Virtualization Decreases Security

Posted by kdawson on Thu Oct 25, 2007 10:54 AM
from the more-chances-to-blow-it dept.
ParaFan writes "In a fascinating story on KernelTrap, Theo de Raadt asserts that while virtualization can increase hardware utilization, it does not in any way improve security. In fact, he contends the exact opposite is true: 'You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.' de Raadt argues that the lack of support for process isolation on x86 hardware combined with numerous bugs in the architecture are a formula for virtualization decreasing overall security, not increasing it."

  • Uh oh (Score:5, Funny)

    by $RANDOMLUSER (804576) on Thursday October 25, @10:55AM (#21114697)

    Theo de Raadt asserts...
    CAUTION: flame war ahead.
    • Re:Uh oh (Score:4, Funny)

      by Anonymous Coward on Thursday October 25, @11:02AM (#21114805)

      CAUTION: flame war ahead.
      No there isn't! How dare you say that?? F-you! YOU GO TO HELL AND YOU DIE!!!
      • Re:Uh oh by Corwn of Amber (Score:1) Thursday October 25, @06:36PM
    • Re:Uh oh by Anonymous Coward (Score:1) Thursday October 25, @11:17AM
      • Re:Uh oh (Score:5, Insightful)

        I don't think anybody considers DJB a leader of the Free Software movement.

        They consider him a brilliant man, and excellent programmer, and generous to let people download his code. They consider him a hero for taking on and beating the US government. They consider him a jerk. I've never heard anybody call him a leader of the Free Software Movement. I've never even heard his license-free software to be considered Free Software.

        As an aside, many people call him a jerk for his style of writing information and documentation. I had to install a DNS server, and I found his you-must-be-a-moron-so-I-will-explain-everything-in-very-simple-terms documentation very informative, clear, and helpful. The security advantage is nice, but to me, tinydns' greatest advantage was DJB's documentation.
      • Re:Uh oh (Score:5, Insightful)

        by XenoPhage (242134) on Thursday October 25, @11:58AM (#21115721)
        (http://blog.godshell.com/)

        We should put Theo and Daniel J. Bernstein (DJB) [cr.yp.to] and see who survives. These so-called 'visionaries' have a hard time forming an argument without degrading the argument with words like 'stupid'. It's a real shame that men like these are considered leaders of the Free Software movement.

        After reading vitriolic posts by these two fools, RMS doesn't seem all that bad.
        I disagree. He seems to call it like it is. And I would agree that anyone deluded enough to think that adding another layer to the already complex PC model increases security is just stupid. Sure, it may be that they are not well versed in the inner workings of both the hardware and software, but does that make their assertion any more correct? And besides, he's on a mailing list where the majority of the readers should be close to his level of knowledge. He may not be the most tactful guy in the world, but he's a hell of a lot smarter than most...

        I've been on the fence about virtualization for a very long time now. Sure, it's quite convenient to install VMware, load up a guest OS, and tinker with new features. But to load up a server with multiple instances of the same operating system is ludicrous. It certainly doesn't scale well at all. And the marketing teams are incredibly good at making people believe that by installing their virtualization software, you'll suddenly have a bunch of "virtual" servers with the same capabilities as a single server. Sure, they all have the same capabilities from an OS standpoint, but performance isn't going to be anything close to a standalone server.

        And as far as security goes, it's nonsense. Ok, so I install 5 copies of RHEL 5.0 on my virtual server. If the virtualization software itself is attacked and compromised, all 5 servers go down. If an OS level attack is successful, then all 5 virtual servers are likely vulnerable because it's an OS level attack. The only security "benefit" I can see is if a single virtual server is compromised through something like a web application. That application may not exist on the other virtual servers, so they're "safe". However, once you get into that one server, DDoS attacks aren't far behind. At the very least, you'll take up resources and you can potentially impact the operation of the other virtual servers.

