Archive for April, 2008

Perception vs. (Virtual) Reality: My Ping to Joanna’s Pong…

April 14th, 2008 5 comments

Joanna Rutkowska took the time to respond to my "open letter" that I wrote this weekend regarding her presentation at RSA.  I truly appreciate that.  It was a little barbed, but so was mine; all’s fair in love and blogging.

I chortled, however, when I realized that I was deserving of a response only for the following reasons:

1) reported the blog’s authority as above 100 which suggests it has a reasonable number of readers, and also

2) because I believe this is a good example of the social engineering techniques used by my opponents

I just about coughed my latte through my nose when I read that.

Just to be clear, Joanna, I’m not an "opponent" and despite your assertions, I don’t provide PR services for anyone.  I *do* however rather like the fact that you’ve anointed me with the madly-133t-skillz of a social engineer. 😉

Let me make it perfectly clear (because I don’t think I have) that I find your research incredibly interesting and your work compelling.  What I question is the relevancy across use cases and the way in which you choose to present it.  This is despite your bemoaning to the contrary: the way in which you surrender your words to the fates (i.e. the press) and seem powerless to ensure that what you said is printed accurately and in context.

Rather than continue the enthralling debate regarding the vagaries of municipal fire codes, let me get to the meat of the redress which is what I focused on in the first place: what you said and what you may have meant to say are two different things, Joanna.

To wit:

2. Type I vs. Type II hypervisors confusion.

Hoff then switches to the actual content of the presentation and writes this:
“When I spoke to you at the end of your presentation and made sure that I understood correctly that you were referring specifically to type-2 hosted virtualization on specific Intel and AMD chipsets, you conceded that this was the case.”

This simply is an incorrect statement! On the contrary, when describing the security implications of nested virtualization (which was the actual new thing I was presenting at the RSA), I explicitly gave an example of how this could be used to compromise type I hypervisors. Kindly refer to slides 85-90 of my presentation that can be downloaded here.

I said that the code we posted on indeed targets type II hypervisors and the only reason for that being that it has been built on top of our New Blue Pill code that was designed as a Windows kernel driver.

This is exactly why I and a couple of other folks came up to speak with you at the end of your talk.  It was not at all clear which case you were referring to.  I humbly accept the responsibility for a lack of cognition here.  When I sought that clarification, you specifically answered as I mention above, which confirmed my understanding.  To that end, the gentleman behind me responded "Yeah, that’s what I wanted to ask, too" and thanked you for the clarification.  Now you’re suggesting that what we heard was not what you said…

3. Shit not giving. Mr. Hoff goes even further:

“When I attempted to suggest that while really interesting and intriguing, your presentation was not only confusing to many people but also excluded somewhere north of 80% of how most adopters have deployed virtualization (type-1 "bare-metal" vs. type-2 hosted) as well as excluding the market-leading virtualization platform, your response (and I quote directly) was: I don’t give a shit, I’m a researcher.”

Now that was a hard blow! I understand that the usage of such a slang expression by an Eastern European female during an informal conversation with a native speaker must have made an impression on him! However, I couldn’t give such an answer to this very question, simply because of the reasons given in point #2 (see above).

I don’t care whether you’re an "Eastern European female" or a cross-dressing circus clown from Bolivia.  What does concern me is that first you suggest that your making that statement must have been shocking to me and then you immediately maintain you didn’t say it…and you throw in the gender card!  Nice.

Joanna, your dismissal using this exact phrasing is exactly what got me riled up.  Your dishonesty and/or confusion about what you said and what you think you said is the entire point you’re missing…except hysterically you claim you are a victim of the very issue I highlight:

So, then Hoff quotes the Forbes article that was written after my presentation and accuses me that the article (written by some Forbes reporter) was too sensationalist. I definitely agree the article was very sensationalist (but correct) and when I saw the article I even got angry and even wanted to write a blog about it (but as the article was actually correct, I had no good arguments to use against it).

And you know why I was so angry? Because I actually spent over 40 minutes with this very Forbes reporter in the RSA’s speaker’s lounge just after my speech, I spent that time on clarifying to that guy what my presentation was about and what it was not about and what was the main message of the presentation. Still, the reporter had his own vision of how to write about it (i.e. make it into a sensation) and I hardly, as it turned out, could do anything about it…

Perhaps the fault is ours, but perhaps you should accept some of the responsibility here, too?  If you continue to be misunderstood, misquoted, and misrepresented, perhaps it has more to do with something other than the fact that your intellect is "…too technical for an average CISSP to understand it?"  Perhaps you are hard to understand?  Perhaps you don’t do a good job of explaining?  Perhaps the language gap is confusing things?

