Virtualization Decreases Security

ParaFan writes "In a fascinating story on KernelTrap, Theo de Raadt asserts that while virtualization can increase hardware utilization, it does not in any way improve security. In fact, he contends the exact opposite is true: 'You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.' de Raadt argues that the lack of support for process isolation on x86 hardware combined with numerous bugs in the architecture are a formula for virtualization decreasing overall security, not increasing it."

Uh oh

[$RANDOMLUSER]

Theo de Raadt asserts...

CAUTION: flame war ahead.

Re:Uh oh

[Anonymous Coward]

CAUTION: flame war ahead.

No there isn't! How dare you say that?? F-you! YOU GO TO HELL AND YOU DIE!!!

Re:

[Anonymous Coward]

TdR also asserts that SMP makes the system less secure ... and he is right. Most new functionality does.

It is sad that he doesn't acknowledge that the larger your trusted code base the less secure you are.

It's easy to defeat Theo's argument

[Morgaine]

> CAUTION: flame war ahead.

There doesn't need to be a flame war, because in this particular instance Theo's argument has a gaping hole in it. Consider the following two system architectures:

1) An ordinary multi-function Unix-type system which also runs a non-trivial component that is exposed to the world (all non-trivial components have bugs, as Theo is right to point out, and hence are attack vectors).

2) A machine running 2-guest virtualization, in which the non-trivial component runs in one guest, and the rest of the functions run in another.

Now consider what happens when the world-facing component gets compromised, and by one of many methods (because sysadmins are fallible) the attack gets promoted to root privilege. Security has failed in one guest, but has it failed in the other? Not necessarily, depending on whether the sysadmin has made repeated blunders and not just one. (Eg. a fool might be keeping ssh keys on the public-facing guest ...)

In this scenario, the isolation created by virtualization has given the syadmin an additional bulkhead against his own fallibility, and that is worthwhile for security, not only for better hardware utilization. The partitioning of the application and O/S space has reduced the cross-section of software open to attack.

Theo's argument also doesn't bear scrutiny at the hypervisor level, because while an O/S in dom0 is just as fragile as the one in domU that runs an exposed application, the instance in the hypervisor isn't exposed to attack. Theo seems to miss the distinction between endpoint fallibility and fallibility in the conveyance and resourcing that is done by hypervisors. They're different.

I like Theo's hard stance on security, but on this issue he's handwaving.

Re:It's easy to defeat Theo's argument

[Chris Mattern]

I don't think you've entirely grasped Theo's argument. He argues that your reasoning is invalid *because it assumes that the interface between the O/S in dom0 and the hypervisor has no security holes in it*. You don't get to just state that the hypervisor isn't exposed to attack. Now, you can argue that because of its limited nature, and because great pains are taken to avoid unwanted interaction between the hypervisor and the virutal O/S, it is more secure than ordinary software interactions. But I think Theo is not arguing that VMs are less secure than running all your stuff in one O/S. I think he's arguing that VNs are less secure than running your services *on actual separate machines*. And that stands a good chance of being true.

Chris Mattern

Re:

[AVee]

The hypervisor O/S is almost entirely transparent...

"No really officer, my door was almost entirely closed. I really don't understand how they got in."

And thats one of the reason why, as much as I totally *hate* to admit it, Theo is right about this.
On of the other reasons is the simple fact that running more code on your system means more potential bugs, allways. Or perhaps the stupid trivial fact that it doesn't really matter if the machine that is pwned is virtual or not, its not like those creditcard records suddenly become virtual when you start usi

Re:Uh oh

[oyenstikker]

I don't think anybody considers DJB a leader of the Free Software movement.

They consider him a brilliant man, and excellent programmer, and generous to let people download his code. They consider him a hero for taking on and beating the US government. They consider him a jerk. I've never heard anybody call him a leader of the Free Software Movement. I've never even heard his license-free software to be considered Free Software.

As an aside, many people call him a jerk for his style of writing information and documentation. I had to install a DNS server, and I found his you-must-be-a-moron-so-I-will-explain-everything-in-very-simple-terms documentation very informative, clear, and helpful. The security advantage is nice, but to me, tinydns' greatest advantage was the DJB's documentation.

Re:Uh oh

[XenoPhage]

We should put Theo and Daniel J. Bernstein (DJB) [cr.yp.to] and see who survives. These so-called 'visionaries' and have a hard time forming an argument without degrading the argument with words like 'stupid'. It's a real shame that men like these are considered leaders the Free Software movement.

After reading vitriolic posts by these two fools, RMS doesn't seem all that bad.

I disagree. He seems to call it like it is. And I would agree that anyone deluded enough to think that adding another layer to the, already complex, PC model increases security is just stupid. Sure, it may be that they are not well versed in the inner workings of both the hardware and software, but does that make their assertion any more correct? And besides, he's on a mailing list where the majority of the readers should be close to his level of knowledge.. He may not be the most tactful guy in the world, but he's a hell of a lot smarter than most...

I've been on the fence about virtualization for a very long time now. Sure, it's quite convenient to install VMware, load up a guest OS, and tinker with new features. But to load up a server with multiple instances of the same operating system is ludicrous. It certainly doesn't scale well at all. And the marketing teams are incredibly good at making people believe that by installing their virtualization software, you'll suddenly have a bunch of "virtual" servers with the same capabilities as a single server. Sure, they all have the same capabilities from an OS standpoint, but performance isn't going to be anything close to a standalone server..

And as far as security goes, it's nonsense. Ok, so I install 5 copies of RHEL 5.0 on my virtual server. If the virtualization software itself is attacked and compromised, all 5 servers go down. If an OS level attack is successful, then all 5 virtual servers are likely vulnerable because it's an OS level attack. The only security "benefit" I can see is if a single virtual server is compromised through something like a web application. That application may not exist on the other virtual servers, so they're "safe".. However, once you get into that one server, DDoS attacks aren't far behind. At the very least, you'll take up resources and you can potentially impact the operation of the other virtual servers.

I'll stick with standalone servers for now.. At least until there's a better solution, of which I don't see one coming anytime soon...