        I'll stick with standalone servers for now. At least until there's a better solution, of which I don't see one coming anytime soon...
        • Re:Uh oh (Score:5, Informative)

          by CrazedWalrus (901897) on Thursday October 25, @01:03PM (#21116715)
          (Last Journal: Sunday September 16, @11:18PM)
          The fact is that very little hardening is typically done on the inside of the organization. A lot of organizations have the hard crunchy outside with a soft chewy center. (Don't remember who I heard make that analogy, but it's apt.) Most IT departments seem to have hardened servers at the border, but the inside is run-of-the-mill software and hardware. What this means is that maybe virtualization isn't great for the border proxies and firewalls, but it probably fits right into the controlled chaos on the inside, where nothing is especially secure anyway.
        • Re:Uh oh by kyofunikushimi (Score:1) Thursday October 25, @01:16PM
          • Re:Uh oh by COMON$ (Score:2) Thursday October 25, @03:00PM
        • Re:Uh oh (Score:5, Insightful)

          by Bill_the_Engineer (772575) on Thursday October 25, @01:48PM (#21117375)

          I've been on the fence about virtualization for a very long time now. Sure, it's quite convenient to install VMware, load up a guest OS, and tinker with new features. But to load up a server with multiple instances of the same operating system is ludicrous. It certainly doesn't scale well at all. And the marketing teams are incredibly good at making people believe that by installing their virtualization software, you'll suddenly have a bunch of "virtual" servers with the same capabilities as a single server. Sure, they all have the same capabilities from an OS standpoint, but performance isn't going to be anything close to a standalone server..

          Performance will take a hit from the overhead involved, but availability should increase. Most server applications don't fully utilize the CPU anyway, so sacrificing some cycles to run the apps in a virtualized environment is not really a big deal. Where virtualization shines is availability. If a server is malfunctioning or overburdened, the virtualized environment can migrate to another server without the server clients knowing this has taken place (other than some latency caused by the migration). This is actually the coolest part of this technology.

          I never thought about using virtual servers to increase security. Except for running Windows within Mac OS X, I really don't see virtualization making anything more secure.

          I think this is much ado about nothing. It is only here because Theo is getting upset...

          • Re:Uh oh by COMON$ (Score:2) Thursday October 25, @03:02PM
            • Re:Uh oh by j-cloth (Score:2) Friday October 26, @08:44AM
        • Re:Uh oh by COMON$ (Score:3) Thursday October 25, @02:46PM
        • Re:Uh oh by dragonmantank (Score:1) Thursday October 25, @04:44PM
        • Re:Uh oh by drsmithy (Score:2) Thursday October 25, @09:10PM
        • Re:Uh oh by shotgunefx (Score:2) Friday October 26, @08:26AM
          • Re:Uh oh by XenoPhage (Score:2) Friday October 26, @03:40PM
        • Re:Uh oh by fuzznutz (Score:1) Friday October 26, @01:59PM
    • Re:Uh oh by xorbe (Score:1) Thursday October 25, @11:54AM
    • Re:Uh oh by Anonymous Coward (Score:2) Thursday October 25, @12:08PM
    • It's easy to defeat Theo's argument (Score:5, Insightful)

      by Morgaine (4316) on Thursday October 25, @02:05PM (#21117581)
      > CAUTION: flame war ahead.

      There doesn't need to be a flame war, because in this particular instance Theo's argument has a gaping hole in it. Consider the following two system architectures:

      1) An ordinary multi-function Unix-type system which also runs a non-trivial component that is exposed to the world (all non-trivial components have bugs, as Theo is right to point out, and hence are attack vectors).

      2) A machine running 2-guest virtualization, in which the non-trivial component runs in one guest, and the rest of the functions run in another.

      Now consider what happens when the world-facing component gets compromised, and by one of many methods (because sysadmins are fallible) the attack gets promoted to root privilege. Security has failed in one guest, but has it failed in the other? Not necessarily, depending on whether the sysadmin has made repeated blunders and not just one. (E.g. a fool might be keeping ssh keys on the public-facing guest ...)

      In this scenario, the isolation created by virtualization has given the sysadmin an additional bulkhead against his own fallibility, and that is worthwhile for security, not only for better hardware utilization. The partitioning of the application and O/S space has reduced the cross-section of software open to attack.

      Theo's argument also doesn't bear scrutiny at the hypervisor level, because while an O/S in dom0 is just as fragile as the one in domU that runs an exposed application, the instance in the hypervisor isn't exposed to attack. Theo seems to miss the distinction between endpoint fallibility and fallibility in the conveyance and resourcing that is done by hypervisors. They're different.

