In Depth
Virtual Machines: A Power Tool for Security
Virtual machines have a lot to offer CISOs and security researchers alike. (And, unfortunately, hackers too.)
By Simson Garfinkel
A number of academic researchers are trying to leverage this concept into an easy-to-use desktop interface that would partition the typical home computer into different virtual machines for the different kinds of "roles" that home users typically play. For example, I might have one virtual machine for word processing; a second for doing home banking and other high-value, high-risk activities; a third for browsing the Web and playing games; and a fourth for high-risk activities like running programs that people send me by e-mail.
Although many researchers seem enamored with the idea of using virtualization to solve the spyware problem, I suspect that such a system wouldn't provide nearly as much security as its proponents imagine. The problem is that home users will surely want a way to move information between these different virtual desktops—and as soon as there is a way to move information, attackers might be able to exploit it. For example, an attacker might send the user an e-mail message claiming to be from his bank, which contains an allegedly "mandatory update to your secure home banking virtual machine." Although it is possible to build a virtual machine that allows no communication with other desktop VMs as a matter of policy, it's unlikely that consumers will want to use a system that doesn't allow cut-and-paste between the different desktops.
Going to the Dark Side
Clever security mavens will realize that there's a dark side to all of this virtualization as well. Because the cookies and browser cache files are stored in the virtual machine along with everything else, a bad guy who browses the Web inside VMware's Browser Appliance won't leave any of those telltale forensic trails on his PC. This can make it much harder to prove that someone has been using a computer for illicit purposes such as downloading child pornography. At a recent forensics conference I heard that some sophisticated attackers are doing this today so that they won't leave traces when they break into other machines. Contrary to what's frequently said in the media, virtual machines give us a way to browse the Web, download information and then completely clean a machine so that no trace is left behind.
Virtualization technology can also be used by attackers to hide the existence of viruses, Trojan horses and other kinds of malware, although currently such attacks are strictly in the proof-of-concept phase. The theory here is that the malware becomes the virtualization server itself; the victim operating system then runs as the client. To date the only person who has been able to pull this off is Joanna Rutkowska, a researcher at Coseinc, a Singapore-based IT security consultancy. Rutkowska's creation, called "Blue Pill," was the subject of much media hype last summer when it was first announced. The system is based on AMD's SVM/Pacifica virtualization technology and reportedly can fool even Windows Vista x64. You'll get a more realistic understanding of what the technology can and cannot do by paging through Rutkowska's Black Hat PowerPoint presentation, which you can download from her blog at www.invisiblethings.org.