Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Encryption Security

NSA + VMware = Crackproof Computing? 157

Posted by timothy from the heh-heh-heh dept.
n8willis writes: "ZDnet is reporting on a VMware and NSA collaboration called "NetTop." The idea to run multiple virtual computers on one box, to eliminate the need for government workers to have separate PCs--and indeed separate networks--for classified and unclassified data. The challenge is making the virtual barriers as secure as the physically separate networks. NSA and VMware say they've done it. What do you think?" Will copying between virtual machines be impossible? I wonder when (or if) NSA changes will make their way into the various distributions' boxed releases.
This discussion has been archived. No new comments can be posted.

NSA + VMware = Crackproof Computing? More

NSA + VMware = Crackproof Computing?

Comments Filter:
  • I'm very pleased the way technology from some of the NSA's earlier projects has filtered out to us in some form or another. I hope that other projects do the same! What I don't understand though, is how can they really prevent copying from one OS to another? It's all in memory. Can't they just copy it from there? Or is the entire virtual os encrypted or something? That seems horribly slow. :) Ben
  • At home, I run Enlightenment, and often have multiple terminal windows open at once. I've already made stupid mistakes like trying to type my GPG passphrase or root password into the wrong window. My concern is that the NSA trying to do something similar could lead to similar problems. Given that governement employees aren't exactly know for being the sharpest pencils in the box, I could easily see someone going to the trouble of doing an hour or more of work, only to discover that they were typing it all in the wrong window on an unsecure network. Whoops!

    As I understand it now, the present system where multiple machines are used in government institutions has a black machine that contains secret data, and a white machine that contains only sensitive data. Much harder to type something into the wrong machine when the color of it is immediately apparent to you, I would think.

    --

  • Securing a system of this type, even if 100% successful, requires it be locked up according to the highest security clearance it operates under. There's a really good chance there will still be two computers: one in the secure area, and one for e-mail, word processing, etc, because it requires a great big physical effort to get the whole system out.

    Therefore, this would only help a PC user that is always working under his highest security.

    ----------------------

  • If cocaine and crack weren't two different things, then yes.
    But they are the same thing. IANA chemist, but IIRC crack is simply cocaine with the hydrochloride removed...
    --
    You think being a MIB is all voodoo mind control? You should see the paperwork!
  • Um, I've been working with classified materials on computers for the past 12 years, and in all that time I've not once seen color-coded machines.

    We do have stickers on each machine, color-coded as well as with much verbiage, telling what level of material can be accessed on each machine. Hell, we've got classification stickers on Xerox machines! :-)
  • You mean you've gotten DMS working? hehe

    We're still getting contradictory instructions ever couple days on how to interact with "normal" email addresses, and new registry patches get pushed out seemingly daily.

    Thank goodness I'm leaving next week.
  • As I remember it Mutlics went to insane lengths to get their rating -- first it was Mr. Secure Guy cannot set the system time because that would leak bits. Then it was weird stuff with trying to hide the paging behavior of Mr. Secure Guy from less secure people, since you could communicate bits down by paging in and out large amounts of memory and having someone at a less secure level monitor system resources. I can't remember how they camoflagued the paging behavior of the higher security levels, but it wasn't simple.
  • Like put a transparent background in the secret window with "SECRET" printed diagonally across the window again and again?
  • By giving it direct access only to the virtualized MMU?
  • Ignoring tricks/bugs that cause the machine to violate the partitioning, there are always other ways to get around VMware in theory. Data could be passed in display adapter memory, in "garbage" registers or memory, or you can even pass data between VMware/etc processes on a totally secure machine by having them affect task switch time (admittedly, this is a very low-bandwidth channel, but it does work).
  • Why wouldn't they virtualize the resource measurement/allocation. Make it so that hardware resource measurement (disk I/O, processor, net I/O, etc.) is completely isolated between virtual machines.
  • Well, let's analyze this then:

    If you have some element with HCL as a constituent unit and then you remove the HCL, what happens? The two become chemically different. If two things are chemically different, then they are not the same.

    -----
    "People who bite the hand that feeds them usually lick the boot that kicks them"
  • Sorry, wrong thread...
  • How? How about the fact that the unclassified VM has access to the virtualized MMU, not the real one?
  • Comment removed based on user account deletion
  • Like it's going to prevent security clearance worker from snip-snip, paste-paste.
  • Sounds like S/390. :)

    -_Quinn
  • I thought the best comment came at the end of the article. It confirms one of the fundamental advantages of open-source:
    In a nod to the open-source community, he said that--for the NSA's purposes--seeing the source code and testing its security is extremely important. "You wouldn't want to do it on Windows NT, because you know nothing about what is going on inside NT," he said.
  • I agree... there's still a single machine running a single operating system underneath it all... Crackers would just have to start getting familiar with the way VMWare handles processes. Or, if they're just after the data, just crack the host OS and grab data from there...

