Slashdot Mirror


NSA + VMware = Crackproof Computing?

n8willis writes: "ZDnet is reporting on a VMware and NSA collaboration called "NetTop." The idea is to run multiple virtual computers on one box, to eliminate the need for government workers to have separate PCs--and indeed separate networks--for classified and unclassified data. The challenge is making the virtual barriers as secure as the physically separate networks. NSA and VMware say they've done it. What do you think?" Will copying between virtual machines be impossible? I wonder when (or if) NSA changes will make their way into the various distributions' boxed releases.

48 of 157 comments

  1. Here's one problem.. by dmuth · · Score: 5
    At home, I run Enlightenment, and often have multiple terminal windows open at once. I've already made stupid mistakes like trying to type my GPG passphrase or root password into the wrong window. My concern is that the NSA trying to do something similar could lead to similar problems. Given that government employees aren't exactly known for being the sharpest pencils in the box, I could easily see someone going to the trouble of doing an hour or more of work, only to discover that they were typing it all in the wrong window on an unsecure network. Whoops!

    As I understand it now, the present system where multiple machines are used in government institutions has a black machine that contains secret data, and a white machine that contains only sensitive data. Much harder to type something into the wrong machine when the color of it is immediately apparent to you, I would think.

    --

    1. Re:Here's one problem.. by Barbarian · · Score: 2

      Like put a transparent background in the secret window with "SECRET" printed diagonally across the window again and again?

    2. Re:Here's one problem.. by SquadBoy · · Score: 3

      This is why when I was in the Air Farce we had removable HDs. One for classified and one for unclassified stuff. And of course all the various levels of secret. Where I had hands on with the system we had to take the network cable out but on that machine the network was not critical at that time. In any case my CO still got it wrong. This is a *very* bad idea in many ways.

      --

      Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
  2. Securing by robbway · · Score: 2
    Securing a system of this type, even if 100% successful, requires it be locked up according to the highest security clearance it operates under. There's a really good chance there will still be two computers: one in the secure area, and one for e-mail, word processing, etc, because it requires a great big physical effort to get the whole system out.

    Therefore, this would only help a PC user that is always working under his highest security.

    ----------------------

  3. Re:Same CPU same RAM by tommck · · Score: 2

    I agree... there's still a single machine running a single operating system underneath it all... Crackers would just have to start getting familiar with the way VMWare handles processes. Or, if they're just after the data, just crack the host OS and grab data from there...

    --
    ---- It puts the lotion on its skin or else it gets the hose again. It does this whenever it's told.
  4. No, dammit! by rkent · · Score: 2

    Crap! I don't want VMWare to set up barriers around my virtual machines; I'd like very much for them to interoperate smoothly!

  5. Re:Maybe I am confused but... by yamla · · Score: 2
    This would indeed be a single point of failure if and only if the filesystem for the virtual machine is unencrypted. However, I would assume that they will be encrypting the filesystem.

    Then, you are left with penetrating the host filesystem and changing the vmware software. But of course, this isn't the point. You secure the host system from outside attack and then basically the only way the hackers can get in is through the guest operating systems. And these cannot talk to other guest systems.

    --

    Oceania has always been at war with Eastasia.
  6. Chokepoints by maggard · · Score: 2
    As elaborate as the underlying software and systems might be it's all going to a video-buffer for presentation. Unless there's some technique I'm not aware of (and that's entirely likely) it's seems to me that this would be an exploitable chokepoint.

    Grab whatever's in there and you've got a copy of what the user sees. Reprocess it and you've got the content a screen at a time. Get a trojan horse onto the less-secured side of the machine and you've got a window onto the more-secured side.

    Similar to how the US bugged Xerox machines (and yes they were Xerox-brand) in the Washington Soviet Embassy - put a mirror inside and simply duplicated everything.

    Is there any technique (that just-folks know) to encrypt/otherwise secure what's in a videocard yet still have it perform properly?

    --
    I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I won't bother either.
  7. Re:Only if the other machine can measure it. by rgmoore · · Score: 2

    Because it undermines a lot of the advantages of having a single system. If you allocate each separate VM a fixed percentage of system resources, you also prevent one process from being able to access complete system resources if none of the other ones are using them. IOW, if you have 2 VMs on a system and each is allocated equal resources, you won't ever be able to go over 50% usage with a single process. Admittedly, that may be acceptable in a system where you have a small number of separate security compartments, but if you have 10 different compartments on a single machine, it's just not acceptable to restrict each of them to 10% or less of system resources at all times.

    In practice, it would probably be acceptable to go to a moderately coarse grained resource allocation scheme that would limit covert channel bandwidth (the secure computing guidelines suggest that any channel that can transmit data about as fast as a person can type is critical) and then audit any remaining channels. You may actually be better off letting people think they're getting away with something and catching them then shutting off something you know about and letting them find out about something you don't know about.

    --

    There's no point in questioning authority if you aren't going to listen to the answers.

  8. Re:Air Farce? by grappler · · Score: 2

    He said Air _Farce_

    A Farce is a charade, or pointless exercise in politics, or a drama played out in reality. For example, a high school student council.

    I like it the way it was originally.

    --
    Vidi, Vici, Veni
  9. All my dreams come true! by foreigninvasion · · Score: 2
    Guys, it's NSA INSANO WORLD and VMWARE INSANO WORLD

    Very important to the ZDnet article!!!!!!

  10. Someone call Hillary and Jack! by Tackhead · · Score: 5
    > Will copying between virtual machines be impossible?

    I dunno, but if it is, someone'd better call RIAA and MPAA to let Ms. Rosen and Mr. Valenti know about it :)

  11. Is this the best way to do it? by MartinG · · Score: 2

    Sounds like a reasonable idea, but wouldn't usermode linux for example be better? It would give much the same results but without the virtualisation overhead. Also, it would not be restricted to x86.

    --
    -- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz .@adgimnoprstu
  12. Re:VMWare firewall by AntiPasto · · Score: 2
    I had something like that as a side effect. VMWare was binding to the wrong adapter, and the virtual machine took over the IP lease from my cable provider. I guess theoretically you could run some MS-Dos NAT or the linux-firewall-on-a-floppy stuff... Could be nice... or at the very least confuse some black hats for a little bit.

    ----

  13. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  14. Regulations would never allow it by //violentmac · · Score: 2

    I used to work computer security for the Air Force. I think this sort of thing would never be allowed.

    The amount of regulations that would have to be rewritten would be astounding. That (esp. versus the small cost {for the DOD loves to spend your tax money} of buying a separate computer) would keep that from ever happening.

    Plus you are talking about a new idea. The military thrives on the status quo. New ideas are implemented over many many years of missed deadlines (example {for mil guys} DMS).

    You wouldn't believe the paranoia that surrounds security around here. I can't stress enough, that would never ever happen.

    --
    --------

    get jiggy w/ ayn rand!

  15. Douglas Adams would be proud by pezpunk · · Score: 2
    the whole POINT is that there's a PHYSICAL distance between the computers, so no possible bug could allow unauthorized access...

    sheesh, it's like that Douglas Adams book Mostly Harmless where, in order to get around all the inconveniences of tight security, people carry around small credit cards with their mother's maiden name, fingerprints, retinal prints, dna pattern, etc etc holographically encoded.

    --
    i could live a little longer in this prison
  16. Woops.. by djocyko · · Score: 2
    Uh, Mr President, it seems China just got hold of our missile launch codes. Apparently one of our staff was using AOL Messenger on his insecure virtual computer and while cutting and pasting codes on his secure VM, an IM blinked up without him knowing it and he pasted and pressed enter before noticing the window. It turns out that with the disallowance of computer speakers in the office, it's impossible to predict this scenario occurring.

    And what's worse, since he was using cut-paste, he lost the code once he closed the window, clearly not a very lucid move, and now we can not change the launch code without the old one. Isn't that a bummer?

  17. Will never be used in practice by hawkstone · · Score: 3

    I work for a national laboratory where we have two separate networks: one for unclassified, one for classified. We use an air gap to separate the two networks. The classified one has no connection to the outside world, and the only way to get information to the classified net is through tape and sneakernet, and the only people who have access to do this are subject to polygraphs. In fact, for those of us who have classified and unclassified computers in our office, the network cables must be separated by 6 inches (15cm), and this is actually audited by computer security folks. There are so many rules in place, we even have classified keyboards -- you cannot hook a keyboard up to an unclassified computer that has been contaminated by being connected to a classified one. The hardest part about this is that you cannot have classified and unclassified data on the same hard drive. The point is, there are so many rules in place designed to prevent this, no other government agencies but the NSA would ever consider this. We would rather pay twice for two separate sets of computers and networks.

    1. Re:Will never be used in practice by aburnsio.com · · Score: 2
      It's not just in national labs and defense work; key financial networks also use a similar strategy. Take Fedwire, for example, the network that transmits enormous quantities of money electronically every day. The network connections have special nodes with plastic coverings that are designed to corrode the chips if you ever try to open them. The nodes are accessed through sneakernet at banks.

      Fortunately, (The Matrix aside), it's still harder for crackers to break the electronic barrier than the physical barrier.

  18. I disagree by Global-Lightning · · Score: 2

    I work in a particular five-sided building in Arlington, VA. Part of my job involves tracking down classified information that has been leaked onto uncleared computers and networks and 'sanitizing' them (degaussers are my friend). If I could have one wish in this world, it would be to rip every 3.5" floppy drive out of every computer rated 'Secret' and above.

    Computers are very good at blindly following instructions. Humans, however, tend to suffer from problems such as laziness, ignorance, contempt, or outright disregard for the rules (and in the worst cases, greed...). No one has ever heard of a computer that decided to disregard its programming. Every case I have worked began with human error.
    By their very nature, computers can't break the rules, but humans definitely do.

    As for the hard drive issue, I see two solutions:
    1. Have a single drive for the entire machine, and the classified Virtual Machines (VMs) would operate with an encrypted file and swap space. Modify the OS so that unencrypted info can exist only in volatile RAM (I believe OpenBSD already does this).

    2. Run at least two hard drives, one for the host OS and unclassified VMs, the other encrypted for the classified VMs. This would be easier to conform with existing regulations on classified handling and storage.

  19. C'mon by DerMarlboro · · Score: 2

    What about cut and paste? Screen grabs?

  20. Crack proof? Yeah, right... by Noryungi · · Score: 2

    I really don't think this would work. Even if VMWare runs a multiple emulation layer straight from the hardware, this would still require strong crypto to protect data saved to disk.
    Then again, multiple virtual machines and strong crypto would not protect against the type of small keyboard sniffers that the FBI (and other intelligence agencies) supposedly already have -- the kind that connects directly on your keyboard and stores everything that is typed.
    Finally, I am almost certain that someone could come up with a virus that would infect one VMWare layer (think Win9x here) and would do the same password-gathering. With the right drivers, one can even imagine a virus/trojan horse mounting other filesystems and discreetly searching for interesting files and data.
    In short, I really don't think this has any chance to work. Memo to NSA: use OpenBSD or your own (reinforced) version of Linux with ultra-strong crypto -- you'll run less risks this way.
    After all, what's the point of emulating (slowly) multiple operating systems, when it's probably much faster to port all the tools users need to one "set" of platforms (Unix?).
    Just my $0.02. I am not sure this rant makes sense.

    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
  21. This is the Orange Book, redux by davecb · · Score: 4

    Once upon a time, the U.S. government wrote a set of specifications for multi-level secure computers, called the orange book. This worked pretty well for mainframes: Multics was rated B2, and was on the 'net as dockmaster.mil.

    It was a bit clunky, but had been continuously updated over time, so I still have a machine running Trusted Solaris 7 in my basement.

    It's arguably the same task to do this sort of thing with a virtual machine monitor as it is with a security monitor: both create trusted computing bases, which enforce the security rules.

    It would look almost exactly like an unmodified system, with optional colored bars on the windows indicating the security level and subject matter that was displayed there.

    The rules the TCB would enforce are things like "thou shalt not copy from higher security down to lower security", so the TCB gets asked if it should allow a top-secret cut buffer to be pasted into a merely restricted document.

    The Trusted Computing Base (the VMM) gets to say no, and so refuses to allow mapping of that page. The X server gets a -1 return code and errno=NOWAYJOSE, so it then pops up a "sorry, that was a security breach" message... which is exactly what my TS system does when I klutz and try to copy stuff from my confidential files into my unclassified email!

    --
    davecb@spamcop.net
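An added example, not code from this thread or from VMware/NSA NetTop: a toy version of the cut-buffer decision davecb describes. The TCB holds a label (level plus compartments) for the clipboard and refuses any paste into a window whose label does not dominate it ("no write down"). The level names, compartment strings and class names are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Hierarchical sensitivity levels (the names are illustrative assumptions)."""
    UNCLASSIFIED = 0
    RESTRICTED = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


@dataclass(frozen=True)
class Label:
    """Security label: a level plus a set of compartments (subject matter)."""
    level: Level
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # self dominates other iff its level is at least as high and it carries
        # every compartment other carries. This partial order is what the TCB checks.
        return self.level >= other.level and other.compartments <= self.compartments

    def join(self, other: "Label") -> "Label":
        # Least upper bound: the label data inherits when aggregated from both sources.
        return Label(max(self.level, other.level),
                     self.compartments | other.compartments)

    def __str__(self) -> str:
        comps = ",".join(sorted(self.compartments))
        return self.level.name + (f"[{comps}]" if comps else "")


class SecurityViolation(PermissionError):
    """The refusal the comment's X server sees as -1 / errno=NOWAYJOSE."""


def check_paste(src: Label, dst: Label) -> bool:
    """TCB decision for pasting a cut buffer labelled src into a window labelled dst.

    "No write down": allowed only if dst dominates src. Copying upward
    (UNCLASSIFIED into SECRET) passes; TOP_SECRET into RESTRICTED is refused.
    """
    if dst.dominates(src):
        return True
    raise SecurityViolation(f"cannot paste {src} data into a {dst} window")


class Clipboard:
    """A labelled cut buffer. Its label rises to the join of everything copied
    into it, so SECRET[A] text followed by CONFIDENTIAL[B] text yields SECRET[A,B]."""

    def __init__(self) -> None:
        self.label = Label(Level.UNCLASSIFIED)  # an empty buffer carries the lowest label
        self.text = ""

    def copy(self, window_label: Label, text: str) -> Label:
        self.text += text
        self.label = self.label.join(window_label)
        return self.label

    def paste(self, window_label: Label) -> str:
        check_paste(self.label, window_label)  # raises on a breach
        return self.text


def decide(clipboard: Clipboard, window_label: Label) -> str:
    """Wrap a paste attempt the way the UI would: 'allowed' or the 'security breach' dialog."""
    try:
        clipboard.paste(window_label)
        return "allowed"
    except SecurityViolation as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    # Constructed sample session mirroring the comment's klutz scenario.
    cb = Clipboard()
    cb.copy(Label(Level.TOP_SECRET, frozenset({"NOFORN"})), "quarterly plan")
    print(decide(cb, Label(Level.RESTRICTED)))                          # denied
    print(decide(cb, Label(Level.TOP_SECRET, frozenset({"NOFORN"}))))   # allowed
    print(decide(cb, Label(Level.TOP_SECRET)))                          # denied: compartment missing
```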
  22. Re:Slow down... by Webmonger · · Score: 2

    It doesn't. You'd need an x86 emulator too.

  23. ... and rightly so -- proven impossible to secure by renehollan · · Score: 2
    Consider a secure process that modulates use of swap space. This affects the running performance of other, non-secure processes. Measuring your own running performance allows you to use such a method for inter (secure to non-secure) process communication.

    Basically, ANY time you share a resource, you can monitor how others use it. The CPU is such a resource.

    --
    You could've hired me.
  24. Re:Maybe I am confused but... by jovlinger · · Score: 3

    The point is that you have 3 systems running:


              Host
             /    \
      inter-net VM  intra-net VM


    If you compromise the internet VM (which we assume can happen -- this is why they are currently different machines, physically) this doesn't necessarily give you any means to access the meta level Host computer.

    If that were possible, then yes, the attacker could compromise the supposedly secure intra-net VM (NB: copying its state would only give you a snapshot -- it would be much better just to relay all of its communication traffic to the internet).

    So now we need to prove that it is impossible to get access to the meta level from the internet. This comes immediately from the virtualisation requirements -- each hosted OS has no way of realising it isn't running on the base hardware.
    Even if we are not able to prove this, the fact that the internet connected machine is virtual gives us the ability to snapshot its state at a fully booted uncompromised point in time; in order to make cracking it hard, we can just kill the entire machine every 5 minutes and reinstate the snapshotted version. Any attacker now has to crack not only the inter-net VM, but also the Host machine in 5 minutes.

    However, this all assumes a trusted user. If the user has the ability to do screen captures from the intra-net VM, they could then conveniently send these via the inter-net VM.

  25. BSODs on top of VMware by Cato · · Score: 2

    Windows has been known to crash on VMware running on Linux, but I can assure you VMware does not exit - it just displays the BSOD in the same way a non-virtual PC would.

    In some ways, Windows on VMware is actually more stable than Windows on real hardware, largely because VMware emulates hardware that has well proven drivers.

  26. Slow down... by whydna · · Score: 3

    Or, Maybe the NSA is having a hard time keeping up with these new CPUs and they can't process all the information about us that they want to. So really this is just a big ploy for us to install VMWare and /really/ have things slow to a creep... And hell, what's better than one instance of VMWare running... two or three!!! hell yeah!!

    -Andy

  27. VMWare anecdote. by jcr · · Score: 2

    One friend of mine replaced 21 machines running web apps on NT with three of the same machines running multiple instances of NT under Linux.

    The NT systems typically crashed every 5 hours. The first band-aid solution was to make one machine reboot all the others every 4 hours. Under VMWare, the NT apps still crashed, but they could be restarted from a memory image file in about 15 seconds instead of 5+ minutes.

    If for some bizarre reason I ever needed an NT sysadmin, I'd hire the guy who was carrying a VMWare disk in his briefcase.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
  28. Not possible, sorry by The+Man · · Score: 2

    1. Become root (choose your favourite exploit).
    2. insmod fuck-vmware.o
    3. Proceed to read and/or write all the address space your heart desires.

    The entire idea is ridiculous. Nothing can be as secure as having separate networks, except not having secrets.

  29. Crack Proof? by WindowsTroll · · Score: 2

    If the history of computer security has taught us anything, it has taught us that there is no software that is crackproof.

    --
    "Microsoft has made computing accessible to a population who would otherwise not be able to use computers" - B. Kernigha
  30. Hmmm... by Anonymous Coward · · Score: 2

    First, there were centralized mainframes and user terminals for people to run apps and data through.

    Then there were PC's where everyone had their own "little mainframe."

    Now I'm seeing a trend back towards centralized computers. It started with client/server, and now this from the boys and girls at the NSA.

    Can you say "pendulum swings?"

  31. VirtualPC API by LordNimon · · Score: 2
    VirtualPC is a PC emulator for Macs. It emulates an entire PC, including the BIOS and peripherals, so that you can run pretty much any OS (including OS/2, which VMWare doesn't support).

    The reason I bring this up is because VirtualPC includes an API that lets Windows "see" your Mac hard drives and vice-versa. The API exists both inside the VM and outside, but I think it's only capable of letting Windows mount Mac directories, not the other way around.

    In either case, this API effectively can let multiple Windows VMs see each other, so VMWare would have to certify that such an API doesn't exist in their NSA-approved VM.
    --
    And the men who hold high places must be the ones who start
    To mold a new reality... closer to the heart
  32. Re:Maybe I'm REALLY confused... by jovlinger · · Score: 2

    This is a really good point; if the image from a running secure VM is captured, it will necessarily have any session keys in its memory.

    However, these session keys are not the same as the (presumably) strong master key used to generate them. Many programs (such as PGP) go to great lengths to destroy the memory-representation of my master key after it is no longer needed -- tho this is mainly to avoid it being swapped to disk.

    Other workarounds are keeping the master keys in hardware -- the NIC or in one of the IBM hardware locks. Neither of these are part of the VM state, but rather the base hardware, so they wouldn't be represented in the secure VM.

    Another idea would be to have the Host do these as a trap -- have the secure VM think it's running on hardware with a de/encryption primitive instruction. This instruction is trapped by the VMWare and executed by the host operating system.

    In this last case, compromising the host would imply key loss; this is not necessarily the case in the hardware scenario.

  33. I am the ghost of Trusted Mach by Mr.+Slippery · · Score: 2

    My first job out of graduate school was at Trusted Information Systems (now swallowed by Network Associates) on the NSA-funded Trusted Mach project.

    The idea was that you would run different OS sessions, each of which would provide a POSIX, or OS/2 (guess that dates the project), or whatever, "personality", at different sensitivity levels on top of the Mach microkernel. Data could be copied between sessions subject to security constraints. It was targeted (though never evaluated) to hit the B3 TCSEC criteria. Interesting stuff, but it never really went anywhere.

    This sounds very similar.

    Tom Swiss | the infamous tms | http://www.infamous.net/

    --
    Tom Swiss | the infamous tms | my blog
    You cannot wash away blood with blood
  34. Two things. Simple, short, and not stupid. by Gulfie2 · · Score: 2

    Remember DES? The NSA rolled out DES because it wanted everyone to use something it could crack.

    Read the article and think. They have a linux distribution that they believe to be bullet proof. They are going to use this to host other operating systems. A hardened linux box can act as a security arbiter. That is all they are doing, they are building in a firewall into every box they'll be using.

    The effect of the second can be stunning. Their admins will now be able to do anything they want to any Win XXX PCs on their network. Monitor it, patch it, replace the OS, lock out the user, sane and reliable network firewalling, anything they want.

    They lose easily verifiable air gaps... which can be violated any time a security officer is not looking, and they gain the ability to truly manage their PC environment. Imagine IPSec wrappers for every one of your network transactions, even if the underlying (overriding) Win xxx does not support it. That is a huge win even on just sensitive networks.

  35. Covert Channels by rgmoore · · Score: 4

    It seems to me that this approach would still be very susceptible to various forms of covert timing channels. Since the different systems are running on the same hardware, you could still signal between them by having one system hog system resources or not as a way of signaling bits to the other system. There was some discussion of this approach to covert channels in this discussion here on slashdot.

    --

    There's no point in questioning authority if you aren't going to listen to the answers.

  36. Maybe I am confused but... by Dios · · Score: 5
    So I guess the goal would be to hack into the 'host' system. That way you can copy the virtual machines data file (isn't it just one big nice file in vmware?) and have a complete copy of the virtual system... and all its data...

    Is this like a single point of failure thing?

  37. Linux World by Cire · · Score: 3

    I saw at the VMware booth at linux world expo yesterday a demonstration of a product called VMware GSX, which is not out yet, but is going to be their "enterprise level" product. Rather than running a virtual OS on top of a real OS, it runs multiple VM's straight on the hardware level.

    If the NSA thing is using this it would cut out a whole layer of security that they have to deal with.

  38. What? by roman_mir · · Score: 4

    "Last year, the company also released a version of its software that runs on Windows NT and 2000, enabling users to run Linux (or any other operating system) in a virtual machine on top of Windows. "
    I can imagine a blue screen of death that would still have a VMWare window with Linux that is still running in it...

  39. Crack Proof? by baywulf · · Score: 2

    Crack proof means one can't hide a stash of cocaine inside the computer right?

  40. Red Book for networks was harder, but yeah. by billstewart · · Score: 2
    Agreed - you don't need multiple machines if you've got a multi-level secure operating system. (And you don't need multiple machines very often if you've got removable disk drives, as someone else said.) But maintaining MLSs hasn't been mainstream commercial business for a while, certification is way too expensive, networking is too important, and everybody wants to use Windows anyway (which means getting a POSIX compliance waiver, if they still enforce that.)

    I spent way too much time in the late 80s making things fit on System V/MLS, the AT&T System V Unix version that was certified as a B1 Orange Book System. The Red Book, which covers secure networking, was still pretty edgy research at the time, because authentication for machines you don't directly control is a hard problem - doing it right requires crypto, and the NSA didn't want to let it out of the box at the time or let the military use civilian crypto, though there were a few IPSEC-predecessor networks that were certifiable.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  41. 2 answers by mindstrm · · Score: 2

    to that loaded question.

    1)Could it be secure enough for their purposes? Possibly. Only THEY can decide this.

    2) Is it as secure as separate workstations? Of course not. By definition it CAN'T be.

  42. This could work by Animats · · Score: 2
    This makes a lot of sense. Isolated virtual machines have been done successfully. IBM mainframes have had them since the 1970s. Several efforts funded by the intelligence community have produced specialized secure operating systems. But they generally lacked application software. This is a way to run common applications in a secure environment.

    Note that systems like this will have some annoying limitations. For example, hardware graphics acceleration will not be used.

  43. If it crashed it prob isn't secure... by stripes · · Score: 2

    I have gotten VMWare to crash. If it crashes there is some behaviour that the programmers were not aware of. These behaviours may well be security problems (buffer overruns frequently cause crashes, only choosing the right data to overrun with will show a security problem).

    I wouldn't be very thrilled with the idea of VMWare being part of a secure system (even if it is more the CMW part than the "secure from the outside" part) until it pretty much is impossible to crash.

  44. Look to by dmccarty · · Score: 2
    Will copying between virtual machines be impossible?

    I've found that life seems to parallel life, and a lot of times when I don't know the answer to something in the realm of computers, I look to other things in life as an equivalent. So in other words, the question becomes: can making a copy of something that we have created be made impossible?

    I think that, when the question is asked that way, the answer is clearly no.

    -Daniel.
    --
    Have fun: Join D.N.A. (National Dyslexics Association)
  45. Depends what you talk to by GlobalEcho · · Score: 4

    It's probably possible, at the very least in theory, to separate two virtual machines more or less completely. You can simulate the BIOS, the hardware clock, the PRAM, the ethernet card PRAM, and all those other sneaky places that most people don't think about as writable areas of their PC.

    Peripherals are a different matter. They had better be sure that only the insecure side is capable of sync'ing to the Palm Pilot!

    -- Brian