Look, I find the following assertion really interesting, and had you allowed me to ask the question, would have loved to have discussed it with you further:

"Keep[ing] hypervisors simple, do not put drivers there, as otherwise we would get to the same point where we are with current OSes these days, i.e. no kernel security at all!"

…but I didn’t get a chance to.  I actually resonate with your assertion.  I didn’t bring it up because that’s not what I had a problem with.

Finally, to your closing point:

Now I wonder, maybe Christofer Hoff doesn’t do PR for any VMM vendor, maybe he just didn’t listen carefully to my presentation. Maybe he’s just one of those many guys who always know in advance what they want to hear and selectively pick up only those facts that match their state of mind? Otherwise, why would he not realize that my presentation was actually a pro-virtualization one and needed no (false) counter-arguments?


I came to your presentation the way I do to every other I attend.  With an open mind, open ears and a closed mouth.  I listened carefully, was confused by what I thought were contradictory statements between your slides and what you were saying and sought clarification.  Upon clarification and subsequent condescending dismissal, I closed my mouth and my ears and formed my conclusion based upon your response.

Perhaps you’ll use this as an opportunity to reflect upon how you present and interact with people.  Perhaps you won’t.  I know I will.  Either way, I appreciate your research and your response to my "letter."


Categories: Virtualization

Geer pwns Hoff – Round 2

April 13th, 2008 No comments

The intellectual integrity scandal of the century has reared its ugly head once again. 

At RSA in the bar of the Westin, I was confronted by an unruly mob of Ex-@Stakers, fueled by their infamous ringleader Dan "El Guapo" Geer, who cornered me rather forcefully between a Bellini and a half-empty bottle of Dos Equis.  He suggested that were I not to cooperate, a true demonstration of punctuated equilibrium would be at my expense.

It was during this mental waterboarding session that I was unduly pressured to provide a public admission of guilt and forced to yield to photographic evidence of the event after El Guapo craftily scratched out "my" confession on a bar napkin which read "Hoff stole my preso."  At least he spelled my name correctly.


This was a sad day, indeed.  El Guapo sank my battleship 🙁


Categories: Jackassery

Return Of the Big, Honkin’ SuperNIC and Bait and (Virtual) Switch

April 13th, 2008 4 comments

I’m going to highlight a prediction I had on a forthcoming security offering from yet-to-be-named security solution providers for virtualized environments as well as something I overheard at RSA.

In the next few days, I’m going to be releasing my post on the evolution of some really concerning performance and configuration limitations of security solutions in virtualized environments and this will make a lot more sense, but until then, grok this…

Here’s Item #1 – Return of the Big, Honkin’ NIC Card…

Remember back when 3Com released this little beauty?

3Com® 10/100 Secure Server NIC

Server IPSec and 3DES Encryption at Wire Speeds


The 3Com® 10/100 Secure Server NIC is custom-designed for servers that demand high performance and end-to-end security. Its onboard security processor works with Windows 2000 or XP to offload key processing tasks, reducing the load imposed on the CPU.

It never really took off and has long since been discontinued, but here’s where I reckon we’re going to see a rebirth (like bellbottoms) of something similar from security vendors, either as a NIC or an offload card sitting in the virtual host.

In a virtualized server, most of the emerging security solutions are going to take the form of agents/applications running in VMs or as virtual appliances in the host.  This is all going to be run in software, with limitations on memory, CPU and I/O.  Imagine every flow, whether inter-host or intra-VM, having to bounce back and forth across the vSwitch and the security functions in software.


Despite APIs like VMsafe, which allow for hooks on a per-VM basis to "redirect" traffic to a VM/VA for disposition in software, imagine if instead of just having IPSec on a NIC, we also had DPI, firewall, IDP, AV and other security functions also.

Rather than doing all of this stuff in software, the agents/applications or virtual appliances could offload or allow the hardware to perform them on their behalf.  This could take the form of FPGAs or custom silicon like Cavium’s multi-core Octeon security

This is where the argument of "hey, all we need is COTS multicore hardware to scale" simply falls apart.

It’s not at all an original idea, as we’ve had offload/acceleration cards in appliances/servers for a long time, but when the performance and configuration limitations of virtual hosts arise, I predict we’ll see these things crop up as a "solution" that is "new." 😉

Here’s item #2 – Bait and (Virtual) Switch

I’ve talked previously about virtualization platform providers like VMware ultimately providing a way of modularizing/isolating the vSwitch functionality in the VMM and allowing third parties to instantiate their own vSwitch instead. 