Re:Uh oh

[CrazedWalrus]

The fact is that very little hardening is typically done on the inside of the organization. A lot of organizations have the hard crunchy outside with a soft chewey center. (Don't remember who I heard make that analogy, but it's apt.) Most IT departments seem to have hardened servers at the border, but the inside is run-of-the-mill software and hardware. What this means is that maybe virtualization isn't great for the border proxies and firewalls, but it probably fits right into the controlled chaos on the inside, where nothing is especially secure anyway.

Re:Uh oh

[Bill_the_Engineer]

I've been on the fence about virtualization for a very long time now. Sure, it's quite convenient to install VMware, load up a guest OS, and tinker with new features. But to load up a server with multiple instances of the same operating system is ludicrous. It certainly doesn't scale well at all. And the marketing teams are incredibly good at making people believe that by installing their virtualization software, you'll suddenly have a bunch of "virtual" servers with the same capabilities as a single server. Sure, they all have the same capabilities from an OS standpoint, but performance isn't going to be anything close to a standalone server..

Performance will take a hit from the overhead involved, but availability should increase. Most server applications don't fully utilize the CPU anyway, so sacrificing some cycles to run the apps in a virtualized environment is not really a big deal. Where virtualization shines is availability. If a server is malfunctioning or overburdened, the virtualized environment can migrate to another server without the server clients knowing this has taken place (other than some latency caused by the migration). This is actually the coolest part of this technology.

I never thought about using virtual servers to increase security. Except for running windows within Mac OS X, I really don't see virtualization making anything more secure.

I think this is much ado about nothing. It is only here because Theo is getting upset...

Re:

[COMON$]

But to load up a server with multiple instances of the same operating system is ludicrous. It certainly doesn't scale well at all.

What is the difference between the popular, "by 10 Dell 2650s and slap server 2003 on all of them" or "buy 1 2650 and slap 10 server 2003s on it?" Answer? nothing other than that with the virtual server you have a layer in between the hardware and OS, which 'could' offer greater security or worse. It is up in the air right now as in my opinion Virtual environments tend to pu

Counterargument

[Anonymous Coward]

Virtualization layers can be much smaller than operating systems. Hypervisors don't have to do as much as a monolithic kernel does, so they're less prone to security holes.

Re:

[Kristoph]

I am not sure how this makes sense given that each VM is actually running a monolithic kernel.

]{

Re:

[spun]

You don't get the concept. It doesn't matter what the VMs are doing. The monolithic kernels can get hacked up down and sideways, and if there are no bugs in the hypervisor, the rest of the machine is still secure.

Re:

[644bd346996]

Fewer lines of code in the hypervisor makes it easier to audit the whole thing for bugs. Yes, there will still be bugs, but it is quite feasible for a hypervisor to have significantly fewer bugs per line of code than the operating systems it runs.

Re:

[darthflo]

Fewer still implies more than zero, which is a few too many. Don't forget to include the severity a potential hijack might have into your equation. A bug in Slash (just an example, I know Slash doesn't and will never have any bugs ;)) would usually compromise the web server, maybe just Slash itself running on a given machine. A bug in the kernel of the VM running Slash would compromise the whole VM, but a bug in a Datacentre-wide Hypervisor net certainly could render your whole facility useless (for a limit

Re:

[Tanktalus]

#include <stdio.h>
int main()
{
return printf("Hello world\n");
}

Small, simple, bug free. Scaling this to 50,000 lines is far simpler (or at least more accurately scaled) than scaling to 6,000,000 lines, or 50,000,000 lines.

(And then there is the defensive code that actually works around its own defects such that bugs can't actually be exploited... but I don't know if the VMs in question have that or not.)

Perhaps a Different Train of Thought

[eldavojohn]

Well, here's his original post : [kerneltrap.org]

Virtualization seems to have a lot of security benefits.

You've been smoking something really mind altering, and I think you should share it.

x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of shit.

You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.

You've seen something on the shelf, and it has all sorts of pretty colours, and you've bought it.

That's all x86 virtualization is.

It's highly probable that Theo is right. After reading the above post, it's highly probable he is a very abrasive and one sided individual. But this is a tech forum so I won't get into judging character.

However, his technical argument is ... somewhat unsound in my humble opinion. He seems to follow the train of thought that 1) people are, by nature, erroneous coders 2) virtualization means more code therefore 3) virtualization has more errors.

I'm going to point out some other things I know about coding. Although more lines of code usually means more bugs, this is not always the case. Correlation does not equal causation. It is correlated but only because the more lines of code, the more probability that more people contributed to the project which means it is highly probable one of them was a bad coder. Also, if you plan things out and follow a rigorous model, it is within your power to make very fully functional, very nice software.

My second point is a different way of looking at the problem. Let's take the naive approach of assuming a primary job of the operating system is to protect the user (and applications) from completely fouling things up in the hardware & memory realm. So it does an 'ok' job at this but, as Theo noted, some bugs still exist. Let's say it's something really bad like they don't stop programs from altering a very sensitive range of memory that is very vital to the correct execution of the operating system itself. Now, hypothetically, the virtualized layer on top of this would give coders a chance to catch this and correct it and protect the user from bringing down the operating system. In this way of looking at things you have two nets. Alone one lets many things pass through so you double it up and now you're catching more fish.

But my analogy is probably very flawed and I must confess I have coded neither of these pieces of software so I cannot confirm or deny this. I am quite shocked that Mr. de Raadt would react so abusively to a post where someone was merely saying that they 'appeared' to be receiving some amount of additional security from virtualization.

As for the very last comment Mr. de Raadt makes, I am confused. My employer uses virtualization on a mass scale to more effectively utilize hardware. I believe it has more uses than just bright shiny colors and wrapping--in fact I am interested in its potentials for hosting web OSs and other neat applications to users. It might not be the future like some people think it is but I think Mr. de Raadt was suffering a moment of frustration or dealing with irritable people when he authored this.

I do wish he were open to more ideas. The second you start to just outright dismiss all your options because they don't satisfy you on the surface you will find you are left with none and often miss the best.

Re:

[kebes]

It's highly probable that Theo is right. After reading the above post, it's highly probable he is a very abrasive and one sided individual. But this is a tech forum so I won't get into judging character.