  • UML? (Score:1)

    by soybean ( 1120 )
    Why can't we do the same thing with User Mode Linux? [sourceforge.net]
  • Crap! I don't want VMWare to set up barriers around my virtual machines; I'd like very much for them to interoperate smoothly!
  • It's still the same machine.. plus, don't even start thinking about (sniffable?) network connections, keyboards, etc.

    IMO for complete security you want the physical boxes to be secure too...

    Moz.
  • Not to mention the lowly cut & paste.
    A user could inadvertantly (or maliciously) cut text from one VM window and paste in another VM window using the host system's clipboard.
  • This would indeed be a single point of failure if and only if the filesystem for the virtual machine is unencrypted. However, I would assume that they will be encrypting the filesystem.

    Then, you are left with penetrating the host filesystem and changing the vmware software. But of course, this isn't the point. You secure the host system from outside attack and then basically the only way the hackers can get in is through the guest operating systems. And these cannot talk to other guest systems.

  • A bunch of computers connnecting to the central computer to get their data/CPU power, vaguely similar. The critical thing is that they have good physical security of the lines that go to the server net, lest they get tapped into. Another idea might be to make dumb terminals with encrypted communications and connect those to the server. The day of huge centralized computers set up in such a manner was near ending I thought, but it may see a small revival in cases such as this. It may be possible to upgrade the ROM in a dumb terminal to handle an encrypted protocol, but it may be easier to design from the ground up I bet.
  • As elaborate as the underlying software and systems might be it's all going to a video-buffer for presentation. Unless there's some technique I'm not aware of (and that's entirely likely) it's seems to me that this would be an exploitable chokepoint.

    Grab whatever's in there and you've got a copy of what the user sees. Reprocess it and you've got the content a screen at a time. Get a trojan house onto the less-secured sode of the machine and you've got a window onto the more-secured side.

    Similar to how the US bugged Xerox machines (and yes they were Xerox-brand) in the Washington Soviet Embasssy - put a mirror inside and simply dupicate-duplicated everything.

    Is there any technique (that just-folks know) to encrypt/otherwise secure what's in a videocard yet still have it perform properly?

  • Because it undermines a lot of the advantages of having a single system. If you allocate each separate VM a fixed percentage of system resources, you also prevent one process from being able to access complete system resources if none of the other ones are using them. IOW, if you have 2 VMs on a system and each is allocated equal resources, you won't ever be able to go over 50% usage with a single process. Admittedly, that may be acceptable in a system where you have a small number of separate security compartments, but if you have 10 different compartments on a single machine, it's just not acceptable to restrict each of them to 10% or less of system resources at all times.

    In practice, it would probably be acceptable to go to a moderately coarse grained resource allocation scheme that would limit covert channel bandwidth (the secure computing guidelines suggest that any channel that can transmit data about as fast as a person can type is critical) and then audit any remaining channels. You may actually be better off letting people think they're getting away with something and catching them then shutting off something you know about and letting them find out about something you don't know about.

  • He said Air _Farce_

    A Farce is a charade, or pointless excercise in politics, or a drama played out in reality. For example, a high school student council.

    I like it the way it was originally.
  • Guys, it's NSA INSANO WORLD [untitledgif.org] and VMWARE INSANO WORLD [untitledgif.org]

    Very important to the ZDnet article!!!!!!

  • If the linux host operating system was completely secure, in that it ran no services and provided stateful firewalling on the network interface, it may be able to protect the data that resides on the disk (including the virtual disk of the guest OS). Encrypting the vmware virtual disk would be help, but there are still ways to get at the data if they do gain access to the host operating system. They could either reverse-engineer the Vmware binary, they could try to grab the key out of the running vmware process, or they could even just access vmware's memory segment (or other kernel structures) directly to get the data. (not to mention offline brute-force attacks against the encrypted data). Anyway, keeping the host operating system secure is critical. I think they will be able to provide ample security to protect even their sensitive data if they do it right, though. Obviously, the host operating system would be behind the firewall anyway.

    --
    Twivel

  • I'd love to help my kids' grade school setup dumb X terminals connected to a big box that runs a vmware intance of windoze for each student who's logged in for a class. The collection of aging *shit* machines their school has is pathetic. Problem is I guess it would take such a huge monster linux box to run 30-50 simultaneous copies of vmware/windoze it wouldn't be practical

  • Someone call Hillary and Jack! (Score:5)

    by Tackhead ( 54550 ) on Friday February 02, 2001 @08:24AM (#461619)
    > Will copying between virtual machines be impossible?

    I dunno, but if it is, someone'd better call RIAA and MPAA to let Ms. Rosen and Mr. Valenti know about it :)

  • Sounds like a reasonable idea, but wouldn't usermode linux for example be better? It would give much the same results but without the virtualisation overhead. Also, it would not be restricted to x86.
  • As soon as a user has physical access to anything, they have the ability to do a lot more with it. If at any point the data travels through memory or wires unencrypted (highly possible) nothing prevents a recording device being attached at that point.... Furthermore, if special chips are added at points in order to encrypt the data as it goes over a wire (for instance, as data travels to the monitor, from the video card), nothing prevents that particular chip from being replaced... Even assuming that harddrive data is encrypted, drives can be removed and transplated into a computer with less scruples, which could be set to work at cracking the encryption. Short of OTPs, every cryptography method is theoretically brute-force crackable. (And if users get careless, which is entirely possible, crypto-breakers may have an even easier time of it.) There's no such thing as perfect security. Then again, there's No Such Agency to worry about... :)
  • it would seem that if you are going to emulate multiple systems on a single machine you are going to need some big iron to run it... course, what is tax money for anyway?


