<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress/2.2.3" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	>
<channel>
	<title>Comments on: Virtualization is a process, not a product</title>
	<link>http://www.tssci-security.com/archives/2008/06/18/virtualization-is-a-process-not-a-product/</link>
	<description>top secret/secure computing information</description>
	<pubDate>Fri, 21 Nov 2008 17:56:29 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.2.3</generator>

	<item>
		<title>By: dre</title>
		<link>http://www.tssci-security.com/archives/2008/06/18/virtualization-is-a-process-not-a-product/#comment-7865</link>
		<dc:creator>dre</dc:creator>
		<pubDate>Wed, 18 Jun 2008 17:31:07 +0000</pubDate>
		<guid>http://www.tssci-security.com/archives/2008/06/18/virtualization-is-a-process-not-a-product/#comment-7865</guid>
		<description>@ Rory:

I've been giving some thought to using the host OS for security purposes for a while.  Check out the papers on virtual machine introspection (Building an IDS) at the &lt;a href="http://code.google.com/p/xenaccess/"&gt;XenAccess website&lt;/a&gt;.  If you get a chance to read my blog post on &lt;a href="http://www.tssci-security.com/archives/2008/02/05/hardware-vm-security-past-and-present/"&gt;Hardware VM security: past and present&lt;/a&gt;, be sure to check what I say about VMcasting as well.  I think that virtualization can go a long way towards managing patches and working with (instead of against) vulnerability management and other areas of information security.

While not very comprehensive yet, Diane Barrett did a talk at &lt;a href="http://layerone.info/?page_id=41"&gt;LayerOne 2008&lt;/a&gt; on Virtual Traces, which is digital forensics research into virtualization.</description>
		<content:encoded><![CDATA[<p>@ Rory:</p>
<p>I&#8217;ve been giving some thought to using the host OS for security purposes for a while.  Check out the papers on virtual machine introspection (Building an IDS) at the <a href="http://code.google.com/p/xenaccess/">XenAccess website</a>.  If you get a chance to read my blog post on <a href="http://www.tssci-security.com/archives/2008/02/05/hardware-vm-security-past-and-present/">Hardware VM security: past and present</a>, be sure to check what I say about VMcasting as well.  I think that virtualization can go a long way towards managing patches and working with (instead of against) vulnerability management and other areas of information security.</p>
<p>While not very comprehensive yet, Diane Barrett did a talk at <a href="http://layerone.info/?page_id=41">LayerOne 2008</a> on Virtual Traces, which is digital forensics research into virtualization.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Rory McCune</title>
		<link>http://www.tssci-security.com/archives/2008/06/18/virtualization-is-a-process-not-a-product/#comment-7861</link>
		<dc:creator>Rory McCune</dc:creator>
		<pubDate>Wed, 18 Jun 2008 15:35:45 +0000</pubDate>
		<guid>http://www.tssci-security.com/archives/2008/06/18/virtualization-is-a-process-not-a-product/#comment-7861</guid>
		<description>@dre.

Good point on the availability of resources; definitely, as far as I know, specific incident/security tools for hypervisors are a pretty new field (I guess that may be one of the uses for VMware's VMSafe API).  I hadn't considered the possible positive impact of having an operating system you could leverage for security as the host...

In terms of host-based virtualization I was thinking of things like VMware Server, Windows Virtual Server (without Hyper-V) and Xen, which in terms of approach are all roughly similar (in that they have a general-purpose operating system running on the host).</description>
		<content:encoded><![CDATA[<p>@dre.</p>
<p>Good point on the availability of resources; definitely, as far as I know, specific incident/security tools for hypervisors are a pretty new field (I guess that may be one of the uses for VMware&#8217;s VMSafe API).  I hadn&#8217;t considered the possible positive impact of having an operating system you could leverage for security as the host&#8230;</p>
<p>In terms of host-based virtualization I was thinking of things like VMware Server, Windows Virtual Server (without Hyper-V) and Xen, which in terms of approach are all roughly similar (in that they have a general-purpose operating system running on the host).</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: dre</title>
		<link>http://www.tssci-security.com/archives/2008/06/18/virtualization-is-a-process-not-a-product/#comment-7857</link>
		<dc:creator>dre</dc:creator>
		<pubDate>Wed, 18 Jun 2008 13:57:21 +0000</pubDate>
		<guid>http://www.tssci-security.com/archives/2008/06/18/virtualization-is-a-process-not-a-product/#comment-7857</guid>
		<description>@ Rory:  Thanks for posting; great posts.

