Slashdot Mirror


NSA + VMware = Crackproof Computing?

n8willis writes: "ZDnet is reporting on a VMware and NSA collaboration called "NetTop." The idea is to run multiple virtual computers on one box, to eliminate the need for government workers to have separate PCs--and indeed separate networks--for classified and unclassified data. The challenge is making the virtual barriers as secure as the physically separate networks. NSA and VMware say they've done it. What do you think?" Will copying between virtual machines be impossible? I wonder when (or if) NSA changes will make their way into the various distributions' boxed releases.

12 of 157 comments

  1. Here's one problem.. by dmuth · · Score: 5
    At home, I run Enlightenment, and often have multiple terminal windows open at once. I've already made stupid mistakes like trying to type my GPG passphrase or root password into the wrong window. My concern is that the NSA trying to do something similar could lead to similar problems. Given that government employees aren't exactly known for being the sharpest pencils in the box, I could easily see someone going to the trouble of doing an hour or more of work, only to discover that they were typing it all in the wrong window on an insecure network. Whoops!

    As I understand it now, the present system where multiple machines are used in government institutions has a black machine that contains secret data, and a white machine that contains only sensitive data. Much harder to type something into the wrong machine when the color of it is immediately apparent to you, I would think.

    --

    1. Re:Here's one problem.. by SquadBoy · · Score: 3

      This is why when I was in the Air Farce we had removable HDs. One for classified and one for unclassified stuff. And of course all the various levels of secret. Where I had hands on with the system we had to take the network cable out, but on that machine the network was not critical at that time. In any case my CO still got it wrong. This is a *very* bad idea in many ways.

      --

      Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
  2. Someone call Hillary and Jack! by Tackhead · · Score: 5
    > Will copying between virtual machines be impossible?

    I dunno, but if it is, someone'd better call RIAA and MPAA to let Ms. Rosen and Mr. Valenti know about it :)

  3. Will never be used in practice by hawkstone · · Score: 3

    I work for a national laboratory where we have two separate networks: one for unclassified, one for classified. We use an air gap to separate the two networks. The classified one has no connection to the outside world, and the only way to get information to the classified net is through tape and sneakernet, and the only people who have access to do this are subject to polygraphs. In fact, for those of us who have classified and unclassified computers in our office, the network cables must be separated by 6 inches (15cm), and this is actually audited by computer security folks. There are so many rules in place, we even have classified keyboards -- you cannot hook a keyboard up to an unclassified computer that has been contaminated by being connected to a classified one. The hardest part about this is that you cannot have classified and unclassified data on the same hard drive. The point is, there are so many rules in place designed to prevent this, no other government agencies but the NSA would ever consider this. We would rather pay twice for two separate sets of computers and networks.

  4. This is the Orange Book, redux by davecb · · Score: 4

    Once upon a time, the U.S. government wrote a set of specifications for multi-level secure computers, called the Orange Book. This worked pretty well for mainframes: Multics was rated B2, and was on the 'net as dockmaster.mil.

    It was a bit clunky, but had been continuously updated over time, so I still have a machine running Trusted Solaris 7 in my basement.

    It's arguably the same task to do this sort of thing with a virtual machine monitor as it is with a security monitor: both create trusted computing bases, which enforce the security rules.

    It would look almost exactly like an unmodified system, with optional colored bars on the windows indicating the security level and subject matter that was displayed there.

    The rules the TCB would enforce are things like "thou shalt not copy from higher security down to lower security", so the TCB gets asked if it should allow a top-secret cut buffer to be pasted into a merely restricted document.

    The Trusted Computing Base (the VMM) gets to say no, and so refuses to allow mapping of that page. The X server gets a -1 return code and errno=NOWAYJOSE, so it then pops up a "sorry, that was a security breach" message... which is exactly what my TS system does when I klutz and try to copy stuff from my confidential files into my unclassified email!

    --
    davecb@spamcop.net
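
The paste check davecb describes, worked through as an added example (not Trusted Solaris or VMware code, and not the commenter's). The TCB keeps a labelled cut buffer and applies the Bell-LaPadula dominance rule: a paste is allowed only if the destination window's label dominates the source's, so a top-secret buffer cannot land in a restricted document, and material from one compartment cannot cross into a window that lacks it. The level ordering, the compartment names and the data strings are assumptions chosen for the illustration.

```python
"""Mediating a cut-and-paste between windows of different classification.

Added illustration of the "no write-down" rule a trusted computing base
enforces; it is not Trusted Solaris or VMware code.  The level ordering and
the compartment names are assumptions chosen for the example.
"""
from dataclasses import dataclass

# Strictly ordered sensitivity levels (assumed ordering for the example).
LEVELS = {"UNCLASSIFIED": 0, "RESTRICTED": 1, "CONFIDENTIAL": 2,
          "SECRET": 3, "TOP_SECRET": 4}


@dataclass(frozen=True)
class Label:
    """A security label: a level plus a set of need-to-know compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Bell-LaPadula dominance: level >= other's AND a superset of compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)

    def __str__(self) -> str:
        return self.level + ("//" + "/".join(sorted(self.compartments))
                             if self.compartments else "")


def flow_allowed(src: Label, dst: Label) -> bool:
    """Data may move from src to dst only if dst dominates src.

    This is the *-property: writing down (TOP_SECRET -> RESTRICTED) is refused,
    and so is crossing compartments at the same level."""
    return dst.dominates(src)


class SecurityViolation(Exception):
    """Raised where the comment's X server would get errno=NOWAYJOSE."""


class CutBufferTCB:
    """Labelled clipboard: every paste is mediated by flow_allowed()."""

    def __init__(self) -> None:
        self._buffer = None      # (label of the source window, bytes)
        self.audit = []          # every decision, for the security officer

    def copy(self, window_label: Label, data: bytes) -> None:
        # The buffer inherits the label of the window it was cut from.
        self._buffer = (window_label, data)
        self.audit.append(f"COPY  from {window_label}")

    def paste(self, window_label: Label) -> bytes:
        if self._buffer is None:
            return b""
        src, data = self._buffer
        if not flow_allowed(src, window_label):
            self.audit.append(f"DENY  paste {src} -> {window_label}")
            raise SecurityViolation(
                f"cannot paste {src} material into a {window_label} window")
        self.audit.append(f"ALLOW paste {src} -> {window_label}")
        return data


def try_paste(tcb: CutBufferTCB, window_label: Label) -> tuple:
    """Convenience wrapper returning (allowed, data_or_reason)."""
    try:
        return True, tcb.paste(window_label)
    except SecurityViolation as exc:
        return False, str(exc)


if __name__ == "__main__":
    tcb = CutBufferTCB()
    tcb.copy(Label("TOP_SECRET", frozenset({"CRYPTO"})), b"key schedule")
    print(try_paste(tcb, Label("RESTRICTED")))                    # denied: write-down
    print(try_paste(tcb, Label("TOP_SECRET")))                    # denied: lacks CRYPTO
    print(try_paste(tcb, Label("TOP_SECRET", frozenset({"CRYPTO", "SIGINT"}))))  # allowed
    print("\n".join(tcb.audit))
```

The audit list is the part a real TCB would never skip: the "sorry, that was a security breach" dialog is the user-facing half, and the logged denial is what lets a security officer tell an honest klutz from someone probing the barrier.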
  5. Re:Maybe I am confused but... by jovlinger · · Score: 3

    The point is that you have 3 systems running:


             Host
            /    \
    inter-net VM  intra-net VM


    If you compromise the internet VM (which we assume can happen -- this is why they are currently different machines, physically) this doesn't necessarily give you any means to access the meta level Host computer.

    If that were possible, then yes, the attacker could compromise the supposedly secure intra-net VM (NB: copying its state would only give you a snapshot -- it would be much better just to relay all of its communication traffic to the internet).

    So now we need to prove that it is impossible to get access to the meta level from the internet. This comes immediately from the virtualisation requirements -- each hosted OS has no way of realising it isn't running on the base hardware.
    Even if we are not able to prove this, the fact that the internet connected machine is virtual gives us the ability to snapshot its state at a fully booted uncompromised point in time; in order to make cracking it hard, we can just kill the entire machine every 5 minutes and reinstate the snapshotted version. Any attacker now has to crack not only the inter-net VM, but also the Host machine in 5 minutes.

    However, this all assumes a trusted user. If the user has the ability to do screen captures from the intra-net VM, they could then conveniently send these via the inter-net VM.

  6. Slow down... by whydna · · Score: 3

    Or, Maybe the NSA is having a hard time keeping up with these new CPUs and they can't process all the information about us that they want to. So really this is just a big ploy for us to install VMWare and /really/ have things slow to a creep... And hell, what's better than one instance of VMWare running... two or three!!! hell yeah!!

    -Andy

  7. Covert Channels by rgmoore · · Score: 4

    It seems to me that this approach would still be very susceptible to various forms of covert timing channels. Since the different systems are running on the same hardware, you could still signal between them by having one system hog system resources or not as a way of signaling bits to the other system. There was some discussion of this approach to covert channels in this discussion here on slashdot.

    --

    There's no point in questioning authority if you aren't going to listen to the answers.
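
The channel rgmoore describes, as an added example that is not part of the original thread and not VMware's or the NSA's code. Two threads in one CPython interpreter stand in for the two VMs, with the interpreter lock playing the part of the shared CPU: the sending side burns CPU for a whole time slot to signal a 1 and sleeps to signal a 0, while the receiving side simply counts how much work it gets done per slot and recovers the bits from the dips. The slot length, the preamble and the thresholding scheme are assumptions chosen for the illustration; a real channel between VMs would contend on caches, memory bandwidth or a disk rather than on an interpreter lock, but the decoding logic is the same.

```python
"""Covert timing channel between two co-resident 'virtual machines'.

Added illustration, not code from the article or from VMware.  Two threads
in one CPython interpreter stand in for two VMs sharing one CPU (the GIL is
the contended resource); SLOT, the preamble and the thresholding scheme are
assumptions chosen for the example.
"""
import threading
import time

SLOT = 0.05                 # seconds per bit (assumed; large vs. scheduler jitter)
PREAMBLE = [1, 0, 1, 0]     # known bits the receiver uses to calibrate its threshold


def bits_from_bytes(data: bytes) -> list:
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def bytes_from_bits(bits: list) -> bytes:
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):   # drop a trailing partial byte
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def sender(bits: list, start: float, slot: float = SLOT) -> None:
    """Sending side: hog the CPU for the whole slot to signal 1, idle to signal 0."""
    for i, bit in enumerate(PREAMBLE + bits):
        deadline = start + (i + 1) * slot
        if bit:
            while time.perf_counter() < deadline:
                pass                                  # busy-wait = contention
        else:
            time.sleep(max(0.0, deadline - time.perf_counter()))


def receiver(nbits: int, start: float, slot: float = SLOT) -> list:
    """Receiving side: count how much work it manages to do in each slot."""
    counts = []
    for i in range(len(PREAMBLE) + nbits):
        deadline = start + (i + 1) * slot
        n = 0
        while time.perf_counter() < deadline:
            n += 1
        counts.append(n)
    return counts


def decode(counts: list) -> list:
    """Turn per-slot work counts into bits.

    A low count means the other tenant was hogging the CPU, i.e. a 1.  The
    threshold is the midpoint between the mean count seen in the preamble's
    1-slots and its 0-slots, so the receiver needs no prior knowledge of how
    fast the machine is."""
    pre = counts[:len(PREAMBLE)]
    ones = [c for c, b in zip(pre, PREAMBLE) if b]
    zeros = [c for c, b in zip(pre, PREAMBLE) if not b]
    threshold = (sum(ones) / len(ones) + sum(zeros) / len(zeros)) / 2
    return [1 if c < threshold else 0 for c in counts[len(PREAMBLE):]]


def run_channel(message: bytes, slot: float = SLOT) -> tuple:
    """Run sender and receiver concurrently; return (recovered bytes, raw counts)."""
    bits = bits_from_bytes(message)
    start = time.perf_counter() + 0.1    # let both threads get scheduled first
    result = {}
    tx = threading.Thread(target=sender, args=(bits, start, slot))
    rx = threading.Thread(
        target=lambda: result.update(counts=receiver(len(bits), start, slot)))
    tx.start()
    rx.start()
    tx.join()
    rx.join()
    return bytes_from_bits(decode(result["counts"])), result["counts"]


if __name__ == "__main__":
    recovered, counts = run_channel(b"hi")
    print("recovered:", recovered)
    print("per-slot work counts:", counts)
```

Running the block end to end moves two bytes across the "barrier" in under a second, and neither side ever touches the other's memory, files or network: everything the TCB mediates stays mediated. That is why such channels are hard to close rather than merely narrow; the standard countermeasures (fixed-quantum scheduling, coarsened or "fuzzy" clocks, partitioned caches) lower the bit rate but leave some residual bandwidth, which is what the commenter is pointing at.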

  8. Maybe I am confused but... by Dios · · Score: 5
    So I guess the goal would be to hack into the 'host' system. That way you can copy the virtual machines data file (isn't it just one big nice file in vmware?) and have a complete copy of the virtual system... and all its data...

    Is this like a single point of failure thing?

  9. Linux World by Cire · · Score: 3

    I saw at the VMware booth at linux world expo yesterday a demonstration of a product called VMware GSX, which is not out yet, but is going to be their "enterprise level" product. Rather than running a virtual OS on top of a real OS, it runs multiple VMs straight on the hardware level.

    If the NSA thing is using this it would cut out a whole layer of security that they have to deal with.

  10. What? by roman_mir · · Score: 4

    "Last year, the company also released a version of its software that runs on Windows NT and 2000, enabling users to run Linux (or any other operating system) in a virtual machine on top of Windows. "
    I can imagine a blue screen of death that would still have a VMWare window with Linux that is still running in it...

  11. Depends what you talk to by GlobalEcho · · Score: 4

    It's probably possible, at the very least in theory, to separate two virtual machines more or less completely. You can simulate the BIOS, the hardware clock, the PRAM, the ethernet card PRAM, and all those other sneaky places that most people don't think about as writable areas of their PC.

    Peripherals are a different matter. They had better be sure that only the insecure side is capable of sync'ing to the Palm Pilot!

    -- Brian