IT@Intel Blog


As the industry moves towards the next big leap, virtualization, I can't help wondering: will this be a security professional's dream or nightmare?

Disruptive technology:
I generalize virtualization as the necessary separation and compartmentalization of resources so things can be moved, consolidated, and managed better, across a wide swath of hardware platforms, users, and networks. It is a "disruptive technology" (not a bad term) which represents a fundamental change in how computer systems will operate, communicate, and be designed. It is a leap forward and represents greater agility, more functionality, and lower costs. The interesting security question is, what are we leaping into?

In the virtualization world you can name your poison....er, pleasure: Server, Client, Hardware, Operating System, Software, even data portability virtualization exists or is in development. I am not going to differentiate or explain the differences. Instead I am taking the strategic point of view. All these areas will be developed and instituted in some fashion. The details are far from being worked out. From a security perspective, it is the big picture that is important at the moment.

History has shown that the attackers have the advantage of 'initiative' in technology over the defenders. Basically, the attackers innovate and security then responds. But will this hold true for virtualization?

The Security Dream:
Virtualization holds the promise of security paradise by making systems more robust, hardened, simpler, and enabling new capabilities to make security more effective and cost efficient.

  • Virtualization allows a much greater consolidation of hardware resources. Multiple OSs, applications, and databases on a platform equate to fewer platforms to protect. Consolidation and portability for efficiency's sake may result in less network traffic to monitor, scan, and secure
  • Virtualization allows for effective security sandboxes to be employed for un-trusted or questionable applications and processes
  • Segregation of resources for applications, processes, OS's, and users means a compromise in one will be easier to contain due to compartmentalization. This makes it tougher for an attacker to break a weak link and begin to elevate their control over a system
  • Application restoration is a snap and full system restoration becomes easier when a client does bite the dust
  • Systems and applications can be designed to operate with multiple environments of trust: very secure, secure, marginally secure, and not-so-trusting secure, all on one box (or the informal version: I trust you with my sister secure, I trust you with my wallet secure, I trust you as far as I can throw you secure, and I trust you will steal from me the first chance you get secure)
  • Virtualization will drive standardization of application design and data types making them easier to secure
  • Failover systems become less painful to design and implement at many different levels
  • System upgrades become seamless as jobs can be moved temporarily to other systems and then returned without disruption
  • Virtualization and other supporting technologies will drive advances in real-time security state monitoring, potentially across the enterprise and deeply into applications, OS's, data, and users
  • My personal favorite is that eventually we will have the ability to monitor for suspicious activities from a trusted person, versus just looking at applications or data. Think insider threats. This will be the first significant advance in a long time for this problem

The Security Nightmare:
Virtualization may be the very bane of security for decades to come by circumventing every type of security technology and enabling new capabilities for attackers to do real damage, thus forcing an entire redesign and reinvestment of security.

  • At the highest level, virtualization offers pure stealth to an attacker. Currently, malware must hide, lay dormant, or be very quiet in order not to be detected. This limits what the bad guys can do. They must trade capabilities and impact for stealth. Not so with virtualization. Malware could have the best of both worlds
  • Total Control - it's mine, you can't find me, and if you do, you can't make me leave! I can see everything, I can control everything, and I can do anything! Mine, mine, mine! Control can extend well beyond a single system and permeate across the virtual domains, with the persistence requiring an entire group of machines be burned down and rebuilt with great care
  • Now for the sledgehammer effect. Virtualization technology will undermine every current type of security control (the short list):
    • Anti-Virus, HIPS/HIDS, and Host Firewalls - Cannot detect or monitor an attacker's activities in a higher plane of control, making them ineffective while still giving the illusion of security
    • Patching - Controlling virtual instances, and more importantly creating false ones, will have patches installed on fake instances, leaving the real one vulnerable and under the intruder's control
    • Security scanning, used to check the system's state-of-security, can be fooled, reporting back that all is fine when it is not
    • Encryption - At the right level, an attacker will be able to see before encryption, after decryption, and have your keys to decrypt at their whim
    • Security monitoring devices and agents can also be deceived, by showing them what they expect to see and nothing else
    • User Privacy will be compromised at many different levels and open the risks of aggregation across multiple data sources
    • Adware/Spam filters can be subverted
    • Secure channels can be monitored by attackers and set up between compromised systems
    • Security forensics may become a nightmare for many years due to the complexities inherent to virtualization and the fact that a high level compromise invalidates the integrity of logs
    • Even NIDS/NIPS & Network Firewalls become less effective. Hardware consolidation translates to less traffic on the backbone network and more in-between systems on a platform and within a local subnet. This gives less information to these network monitoring devices and lowers the chances they will detect malicious activity
  • The very same 'sandbox' which can be used to isolate risky activities can be employed against security applications and processes, limiting their ability to control and protect the system
  • Virtualization adds more complexity and therefore risks more confusion when it comes to system management, especially for patching and system scanning. Keeping track of who owns what is bad enough today. But at least if you track down a server owner, you can normally get a quick decision on when to patch and reboot. In the future, the server owner may not know who owns the virtual instances running on their machine. So how does one coordinate downtime, patching, or other change control issues? These delays may extend the window of vulnerability, giving attackers more options and targets
  • Fewer systems but more diversity and ambiguity gives places to hide and more opportunity to find a vulnerability
  • Virtualization portability will drive the standardization of application design and data types, making them predictable and easier to locate and compromise
  • Very complex designs which continually change are extremely difficult to restore and recover. Additionally, cascading failures can occur bringing down multiple systems whereas in a stovepipe environment they would be more insulated
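The forensics item above (a high-level compromise invalidates the integrity of logs) is one nightmare a defender can partly hedge with forward-secure logging: each entry is chained and MACed under an epoch key that the host discards after use, so an attacker who later seizes the higher plane cannot silently rewrite entries recorded before the compromise, while anything written afterwards is still only as honest as the attacker. This is an added example, not code from the original post; the key names, sample log entries and the `evolve` key-derivation step are constructed for illustration, and the initial key is assumed to be provisioned by an off-host collector.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first record


def evolve(key: bytes) -> bytes:
    """Derive the next epoch key (one-way); the logger discards the old one."""
    return hmac.new(key, b"next-epoch", hashlib.sha256).digest()


def tag_for(key: bytes, prev: str, entry: str) -> str:
    """MAC over the previous tag and the entry, binding each record to its predecessor."""
    payload = json.dumps({"prev": prev, "entry": entry}, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class ForwardSecureLog:
    """Guest-side logger. Holds only the current epoch key, never past ones."""

    def __init__(self, initial_key: bytes) -> None:
        self.key = initial_key
        self.records = []

    def append(self, entry: str) -> None:
        prev = self.records[-1]["tag"] if self.records else GENESIS
        self.records.append({"prev": prev, "entry": entry,
                             "tag": tag_for(self.key, prev, entry)})
        self.key = evolve(self.key)  # a later compromise cannot recover this key


def verify(records: list, initial_key: bytes) -> int:
    """Collector-side check from the provisioned key: -1 if intact, else first bad index."""
    key, prev = initial_key, GENESIS
    for i, rec in enumerate(records):
        if rec["prev"] != prev or not hmac.compare_digest(
                rec["tag"], tag_for(key, prev, rec["entry"])):
            return i
        prev, key = rec["tag"], evolve(key)
    return -1


def demo() -> dict:
    k0 = b"collector-provisioned-secret"  # constructed; use a random per-host key in practice
    log = ForwardSecureLog(k0)
    for line in ("sshd: accepted publickey for admin",  # constructed sample entries
                 "sudo: admin COMMAND=/usr/bin/vm-migrate",
                 "kernel: loaded module vmmon"):
        log.append(line)
    stolen_key = log.key  # attacker now owns the host; only the current epoch key exists
    # Case 1: rewrite a pre-compromise record with the stolen key. Old tags cannot be recomputed.
    rewritten = [dict(r) for r in log.records]
    rewritten[1]["entry"] = "sudo: admin COMMAND=/usr/bin/vm-status"
    rewritten[1]["tag"] = tag_for(stolen_key, rewritten[1]["prev"], rewritten[1]["entry"])
    # Case 2: forge a post-compromise record. The MAC alone cannot flag it; that is the caveat.
    forged = [dict(r) for r in log.records]
    forged.append({"prev": forged[-1]["tag"], "entry": "av: scan clean",
                   "tag": tag_for(stolen_key, forged[-1]["tag"], "av: scan clean")})
    return {"intact": verify(log.records, k0),
            "rewritten_first_bad": verify(rewritten, k0),
            "forged_after_compromise": verify(forged, k0)}


if __name__ == "__main__":
    print(demo())
```

Shipping each record to the collector as it is written is what turns the tamper evidence into a usable forensic timeline; the chain only tells you which records to distrust, not what really happened after the break-in.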

Take the High Ground - Sun Tzu "Art of War"
The ultimate sweet spot for any computer attacker is to gain the deepest level of control, which in turn can control all other virtual instances. This is the proverbial high ground which can see and control everything, yet not be seen if it does not want to. Attackers are already making great advances and have shown the initial ability to take the high ground. Defenders are quick on their heels, finding ways of detecting and defending this vital area.

Who can make the final determination in this battle? Intel and other hardware designers, of course! You can't get any deeper than the hardware. Embedded security controls will be the key to victory. But here is the twist. You may have assumed I meant the victory to the glorious and honorable path of security. You are wrong. It is just the key to victory, period. Security and administrative controls are just functions with great power. Whoever controls those functions will be the victor.

Sometimes, the computer industry itself is its own worst enemy. Infighting on standards, rushing products to market, designing security as a bolt-on afterthought, ill-designed security solutions, etc., may cause temporary self-destruction. Even when a security function is developed, there is no guarantee it will be embraced by the industry or the consumer. It will take a small army of very smart people across hardware, OS, application, and security services to design robust controls which present the value proposition necessary for widespread adoption.

In the end, the age-old battle will continue to rage on between the attackers and defenders. Virtualization is simply the next battlefield: a new landscape in which these players will innovate, respond, jockey for position, and struggle for dominance. The rules and possibilities have yet to be defined. All we know about computer security will be thrown on its side and everything we do now will need to be rebuilt from the ground up. Virtualization is a brave new world, sure to bring both dreams and nightmares.



Oct 5, 2007 2:39 AM Guest toby

Well written Matt.
I do have to take issue with one statement you made-
“Virtualization allows for effective security sandboxes to be employed for un-trusted or questionable applications and processes”
Unfortunately, all testing and research to date shows this to be incorrect. The general conclusion of all security researchers looking at virtualization is that you absolutely cannot use it as a security control. As a result, the following statements all become untrue or less true-
“Segregation of resources for applications, processes, OS's, and users means a compromise in one will be easier to contain due to compartmentalization. This makes it tougher for an attacker to break a weak link and begin to elevate their control over a system”
“Systems and applications can be designed to operate with multiple environments of trust: very secure, secure, marginally secure, and not-so-trusting secure, all on one box (or the informal version: I trust you with my sister secure, I trust you with my wallet secure, I trust you as far as I can throw you secure, and I trust you will steal from me the first chance you get secure)”

Which just makes the negatives even more persuasive. In addition, the first statement actually becomes a negative as well because so many people are assuming that you can use virtualization as a security control and as a result lowering our overall security.
The virtualization vendors are only encouraging this sort of poor thinking which makes our jobs harder unfortunately.

Regarding the argument that virtualization will be a security control the way antivirus is a security control, we have ways of testing and validating that AV is working correctly and we know the limits of what it provides. In addition, AV is not intended to replace other controls whereas virtualization is being offered as a way to replace multiple physical systems. This means we have to compare virtualized separation to what we get from physical separation and we have no effective method of doing so (yet).

I realize that there are efforts to use virtualization to implement multiple trust levels but the products being used are not the COTS products that 95% of people will use, even if the vendors are the same. Unless you are using a High Assurance solution, you cannot have confidence in the efficacy of the separation. Until we have that confidence, the separate trust levels will only be separate so long as no attacker chooses to breach them.

Oct 5, 2007 10:50 AM Matthew Rosenquist in response to: toby

Great thoughts Toby! I believe this is a forward looking perspective on the security risks and rewards for virtualization. Nobody knows exactly what the future will bring. The battle for virtualization supremacy is nowhere near won, nor are the features, capabilities, and most importantly the usage models. I do believe the use of virtualization sandboxes can be effective. I'm not saying 100% effective, but it has the potential to add cost efficient layers of security which could prevent a number of cyber incident occurrences, just as anti-virus (AV) is an effective measure today which prevents a large number of infections (again not 100% effective, but who is crazy enough to run without AV in their strategy?). In fact, AV has become a standard. If you don't have AV then you probably are not on the Internet. If you are on the Internet without the benefit of AV, then you may be sitting in front of your PC but it is likely someone else owns it. Virtualization security features may eventually earn a place in defense-in-depth strategies to play a complementing role with other capabilities, in delivering the optimal level of security.

I do believe (although we have not seen it materialize yet) that the smart application vendors will use virtualization to setup multiple states of trust on a single system (front end and/or back end). I recently read somewhere the US Department of Defense is evaluating just such a system now. Traditionally, all data within a specific security classification (or people with that level of access) could not use a system with a different level of classification. They were all isolated and compartmentalized. Same was true for the back end servers. With virtualization, they can in theory, all use the same hardware and still control the necessary compartmentalization with the software. The same principles can be applied to a regular user in an ordinary business or personal setting. I could see a robust virtual instance being created anytime someone logs into a computer as a Guest, to better isolate what they can do. Or create a temporary virtual instance when someone opens a website which should have more security, providing protection from software on the client trying to monitor activity as well as potential malware coming from the site back to the user. Again, nothing will be bulletproof, but nothing in security ever is. The question will become how effective and cost efficient will it be?

Oct 15, 2007 6:13 PM Guest Paul

Matthew - how long will it take to secure virtualization - virtualization will not stop, hackers will not stop - what is IIRS' strategy? This is a bad blog - it is a request for information not my comment on the "world situation."

Oct 18, 2007 1:43 PM Matthew Rosenquist in response to: Paul

Paul,

All security programs exist in an evolving state. The attackers get smarter, move faster, and grow. The defenders get better at responding and even taking the initiative for short periods. The battlefield itself morphs as technology, by which information flows, rapidly changes. Virtualization is a great example. It will continue to be a dynamic battle as long as something valuable is at stake.

My crystal ball says the battle to secure ‘virtualization’ will be won when it is no longer used. Until that time, we can strive to continually evolve security to align to the changing landscape of the attackers, their methods, and alterations in the environment being protected.

Optimally, an organization should spend the amount of money on security which prevents enough loss to bring the residual losses to an acceptable level. Winning, is really just keeping it at the optimal point.

Oct 19, 2007 11:15 AM Matthew Rosenquist in response to: Matthew Rosenquist

Note, this conversation occurred internally within Intel via email and is a repost of select dialogue. Thanks to all the contributors who granted me permission to post their comments.

Efi Kaufman:
…What I can add is a mention of different ownership of logical virtualized resources and not just different security context. The security issue is one when you have one owner for the physical system and for all the virtualized resources versus an owner for the physical system and multiple owners for the different logical instances.

Computing history has shown us that you can very easily replace virtualization in Matt's post with "laptops", or "wireless", "USB drives" and so forth…this is the way things have always been. IT shops and IT geeks are rushing to adopt new promising technologies, leaving security aside. Think about laptops. Think about wLan WEP. Think about USB flash drives.

Julian Braham:
My 2 cents to the blog and the discussion:
1) I agree that the Virtualization space will be the new battleground, especially in the control of the hypervisor. This will be the space where both the attackers/defenders will be investing and researching so as to control and own machines from a single spot.
2) This being said – I don’t think it differs from controlling existing physical machines today (as what Efi correctly points) – the only difference is that when controlling the Hypervisor – it gives instant access to multiple machines, but on the other hand taking ownership of the hypervisor is not that simple, and even if breached – then it also provides a single point of repair.
3) I think that we should understand that virtualization only removes the need for managing multiple hardware, and it enables OS instances to run in parallel on the same h/w. This does not mean that we are removing the manageability and security of each logical virtual machine running under the hypervisor. These machines will still need to be patched and maintained as today – the only difference is that the management and patching of the machine becomes more simple when updating virtual images.

I foresee virtualization, although it may sound weird, easy to handle in terms of security, security controls and collecting indicators. Talking with people that are doing server consolidation today I see it handled very well by the 'sane' sysadmins. They treat every logical virtualized instance as an OS on its own, manage it separately and look for all the recent patches for their virtualization software.

All the latest “Virtualization-beware!” articles are in place and I don’t think that they are false-alarms, but still, the specific security issues for virtualization are not something out of the ordinary for such a new (iteration) of technology.

Matthew Rosenquist:
I think we are viewing this technology on different scales. I see server, client, application, and data virtualization as a fundamental change in the technology by which we obtain, process, store, disseminate, and organize data. It is not a simple change in end user use-cases like the introduction and slow adoption of laptops. It would be more akin to the changes which occurred when the industry moved from mainframe to personal computers, or the introduction of local LANs connecting trusted standalone systems, or even the connectivity among non-trusted systems as the Internet took hold. Those were real disruptive technologies which changed how data was obtained, processed, etc. Each of those events was pivotal to information security technology and processes.

Virtualization is the same. Maybe not today in its current form, but forward looking it will be. If you conduct a risk assessment only looking at the technology, threats, and consequences of the present, then the results will be antiquated before the ink is dry.

Apr 4, 2008 4:22 PM Guest Glen

I have high hopes for Virtualization Security. There are so many products being released during the summer and fall that, if some of these companies support their claims, will establish a promising future. I've been watching the new virtual firewalls that are coming out shortly. Montego Networks, TBD Networks, and Altor Networks are coming out with very similar products. Hopefully one of these will be a success with regards to innovation. If anyone has any insight I'd love to hear. Thanks!

Aug 30, 2008 7:52 AM Guest NFL Picks in response to: Glen

Virtualization is important but implementation is the hard work.