Matasano Chargen: Dark Reading on Virtualization Security

  • lseltzer · 2 years ago
    Isn't it your hypervisor IPS that's likely to find your hypervisor malware? How can you ignore both?
  • dre · 2 years ago
    how about hypervisor IDS i.e. xenaccess?
  • Thomas Ptacek · 2 years ago
    Larry, I think you're conflating AV with IPS. Hypervisor AV has some value, albeit minimal (there are two hypervisor rootkits I know of and both are proof-of-concept and we own one of them). I predict Norton AV and McAfee will both have this checkbox by 2008.

    Hypervisor IPS sits in, above, or alongside your conventional hypervisor, and attempts to intercept attacks on the hypervisor, thus ostensibly preventing guest-to-guest attacks. There will be, I predict, 6 of these types of vulnerabilities in VMWare ESX over the next 8 years. Of them, 1 will be detectable by a shipping "Hypervisor IPS" within 6 months of the attack's disclosure on Bugtraq. You tell me whether it's worth it.

    Hypervisor IPS will have no play vs. Hypervisor Malware; by the time you've cracked ring -1, you're already implicitly past any IPS installed on the machine.
  • Mike Myers · 2 years ago
    Was this the article you meant the first link to go to?
  • Thomas Ptacek · 2 years ago
    Er, yes. Thank you. =)
  • ivan · 2 years ago
    just a minor additional point: everyone in the 'security through virtualization debate' seems to be taking for granted that all guest to guest and guest to host communications and data/code context switches WILL be effectively mediated by the hypervisor. That is not necessarily so.
  • Greg Ness · 2 years ago
    Thomas:

    The key factor for securing virtual servers behind the hypervisor will be a shield layer (within the hypervisor) that decodes protocols, etc. The idea of signatures for virtual server protection is dead:

    http://alwayson.goingon.com/permalink/post/9944

    G
  • Greg Ness · 2 years ago
    A Nemertes Issue Paper: Securing Virtualized Infrastructures

    http://www.bluelane.com/lib/pdfs/SecuringVirtua...

    To insert Andreas into the discussion... I think there will be at least two panels in Vegas during Interop week on this topic. I think Andreas is moderating one of the panels (Interop Data Center Summit); Art Wittmann the other (Interop). FYI

    G
  • Thomas Ptacek · 2 years ago
    I hope Andreas came cheap. "Virtual Shield" is a Blue Lane brand; it's a bit of a tip-off when your independent analyst puts your brand in the title of his paper.

    I think there's a decent claim to be made for "the network security device that will sit between VMs because it's hard to filter between VMs".

    Of course, I also think modern enterprises are so far from having reasonable access control between the VLANs they already use without virtualization that it's not a "next 18 month" priority to install them.

    I think there's no claim to be made for the need to protect OS's from malware that will attack either hypervisors or kernel-level security products.
    After-market hypervisor security products introduce exactly the same types of security problems that after-market kernel security products do.
  • Nate · 2 years ago
    Wasn't Blue Lane the company selling "no patching" IPS? So I guess the marketing message is "protect the OS^H^Hhypervisor". Isn't my firewall really a "no patching" Windows SMB appliance?
  • Greg Ness · 2 years ago
    Thomas:

    We'll talk to you soon. That way we can give you a clearer picture of what we're doing and where.

    Nate:

    http://www.bluelane.com FYI- emulating the security functionality of the patch isn't patch replacement, except in the case of impossible to patch systems. In the case of hard to patch, it allows for a saner, lower risk schedule. I provided a link to our website.
  • grey · 2 years ago
    Also see the recent bugtraq post about the Xbox 360 hypervisor privilege escalation vulnerability which allowed for running unsigned code (this is different from DVD firmware patching, which has allowed pirated signed code to run since about a month after the Xbox release):

    http://www.securityfocus.com/archive/1/461489/3...

