Slashdot Mirror

← Back to Stories (view on slashdot.org)

Godfather of Xen On Why Virtualization Means Everything

Posted by samzenpus on from the more-real-than-real dept.

coondoggie writes "While conventional wisdom says virtualized environments and public clouds create massive security headaches, the godfather of Xen, Simon Crosb, says virtualization actually holds a key to better security. Isolation — the ability to restrict what computing goes on in a given context — is a fundamental characteristic of virtualization that can be exploited to improve trustworthiness of processes on a physical system even if other processes have been compromised, he says."

32 of 150 comments (clear)

  1. OS design fail by Animats · · Score: 5, Insightful

    If OSs hadn't failed so bad on isolation, we wouldn't need so much virtualization. "Virtual machine monitors" are just operating systems with a rather simple application API. Microkernels, if you will.

    1. Re:OS design fail by bolthole · · Score: 4, Interesting

      True.

      Plus the minute you start sharing things within a virtual machine
      (ie: apache, cgi-type middleware, database all on the same machine), you've just lost all "extra" security from virtualization. You may keep the top level OS "protected", but who cares, you've lost private data from your database, through a hole in apache(or whatever). OOoops....

      The problem of security is slightly improved, if you run each thing on separate virtual machines on the same hardware. You should in theory get relatively fast interconnects. If you VM is any good, that is. But you're still losing efficiency, unless you're doing "zones" or something like that.
      And it's 3x the headache to manage 3 separate instances of OSs, for what is in effect just one top level system anyway.

    2. Re:OS design fail by White+Flame · · Score: 3, Insightful

      OSes haven't failed as a whole. The current desktop/server ones just haven't caught up to and rediscovered the proper design principles of the old mainframes.

    3. Re:OS design fail by betterunixthanunix · · Score: 3, Informative

      Funny how virtualization was started on mainframes...

      --
      Palm trees and 8
    4. Re:OS design fail by jd · · Score: 3, Informative

      You're correct. A security kernel that is provably (and proven) correct is hard to design, but has been doable for a long time. Any "Trusted" (as opposed to "Trustable" - which means "you can't actually trust it at all") OS is built around a verifiable level of isolation. (For example, if prior to the Common Criteria, you'd wanted Linux to be an A1-class OS, you could have done it even though Linux wasn't specified out from the start. A1 was perfectly achievable if the security kernel alone was specified from the start and the rest of the OS was merely audited to prove everything went through it.)

      Even that is unnecessary, though. GRSecurity went belly-up because there were not enough developers interested in it and no funding for it at all. Problems any of the commercial distros could have fixed in a heartbeat and any of the major vendors (IBM, you listening?) SHOULD have fixed in a heartbeat. That wasn't perfect isolation but it was vastly superior to what we currently have which is too limited in scope and too limited in usage.

      Remember, though, this last bit only applies to Linux. Some of the BSDs have MAC of some sort, but not all, though all of them could have it tomorrow if they wanted.

      Windows - the only relationship it has with MAC is the British image of a dirty old man in a raincoat. But even there, where was the necessity? It has a built-in hardware abstraction layer and a few other key areas that could, quite easily, have all linked up with a proper security kernel. Instead, we've got BS and I don't mean it earned a degree.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    5. Re:OS design fail by Grishnakh · · Score: 2

      I can understand virtualization being used to consolidate multiple servers onto larger servers

      Except that, in theory, you should never need to do this: if you have a bunch of servers running various processes, and want to consolidate them onto a single, larger server, you should be able to run all those processes at once on the big server. You shouldn't need to run separate OS instances for each one. The whole reason the timesharing multiuser system was invented was so that one computer could be used by lots of different people for different things all at the same time, without any of them affecting each other (except for resource constraints--the disk and CPU are shared).

      The fact that we're turning to virtualization means that OSes have failed in their mission.

    6. Re:OS design fail by causality · · Score: 2

      But to use for security? That's as lame as installing anti-virus software because you know your OS can't handle security.

      I've said for some time that anti-virus is not security. It is damage control, at best. The way it is currently marketed and commonly used, it really is a terrible substitute for the inability of an OS to maintain security. As damage control it isn't even very useful because the only correct response to a successful intrusion is to reformat and reinstall from (read-only) media that is reasonably known to be good. It is only in the Windows world of ignorant users and routine infections that anyone desires to doubt this, and even then only as an excuse to avoid many more reinstalls than already occur (which includes licensing/activation hassles and then the joy of separately reinstalling each application with no central package manager). Yet the truth is, it is a general principle and Windows is not a special exception.

