"echKnowSECURITY

54

LRW5 DFIRTURLIZRTI

SECURITYVIRTUALIZATION TECHNOLOGY CAN DELIVER COST SAVINGS AND IMPROVEIT PERFORMANCE, BUT IT ALSO INTRODUCES NEW SECURITY CONCERNS.IN THIS SUMMARY OF A BURTON GROUP REPORT, SECURITY EXPERTPETE LINDSTROM EXAMINES THE SECURITY CONSIDERATIONS UNIQUE TOVIRTUALIZED IT ENVIRONMENTS.

THE VrRTUALIZATION OF CLIENTS AND SERVERS—AND THEimpact it has on networks and storage —is a hot topic in IT.As a result, it's also a hot topic in security:

There are multiple perspectives on how virtuaiizationimpacts security. Some claim that virtualization's isolationproperties make it beneficial to security, while others say theadded complexity ofthe overarching management software —known as the hypervisor—and the opportunity to "escape thevirtual machine (VM)" are detrimental to security

As with any new technology as broad and comprehensive asvirtuaiization, such security concerns are critical. In addition,the combination of technical details and marketing messagesfrom vendors can create a potent cocktail of ambiguity aboutthe real impact these new architectures have on risk manage-ment and security.

Beyond the superficial discussions of hypervisor-basedrootkits and discovery techniques are the very real issues ofallocation of information assets and the relative impact onthreats and vulnerabilities. Indeed, virtuaiization comes withits own set of unique security considerations. The appropriateprotection response to these inherent security characteristicsis a measured approach that carefully considers the impact onthe existing IT infrastructure; a factored analysis of threats,

vulnerabilities and consequences; and an understanding oftheimpact on existing security solutions.

Rules of the GameThere are five immutable laws of virtuaiization security It'sessential to understand them and use them to drive securitydecisions. They are:1, ATTACKING A VIRTUAL combination of operating systemsand applications is exactly the same as attacking the physicalsystem it replicates.

The beauty of a virtual machine is that it acts just like aphysical system. However, in most environments, that meansit can be attacked in the same way Any data on the VM canbe stolen, and if the VM has network access, it can be used asa stepping stone to attack other systems.2 . A VIRTUAL MACHINE poses a higher security risk than anidentically configured physical system running the same oper-ating system and applications.

This corollary to the first law accounts ior the additional vul-nerability of a virtual system's controlling software, the hypervisor.Because the hypervisor monitors and responds to a VM, it is sus-ceptible to attack. So it's important to recognize the risks inherentin the virtual environment and to offset them in other ways.

WWW.BASELINEMAG.COM

3. VIRTUAL MACHrNES CAN he made more secure than similarphysical systems when they separate liinctionalit)' and content.

When two processes share the same memory space, anattack against one process cart impact the other. One way tobenefit from virtualization is to separate functions and datainto isolated operating environments. Such segregation helpsreduce the risk added by the virtualization software that's partofthe second law.4 . A SET OF virtual machines aggregated on the same physicalsystem can only be made more secure than separate phys-ical systems by modifying the VM's configurations to offsethypervisor risk.

While separating resources reduces risk, combiningresources will initially increase risk (see #2). At this level ofaggregation, VMs must be reconfigured to attain the samelevel ot risk achieved through the third law. Turning offservices, adding controls and separating content can helpreduce overall risk.5. A SYSTEM CONTAINING a trusted virtual machine on anuntruste<I host poses a greater risk than a system containing atrusted host with an untrusted VM.

Attacks at lower levels pose greater risks than those athigher levels, because higher-level programs can be tricked

into believing assertions about trust and authenticity. It isimportant for deployments of trusted VMs in untrustedenvironments to consider the implications and harden theVM image accordingly

Putting the Laws Into PracticeThe answer to the question of security rarely has an absolutevalue. Instead, it is a matter of degrees. For most enterprises,the decision is not whether to vírtualize. because virtualiza-tion is here now. The decision involves determining where andwhen to apply controls that are sufficient in the environmentbased on risk tolerance. Ultimately, whether virtualization isbane or boon for security depends on how the systems areconfigured, deployed and managed.

To manage these new security concerns, it's important tounderstand the underpinnings of today's virtual systems.

The primary components of a virtual environment are:• VIRTUAL MACHINES AND THEIR ACCOMPANYING GUEST OPER-ATING SYSTEMS: These are the core components of the vir-tual architecture.

• VIRTUAL MACHINE MONITOR (VMM): The software componentresponsible for managing interactions between the VM andthe physical system.• HYPERVISOR AND/OR HOST OPERATING SYSTEM: The softwarethat handles kernel operations.