    Repeat after me: there is no silver bullet.
  • Greg Ness · 2 years ago
    There is no silver bullet. Probably never will be a silver bullet. Virtualization WILL erode the efficacy of static security solutions; and the best approach will be data center-centric vs trying to secure specific apps or tune signatures or play the hardware assist arms race.
  • Mitchel Ashley · 2 years ago
    No matter what new technology they come up with, there will be room for scanning and detecting products like my VAM scanner and Strataguard IPS. Regardless of the hypervisor, we can still scan the guest OS and detect malicious code and vulnerabilities. It also doesn't stop our Safe Access NAC product, which is equally effective at nipping the malware bud before it hits your network. We're also adding hypervisor detection in the next version of Safe Access.
  • Nate · 2 years ago
    I don't see the difference between 1. dropping a connection when there's an attempt to exploit a known flaw (IPS) and 2. "emulating" a patch when someone tries to exploit a known flaw (you). Do you really want to try to keep providing service to a clear attacker?

    And so my firewall is even better since it handles 0-day neither approach can predict.
  • Greg Ness · 2 years ago
    Patches don't typically (merely) drop connections because availability is of prime importance. They correct the traffic in a multitude of ways. Dropping connections does work sometimes, but it isn't a "silver bullet" either. Blocking needs to be highly accurate for starters (operational consequences), and there are cases where even accurate session interrupts can enable denial of service attacks.

    If it was the case (no difference between the block and the patch correction) then I'm assuming that your team doesn't patch... because there is a perception that IPS sig, etc. blocking and firewall settings have everything covered. Our position... patch on your schedule because we've applied the patch's security characteristics (multi-faceted correction).

    The point of my earlier posts is that virtualization is inevitable and WILL change the security requirements for the network: complexity will mushroom; server counts will escalate and processing power/apps will be more mobile than ever, eroding the value proposition of security tech tied to physical location. The homerun is that with the right technology/practices in place virtual environments can be MORE secure than their physical environment counterparts. But it will require new thinking.
    G
  • Thomas Ptacek · 2 years ago
    Mitchell, I don't understand what you mean by "hypervisor detection".
  • ivan · 2 years ago
    @mitchell: I did not understand a word of your comment. Who are "they" and who are "we"? What's a VAM scanner? What's that stratathing IPS? Are you talking about VMM security or running a surreptitious marketing campaign on security blogs? "nipping the malware bud before it hits your network"?! Whoah! Did you come up with that phrase yourself? Do not worry, *we* are adding DMA-capable devirtualization agents with hypermophic payloads (tm) in an upcoming release RSN; it will roll up your NAC thing and smoke it for breakfast!

    @nate: attack behavior does not necessarily imply that the source of traffic is the real attacker; sometimes tearing down sessions (even if they are clearly part of an attack) could have unwanted consequences somewhere back/up-stream towards the traffic's source. I don't want some stupid thing resetting TCP sessions because it 'knows' an attack is going on and making some other stupid thing upstream blackhole the dst or src net because something is 'misbehaving'. Let the transport layer be IFF you can deal with the issues at the app layer. That is a huge IFF, and I'm yet to see this so-called virtual patching dealing with it, or whether it really is any different from an IPS.

    @greg: Would you elaborate on the last comment? It seems obvious that with the right technology/practices anything can be more secure than something else without them, but how is it that virtual environments are inherently more secure than their physical counterparts? A virtualized Solaris still runs telnetd, and Mitchell's "we" (or "they") can still own it with -fbin.
  • Greg Ness · 2 years ago
    The hypervisor clear text layer is a point of profound control/leverage over what goes on behind the hypervisor. While virtualization brings heightened mobility, complexity and quantity issues, it introduces a powerful point of leverage for protecting pools of processing power, with one off and group policies, corrections, access, etc.

    Again, the virtual processor pool WILL require new thinking, new approaches... that are not tied to physical location, etc. As I wrote in my Always On blog referenced earlier I think it is the beginning of the end of static security.
  • Greg Ness · 2 years ago
    Mitchell: The fluid nature of virtual environments means scans can be rendered obsolete in the blink of an electron. The only way to stretch the time value of a scan is to set up policies that make virtualization less flexible... limit server creation and mobility capabilities to a predictable schedule. But who would virtualize only to try to run the virtual environment in the same way as the physical world? Does that really make sense?