NSA + VMware = Crackproof Computing?
n8willis writes: "ZDnet is reporting on a VMware and NSA collaboration called "NetTop." The idea is to run multiple virtual computers on one box, to eliminate the need for government workers to have separate PCs--and indeed separate networks--for classified and unclassified data. The challenge is making the virtual barriers as secure as the physically separate networks. NSA and VMware say they've done it. What do you think?" Will copying between virtual machines be impossible? I wonder when (or if) NSA changes will make their way into the various distributions' boxed releases.
Very Interesting (Score:1)
Here's one problem.. (Score:5)
As I understand it now, the present system where multiple machines are used in government institutions has a black machine that contains secret data, and a white machine that contains only sensitive data. Much harder to type something into the wrong machine when the color of it is immediately apparent to you, I would think.
--
Securing (Score:2)
Therefore, this would only help a PC user that is always working under his highest security.
----------------------
Re:Crack Proof? (Score:1)
--
You think being a MIB is all voodoo mind control? You should see the paperwork!
Colored computers? (Score:1)
We do have stickers on each machine, color-coded as well as with much verbiage, telling what level of material can be accessed on each machine. Hell, we've got classification stickers on Xerox machines!
DMS? (Score:1)
We're still getting contradictory instructions every couple of days on how to interact with "normal" email addresses, and new registry patches get pushed out seemingly daily.
Thank goodness I'm leaving next week.
Re:This is the Orange Book, redux (Score:1)
Re:Here's one problem.. (Score:2)
Re:Sounds familiar (Score:1)
VMware is simply not secure (Score:1)
Only if the other machine can measure it. (Score:1)
Re:Crack Proof? (Score:1)
If you have some element with HCL as a constituent unit and then you remove the HCL, what happens? The two become chemically different. If two things are chemically different, then they are not the same.
-----
"People who bite the hand that feeds them usually lick the boot that kicks them"
Re:Sounds familiar (Score:1)
Re:Crack is right (Score:1)
Re: (Score:1)
Copy-Paste, Go to Jail (Score:1)
Re:Linux World (Score:1)
-_Quinn
most excellent comment (Score:1)
Re:Same CPU same RAM (Score:2)
UML? (Score:1)
No, dammit! (Score:2)
same box, etc (Score:1)
IMO for complete security you want the physical boxes to be secure too...
Moz.
Re:Here's one problem.. (Score:1)
A user could inadvertently (or maliciously) cut text from one VM window and paste in another VM window using the host system's clipboard.
Re:Maybe I am confused but... (Score:2)
Then, you are left with penetrating the host filesystem and changing the vmware software. But of course, this isn't the point. You secure the host system from outside attack and then basically the only way the hackers can get in is through the guest operating systems. And these cannot talk to other guest systems.
Sounds like a dumb terminal concept to me (Score:1)
Chokepoints (Score:2)
Grab whatever's in there and you've got a copy of what the user sees. Reprocess it and you've got the content a screen at a time. Get a trojan horse onto the less-secured side of the machine and you've got a window onto the more-secured side.
Similar to how the US bugged Xerox machines (and yes they were Xerox-brand) in the Washington Soviet Embassy - put a mirror inside and simply duplicated everything.
Is there any technique (that just-folks know) to encrypt/otherwise secure what's in a videocard yet still have it perform properly?
Re:Only if the other machine can measure it. (Score:2)
Because it undermines a lot of the advantages of having a single system. If you allocate each separate VM a fixed percentage of system resources, you also prevent one process from being able to access complete system resources if none of the other ones are using them. IOW, if you have 2 VMs on a system and each is allocated equal resources, you won't ever be able to go over 50% usage with a single process. Admittedly, that may be acceptable in a system where you have a small number of separate security compartments, but if you have 10 different compartments on a single machine, it's just not acceptable to restrict each of them to 10% or less of system resources at all times.
In practice, it would probably be acceptable to go to a moderately coarse grained resource allocation scheme that would limit covert channel bandwidth (the secure computing guidelines suggest that any channel that can transmit data about as fast as a person can type is critical) and then audit any remaining channels. You may actually be better off letting people think they're getting away with something and catching them then shutting off something you know about and letting them find out about something you don't know about.
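An added toy model (not code from the original thread or from VMware) of the trade-off this comment and the "Covert Channels" comment describe: a receiver VM times a fixed job while a sender VM is idle or busy, and the simulation measures how much of that signal survives under a work-conserving scheduler, under the fixed-partition scheme discussed above, and under a coarsened (virtualised) clock. Job lengths, the clock resolution and the decode threshold are constructed assumptions, not measurements of any real system.

```python
import random

BASE = 10  # constructed: receiver's job takes BASE ticks of uncontended CPU


def job_duration(sender_busy: bool, work_conserving: bool) -> int:
    """Ticks the receiver's job takes under the two scheduling policies.

    work_conserving=True: idle cycles go to whoever wants them, so a busy
    sender halves the receiver's share (job takes 2*BASE).
    work_conserving=False: fixed 50/50 partition; the receiver always gets the
    same share, so the sender's behaviour cannot change the timing.
    """
    if not work_conserving:
        return 2 * BASE
    return 2 * BASE if sender_busy else BASE


def read_clock(t: float, resolution: float) -> float:
    """A virtualised clock that only advances in steps of `resolution` ticks."""
    return (t // resolution) * resolution


def run_channel(n_bits: int, work_conserving: bool, clock_res: float, seed: int):
    """Simulate n_bits sent by the sender toggling busy/idle once per job.

    Returns (fraction of bits decoded correctly, number of distinct timings
    the receiver ever observed). Exactly one distinct timing means the
    receiver learns nothing, whatever the decoder does.
    """
    rng = random.Random(seed)
    correct = 0
    observed = set()
    for _ in range(n_bits):
        bit = rng.randint(0, 1)
        # Random phase of the job relative to the coarse clock grid.
        start = rng.random() * clock_res
        end = start + job_duration(sender_busy=bool(bit), work_conserving=work_conserving)
        measured = read_clock(end, clock_res) - read_clock(start, clock_res)
        observed.add(measured)
        decoded = 1 if measured > 1.5 * BASE else 0
        correct += decoded == bit
    return correct / n_bits, len(observed)


def demo() -> dict:
    """Compare the three settings on the same bit stream."""
    return {
        "shared, fine clock": run_channel(4000, True, 1.0, seed=1),
        "fixed partition": run_channel(4000, False, 1.0, seed=1),
        "shared, coarse clock": run_channel(4000, True, 100.0, seed=1),
    }


if __name__ == "__main__":
    for name, (acc, distinct) in demo().items():
        print(f"{name:22s} decode accuracy={acc:.2f} distinct timings={distinct}")
```

Fixed partitioning closes the channel at the cost of the idle capacity the comment mentions; the coarse clock only degrades it, which is why the post suggests auditing the channels that remain.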
Re:Air Farce? (Score:2)
A Farce is a charade, or pointless exercise in politics, or a drama played out in reality. For example, a high school student council.
I like it the way it was originally.
All my dreams come true! (Score:2)
Very important to the ZDnet article!!!!!!
It just might work, with enough protection... (Score:1)
--
Twivel
Do it for grade schools (Score:1)
Someone call Hillary and Jack! (Score:5)
I dunno, but if it is, someone'd better call RIAA and MPAA to let Ms. Rosen and Mr. Valenti know about it :)
Is this the best way to do it? (Score:2)
There is, of course, a moderately obvious problem: (Score:1)
big iron (Score:1)
/ k.d / earth trickle / Monkeys vs. Robots Films [monkeysvsrobots.com] /
Re:VMWare firewall (Score:2)
----
Re:Slow down... (Score:1)
Or, Maybe the NSA is having a hard time keeping up with these new CPUs
Yeah, right. Nobody has more experience with using fast CPUs than NSA. Besides, we don't generate more internet traffic because our CPUs are faster. It's because of the cheaper bandwidth available.
Also note, this is for people who do work on both classified networks and non-classified networks. Do you know anybody who works on a classified network? It certainly isn't joe home user.
secure, eh ? (Score:1)
cat
Covert Channels - XTX/STOP (Score:1)
Re: (Score:2)
Regulations would never allow it (Score:2)
The amount of regulations that would have to be rewritten would be astounding. That (esp. versus the small cost {for the DOD loves to spend your tax money} of buying a separate computer) would keep that from ever happening.
Plus you are talking about a new idea. The military thrives on the status quo. New ideas are implemented over many many years of missed deadlines (example {for mil guys} DMS).
You wouldn't believe the paranoia that surrounds security around here. I can't stress enough, that would never ever happen.
That won't change anything. (Score:1)
That won't change anything. The same silly security breaches would still plague them. In my opinion, the best way to insure these stupid security breaches don't occur is to use a nix, and only hire people who know or learn something about computers.
It's ridiculous to assume that an end user who can only use a simple (windows-like?) GUI will know anything about security.
That would be a good start.
Copying between virtual machines trivial if... (Score:1)
What you need is a filesystem which is accessible from either/any virtual machine. There are cryptographic techniques so that any subset M (or more) from N passwords will permit decoding the data (see Schneier Applied Cryptography for how). Our case is effectively M=1, N=2. However, you're then in a state of having an idiot putting things on the shared filesystem rather than where it should go. In which case you'd need to impose some handling restrictions to prevent misuse. Enforcing these restrictions would be not 100% possible I'd guess, but little to do with humans is.
The other idea would be that the shared area should only be accessible if you can prove that you have both keys. That limits the number of people who can access the shared area, and may impose a bottleneck.
I'm sure anything's possible, it's just a simple matter of coding! (tongue in cheek, there
Phil
-- Real Men Don't Use Porn. -- Morality In Media Billboards
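An added example (not code from the original post or from Schneier's book) of the M-of-N threshold scheme Phil refers to, implemented as Shamir secret sharing over a prime field. It covers both of his ideas at once: splitting a filesystem key as (M=1, N=2) gives each VM a share that alone recovers the key, while (M=2, N=2) requires both. The field prime and the sample key are assumptions chosen here.

```python
import secrets

# Assumption: shares live in GF(P) with P = 2^255 - 19 (a known prime), so
# any key that fits in 255 bits can be shared directly as an integer.
P = 2**255 - 19


def _eval_poly(coeffs, x: int) -> int:
    """Evaluate a polynomial with the given coefficients at x, mod P (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split(secret: int, m: int, n: int):
    """Split `secret` into n shares such that any m of them reconstruct it.

    The secret is the constant term of a random degree-(m-1) polynomial;
    share i is the point (i, f(i)). With m == 1 the polynomial is constant,
    so every share is the secret itself: either VM alone can decode.
    """
    if not 0 <= secret < P:
        raise ValueError("secret must be an integer in [0, P)")
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def combine(shares) -> int:
    """Lagrange-interpolate f(0) from at least m distinct shares.

    Fewer than m shares produce a value unrelated to the secret (it is not
    detected here; a real deployment would wrap an authenticated key).
    """
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def key_from_bytes(raw: bytes) -> int:
    """Map a raw symmetric key (up to 31 bytes, so it stays below P) to a field element."""
    if len(raw) > 31:
        raise ValueError("key too long for this field")
    return int.from_bytes(raw, "big")


if __name__ == "__main__":
    key = key_from_bytes(bytes.fromhex("00112233445566778899aabbccddeeff"))  # constructed
    either = split(key, 1, 2)   # Phil's first idea: each VM's share suffices
    both = split(key, 2, 2)     # second idea: both shares are needed
    print("M=1,N=2 single share recovers key:", combine(either[:1]) == key)
    print("M=2,N=2 single share recovers key:", combine(both[:1]) == key)
    print("M=2,N=2 both shares recover key:  ", combine(both) == key)
```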
Douglas Adams would be proud (Score:2)
sheesh, it's like that Douglas Adams book Mostly Harmless where, in order to get around all the inconveniences of tight security, people carry around small credit cards with their mother's maiden name, fingerprints, retinal prints, dna pattern, etc etc holographically encoded.
Woops.. (Score:2)
And what's worse, since he was using cut-paste, he lost the code once he closed the window, clearly not a very lucid move, and now we can not change the launch code without the old one. Isn't that a bummer?
Re:Here's one problem.. (Score:1)
P.S. Why doesn't the government employee look out his window in the morning? So he'll have something to do later.
Re:Covert Channels - XTX/STOP (Score:1)
Or you can design ways to monitor possible covert channels and alert computer security if something suspicious is going on. This should actually work pretty well together with various covert bandwidth reduction approaches. If you can reduce bandwidth to, say, 1 bit/second, it will take several minutes to send even the most trivial message covertly, and that should give you plenty of time to notify the bandwidth police to monitor the situation and stop it if something fishy is going on. And if you save all of your critical data as MS Word files, it will take all day to get through the endless Word headers and make it to the vital data ;-)
Re:Crack Proof? (Score:1)
Re:Will never be used in practice (Score:1)
Even assuming that you have one physical machine running n independent virtual machines which are absolutely and utterly independent of each other (note that I don't think this is actually possible, I'm saying just assume that it is), there remains the problem of getting information in and out of the box. As it stands, you've got separate ethernet cables, routers, the whole nine yards for the outside internet and the classified intranets. With VMWare, would you be running that over one physical network? I suppose you could try to tunnel the secure box's connections over the unsecure ethernet, but that just seems to me like you're asking for trouble.
Basically, it boils down to, with two networks and an air gap, you know you're secure as much as is humanly possible. The moment you start running all your data over one pipe, you open yourself up to all sorts of trouble, with intercepted connections, eavesdropping, and all that. I can't ever see this sort of thing being approved by the people in charge of security, no matter how much the cost-cutters beg.
Re:Air Farce? (Score:1)
Sounds like good ol' VM/370 from IBM (Score:1)
Don't they share the same hardware & host OS? (Score:1)
DOS is dead, and no one cares...
Re:Crack Proof? (Score:1)
Maybe I'm REALLY confused... (Score:1)
Doesn't that mean that each individual client has a key to the one single file that is the single point of failure? So, getting a backup of even just a client would be a start to reversing the encryption.
I'm sure I'm over simplifying this, but its a job requirement in the real world...
PIB = Pengiun in Black (Score:1)
Re:Here's one problem.. (Score:3)
Re:Here's one problem.. (Score:1)
Will never be used in practice (Score:3)
I don't get it... (Score:1)
Their security just seems flawed, and this solution isn't a fix. I'm sure they have reasons for doing so (probably classified reasons), but what about using different NICs for the different networks (hey, a Quad ethernet adapter or two and you would be set.) or just get one and use IP Aliasing? Why use separate networks at all? Different servers for each level of access, with strict control over who can access the info from where, and strong encryption, and you have a perhaps better solution.
If anyone can figure out their security model and reasons behind it, please enlighten the rest of us.
...nothing is certain in security... (Score:1)
I hope the NSA takes their time in evaluating VMWare's stuff. Right now, they have a working system. Is it really worth it to throw this system out in favor of an unproven technology?
I am not saying VMWare is unproven technology, but merely this new use for the product. Again, from the article, "the current VMware technology is not up to a level of assurance necessary for this."
Of course an obvious point is that there is no such thing as "Crackproof Computing." No matter how good this product becomes, there will always be a chance that there are remaining security holes. It may be a while before this risk is at an acceptable level for the NSA.
Re:Hmmm... (Score:1)
Witness the failure of Sun's JavaStation and Larry Ellison's net pc concept.
There is a place for both distributed and centralized setups, but for the majority of people having a compromise works well.
Remember VM/370 (Score:1)
The advantage of this approach comes from the precision with which machine architectures are specified, and the very limited number of communication paths available between machines.
IBM also did some work with VM/370 where they completely virtualized the clocks on the system. While they did this project to allow benchmarking hardware that had not yet been built, the same facility can be used to greatly reduce the bandwidth of covert channels between virtual machines.
If the VMWare system has these features, it may well be a B level system, and be approved for the kind of multi-level security application described.
What about hardware malfunctions (Score:1)
Ken
Re:What? (Score:1)
Heh, except of course you can't run *any* operating system. They've taken a few shortcuts that mean you can't boot unsupported OS's in many cases. (For example OS/2).
I disagree (Score:2)
Computers are very good at blindly following instructions. Humans, however, tend to suffer from problems such as laziness, ignorance, contempt, or outright disregard for the rules (and in the worst cases, greed...). No one has ever heard of a computer that decided to disregard its programming. Every case I have worked began with human error.
By their very nature, computers can't break the rules, but humans definitely do.
As for the hard drive issue, I see two solutions:
1. Have a single drive for the entire machine, and the classified Virtual Machines (VMs) would operate with an encrypted file and swap space. Modify the OS so that unencrypted info can exist only in volatile RAM (I believe OpenBSD already does this).
2. Run at least two hard drives, one for the host OS and unclassified VMs, the other encrypted for the classified VMs. This would be easier to conform with existing regulations on classified handling and storage.
Re:Is this the best way to do it? (Score:1)
Also, at the moment UML only runs on x86 as well, though in theory it's not hard to port.
C'mon (Score:2)
Re:Maybe I'm REALLY confused... (Score:1)
Re:secure, eh ? (Score:1)
the -real- interesting part of hacking VM's, and the principal point of security, is virtual isolation. now, if someone could crack -that-... then the fun would begin.
--nick
Crack proof? Yeah, right... (Score:2)
Then again, multiple virtual machines and strong crypto would not protect against the type of small keyboard sniffers that the FBI (and other intelligence agencies) supposedly already have -- the kind that connects directly on your keyboard and stores everything that is typed.
Finally, I am almost certain that someone could come up with a virus that would infect one VMWare layer (think Win9x here) and would do the same password-gathering. With the right drivers, one can even imagine a virus/trojan horse mounting other filesystems and discreetly searching for interesting files and data.
In short, I really don't think this has any chance to work. Memo to NSA: use OpenBSD or your own (reinforced) version of Linux with ultra-strong crypto -- you'll run less risks this way.
After all, what's the point of emulating (slowly) multiple operating systems, when it's probably much faster to port all the tools users need to one "set" of platforms (Unix?).
Just my $0.02. I am not sure this rant makes sense.
Can you Imagine a... (Score:1)
How about terminal sessions instead? (Score:1)
Think about it...a virtual machine is still going to have access to RAM, ports, etc. Not to mention they're probably going to have each virtual machine running on private IP space over the same wire...that can be sniffed as well.
A central server that each person accesses through an encrypted link allows for secure network traffic, a central repository of the data in question, and allows for ACL's restricting which computers can even access it.
Sometimes the most elegant solution isn't the most complex one.
Sure there are still risks associated, like hardware keystroke loggers, shoulder surfing, and shit like that, but that's a risk regardless, and I hope the DoD has measures in place to reduce physical security risks.
this is funny (Score:1)
I think I'll invent "floppy" disks, and tout them as the future because one could fold up his data and carry it in his pocket.
cool idea , but.... (Score:1)
(i.e. a Windows P.C. and a Solaris Sparcstation).
It would be very interesting if VMWare could emulate other platforms such as running IRIX or HPUX on intel based hardware.
Regardless, I'll definitely be keeping my eye on this company!
This is the Orange Book, redux (Score:4)
Once upon a time, the U.S. government wrote a set of specifications for multi-level secure computers, called the orange book [fas.org]. This worked pretty well for mainframes: Multics was rated B2, and was on the 'net as dockmaster.mil.
It was a bit clunky, but had been continuously updated over time, so I still have a machine running Trusted Solaris 7 [sun.com] in my basement.
It's arguably the same task to do this sort of thing with a virtual machine monitor as it is with a security monitor: both create trusted computing bases, which enforce the security rules.
It would look almost exactly like an unmodified system, with optional colored bars on the windows indicating the security level and subject matter that was displayed there.
The rules the TCB would enforce are things like "thou shalt not copy from higher security down to lower security", so the TCB gets asked if it should allow a top-secret cut buffer to be pasted into an merely restricted document.
The Trusted Computing Base (the VMM) gets to say no, and so refuses to allow mapping of that page. The X server gets a -1 return code and errno=NOWAYJOSE, so it then pops up a "sorry, that was a security breach" message... which is exactly what my TS system does when I klutz and try to copy stuff from my confidential files into my unclassified email!
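An added illustration (not code from the original post, from Trusted Solaris or from VMware) of the cut-buffer rule this comment describes: a labelled clipboard whose paste is mediated by a reference monitor that enforces "no copy from higher security down to lower security", using a level-plus-compartments lattice. The level names, compartment names, window names and the -1/"EPERM" return convention are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hierarchical classification levels; the numeric order defines "higher".
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)  # subject matter

    def dominates(self, other: "Label") -> bool:
        """Lattice order: at least as high a level AND a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class Window:
    name: str
    label: Label  # the "colored bar" on the window


class CutBuffer:
    """Clipboard mediated by a reference monitor.

    copy() tags the buffer with the source window's label; paste() succeeds
    only when the destination window's label dominates that tag. A refused
    paste is recorded, which is what drives the "sorry, that was a security
    breach" dialog in the post.
    """

    def __init__(self) -> None:
        self.content: Optional[str] = None
        self.label: Optional[Label] = None
        self.audit: List[str] = []

    def copy(self, src: Window, text: str) -> None:
        self.content, self.label = text, src.label

    def paste(self, dst: Window) -> Tuple[int, str]:
        """Return (0, text) on success, or (-1, reason) when the TCB says no."""
        if self.content is None or self.label is None:
            return -1, "EMPTY"
        if not dst.label.dominates(self.label):
            self.audit.append(
                f"DENIED: paste from {self.label.level} {sorted(self.label.compartments)} "
                f"into window '{dst.name}' ({dst.label.level})")
            return -1, "EPERM"
        return 0, self.content


def scenario() -> Tuple[Tuple[int, str], Tuple[int, str], int]:
    """Copy from a confidential file, paste into unclassified mail (refused)
    and into a top-secret editor (allowed). Returns both results + audit count."""
    conf_file = Window("confidential notes", Label("CONFIDENTIAL"))
    uncl_mail = Window("unclassified email", Label("UNCLASSIFIED"))
    ts_editor = Window("top secret editor", Label("TOP SECRET", frozenset({"CRYPTO"})))
    buf = CutBuffer()
    buf.copy(conf_file, "meeting moved to 0900")      # constructed sample text
    down = buf.paste(uncl_mail)                        # write-down: refused
    up = buf.paste(ts_editor)                          # write-up: allowed
    return down, up, len(buf.audit)


if __name__ == "__main__":
    down, up, denied = scenario()
    print("paste into unclassified mail:", down)
    print("paste into top secret editor:", up)
    print("security breach attempts logged:", denied)
```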
Re:Slow down... (Score:2)
... and rightly so -- proven impossible to secure (Score:2)
Basically, ANY time you share a resource, you can monitor how others use it. The CPU is such a resource.
Re:Maybe I am confused but... (Score:3)
          Host
         /    \
 inter-net VM  intra-net VM
If you compromise the internet VM (which we assume can happen -- this is why they are currently different machines, physically) this doesn't necessarily give you any means to access the meta level Host computer.
If that were possible, then yes, the attacker could compromise the supposedly secure intra-net VM (NB: copying its state would only give you a snapshot -- it would be much better just to relay all of its communication traffic to the internet).
So now we need to prove that it is impossible to get access to the meta level from the internet. This comes immediately from the virtualisation requirements -- each hosted OS has no way of realising it isn't running on the base hardware.
Even if we are not able to prove this, the fact that the internet connected machine is virtual gives us the ability to snapshot its state at a fully booted uncompromised point in time; in order to make cracking it hard, we can just kill the entire machine every 5 minutes and reinstate the snapshotted version. Any attacker now has to crack not only the inter-net VM, but also the Host machine in 5 minutes.
However, this all assumes a trusted user. If the user has the ability to do screen captures from the intra-net VM, they could then conveniently send these via the inter-net VM.
BSODs on top of VMware (Score:2)
In some ways, Windows on VMware is actually more stable than Windows on real hardware, largely because VMware emulates hardware that has well proven drivers.
Slow down... (Score:3)
-Andy
Re: (Score:2)
Not possible, sorry (Score:2)
2. insmod fuck-vmware.o
3. Proceed to read and/or write all the address space your heart desires.
The entire idea is ridiculous. Nothing can be as secure as having separate networks, except not having secrets.
Crack Proof? (Score:2)
Hmmm... (Score:2)
Then there were PC's where everyone had their own "little mainframe."
Now I'm seeing a trend back towards centralized computers. It started with client/server, and now this from the boys and girls at the NSA.
Can you say "pendulum swings?"
VirtualPC API (Score:2)
The reason I bring this up is because VirtualPC includes an API that lets Windows "see" your Mac hard drives and vice-versa. The API exists both inside the VM and outside, but I think it's only capable of letting Windows mount Mac directories, not the other way around.
In either case, this API effectively can let multiple Windows VMs see each other, so VMWare would have to certify that such an API doesn't exist in their NSA-approved VM.
--
Re:Maybe I'm REALLY confused... (Score:2)
However, these session keys are not the same as the (presumably) strong master key used to generate them. Many programs (such as PGP) go to great lengths to destroy the memory-representation of my master key after it is no longer needed -- tho this is mainly to avoid it being swapped to disk.
Other workarounds are keeping the master keys in hardware -- the NIC or in one of the IBM hardware locks. Neither of these are part of the VM state, but rather the base hardware, so they wouldn't be represented in the secure VM.
Another idea would be to have the Host do these as a trap -- have the secure VM think it's running on hardware with a de/encryption primitive instruction. This instruction is trapped by the VMWare and executed by the host operating system.
In this last case, compromising the host would imply key loss; this is not necessarily the case in the hardware scenario.
Re:Will never be used in practice (Score:2)
Fortunately, (The Matrix aside), it's still harder for crackers to break the electronic barrier than the physical barrier.
I am the ghost of Trusted Mach (Score:2)
My first job out of graduate school was at Trusted Information Systems (now swallowed by Network Associates) on the NSA-funded Trusted Mach [pgp.com] project.
The idea was that you would run different OS sessions, each of which would provide a POSIX, or OS/2 (guess that dates the project), or whatever, "personality", at different sensitivity levels on top of the Mach microkernel. Data could be copied between sessions subject to security constraints. It was targeted (though never evaluated) to hit the B3 TCSEC criteria. Interesting stuff, but it never really went anywhere.
This sounds very similar.
Tom Swiss | the infamous tms | http://www.infamous.net/
Two things. Simple, short, and not stupid. (Score:2)
Remember DES? The NSA rolled out DES because it wanted everyone to use something it could crack.
Read the article and think. They have a linux distribution that they believe to be bullet proof. They are going to use this to host other operating systems. A hardened linux box can act as a security arbiter. That is all they are doing, they are building in a firewall in to every box they'll be using.
The effect of the second can be stunning. Their admins will now be able to do anything they want to any Win XXX PCs on their network. Monitor it, patch it, replace the OS, lock out the user, sane and reliable network firewalling, anything they want.
They lose easily verifiable air gaps... which can be violated any time a security officer is not looking, and they gain the ability to truly manage their PC environment. Imagine IPSec wrappers for every one of your network transactions, even if the underlying (overriding) Win xxx does not support it. That is a huge win even on just sensitive networks.
Covert Channels (Score:4)
It seems to me that this approach would still be very susceptible to various forms of covert timing channels. Since the different systems are running on the same hardware, you could still signal between them by having one system hog system resources or not as a way of signaling bits to the other system. There was some discussion of this approach to covert channels in this [slashdot.org] discussion here on slashdot.
Maybe I am confused but... (Score:5)
Is this like a single point of failure thing?
Linux World (Score:3)
I saw at the VMware booth at linux world expo yesterday a demonstration of a product called VMware GSX [vmware.com], which is not out yet, but is going to be their "enterprise level" product. Rather than running a virtual OS on top of a real OS, it runs multiple VM's straight on the hardware level.
If the NSA thing is using this it would cut out a whole layer of security that they have to deal with.
What? (Score:4)
I can imagine a blue screen of death that would still have a VMWare window with Linux that is still running in it...
Crack Proof? (Score:2)
Red Book for networks was harder, but yeah. (Score:2)
I spent way too much time in the late 80s making things fit on System V/MLS, the AT&T System V Unix version that was certified as a B1 Orange Book System. The Red Book, which covers secure networking, was still pretty edgy research at the time, because authentication for machines you don't directly control is a hard problem - doing it right requires crypto, and the NSA didn't want to let it out of the box at the time or let the military use civilian crypto, though there were a few IPSEC-predecessor networks that were certifiable.
2 answers (Score:2)
1)Could it be secure enough for their purposes? Possibly. Only THEY can decide this.
2) Is it as secure as separate workstations? Of course not. By definition it CAN'T be.
This could work (Score:2)
Note that systems like this will have some annoying limitations. For example, hardware graphics acceleration will not be used.
If it crashed it prob isn't secure... (Score:2)
I have gotten VMWare to crash. If it crashes there is some behaviour that the programmers were not aware of. These behaviours may well be security problems (buffer overruns frequently cause crashes, only choosing the right data to overrun with will show a security problem).
I wouldn't be very thrilled with the idea of VMWare being part of a secure system (even if it is more the CMW part than the "secure from the outside" part) until it pretty much is impossible to crash.
Look to (Score:2)
I've found that life seems to parallel life, and a lot of times when I don't know the answer to something in the realm of computers, I look to other things in life as an equivalent. So in other words, the question becomes: can making a copy of something that we have created be made impossible?
I think that, when the question is asked that way, the answer is clearly no.
-Daniel.
--
Depends what you talk to (Score:4)
Peripherals are a different matter. They had better be sure that only the insecure side is capable of sync'ing to the Palm Pilot!
-- Brian