A virtualized environment consists of a VMM and one ormore VMs. The VMs and VMM interact with either a hyper-visor or a host operating system to access hardware, local I/Oand networking resources. In addition to these components,virtualization architectures leverage virtual networking,virtual storage and terminal service capabilities to completetheir architectures.

This minimum set of components makes up virtual 55

WWW.BASELINEMAG.COM

SECURITYenvironments in several distinct ways:> TYPE 1 VIRTUAL ENVIRONMENTS are considered full virtualiza-tion environments and have VMs running on a hypervisor thatinteracts with the hardware.> TYPE 2 VIRTUAL ENVIRONMENTS also are considered full virtu-aiization environments, but work with a host operating systeminstead of a hypervisor (though sometimes the VMM is calleda hypervisor).> PARAVIRTUALIZED ENVIRONMENTS make performance gainsby eliminating some ofthe emulation that occurs in full virtu-aiization environments.> OTHER DESIGNATIONS include hybrid virtual machines(HVMs) and hardware-assisted techniques.

From a security perspective, the most important thing toremember is that there is a more significant impact in aType 2environment where a host operating system with user applica-tions and interfaces is running outside of a VM at a level lowerthan the other VMs. Because of the architecture, the Type 2environment increases risk through its incorporation of poten-tial attacks against the host operating system. For example, alaptop running VMware with a Linux VM on a Windows XP

quickly Obviously, this creates a problem whereby the risk-tolerant behavior impacts the risk-averse requirements. Anisolated temporary environment can provide a way to allowrisk-tolerant behavior without significantly impacting the risk-sensitive resources.

One technique for virtual environments involves cre-ating a "sandbox" VM and using it for risky activities.Assuming the content being created and the changes beingmade are insignificant in the long term, a user can "turnback time" to a point where the VM configuration was"known good"—typically reverting to the standard image.An obvious use for such a configuration is for shared sys-tems, such as training systems and kiosks, to allow formaximum flexibility on the user side without creating anylong-term damage.

The sandbox scenario also provides an obvious case inwhich streamlined recoverability is useful. In fact, the morefrequent the reversion to a known-good state, the lower thepotential for harmful consequences.

VMs also can be multiplied and distributed in manydifferent ways. This flexibility is a boon to disaster recovery

OF COURSE, A VIRTUAL SYSTEM IS NOT WITHOUT ITSÄ"VECTORS.

56

THREATS THAT SHi

system inherits the attack surface of both operating systems,plus the virtuaiization code ofthe VMM.

Security BenefitsShared content and resources are the bane of security pro-fessionals, who spend most of their time collecting, catego-rizing, grouping and then separating resources in ways thatmake sense. Sometimes this grouping is done by businessunits, and sometimes it's done by other means, such as theclassification ofthe content.

A virtual environment can provide a way to separate programresources and content to enhance security Shared resourcesalso share risk at the aggregate level. Separating resources andcontent allows for stronger protection of higher-risk resourcesand reduces the overall impact of a compromise. A number ofvaluable uses could come out of this. For example:• A SINGLE APPLICATION or a set of applications could be runin a VM guest (or compartment) separate from all otherapplications.*• A CONSULTANT WORKING for two different companies coulddo work for each client in a separate VM.• AN INDIVIDUAL WORKING on a personal computer could useone VM tor business and another for personal finances andother home-related work.

User behavior can vary widely—from strong risk toleranceto strong risk aversion. Sometimes, this behavior can change

lUATED FULLY.

specialists looking for ways to increase availability. Maintainingreplicated environments that are physically separate andcreating images that can be recovered quickly contribute tothe overall availability ofthe resources.

Attacking VirtuaiizationOf course, a virtual system is not without its attack vectors.Rogue hypervisors and the VM escape are two aspects ofthreats that should be evaluated fully.

In the past few years, much attention has been given to theuse of virtuaiization in support of rootkits. Rootkits gain theireffectiveness when they are hidden, and hypervisor rootkits —sometimes paradoxically called VM-based rootkits —hide bylaunching a rogue hypervisor and porting the existing oper-ating system into a VM.

The guest operating system within the VM believes it is run-ning as a traditional operating system with the correspondingcontrol over local hardware and networking resources affordedto these systems—but it isn't. The hypervisor has control and canmanipulate the activities on the system in any number of ways.

In 2006, a security researcher named Joanna Rutkowskaintroduced what she called the "blue pill," a hypervisor rootkitthat inserts itself into memory, subordinates the real oper-ating system to VM status and gains a level of invisibility byextension. To date, the rogue hypervisor is of greater concernto security researchers than to the enterprise. In fact, using

WWW.BASELINEMAG.COM

virtual systems becomes a sort of protection in itself, sincemaJware installed in a VM would not execute its payload.