Smaller attack surfaces lower the possibility of attack, but they don't eliminate attacks entirely.  Ideally, you would be capable of responding to incidents with a vast array of tools and resources to help you for when it does happen.

Linux is just as good as any platform for this purpose.  I have not seen equivalent tools such as Samhain or the99lb for other OSes.  Although Windows does have some great digital forensics and e-discovery tools available, especially commercially-based.

I'll have to disagree with your overall assessment of host-based virtualization solutions (I assume you're speaking directly to Xen), although you do have some very attractive arguments.  I like the way you think, but maybe there are other factors besides the ease in ability of compromise?</description>
		<content:encoded><![CDATA[<p>@ Rory:  Thanks for posting; great posts.</p>
<p>Smaller attack surfaces lower the possibility of attack, but they don&#8217;t eliminate attacks entirely.  Ideally, you would be capable of responding to incidents with a vast array of tools and resources to help you for when it does happen.</p>
<p>Linux is just as good as any platform for this purpose.  I have not seen equivalent tools such as Samhain or the99lb for other OSes.  Although Windows does have some great digital forensics and e-discovery tools available, especially commercially-based.</p>
<p>I&#8217;ll have to disagree with your overall assessment of host-based virtualization solutions (I assume you&#8217;re speaking directly to Xen), although you do have some very attractive arguments.  I like the way you think, but maybe there are other factors besides the ease in ability of compromise?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Rory McCune</title>
		<link>http://www.tssci-security.com/archives/2008/06/18/virtualization-is-a-process-not-a-product/#comment-7856</link>
		<dc:creator>Rory McCune</dc:creator>
		<pubDate>Wed, 18 Jun 2008 13:46:40 +0000</pubDate>
		<guid>http://www.tssci-security.com/archives/2008/06/18/virtualization-is-a-process-not-a-product/#comment-7856</guid>
		<description>@dre:

Thanks for the follow-up.  The thinking would be that a bare-metal hypervisor presents a much smaller attack surface than a general-purpose host OS like Windows or Linux, and as such the chance that there would be a feasible guest--&#62;host compromise is lower.

Also, bare-metal hypervisors may not provide the facilities that a general-purpose OS does, which may allow an attacker to leverage such a compromise (e.g. network clients, compilation tools).

The idea of vendor-implemented back-doors is always a tricky one and will depend on the company's risk profile and likely threats as to whether that's going to be a concern, but the idea of guest--&#62;host compromise and how easy or difficult it is will, I think, have quite a large effect on the take-up of virtualization in a lot of companies.</description>
		<content:encoded><![CDATA[<p>@dre:</p>
<p>Thanks for the follow-up.  The thinking would be that a bare-metal hypervisor presents a much smaller attack surface than a general-purpose host OS like Windows or Linux, and as such the chance that there would be a feasible guest&#8211;&gt;host compromise is lower.</p>
<p>Also, bare-metal hypervisors may not provide the facilities that a general-purpose OS does, which may allow an attacker to leverage such a compromise (e.g. network clients, compilation tools).</p>
<p>The idea of vendor-implemented back-doors is always a tricky one and will depend on the company&#8217;s risk profile and likely threats as to whether that&#8217;s going to be a concern, but the idea of guest&#8211;&gt;host compromise and how easy or difficult it is will, I think, have quite a large effect on the take-up of virtualization in a lot of companies.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: dre</title>
		<link>http://www.tssci-security.com/archives/2008/06/18/virtualization-is-a-process-not-a-product/#comment-7855</link>
		<dc:creator>dre</dc:creator>
		<pubDate>Wed, 18 Jun 2008 12:56:53 +0000</pubDate>
		<guid>http://www.tssci-security.com/archives/2008/06/18/virtualization-is-a-process-not-a-product/#comment-7855</guid>
		<description>@ Rory:

I don't see why it wouldn't apply to bare-metal solutions like ESX server.  Worse, ESX server could contain backdoors that enable this functionality, ones that might be very difficult to detect.  Look at Cisco IOS and other embedded OSes -- same deal with privilege escalation and rootkits.