This is off-topic but I'm going to say it anyway. After reading the email exchange I find Theo's style quite bothersome. He's a highly skilled hacker and I don't doubt his technical abilities. However his writing style is terrible for technical discussions:

1. He uses troll-like sentences that divert away

Re:Perhaps a Different Train of Thought

[Colin Smith]

This doesn't just go for Theo. Many geeks have a superiority complex that causes them to be acerbic, arrogant, and dismissive in technical discussions.

Actually caused by strong feelings of insecurity. The secure don't need to attack to try to constantly prove their superiority.

 

The only secure OS

[Colin Smith]

One unplugged from the network, with no applications.

If you want to do anything in this world, there is risk and generally, the greater the risk the greater any reward. So while he may well be correct, he's totally missed the point of well, everything. Leave him to stew in his paranoid fantasy world. I'm sure the NSA, CIA or whoever will be happy to use his skills.

 

Re:

[rk]

That Theo... he's such a smooth talker. I'll bet he's quite a hit with the ladies.

Re:

[yuna49]

Regardless of Theo's language or his comments about the quality of OS engineers, I thought this argument was more compelling:

x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection.

Just how nasty is the x86 architecture as a platform for virtualization? Certainly the x86 wasn't originally designed to be an S/370 in a smaller box. I read Theo's post as raising the question of how exposed the hype

Re:

[yuna49]

I thought the 386 and successor architectures were fundamentally different from the original 8086 and 80286 architectures, particularly with regard to support for multitasking and memory protection. The transition to the 386 was pretty apparent to me. I used Desqview/386 to run more than one DOS program at a time in parallel, a feat not possible on any of the earlier x86 chips.

I admit to being a total novice in these areas, but intuitively I imagined that a hypervisor was nothing more than a stripped-down

Re:

[Soko]

It's highly probable that Theo is right.

Theo is a very smart and resourceful individual - that's shown by his work

After reading the above post, it's highly probable he is a very abrasive and one sided individual.

That's an understatement to say the least. It's not "highly probable", it's an absolute certainty.

But this is a tech forum so I won't get into judging character.

You must be new here. ;-)

Anyway, abrasive as he is, when Theo has something to say on security I tend to listen as he has a proven track re

Theo is so full of himself he misses reality

[lib3rtarian]

Theo thinks so highly of himself, he is just wrong on this one. There is not one recorded/public example of someone breaking out of the isolation of a virtual environment! I dare someone to demonstrate otherwise, and I will eat my words.

Re:

[mccalli]

There is not one recorded/public example of someone breaking out of the isolation of a virtual environment! I dare someone to demonstrate otherwise, and I will eat my words.

VMware Tools seems to do it every day...

Cheers,
Ian

Re:

[644bd346996]

That's a feature, not a bug. The existence of that hole is well-documented and intentional (even if the details of exploiting it aren't). I haven't used VMware, so I can't comment on whether that feature can be disabled by the user, but it would be trivial for VMware to do so.

Re:

[LLuthor]

Lots of hypervizors and VM kernels are vulnerable, and can allow guest OSes to inject code into the host OS.

See this for just a few examples: http://secunia.com/advisories/26890 [secunia.com]
I can easily find several implementations that cause DOS and escalation attacks on older versions (these are fixed in the current versions, but you can bet more flaws will be found).

Regardless of Theo's opinion of himself, he is right in that more complexity means more bugs.

Re:

[LLuthor]

Anything inside a VM IS untrusted. Whether someone has root inside the VM or not should not make a difference.

Re:

[Cheesey]

Here is one [securitytracker.com].

Beware of a false sense of security! VMware was not designed to be a security tool.

Re:

[Krondor]

There is not one recorded/public example of someone breaking out of the isolation of a virtual environment! I dare someone to demonstrate otherwise, and I will eat my words.

How do those words taste? [eweek.com].

From the link: "It could allow a malicious hacker to sidestep the virtual machine and exploit the underlying operating system.".

Anyway I think that you do make a point. Exploiting the underlying OS isn't as much as exploiting the guest OS in the virtual instance. Interesting stuff like Blue Pill [blogspot.com] (which is hotl

What are the big threats now?

[timeOday]

A few years ago, it seemed email worms were constantly ravaging Outlook. That, I noticed. But that seems to have tapered off. Haven't noticed any panicked patching of zlib or ssh or sendmail lately. What is keeping people busy these days? Spyware-infested zombie boxes? Anything else?

Re:

[zappepcs]

The number one threat to America today? BEARS !

Re:

[somersault]

I think the latest is something called "World of Warcraft".

Risk profiles

[Anonymous Coward]

Let's consider the following:

1. Security is improved by minimizing the number of services your software layer exports.
   
2. Virtualization has a relatively small, well-defined number of services.
   
3. Operating systems do not.
   
4. ???
   

Virtualization is no doubt a complex problem to get right, but it's only one problem. There is a relatively fixed set of hardware any virtualization system claims to support. A reasonably complete virtualization system can be frozen at some level of functionality. An operating system can not; it must, by nature, constantly evolve to new requirements. Hardware, in contrast, is relatively more stable.

Operating systems running on virtualized systems also have the advantages of operating systems running any fixed configuration. While not quite as consistent as a completely emulated environment, virtualization gets most of the benefits, under reasonable assumptions.

So, in short, virtualization has the same sort of benefits microkernels were supposed to provide, albeit with a much more heavyweight solution: smaller core that's easier to secure. Virtualization has been used in the mainframe community for years. Virtualization is an even stronger form of process isolation than what operating systems provide.

Virtualization is much more costly to run than a standard operating system process. This should be a clue that it probably provides stronger isolation guarantees, even if you don't buy the rest of the argument.

I think it's a specious argument, as usual, to claim that securing the virtualization layer is no harder or easier than securing an operating system. I think securing the virtualization layer is going to be much easier, because while the problem itself is complex, it's still less complex than a complete operating system is.

A better argument would have been to point out that guest operating systems running under virtualization are no less vulnerable to being compromised than those running on real hardware. But then that would point the finger at operating system vendors, not virtualization ones.

Re:

[Aladrin]

I think you missed the point.

App A may be secure, but probably is not.
App B may be secure, but probably is not.

If you run BOTH, you're even less likely to be secure.

It's the same here. OS A is insecure. To 'secure' it, you run it under Virtualization, which is itself possibly insecure. You've now got all the insecurity of OS A and all its apps plus the Virtualization to worry about.