    / k.d / earth trickle / Monkeys vs. Robots Films [monkeysvsrobots.com] /

  • I had something like that as a side effect. VMWare was binding to the wrong adapter, and the virtual machine took over the IP lease from my cable provider. I guess theoretically you could run some MS-Dos NAT or the linux-firewall-on-a-floppy stuff... Could be nice... or at the very least confuse some black hats for a little bit.

    ----

  • Or, Maybe the NSA is having a hard time keeping up with these new CPUs

    Yeah, right. Nobody has more experience with using fast CPUs than NSA. Besides, we don't generate more internet traffic because our CPUs are faster. It's because of the cheaper bandwidth available.

    Also note, this is for people who do work on both classified networks and non-classified networks. Do you know anybody who works on a classified network? It certainly isn't joe home user.

  • ... gain root access ...

    cat /proc/kcore > ~/my-copy-of-memory
  • Passing information by system utilisation is not a new concept. For instance the various versions of STOP, from Wang Federal, implement a form of jitter on resource reporting and quanta so that the noise is greater than the signal. You can be reasonably certain that the NSA are familliar with these techniques and how to circumvent them.
  • Comment removed based on user account deletion
  • I used to work computer security for the Air Force. I think this sort of thing would never be allowed.

    The amount of regulations that would have to be rewritten would be astounding. That (esp. versus the small cost {for the DOD loves to spend your tax money} of buying a seperate computer) would keep that from ever happening.

    Plus you are talking about a new idea. The military thrives on the status quo. New ideas are implemented over many many years of missed deadlines (example {for mil guys} DMS).

    You wouldn't believe the paranoia that sorrounds security around here. I can't stress enough, that would never ever happen.

  • That won't change anything. The same silly security breaches would still plague them. In my oppinion, the best way to insure these stupid security breaches don't occur is to use a nix, and only hire people who know or learn something about computers.

    It's ridiculous to assume that an end user who can only use a simple (windows-like?) GUI will know anything about security.

    • If I were in the position of improving the general level of security within government branches, I would:
    • Move every computer onto linux
    • Force every single employee to take computer/security/*nix classes before allowing them access to the institution's computers or issuing one
    • Start an R&D team of developers on developing GPL'd secutiry tools as needed.
    • Install smart GPS hardware/software into laptops which can do things such as alert a central security office when a laptop leaves the building, goes into a dissalowed area, is left unatended in an insecure area.

    That would be a good start.

  • ... if they want it to be.
    What you need is a filesystem which is accessable from either/any virtual machine. There are cryptographic techniques so that any subset M (or more) from N passwords will permit decoding the data (see Schneier Applied Cryptography for how). Our case is effectively M=1, N=2. However, you're then in a state of having an idiot putting things on the shared filesystem rather than where it should go. In which case you'd need to impose some handling restrictions to prevent misuse. Enforcing these restrictions would be not 100% possible I'd guess, but little to do with humans is.
    The other idea would be that the shared are should only be accessible if you can prove that you have both keys. That limits the number of people who can access the shared area, and may impose a bottleneck.

    I'm sure anything's possible, it's just a simple matter of coding! (tongue in cheek, there :-))

    Phil
    -- Real Men Don't Use Porn. -- Morality In Media Billboards
  • the whole POINT is that there's a PHYSICAL distance between the computers, so no possible bug could allow unauthorized access...

    sheesh, it's like that douglas addams book Mostly Harmless where, in order to get around all the inconveniences of tight security, people carry around small credit cards with their mothers maiden name, fingerprints, retinal prints, dna pattern, etc etc holographically encoded.

  • Uh, Mr President, it seems China just got hold of our missle launch codes. Apparently one of our staff was using AOL Messanger on his insecure virtual computer and while cutting and pasting codes on his secure VM, an IM blinked up without him knowing it and he pasted and pressed enter before noticing the window. It turns out that with the disallowment of computer speakers in the office, it's impossible to predict this scenario occuring.

    And what's worse, since he was using cut-paste, he lossed the code once he closed the window, clearly not a very lucid move, and now we can not change the launch code without the old one. Isn't that a bummer?

  • Welll, for one thing, I am sure they have thought of this and probably the VM does not even allow it. Second, workers of the NSA probably ARE the sharpest pencils in the box. Now patent workers and government employees of that nature? That's another story all together.

    P.S. Why doesn't the government employee look out his window in the morning? So he'll have something to do later.

