Sunday, May 15, 2011

Virtualization and guest security: VMWare and Trend Micro "solution"

After taking part (as a guest) in the VMware Forum 2011 in Brussels, here is a tiny recap.
Virtualization technology is leading to brand new products, and companies are collaborating to enjoy this new business, although they don't always come with novel ideas.
VMware, as a leader in the virtualization market, regularly organizes conferences to present its products and "spread the word" to business people who are very likely unaware of virtualization technology and maybe need nice words to be fascinated.
Around VMware, old and new companies are each eating a piece of the same cake. Thus collaborations with companies that originally produced standalone software, for instance for Microsoft Windows, are appearing on a regular basis.
Basically, VMware makes a hypervisor, and not a minimal one at all. It's actually a huge software beast which runs on capable machines in order to "virtualize" Windows guest operating systems.
VMware enjoys business partners like Microsoft, as the main provider of the guest OS, Mitel for VoIP telephony, EMC2 for data storage, and Trend Micro and Symantec for security.
Virtualization is coming up in several flavours and with several functionalities. While people are amazed by live migration - virtual machines can be migrated on the fly from one cloud to another in a fully transparent fashion - very few people are considering the security issues which might arise from this apparently simple operation.
Still on security: Trend Micro and Symantec, well-known antivirus producers from the era of standalone operating systems, are cooperating with VMware to guarantee the same degree of security by implementing their antivirus technology within the hypervisor.
One important feature of hypervisor technology is the strong isolation guaranteed by the hardware (provided the hypervisor code is correct) among virtual machines and between each virtual machine and the hypervisor itself. Integrating a monitor or antivirus within the hypervisor is considered smart because the code that detects/protects the target system is isolated and cannot be compromised if the target system is attacked by, let's say, a rootkit.
When rootkits attack kernels, the overall system is compromised. Moreover, malicious code is executed with the highest privilege, and (if that happens!) the best thing to do is to switch off the machine and destroy it. Alright, don't do that. We can fix it. But what I am trying to say is that the damage might be insanely high.
The "novel" idea by Trend Micro is basically a module which implements monitor functionality and plugs into the ESX hypervisor. Unfortunately, the guest must run a device driver, released by VMware and Microsoft (yes, this stuff exists only for Microsoft guests), which sends the hypervisor the addresses of all memory regions to protect. Does anyone doubt that this is a design failure?
Well, if a rootkit can successfully compromise the guest kernel, it may compromise the driver too and tell the hypervisor something like "hey buddy, we're good here", and the module in ESX would simply be bypassed.
Implementing a monitor in an isolated system is smart. But leaving half of the protection system within the target system is a design flaw which negates any benefit, because that half becomes part of the attack surface: the monitor's policy is only as trustworthy as the guest that supplies it.
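To make the trust-boundary point concrete, here is an added toy model (my own illustration, not VMware's or Trend Micro's code, and with no relation to how ESX or the real driver actually work). Guest memory is a constructed byte array with two placeholder regions; the "rootkit" is a single byte write. Design A lets the in-guest driver decide, on every cycle, which regions the hypervisor-side monitor checks; Design B has the hypervisor fix its region list and baseline hashes at a trusted point before the guest runs and ignore any later guest message that would remove a region.

```python
"""Toy model: who owns the protection policy, the guest or the hypervisor?"""
import hashlib
from typing import Dict, List, Tuple

Region = Tuple[int, int]  # (start, end) offsets into guest memory, end exclusive

# Constructed layout: a fake kernel code page and a fake dispatch table.
KERNEL_CODE: Region = (0x000, 0x100)
DISPATCH_TABLE: Region = (0x100, 0x200)


def make_guest_memory() -> bytearray:
    """Constructed guest 'physical memory' with placeholder contents."""
    mem = bytearray(0x200)
    mem[KERNEL_CODE[0]:KERNEL_CODE[1]] = b"\x90" * 0x100          # placeholder code
    mem[DISPATCH_TABLE[0]:DISPATCH_TABLE[1]] = bytes(range(256))  # placeholder entries
    return mem


def region_hash(mem: bytearray, r: Region) -> str:
    return hashlib.sha256(bytes(mem[r[0]:r[1]])).hexdigest()


def snapshot(mem: bytearray, regions: List[Region]) -> Dict[Region, str]:
    """Baseline hashes, computed from outside the guest (the hypervisor's view)."""
    return {r: region_hash(mem, r) for r in regions}


def integrity_alerts(mem: bytearray, baseline: Dict[Region, str]) -> List[Region]:
    """Regions whose current contents no longer match the baseline."""
    return [r for r, h in baseline.items() if region_hash(mem, r) != h]


def tamper_with_guest_kernel(mem: bytearray) -> None:
    """Simulated in-guest kernel-level modification (one hooked table entry)."""
    mem[DISPATCH_TABLE[0] + 5] = 0xFF


def scenario_guest_driven() -> List[Region]:
    """Design A: the protected set is whatever the in-guest driver last reported.

    Once the kernel is compromised, the driver is under the attacker's control
    and reports an empty set, so the hypervisor-side check has nothing left to
    compare against and raises no alert.
    """
    mem = make_guest_memory()
    driver_report = [KERNEL_CODE, DISPATCH_TABLE]  # honest driver at first
    baseline = snapshot(mem, driver_report)
    tamper_with_guest_kernel(mem)
    driver_report = []                             # subverted driver: "we're good here"
    baseline = {r: h for r, h in baseline.items() if r in driver_report}
    return integrity_alerts(mem, baseline)


def scenario_hypervisor_owned() -> List[Region]:
    """Design B: the hypervisor fixes its policy and baseline before the guest
    runs and never lets a guest message shrink it. Guest compromise cannot
    silence the monitor, so the tampered table is reported.
    """
    mem = make_guest_memory()
    baseline = snapshot(mem, [KERNEL_CODE, DISPATCH_TABLE])  # hypervisor's own policy
    tamper_with_guest_kernel(mem)
    driver_report: List[Region] = []                         # ignored by design
    del driver_report
    return integrity_alerts(mem, baseline)


if __name__ == "__main__":
    print("guest-driven policy alerts:    ", scenario_guest_driven())
    print("hypervisor-owned policy alerts:", scenario_hypervisor_owned())
```

The only difference between the two scenarios is where the list of regions comes from. Hashing and comparing are done from outside the guest in both cases, yet Design A can be silenced by the very component it is meant to protect, which is exactly the objection above.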
I have the impression that a traditional protection system is being implemented by means of a new technology with which it doesn't seem compatible at all. Probably, my conclusion has no impact in the business world, where the fact that a guest operating system might be compromised by a malicious device driver is not a big deal. "Their" assumption is that installing an unsigned or third-party driver will never happen. Thus, no worries. Does this really happen?
Besides this little security issue, all the rest was great (starting with breakfast and lunch). People like graphs, and despite virtualization, virtual CPUs, virtual memory and virtual devices, people want to see pie and bar charts with their virtual things in action, just as they want to see where the bucks are.
VMware rocks in that. They provide a great GUI.