      The real question is, when will the general public wake up to this fact? Given enough time I consider it inevitable. So, it's just a matter of when. I wonder how McAfee and Norton and others will respond then?

      --
      It is a miracle that curiosity survives formal education. - Einstein
    7. Re:OS design fail by Anonymous Coward · · Score: 2, Insightful

      The higher security certifications start to have WEIRD consequences for a general purpose system, we went over these a bit in computer science.

                For instance, under the (apparently now obsolete) orange book ratings, C2 is pretty normal, NT4 (not on a network) was certified to this level, and a certified version of HP-UX, Irix, VMS, etc. were sold back in the day at level C1.

                To get a B1 rating? Well, for one example, "covert communications" channels are banned -- so, no pipes, no sysv shared memory .. but ALSO no conventional UNIX signals, a B1 OS cannot even tell you a load average, CPU usage, or other types of info "top" shows, because a process could modulate it's CPU usage or renice/unrenice itself to pass information covertly.

    8. Re:OS design fail by chentiangemalc · · Score: 2

      But this just replaces the same issue - now I just hack the hypervisor or host of the virtual machines and I can gain control of all machines...

    9. Re:OS design fail by NeoMorphy · · Score: 2

      It's not the OS that failed, it's the applications. Different applications want the system settings changed to what they think is best, and you can't make them all happy. Granted, it should be possible, but today's application developers can be total idiots who have an egocentric view of the OS. I have Oracle support telling us we should increase the maxuproc to 16384, when it's obvious that the system will die long before that many oracle processes are running, which is defeating the purpose of maxuproc. "It's good practice", no it's not you checklist jockey. Networking settings are hard to set globally for everyone. You would think that any decent application would use setsockopt, but not too many do.

      Another problem is applying patches. If you have too many applications running in the same virtual machine, forget about finding a common window to apply them. A lot of vendors aren't that quick about supporting the OS at the latest patch level, you can even have multiple applications that can't run on the same version of Linux or AIX because one requires the latest version and another hasn't been certified on the latest so they still only support a much older version.

    10. Re:OS design fail by Bengie · · Score: 2

      It's not just about isolation, it's also about fail-over, live-migration, etc for any program without requiring the programs to understand.

      Some of the biggest things virtualization can give is live-migrations and fail-over with no configuration.

    11. Re:OS design fail by jd · · Score: 2

      In theory, there are exceptions. In practice, you're so close to 100% right that I'd need extended floats to find the exceptions.

      By the time you get into the Bs and As, which is where MAC gets involved, MAC is considered to encompass ALL communications, ALL memory management as well as ALL program access, except where otherwise noted. (Orange Book doesn't cover all the uses of MAC, so the Orange Book definitions alone aren't enough.)

      Thus, it is possible to have SYSV shared memory in B1, but all processes sharing memory have to have MAC labels such that you can't violate MAC through shared memory AND the memory being shared has itself to be in a region of memory that is authorized for access by that MAC label. In fact, you're supposed to have to security label even TCP/IP packets and not permit access control violations via regular networking. (This is in part why the anonymous coward's reference to MIC doesn't cover Orange Book-rated MAC.) Because nobody in their right minds implements Unix pipes or SYSV SHM with security labeling, only those in their left minds have non-covert forms of these. The rest of the population, as you correctly say, can't use top, kill, or almost anything else that forms the lifeblood of Unix use.

      Because Orange Book MAC is bi-directional (unlike MIC, which is uni-directional), you cannot access material that is on either side of the MAC classification. This is good, in some respects. You can't transfer a virus from an unknown source to a destination that has a different MAC classification, for example. The net result is that anyone going for B-rated OS' under Orange Book is likely to go with the weaker-end of the spectrum. The higher-end is simply too restrictive or, because there's a hell of a lot of overhead involved in de-coverting all the Unix communications channels, too expensive on the CPU and on the wallet.

      In consequence, even though solutions to the covert communications channel problem are permitted by the Rainbow series, almost nobody uses them.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    12. Re:OS design fail by drsmithy · · Score: 2

      Right, but again this is an OS failure. It shouldn't (in theory) matter what version of an OS you have, as long as it's not too old; there should be no such thing as a "legacy app" that only runs on a legacy OS, it should be possible to run the old app on a new OS version without any issues whatsoever. The fact that this isn't the case shows that there's a giant failure in OSes.

      If someone writes their application to use deprecated (or, worse, undocumented) APIs and features, then its failure to run in more recent versions where said APIs and features no longer exist, or no longer have the same quirks, is not a failure of the OS.