  • Or you can design ways to monitor possible covert channels and alert computer security if something suspicious is going on. This should actually work pretty well together with various covert bandwidth reduction approaches. If you can reduce bandwidth to, say, 1 bit/second, it will take several minutes to send even the most trivial message covertly, and that should give you plenty of time to notify the bandwidth police to monitor the situation and stop it if something fishy is going on. And if you save all of your critical data as MS Word files, it will take all day to get through the endless Word headers and make it to the vital data ;-)

  • Honeypot or a way of getting into everybodies machines ? The NSA ( or its military branches ) is not stupid. If they can convince somebody to run their version of some software, what makes you think it is crackproof from them ( NSA )?
  • Agreed. I worked for the NSA several years ago, and the importance of the air gap was paramount. I don't see how they can possibly be thinking of getting rid of that.

    Even assuming that you have one physical machine running n independent virtual machines which are absolutely and utterly independent of each other (note that I don't think this is actually possible, I'm saying just assume that it is), there remains the problem of getting information in and out of the box. As it stands, you've got seperate ethernet cables, routers, the whole nine yards for the outside internet and the classified intranets. With VMWare, would you be running that over one physical network? I suppose you could try to tunnel the secure box's connections over the unsecure ethernet, but that just seems to me like you're asking for trouble.

    Basically, it boils down to, with two networks and an air gap, you know you're secure as much as is humanly possible. The moment you start running all your data over one pipe, you open yourself up to all sorts of trouble, with intercepted connections, eavesdropping, and all that. I can't ever see this sort of thing being approved by the people in charge of security, no matter how much the cost-cutters beg.

  • For people in the other branches of the US military it has always been known as the Air Farce. Its been called part of the Disney Company also because they have a Mickey Mouse ( Goofy )way of doing things.
  • VMware's software is just another implementation of IBM's original "VM/370" resource manager OS from the 1970's. Back in the 1970's, we ran intelligence systems under IBM's VM/370 Virtual Machine architecture for the same resaons. Worked great security-wise, as long as you didn't then connect your mainframe to the outside world... IBM recently demoed (Slashdotted too as I recall?) 45,000 seperate copies of Linux running in seperate virtual machines on one mainframe using their VM OS.
  • Correct me if I am wrong, but it seems that multiple virtual machines still share the same hardware (hence, memory space, harddrives) and same host OS. Seems to me that an exploit could still target the host which would allow access to the memory spaces on both virtual machines... then your back to square one...

    DOS is dead, and no one cares...
  • I agree. As long as there is connected hardware, somebody will figure out how to get at it. And even if the VM's are completely isolated and unbreakable (doubtful), aren't they talking down the same NIC? C'mon, NSA can't believe that nobody will ever crack that, can they? I thought these were the people of Faraday cages, white-noise on the windows, etc. Now they're going to throw their most secret data onto one big happy ethernet with Sue's email from her Mom? Sounds like a honeypot to me.
  • Feel free to tell me if I'm mad wrong...

    Doesn't that mean that each individual client has a key to the one single file that is the single point of failure? So, getting a backup of even just a client would be a start to reversing the encryption

    I'm sure I'm over simplifying this, but its a job requirement in the real world...

  • I know the NSA looks to be doing good work with Linux but I just can't trust an agency thats so damn big brotherish to the point we dont know anything realy about them.

  • Re:Here's one problem.. (Score:3)

    by SquadBoy ( 167263 ) on Friday February 02, 2001 @08:53AM (#461643) Homepage Journal
    This is why when I was in the Air Farce we had removable HDs. One for classified and one for unclassifed stuff. And of course all the various levels of secret. Where I had hands on with the system we had to take the network cable out but on that machine the network was not critical at that time. In any case my CO still got it wrong. This is a *very* bad idea in many ways.
  • actually, its not as easy as you think (thus timothy's question about copying between virtual machines). you would have to rely on a much more covert means of communication that a simple copy and paste. see this post. [slashdot.org]

  • Will never be used in practice (Score:3)

    by hawkstone ( 233083 ) on Friday February 02, 2001 @08:54AM (#461645)
    I work for a national laboratory where we have two separate networks: one for unclassified, one for classified. We use an air gap to separate the two networks. The classified one has no connection to the outside world, and the only way to get information to the classified net is through tape and sneakernet, and the only people who have access to do this are subject to polygraphs. In fact, for those of us who have classified and unclassified computers in our office, the network cables must be separated by 6 inches (15cm), and this is actually audited by computer security folks. There are so many rules in place, we even have classified keyboards -- you cannot hook a keyboard up to an unclassified computer that has been contaminated by being connected to a classified one. The hardest part about this is that you cannot have classified and unclassified data on the same hard drive. The point is, there are so many rules in place designed to prevent this, no other government agencies but the NSA would ever consider this. We would rather pay twice for two separate sets of computers and networks.
  • From what I read, there are different physical networks for different security clearences. As a result, a computer in the classified class can't access info in lower clearance levels, so the worker need a different computer for each clearance level. How does that make sence? So here I am writing a top secret document that references a few sensitive documents and a top-secret document. To properly reference the document in this system, I would have to physically switch to a different computer.