If Virtualization covered up the problems with the OSs it hosts, there would be no issue. It does not.

Re:

[ZorbaTHut]

I don't agree. You're assuming that an attacker can exploit bugs in both App A and App B, at will. I don't think that's the case. In order to even touch the OS, you have to first exploit the virtualization framework.

I run virtualization because it seems stronger to me than not. Without virtualization, in order to root my box, the user needs to follow this order:

* Exploit a running process to get in
* Find a hole in any root-permission process to get root privileges

(Note that these might be the same step in s

Useless

[andreyw]

Theo's side keeps asserting that "x86 virtualization isn't secure", but they seem to be perfectly comfortable at keeping the discussion at the level of a "I'm right, NO I'M RIGHT", without any corroborating statements (Hint: Theo's "I am familiar with x86 and its 'nastiness'" isn't one). What's not secure about SVM? What's not secure about VT-x? Why does Theo think that virtualizatio somehow has to imply legacy PC I/O emulation?

Ugh.

Re:Useless

[Krondor]

What's not secure about SVM? What's not secure about VT-x?

VT-x and SVM provide paths for rootkits to integrate and hide. New rootkits like Blue Pill [bluepillproject.org] and Vitriol [theta44.org] utilize SVM and VT-x to virtualize the host platform and remain undetected and immune from removal. They're not widespread, but an attack vector exists, which implies the security concerns over them.

Makes sense to me.

Re:

[Ed Avis]

If you choose not to run a virtualization layer, that doesn't (as far as I know) make you any safer from rootkits like Blue Pill.

If you run a virtualization layer, that doesn't (as far as I know) make you more vulnerable to rootkits.

In any case, a rootkit can work only once you've already compromised the system. What happens once the system is compromised is not really relevant; we take it for granted that an attacker with root access can do anything he or she wants. The question of security mostly hinges

Re:

[Krondor]

Isn't that more of an argument against an OS on the bare hardware?

No, the parent asked what is insecure about VT-x and/or SVM. Both of which provide attack vectors for VM-type rootkits, which are quite serious. VT-x and SVM are designed to be transparent to the guest so these are hard to detect.

As to your point, If an existing hypervisor is there already this is probably not effective. Perhaps a VM rootkit could emulate a ring-0 environment to nest itself as a virtual instance on the host while still vir

Re:

[tji]

Yes, precisely. He doesn't say that he has looked into virtualization code and it has X problems. Or, even virtualization is vulnerable to Y attacks. He says "Those of us who have experience with the gory bits of the x86 architecture can clearly say
that we know what would be involved in virtualizing it, and if it was so simple, we would not still be fixing bugs in the exact same area in our operating system going on 12 years."

In other words "I've never really studied the problem. But my guess is that

I'm Not Sure I Buy His Analysis

[Nova Express]

The snippet presented seems to suggest that more security holes in virtualization = less secure operating system, or OS(X) + V(X), where OS(X) represents the operating system vulnerabilities and V(X) represents virtualization vulnerabilities.

However, I see this more as if the virtualization layer actually sits under the OS layer, then the actual security for remote intrusion would be, first, Y/OS(X), THEN Y/V(X), where Y is the number of people with the knowledge to exploit each vulnerability. Thus, someone who wanted to exploit the system would both have to be capable of exploiting an OS vulnerability, and THEN also exploiting a virtualization vulnerability.

(And we're talking about remote usage, because we all know it's virtually impossible to protect a system from anyone who has direct access to the hardware.)

I understand that reality may not be quite as tidy, but it still seems like a virtualized system would be much more secure that a non-virtualized system, if only because the increased level of knowledge involved means a smaller number of hackers capable of exploiting both layers. What am I missing?

Re:

[Cheesey]

I understand that reality may not be quite as tidy, but it still seems like a virtualized system would be much more secure that a non-virtualized system, if only because the increased level of knowledge involved means a smaller number of hackers capable of exploiting both layers. What am I missing?

I think you might be assuming that the security provided by the OS and the VM are multiplicative, that the result of having both is much stronger than the sum of the two parts. But that might not be true, because

Re:

[mdielmann]

I understand that reality may not be quite as tidy, but it still seems like a virtualized system would be much more secure that a non-virtualized system, if only because the increased level of knowledge involved means a smaller number of hackers capable of exploiting both layers. What am I missing?

What you are missing is that hackers with different skillsets might talk to each other. This is similar to defeating DRM, another security model. Once it's broken by one person, there's nothing to stop him from sharing it with everyone else.

Re:

[evilviper]

it still seems like a virtualized system would be much more secure that a non-virtualized system, if only because the increased level of knowledge involved means a smaller number of hackers capable of exploiting both layers. What am I missing?

#1) The simple fact that the alternative to virtualization is separate physical hardware, where NO amount of knowledge can allow you to break-out of the hardware, and gain control of the 10 other systems.

#2) Reality really isn't nearly that tidy. Anyone who is skilled

Theo rocks, as his usual!

[VincenzoRomano]

And as there is no engineer that can develop hardware without security bugs, the only solution is to stay with insecurity!

Sounds to me like "those who can't, bitch"

[RLiegh]

This sounds suspiciously close to his comments about journaling filesystems when asked why OpenBSD didn't support them (which boiled down to "journaling sucks, use softdeps instead"). OpenBSD has native support for exactly zero virtualisation schemes, whereas NetBSD has native Xen support (something Opensolaris is working on -if they don't have it already), FreeBSD and Linux both have support for kqemu and Linux and Windows both have support for VMWare, Virtualbox and kqemu.

For fuck's sake, OpenBSD can't ev

When a Port is Lagging Behind the Mainstream

[shking]

For fuck's sake, OpenBSD can't even offer a modern version of WINE in their ports (the one they offer is from 1999, and is broken to boot)

The ports tree is 3rd party stuff, not OpenBSD. Why don't YOU contribute instead of whining.

When a Port Is Lagging Behind the Mainstream Version [openbsd.org]

"The ports collection is a volunteer project. Sometimes the project simply doesn't have the developer resources to keep everything up-to-date. Developers pretty much pick up what they consider interesting and can test in t

Re:When a Port is Lagging Behind the Mainstream

[RLiegh]

For fuck's sake, OpenBSD can't even offer a modern version of WINE in their ports (the one they offer is from 1999, and is broken to boot)

The ports tree is 3rd party stuff, not OpenBSD. Why don't YOU contribute instead of whining.