      I like Theo's hard stance on security, but on this issue he's handwaving.
    • Re:Uh oh by fuliginous (Score:1) Thursday October 25, @02:35PM
      • Re:Uh oh by styrotech (Score:2) Thursday October 25, @05:37PM
        • Re:Uh oh by fuliginous (Score:1) Sunday October 28, @03:55PM
    • Re:Uh oh by Anonymous Coward (Score:1) Thursday October 25, @03:30PM
    • In general, he may be right. In specific cases... by JimMarch(equalccw) (Score:2) Thursday October 25, @06:08PM
  • History teaches once again... (Score:1, Interesting)

    The Irish Potato Famine happened because Ireland was growing a small range of species of potato. A virus hit the potato and it spread so most of the potatoes died, thus causing the famine. Other areas had the same virus but it didn't cause a famine because their stock was more diverse. It wasn't because the other guys' potatoes were immune to all viruses or they were a heartier breed, but because they had a wider diversity of product.

    The same thing with virtualization: each VM will not be completely secure and will have holes in it, but spreading will be reduced because only a smaller portion of applications will use that OS to virtualize. A Linux VM OS, a BSD VM OS, a Windows VM OS... Sure there will be security problems, and patching and fixing the problems in the virtual OS will need to be resolved... But if there is an outbreak you will basically lose your VM application and perhaps some other ones that you may have running at the same time that use the same OS. But now, if your OS gets infected all your apps are dead.
  • You're just NOW realizing this???

  • Counterargument (Score:3, Insightful)

    by Anonymous Coward on Thursday October 25, @10:59AM (#21114763)
    Virtualization layers can be much smaller than operating systems. Hypervisors don't have to do as much as a monolithic kernel does, so they're less prone to security holes.
  • Well, here's his original post : [kerneltrap.org]

    Virtualization seems to have a lot of security benefits.

    You've been smoking something really mind altering, and I think you should share it.

    x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of shit.

    You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.

    You've seen something on the shelf, and it has all sorts of pretty colours, and you've bought it.

    That's all x86 virtualization is.
    It's highly probable that Theo is right. After reading the above post, it's highly probable he is a very abrasive and one sided individual. But this is a tech forum so I won't get into judging character.

    However, his technical argument is ... somewhat unsound in my humble opinion. He seems to follow the train of thought that 1) people are, by nature, erroneous coders 2) virtualization means more code therefore 3) virtualization has more errors.

    I'm going to point out some other things I know about coding. Although more lines of code usually means more bugs, this is not always the case. Correlation does not equal causation. It is correlated but only because the more lines of code, the more probability that more people contributed to the project which means it is highly probable one of them was a bad coder. Also, if you plan things out and follow a rigorous model, it is within your power to make very fully functional, very nice software.

    My second point is a different way of looking at the problem. Let's take the naive approach of assuming a primary job of the operating system is to protect the user (and applications) from completely fouling things up in the hardware & memory realm. So it does an 'ok' job at this but, as Theo noted, some bugs still exist. Let's say it's something really bad like they don't stop programs from altering a very sensitive range of memory that is very vital to the correct execution of the operating system itself. Now, hypothetically, the virtualized layer on top of this would give coders a chance to catch this and correct it and protect the user from bringing down the operating system. In this way of looking at things you have two nets. Alone one lets many things pass through so you double it up and now you're catching more fish.

    But my analogy is probably very flawed and I must confess I have coded neither of these pieces of software so I cannot confirm or deny this. I am quite shocked that Mr. de Raadt would react so abusively to a post where someone was merely saying that they 'appeared' to be receiving some amount of additional security from virtualization.

    As for the very last comment Mr. de Raadt makes, I am confused. My employer uses virtualization on a mass scale to more effectively utilize hardware. I believe it has more uses than just bright shiny colors and wrapping--in fact I am interested in its potentials for hosting web OSs and other neat applications to users. It might not be the future like some people think it is but I think Mr. de Raadt was suffering a moment of frustration or dealing with irritable people when he authored this.