    They're security just seems flawed, and this soultion isn't a fix. I'm sure they have reasons for doing so (probally classified reasons), but what about useing different NICs for the different networks (hey, a Quad ethernet adapter or two and you would be set.) of just get one and use IP Aliasing? Why use seperate networks at all? Different servers for each level of access, with strick control over who can access the info from where, and strong encryption, and you have a perhaps better soultion.

    If anyone can figure out their securiy model and reasons behind it, please enlighten the rest of us. :)
  • I think this one phrase from the "Makes sense" section pretty much sums up the problem.

    I hope the NSA takes their time in evaluating VMWare's stuff. Right now, they have a working system. Is it really worth it to throw this system out in favor of an unproven technology.

    I am not saying VMWare is unproven technology, but merely this new use for the product. Again, from the article, "the current VMware technology is not up to a level of assurance necessary for this."

    Of course an obvious point is that there is no such thing as "Crackproof Computing." No matter how good this product becomes, there will always be a chance that there are remaining security holes. It may be a while before this risk is at an acceptable level for the NSA.
  • I think we started at one extreme (completely centralized mainframes) and swung to the other extreme (completely indepented pcs), and now we settling in a happy medium. People do not want to go back to having dumb terminals or thin clients, there are still to many things which can't be done well over the wire.

    Witness the failure of Suns java station and Larry Ellison's net pc concept.

    There is a place for both distributed and centralized setups, but for the majority of people having a compromise works well.
  • Back in the early 1970s, the CIA used IBM's VM/370 operating system for secure computing inside the agency. Like the VMWare product, VM/370 creates an virtual machine on which you can run an operating system designed to run on a real machine.

    The advantage of this approach comes from the precision with which machine architectures are specified, and the very limited number of communication paths available between machines.

    IBM also did some work with VM/370 where they completely virtualized the clocks on the system. While they did this project to allow benchmarking hardware that had not yet been built, the same facility can be used to greatly reduce the bandwidth of covert channels between virtual machines.

    If the VMWare system has these features, it may well be a B level system, and be approved for the kind of multi-level security application described.

  • This approach can never be trusted. You can't have data of different security levels on the same media, circuitry, network, ..., what ever. Even if you could create secure software - yeah right, this would not protect against a hardware malfunction. Any number of failures could cause secure data to be available at a lower level. Something as simple as scrapped wires touching, or a staple shorting two contacts could echo data into a different virtual machine. Of course such a "malfunction" could be introduced by any person with physical access to any part of the system/network that "sees" this data.

    Ken

  • Heh, except of course you can't run *any* operating system. They've taken a few shortcuts that mean you can't boot unsupported OS's in many cases. (For example OS/2).

  • I work in a particular five-sided building [defenselink.mil]in Arlington, VA. Part of my job involves tracking down classified information that has been leaked onto uncleared computers and networks and 'sanitizing' them (degaussers are my friend). If I could have one wish in this world, it would be to rip every 3.5" floppy drive out of every computer rated 'Secret' and above.

    Computers are very good at blindly following instructions. Humans, however, tend to suffer from problems such as laziness, ignorance, contempt, or outright disregard for the rules (and in the worst cases, greed...). No one has ever heard of a computer that decided to disregard its programming. Every case I have worked began with human error.
    By their very nature, computers can't break the rules, but humans definately do.

    As for the hard drive issue, I see two solutions:
    1. Have a single drive for the entire machine, and the classified Virtual Machines (VMs) would operate with an encrypted file and swap space. Modify the OS so that unencrypted info can exist only in volitile RAM (I believe OpenBSD already does this).

    2. Run at least two hard drives, one for the host OS and unclassified VMs, the other encrypted for the classified VMs. This would be easier to conform with existing regulations on classified handling and storage.
  • Depending on the application, UML may run worse than VMWare. I did a rough study of their performance, and system calls were usually roughly an order of magnitude slower under UML than they were under VMWare.

    Also, at the moment UML only runs on x86 as well, though in theory it's not hard to port.
  • What about cut and paste? Screen grabs?
  • Client as in person or client as in virtual machine? The key would be stored in the brain, not in the machine. Sure, there are single points of failure here, but there are under the current implementation.
  • sorry, won't work. the point of running virtual machines is that they're -not aware of each other-. there is always a mechanism involved to isolate the virtual machines so that a process running on one VM won't trash the entire mainframe should it start to trample memory.

    the -real- interesting part of hacking VM's, and the principal point of security, is virtual isolation. now, if someone could crack -that-... then the fun would begin.