Further, I’ve written about how I/O virtualization is likely to change the way and where the virtual networking is performed. 

Intel is rumored (was this news at RSA? I can’t tell) to be taking another approach, which is that they intend to embed the vSwitch functionality directly into the underlying CPU chipsets.  This makes the vSwitch not so much ‘v’ (virtual) any longer.  You’ll have the network switching fabric and functions in the CPU itself.

I’m sure that if Intel is considering this, then AMD would not be far behind.

Thus some version of an upcoming CPU would provide this capability natively, interfacing with the NIC card (or the super NIC above) and the VMM.  This brings up some really interesting questions, no?

More later.


Categories: Virtualization

An Open Letter to Joanna Rutkowska

April 13th, 2008 5 comments

Dear Joanna:

I attended your session at the RSA conference last week titled "Security Challenges in Virtualized Environments" and was compelled to write you given our debate which you ended somewhat abruptly at the conclusion of your presentation.

Before I start in on the meat of the topic, I’m going to do what you seem to continue NOT to do.  Specifically, I am going to make clear certain disclosures and frame the context of this note in a way that I hope everyone can understand.

Sadly, there will not be an accompanying eight-slide melange of virtual machine state transitions, mention of TLB misses, GIF0 emulation or ASID conflicts…

Back to your presentation.

As the room filled to over capacity before your talk began, you were upset and couldn’t seem to understand why the conference organizers would not let people spill over from seats and sit on the floor and in the aisles to hear you speak.  The fact that fire and safety codes prohibit packing a room beyond capacity was something you attributed to people being "…crazy in America."  Go figure.

So let me further raise your ire by introducing you to another crazy American rule of law that is somewhat related: we don’t think it’s a good idea to yell "fire!" in a crowded theater, either.

What does this have to do with your presentation?  It’s quite simple actually.   I think that the way in which you are presenting your research is intentionally designed to be sensational first and concise and accurately portrayed a distant last.

During your presentation at RSA and throughout other presentations, you have illustrated how your research featuring Blue Pill technology affects hardware-based type-2 hosted virtualized environments rather than type-1 bare-metal installs.

In many cases, given the depth and complexity of your presentations, less experienced audience members and members of the press have completely confused or overlooked this distinction and left your presentation thinking that your research and your testing applies directly and unequivocally to both environments, despite the fact that you continue to highlight Microsoft’s Vista desktop operating system as your test case.

When I spoke to you at the end of your presentation and made sure that I understood correctly that you were referring specifically to type-2 hosted virtualization on specific Intel and AMD chipsets, you conceded that this was the case.

When I attempted to suggest that while really interesting and intriguing, your presentation was not only confusing to many people but also excluded somewhere north of 80% of how most adopters have deployed virtualization (type-1 "bare-metal" vs. type-2 hosted) as well as excluding the market-leading virtualization platform, your response (and I quote directly) was:

"I don’t give a shit, I’m a researcher."

So my problem with that answer is three-fold Joanna:

  • As a researcher who is also actively courting publicity for commercial gain and speaking at conferences like RSA which are less technical and more "executive" in nature, you have a responsibility to clarify and not obfuscate (intentionally or otherwise) the facts surrounding your research.  Allowing the continued sensationalized coverage of your research without clarification is not allowing concerned people to make clearly informed decisions regarding risk.

  • No less than five times during your presentation, you highlighted marketing material in the form of graphics from Phoenix, positioned their upcoming products and announced/credited both Phoenix and AMD as funding your research. 

    Further, there have been announcements suggesting that Phoenix is looking to commercialize Blue Pill not as a rootkit but as an "ultra-thin" hypervisor.  This makes it hard to decide where the breakpoint between your "research" versus their "commercial" begins.

  • Continuing to openly and negatively disparage those who seek to challenge your assertions is unprofessional.  Certainly you can disagree with them, but regardless of their approach or attitude, the continued pejorative nature of your rebuttals is getting stale. 

I think it’s only fair to point out that given your performance, you’re not only an "independent researcher" but more so an "independent contractor."  Using the "I’m a researcher" excuse doesn’t cut it.

I know it’s subtle and lots of folks are funded by third parties, but they also do a much better job of drawing the line than you do.

Despite your position on the matter and unlike you, I do give a shit, Joanna.  I care very much that your research as presented to the press and at conferences like RSA isn’t only built to be understood by highly skilled technicians or researchers because the continued thrashing that they generate without recourse is doing more harm than good, quite frankly.