    I do wish he were open to more ideas. The second you start to just outright dismiss all your options because they don't satisfy you on the surface you will find you are left with none and often miss the best.
  • by lib3rtarian (1050840) on Thursday October 25, @11:00AM (#21114769)
    Theo thinks so highly of himself, he is just wrong on this one. There is not one recorded/public example of someone breaking out of the isolation of a virtual environment! I dare someone to demonstrate otherwise, and I will eat my words.
  • VMware selloff (Score:1, Funny)

    by Anonymous Coward on Thursday October 25, @11:03AM (#21114833)
    Thanks for the insider tip Theo, I just dumped all of my VMware stock.
  • Missing the point (Score:1, Interesting)

    by Anonymous Coward on Thursday October 25, @11:06AM (#21114885)
    Virtualization layers, and their cousins separation kernels, are the darlings of the security crowd because they can be written in a relatively small number of SLOCs, which means there is a possibility to formally analyze them, where formal analysis means proofs written in a well-established mathematical notation and machine checked. Green Hills Software has a separation kernel that should shortly be certified to a very high level (EAL 6 Augmented) CCEVS [niap-ccevs.org]
  • What are the big threats now? (Score:3, Interesting)

    by timeOday (582209) on Thursday October 25, @11:06AM (#21114895)
    A few years ago, it seemed email worms were constantly ravaging Outlook. That, I noticed. But that seems to have tapered off. Haven't noticed any panicked patching of zlib or ssh or sendmail lately. What is keeping people busy these days? Spyware-infested zombie boxes? Anything else?
  • Risk profiles (Score:5, Insightful)

    by Anonymous Coward on Thursday October 25, @11:08AM (#21114919)
    Let's consider the following:
    1. Security is improved by minimizing the number of services your software layer exports.
    2. Virtualization has a relatively small, well-defined number of services.
    3. Operating systems do not.
    4. ???

    Virtualization is no doubt a complex problem to get right, but it's only one problem. There is a relatively fixed set of hardware any virtualization system claims to support. A reasonably complete virtualization system can be frozen at some level of functionality. An operating system can not; it must, by nature, constantly evolve to new requirements. Hardware, in contrast, is relatively more stable.

    Operating systems running on virtualized systems also have the advantages of operating systems running any fixed configuration. While not quite as consistent as a completely emulated environment, virtualization gets most of the benefits, under reasonable assumptions.

    So, in short, virtualization has the same sort of benefits microkernels were supposed to provide, albeit with a much more heavyweight solution: smaller core that's easier to secure. Virtualization has been used in the mainframe community for years. Virtualization is an even stronger form of process isolation than what operating systems provide.

    Virtualization is much more costly to run than a standard operating system process. This should be a clue that it probably provides stronger isolation guarantees, even if you don't buy the rest of the argument.

    I think it's a specious argument, as usual, to claim that securing the virtualization layer is no harder or easier than securing an operating system. I think securing the virtualization layer is going to be much easier, because while the problem itself is complex, it's still less complex than a complete operating system is.

    A better argument would have been to point out that guest operating systems running under virtualization are no less vulnerable to being compromised than those running on real hardware. But then that would point the finger at operating system vendors, not virtualization ones.
  • by swamp boy (151038) on Thursday October 25, @11:09AM (#21114933)
    From TFA,

    The topic is specifically about virtualization on the x86 platform.
  • Useless (Score:4, Interesting)

    by andreyw (798182) on Thursday October 25, @11:10AM (#21114947)
    (http://andreywarkentin.livejournal.com/)
    Theo's side keeps asserting that "x86 virtualization isn't secure", but they seem to be perfectly comfortable at keeping the discussion at the level of an "I'm right, NO I'M RIGHT", without any corroborating statements (Hint: Theo's "I am familiar with x86 and its 'nastiness'" isn't one). What's not secure about SVM? What's not secure about VT-x? Why does Theo think that virtualization somehow has to imply legacy PC I/O emulation?

    Ugh.
    • Re:Useless (Score:5, Interesting)

      by Krondor (306666) on Thursday October 25, @11:40AM (#21115429)
      What's not secure about SVM? What's not secure about VT-x?

      VT-x and SVM provide paths for rootkits to integrate and hide. New rootkits like Blue Pill [bluepillproject.org] and Vitriol [theta44.org] utilize SVM and VT-x to virtualize the host platform and remain undetected and immune from removal. They're not widespread, but an attack vector exists, which implies the security concerns over them.