    --nick
  • I really don't think this would work. Even if VMWare runs a multiple emulation layer straight from the hardware, this would still require strong crypto to protect data saved to disk.
    Then again, multiple virtual machines and strong crypto would not protect against the type of small keyboard sniffers that the FBI (and other intelligence agencies) supposedly already have -- the kind that connects directly on your keyboard and stores everything that is typed.
    Finally, I am almost certain that someone could come up with a virus that would infect one VMWare layer (think Win9x here) and would do the same password-gathering. With the right drivers, one can even imagine a virus/trojan horse mounting other filesystems and discreetly searching for interesting files and data.
    In short, I really don't think this has any chance to work. Memo to NSA: use OpenBSD or your own (reinforced) version of Linux with ultra-strong crypto -- you'll run less risks this way.
    After all, what's the point of emulating (slowly) multiple operating systems, when it's probably much faster to port all the tools users need to one "set" of platforms (Unix?).
    Just my $0.02. I am not sure this rant makes sense.
  • Ok, so I wont say it :) Seriously, though, there are some problems with this kind of technology: 1) you may have several "secure" virtual machines, but what if the OTHER non-secure VMs are comprimised, and are set to crack/infiltrate your secure VMs? You'd have crackers beating down your door, and they wouldn't even necessarily have to be pounding on some port... 2) unless you are doing SMP and have OTHER processors to split amongst these tasks, wouldn't several VMs on one machine slow the piss out of it, even with all the speed advances in processors, etc 3) unless the "task-switching" mechanism is built into the hardware, and the data for it are taken from some type of rom, you're risking the chance of one process getting under that very task-switching mechanism, like we used to do with tunneling interrupts, to get in UNDER the interrupt and get our routine called before/instead of the one that was intended. Afterward, the switching would be compromised, yeilding the possibility of nabbing "secure" data, or maybe giving a bogus VM false secure status, or how about even giving certain VMs a higher execution priority: you have a remote connection to a machine running your VM in addition to 7 others. You all are allotted an equal slice of time, but since you've "(task)switch-tunneled, you give your machine %75 percent of the allotted time, and leave the other poor bastards to fight over the remaining %25 percent. Apply that to a shared-resource business idea... Hmmm... wonder if that would help my frag count...
  • If they INSIST on being able to access their highly sensitive systems from an unsecured box, wouldn't they be better off using either A) an encrypted X-session or B) an encrypted Citrix / Terminal Server session?

    Think about it...a virtual machine is still going to have access to RAM, ports, etc. Not to mention they're probably going to have each virtual machine running on private IP space over the same wire...that can be sniffed as well.

    A central server that each person accesses through an encrypted link allows for secure network traffic, a central repository of the data in question, and allows for ACL's restricting which computers can even access it.

    Sometimes the most elegeant solution isn't the most complex one.

    Sure there are still risks associated, like hardware keystroke loggers, shoulder surfing, and shit like that, but that's a risk regardless, and I hope the DoD has measures in place to reduce physical security risks.

  • I find humor in the fact that many so-called "technology" companies these days are touting old technology as the wave of the future. Perhaps computing in general is coming full circle... it started with large, "virtual computer" type systems that are gloriously known as "mainframes"... then, computing progressed to the PC with each his own, and now, somehow, combining computing back into a centralized mainframe layout is somehow revolutionary?

    I think I'll invent "floppy" disks, and tout them as the future because one could fold up his data and carry it in his pocket.

  • A lot of these guys run dual platforms.
    (i.e. a Windows P.C. and a Solaris Sparcstation).

    It would be very interesting if VMWare could emulate other platforms such as running IRIX or HPUX on intel based hardware.

    Regardless, I'll definitely be keeping my eye on this company!

  • This is the Orange Book, redux (Score:4)

    by davecb ( 6526 ) <davecb@spamcop.net> on Friday February 02, 2001 @09:47AM (#461664) Homepage Journal

    Once upon a time, the U.S. government write a set of specifications for multi-level secure computers, called the orange book [fas.org]. This worked pretty well for mainframes: Multics was rated B2, and was on the 'net as dockmaster.mil.

    It was a bit clunky, but had been continuously updated over time, so I still have a machine running Trusted Solaris 7 [sun.com] in my basement.

    It's arguably the same task to do this sort of thing with a virtual machine monitor as it is with a security monitor: both create trusted computing bases, which enforce the security rules.

    It would look almost exactly like an unmodified system, with optional colored bars on the windows indicating the security level and subject matter that was displayed there.

    The rules the TCB would enforce are things like "thou shalt not copy from higher security down to lower security", so the TCB gets asked if it should allow a top-secret cut buffer to be pasted into an merely restricted document.

    The Trusted Computing Base (the VMM) gets to say no, and so refuses to allow mapping of that page. The X server gets a -1 return code and errno=NOWAYJOSE, so it then pops up a "sorry, that was a security breach" message... which is exactly what my TS system does when I klutz and try to copy stuff from my confidential files into my unclassified email!

  • It doesn't. You'd need an x86 emulator too.
  • Consider a secure process that modulates use of swap space. This affects the running performance of other, non-secure processes. Measureing your own running performance allows you to use such a method for inter (secure to non-secure) process communication.

    Basically, ANY time you share a resource, you can monitor how others use it. The CPU is such a resource.