Because I have a wealth of already working solutions to choose from. Why in the fuck would I waste my time contributing to a project full of assholes (read the mailing lists for details) who don't even want to admit there's a problem in the first place -much less fix it?

Don't know about you, but I've got a life to live; if OpenBSD doesn't feel like offering virtualisation technology (or -in the case of WINE- compatibility functionality) then I'll simply move on and use operating systems which do.

And if Theo insists on making it sound as if the problem isn't OpenBSD's inability to support virtualisation but virtualisation itself; then I reserve the right to laugh my ass off at his extremely silly pompousness.

Re:

[MikeBabcock]

He has a point inasmuch as adding complexity invariably adds security issues that need addressing. However, auditing the Xen code makes much more sense considering the possible security benefits in the long run than avoiding it altogether. Partitioning of the system's resources is a net win for me.

Re:

[evilviper]

"journaling sucks, use softdeps instead"

I fail to see why you have a problem with that statement. It's true that softdeps has better performance than journaling, both in theory, and in practice. You need only look at FreeBSD.

FreeBSD and Linux both have support for kqemu and Linux and Windows both have support for VMWare, Virtualbox and kqemu.

kqemu is borderline useless on FreeBSD. I don't notice any performance difference with or without it. So OpenBSD is on pretty much equal footing. Not to mention th

credibility?

[Known Nutter]

Theo's childish, condescending and pointless choice of language seems to undermine his credibility. Although he may be an authority on the subject, I think he owes it to himself - as well as the rest of the community he helped to create - to communicate in a more professional, civilized and respectful manner.

He's in the same bucket as Dvorak - who wants to listen to the little twerp?

Its not just the developers...

[rodney dill]

I do a lot of prototyping and testing out of scenarios with virtual machines. (40+ iterations for servers and client) Not all are complete builds as I do a lot of cloning. If you fire up a virtual machine that hasn't been in use for a while, you may need to spend time with security updates. Also if you didn't place or adequately configure virus protection and a firewall in an original clone you may end up with a number of machines with poor security. On the other hand cleaning up viruses is easy with my s

Wrong argument?

[leuk_he]

I am not sure that the argument is right. Saying that virtualizion add possible security bugs is like saying that adding a personal firewall is adding fucntionaltity and thus possible exploits.

Virtualiztaion is more secure IMHO than current process isolation in most operating systems, but both can fail.

Theo's argument about security just proves the argument of linux about Security is "people wanking around with their opinions" is not unrealstic.

You have torealize that the alternative to virtualisation is ge

Re:

[darthflo]

1. I'd argue that a personal firewall does make a system more vulnerable in many cases, not because it's own vulnerabilities (usually few, if any), but because it makes it's user feel (more) secure. Similar to always sporting a kevlar vest, it'll certainly help in some situations, but you might forget that you still are vulnerable and, after needlessy walking through the worst part of some city, end up in an armed robbery with a gun pointed at your (un-kevlar'd) head.

Additional to that, virtualization do

Dumb

[Reality Master 101]

I have no idea with Theo's point here is. His statement is like saying, "Firewalls are programmed by the same people who write operating systems. If you think Firewalls have no security issues, then you're deluded, if not stupid." Therefore, Firewalls are useless and just increase complexity.

Virtualization, from a security standpoint, is just a firewalling method. It increases isolation between instances, and more isolation is ALWAYS good.

Oh yeah?

[Ambitwistor]

Virtualization, from a security standpoint, is just a firewalling method. It increases isolation between instances, and more isolation is ALWAYS good.

More isolation is ALWAYS good? Bah, I think it's a real pain. It makes it much harder for me to write security exploits.

unstated assumption

[sribe]

I believe that he is working from the unstated assumption that the virtualization host and guest OSen all have approximately equivalent levels of security. If so, then virtualization does just increase the number of holes available for exploit. Rather like the way a RAID system increases the overall chance of a drive failing, because of using more drives. The difference of course, is that the RAID system is able to effectively isolate the failed drive, where a security exploit in one OS can potentially prov

Theo's pessimism and where it comes from.

[argent]

Theo tends to be cynical and pessimistic about just about anything that's got to do with security, and he's got good reasons to be... things that people push as security features turn out to be irrelevant or even actually dangerous a large proportion of the time. They're not batting 1.000, or even 0.500, by any means.

This doesn't mean that OpenBSD won't get some kind of virtualization support, it just means that he's being careful and conservative and letting other people be the pioneers. I think this is a good thing, on balance... you don't want to be pulling arrows out of your back because your secure OS decided to take you through unknown territory.

Yeh, he's got an emphatic way of putting things. You just gotta deal with it. Several years ago I asked him about stack protection and his response was eerily similar to this. A few years later OpenBSD enabled stack protection by default.

I think he's got a point, but he's comparing running separate computers to running separate OS instances on the same computer. If that's how you're using VMs, then yes, the resulting system is less secure overall... and for Windows that's often how VMs get used because Windows tends to make it unreasonably hard to run multiple instances of the same application on the same computer. If you're replacing less extreme isolation mechanisms on the same computer with VMs, though, then you're adding an extra layer of defence. Think of it as a hierarchy...

* Same application instance (eg, web server modules)
* Separate applications (running multiple instances of apache)
* User level separation (multiple accounts for the separate instances)
* File system separation (multiple chrooted instances of apache)
* OS-level separation (eg, FreeBSD jails and I think Solaris domains)
* Hardware-assisted software virtualization (VMware, Xen)
* Hardware virtualization (IBM VM "penguin farms")
* Separate physical computers

It might be argued that IBM's virtual machines should be lumped with virtualization, or that separate computers should be split from blades, and things like NAS and SAN complicate things, but you get the idea.

Theo's looking at the hierarchy starting at the bottom, and seeing a reduction in security. Other people are starting at the top, and seeing an increase in security. Both sides are correct, it depends on where you start.

a google employee has done a good analysis

[cpm99352]

As another person pointed out on the OpenBSD list, see http://taviso.decsystem.org/virtsec.pdf [decsystem.org] for Tavis Ormandy's analysis of various VM's -- attack methods were exploiting bugs in the x86 architecture as well as invalid I/O device communication.

