The Virtualization Room

Oct 25 2007   8:32PM GMT

Does virtualization subvert security?

Kutz Profile: Akutz


A recent discussion on the OpenBSD mailing list led to the assertion that virtualization decreases security. For those interested, a summary of the discussion is available on Kernel Trap. But proponents on both sides of the argument have taken to throwing about emotionally driven comments rather than thinking objectively about the subject. Of course, because the original comment labeled all those as”stupid” and “deluded” who think virtualization somehow contributes to security weaknesses, who can really blame people for getting a bit emotional? All the flame-war commentary aside, the question remains, does virtualization weaken security? The original argument that virtualization can diminish security was based on two points:

  1. If software engineers cannot create an OS or application without bugs, what hope does a virtualization solution have to be bug-free?
  2. x86 hardware is ill-suited for virtualization.

Bug-free software
The first point does two things: it lumps all software engineers, operating systems, and applications into one pool and assumes that it is possible to find bug-free code.

Addressing the sub-points in order, while it is true that software engineers are human (and we make mistakes) and that software in general has a track record of imperfections, it is also true that the world does not judge all software engineers or software to be the same. In fact, I would guess that a lot of members of the OpenBSD mailing list in fact prefer OpenBSD to, Windows, let’s say. However, there are many readers of this blog that may prefer Windows to OpenBSD, or Linux, or OS X, etc. The same preference could be applied to office suites (OpenOffice, StarOffice, MS Office, KOffice, etc.). The fact of the matter is that we all have our own preferences: we do not judge software to be the same.

Secondly, the first point argues that the community should expect a bug-free hypervisor, and anything less contributes to the decrease of the overall security of a server platform. This is a very lofty expectation indeed! A very long time ago I wrote to Slashdot, heck, almost seven years ago now, and asked the question why it was not possible for developers to spend more time on projects and produce bug-free software. Commander Taco (the ring-leader of Slashdot) himself replied to me and said that it was a foolish expectation: software is 1) written by humans and 2) is far too complex today to be without errors. However, people still judge some operating systems to be more secure than others. The same for kernels. How can such a judgment possibly be made if all software has bugs? The answer is “easily.” We observe the rapidity that bugs are discovered in software, the impact that they have on the IT infrastructure across the world, the speed at which operating system and independent software vendors (OSVs and ISVs) release patches, and how easily those patches are applied without affecting the rest of the server platform, and then we judge the security of a piece of software. Therefore we do not judge a piece of software to be secure because it contains no bugs, but rather by the history of its imperfections and how quickly blemishes are removed.

Notice that I did not say whether or not I agreed with Mr. Slashdot. I do not. I do believe that software designed be generally purposed, such as today’s OSes, is doomed to be bug-laden, simply because it lacks a specific purpose and too many conditions have to be accounted for. However, imagine if the same leeway were given to the software that runs our air-traffic control systems? Or military installations? Such software is held to a higher standard, and it can be in part because it is designed with a specific purpose. The same is true of hypervisors: they are designed specifically for one purpose. They do not yet have all the cruft and bloat sitting on top of them that today’s OSes do. Here’s hoping that the ISVs producing today’s leading virtualization solutions step up to the challenge.

In short, I believe that there is a reasonable expectation that hypervisors will be a lot more secure than general purpose applications written on top of general purpose OSes could ever hope to be.

x86 hardware
Yes, the x86 instruction set was never designed to be virtualized, but to say that the instruction set has not grown well above and beyond its original intentions is to do an injustice to the original minds at Intel who took part in creating one of the most persevering pieces of technology to date. With the first set of virtualization extensions, those created to solve the problems of ring compression and ring aliasing, the x86 instruction set was given a breath of new life. And with the latest extensions, enabling live migrations of virtual machines across multiple generations of processor versions, the staying power of the x86 instruction set in a world with virtualization has been increased even further.

My point is simply that just because the x86 instruction set was not designed with virtualization in mind does not mean that it cannot work, and work securely. That is the beauty of x86: it can be extended to do what we need it to do. History has spoken.

With both of the original arguments shown to be false, is the conclusion of the original argument then reversed? Not completely. While virtualization does not decrease security, the potential for it to do so is there. Hypervisors are software, and although they are a lot less likely to have bugs than a general-purpose piece of software, bugs can still occur. However, to blanketly state that virtualization decreases security is far too general as there are many different implementations of virtualization. For example, if VMware ESX was found to have a memory sharing bug that allowed one virtual machine to read and write the memory of another, does this mean that XenSource is immediately compromised? Of course not. So even when a bug in a hypervisor is found it does not immediately mean that all virtualization is suddenly subject to the same problem.

As I stated earlier, the security of any software package is judged by the number of bugs historically observed, their impact (potential or real), and how quickly the parties responsible for said software fix the bug. While the potential is there, it is far too soon to observe whether or not virtualization decreases security. Only time will tell.

3  Comments on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.
  • Greg Ness
    Virtualization and Security (or virtsec) It really isn't useful to argue about whether virtualization makes security worse or better. It clearly introduces new security requirements. Whether that's better or worse will depend on how well the security team understands the changes and what they do about them. Virtualization introduces the opportunity for improved security in the data center but teams will need to know how to deliver on the promise. VMs are very mobile by nature and can change state, etc. They are a different animal to secure than a physical server; yet they can be secured via the hypervisor layer. Thanks Greg
    0 pointsBadges:
  • Rick Vanover
    In my opinion, from a purely academic point of view, virtualization does not increase security. I'm not saying that it decreases or subverts, but it inherently does not increase security. I think certain applications, namely those where DMZ or Internet hosts are put on the same virtual host systems that run internal systems - while concurrently using traditional physical boxes and network devices, there is the risk of additional 'paths' to the internal network. There would also be increased risk of erroneous cabling and a mis-configuration that would lessen security. But, virtualization will be not be slowed by this (barring perpetual outbreaks, of course). So, the key will be to manage the technology more correctly to ensure these risks do not materialize.
    20 pointsBadges:
  • Hezi Moore
    The virtualization layer defiantly does not enhance a VM's security. Assuming the hypervisor is 100 percent secure (which is not achievable especially when the hypervisor keeps changing) both the virtual machine and the physical machine will have the same security level if the network environment is not considered. The security level of a server is also dependent on the environment and most people erroneously ignore this when evaluating the server's security level. For example, a virtual server will be more vulnerable for DOS attacks. Also the visibility inside a virtual network is limited and therefore places the entire virtual network at risk. In the case of a DOS attack the virtual switch and the virtual NIC will also be under attack, thus impacting the performance of the entire virtual environment. In the case of limited visibility, a malicious event can traverse the virtual network without being detected. In conclusion, a virtual server is more vulnerable for network attacks. Virtual network visibility is also a key requirement for security. A solution like VSA (Virtual Security Appliance) from Reflex Security can help administrators protect internal virtual networks. This solution can provide visibility inside virtual environments and can also protect the virtual network and VMs against internal or external attacks.
    0 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: