Challenges of Virtual Machine Security are Multiplying

 

Virtualization is a boon for data centers and other scenarios in which concentrated computer resources are necessary.

Significant questions about the security of the technology persist, however. Indeed, it seems that the questions are proliferating. At Black Hat DC last week, a researcher demonstrated how to hack into VMware and Xen products during the movement of the virtual machine from one physical machine to another.

Dark Reading reports that the University of Michigan's Jon Oberheide introduced Xensploit, a tool that can take over the virtual machine's hypervisor and applications and, ultimately, gain access to data. Oberheide said that the data is moved in the clear, which can leave the process open for the type of man-in-the-middle attacks generally associated with public Wi-Fi schemes.

In still another piece of bad news for VMware, ZDNet reports that Core Security Technologies has released proof-of-concept software that demonstrates the ability of a hacker to create or modify executable files on the host operating system. The story goes into good detail on the exploit, the damage it can do and how it came to light.

Apparently, the issue of security and virtualization is coming to a head. On one hand, the story says, VMware is nearing an announcement on a security initiative with other companies. On the other, Core is pushing the issue by timing release of the news of the exploit during the VMworld event in Cannes. The hope was to pressure the company into taking action. Core, according to the story, says that VMware had known about the flaw for four months.

Security is only a small part of a recent Tech Republic piece, which relates 10 important facts about virtualization. The overall piece is a worthwhile read, however. Especially important is the first item, which makes the important point that virtualization actually covers five operations: desktop virtualization; virtual testing environments; presentation virtualization; application virtualization and storage virtualization.

The security element of the piece actually offers a rare positive spin. The writer says that isolating servers on discreet virtual machines can be more secure than running several servers on the same operating system. She also points to the ability to isolate applications in "sandboxes." In an item related to security, the writer says that disaster recovery can be done much more quickly in a virtual environment than one in which the operating system, application and data all must be reinstalled.

Recently, a paper written and presented by a Google researcher at CanSec West was summarized in this Smart Security blog posting, since its level of complexity is great. The blogger sums up the security status of virtualization smartly enough that it is worth quoting:

Virtual machines are sometimes thought of as impenetrable barriers between the guest and host, but in reality they're (usually) just another layer of software between you and the attacker. As with any complex application, it would be naive to think such a large codebase could be written without some serious bugs creeping in.

The paper, the blogger says, mostly identifies flaws such as buffer overflows. At this point, even the blogger's explanation became a bit obtuse. It is clear, however, that the paper backs up the growing belief that virtualization is vulnerable.

A recent Data Storage Today piece takes a high-level look at virtulized security. Specifically, it looks at four major concerns that have been expressed about the platform. Potential users are concerned about "virtual machine escapes," which are the movement of an attack from a hypervisor to the virtual machines resident on the same physical host. The second worry is that virtual machines increase patching burdens. The third concern is the challenge of whether or not to run virtual machines in the DMZ. Finally, the fact that hypervisors are new and untested is thought likely to attract hackers.

Despite the hype surrounding virtualization, some security managers are holding off on the technology because of lingering security issues. This article addresses the top four security concerns surrounding virtual environments. Managers are largely concerned that virtual machine escapees could propogate security problems, virtual machines increase patching problems, about the challenge of running virtual machines in the DMZ and that the newness of the technology could invite hackers. Read the full article at: http://www.data-storage-today.com/?full_skip=1&/story.xhtml?story_id=122009V81MIG


Article Source: http://EzineArticles.com/?expert=Carl_Weinschenk

 

 

 

Information

• A Virtual HR Department Needs Virtual Communications
• Challenges of Virtual Machine Security are Multiplying
• Factory Floor Management Going Virtual
• How to Restrict USB Flash Drive to Virtual Machine
• How To Stop Windows Viruses From Infecting Mac Files in VmWare Fusion
• Installing Linux on Virtual Machines
• Java Virtual Machine
• Linux Training For the New Linux User - Download Tips For Linux Virtual Machines - System Admin
• Linux Training for the New Linux User - Linux Virtual Machine Tips & How to Use Linux in Windows
• Linux Training for the New Linux User - Using Linux Virtual Machines to Run Linux in Windows!
• Many Advantages of a Virtual Private Server
• Stop Trashing Your Computer, Use A Virtual Computer
• There Is a Computer Virtual Machine in Your Personal and Professional Lives - Part 1
• There Is a Computer Virtual Machine in Your Personal and Professional Lives - Part 2
• Train Your Mind Into a Virtual Visual Memory Machine
• Virtual Fax Services
• Virtual Office Phone Answering
• Virtual PC - Slicker Than Oil
• Virtual Server Web Hosting
• VMware & the Benefits of VMware Training Courses
• Web Hosting - Virtual Private Servers (VPS) Explained
• What is Java Virtual Machine and Does it Work?
• Why a Virtual Desktop? I Want My Apps!
• Will Your Virtual Infrastructure Pass Its Health Check?
• WoW Auctioneer - A Virtual Gold Machine