Okay, here's what happened

[Schraegstrichpunkt]

Theo de Raadt argues that it's more secure to put applications on separate machines than to consolidate them into a single machine.

L. V. Lammert very inarticulately argues that having a VM provides more security, because otherwise, you're not going to put applications on separate machines, because it's too expensive.

Security == managing complexity

[kscguru]

Virtualization is NOT intended for security. Period, end of story, full stop. Security is a secondary effect from having smaller interfaces, and you DO get smaller interfaces with inherent security advantages.

Here's the first truth of security: your ability to secure a system is INVERSELY PROPORTIONAL to the size of the interface to that system. Every interface point is a potential attack vector, whether direct (an attacker can exploit the interface) or indirect (something outside your control is loaded at interface A, then an attacker at interface B causes A to exploit something). Most security products try to reduce the size of interfaces (e.g. a firewall limits the number of open ports, then further excludes some types of traffic from those ports).

Look at a general purpose operating system kernel. There are hundreds of system calls (direct attack vectors), hundreds more driver interfaces (indirect attack vectors - driver interfaces are privileged and thus drivers must be bug-free), a few thousand more configuration points (Windows Registery, Linux /sys and /proc trees). Add the libraries that make up the rest of the operating system, and the number of APIs has exploded to thousands, if not tens of thousands.

Now look at a hypervisor stack. The hypervisor::guest interface is the CPU instruction set (extremely well documented and easy to programatically verify, especially when 99% of instructions can be verified to have no side effects!). Much narrower interface than a general-purpose API. The driver::hypervisor interface is narrower too, since the hypervisor only uses a lower-level interface (e.g. Xen's block device interface, VMware's SCSI interface) that happens to be simpler and better documented. Configuration API is smaller, since it only needs to manage virtual machines, not every possible combination of user-level program and device.

It's the old microkernel / monolithic kernel debate all over again, where a hypervisor is a microkernel and a general-purpose OS is a monolithic kernel, and the performance loss is small enough that companies are using it in production today. Microkernel have advantages in being easier to secure, more robust in the face of bugs ... monolithic kernels are faster. Is the smaller API (and increased security) worth the loss in performance?

Here's some security thoughts, based on actual experience with virtualization bugs.

• The largest number of security vulnerabilities appear in user-level servers, e.g. NAT, DHCP, ssh, apache. Potential commands to these services are unlimited (wide API), often involve text-parsing in C code (inherently difficult), and so they are hardest to secure.
• A moderate number of security vulnerabilities appear in paravirtualized device emulations. Paravirtual devices are less well specified (medium-width API), so the implementations have more bugs, often from ways the paravirtual device spec doesn't anticipate. (Yes, hardware folks write more complete specs than software folks).
• Extremely few security vulnerabilities appear in the hypervisor::guest boundary. This boundary is extremely well specified via data sheets and architectural manuals. (narrow API).

Lack of process isolation?

[tjstork]

When did segment registers and page tables quit working? I guess I must have missed that errata!

He's right, in theory

[Chris Snook]

[disclosure text="I work for a company that sells virtualization."]

Theo's expertise, and indeed that of the entire OpenBSD project, is in the realm of provably correct security. Virtualization adds yet another layer where something can go wrong. Sure there are and will be bugs. We're finding them and fixing them, just as we've always done. From an absolute security standpoint, Theo's right.

Of course, most businesses couldn't care less. Businesses don't view security as an absolute thing, because human factors make it generally impossible. Businesses view security as a risk, with associated probabilities and costs, worst-case scenarios, likely scenarios, mitigation strategies, and ultimately, diminishing marginal returns. For businesses using virtualization to consolidate systems, it generally reduces risk because it makes it easier to implement policies that mitigate human factors.

To be precise, virtualization *technology* decreases security, but virtualization *solutions* increase security, at least when done well, which is much more practical than the technical absolute of "done right".

[/disclosure]

Security granularity too big

[Animats]

I'm always amazed that virtualization on x86 works at all. The architecture didn't support it, and VMware dealt with that by dynamic code patching. Then Intel and AMD both added some hardware support, but 1) incompatible between Intel and AMD, and 2) single-layer (you can't run a VM on a VM on a VM, unlike IBM mainframes, where that works quite nicely. And then there's the issue that you now have two levels of scheduler, which may or may not play well together.

But those aren't the real problems. From a security standpoint, a VM running a whole operating system is an overly large security domain. It doesn't even contain, say, exploitable PHP scripts on a server, let alone a rootkit. In fact, almost any exploit that will work on a standalone server will work on the same server inside a VM, and can cause just as much trouble on the net. Now you can have multiple corrupted VM partitions!

What we're really seeing is that server virtualization is a way to unload security worries from the server farm operator (be it a hosting company or an in-house operation) onto the user. If the server operator just gives the user an empty partition and takes no responsibility for maintaining it, it's cheaper to be a server operator. Server management is easier. But it's no more secure from the standpoint of network, user, or data protection. Too much code in one security box.

Two types of security

[QuasiEvil]

Ugh, I hate it when I have to agree with Theo, but in this case, I think he's got a point. Hypervisors will have bugs, and some small portion of those will lead to security holes. I don't care how carefully the code is audited, when you're dealing with handling an architecture this nasty, there will be bugs. Because of the smaller amount of code and services that a hypervisor provides, it should be easier to get all the big bugs out, but I'd be willing to bet that some small ones will hang on, undiscovered, for some time.

As far as VMs and security, there are two types of security - defense against the malicious, and defense against the retarded. While VMs may not add much in the long term against the malicious (and may even expose more risk), I'd argue right now they're reasonable tools of isolation, until virtualization becomes mainstream and crackers get wise to exploiting the host machine.

They are effective, from a defense against the malicious standpoint, for isolating old platforms that you continue to need, but can't be exposed to the world. We have a proprietary tool that only runs on NT 4 (we've tried 2k, XP, etc. and no dice) that we absolutely must have at work. NT4 is no longer patched when security issues are found, and there are no longer drivers for the hardware we've had to move it to. So we run it in a VMWare VM that has no network access. Problem solved.

