The adoption of virtualization technology presents new challenges for environments that must be concerned with security, integrity, reliability, or regulatory requirements. With the potential cost savings that virtualization can afford, the adoption rate is growing day by day, but so are the concerns:

Virtualization Security Questions
  • 1) Is virtualization secure?

  • 2) If used, is your business at risk?

    • The Published Works section presents some analysis of virtualization security overall.

  • 3) Are there products that can mitigate these risks?

    • Yes, Tresys VM Fortress mitigates the risks associated with virtualization. With these concerns put to rest, you can securely consolidate your desktop environment.

Virtualization Vulnerabilities

The following links present some of the current virtualization vulnerabilities:

  • VMware’s security advisory regarding seven different vulnerabilities. The exposures associated with this single announcement range from Denial of Service (DoS) vulnerabilities to privilege escalation opportunities.

  • This is a public announcement disclosing a vulnerability in VMware Workstation, Player, ACE, and Server products. VMware’s implementation of Network Address Translation (NAT) was subject to a “heap overflow” allowing a guest to execute arbitrary code on the host.

  • Secunia announces six vulnerabilities offering DoS and privilege escalation opportunities to malicious users. These vulnerabilities could allow unintended information to flow between guests and hosts – a virus could spread from virtual machine to virtual machine.

  • Core Security discovered a flaw in the shared folder implementation in VMware. This flaw provides guests with complete unmitigated access to data on the host. VMware was aware of this critical flaw for four months before they released a patch.

Published Works

The following links present a sampling of the current vulnerabilities and/or views on virtualization security.

  • Forbes.com reports on the discussion of virtualization security vulnerabilities at this year's RSA Conference in San Francisco and the Black Hat conference in Washington, DC.

    “security researchers discussed...a new type of virtualization-based malware that could be used to take control of a machine running virtualization software.”
  • VMware acknowledges that virtualization introduces new attack vectors and that the security of the host becomes even more critical.

    “By introducing a layer of abstraction between the physical hardware and virtualized systems running IT services, virtualization technology provides a powerful means to deliver cost savings via server consolidation as well as increased operational efficiency and flexibility. However, the added functionality introduces a virtualization layer that itself becomes a potential avenue of attack for the virtual services being hosted. Because a single host system can house multiple virtual machines, the security of that host becomes even more important.”
  • Data published by Gartner reveals how traditional virtualization can actually weaken security.

    “Virtualization, as with any emerging technology, will be the target of new security threats,” said Neil MacDonald, vice president and Gartner Fellow. “Many organizations mistakenly assume that their approach for securing virtual machines (VMs) will be the same as securing any OS and thus plan to apply their existing configuration guidelines, standards and tools. While this is a start, simply applying the technologies and best practices for securing physical servers won’t provide sufficient protections for VMs.”
  • This article reports on the results of an emedia survey indicating that companies are forgoing virtualization because of security concerns. It also reports on the chief security concerns of the respondents.

    “the chief security concerns were about virtualization patching and updates (32 percent), guest-to-guest attacks (27 percent), and the addition of new host software (22 percent).”
  • This paper was sponsored by Google to audit the security of mainstream virtualization today. The conclusion was simple: no modern virtualization system withstood the full battery of security tests thrown at it.

  • On-Demand Enterprise reports on a Burton Group study that codifies the Five Laws of Virtualization Security. Burton Group developed a set of five immutable laws to help IT organizations drive security decisions in virtual environments:

    • Law 1: All existing OS-level attacks work in the exact same way.
    • Law 2: The hypervisor attack surface is additive to a system's risk profile.
    • Law 3: Separating functionality and/or content into virtual machines (VM) will reduce risk.
    • Law 4: Aggregating functions and resources onto a physical platform will increase risk.
    • Law 5: A system containing a "trusted" VM on an "untrusted" host has a higher risk level than a system containing a "trusted" host with an "untrusted" VM.
