Slashdot Mirror

← Back to Stories (view on slashdot.org)

Virtualization Decreases Security

Posted by kdawson on from the more-chances-to-blow-it dept.

ParaFan writes "In a fascinating story on KernelTrap, Theo de Raadt asserts that while virtualization can increase hardware utilization, it does not in any way improve security. In fact, he contends the exact opposite is true: 'You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.' de Raadt argues that the lack of support for process isolation on x86 hardware combined with numerous bugs in the architecture are a formula for virtualization decreasing overall security, not increasing it."

3 of 340 comments (clear)

  1. Re:History teaches once again... by alan_dershowitz · · Score: 5, Informative

    You're missing the point. Your virtualization product is an application, which weakens the security of the OS running under it. So now you can have attacks from both sides. As Theo says, now an OS crash (inside the VM) can become an attack on the host system, and application attacks on the VM can become an attack on the OS running in the VM.

    His position has many facets. As I understand it:

    * programmers make buggy code, and now programmers are programming virtual hardware
    * the hardware they are emulating (PC architecture) is a nightmare, they have to do crazy, unsafe crap to implement it.
    * application flaws in the VM can compromise the guest OS.
    * OS flaws in the guest OS can potentially compromise the host OS.
    * virtualizing hardware is inherently less secure than the physical segmentation of using actual, separate machines, so when you consolidate many machines onto a VM system you have a net loss in security.

  2. Re:Perhaps a Different Train of Thought by Colin+Smith · · Score: 4, Informative

    This doesn't just go for Theo. Many geeks have a superiority complex that causes them to be acerbic, arrogant, and dismissive in technical discussions. Actually caused by strong feelings of insecurity. The secure don't need to attack to try to constantly prove their superiority.

    --
    Deleted
  3. Re:Uh oh by CrazedWalrus · · Score: 4, Informative

    The fact is that very little hardening is typically done on the inside of the organization. A lot of organizations have the hard crunchy outside with a soft chewey center. (Don't remember who I heard make that analogy, but it's apt.) Most IT departments seem to have hardened servers at the border, but the inside is run-of-the-mill software and hardware. What this means is that maybe virtualization isn't great for the border proxies and firewalls, but it probably fits right into the controlled chaos on the inside, where nothing is especially secure anyway.