I'd argue that VMs are very effective on the "defense against the retarded" side. We have a shared departmental webserver here my job. I'm the main admin in my spare time. However, when they merged a bunch of groups, they made us share the box with them. Thus, management mandated they be allowed to change things as root to fit their needs - adding users, resizing LVs, fiddling with apache, etc. They kept fucking up the box and breaking our stuff. So eventually I loaded up Xen and gave them their own VM that they could break in any way they wanted. Tada - their virtual box is always screwed up, mine stays up all the time, and management is happy because we didn't need more hardware.

Arguably, the above also fits within the greater utilization purpose that I see being the big driver for virtualization. Realistically, most production boxes are far oversized for what they do. If you could stack virtual boxes on real iron to get better asset utilization, that's going to be the driving force for business, as it's a simple, quick way to reduce costs.

Re:

[micromuncher]

You missed the part about the solution; eating ones children. :-)

Re:

[jellomizer]

It is not sustainable. It takes more calories to produce a child then you get from eating them. It may only fix the problem in the short term, but in the long term you are better off putting them to work plaining new crops.

Re:History teaches once again...

[mdielmann]

It is not sustainable. It takes more calories to produce a child then you get from eating them.

This assumes that you eat (only) your own children.

Re:

[account_deleted]

Comment removed based on user account deletion

You mean baby MULCHING

[shking]

"software which OpenBSD uses and redistributes must be free to all (be they people or companies), for any purpose they wish to use it, including modification, use, peeing on, or even integration into baby mulching machines [neohapsis.com] or atomic bombs to be dropped on Australia" — Theo de Raadt

Re:History teaches once again...

[Bob-taro]

The Irish Potato Famine happened because Ireland was growing a small range of species of potato.

The same thing with Virtualization, each VM will not be completely secure and will have holes in it but spreading will be reduced because only a smaller portion of application will use that OS to virtualize.

I don't think that analogy applies here. I think TA's point is that the hypervisor itself may not be any more secure than the OSes it virtualizes. So now you're hypervisor OR the OS it's running may get hacked.

Re:History teaches once again...

[jellomizer]

Well right now most flaws are threw Applications anyways. I can run Open BSD and still make an application that runs as root and have such a major security flaw that it will allow people to have full access to my system. At least with it being virtualized it will at least protect it from quickly spreading to my other Apps.

Re:History teaches once again...

[alan_dershowitz]

You're missing the point. Your virtualization product is an application, which weakens the security of the OS running under it. So now you can have attacks from both sides. As Theo says, now an OS crash (inside the VM) can become an attack on the host system, and application attacks on the VM can become an attack on the OS running in the VM.

His position has many facets. As I understand it:

* programmers make buggy code, and now programmers are programming virtual hardware
* the hardware they are emulating (PC architecture) is a nightmare, they have to do crazy, unsafe crap to implement it.
* application flaws in the VM can compromise the guest OS.
* OS flaws in the guest OS can potentially compromise the host OS.
* virtualizing hardware is inherently less secure than the physical segmentation of using actual, separate machines, so when you consolidate many machines onto a VM system you have a net loss in security.

Re:

[pionzypher]

the hardware they are emulating (PC architecture) is a nightmare, they have to do crazy, unsafe crap to implement it.

Question, (and forgive my ignorance of the actual implementation of VMs) but would this not be an opportunity for an improvement? It would be a huge undertaking to be sure, but why emulate x86? If an architecture specifically for VMs were developed that did away with the craziness of x86 and streamlined to be more efficient and secure, would that not be worthwhile? I can run linux on sparc or (motorola) mac hardware, would a standard HyperVisor architecture be much more of a stretch?

This definitely

Re:

[bhima]

I have sort of mused for a while that adding native hypervisor functionality (or would it, in this case, be native para-hypervisor?) would be an interesting path for next generation firmware, like Open Boot Firmware, to take.

I also think that another one of Theo's point that is getting lost is that _anything_ that adds complexity also adds risk and should be considered unsafe. It may be that it adds value and is therefore worth to add and to audit but it still adds risk. This I wholly agree with, which is

Re:

[Sancho]

Security is all about layers. It's about doing many things to keep your systems from becoming compromised, so that if any one of them fails, hopefully the others will minimize or mitigate the damage. If I jail a service, that's one more barrier that an attacker must overcome to get control of the bare metal. In this case, although you're adding complexity, it's possible that it increases security overall. If that process which I jailed happens to be init, and it happens to load an entire new instance of

Re:

[afidel]

virtualizing hardware is inherently less secure than the physical segmentation of using actual, separate machines, so when you consolidate many machines onto a VM system you have a net loss in security.

And you know what, I don't freaking care about that. If I can trade a little theoretical attack surface for real world gains I'd be foolish to not consider it. I mean we do it every day when we use normal OS's instead of something like Trusted Solaris, so why not do it to see significant gains. The gains a

Re:

[Just Some Guy]

Those have significant direct and indirect benefits (lowered cost and less environmental impact primarily). I guess if you're a security zealot you wouldn't even consider the tradeoff, but for those of us in the real world it's probably not a tough sell.

I think his point was to make people aware of the tradeoff. He's telling them that those reasons are perfectly valid, but you should know what new risks you're exposing your systems to so you can make that decision with full knowledge. I do know people who equate VMWare with security, and that's just not true. He wants everyone to understand that.

Re:

[alan_dershowitz]

ack, I didn't address your specific example. Theo's position here is: now, instead of an exploitable app and an exploitable OS, you have two exploitable OS (guest and host) and two exploitable apps (your app and the VM.) Making this worse is that the the exploitability of each individual piece is amplified by the potential promoting of an OS crash into an application exploit (VM.)

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[darthflo]

It doesn't really matter how big the hypervisor's attack surface to the outside world is, as long as a guest running on top of it is in any way able to compromise it. If this is the case (and I don't really doubt it), a hole in one of your guests and the hypervisor will allow an attacker not only to compromise all identical guests but all guests to which said hypervisor has access to. This has the potential to trade whatever efficiency gains virtualization provides for complete lack of control over the whol

Re:

[_Sprocket_]

I don't think that analogy applies here. I think TA's point is that the hypervisor itself may not be any more secure than the OSes it virtualizes. So now you're hypervisor OR the OS it's running may get hacked

Actually... the gist of argument seems to go deeper. The point being stressed is that the underlying hardware can't provide sufficient separation so its unwise to expect either the host kernel / hypervisor or guest OS to do it. Buggy OS implementations seems to be more historical proof than the issue in itself.