  • Re:Maybe I am confused but... (Score:3)

    by jovlinger ( 55075 ) on Friday February 02, 2001 @09:19AM (#461677) Homepage
    The point is that you have 3 systems running:


    Host
    / \
    inter- intra-
    net VM net VM


    If you compromise the internet VM (which we assume can happen -- this is why they are currently different machines, physically) this doesn't necessarily give you any means to access the meta level Host computer.

    If that were possible, then yes, the attacker could compromise the supposedly secure intra-net VM (NB: copying its state would only give you a snapshot -- it would be much better just to relay all of its communication traffic to the internet).

    So now we need to prove that it is impossible to get access to the meta level from the internet. This comes immediately from the virtualisation requirements -- each hosted OS has no way of realising it isn't running on the base hardware.
    Even if we are not able to prove this, the fact that the internet connected machine is virtual gives us the abilty to snapshot its state at a fully booted uncompromised point in time; In order to make cracking it hard, we can just kill the entire machine every 5 minutes and reinstate the snapshotted version. Any attacker now has to crack not only the inter-net VM, but also the Host machine in 5 minutes.

    However, this all assumes a trusted user. If the user has the ability to do screen captures from the intra-net VM, they could then conveniently send these via the inter-net VM.
  • Windows has been known to crash on VMware running on Linux, but I can assure you VMware does not exit - it just displays the BSOD in the same way a non-virtual PC would.

    In some ways, Windows on VMware is actually more stable than Windows on real hardware, largely because VMware emulates hardware that has well proven drivers.

  • Slow down... (Score:3)

    by whydna ( 9312 ) <.whydna. .at. .hotmail.com.> on Friday February 02, 2001 @08:27AM (#461688)
    Or, Maybe the NSA is having a hard time keeping up with these new CPUs and they can't process all the information about us that they want to. So really this is just a big ploy for us to install VMWare and /really/ have things slow to a creep... And hell, what's better than one instance of VMWare running... two or three!!! hell yeah!!

    -Andy
  • Comment removed based on user account deletion
  • 1. Become root (choose your favourite exploit).
    2. insmod fuck-vmware.o
    3. Proceed to read and/or write all the address space your heart desires.

    The entire idea is ridiculous. Nothing can be as secure as having separate networks, except not having secrets.
  • If the history of computer security has taught us anything, it has taught us that there is no software that is crackproof.

  • Hmmm... (Score:2)

    by Anonymous Coward
    First, there were centralized mainframes and user terminals for people to run apps and data through.

    Then there were PC's where everyone had their own "little mainframe."

    Now I'm seeing a trend back towards centralized computers. It started with client/server, and now this from the boys and girls at the NSA.

    Can you say "pendulum swings?"

  • VirtualPC is a PC emulator for Macs. It emulates an entire PC, including the BIOS and peripherals, so that you can run pretty much any OS (including OS/2, which VMWare doesn't support).

    The reason I bring this up is because VirtualPC includes an API that lets Windows "see" your Mac hard drives and vice-versa. The API exists both inside the VM and outside, but I think it's only capable of letting Windows mount Mac directories, not the other way around.

    In either case, this API effectively can let multiple Windows VMs see each other, so VMWare would have to certify that such an API doesn't exist in their NSA-approved VM.
    --

  • This is a really good point; if the image from a running secure VM is captured, it will necessarily have any session keys in its memory.

    However, these session keys are not the same as the (presumably) strong master key used to generate them. Many programs (such as PGP) go to great lengths to destroy the memory-representation of my master key after it is no longer needed -- tho this is mainly to avoid it being swapped to disk.

    Other workarounds are keeping the master keys in hardware -- the NIC or in one of the IBM hardware locks. Neither of these are part of the VM state, but rather the base hardware, so they wouldn't be represented in the secure VM.

    Another idea would be to have the Host do these as a trap -- have the secure VM think its running on hardware with an de/encryption primitive instruction. This instruction is trapped by the VMWare and executed by the host operating system.

    In this last case, compromising the host would imply key loss; this is not necessarily the case in the hardware scenario.
  • It's not just in national labs and defense work; key financial networks also use a similar strategy. Take Fedwire, for example, the network that transmits enormous quantities of money electronically every day. The network connections have special nodes with plastic coverings that are designed to corrode the chips if you ever try to open them. The nodes are accessed through sneakernet at banks.

    Fortunately, (The Matrix aside), it's still harder for crackers to break the electronic barrier than the physical barrier.

  • My first job out of graduate school was at Trusted Information Systems (now swallowed by Network Associates) on the NSA-funded Trusted Mach [pgp.com] project.

    The idea was that you would run different OS sessions, each of which would provide a POSIX, or OS/2 (guess that dates the project), or whatever, "personality", at different sensitivity levels on top of the Mach microkernel. Data could be copied between sessions subject to security contraints. It was targeted (though never evaluated) to hit the B3 TCSEC critera. Interesting stuff, but it never really went anywhere.

    This sounds very similar.

    Tom Swiss | the infamous tms | http://www.infamous.net/

  • Remember DES? The NSA rolled out DES because it wanted everyone to use something it could crack.