      The use of hardcoded paths is another major screwup applications developers seem to love making.

    13. Re:OS design fail by JamesTRexx · · Score: 2

      Try Sandboxie.
      I've had good success with running apps and games in a sandbox with it. The only thing it lacks (although it's better security wise) is being able to pipe files between the boxes so you'll have to install programs multiple times if it's needed in more than one box (think PDF reader, zip stuff, etc.).

      --
      home
    14. Re:OS design fail by TheRaven64 · · Score: 4, Interesting

      The difference is, mainframes did it properly. The first system to support virtualisation was VM/360. It didn't just support virtualisation, it supported recursive virtualisation. This meant that any VM could contain other VMs, so you could use the same abstraction for isolation at any level. Operating systems provide a very limited form of virtualisation: processes. A userspace process is basically a VM for a paravirtualised architecture. Any time it wants to talk to the hardware, it has to go via the kernel. The problem is, it stops there. A process can't contain other processes which can only contact the kernel via the parent process, so programs end up adding their own ad-hoc isolation mechanisms. Things like the JVM, web browsers, even office apps all need to run untrusted code but have to isolate it without any help from the hardware. Fortunately, modern systems are providing things like capsicum, sandbox, and systrace, so it is now possible to create a child process with very restricted privileges.

      --
      I am TheRaven on Soylent News
    15. Re:OS design fail by causality · · Score: 2

      Try Sandboxie. I've had good success with running apps and games in a sandbox with it. The only thing it lacks (although it's better security wise) is being able to pipe files between the boxes so you'll have to install programs multiple times if it's needed in more than one box (think PDF reader, zip stuff, etc.).

      Thanks for the link. You can probably tell I don't use Windows myself and haven't for some time now (back in the day I used to dual-boot with Win98 until months went by without ever using the Windows system, so I reformatted it ext2 because ext3 didn't exist at the time). So, I'm not terribly informed about specific software available for that platform.

      Still, am I the only one who thinks it's terrible, borderline irresponsible that Windows doesn't come with something like this out of the box? Configured to work with major browsers and other widely-used programs? I mean compared to writing the OS, how much more effort would that have taken on the part of Microsoft? In this age of widespread malware? It's a shame that Microsoft Security Essentials doesn't provide something like this that can recognize common programs and correctly sandbox them. At least for software that is also written by Microsoft like Office.

      --
      It is a miracle that curiosity survives formal education. - Einstein
  2. I doubt it... by Yaa+101 · · Score: 2

    "While conventional wisdom says virtualized environments and public clouds create massive security headaches, the godfather of Xen, Simon Crosb, says virtualization actually holds a key to better security. Isolation — the ability to restrict what computing goes on in a given context — is a fundamental characteristic of virtualization that can be exploited to improve trustworthiness of processes on a physical system even if other processes have been compromised, he says"

    Given the track record of the companies in IT, I really doubt his words.
    It will probably become mass breaches of security made easy.

  3. Hmm... by fuzzyfuzzyfungus · · Score: 2

    Is the "Godfather of Xen" the guy I need to talk to if I need the Buddha 'removed from this cycle of suffering and reincarnation', so to speak?

    1. Re:Hmm... by BitZtream · · Score: 2

      You do know the difference between Xen and Zen ... right?

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  4. Re:what. by bws111 · · Score: 2

    Zero? Based on what? IBM has EAL5 on their mainframe LPARs, which would seem to be more than zero trustworthiness.

  5. ad infinitum by More+Trouble · · Score: 3, Insightful

    And if the current level of virtualization isn't secure enough, adding another virtual layer will certainly improve security even more.

  6. Partioning and utilization by _LORAX_ · · Score: 2

    To me the biggest security win with VM's is the ability to properly size a system for what it is actually doing. No more adding "just one more" service to a box because it's got more horsepower than it needs. By doing more logical partitioning of the software you limit the commingling of data, administration, and crash risk between different services.

  7. Plenty does by Sycraft-fu · · Score: 2

    Reason is that money isn't a concern there, reliability is. So you can throw tons of technology at making something work well. There's plenty of stuff that mainframes do that we'd love to see on normal computers. The problem is being able to implement it at an acceptable level of performance and at an acceptable cost.

  8. I know why without reading anything! by BitZtream · · Score: 2

    Godfather of Xen On Why Virtualization Means Everything

    Well, HE thinks it means everything because without it meaning everything he is irrelevant.

    He also seems to think his OS is different than every other OS that came before it.