      Makes sense to me.
      • Re:Useless by Ed Avis (Score:2) Thursday October 25, @12:09PM
        • Re:Useless by Krondor (Score:2) Thursday October 25, @12:41PM
          • Re:Useless by Ed Avis (Score:1) Thursday October 25, @02:36PM
      • VT-x? by Typoboy (Score:1) Thursday October 25, @02:09PM
      • Re:Useless by Krondor (Score:2) Thursday October 25, @12:10PM
    • Re:Useless by the_B0fh (Score:1) Thursday October 25, @11:55AM
      • Re:Useless by andreyw (Score:2) Thursday October 25, @03:38PM
    • Re:Useless by tji (Score:2) Thursday October 25, @11:58AM
      • Re:Useless by arkanes (Score:2) Thursday October 25, @02:01PM
      • Re:Useless by BitZtream (Score:2) Thursday October 25, @05:19PM
    • Re:Useless by Seumas (Score:1) Thursday October 25, @12:10PM
  • The snippet presented seems to suggest that more security holes in virtualization = less secure operating system, or OS(X) + V(X), where OS(X) represents the operating system vulnerabilities and V(X) represents virtualization vulnerabilities.

    However, I see this more as if the virtualization layer actually sits under the OS layer, then the actual security for remote intrusion would be, first, Y/OS(X), THEN Y/V(X), where Y is the number of people with the knowledge to exploit each vulnerability. Thus, someone who wanted to exploit the system would both have to be capable of exploiting an OS vulnerability, and THEN also exploiting a virtualization vulnerability.

    (And we're talking about remote usage, because we all know it's virtually impossible to protect a system from anyone who has direct access to the hardware.)

    I understand that reality may not be quite as tidy, but it still seems like a virtualized system would be much more secure than a non-virtualized system, if only because the increased level of knowledge involved means a smaller number of hackers capable of exploiting both layers. What am I missing?

  • But it's so fun (Score:1, Funny)

    by Anonymous Coward on Thursday October 25, @11:14AM (#21115031)
    You mean my strategy of running Windows inside of Mac Parallels inside of Pear inside a VMWare instance in a Wine bottle isn't the most secure, stable environment ever conceived? Sheeze. Maybe I should just get a Mac. :)

    --
    http://www.metagovernment.org/ [metagovernment.org]
    GOVERNMENT BY *ALL* THE PEOPLE
  • Theo rocks, as his usual! (Score:4, Funny)

    by VincenzoRomano (881055) on Thursday October 25, @11:16AM (#21115063)
    And as there is no engineer that can develop hardware without security bugs, the only solution is to stay with insecurity!
  • by RLiegh (247921) on Thursday October 25, @11:18AM (#21115105)
    (http://slashdot.org/ | Last Journal: Sunday July 29, @04:31PM)
    This sounds suspiciously close to his comments about journaling filesystems when asked why OpenBSD didn't support them (which boiled down to "journaling sucks, use softdeps instead"). OpenBSD has native support for exactly zero virtualisation schemes, whereas NetBSD has native Xen support (something Opensolaris is working on, if they don't have it already), FreeBSD and Linux both have support for kqemu, and Linux and Windows both have support for VMWare, Virtualbox and kqemu.

    For fuck's sake, OpenBSD can't even offer a modern version of WINE in their ports (the one they offer is from 1999, and is broken to boot).

    So instead of fixing OpenBSD so that it has native support for running some sort of native virtualisation scheme, Theo does what he usually does - bitches, whines and blames the technology for the flaws in his OS.

  • credibility? (Score:4, Insightful)

    by Known Nutter (988758) on Thursday October 25, @11:22AM (#21115153)
    Theo's childish, condescending and pointless choice of language seems to undermine his credibility. Although he may be an authority on the subject, I think he owes it to himself - as well as the rest of the community he helped to create - to communicate in a more professional, civilized and respectful manner.

    He's in the same bucket as Dvorak - who wants to listen to the little twerp?

  • by rodney dill (631059) on Thursday October 25, @11:25AM (#21115209)
    (Last Journal: Sunday November 02 2003, @01:54PM)
    I do a lot of prototyping and testing out of scenarios with virtual machines (40+ iterations for servers and client). Not all are complete builds, as I do a lot of cloning. If you fire up a virtual machine that hasn't been in use for a while, you may need to spend time with security updates. Also, if you didn't place or adequately configure virus protection and a firewall in an original clone, you may end up with a number of machines with poor security. On the other hand, cleaning up viruses is easy with my scenario: I just delete a current clone and go back to one not infected. (Assuming the virus is readily identifiable.)