In Depth

Virtual Machines: A Power Tool for Security

Virtual machines have a lot to offer CISOs and security researchers alike. (And, unfortunately, hackers too.)

By Simson Garfinkel

January 01, 2007 | CSO

Virtualization is the hot new trend in corporate data centers today. Virtualization servers from Microsoft, VMware and XenSource allow many virtual computers to run on a single (real) computer system. In practice, this means that 20 or 30 physical servers in a machine room can be turned into the same number of virtual machines running on a single physical system with two, four or eight processors.

Turning 30 computers into one can dramatically reduce the need for power, cooling, cabling and management. And even though the typical virtualization server consumes between 5 percent and 10 percent of the physical computer's processing capacity, virtualization frequently makes an organization's applications run faster, not slower. That's because the physical servers being replaced are quite often underutilized single-CPU machines running on hardware that is a few years out of date. By contrast, a new multiprocessor system can give each virtual machine a boost of CPU power at the precise instant it is needed, and give that same boost to the other machines when they are the ones that need it most.

But besides saving money, virtualization is also becoming one of the power tools in the arsenal of today's security practitioners.

Crash, Burn, Repeat

For example, just a few years ago most security consultants had one or more "crash-and-burn" machines for experimenting with potentially hostile programs like spyware, Trojans and computer viruses. These days most of this dissection and examination work has moved to the world of virtual machines. Besides the obvious savings in desk space and power, it's easier to figure out what a piece of spyware has done to a virtual machine than to a physical machine, because the guest's disk is just a file on the host and many of the host operating system's own tools can be used in the analysis.

Using a virtual crash-and-burn machine can also be a lot faster than using a physical machine. One of the positively mind-numbing tasks with my old crash-and-burns was the need to install operating systems onto the hard drives, make "images" of these hard drives, restore the images after the spyware had done something nasty and so on. I had one 9GB drive configured with a copy of Windows 2000, another configured with Linux, and a lot of 9GB drives holding versions of these systems in various states of damage and attack. When I was done experimenting with a new nasty, I would take my reference hard drive and copy it block-for-block back over the work drive. This assured me that I had a nice clean install of the victim operating system ready for another experiment. But I had to boot from a CD-ROM and then wait 20 to 30 minutes for the blocks to copy.
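The routine in the two paragraphs above (using the host's own tools to see what a sample changed, then restoring the work drive block-for-block from a reference drive) as an added example, not code from the article: a POSIX shell script that uses two files in a temporary directory as stand-ins for the 9GB reference and work drives (constructed data; on real hardware the paths would be device nodes such as /dev/sdb and /dev/sdc, which are assumed names here). It assumes GNU coreutils for dd, sha256sum and cmp, and adds the check the routine needs in order to be trustworthy: a digest of the reference recorded once, against which every restore is verified, so that a reference drive that has itself been touched is caught rather than silently copied over the work drive.

```shell
#!/bin/sh
# Added example, not from the article. Two ordinary files stand in for the
# physical reference and work drives (constructed data); on real hardware
# REF and WORK would be device nodes such as /dev/sdb and /dev/sdc
# (assumed names). Requires GNU coreutils: dd, sha256sum, cmp.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
REF="$WORKDIR/reference.img"        # pristine install, never used for experiments
WORK="$WORKDIR/work.img"            # the crash-and-burn target
DIGEST="$WORKDIR/reference.sha256"  # fingerprint of REF, recorded once
BS=4096                             # dd block size
BLOCKS=256                          # 1 MiB here; a 9GB drive is the same steps

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Build the "reference drive": zero-filled blocks with a marker at block 0,
# standing in for a freshly installed OS. Record its digest once, so later
# checks compare the work drive against a fingerprint rather than against a
# drive that may itself have been modified since the clean install.
make_reference() {
    dd if=/dev/zero of="$REF" bs="$BS" count="$BLOCKS" 2>/dev/null
    printf 'CLEAN-INSTALL' | dd of="$REF" bs=1 conv=notrunc 2>/dev/null
    sha256_of "$REF" > "$DIGEST"
}

# Block-for-block copy of the reference drive onto the work drive.
restore_work_drive() {
    dd if="$REF" of="$WORK" bs="$BS" 2>/dev/null
}

# The check that makes the restore trustworthy: the work drive must match
# the digest recorded at install time. Exit status 0 means clean.
verify_work_drive() {
    [ "$(sha256_of "$WORK")" = "$(cat "$DIGEST")" ]
}

# Stand-in for "the spyware did something nasty": overwrite five bytes
# somewhere in the middle of the work drive.
dirty_work_drive() {
    printf 'PWNED' | dd of="$WORK" bs=1 seek=$((BS * 17)) conv=notrunc 2>/dev/null
}

# Host-side look at what the sample touched: number of bytes that differ
# between the work drive and the reference (cmp -l lists each one).
changed_bytes() {
    cmp -l "$REF" "$WORK" 2>/dev/null | wc -l | tr -d ' '
}

make_reference
restore_work_drive
if verify_work_drive; then echo "fresh restore: clean"; fi
dirty_work_drive
echo "after the sample ran: $(changed_bytes) byte(s) differ from reference"
if ! verify_work_drive; then echo "work drive is tainted, restoring"; fi
restore_work_drive
if verify_work_drive; then echo "restore verified against the stored digest"; fi
```

Recording the digest at install time is the step that matters: a restore that merely copies one drive over another proves only that the two drives now match, not that either of them is still clean. With real drives the script must run as root and the paths swapped for device nodes.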
