Virtual Machines: A Power Tool for Security

Virtualization is the hot new trend in corporate data centers today. Virtualization servers from Microsoft, VMware and XenSource allow many virtual computers to run on a single (real) computer system. In practice, this means that 20 or 30 physical servers in a machine room can be turned into the same number of virtual machines running on a single physical system with two, four or eight processors.

Turning 30 computers into one can dramatically reduce the need for power, cooling, cabling and management. And even though the typical virtualization server saps between 5 percent and 10 percent of the physical computer’s processing capabilities, virtualization frequently makes an organization’s applications run faster, not slower. That’s because the physical servers being replaced are quite often underutilized single-CPU machines running on hardware that’s a few years out of date. By contrast, new multiprocessor systems can give each virtualized machine a boost of CPU power at the precise instant when that CPU power is needed—and give that same boost to other machines when they’re the ones who need it most.

But besides being a powerful tool for saving money, virtualization is one of the up-and-coming power tools in the arsenal of today’s security practitioners.

Crash, Burn, Repeat

For example, just a few years ago most security consultants had one or more “crash-and-burn” machines for experimenting with potentially hostile programs like spyware, Trojans and computer viruses. These days most of this dissection and examination work has moved to the world of virtual machines. Besides the obvious savings in desk space and power, it’s easier to figure out what a piece of spyware has done to a virtual machine than a physical machine, because many of the tools of the virtualization server’s host operating system can be used in the analysis.

Using a virtual crash-and-burn machine can also be a lot faster than using a physical machine. One of the positively mind-numbing tasks with my old crash-and-burns was the need to install operating systems onto the hard drives, make “images” of these hard drives, restore the images after the spyware had done something nasty and so on. I had one 9GB drive configured with a copy of Windows 2000, another configured with Linux, and a lot of 9GB drives holding versions of these systems in various states of damage and attack. When I was done experimenting with a new nasty, I would take my reference hard drive and copy it block-for-block back over the work drive. This assured me that I had a nice clean install of the victim operating system ready for another experiment. But I had to boot from CD-ROM and then spend between 20 and 30 minutes to copy the blocks.

It’s faster to work with disk images of virtual computers because today’s virtualization servers are better at intelligently managing hard drives than physical servers ever could be. Instead of having a block-by-block copy of the logical drive, virtualization servers employ a variety of compression and remapping techniques so that the virtual disk contains only the disk sectors that the virtual computer actually needs. Some virtualization servers, like Microsoft Virtual PC, can even store virtual disks in two files: a “base” or reference file and a second file that just keeps track of the changes. With this kind of configuration, the second file contains a perfect record of the damage that the spyware has done. To restore the original computer, you just throw away that second file. What could be easier?

Throwaway virtual machines can be used for a lot more than testing spyware. Positively the safest way to browse the Web today is to download a copy of the VMware Player and the company’s “Browser Appliance” virtual machine. Start it up and within a few seconds you’ll have a virtual machine running Ubuntu Linux with a copy of Mozilla Firefox ready to surf. Firefox running on Linux is an extremely secure configuration for browsing the Web. And if some hacking group has managed to find an exploit that allows them to take over your virtual machine, what do you care? The worst that exploit will do is corrupt the virtual machine—there is no way for the hackers’ hostile programs to break out of the VMware Player and infect your desktop. Likewise, there is no way for a cross-site scripting attack to steal your home banking authentication cookies, and there’s no way for some zero-day exploit to search for your confidential documents.

Remote Possibilities

Organizations can also use the VMware Player as a tool for providing their employees with a consistent set of applications for their home computers or secure remote access. Instead of using a resource-intensive remote-access system like Citrix or Microsoft Terminal Services, you could create a VMware virtual machine that is preconfigured with a trusted operating system, all of your organization’s productivity software and a virtual private network client. Employees would run the virtual machine to access company software or network resources, storing their work either in separate virtual disks, in the host operating system or on network shares. Software updates could be distributed as whole-new VMs.

Increasingly, I’m also seeing VMs as a way to protect myself when I’m working on a sensitive network that belongs to a client. Instead of bringing up a VPN client on my home computer, I’ll create a VM and use that to connect to the client instead. Now I can be sure that no unrelated activity on my desktop will inadvertently make it into the client’s network. Likewise, I’m assured that any confidential information I download will be confined to that VM.

A number of academic researchers are trying to leverage this concept into an easy-to-use desktop interface that would partition the typical home computer into different virtual machines for the different kinds of “roles” that home users typically play. For example, I might have one virtual machine for word processing; a second for doing home banking and other high-value, high-risk activities; a third for browsing the Web and playing games; and a fourth for high-risk activities like running programs that people send me by e-mail.

Although many researchers seem enamored with the idea of using virtualization to solve the spyware problem, I suspect that such a system wouldn’t provide nearly as much security as its proponents imagine. The problem is that home users will surely want a way to move information between these different virtual desktops—and as soon as there is a way to move information, attackers might be able to exploit it. For example, an attacker might send the user an e-mail message claiming to be from his bank, which contains an allegedly “mandatory update to your secure home banking virtual machine.” Although it is possible to build a virtual machine that allows no communication with other desktop VMs as a matter of policy, it’s unlikely that consumers will want to use a system that doesn’t allow cut-and-paste between the different desktops.

Going to the Dark Side

Clever security mavens will realize that there’s a dark side to all of this virtualization as well. Because the cookies and browser cache files are stored in the virtual machine along with everything else, a bad guy who browses the Web inside VMware’s Browser Appliance won’t leave any of those telltale forensic trails on his PC. This can make it much harder to prove that someone has been using a computer for illicit purposes such as downloading child pornography. At a recent forensics conference I heard that some sophisticated attackers are doing this today so that they won’t leave traces when they break into other machines. Contrary to what’s frequently said in the media, virtual machines give us a way to browse the Web, download information and then completely clean a machine so that no trace is left behind.

Virtualization technology can also be used by attackers to hide the existence of viruses, Trojan horses and other kinds of malware, although currently such attacks are strictly in the proof-of-concept phase. The theory here is that the malware becomes the virtualization server itself; the victim operating system then runs as the client. To date the only person who has been able to pull this off is Joanna Rutkowska, a researcher at Coseinc, a Singapore-based IT security consultancy. Rutkowska’s creation, called “Blue Pill,” was the subject of much media hype last summer when it was first announced. The system is based on AMD’s SVM/Pacifica virtualization technology and reportedly can fool even Windows Vista x64. You’ll get a more realistic understanding of what the technology can and cannot do by paging through Rutkowska’s Black Hat PowerPoint presentation, which you can download from her blog at www.invisiblethings.org.

Virtualization is likely to be as big a step forward for computer security as protected-mode operating systems were back in the 1970s in academia and government (and in the 1990s, when business made the transition from DOS and Windows 95 to Windows NT). It won’t be a cure-all, but then again, nothing ever is. 

Simson Garfinkel, CISSP, is researching computer forensics and human thought at Harvard University. Send feedback to machineshop@cxo.com.