Virtualization Security: Fact or Fiction?


The adoption of virtualization technology presents new challenges for environments that must be concerned with security, integrity, reliability, or regulatory requirements. With the potential cost savings that virtualization can afford, the adoption rate is growing day by day, but so are the concerns:


1) Is virtualization secure?

The Virtualization Vulnerabilities section below presents a list of some of the most prominent VM exposures.

2) If used, is your business at risk?

The Published Works section presents some analysis of virtualization security overall.

3) Are there products that can mitigate these risks?

Yes, Tresys VM Fortress mitigates the risks associated with virtualization. With these concerns put to rest, you can securely consolidate your desktop environment.

Virtualization Vulnerabilities
The following links present some of the current virtualization vulnerabilities:

VMware’s security advisory covering seven different vulnerabilities. The exposures in this single announcement range from Denial of Service (DoS) to privilege escalation.

http://www.vmware.com/security/advisories/VMSA-2008-0005.html
http://www.networkworld.com/news/2008/031708-vmware-security-bugs.html


This public announcement discloses a vulnerability in the VMware Workstation, Player, ACE, and Server products: VMware’s implementation of Network Address Translation (NAT) was subject to a heap overflow that could allow a guest to execute arbitrary code on the host.

http://secunia.com/advisories/18162/


Secunia announces six vulnerabilities offering DoS and privilege escalation opportunities to malicious users. These vulnerabilities could allow unintended information flow between guests and hosts; a virus could spread from one virtual machine to another.

http://secunia.com/advisories/26890/

http://news.zdnet.co.uk/security/0,1000000189,39341144,00.htm


Core Security discovered a flaw in VMware’s shared folder implementation. Through a shared folder, this flaw gives a guest complete, unmitigated access to data on the host. VMware was aware of this critical flaw for four months before releasing a patch.

http://packetstormsecurity.org/0802-exploits/CORE-2007-0930.txt


Published Works
The following links present a sampling of current analysis of, and views on, virtualization security:

Forbes.com reports on the discussion of virtualization security vulnerabilities at the 2008 RSA Conference in San Francisco and the Black Hat conference in Washington, DC.

“security researchers discussed...a new type of virtualization-based malware that could be used to take control of a machine running virtualization software.”

http://www.forbes.com/2008/04/09/virtualization-rsa-malware-tech-virtualization08-cx_ag_0409virtual.html?partner=email


VMware acknowledges that virtualization introduces new attack vectors and that the security of the host becomes even more critical.

“By introducing a layer of abstraction between the physical hardware and virtualized systems running IT services, virtualization technology provides a powerful means to deliver cost savings via server consolidation as well as increased operational efficiency and flexibility. However, the added functionality introduces a virtualization layer that itself becomes a potential avenue of attack for the virtual services being hosted. Because a single host system can house multiple virtual machines, the security of that host becomes even more important.”

http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf


Analysis published by Gartner explains how treating virtual machines like traditional physical servers can actually weaken security.

“Virtualization, as with any emerging technology, will be the target of new security threats,” said Neil MacDonald, vice president and Gartner Fellow. “Many organizations mistakenly assume that their approach for securing virtual machines (VMs) will be the same as securing any OS and thus plan to apply their existing configuration guidelines, standards and tools. While this is a start, simply applying the technologies and best practices for securing physical servers won’t provide sufficient protections for VMs.”

http://www.gridtoday.com/grid/1349303.html


This article reports on the results of an emedia survey indicating that some companies are forgoing virtualization because of security concerns, and summarizes the respondents’ chief concerns.

“the chief security concerns were about virtualization patching and updates (32 percent), guest-to-guest attacks (27 percent), and the addition of new host software (22 percent).”

http://www.darkreading.com/document.asp?doc_id=127420


This paper, by Tavis Ormandy and sponsored by Google, audits the security of mainstream virtualization software. The conclusion was simple: none of the modern virtualization systems tested withstood the full battery of security tests thrown at it.

http://taviso.decsystem.org/virtsec.pdf


GRIDtoday reports on a Burton Group study that codifies the Five Laws of Virtualization Security. Burton Group developed this set of five immutable laws to help IT organizations drive security decisions in virtual environments:

Law 1: All existing OS-level attacks work in the exact same way.

Law 2: The hypervisor attack surface is additive to a system's risk profile.

Law 3: Separating functionality and/or content into virtual machines (VM) will reduce risk.

Law 4: Aggregating functions and resources onto a physical platform will increase risk.

Law 5: A system containing a "trusted" VM on an "untrusted" host has a higher risk level than a system containing a "trusted" host with an "untrusted" VM.

http://www.gridtoday.com/grid/2012878.html



© 2008 Tresys Technology, LLC. All Rights Reserved.