Slashdot Mirror


NSA + VMware = Crackproof Computing?

n8willis writes: "ZDnet is reporting on a VMware and NSA collaboration called "NetTop." The idea is to run multiple virtual computers on one box, to eliminate the need for government workers to have separate PCs--and indeed separate networks--for classified and unclassified data. The challenge is making the virtual barriers as secure as the physically separate networks. NSA and VMware say they've done it. What do you think?" Will copying between virtual machines be impossible? I wonder when (or if) NSA changes will make their way into the various distributions' boxed releases.

157 comments

  1. Very Interesting by Ben+Schumin · · Score: 1

    I'm very pleased the way technology from some of the NSA's earlier projects has filtered out to us in some form or another. I hope that other projects do the same! What I don't understand though, is how can they really prevent copying from one OS to another? It's all in memory. Can't they just copy it from there? Or is the entire virtual os encrypted or something? That seems horribly slow. :) Ben

    --

    Ben Schumin :-)

  2. Here's one problem.. by dmuth · · Score: 5
    At home, I run Enlightenment, and often have multiple terminal windows open at once. I've already made stupid mistakes like trying to type my GPG passphrase or root password into the wrong window. My concern is that the NSA trying to do something similar could lead to similar problems. Given that government employees aren't exactly known for being the sharpest pencils in the box, I could easily see someone going to the trouble of doing an hour or more of work, only to discover that they were typing it all in the wrong window on an unsecure network. Whoops!

    As I understand it now, the present system where multiple machines are used in government institutions has a black machine that contains secret data, and a white machine that contains only sensitive data. Much harder to type something into the wrong machine when the color of it is immediately apparent to you, I would think.

    --

    1. Re:Here's one problem.. by Barbarian · · Score: 2

      Like put a transparent background in the secret window with "SECRET" printed diagonally across the window again and again?

    2. Re:Here's one problem.. by Coward+Anonymous · · Score: 1

      Not to mention the lowly cut & paste.
      A user could inadvertently (or maliciously) cut text from one VM window and paste in another VM window using the host system's clipboard.

    3. Re:Here's one problem.. by donglekey · · Score: 1

      Well, for one thing, I am sure they have thought of this and probably the VM does not even allow it. Second, workers of the NSA probably ARE the sharpest pencils in the box. Now patent workers and government employees of that nature? That's another story altogether.

      P.S. Why doesn't the government employee look out his window in the morning? So he'll have something to do later.

    4. Re:Here's one problem.. by SquadBoy · · Score: 3

      This is why when I was in the Air Farce we had removable HDs. One for classified and one for unclassified stuff. And of course all the various levels of secret. Where I had hands on with the system we had to take the network cable out but on that machine the network was not critical at that time. In any case my CO still got it wrong. This is a *very* bad idea in many ways.

      --

      Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
    5. Re:Here's one problem.. by Lizard_King · · Score: 1

      actually, it's not as easy as you think (thus timothy's question about copying between virtual machines). you would have to rely on a much more covert means of communication than a simple copy and paste. see this post.

      --
      "My mother never saw the irony in calling me a son-of-a-bitch." - Jack Nicholson
    6. Re:Here's one problem.. by thogard · · Score: 1

      There are B-rated computer systems that do not allow you to cut and paste between windows of decreasing security levels.

      Read the outdated Orange Book for more details.

      At higher security levels, the data packets must keep the access control list as well as the data.
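
Added example, not from the thread and not code from VMware, NetTop or any B-rated system: a clipboard guard that applies the rule thogard describes, namely that data may be pasted into a window at the same or a higher classification but never a lower one (the Bell-LaPadula "no write down" property), with the label carried on the clipboard item itself rather than inferred from whichever window happens to be active. The level names, the NOFORN compartment and the sample text are constructed for illustration and are not any agency's real scheme.

```python
"""Clipboard transfer guard for a multi-level workstation (added example).

Models the "no write down" rule: data may flow from a window at a lower
classification to a higher one, never the reverse. Each clipboard item
carries its label with it, so the check is made on the label attached to
the data, not on the window it was copied from at some earlier time.
Label names and compartments are illustrative only.
"""
from dataclasses import dataclass, field

# Hierarchical levels, lowest to highest (illustrative ordering).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """True if this label is at least as high as `other` in level and
        includes every compartment `other` carries (lattice ordering)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


@dataclass(frozen=True)
class ClipboardItem:
    text: str
    label: Label  # the label travels with the data


class TransferDenied(Exception):
    pass


def copy_from(window_label: Label, text: str) -> ClipboardItem:
    """Copying stamps the clipboard item with the source window's label."""
    return ClipboardItem(text, window_label)


def paste_into(item: ClipboardItem, window_label: Label) -> str:
    """Allow the paste only if the destination dominates the data's label
    (information flows up or sideways, never down)."""
    if not window_label.dominates(item.label):
        raise TransferDenied(
            f"paste of {item.label.level} data into {window_label.level} window")
    return item.text


def transfer_allowed(src: Label, dst: Label) -> bool:
    """Convenience predicate: may clipboard data move from src to dst?"""
    return dst.dominates(src)


if __name__ == "__main__":
    unclass = Label("UNCLASSIFIED")
    secret = Label("SECRET", frozenset({"NOFORN"}))
    item = copy_from(secret, "launch window: 0400Z")  # constructed sample text
    print(paste_into(item, Label("TOP SECRET", frozenset({"NOFORN"}))))  # allowed
    try:
        paste_into(item, unclass)
    except TransferDenied as e:
        print("blocked:", e)
```

In a VM-hosted setup the same check belongs in the host's clipboard broker, the one component that sees both sides; neither guest gets a say in it.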

    7. Re:Here's one problem.. by ocelotbob · · Score: 1

      I've had 2-3 computers at hand before, doing troubleshooting, playing with networks, etc, and I'd accidentally type on the wrong keyboard, causing the exact problem you just described. And I'd assume that you could do a similar thing with a virtual box such as this one, have a non-changeable color scheme set up so that they could see at a glance which system they were currently using; using a tan scheme for certain activities, a white scheme for others, for example.

      --

      Marxism is the opiate of dumbasses

    8. Re:Here's one problem.. by bigpat · · Score: 1

      Just having gotten a tour of a US aircraft carrier, the computers are tagged as either secure or unsecure. People can still physically put in a disk and copy what info they want to it and transfer it to a non secure computer.

      So the point is not to make it impossible to copy between systems, but to make a trained worker aware of what environment they are working in.

      there is no technological reason that the "air gapped" network needs to remain as long as the virtual spaces on the machine are kept visually different and idiot proof. Only cutting and pasting from secure workspace to non secure workspace and the like....
      Clients should still have separate network interfaces for secret vs. public networks.

  3. Securing by robbway · · Score: 2
    Securing a system of this type, even if 100% successful, requires it be locked up according to the highest security clearance it operates under. There's a really good chance there will still be two computers: one in the secure area, and one for e-mail, word processing, etc, because it requires a great big physical effort to get the whole system out.

    Therefore, this would only help a PC user that is always working under his highest security.

    ----------------------

  4. Re:Crack Proof? by el_chicano · · Score: 1
    If cocaine and crack weren't two different things, then yes.
    But they are the same thing. IANA chemist, but IIRC crack is simply cocaine with the hydrochloride removed...
    --
    You think being a MIB is all voodoo mind control? You should see the paperwork!
    --
    A man who wants nothing is invincible
  5. Colored computers? by Andy+Social · · Score: 1

    Um, I've been working with classified materials on computers for the past 12 years, and in all that time I've not once seen color-coded machines.

    We do have stickers on each machine, color-coded as well as with much verbiage, telling what level of material can be accessed on each machine. Hell, we've got classification stickers on Xerox machines! :-)

    --
    Illegitimi non carborundum
  6. DMS? by Andy+Social · · Score: 1

    You mean you've gotten DMS working? hehe

    We're still getting contradictory instructions ever couple days on how to interact with "normal" email addresses, and new registry patches get pushed out seemingly daily.

    Thank goodness I'm leaving next week.

    --
    Illegitimi non carborundum
  7. Re:This is the Orange Book, redux by leighklotz · · Score: 1

    As I remember it Multics went to insane lengths to get their rating -- first it was Mr. Secure Guy cannot set the system time because that would leak bits. Then it was weird stuff with trying to hide the paging behavior of Mr. Secure Guy from less secure people, since you could communicate bits down by paging in and out large amounts of memory and having someone at a less secure level monitor system resources. I can't remember how they camouflaged the paging behavior of the higher security levels, but it wasn't simple.

  8. Re:Sounds familiar by qnetter · · Score: 1

    By giving it direct access only to the virtualized MMU?

  9. VMware is simply not secure by jesup · · Score: 1

    Ignoring tricks/bugs that cause the machine to violate the partitioning, there are always other ways to get around VMware in theory. Data could be passed in display adapter memory, in "garbage" registers or memory, or you can even pass data between VMware/etc processes on a totally secure machine by having them affect task switch time (admittedly, this is a very low-bandwidth channel, but it does work).

  10. Only if the other machine can measure it. by jogbra · · Score: 1

    Why wouldn't they virtualize the resource measurement/allocation. Make it so that hardware resource measurement (disk I/O, processor, net I/O, etc.) is completely isolated between virtual machines.

    1. Re:Only if the other machine can measure it. by rgmoore · · Score: 2

      Because it undermines a lot of the advantages of having a single system. If you allocate each separate VM a fixed percentage of system resources, you also prevent one process from being able to access complete system resources if none of the other ones are using them. IOW, if you have 2 VMs on a system and each is allocated equal resources, you won't ever be able to go over 50% usage with a single process. Admittedly, that may be acceptable in a system where you have a small number of separate security compartments, but if you have 10 different compartments on a single machine, it's just not acceptable to restrict each of them to 10% or less of system resources at all times.

      In practice, it would probably be acceptable to go to a moderately coarse grained resource allocation scheme that would limit covert channel bandwidth (the secure computing guidelines suggest that any channel that can transmit data about as fast as a person can type is critical) and then audit any remaining channels. You may actually be better off letting people think they're getting away with something and catching them than shutting off something you know about and letting them find out about something you don't know about.

      --

      There's no point in questioning authority if you aren't going to listen to the answers.

  11. Re:Crack Proof? by naasking · · Score: 1

    Well, let's analyze this then:

    If you have some element with HCl as a constituent unit and then you remove the HCl, what happens? The two become chemically different. If two things are chemically different, then they are not the same.

    -----
    "People who bite the hand that feeds them usually lick the boot that kicks them"

  12. Re:Sounds familiar by qnetter · · Score: 1

    Sorry, wrong thread...

  13. Re:Crack is right by qnetter · · Score: 1

    How? How about the fact that the unclassified VM has access to the virtualized MMU, not the real one?

  15. Copy-Paste, Go to Jail by Dark+Coder · · Score: 1

    Like it's going to prevent security clearance worker from snip-snip, paste-paste.

  16. Re:Linux World by _Quinn · · Score: 1

    Sounds like S/390. :)

    -_Quinn

    --
    Reality Maintenance Group, Silver City Construction Co., Ltd.
  17. most excellent comment by JAK · · Score: 1
    I thought the best comment came at the end of the article. It confirms one of the fundamental advantages of open-source:
    In a nod to the open-source community, he said that--for the NSA's purposes--seeing the source code and testing its security is extremely important. "You wouldn't want to do it on Windows NT, because you know nothing about what is going on inside NT," he said.
  18. Re:Same CPU same RAM by tommck · · Score: 2

    I agree... there's still a single machine running a single operating system underneath it all... Crackers would just have to start getting familiar with the way VMWare handles processes. Or, if they're just after the data, just crack the host OS and grab data from there...

    --
    ---- It puts the lotion on its skin or else it gets the hose again. It does this whenever it's told.
  19. UML? by soybean · · Score: 1

    Why can't we do the same thing with User Mode Linux?

  20. No, dammit! by rkent · · Score: 2

    Crap! I don't want VMWare to set up barriers around my virtual machines; I'd like very much for them to interoperate smoothly!

    1. Re:No, dammit! by VirtualAdept · · Score: 1

      Uhm. Then presumably you'd get the version of VMWare that they *aren't* developing with the NSA for that specific purpose.

  21. same box, etc by moz25 · · Score: 1

    It's still the same machine.. plus, don't even start thinking about (sniffable?) network connections, keyboards, etc.

    IMO for complete security you want the physical boxes to be secure too...

    Moz.

    1. Re:same box, etc by jovlinger · · Score: 1

      Presumably they would have separate NICs. Since the insecure VM is still a VM, the host can also control the events it is able to sniff.

      Even timing attacks can be counteracted by introducing pseudorandom clock skew (a-la GPS) in the virtual machines. You just wouldn't be able to run any software that couldn't cope with the clock running backwards sometimes...

  22. Re:Maybe I am confused but... by yamla · · Score: 2
    This would indeed be a single point of failure if and only if the filesystem for the virtual machine is unencrypted. However, I would assume that they will be encrypting the filesystem.

    Then, you are left with penetrating the host filesystem and changing the vmware software. But of course, this isn't the point. You secure the host system from outside attack and then basically the only way the hackers can get in is through the guest operating systems. And these cannot talk to other guest systems.

    --

    Oceania has always been at war with Eastasia.
  23. Sounds like a dumb terminal concept to me by Mr.roboto · · Score: 1

    A bunch of computers connecting to the central computer to get their data/CPU power, vaguely similar. The critical thing is that they have good physical security of the lines that go to the server net, lest they get tapped into. Another idea might be to make dumb terminals with encrypted communications and connect those to the server. The day of huge centralized computers set up in such a manner was near ending I thought, but it may see a small revival in cases such as this. It may be possible to upgrade the ROM in a dumb terminal to handle an encrypted protocol, but it may be easier to design from the ground up I bet.

    --
    Don't call me crazy, that's what they called me back in the home!
  24. Chokepoints by maggard · · Score: 2
    As elaborate as the underlying software and systems might be it's all going to a video-buffer for presentation. Unless there's some technique I'm not aware of (and that's entirely likely) it seems to me that this would be an exploitable chokepoint.

    Grab whatever's in there and you've got a copy of what the user sees. Reprocess it and you've got the content a screen at a time. Get a trojan horse onto the less-secured side of the machine and you've got a window onto the more-secured side.

    Similar to how the US bugged Xerox machines (and yes they were Xerox-brand) in the Washington Soviet Embassy - put a mirror inside and simply duplicated everything.

    Is there any technique (that just-folks know) to encrypt/otherwise secure what's in a videocard yet still have it perform properly?

    --
    I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
  25. Re:Air Farce? by grappler · · Score: 2

    He said Air _Farce_

    A Farce is a charade, or pointless exercise in politics, or a drama played out in reality. For example, a high school student council.

    I like it the way it was originally.

    --
    Vidi, Vici, Veni
  26. All my dreams come true! by foreigninvasion · · Score: 2
    Guys, it's NSA INSANO WORLD and VMWARE INSANO WORLD

    Very important to the ZDnet article!!!!!!

  27. It just might work, with enough protection... by twivel · · Score: 1
    If the linux host operating system was completely secure, in that it ran no services and provided stateful firewalling on the network interface, it may be able to protect the data that resides on the disk (including the virtual disk of the guest OS). Encrypting the vmware virtual disk would help, but there are still ways to get at the data if they do gain access to the host operating system. They could either reverse-engineer the Vmware binary, they could try to grab the key out of the running vmware process, or they could even just access vmware's memory segment (or other kernel structures) directly to get the data. (not to mention offline brute-force attacks against the encrypted data). Anyway, keeping the host operating system secure is critical. I think they will be able to provide ample security to protect even their sensitive data if they do it right, though. Obviously, the host operating system would be behind the firewall anyway.

    --
    Twivel

  28. Do it for grade schools by bataras · · Score: 1

    I'd love to help my kids' grade school setup dumb X terminals connected to a big box that runs a vmware instance of windoze for each student who's logged in for a class. The collection of aging *shit* machines their school has is pathetic. Problem is I guess it would take such a huge monster linux box to run 30-50 simultaneous copies of vmware/windoze it wouldn't be practical

  29. Someone call Hillary and Jack! by Tackhead · · Score: 5
    > Will copying between virtual machines be impossible?

    I dunno, but if it is, someone'd better call RIAA and MPAA to let Ms. Rosen and Mr. Valenti know about it :)

  30. Is this the best way to do it? by MartinG · · Score: 2

    Sounds like a reasonable idea, but wouldn't usermode linux for example be better? It would give much the same results but without the virtualisation overhead. Also, it would not be restricted to x86.

    --
    -- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz .@adgimnoprstu
    1. Re:Is this the best way to do it? by epaulson · · Score: 1

      Depending on the application, UML may run worse than VMWare. I did a rough study of their performance, and system calls were usually roughly an order of magnitude slower under UML than they were under VMWare.

      Also, at the moment UML only runs on x86 as well, though in theory it's not hard to port.

    2. Re:Is this the best way to do it? by billcopc · · Score: 1

      Problem : at least here in Canada, the government standard OS is Windows, not Linux. They have a commercial Unix 9 (dunno which vendor) that runs a single app, everything else is Windows/Novell. Governments aren't exactly notorious for jumping onto every piece of experimental hackware.

      --
      -Billco, Fnarg.com
    3. Re:Is this the best way to do it? by err666 · · Score: 1

      Uh, last time I checked, UML only ran on x86. Also this restricts you to Linux, while a virtualized x86 computer (VMware) can run any OS a real machine can run.

      I am skeptical though whether it's possible to completely isolate the VM from the surrounding operating system. If somebody has control of the surrounding OS, (s)he can dump the memory anytime, so it's just a matter of cracking the encryption scheme of the VM's memory.

      Gerhard

      --
      reduce(lambda x,y:x+y,map(lambda x:chr(ord(x)^42),tuple('zS^BED\nX_FOY\x0b')))
    4. Re:Is this the best way to do it? by vox_gabrieli · · Score: 1

      I didn't realize that the NSA was researching on the behalf of the Canadian government.

  31. There is, of course, a moderately obvious problem: by Jester99 · · Score: 1

    As soon as a user has physical access to anything, they have the ability to do a lot more with it. If at any point the data travels through memory or wires unencrypted (highly possible) nothing prevents a recording device being attached at that point.... Furthermore, if special chips are added at points in order to encrypt the data as it goes over a wire (for instance, as data travels to the monitor, from the video card), nothing prevents that particular chip from being replaced... Even assuming that harddrive data is encrypted, drives can be removed and transplanted into a computer with less scruples, which could be set to work at cracking the encryption. Short of OTPs, every cryptography method is theoretically brute-force crackable. (And if users get careless, which is entirely possible, crypto-breakers may have an even easier time of it.) There's no such thing as perfect security. Then again, there's No Such Agency to worry about... :)

  32. big iron by zonker · · Score: 1
    it would seem that if you are going to emulate multiple systems on a single machine you are going to need some big iron to run it... course, what is tax money for anyway?


    / k.d / earth trickle / Monkeys vs. Robots Films /

  33. Re:VMWare firewall by AntiPasto · · Score: 2
    I had something like that as a side effect. VMWare was binding to the wrong adapter, and the virtual machine took over the IP lease from my cable provider. I guess theoretically you could run some MS-Dos NAT or the linux-firewall-on-a-floppy stuff... Could be nice... or at the very least confuse some black hats for a little bit.

    ----

  34. Re:Slow down... by CoderDevo · · Score: 1

    Or, Maybe the NSA is having a hard time keeping up with these new CPUs

    Yeah, right. Nobody has more experience with using fast CPUs than NSA. Besides, we don't generate more internet traffic because our CPUs are faster. It's because of the cheaper bandwidth available.

    Also note, this is for people who do work on both classified networks and non-classified networks. Do you know anybody who works on a classified network? It certainly isn't joe home user.

  35. secure, eh ? by paulbd · · Score: 1

    ... gain root access ...

    cat /proc/kcore > ~/my-copy-of-memory

    1. Re:secure, eh ? by Bistromat · · Score: 1

      sorry, won't work. the point of running virtual machines is that they're -not aware of each other-. there is always a mechanism involved to isolate the virtual machines so that a process running on one VM won't trash the entire mainframe should it start to trample memory.

      the -real- interesting part of hacking VM's, and the principal point of security, is virtual isolation. now, if someone could crack -that-... then the fun would begin.

      --nick

    2. Re:secure, eh ? by coolgeek · · Score: 1

      I believe he is talking about issuing the command in the host copy of Linux, that VMWare is running under.

      --

      cat /dev/null >sig
  36. Covert Channels - XTX/STOP by rasilon · · Score: 1

    Passing information by system utilisation is not a new concept. For instance the various versions of STOP, from Wang Federal, implement a form of jitter on resource reporting and quanta so that the noise is greater than the signal. You can be reasonably certain that the NSA are familiar with these techniques and how to circumvent them.

    1. Re:Covert Channels - XTX/STOP by rgmoore · · Score: 1

      Or you can design ways to monitor possible covert channels and alert computer security if something suspicious is going on. This should actually work pretty well together with various covert bandwidth reduction approaches. If you can reduce bandwidth to, say, 1 bit/second, it will take several minutes to send even the most trivial message covertly, and that should give you plenty of time to notify the bandwidth police to monitor the situation and stop it if something fishy is going on. And if you save all of your critical data as MS Word files, it will take all day to get through the endless Word headers and make it to the vital data ;-)

      --

      There's no point in questioning authority if you aren't going to listen to the answers.

    2. Re:Covert Channels - XTX/STOP by davet · · Score: 1

      Nice idea, too bad it doesn't work. All the noise would do is put an upper limit on the covert channel's bandwidth. The only way this method could work perfectly, is to return purely random values for any resource reported. (i.e. time(), etc.)

      What you have to do in this case, is determine just how much bandwidth you'll accept for a covert channel. 1-bit/second? 1-bit/hour? If it has to be zero, you need an air gap.
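
Added example, not from the thread and not from STOP, VMware or NetTop: a simulation of the resource-usage covert channel that jesup, rgmoore, rasilon and davet argue about. A sender in one VM signals each bit by loading or idling a shared resource; a receiver in another VM reads a resource metric once per slot; the host adds uniform jitter to that metric. The block shows davet's point in numbers: with the noise louder than the signal a single reading per bit is nearly useless, but averaging many readings per bit (repetition coding) gets the message through at a correspondingly lower bit rate, which is what rgmoore's "1 bit/second" budget is about. The 10 ms sampling slot, the signal amplitude, the jitter width and the message are all constructed; nothing here measures a real VM.

```python
"""Covert resource-usage channel under host-injected jitter (added example).

Sender: loads the resource (1) or idles (0) for a whole slot.
Receiver: reads an abstract metric each slot (think scheduler latency or
a reported utilisation figure) and thresholds the per-bit average.
Host: adds uniform noise to every reading. All constants are assumed.
"""
import random

SLOTS_PER_SECOND = 100      # assumed: metric can be sampled every 10 ms
SIGNAL = 1.0                # assumed metric delta caused by the sender's load
THRESHOLD = SIGNAL / 2      # receiver's decision boundary on the average


def text_to_bits(s: str) -> list[int]:
    """ASCII text to a list of bits, MSB first."""
    return [(b >> i) & 1 for b in s.encode() for i in range(7, -1, -1)]


def bits_to_text(bits: list[int]) -> str:
    """Inverse of text_to_bits; undecodable bytes are replaced, not dropped."""
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return out.decode(errors="replace")


def observed_metric(bit: int, jitter: float, rng: random.Random) -> float:
    """One slot as the receiver sees it: sender's signal plus host jitter
    drawn uniformly from [-jitter, +jitter]."""
    return bit * SIGNAL + rng.uniform(-jitter, jitter)


def transmit(bits, repetitions: int, jitter: float, seed: int = 1) -> list[int]:
    """Send each bit for `repetitions` slots; receiver averages and thresholds.
    The seed only makes the simulation reproducible."""
    rng = random.Random(seed)
    decoded = []
    for bit in bits:
        samples = [observed_metric(bit, jitter, rng) for _ in range(repetitions)]
        decoded.append(1 if sum(samples) / repetitions > THRESHOLD else 0)
    return decoded


def bit_error_rate(sent, received) -> float:
    return sum(a != b for a, b in zip(sent, received)) / len(sent)


def channel_rate_bps(repetitions: int) -> float:
    """Effective covert bandwidth once each bit costs `repetitions` slots."""
    return SLOTS_PER_SECOND / repetitions


def run(message: str, repetitions: int, jitter: float):
    """Returns (decoded text, bit error rate, effective bit/s)."""
    bits = text_to_bits(message)
    got = transmit(bits, repetitions, jitter)
    return bits_to_text(got), bit_error_rate(bits, got), channel_rate_bps(repetitions)


if __name__ == "__main__":
    msg = "launch codes"  # constructed sample message
    for reps in (1, 20, 200):
        text, ber, bps = run(msg, reps, jitter=2.0)
        print(f"{reps:4d} slots/bit: BER={ber:.2f}, rate={bps:5.1f} bit/s, got {text!r}")
```

With jitter of plus or minus 2 against a signal of 1, a single reading is wrong about 37% of the time; 200 readings per bit brings the per-bit error below anything that matters but also caps the channel at half a bit per second. That trade is the whole design question: the noise buys you a bandwidth ceiling to audit against, not silence.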

  38. Regulations would never allow it by //violentmac · · Score: 2

    I used to work computer security for the Air Force. I think this sort of thing would never be allowed.

    The amount of regulations that would have to be rewritten would be astounding. That (esp. versus the small cost {for the DOD loves to spend your tax money} of buying a separate computer) would keep that from ever happening.

    Plus you are talking about a new idea. The military thrives on the status quo. New ideas are implemented over many many years of missed deadlines (example {for mil guys} DMS).

    You wouldn't believe the paranoia that surrounds security around here. I can't stress enough, that would never ever happen.

    --
    --------

    get jiggy w/ ayn rand!

    1. Re:Regulations would never allow it by //violentmac · · Score: 1

      Specifically I was referring to the idea of having classified and unclassified material on the same computer.

      The DOD has the idea that once a device comes into ANY contact with classified information that device has been infected and must be "sanitized". They call this "remanence security" (sp?). Hell in the regs even a freaking monitor??!! has to be sanitized after it has had classified displayed on it.

      You aren't dealing with normal people here. This is the military. They are psychotic about classified shit, because lives (in theory) are at stake.

      --
      --------

      get jiggy w/ ayn rand!

    2. Re:Regulations would never allow it by coolgeek · · Score: 1

      Bottom line, the air-gap is a fail-safe mechanism. Removing it decreases the depth of the defense. Anyone is free to choose to ignore the basic principles of computer security, usually there is some type of price attached to such ignorance.

      --

      cat /dev/null >sig
  39. That won't change anything. by 7-Vodka · · Score: 1

    That won't change anything. The same silly security breaches would still plague them. In my opinion, the best way to ensure these stupid security breaches don't occur is to use a nix, and only hire people who know or learn something about computers.

    It's ridiculous to assume that an end user who can only use a simple (windows-like?) GUI will know anything about security.

    If I were in the position of improving the general level of security within government branches, I would:
    • Move every computer onto linux
    • Force every single employee to take computer/security/*nix classes before allowing them access to the institution's computers or issuing one
    • Start an R&D team of developers on developing GPL'd security tools as needed.
    • Install smart GPS hardware/software into laptops which can do things such as alert a central security office when a laptop leaves the building, goes into a disallowed area, is left unattended in an insecure area.

    That would be a good start.

    --

    Liberty.

  40. Copying between virtual machines trivial if... by fatphil · · Score: 1

    ... if they want it to be.
    What you need is a filesystem which is accessible from either/any virtual machine. There are cryptographic techniques so that any subset M (or more) from N passwords will permit decoding the data (see Schneier Applied Cryptography for how). Our case is effectively M=1, N=2. However, you're then in a state of having an idiot putting things on the shared filesystem rather than where it should go. In which case you'd need to impose some handling restrictions to prevent misuse. Enforcing these restrictions would be not 100% possible I'd guess, but little to do with humans is.
    The other idea would be that the shared area should only be accessible if you can prove that you have both keys. That limits the number of people who can access the shared area, and may impose a bottleneck.

    I'm sure anything's possible, it's just a simple matter of coding! (tongue in cheek, there :-))

    Phil
    -- Real Men Don't Use Porn. -- Morality In Media Billboards

    --
    Also FatPhil on SoylentNews, id 863
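
Added example, not from the thread and not from any product mentioned in it: the M-of-N key sharing fatphil points at, implemented as Shamir's threshold scheme over a prime field (the construction Schneier describes). The key protecting the shared area is the constant term of a random polynomial of degree M-1; each of the N key holders gets one point on it; any M points recover the key by Lagrange interpolation at zero, and M-1 points reveal nothing about it. The block goes a little beyond the comment's M=1, N=2 case to show the general M-of-N, because the two schemes in the comment are the same code with different thresholds: M=1 gives "either key opens it", M=N gives "you must prove you hold both keys". The field prime, the share count and the sample key are chosen for illustration.

```python
"""Shamir M-of-N sharing of a shared-area key (added example).

split(secret, m, n) -> n shares (x, y); recover(any m of them) -> secret.
Arithmetic is over GF(PRIME); the secret must be smaller than PRIME.
"""
import secrets

PRIME = 2**127 - 1  # assumed field: a Mersenne prime, room for a 126-bit key


def _eval_poly(coeffs, x: int) -> int:
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split(secret: int, m: int, n: int, rng=secrets) -> list[tuple[int, int]]:
    """Produce n shares of which any m reconstruct `secret`.
    `rng` needs a randbelow(k) method; the secrets module is the default."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret out of field range")
    # Degree m-1 polynomial with the secret as constant term and random
    # higher coefficients; share i is the point (i, f(i)), never x = 0.
    coeffs = [secret] + [rng.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover(shares) -> int:
    """Lagrange interpolation at x = 0 over the supplied (x, y) points.
    With fewer than m distinct shares this returns a field element that
    is unrelated to the secret; it does not raise."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


if __name__ == "__main__":
    KEY = 0x2b7e151628aed2a6abf7158809cf4f  # constructed 120-bit sample key

    # "Prove you hold both keys": M = N = 2, one share is worthless alone.
    both = split(KEY, 2, 2)
    print("2-of-2, both shares:", recover(both) == KEY)
    print("2-of-2, one share:  ", recover(both[:1]) == KEY)

    # "Either password opens it": M = 1, N = 2, every share is the key.
    either = split(KEY, 1, 2)
    print("1-of-2, first only: ", recover(either[:1]) == KEY)
    print("1-of-2, second only:", recover(either[1:]) == KEY)
```

The M=1 case is worth seeing because it is degenerate: with a constant polynomial every share is literally the key, so in practice you would wrap a data key under each password separately and keep Shamir for the thresholds where it actually buys something.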
  41. Douglas Adams would be proud by pezpunk · · Score: 2
    the whole POINT is that there's a PHYSICAL distance between the computers, so no possible bug could allow unauthorized access...

    sheesh, it's like that Douglas Adams book Mostly Harmless where, in order to get around all the inconveniences of tight security, people carry around small credit cards with their mothers maiden name, fingerprints, retinal prints, dna pattern, etc etc holographically encoded.

    --
    i could live a little longer in this prison
  42. Woops.. by djocyko · · Score: 2
    Uh, Mr President, it seems China just got hold of our missile launch codes. Apparently one of our staff was using AOL Messenger on his insecure virtual computer and while cutting and pasting codes on his secure VM, an IM blinked up without him knowing it and he pasted and pressed enter before noticing the window. It turns out that with the disallowment of computer speakers in the office, it's impossible to predict this scenario occurring.

    And what's worse, since he was using cut-paste, he lost the code once he closed the window, clearly not a very lucid move, and now we can not change the launch code without the old one. Isn't that a bummer?

  43. Re:Crack Proof? by flafish · · Score: 1

    Honeypot or a way of getting into everybody's machines? The NSA ( or its military branches ) is not stupid. If they can convince somebody to run their version of some software, what makes you think it is crackproof from them ( NSA )?

  44. Re:Will never be used in practice by mperrin · · Score: 1
    Agreed. I worked for the NSA several years ago, and the importance of the air gap was paramount. I don't see how they can possibly be thinking of getting rid of that.

    Even assuming that you have one physical machine running n independent virtual machines which are absolutely and utterly independent of each other (note that I don't think this is actually possible, I'm saying just assume that it is), there remains the problem of getting information in and out of the box. As it stands, you've got separate ethernet cables, routers, the whole nine yards for the outside internet and the classified intranets. With VMWare, would you be running that over one physical network? I suppose you could try to tunnel the secure box's connections over the unsecure ethernet, but that just seems to me like you're asking for trouble.

    Basically, it boils down to, with two networks and an air gap, you know you're secure as much as is humanly possible. The moment you start running all your data over one pipe, you open yourself up to all sorts of trouble, with intercepted connections, eavesdropping, and all that. I can't ever see this sort of thing being approved by the people in charge of security, no matter how much the cost-cutters beg.

  45. Re:Air Farce? by flafish · · Score: 1

    For people in the other branches of the US military it has always been known as the Air Farce. It's been called part of the Disney Company also because they have a Mickey Mouse (Goofy) way of doing things.

  46. Sounds like good ol' VM/370 from IBM by Ocelot+Wreak · · Score: 1

    VMware's software is just another implementation of IBM's original "VM/370" resource manager OS from the 1970's. Back in the 1970's, we ran intelligence systems under IBM's VM/370 Virtual Machine architecture for the same reasons. Worked great security-wise, as long as you didn't then connect your mainframe to the outside world... IBM recently demoed (Slashdotted too as I recall?) 45,000 separate copies of Linux running in separate virtual machines on one mainframe using their VM OS.

    --
    "I figure you're here 'cause you need some whacko who's willing to stick his finger in the fan. So who are we helping?
  47. Don't they share the same hardware & host OS? by debaere · · Score: 1

    Correct me if I am wrong, but it seems that multiple virtual machines still share the same hardware (hence, memory space, hard drives) and same host OS. Seems to me that an exploit could still target the host which would allow access to the memory spaces on both virtual machines... then you're back to square one...

    --

    DOS is dead, and no one cares...
    If there's a Bourne Shell, I'll see you there
  48. Re:Crack Proof? by bpowell423 · · Score: 1

    I agree. As long as there is connected hardware, somebody will figure out how to get at it. And even if the VM's are completely isolated and unbreakable (doubtful), aren't they talking down the same NIC? C'mon, NSA can't believe that nobody will ever crack that, can they? I thought these were the people of Faraday cages, white-noise on the windows, etc. Now they're going to throw their most secret data onto one big happy ethernet with Sue's email from her Mom? Sounds like a honeypot to me.

  49. Maybe I'm REALLY confused... by somethingwicked · · Score: 1
    Feel free to tell me if I'm mad wrong...

    Doesn't that mean that each individual client has a key to the one single file that is the single point of failure? So, getting a backup of even just a client would be a start to reversing the encryption.

    I'm sure I'm over simplifying this, but it's a job requirement in the real world...

    --

    ---"What did I say that sounded like 'Tell me about your day?'"---

    1. Re:Maybe I'm REALLY confused... by yamla · · Score: 1

      Client as in person or client as in virtual machine? The key would be stored in the brain, not in the machine. Sure, there are single points of failure here, but there are under the current implementation.

      --

      Oceania has always been at war with Eastasia.
    2. Re:Maybe I'm REALLY confused... by jovlinger · · Score: 2

      This is a really good point; if the image from a running secure VM is captured, it will necessarily have any session keys in its memory.

      However, these session keys are not the same as the (presumably) strong master key used to generate them. Many programs (such as PGP) go to great lengths to destroy the memory-representation of my master key after it is no longer needed -- though this is mainly to avoid it being swapped to disk.

      Other workarounds are keeping the master keys in hardware -- the NIC or in one of the IBM hardware locks. Neither of these are part of the VM state, but rather the base hardware, so they wouldn't be represented in the secure VM.

      Another idea would be to have the Host do these as a trap -- have the secure VM think it's running on hardware with a de/encryption primitive instruction. This instruction is trapped by the VMWare and executed by the host operating system.

      In this last case, compromising the host would imply key loss; this is not necessarily the case in the hardware scenario.

  50. PIB = Penguin in Black by Vodak · · Score: 1

    I know the NSA looks to be doing good work with Linux but I just can't trust an agency that's so damn big brotherish to the point we don't know anything really about them.

  51. Will never be used in practice by hawkstone · · Score: 3

    I work for a national laboratory where we have two separate networks: one for unclassified, one for classified. We use an air gap to separate the two networks. The classified one has no connection to the outside world, and the only way to get information to the classified net is through tape and sneakernet, and the only people who have access to do this are subject to polygraphs. In fact, for those of us who have classified and unclassified computers in our office, the network cables must be separated by 6 inches (15cm), and this is actually audited by computer security folks. There are so many rules in place, we even have classified keyboards -- you cannot hook a keyboard up to an unclassified computer that has been contaminated by being connected to a classified one. The hardest part about this is that you cannot have classified and unclassified data on the same hard drive. The point is, there are so many rules in place designed to prevent this, no other government agencies but the NSA would ever consider this. We would rather pay twice for two separate sets of computers and networks.

    1. Re:Will never be used in practice by garbuck · · Score: 1
      we even have classified keyboards -- you cannot hook a keyboard up to an unclassified computer that has been contaminated by being connected to a classified one.

      Here is an example of why they worry about keyboards :).

    2. Re:Will never be used in practice by aburnsio.com · · Score: 2
      It's not just in national labs and defense work; key financial networks also use a similar strategy. Take Fedwire, for example, the network that transmits enormous quantities of money electronically every day. The network connections have special nodes with plastic coverings that are designed to corrode the chips if you ever try to open them. The nodes are accessed through sneakernet at banks.

      Fortunately, (The Matrix aside), it's still harder for crackers to break the electronic barrier than the physical barrier.

  52. I don't get it... by Xibby · · Score: 1

    From what I read, there are different physical networks for different security clearances. As a result, a computer in the classified class can't access info in lower clearance levels, so the worker needs a different computer for each clearance level. How does that make sense? So here I am writing a top secret document that references a few sensitive documents and a top-secret document. To properly reference the document in this system, I would have to physically switch to a different computer.

    Their security just seems flawed, and this solution isn't a fix. I'm sure they have reasons for doing so (probably classified reasons), but what about using different NICs for the different networks (hey, a Quad ethernet adapter or two and you would be set) or just get one and use IP Aliasing? Why use separate networks at all? Different servers for each level of access, with strict control over who can access the info from where, and strong encryption, and you have a perhaps better solution.

    If anyone can figure out their security model and reasons behind it, please enlighten the rest of us. :)

    --
    I'm going to go back in my box and will think within the limits of my box: MS Sucks Linux Good I read too much Slashdot.
  53. ...nothing is certain in security... by capoccia · · Score: 1

    I think this one phrase from the "Makes sense" section pretty much sums up the problem.

    I hope the NSA takes their time in evaluating VMWare's stuff. Right now, they have a working system. Is it really worth it to throw this system out in favor of an unproven technology?

    I am not saying VMWare is unproven technology, but merely this new use for the product. Again, from the article, "the current VMware technology is not up to a level of assurance necessary for this."

    Of course an obvious point is that there is no such thing as "Crackproof Computing." No matter how good this product becomes, there will always be a chance that there are remaining security holes. It may be a while before this risk is at an acceptable level for the NSA.

  54. Re:Hmmm... by jamesbulman · · Score: 1

    I think we started at one extreme (completely centralized mainframes) and swung to the other extreme (completely independent PCs), and now we're settling in a happy medium. People do not want to go back to having dumb terminals or thin clients; there are still too many things which can't be done well over the wire.

    Witness the failure of Sun's Java station and Larry Ellison's net PC concept.

    There is a place for both distributed and centralized setups, but for the majority of people having a compromise works well.

  55. Remember VM/370 by Hodag · · Score: 1
    Back in the early 1970s, the CIA used IBM's VM/370 operating system for secure computing inside the agency. Like the VMWare product, VM/370 creates a virtual machine on which you can run an operating system designed to run on a real machine.

    The advantage of this approach comes from the precision with which machine architectures are specified, and the very limited number of communication paths available between machines.

    IBM also did some work with VM/370 where they completely virtualized the clocks on the system. While they did this project to allow benchmarking hardware that had not yet been built, the same facility can be used to greatly reduce the bandwidth of covert channels between virtual machines.

    If the VMWare system has these features, it may well be a B level system, and be approved for the kind of multi-level security application described.

  56. What about hardware malfunctions by quickcasey · · Score: 1
    This approach can never be trusted. You can't have data of different security levels on the same media, circuitry, network, ..., whatever. Even if you could create secure software - yeah right - this would not protect against a hardware malfunction. Any number of failures could cause secure data to be available at a lower level. Something as simple as scraped wires touching, or a staple shorting two contacts, could echo data into a different virtual machine. Of course such a "malfunction" could be introduced by any person with physical access to any part of the system/network that "sees" this data.

    Ken

  57. Re:What? by Type-R · · Score: 1

    Heh, except of course you can't run *any* operating system. They've taken a few shortcuts that mean you can't boot unsupported OS's in many cases. (For example OS/2).

  58. I disagree by Global-Lightning · · Score: 2

    I work in a particular five-sided building in Arlington, VA. Part of my job involves tracking down classified information that has been leaked onto uncleared computers and networks and 'sanitizing' them (degaussers are my friend). If I could have one wish in this world, it would be to rip every 3.5" floppy drive out of every computer rated 'Secret' and above.

    Computers are very good at blindly following instructions. Humans, however, tend to suffer from problems such as laziness, ignorance, contempt, or outright disregard for the rules (and in the worst cases, greed...). No one has ever heard of a computer that decided to disregard its programming. Every case I have worked began with human error.
    By their very nature, computers can't break the rules, but humans definitely do.

    As for the hard drive issue, I see two solutions:
    1. Have a single drive for the entire machine, and the classified Virtual Machines (VMs) would operate with an encrypted file and swap space. Modify the OS so that unencrypted info can exist only in volatile RAM (I believe OpenBSD already does this).

    2. Run at least two hard drives, one for the host OS and unclassified VMs, the other encrypted for the classified VMs. This would be easier to conform with existing regulations on classified handling and storage.

    1. Re:I disagree by irish_spic · · Score: 1

      You forget about physical 'tempest' requirements.
      If your monitor or other device/connector is not properly shielded, someone can detect the signal, sync it and display it remotely. Therefore, the whole system has to be in a secure area; negating some of the savings mentioned in the original article.

      --
      A truth that's told with bad intent, Beats all the lies you can invent. -- William Blake
  59. C'mon by DerMarlboro · · Score: 2

    What about cut and paste? Screen grabs?

  60. Crack proof? Yeah, right... by Noryungi · · Score: 2

    I really don't think this would work. Even if VMWare runs a multiple emulation layer straight from the hardware, this would still require strong crypto to protect data saved to disk.
    Then again, multiple virtual machines and strong crypto would not protect against the type of small keyboard sniffers that the FBI (and other intelligence agencies) supposedly already have -- the kind that connects directly on your keyboard and stores everything that is typed.
    Finally, I am almost certain that someone could come up with a virus that would infect one VMWare layer (think Win9x here) and would do the same password-gathering. With the right drivers, one can even imagine a virus/trojan horse mounting other filesystems and discreetly searching for interesting files and data.
    In short, I really don't think this has any chance to work. Memo to NSA: use OpenBSD or your own (reinforced) version of Linux with ultra-strong crypto -- you'll run fewer risks this way.
    After all, what's the point of emulating (slowly) multiple operating systems, when it's probably much faster to port all the tools users need to one "set" of platforms (Unix?).
    Just my $0.02. I am not sure this rant makes sense.

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    1. Re:Crack proof? Yeah, right... by Dwonis · · Score: 1

      MY Memo to NSA: Get a bunch of people together and get them to design the entire system from scratch, and threaten to and do kill coders who get lazy and write weak software.
      --------
      Genius dies of the same blow that destroys liberty.

  61. Can you Imagine a... by AbraCadaver · · Score: 1

    Ok, so I won't say it :) Seriously, though, there are some problems with this kind of technology:

    1) You may have several "secure" virtual machines, but what if the OTHER non-secure VMs are compromised, and are set to crack/infiltrate your secure VMs? You'd have crackers beating down your door, and they wouldn't even necessarily have to be pounding on some port...

    2) Unless you are doing SMP and have OTHER processors to split amongst these tasks, wouldn't several VMs on one machine slow the piss out of it, even with all the speed advances in processors, etc.?

    3) Unless the "task-switching" mechanism is built into the hardware, and the data for it are taken from some type of ROM, you're risking the chance of one process getting under that very task-switching mechanism, like we used to do with tunneling interrupts, to get in UNDER the interrupt and get our routine called before/instead of the one that was intended. Afterward, the switching would be compromised, yielding the possibility of nabbing "secure" data, or maybe giving a bogus VM false secure status, or how about even giving certain VMs a higher execution priority: you have a remote connection to a machine running your VM in addition to 7 others. You all are allotted an equal slice of time, but since you've "(task)switch-tunneled", you give your machine 75 percent of the allotted time, and leave the other poor bastards to fight over the remaining 25 percent. Apply that to a shared-resource business idea... Hmmm... wonder if that would help my frag count...

  62. How about terminal sessions instead? by forkboy · · Score: 1

    If they INSIST on being able to access their highly sensitive systems from an unsecured box, wouldn't they be better off using either A) an encrypted X-session or B) an encrypted Citrix / Terminal Server session?

    Think about it...a virtual machine is still going to have access to RAM, ports, etc. Not to mention they're probably going to have each virtual machine running on private IP space over the same wire...that can be sniffed as well.

    A central server that each person accesses through an encrypted link allows for secure network traffic, a central repository of the data in question, and allows for ACL's restricting which computers can even access it.

    Sometimes the most elegant solution isn't the most complex one.

    Sure there are still risks associated, like hardware keystroke loggers, shoulder surfing, and shit like that, but that's a risk regardless, and I hope the DoD has measures in place to reduce physical security risks.

    --
    This message brought to you by the Council of People Who Are Sick of Seeing More People.
  63. this is funny by cr@ckwhore · · Score: 1

    I find humor in the fact that many so-called "technology" companies these days are touting old technology as the wave of the future. Perhaps computing in general is coming full circle... it started with large, "virtual computer" type systems that are gloriously known as "mainframes"... then, computing progressed to the PC with each his own, and now, somehow, combining computing back into a centralized mainframe layout is somehow revolutionary?

    I think I'll invent "floppy" disks, and tout them as the future because one could fold up his data and carry it in his pocket.

    --
    Skiers and Riders -- http://www.snowjournal.com
  64. cool idea , but.... by brad3378 · · Score: 1

    A lot of these guys run dual platforms.
    (i.e. a Windows P.C. and a Solaris Sparcstation).

    It would be very interesting if VMWare could emulate other platforms such as running IRIX or HPUX on intel based hardware.

    Regardless, I'll definitely be keeping my eye on this company!

    --

  65. Re:Depends what you talk to by ocelotbob · · Score: 1

    It's actually pretty easy to virtualize the peripherals, probably even easier than virtualizing the bios. It's running under linux, so all you have to do is set up each job as a different user, and place them in groups so that they can access only their specific hardware, thus Joe Datagrabber's boss can have /dev/ttyS0 set up to only allow access from the virtual windows box. Standard stuff here, and any job trying to access a part they're not supposed to will get an access denied message.

    --

    Marxism is the opiate of dumbasses

  66. This is the Orange Book, redux by davecb · · Score: 4

    Once upon a time, the U.S. government wrote a set of specifications for multi-level secure computers, called the orange book. This worked pretty well for mainframes: Multics was rated B2, and was on the 'net as dockmaster.mil.

    It was a bit clunky, but had been continuously updated over time, so I still have a machine running Trusted Solaris 7 in my basement.

    It's arguably the same task to do this sort of thing with a virtual machine monitor as it is with a security monitor: both create trusted computing bases, which enforce the security rules.

    It would look almost exactly like an unmodified system, with optional colored bars on the windows indicating the security level and subject matter that was displayed there.

    The rules the TCB would enforce are things like "thou shalt not copy from higher security down to lower security", so the TCB gets asked if it should allow a top-secret cut buffer to be pasted into a merely restricted document.

    The Trusted Computing Base (the VMM) gets to say no, and so refuses to allow mapping of that page. The X server gets a -1 return code and errno=NOWAYJOSE, so it then pops up a "sorry, that was a security breach" message... which is exactly what my TS system does when I klutz and try to copy stuff from my confidential files into my unclassified email!

    --
    davecb@spamcop.net
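One way to express the TCB rule davecb describes (a labelled cut buffer that refuses a paste into a window whose label does not dominate the source), as an added example that is not part of the original thread or of any VMware or NSA code; the level ordering, the compartment names, and the clipboard/audit API are assumptions made for the example:

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple

# Hierarchical sensitivity levels, lowest to highest. This ordering is an
# assumption made for the example, not taken from the NetTop article.
LEVELS = ("unclassified", "restricted", "confidential", "secret", "top secret")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A security label: one hierarchical level plus a set of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.level not in RANK:
            raise ValueError(f"unknown level: {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """True if data labelled `other` may flow into something labelled `self`.

        Flow is permitted only upward in the lattice: same-or-higher level AND
        a superset of compartments. Anything else is the "copy from higher
        security down to lower security" that the TCB must refuse.
        """
        return (RANK[self.level] >= RANK[other.level]
                and self.compartments >= other.compartments)

    def __str__(self) -> str:
        comps = "/".join(sorted(self.compartments))
        return f"{self.level}{'/' + comps if comps else ''}"


class SecurityViolation(PermissionError):
    """Raised when a paste would move data to a label that does not dominate its source."""


@dataclass
class MediatedClipboard:
    """The cut buffer as a labelled object that the TCB mediates.

    Windows (or VMs) are identified only by their label; the hypothetical
    audit log records every decision so a security officer can review them.
    """
    content: str = ""
    label: Label = Label("unclassified")
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def copy(self, text: str, source: Label) -> None:
        """Copying stamps the buffer with the label of the window it came from."""
        self.content, self.label = text, source
        self.audit.append(("copy", str(source), str(source), "allowed"))

    def paste(self, target: Label) -> str:
        """Paste is allowed only if the target window's label dominates the buffer's."""
        allowed = target.dominates(self.label)
        self.audit.append(("paste", str(self.label), str(target),
                           "allowed" if allowed else "denied"))
        if not allowed:
            # The equivalent of the -1 / "sorry, that was a security breach" path.
            raise SecurityViolation(
                f"paste from {self.label} into {target} would be a write-down")
        return self.content


def main() -> None:
    cb = MediatedClipboard()
    cb.copy("deployment plan", Label("top secret"))
    try:
        cb.paste(Label("restricted"))            # write-down: refused
    except SecurityViolation as exc:
        print("refused:", exc)
    cb.copy("lunch menu", Label("restricted"))
    print("pasted:", cb.paste(Label("top secret")))  # write-up: fine
    for entry in cb.audit:
        print(entry)


if __name__ == "__main__":
    main()
```

Compartments make the check a lattice rather than a simple ladder: a "secret" window cannot receive a "secret/crypto" buffer, and neither can a "top secret" window that lacks the crypto compartment.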
  67. Re:Slow down... by Webmonger · · Score: 2

    It doesn't. You'd need an x86 emulator too.

  68. Re:I submitted this story a day ago. by PKI+Champion · · Score: 1

    I submitted the same story a couple hours before your time and it was also rejected. I wonder why? Perhaps they had to get NSA approval to post the story.....

  69. Wouldn't it be easier by tie_guy_matt · · Score: 1

    To just give everyone two computers? Computers aren't that expensive. Most people I know who do classified work on their computer have a jaz drive that they can boot off of. They pull the network cable, and the hard drive (which is usually on a removable mount), stick the jaz drive in and boot off of it. Seems to work reasonably well; after all, how often do you have to do classified and unclassified stuff at the same time? The only way you can be 100% sure this won't be cracked is to in fact get two computers.

  70. Must be interesting by Iron+Webmaster · · Score: 1

    Windows and linux can't talk to each other? Where have I been?

  71. X Terminal by RottenApple · · Score: 1

    Well, "main process runs on server. To reduce load on server, GUI runs on client" would be
    better. And it's the X terminal.

    And here in Korea, on the Windows platform, there are already products of that kind.

    The idea is not new. And for PC server hardware, I don't think it gives good performance.

    5th floor in this building, there is a network lab. And they use their Dell server that way.
    Performance? Is not as good as stand-alone PC.
    Even for doing paper work.
    Server should be very very very powerful because the numbers of users could be high.

    1. Re:X Terminal by Meorah · · Score: 1

      Performance on a decent server shouldn't be relative, since most terminal sessions require so few resources to run. As for performance, YOU'RE RUNNING THE SESSION OFF A SERVER INSTEAD OF A LOCAL PC! The only thing slowing it down could be a slow protocol or slow network connection. I'm sure the NSA can afford a few high-end servers and some gigabit ethernet drops.

      Additionally, I'm sure there are a lot of functional government machines that are probably pentium 200s or slower, with other crap hardware components. In those cases, they will notice a large improvement in performance when acting as a dumb terminal.

      Of course, this is all assuming they're using the "locked down" server-based model for their top SEEKRIT data, and their "open" local client model for their other data. And I'm just not buying that, even with high encryption from client NIC to server NIC.

      --
      Protector of Capitalist views,
      Meorah
  72. ... and rightly so -- proven impossible to secure by renehollan · · Score: 2
    Consider a secure process that modulates use of swap space. This affects the running performance of other, non-secure processes. Measuring your own running performance allows you to use such a method for inter (secure to non-secure) process communication.

    Basically, ANY time you share a resource, you can monitor how others use it. The CPU is such a resource.

    --
    You could've hired me.
  73. What about the guest's disk image? by eap · · Score: 1

    Won't the guest's disk image still have to be accessible from the host's file system? If this is the case, wouldn't it be as simple as saying cp secure.img unsecure.location?

    The only solution I could see would be encrypting the guest image, but this is still insecure.

  74. thinking about this.. by wildephyre · · Score: 1

    now...they go along with this..the disk slices for each of the virtual machines are sitting on the platform, i'm assuming that at least. Is there not a chance of someone/thing copying those slices off, and loading them up in vmware on a separate machine and then have access directly to the very "sensitive" material that they're trying to protect? The thought really isn't much different than say, the cia director who kept classified info on a non classified computer, this just isn't copying the individual files, this is copying the whole disk slice.

  75. VMS by mallsop · · Score: 1

    Why don't they just take a step backward and get a mainframe?

    --

    Moving at the speed of government.
    1. Re:VMS by Doctor+Memory · · Score: 1

      ISTR there was a project to do this exact same thing (for exactly the same reasons) at DEC's Western Research Lab back in the mid-80s. They virtualized the VAX CPU and ran multiple copies of VMS inside a 'supervisor' version of VMS.

      --
      Just junk food for thought...
  76. Re:Maybe I am confused but... by jovlinger · · Score: 3

    The point is that you have 3 systems running:


                 Host
                /    \
           inter-     intra-
           net VM     net VM


    If you compromise the internet VM (which we assume can happen -- this is why they are currently different machines, physically) this doesn't necessarily give you any means to access the meta level Host computer.

    If that were possible, then yes, the attacker could compromise the supposedly secure intra-net VM (NB: copying its state would only give you a snapshot -- it would be much better just to relay all of its communication traffic to the internet).

    So now we need to prove that it is impossible to get access to the meta level from the internet. This comes immediately from the virtualisation requirements -- each hosted OS has no way of realising it isn't running on the base hardware.
    Even if we are not able to prove this, the fact that the internet connected machine is virtual gives us the ability to snapshot its state at a fully booted uncompromised point in time; in order to make cracking it hard, we can just kill the entire machine every 5 minutes and reinstate the snapshotted version. Any attacker now has to crack not only the inter-net VM, but also the Host machine in 5 minutes.

    However, this all assumes a trusted user. If the user has the ability to do screen captures from the intra-net VM, they could then conveniently send these via the inter-net VM.

  77. Re:Bollocks. by Carnivore · · Score: 1

    yeah... I mean, the article seems to talk about desk space and clutter.. why not just use rackmount systems and a KVM switch?
    The only thing I can think is that cabling would be nasty, but who cares?

  78. Wow...I can see the Drug Lords and Dons... by GeneralEmergency · · Score: 1

    ..lining up to buy theirs now.

    But then...maybe that's the real plan here.

    The Sig below has been sacked and I am currently accepting applications for a new one. - GeneralEmergency

    --
    "A microprocessor... is a terrible thing to waste." --
    GeneralEmergency
  79. Re:Crack Proof? by naasking · · Score: 1

    If cocaine and crack weren't two different things, then yes.

    -----
    "People who bite the hand that feeds them usually lick the boot that kicks them"

  80. Re:Same CPU same RAM by coolgeek · · Score: 1

    Or some type of boot sector virus. Lock the host copy of Linux into its own VM (plex86, anyone?) and then you've got all the cards. Granted, something like this is definitely not your average 600 line assembler program.

    --

    cat /dev/null >sig
  81. NSAkey by Picass0 · · Score: 1

    I remember how the shit hit the fan when everyone thought the NSA had a backdoor built into Windows, but nobody finds anything alarming here. Do we really believe the NSA are acting like white hats and acting to make Linux and BSD more secure by contributing NSA code?

    The only people I trust less with my computer than Microsoft is the U.S. Government.

  82. BSODs on top of VMware by Cato · · Score: 2

    Windows has been known to crash on VMware running on Linux, but I can assure you VMware does not exit - it just displays the BSOD in the same way a non-virtual PC would.

    In some ways, Windows on VMware is actually more stable than Windows on real hardware, largely because VMware emulates hardware that has well proven drivers.

  83. VMWare firewall by smartin · · Score: 1

    I've always wondered whether a machine running VMWare would make a good firewall. You could run a really stripped down virtual machine that controls access to the outside ethernet interface and mediates access to the host OS.

    --
    The difference between Canada and the USA is that in Canada healthcare is a right and gun ownership is a privilege.
    1. Re:VMWare firewall by DennisZeMenace · · Score: 1
      I think it would, and one of the interesting VMWare features here is that you could set up your virtual firewall to use a non-persistent disk (the disk is writable, and it appears as though things are saved to the virtual disk, but it's only cached in memory and the actual disk file is unchanged).

      That means that even if it's broken into, you can thrash the virtual disk all you want, nothing is damaged, and the entire virtual firewall can be restored by clicking on a button, in a matter of seconds.

  84. Slow down... by whydna · · Score: 3

    Or, Maybe the NSA is having a hard time keeping up with these new CPUs and they can't process all the information about us that they want to. So really this is just a big ploy for us to install VMWare and /really/ have things slow to a creep... And hell, what's better than one instance of VMWare running... two or three!!! hell yeah!!

    -Andy

  85. VMWare anecdote. by jcr · · Score: 2

    One friend of mine replaced 21 machines running web apps on NT with three of the same machines running multiple instances of NT under Linux.

    The NT systems typically crashed every 5 hours. The first band-aid solution was to make one machine reboot all the others every 4 hours. Under VMWare, the NT apps still crashed, but they could be restarted from a memory image file in about 15 seconds instead of 5+ minutes.

    If for some bizarre reason I ever needed an NT sysadmin, I'd hire the guy who was carrying a VMWare disk in his briefcase.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
  86. Doesn't matter... by >:^D · · Score: 1

    ...WHAT hardware is running VMWare. It is DOG slow. Now, if only Win4Lin could do DirectX :)

    >:^D

  87. Not possible, sorry by The+Man · · Score: 2

    1. Become root (choose your favourite exploit).
    2. insmod fuck-vmware.o
    3. Proceed to read and/or write all the address space your heart desires.

    The entire idea is ridiculous. Nothing can be as secure as having separate networks, except not having secrets.

    1. Re:Not possible, sorry by Dwonis · · Score: 1

      Uh how about this:
      1. Become root
      2. Do whatever you want with /dev/mem
      --------
      Genius dies of the same blow that destroys liberty.

  88. Crack Proof? by WindowsTroll · · Score: 2

    If the history of computer security has taught us anything, it has taught us that there is no software that is crackproof.

    --
    "Microsoft has made computing accessible to a population who would otherwise not be able to use computers" - B. Kernigha
    1. Re:Crack Proof? by Dwonis · · Score: 1

      No, it has taught us that most programmers are too lazy to write crackproof code. The computer hardware does what it is told. We're telling it the wrong things.
      --------
      Genius dies of the same blow that destroys liberty.

  89. crackproof is impossible by typical+geek · · Score: 1

    I know, I've worked on a software hotline, and as long as those customers can get $3 crack on the street corner, they'll be messing with the software.

  90. Hmmm... by Anonymous Coward · · Score: 2

    First, there were centralized mainframes and user terminals for people to run apps and data through.

    Then there were PC's where everyone had their own "little mainframe."

    Now I'm seeing a trend back towards centralized computers. It started with client/server, and now this from the boys and girls at the NSA.

    Can you say "pendulum swings?"

  91. 1. They're a govt org. 2. THEY'RE THE NSA!!! by Meorah · · Score: 1

    They can do whatever the hell they want. Mostly because no one can stop them... but to you and me, "because its a matter of national security."

    --
    Protector of Capitalist views,
    Meorah
  92. So naive! by danFL-NERaves · · Score: 1
    I just couldn't believe the naivete of this article.

    First, being able to run files in separate memory spaces and as discrete units in no way confers the kind of security NSA must establish. I could see this running on very low security systems (unclassified and classified secret) with strong operational security. But no matter how strong VMWare's virtual machine technology is, if data can be written to disk by the VMWare session it could be recovered by another VMWare session on the machine. Just the theoretical possibility of that occurring rules it out of being used for most classified data types.

    Second, this 'Professor of Digital Forensics Investigation Fred Cohen' needs to go learn a little about NSA's requirements for C2 security classification. Microsoft MUST provide source code for review to achieve C2. Microsoft has achieved C2 for NT 3.5 and NT4. Therefore the NSA DOES know "what is going on inside NT".

    Dan

    1. Re:So naive! by __aakpxi9117 · · Score: 1

      Windows got C2 huh? Can't help but wonder what OpenBSD would get!

  93. Re:Covert Channels by SEWilco · · Score: 1
    Indeed, any shared resource including CPU usage can be measured by something else on the same hardware.

    Or someone with access to that hardware can accomplish copying through other means -- looped back serial ports, feeding video image to a machine with video capture card, making beeps and listening to them...

  94. Re:Um, biggest security risk is REMOVABLE MEDIA! by sqlrob · · Score: 1

    But if the "secure" box (virtual session) doesn't have access to executables or removable devices, how is the average user going to screw up the secure area?

    I don't see how many executables (if it is possible, at least without a boot disk) to access the secure session from a non-secure one

  95. VirtualPC API by LordNimon · · Score: 2
    VirtualPC is a PC emulator for Macs. It emulates an entire PC, including the BIOS and peripherals, so that you can run pretty much any OS (including OS/2, which VMWare doesn't support).

    The reason I bring this up is because VirtualPC includes an API that lets Windows "see" your Mac hard drives and vice-versa. The API exists both inside the VM and outside, but I think it's only capable of letting Windows mount Mac directories, not the other way around.

    In either case, this API effectively can let multiple Windows VMs see each other, so VMWare would have to certify that such an API doesn't exist in their NSA-approved VM.
    --
    And the men who hold high places must be the ones who start
    To mold a new reality... closer to the heart
  96. Secure Computing by AlgUSF · · Score: 1

    The only way to make a computer secure, is to lock it in a vault with only an AC outlet. But I guess that didn't work in Mission Impossible, so I guess we are out of luck... :-)

    --


    I want my rights back. I was actually using them when our government stole them after 9/11.
  97. I am the ghost of Trusted Mach by Mr.+Slippery · · Score: 2

    My first job out of graduate school was at Trusted Information Systems (now swallowed by Network Associates) on the NSA-funded Trusted Mach project.

    The idea was that you would run different OS sessions, each of which would provide a POSIX, or OS/2 (guess that dates the project), or whatever, "personality", at different sensitivity levels on top of the Mach microkernel. Data could be copied between sessions subject to security constraints. It was targeted (though never evaluated) to hit the B3 TCSEC criteria. Interesting stuff, but it never really went anywhere.

    This sounds very similar.

    Tom Swiss | the infamous tms | http://www.infamous.net/

    --
    Tom Swiss | the infamous tms | my blog
    You cannot wash away blood with blood
  98. Two things. Simple, short, and not stupid. by Gulfie2 · · Score: 2

    Remember DES? The NSA rolled out DES because it wanted everyone to use something it could crack.

    Read the article and think. They have a linux distribution that they believe to be bullet proof. They are going to use this to host other operating systems. A hardened linux box can act as a security arbiter. That is all they are doing, they are building in a firewall in to every box they'll be using.

    The effect of the second can be stunning. Their admins will now be able to do anything they want to any Win XXX PCs on their network. Monitor it, patch it, replace the OS, lock out the user, sane and reliable network firewalling, anything they want.

    They lose easily verifiable air gaps... which can be violated any time a security officer is not looking, and they gain the ability to truly manage their PC environment. Imagine IPSec wrappers for every one of your network transactions, even if the underlying (overriding) Win xxx does not support it. That is a huge win even on just sensitive networks.

  99. Re:Maybe I am confused but... by ocelotbob · · Score: 1

    In theory, yes this would be a single point of failure thing, but if you have a host system with a high level of security, such as the NSA's internally modified Linux system, this is a non-issue. You can also encrypt those host files, making it much harder to get at the info in there. The main goal of this seems to be to cut down on points of entry, because as the article says, some people have 5-6 systems on their desk in order to access items which have different classifications. With that many systems, monitoring network traffic for improper activities and troubleshooting seem to be a lot more difficult.

    --

    Marxism is the opiate of dumbasses

  100. Air Farce? by BlowCat · · Score: 1

    Do you mean Air Force or Air France?
    If the latter, I'm scared.

    1. Re:Air Farce? by SquadBoy · · Score: 1

      USAF and I typed it just the way I meant to. :)

      --

      Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
  101. We're talking about the NSA, right? by ThoreauHD · · Score: 1

    Perhaps my memory is foggy, but hasn't everything the NSA touched in the past two decades been exploitable due to them? PGP? OS? Take yer pick. Their job is to fuckup and subvert encryption. Why the hell are we trusting them with linux? I'd bet my 3-assed Monkey that they won't release the source of the tech.

  102. Covert Channels by rgmoore · · Score: 4

    It seems to me that this approach would still be very susceptible to various forms of covert timing channels. Since the different systems are running on the same hardware, you could still signal between them by having one system hog system resources or not as a way of signaling bits to the other system. There was some discussion of this approach to covert channels in this discussion here on slashdot.

    --

    There's no point in questioning authority if you aren't going to listen to the answers.

  103. Maybe I am confused but... by Dios · · Score: 5
    So I guess the goal would be to hack into the 'host' system. That way you can copy the virtual machines data file (isn't it just one big nice file in vmware?) and have a complete copy of the virtual system... and all its data...

    Is this like a single point of failure thing?

  104. Linux World by Cire · · Score: 3

    I saw at the VMware booth at linux world expo yesterday a demonstration of a product called VMware GSX, which is not out yet, but is going to be their "enterprise level" product. Rather than running a virtual OS on top of a real OS, it runs multiple VM's straight on the hardware level.

    If the NSA thing is using this it would cut out a whole layer of security that they have to deal with.

    1. Re:Linux World by qnetter · · Score: 1

      Actually, VMware GSX Server, which you saw, does use a host OS. VMware ESX Server, which is still in beta, doesn't.

  105. What? by roman_mir · · Score: 4

    "Last year, the company also released a version of its software that runs on Windows NT and 2000, enabling users to run Linux (or any other operating system) in a virtual machine on top of Windows. "
    I can imagine a blue screen of death that would still have a VMWare window with Linux that is still running in it...

  106. Sounds familiar by LoneWolf308 · · Score: 1

    Gee, sounds like they want X-terminals with an encrypted data link...

  107. Crack Proof? by baywulf · · Score: 2

    Crack proof means one can't hide a stash of cocaine inside the computer right?

  108. It's backwards by __aakpxi9117 · · Score: 1

    So let's say you want to steal some classified data... You break into the 'restricted' system one way or another and simply install a keystroke recorder, a screen grabber (VNC works nicely) or any of a million other programs that will not care which window you are typing the data into!

    The only way to get this to work is to reverse the process... Get VMware running the 'restricted' stuff on the 'secured' computers, that way the secured computer has to be compromised to get the secured data rather than the inverse (easier, less secure) way to do it.

  109. Re:Bollocks. by erlenic · · Score: 1

    I've seen a lot of that done, and they actually keep the desk clutter down pretty well. They use those cables that have mouse, video, and keyboard attached to each other, running from the KVM under the monitor to the two towers on the floor. Works great, until the KVM switch freaks out, then you have a few Lt Cols pissed off. Just happened to me last night :(

  110. Egan thought of this in Permutation City by nekid_singularity · · Score: 1

    In Permutation City, the main character has two virtual machines running, one on top of another, for security purposes in order to quarantine executable code in email. She also has an email screening program with a neural net roughly comparable to a goldfish's brain, that tries to fool the email into thinking it is being seen by a human. The first prediction has come true, I wonder when the second will?

    --
    Numbers 31:17,18 Now kill all the boys. And kill every woman who has slept with a man,but save for yourselves every virg
  111. aol viruses funny by chompz · · Score: 1

    AOL users are so fucked. AOL has become a distributed virus network, kinda like gnutella.

    Anyhow, theoretically, instead of using a buffer overflow to gain root access, I could use it to modify memory on other virtual machines on the same network? So, if I were an authorized user on one machine, I could spawn a shell for myself, with or without root privilege, on one of the other VM's. Bind that to a port, say 10000, and I have access to another vm, without having to login.

    Dangerous. Dangerous.

    --
    Spring is here. Don't believe me, look outside!
  112. too late for security by RussP · · Score: 1

    The Clinton Administration already took care of it.

    --
    I watch Brit Hume on Fox News
  113. Red Book for networks was harder, but yeah. by billstewart · · Score: 2
    Agreed - you don't need multiple machines if you've got a multi-level secure operating system. (And you don't need multiple machines very often if you've got removable disk drives, as someone else said.) But maintaining MLSs hasn't been mainstream commercial business for a while, certification is way too expensive, networking is too important, and everybody wants to use Windows anyway (which means getting a POSIX compliance waiver, if they still enforce that.)


    I spent way too much time in the late 80s making things fit on System V/MLS, the AT&T System V Unix version that was certified as a B1 Orange Book System. The Red Book, which covers secure networking, was still pretty edgy research at the time, because authentication for machines you don't directly control is a hard problem - doing it right requires crypto, and the NSA didn't want to let it out of the box at the time or let the military use civilian crypto, though there were a few IPSEC-predecessor networks that were certifiable.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  114. 2 answers by mindstrm · · Score: 2

    to that loaded question.

    1)Could it be secure enough for their purposes? Possibly. Only THEY can decide this.

    2) Is it as secure as separate workstations? Of course not. By definition it CAN'T be.

  115. This could work by Animats · · Score: 2
    This makes a lot of sense. Isolated virtual machines have been done successfully. IBM mainframes have had them since the 1970s. Several efforts funded by the intelligence community have produced specialized secure operating systems. But they generally lacked application software. This is a way to run common applications in a secure environment.

    Note that systems like this will have some annoying limitations. For example, hardware graphics acceleration will not be used.

  116. More on Hardware by DanHS · · Score: 1

    The way I understand it, it seems that VMware's plan is to not focus at all on the software end of the security problem but put most of its focus on the hardware end. You can read more at CNET.com's site; there they seem to say that the strength of VMware is that it emulates the underlying hardware. I suppose that given that you could have multiple operating systems which just reside on one computer and use the same computer but have nothing to do with one another. The way it sounds to me is that it's (possibly) an easier version of a dual or tri- boot. But if one were to try to do that within an operating system there seems like there would have to be a tremendous number of obstacles to overcome. Maybe it would just be better if they used a bootloader like the one that comes with Partition Magic or LILO. Encrypt each partition (or separate hard drive) or something so that they were each separate and you couldn't just boot into any partition. And run the system that way where each different partition is separate and encrypted.

  117. If it crashed it prob isn't secure... by stripes · · Score: 2

    I have gotten VMWare to crash. If it crashes there is some behaviour that the programmers were not aware of. These behaviours may well be security problems (buffer overruns frequently cause crashes, only choosing the right data to overrun with will show a security problem).

    I wouldn't be very thrilled with the idea of VMWare being part of a secure system (even if it is more the CMW part than the "secure from the outside" part) until it pretty much is impossible to crash.

  118. I submitted this story a day ago. by cornflux · · Score: 1
    I submitted this story a day ago and it was rejected:
    2001-02-01 19:33:16 NSA to use VMware for security (articles,news) (rejected)
    We're talking a whole day here -- can anyone explain why it was rejected?
  119. Look to by dmccarty · · Score: 2
    Will copying between virtual machines be impossible?

    I've found that life seems to parallel life, and a lot of times when I don't know the answer to something in the realm of computers, I look to other things in life as an equivalent. So in other words, the question becomes: can making a copy of something that we have created be made impossible?

    I think that, when the question is asked that way, the answer is clearly no.

    -Daniel.
    --
    Have fun: Join D.N.A. (National Dyslexics Association)
  120. Depends what you talk to by GlobalEcho · · Score: 4

    It's probably possible, at the very least in theory, to separate two virtual machines more or less completely. You can simulate the BIOS, the hardware clock, the PRAM, the ethernet card PRAM, and all those other sneaky places that most people don't think about as writable areas of their PC.

    Peripherals are a different matter. They had better be sure that only the insecure side is capable of sync'ing to the Palm Pilot!

    -- Brian

  121. Better hope memory freeing zeros out memory by elan · · Score: 1

    Otherwise one virtual OS may free a physical page and the other one might allocate it and get remnants of data...assuming of course the OSes share physical memory to some degree. -elan
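    The remnant-data problem elan describes, as an added illustration that is not part of the thread and not VMware's code: a toy page pool shared by two simulated guests, with a free routine that hands the page back untouched beside one that scrubs it first. The pool, page size and the "secret" are all constructed for the example.

```c
/* Added example (not from the thread): why a hypervisor's page allocator
 * must scrub freed pages before reusing them for another guest.
 * Pool size, page size and the sample secret are constructed values. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE 64
#define NPAGES 4

static uint8_t pool[NPAGES][PAGE_SIZE];   /* "physical" memory shared by guests */
static int in_use[NPAGES];

/* Hand out the first free page. Deliberately does NOT clear it, so whatever
 * the previous owner left behind is visible to the new owner. */
static int page_alloc(void) {
    for (int i = 0; i < NPAGES; i++)
        if (!in_use[i]) { in_use[i] = 1; return i; }
    return -1;
}

/* Insecure free: the page goes back to the pool with its contents intact. */
static void page_free_noscrub(int p) { in_use[p] = 0; }

/* Hardened free: zero the page before anyone else can allocate it.
 * A volatile loop is used so the compiler cannot drop the "dead" stores. */
static void page_free_scrub(int p) {
    volatile uint8_t *v = pool[p];
    for (size_t i = 0; i < PAGE_SIZE; i++) v[i] = 0;
    in_use[p] = 0;
}

/* Guest A writes a constructed secret into a page and frees it; guest B then
 * allocates a page (the same physical one) and checks for the remnant.
 * Returns 1 if the secret leaked to guest B, 0 if B saw only zeros. */
int remnant_leaks(int scrub) {
    const char secret[] = "CONSTRUCTED-SECRET";   /* constructed sample data */
    int a = page_alloc();
    memcpy(pool[a], secret, sizeof secret);
    if (scrub) page_free_scrub(a); else page_free_noscrub(a);

    int b = page_alloc();                          /* reuses page a */
    int leaked = memcmp(pool[b], secret, sizeof secret) == 0;
    page_free_scrub(b);                            /* leave the pool clean */
    return leaked;
}

int main(void) {
    printf("free without scrub: leaked=%d\n", remnant_leaks(0));  /* 1 */
    printf("free with scrub:    leaked=%d\n", remnant_leaks(1));  /* 0 */
    return 0;
}
```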

  122. Secure RAM and sidestream information leakage by clay+pigeon · · Score: 1

    It would seem that giving up physically secured machines in favor of a virtual security mechanism would exacerbate problems of classified data leaking out from alternate channels. I'd like to know how that is being addressed.

    --

    [ This space for rent ] - Your full service media whore