Virtualization's secret security threats


By Galen Gruman
March 13, 2008

Almost any IT department worth its salt is deploying virtualization 
technology today to reduce power usage, make server and OS deployments 
more flexible, and better use storage and systems resources. But as 
virtualization technology gains in popularity, it may bring with it new 
risks, said Don Simard, the commercial solutions director at the U.S. 
National Security Agency, the electronic intelligence and cryptographic 
agency once so secret its very existence was a secret. At the same time, 
virtualization technology may bring new protections, he noted.

One of the NSA's roles is to work with technology providers to help them 
make their wares more secure, both to help government agencies using 
them and to reduce threats that could affect the commercial sector and 
thus the national economy. Sometimes, the NSA also wants to ensure it 
has back-door access to commercial systems.

In the case of virtualization, the NSA has worked with EMC's VMware 
unit, IBM, AMD, Trusted Computing Group, and others for several years to 
identify potential threats and suggest workarounds. Later this year, 
chips from AMD and Intel will include technology that the NSA has helped 

The hidden hardware threat

Simard is a big fan of virtualization. The technology has helped NSA 
employees, as well as other military and intelligence agents, access 
multiple secure networks from a single computer. It used to be that each 
network had to be accessed from a separate computer -- the PC or laptop 
essentially acted as a hardware authentication token -- so analysts and 
coordinators had to move from one computer to another depending on which 
intelligence network they were using at the time. This led to equipment 
shortages and lots of boxes to carry around when traveling. In Simard's 
case, that meant using four computers, one each for the three 
intelligence networks he works on and one for unsecured, personal 
Internet access. Now he has one computer, with each network accessed 
from a separate virtual machine.

But the NSA realized that this benefit of virtualization also introduced 
a new potential threat. After all, Simard said, "graphics cards and 
network cards today are really miniature computers that see everything 
in all the VMs." In other words, they could be used as spies across all 
the VMs, letting a single PC spy on multiple networks. Although he's not 
aware of any such spyware today, it's not a problem the NSA wants to 
experience or see happen in other intelligence agencies.

That's where IBM and AMD come in. AMD's scientists had similar concerns 
to the NSA's, so they worked with the NSA to design an authentication 
mechanism at the chip level that would be able to control what hardware 
could do with the virtualization engines that rely on their AMD-V 
on-chip virtualization assistance technology. While no ship date has 
been announced, a new generation of AMD-V chips expected later this year 
will introduce the concept of chip-managed trusted hardware, said Steve 
McDowell, division manager for emerging technologies at AMD. Intel is 
expected to ship a similar technology as well, said Kurt Roemer, chief 
security strategist at Citrix Systems, which recently bought hypervisor 
maker Xen.

These new chips will have what AMD's McDowell calls a "device exclusion 
vector" that can authorize or block hardware access to VMs, as well as 
create a chain of permissions that flow from one device to another, so 
OS and hypervisor developers can control not only which hardware can do 
what, but also which flows among hardware devices are permitted. McDowell 
expects this approach to prevent the subsystem-as-spy problem that both 
AMD and the NSA identified.

Using virtual layers to add security

While virtualization is used commercially to have multiple operating 
systems run on one machine -- to get more usage from physical servers, 
to run Windows on Macs, and to easily set up testbed environments -- its 
origins trace back to a military security need. In fact, the VMware 
technology that popularized virtualization is a spin-off of Defense 
Department-sponsored research done at Stanford University; the military 
saw early promise in virtual machines to encapsulate networks and 
desktops from outside threats, resulting in an NSA-created OS called 
NetTop that in 2001 did for Linux what products such as Parallels 
Desktop and VMware Desktop do today: provide separate VMs that can't 
affect each other on one box.

Now the NSA sees virtualization protecting systems in a new layering 
approach, Simard said. The idea is to have an independent layer handle 
security, so even if an OS has security flaws, a separate layer that the 
OS can't compromise handles security threats such as viruses and worms 
or implements firewalls. Simard said it's inevitable that PC operating 
systems will have security holes: "The PC platform is a very 
feature-rich platform, and being feature-rich gets it into trouble."

The NSA, working with General Dynamics and IBM, has developed the first 
version of this technology, which it calls the High Assurance Platform 
workstation, for the U.S. Special Operations Command, using VMware, 
Novell SuSE Linux, and Red Hat Linux, Simard said.

"I believe strongly in doing antivirus and firewalling in isolation 
outside the OS," said AMD's McDowell. But Simard is concerned that this 
layered approach could compromise security if poorly implemented in 
commercial systems. The reason: If the security layer is compromised, 
such as through poor design, then an intruder now has access to all the 
VMs on the system. McDowell agreed with that concern, saying that such a 
layered approach can't replace security at the OS and network -- instead 
it must supplement those components' security. He also noted that 
applications are the most common route for vulnerabilities to find their 
way into an OS, so they too need to have their own protection 

A related concern is the hypervisor, the root layer that manages the 
VMs. If compromised, it could expose everything on the system. But 
McDowell is least worried about this scenario: "Hypervisors are very 
hard to write, and there are just three of them -- Xen, Microsoft, and 
VMware" -- so there's not broad expertise for hackers to tap into, he 

The leapfrog effect

Citrix's Roemer noted that the NSA's risk examples are on the extreme 
side. "They're onto something there, but a lot of their needs greatly 
exceed that of other organizations," he said.

The NSA's Simard agreed, but noted that there's a leapfrog effect, in 
which the NSA and other government agencies sometimes are the first to 
come across a threat, and feed that experience to commercial companies 
to help them improve their products. The commercial companies take the 
issue a step further and end up having better options than the 
government, which then pushes the envelope in its usage and discovers 
new issues.

He sees this being very true in the virtualization world, where the feds 
were the first to see the technology as a security aid and then, more 
recently, as a new potential threat vector. "Hopefully, industry will 
learn from our worries," Simard said.