    Read the article and think. They have a linux distribution that they believe to be bullet proof. They are ging to use this to host other operating systems. A hardened linux box can cat as a security arbiter. That is all they are doing, they are building in a firewall in to every box they'll be using.

    The effect of the second can be stunning. There admins will now be able to do anything they want to any Win XXX PCs on there network. Monitor it, patch it, replace the OS, lock out the user, sane and reliable network firewalling, anything they want.

    They lose easily verifiable air gaps... which can be violated any time a security officer is not looking, and they gain the ability to truly manage there PC enviorment. Emagine IPSec wrappers for every one of your network transactions, even if the underlying (overriding) Win xxx does not support it. That is a huge win even on just sensitive networks.

  • Covert Channels (Score:4)

    by rgmoore ( 133276 ) <glandauer@charter.net> on Friday February 02, 2001 @08:28AM (#461717) Homepage

    It seems to me that this approach would still be very succeptible to various forms of covert timing channels. Since the different systems are running on the same hardware, you could still signal between them by having one system hog system resources or not as a way of signaling bits to the other system. There was some discussion of this approach to covert channels in this [slashdot.org] discussion here on slashdot.

  • Maybe I am confused but... (Score:5)

    by Dios ( 83038 ) on Friday February 02, 2001 @08:29AM (#461718) Homepage
    So I guess the goal would be to hack into the 'host' system. That way you can copy the virtual machines data file (isn't it just one big nice file in vmware?) and have a complete copy of the virtual system... and all its data...

    Is this like a single point of failure thing?

  • Linux World (Score:3)

    by Cire ( 96846 ) on Friday February 02, 2001 @08:30AM (#461719)

    I saw at the VMware booth at linux world expo yesterday a demonstration of a product called VMware GSX [vmware.com], which is not out yet, but is going to be their "enterprise level" product. Rather than running a virtual OS on top of a real OS, it runs multiple VM's straight on the hardware level.

    If the NSA thing is using this it would cut out a whole layer of security that they have to deal with.

  • What? (Score:4)

    by roman_mir ( 125474 ) on Friday February 02, 2001 @08:31AM (#461720) Homepage Journal
    "Last year, the company also released a version of its software that runs on Windows NT and 2000, enabling users to run Linux (or any other operating system) in a virtual machine on top of Windows. "
    I can imagine a blue screen of death that would still have a VMWare window with Linux that is still running in it...
  • Crack proof means one can't hide a stash of cocaine inside the computer right?
  • Agreed - you don't need multiple machines if you've got a multi-level secure operating system. (And you don't need multiple machines very often if you've got removable disk drives, as someone else said.) But maintaining MLSs hasn't been mainstream commercial business for a while, certification is way too expensive, networking is too important, and everybody wants to use Windows anyway (which means getting a POSIX compliance waiver, if they still enforce that.)


    I spent way too much time in the late 80s making things fit on System V/MLS, the AT&T System V Unix version that was certified as a B1 Orange Book System. The Red Book, which covers secure networking, was still pretty edgy research at the time, because authentication for machines you don
    't directly control is a hard problem - doing it right requires crypto, and the NSA didn't want to let it out of the box at the time or let the military use civilian crypto, though there were a few IPSEC-predecessor networks that were certifiable.

  • to that loaded question.

    1)Could it be secure enough for their purposes? Possibly. Only THEY can decide this.

    2) Is it as secure as separate workstations? Of course not. By definition it CAN'T be.
  • This makes a lot of sense. Isolated virtual machines have been done successfully. IBM mainframes have had them since the 1970s. Several efforts funded by the intelligence community have produced specialized secure operating systems. But they generally lacked application software. This is a way to run common applications in a secure environment.

    Note that systems like this will have some annoying limitations. For example, hardware graphics acceleration will not be used.

  • I have gotten VMWare to crash. If it crashes there is some behaviour that the programmers were not aware of. These behaviours may well be secrity problems (buffer overuns frequently cause crashes, only choosing the right data to overun with will show a security problem).

    I wouldn't be very thrilled with the idea of VMWare being part of a secure system (even if it is more the CMW part then the "secure from the outside" part) until it pretty much is impossable to crash.

  • Will copying between virtual machines be impossible?

    I've found that life seems to parallel life, and a lot of times when I don't know the answer to something in the realm of computers, I look to other things in life as an equivalent. So in other words, the question becomes: can making a copy of something that we have created be made impossible?

    I think that, when the question is asked that way, the answer is clearly no.

    -Daniel.
    --

  • Depends what you talk to (Score:4)

    by GlobalEcho ( 26240 ) on Friday February 02, 2001 @08:35AM (#461742)
    It's probably possible, at the very least in theory, to separate two virtual machines more or less completely. You can simulate the BIOS, the hardware clock, the PRAM, the ethernet card PRAM, and all those other sneaky places that most people don't think about as writable areas of their PC.

    Peripherals are a different matter. They had better be sure that only the insecure side is capable of sync'ing to the Palm Pilot!

    -- Brian

Slashdot Top Deals

Math is like love -- a simple idea but it can get complicated. -- R. Drabek

Close