In 1998, I was part of a team that tested and exposed problems with CatOS software, including testing of VLANs for security purposes.  For a long time thereafter, it was thought that VLANs violated RFC 2196's rules of separation.

Turns out that later I was one of the biggest proponents of using firewalls on a stick (or a firewall on the same switch, with different VLANs for the external and internal ports).  This often confused people -- why would I go through all the trouble of proving that something is insecure, later to only use it in that same way?

In some ways, these are questions that you are going to have to answer for yourself.  With sHype and SELinux RBAC/TE, it might be the case that virtualization concepts still break the classification levels.  However, so do the assurance models, if not taken into account (e.g. buffer overflow on a remote service or an open DAC policy on the memory or filesystem).

Many of these answers can be found in the Orange Book (TCSEC).  A proper balance of functionality and assurance is difficult to understand unless you look at all of the components and assess the level of risk of each as comprehensively as possible.</description>
		<content:encoded><![CDATA[<p>@ Rory:</p>
<p>I don&#8217;t see why it wouldn&#8217;t apply to bare-metal solutions like ESX server.  Worse, ESX server could contain backdoors that enable this functionality, ones that might be very difficult to detect.  Look at Cisco IOS and other embedded OSes &#8212; same deal with privilege escalation and rootkits.</p>
<p>In 1998, I was part of a team that tested and exposed problems with CatOS software, including testing of VLANs for security purposes.  For a long time thereafter, it was thought that VLANs violated RFC 2196&#8217;s rules of separation.</p>
<p>Turns out that later I was one of the biggest proponents of using firewalls on a stick (or a firewall on the same switch, with different VLANs for the external and internal ports).  This often confused people &#8212; why would I go through all the trouble of proving that something is insecure, later to only use it in that same way?</p>
<p>In some ways, these are questions that you are going to have to answer for yourself.  With sHype and SELinux RBAC/TE, it might be the case that virtualization concepts still break the classification levels.  However, so do the assurance models, if not taken into account (e.g. buffer overflow on a remote service or an open DAC policy on the memory or filesystem).</p>
<p>Many of these answers can be found in the Orange Book (TCSEC).  A proper balance of functionality and assurance is difficult to understand unless you look at all of the components and assess the level of risk of each as comprehensively as possible.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Rory McCune</title>
		<link>http://www.tssci-security.com/archives/2008/06/18/virtualization-is-a-process-not-a-product/#comment-7854</link>
		<dc:creator>Rory McCune</dc:creator>
		<pubDate>Wed, 18 Jun 2008 12:25:45 +0000</pubDate>
		<guid>http://www.tssci-security.com/archives/2008/06/18/virtualization-is-a-process-not-a-product/#comment-7854</guid>
		<description>I'm interested in what you're saying about least privilege and guest--&#62;host compromise.  Do you think that the same caveat applies to "bare metal" hypervisor-based virtualization environments (e.g. ESX Server)?

There seems to be a lot of business interest in the idea of virtual machine farms that will host guests in multiple logical network segments at different classification levels, and if it does turn out to be possible to compromise the virtualisation segregation in some/most/all cases then that business model would seem to be very broken.</description>
		<content:encoded><![CDATA[<p>I&#8217;m interested in what you&#8217;re saying about least privilege and guest&#8211;&gt;host compromise.  Do you think that the same caveat applies to &#8220;bare metal&#8221; hypervisor-based virtualization environments (e.g. ESX Server)?</p>
<p>There seems to be a lot of business interest in the idea of virtual machine farms that will host guests in multiple logical network segments at different classification levels, and if it does turn out to be possible to compromise the virtualisation segregation in some/most/all cases then that business model would seem to be very broken.</p>
]]></content:encoded>
	</item>
</channel>
</rss>