Keep in mind that the base debate is whether a virtualized environment is "more secure" or not. I understand where the initial idea is coming from; the ability to provide various groups with their

Re:

[jours]

> So now you're hypervisor OR the OS it's running may get hacked

The avenues of attack against a hypervisor number far less than those against a guest OS...and should be zero behind a proper perimeter.

One thing no one mentioned in the article is that virtualization provides a great opportunity for intrusion detection. I haven't seen it implemented by anyone yet (admittedly I haven't been looking) but the concept at least allows for software running at the hypervisor level that could detect misbehaving or

Re:History teaches once again...

[Wavicle]

I think TA's point is that the hypervisor itself may not be any more secure than the OSes it virtualizes.

Actually Theo's argument was that software engineers can't write an OS without security holes, therefore they can't write a hypervisor without security holes.

The argument is, of course, full of shit. The hypervisor in question, Xen, is 50,000 lines of code. Compare this to the linux kernel which is about 6 million lines of code or Vista which is said to be 10s of millions. Theo also drags out his favorite attack about page protection. He is known for attacking a "vulnerability" in a C2D code segment limit/page accessed issue (AI90) as being "assuredly exploitable" in OSes other than OpenBSD, even though nobody has been able to propose a way to exploit it.

The problem with Theo attacking things is that he is so well respected in BSD-land that his word is taken for granted. Sometimes he gets it wrong, but unless someone equally high up wants to spend the time to rebut his ranting (a lot of work for no gain) everybody accepts what he says.

Re:History teaches once again...

[Chris Burke]

The Irish Potato Famine happened because potato crops were the only thing they could grow on tiny plots of land in sufficient quantity to both pay their English Lords and feed themselves (the latter being the optional part), so when the potato crop failed they didn't have any other food. Other areas had a more diverse potato crop, but more importantly they had other crops entirely and thus even had all their potatoes died, it wouldn't have caused a famine (or at least not anywhere near the scale of the Great Famine) because they had other food to eat. The Irish had no other food source by design of the English, thus causing mass starvation.

There's still a lesson in diversity and computer security to be learned here. But it includes the harsher lesson that human leaders often don't care about the necessity for diversity and the cost to security (and thus the IT department), and can impose a homogeneity that is even worse than an IT department that just didn't consider diversity to be important.

Re:

[darthflo]

Actually I think virtualization is somewhat able to undermine all advantages diversification has if (and only if) an attacker is able to not only gain access to one guest but also, through that guest, to the hypervisor itself. After that is done, no amount of diversity in your choice of guests will be of any help whatsoever.
Using different hypervisors is a possibility, but there doesn't seem to be real possibility to both provide security and maximum usage of capacity.

Re:

[mdarksbane]

It's an interesting fact that Ireland was still a net EXPORTER of food during the potato famine, most of it going to England. Politics kills more people than crop failures.

Re:

[crush]

Not to forget that huge quantities of corn (not the same thing as US corn, but what we would call wheat) were exported from Ireland from the estates of the English absentee landlords while the population starved. An extremist "laissez faire" freemarket ideology was used at the time to explain the situation (especially by the eminent philospher Burke) similar to the approach taken across several centuries of famines in India by the English Imperialists). These market experiments on millions of starving peo

Re:History teaches once again...

[value_added]

There's still a lesson in diversity and computer security to be learned here.

Indeed. Implementing proper security is no small potatoes.

Re:

[somersault]

Security by obscurity, baby!

Re:

[DrSkwid]

> The Irish Potato Famine happened because Ireland ...

You missed the part where the World's richest nation continued to export other foodstuffs from Ireland, refusing to help.

History teaches that you must check your facts

[giafly]

... or look like a retard. Potato blight [wikipedia.org] is caused by a mold, not a virus. Your on-topic opinion is equally wrong, because if any OS running on your computer gets pwned then the bad guys can use it in their botnet - they only need to crack one not all - so more OS's == more risk.

The Irish Potato Famine happened because Ireland was growing a small range of species of potato. A virus hit the Potato and it spread so most of the potato's died thus causing the famine.

Re:

[coldmist]

Although the potatoes died because of the blight, the famine was caused by the corn laws:

http://www.fee.org/publications/the-freeman/article.asp?aid=2019 [fee.org]

The situation of Irish tenant-farmers explains how the failure of a single crop could devastate an entire country. Since most of the farmland in Ireland belonged to a few wealthy English and Irish landowners, the majority of the Irish agricultural population did not own land and had to trade their labor for the use of a dwelling and a garden plot. Alth

Re:

[superpulpsicle]

Virtualization is overrated. For people who are really in the field to manage, it creates as much overhead as the it solves. Whatever happen to the days when 1 machine is 1 machine. For the people who claim there is benefit, I am starting to be convinced it only benefits where configs are simple.

Re:Welcome to the rest of the IT world, Theo!

[spun]

Not to put it as harshly as the AC, but you don't know what you're talking about. Are you a sysadmin of any kind? Security was never the direct reason for virtualization. Utilization was. Now, virtualization may not help with crackers, but it does help isolate configuration issues, runaway processes and things like that. Admins like to keep one app on one machine because in a production environment, we are afraid of borking things that are currently working. Virtualization lets us keep one app per virtual machine, while letting us more fully utilize our physical hardware. This cuts down on electrical and cooling bills, & frees up rackspace. Mainframes have been doing this for decades.

Re:

[i.r.id10t]

Not to mention making the hardware generic - you can move the virtual disks from one machine to another (or have it boot them from a SAN, etc) and not worry about the HAL that windows sees changing, even if the "real" HAL does. Makes migrating your "server" to a new box very easy, same with developing and setting up a "box"....

Wrong

[spun]

We are talking custom in-house apps, not running DNS and a web server on the same box. I am and always have been a UNIX admin, I was taught this method, and I've seen it done in every place I've worked.

Dumb AC fanboi. Pick a better reason to dis Windows.