    Virtualization is just another layer of software to exploit, the real problem is that it allows idiots who may have separated services onto physically separate devices due to incompatibilities with various bits of installed software on the machines, now they are once again back on the same hardware with shared memory ...

    Virtual machines are useful for utilizing under utilized hardware for doing trivial things you wouldn't want to waste full hardware for and that are unimportant. ISPs are a great place for virtualization as they let the ISP 'sell a machine' with a lot less effort than would traditionally be required. Using the current 'virtualization' tech for security purposes just shows your ignorant.

    Adding more software and bugs does not add security, especially since you're just doing the exact same thing the original OS was supposed to do. So your argument becomes 'I'm better at it than you', and when ever that happens I run the other direction as fast as possible. If you have to tell me you're important, you aren't.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    1. Re:I know why without reading anything! by Bengie · · Score: 2

      "Virtualization is just another layer of software to exploit, the real problem is that it allows idiots who may have separated services onto physically separate devices due to incompatibilities with various bits of installed software on the machines, now they are once again back on the same hardware with shared memory ..."

      There are many real world scenarios that are currently only supported by virtulization. If all these people think virtulization is such a crutch, then they can solve the problem. Currently they have no answers and they only QQ

    2. Re:I know why without reading anything! by gweihir · · Score: 2

      I completely agree. And from what I have seen so far, the available virtualization systems are all actually less reliable than the same OS run on bare hardware (at least if the OS is Linux ;-). That would also imply they are less secure. For that reason, I don't think you can regard virtualization that runs as root as much of a security/isolation gain. It may even represent a net loss, except that the attackers have to invest a bit more into research. But they may gain portable attacks as a benefit.

      The two I know that are different are QEMU (runs as user and should be really, really hard to break out of, slow though as it is full software emulation) and UML (basically a kernel that runs as a user-process). Both do not run as root and UML even has decent speed. I use both for isolation purposes.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:I know why without reading anything! by TheRaven64 · · Score: 2

      On my laptop, Xen is a bit over 650KB, but the initrd image for my kernel is about 11MB.

      Two things here. First, the initrd image is a RAM disk containing a recovery filesystem. If you want to compare it to Xen, you need to compare it to the Xen admin tools as well as the kernel - and they are written in Python so come with 5MB of Python dependencies before you even get them to start. Secondly, 90% of the size of any modern kernel is device drivers. Xen does not contain any device drivers - it delegates all of that to the domain 0 guest (or to multiple driver domains).

      I'm actually quite surprised that Xen is 650KB. That seems a lot bigger than it should be for what it actually does: schedule VMs to run on the physical CPUs and allocate pages of physical memory to them.

      Often, you'd get root on a server because one of the service that is running has flows. Not because of a kernel root exploits. In this case, having things isolated means you'd get root only on a server running a single service

      This makes no sense. If you compromise, say, Apache, then you can control Apache, but nothing else. Apache runs in a chroot, so you can't even see the rest of the filesystem. You only get root if there is also a local privilege escalation vulnerability in the kernel, or if the user was stupid enough to run Apache as root (and if they're going to misconfigure services in an OS, what makes you think they won't misconfigure VMs?).

      --
      I am TheRaven on Soylent News
  9. Re:overkill...but necessary by bigstrat2003 · · Score: 2

    It's software his customers use, so it's not his decision. If he refuses to support it, his customers will indeed vote with their wallets, but it won't be Microsoft that loses in that bargain.

    --
    "16MB (fuck off, MiB fascists)" - The Mighty Buzzard
  10. Creator of X says that x is the best thing by tokul · · Score: 2

    In other conferences Microsoft says that Windows Advanced server is the best tool for the job, drug dealers show benefits of increased cocain use and Hitler says that final solution to the Jewish question improves German ecosystem.

    Virtualization also leads to resource overbooking. If I run on two physical X5355 Xeons, I know that I have two physical X5355s at my disposal. If I run on two virtual X5355, I can't tell if provider does not use same X5355s for other clients.

  11. Re:overkill...but necessary by wmbetts · · Score: 2

    /s denotes sarcasm.

    --
    "Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware
  12. Re:overkill...but necessary by bigstrat2003 · · Score: 2

    Fair enough. Sorry, didn't know.

    --
    "16MB (fuck off, MiB fascists)" - The Mighty Buzzard
  13. Recursive virtualization is now a Linux Feature by nutznboltz · · Score: 2

    Nested VMX (in Linux (kernel) Documentation)

    https://github.com/torvalds/linux/blob/master/Documentation/virtual/kvm/nested-vmx.txt