Secure Services on Virtual Machines?
Matt2000 asks: "With the growing number of package updates that cross my inbox for my Red Hat systems, and with the vast majority being buffer overflows, or overflows of some kind, doesn't it strike anyone that there must be a better way? Instead of spending time auditing every piece of software for mechanically preventable bugs, why isn't there a common, audited virtual machine that people can build net-facing services on? I would guess that sshd, httpd, and sendmail would be good candidates to start, as they are the most common and the most exploited. And please don't freak out, performance junkies: if you run a website that serves 70,000 people a second and need to run native apache, then do so. Just accept that it will be less secure."
Isn't Trusted Solaris basically just this? At an OS level, you associate trust levels that permeate throughout your network. Two (or more) people can work on the same box at the same time and view completely different boxes because of their trust level. One trust level can't talk to or look at another's processes without the proper authorization. Like Unix file privs only much, much more controllable.
Actually, trusted computing is a pain in the ass for standard development... we always wound up creating a super-user program that can run anything to get around priv issues during development. I can see using a system such as this post-beta development or for production, but developing under it is a bitch.
--trb
Kirby
True, chroot environments keep you from playing with other files outside the jailed environment, but they do nothing to address (for example) your ability to install and run a network sniffer on the target.
Well... that's true, if you're running a chroot jail with, say, apache running as root. But if you don't have any suid binaries in the jail (apache is running as "httpd" or whatever) and your kernel is secure, it should keep you from putting a sniffer on the thing.
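An added example, not from the thread: a POSIX shell audit of the two conditions this reply relies on, that no setuid/setgid binaries exist inside the jail and that the service has no process running as root. The jail path and service name are assumed command-line arguments.

```shell
#!/bin/sh
# Audit a chroot jail for the two properties discussed above.
# Usage: ./jail_audit.sh /srv/jail httpd   (paths/names are assumptions)

# Print every setuid or setgid regular file under the jail directory.
# -xdev keeps find from wandering into bind-mounted host filesystems.
jail_suid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Succeed (exit 0) only when the jail contains no suid/sgid files.
jail_is_clean() {
    [ -z "$(jail_suid_files "$1")" ]
}

# Read "user command" lines on stdin, the shape of `ps -eo user=,comm=`,
# and succeed if any process with the given command name runs as root.
service_runs_as_root() {
    awk -v name="$1" '$2 == name && $1 == "root" { found = 1 }
                      END { exit !found }'
}

# Full report; returns non-zero if either check fails.
audit_jail() {
    jail="$1"; svc="$2"; rc=0
    if jail_is_clean "$jail"; then
        echo "OK: no setuid/setgid files under $jail"
    else
        echo "WARN: setuid/setgid files found under $jail:"
        jail_suid_files "$jail"
        rc=1
    fi
    if ps -eo user=,comm= | service_runs_as_root "$svc"; then
        echo "WARN: $svc has at least one process running as root"
        rc=1
    else
        echo "OK: no $svc process runs as root"
    fi
    return "$rc"
}

# Run the audit only when both arguments were supplied.
if [ "$#" -eq 2 ]; then
    audit_jail "$1" "$2"
fi
```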
VMWare allows you to assign a number of different types of network interfaces to each VM, and using NAT you can prevent the VM's NIC from seeing traffic to/from any other host.
Hmm. I'm not saying VMWare doesn't work, but I've seen the VMWare site more and more lean toward trying to sell VMWare as a corporate solution to security. VMWare was always kind of a solution without a problem, and I have a sort of nasty feeling that VMWare (and VMs) are going to be the new stupidly-oversold-to-corporate-IT-people product, like firewalls were before them.
May we never see th