Another security concern involves what is known as"e.scaping" the virtual machine. This ability to move malwareoutside the VM and execute arbitrary code on the physicalhost is considered the holy grail of virtualization securityresearch. Given that the intent of virtualization is to be trans-parent to existing functionality, the hypervisor is the only newcomponent that need be assessed.

The ability of the hypervisor to withstand attack and pro-vide some level of isolation among VMs is at the root of howrisk will fare in these environments. Since the hypervisor is,after al!, a software program, it stands to reason that addi-tional softvifare initially increases the risk in any environment,simply because there is more code implemented with morecomplexity than with traditional IT environments.

Several researchers have demonstrated rudimentary VMescape exploits, and as the popularity of virtual systemsincreases —and the platform becomes a more lucrative attacktarget —the threat will continue to increase.

The Impact on RiskAlthough the benefits of a virtual environment are clear, theyare not always realized in every atchitccted environment.The fact is that the various characteristics will be mixed andmatched with other IT resources. Given that probable out-come, it is useful to review risk principles and apply them toa virtual environment. The Burton Group defines risk as afimction of threats, vulnerabilities and consequences, and anincrease in any of these three elements increases overall risk.* THREATS: At this Stage of virtualization technology develop-ment, the likelihood that malicious attackers will target virtualenvironments is relatively low. That said, as more people gettrained on and learn about virtualization, attackers are boundto iollow. Ciiven the adoption rate of virtualization technology,it's reasonable to assume this threat is accelerating quickl)^• VULNERABILITIES: The vulnerability of a system is a measure ofits attack surface: the nature and extent of resources that arcexposed and therefore attackable. Of course, if isolation mech-anisms like firewalls or operating system access controls fail,the attack surface balloons to encompass the entire machine.The question, then, is whether the attack surface of a system(ir i)i an enterprise IT environment as a whole increases ordecreases with the deployment of virtual environments.

The attack surface increases with the increased availabilityof services on any IT resource. This means that the additionof a system to an enterprise environment increases the attacksurface. At a more granular level, starting services, openingTransmission Control ProtocolAJser Datagram Protocol (TCP/UDP) ports and registering remote procedure call (RPC) end-points also increase the attack surface. If more resources areconsumed, more risk is incurred.

Most virtual environments aim to make themselves trans-parent throughout the environment. However, something newis behind the scenes of the systems: the hypervisor and VMM.The addition of the hypervisor resource increases risk, just as

any other additional service does.So, if everything else remains

constant, the vulnerability com-ponent of risk is increased in vir-tual environments. Everythingelse does not have to remain con-stant, however, l b whatever extentother resources can be reduced,eliminated or isolated so they areno longer part of the attack sur-face, that will offset the increasedattack surface and reduce overall vulnerability.

• CONSEQUENCES: The final component of risk is the impact orconsequences of a successful attack. In most IT environments,the value of information assets is increasing as organizationswork to squeeze out more benefits from systems. As thesefunctions take on more mission-critical capabilities, associ-ated losses increase as well.

Security SafeguardsSecurity teams should take a number of steps to ensure theimproved protection of virtual environments, including:• USE ALL EXISTING SECURITY MECHANISMS. Since one of theprimary goals of virtualization is transparency, all current host-based solutions should operate in exactly the same way, withlimited need for modifications. Existing solutions may not beoptimal, but they'll provide reasonable security.• GET YOUR ADMINISTRATIVE ACT TOGETHER. The dynamicnature of the VM lifecycle and the potential for VM sprawlhint at an even more difficult asset-manage ment environmentin the virtual world. It is prudent to ensure that administra-tive procedures are ready for identitying and tracking VMsthroughout the environment.• LOOK FOR WAYS TO MOVE SECURITY OUT OF THE VM. Enterprisescan reduce or eradicate agents from VMs and create separateprocess spaces for user activities and security fianctions.• MANAGE VIRTUAL MACHINES LIKE FILES AND SYSTEMS. T h e

portability of VMs makes them vulnerable to file-styleattacks, so they must be protected in a similar fashion.The goal of file-oriented management is recognizing thefile objects and providing cryptographic and access-controlprotection for them.• ENCRYPT NETWORK TRAFFIC WHERE POSSIBLE. E n c r y p t e d

communications provide some protection against localsniffing threats that may come from other VMs or thehypervisor• PRACTICE SEGREGATION OF FUNCTIONS. Because multipleVMs can be run un the same machine, it may be possible tocreate separate compartments for security components. Strongcandidates for segregation include logging events externally,maintaining separate keys for encryption, and separatingpolicy and configuration from the image, i

PETE UNDSTROM, A SENIOR ANALYST AT THEBURTON GROUP, SPECIALIZES IN SECURITY METRICS,

RISK MANAGEMENT WEB 2.0/SOA/WEB SERVICES SECURITY ANDSECURING NEW TECHNOLOGIES.

WWW.BASELINEMAG.COM