Now, I know you can’t control the press or what they print, but you certainly don’t seem to invest much in terms of ensuring accuracy or clarifying the corner cases you’re talking about.  Here’s an example from a Forbes article based upon your RSA presentation:

At the security industry’s big annual confab, the RSA Conference, going on this week in San Francisco, security researcher Joanna Rutkowska described a new type of virtualization-based malware that could be used to take control of a machine running virtualization software. Because virtualization allows companies to store many virtualized software "images" of computers on a single physical machine, an attack like the one Rutkowska envisions would allow a hacker not only to control a single machine but to siphon data from any virtual machine it contains.

Rutkowska, the founder of security research firm Invisible Things Lab, in Warsaw, Poland, isn’t the first to target virtualization as a weak point in the emerging IT landscape. In the past few months, security researchers have revealed bugs in practically every piece of virtualization software, including products from virtualization heavyweights VMware and Microsoft.

Exploiting those bugs, attackers can use what researchers call "virtual machine escape," or "hyperjacking." By taking control of the hypervisor, the piece of software that controls all the virtual computers within a machine, an attacker can "escape" from any single virtual computer hosted on the machine and quickly multiply his or her access to a company’s data.

But the attack Rutkowska outlined goes even further: she described how an intruder could install what she calls a "blue pill," a second, malicious hypervisor that controls the original hypervisor and all of the virtual machines beneath it. Examining any PC or server hosted on the machine, it would appear that the machines were hosted normally by a hypervisor, but, she argues, it would be tough to detect another hidden hypervisor intercepting data or manipulating the virtualized computers.

"When you use virtualization to build malware, there are no hooks, nothing you can see within an operating system," she says.

So this reporter walked away from your presentation and basically represents — like every other reporter I have seen — that every virtualization platform is covered under your research and is susceptible to attack regardless of chipset, operating system or application, a fact that you already conceded during our short exchange as not being the case.  Do you not see how this can be confusing?

In this scenario, I can personally attest that Fortune 100 companies deploying VMware ESX 3i are unable to determine whether they are at risk or not.  You could certainly take the low-road and blame this on those interpreting your presentations this way, or perhaps recognize that this could be a direct result of your efforts.

Despite the fascinating research, I’m really disappointed in how you choose to continue to allow inaccurate representation of your research to continue unabated.  Instead of inflammatory, sensational and inaccurate portrayals, you could instead be really helping to educate the world in a way not dependent on fear, uncertainty and doubt.

I look forward to your next presentation.  I just hope it’s more accurately tempered next time so as not to cause the figurative stampede from the theater when there’s actually no fire.


Update: Joanna responded here.  I retorted playing ping to her pong here.  Enjoy.

Categories: Virtualization

@RSA This Week…

April 8th, 2008 No comments

It seems I forgot to specifically call out the fact that I’ll be in San Francisco attending the RSA Conference this week.

Monday had me at the America’s Growth Capital conference with the remainder of the week spread between sessions, briefings, meeting up with old friends and making new ones.  I’m leaving back to Boston Friday morning.

I’m speaking on Wednesday (DEPL-201)



Categories: Security Conferences

Virtualization March Madness Continues: Altor Networks

April 4th, 2008 3 comments

Yes, I know it’s April, but I couldn’t get this all done in March, damnit.

Per the promise in my last driveby-post featuring Montego Networks, here’s a quick bit of insight regarding Altor Networks, another start-up recently out of stealth in the virtualization security space.

I spent some time with Amir Ben-Efraim, Altor’s CEO.  I knew Amir from our days working together when he was at Check Point and I was at Crossbeam.

Amir has brought forward what he learned from his time served at CHKP and understands the gaps between how the current crop of security toolsets fall short in virtualized environments.

Altor’s solution called "Virtual Network Security Analyzer" is the company’s initial offering which is billed as providing the following functionality:

Altor’s Virtual Network Security Analyzer (VNSA) delivers unprecedented, granular, real-time, and historical visibility into the virtual switch traffic.

Built from scratch for the virtual environment, VNSA’s integration with virtualization platform management like VMware Virtual Center greatly simplifies product configuration.

VNSA has two main components as shown in the diagram:

Altor Agent – The Altor Agent plugs into the virtual switch and passively monitors the virtual switch traffic. Only one Altor Agent is needed per physical server.

Altor Center – Information from multiple Altor Agents is consolidated by the Altor Center giving administrators a centralized view of the virtualized data center.

Altor Agent and Center are delivered as virtual appliances ensuring installation and uninstallation with zero downtime.

When Amir and I first spoke, I had trouble understanding how the product differentiates itself from "legacy" competitors in the IDS/monitoring space as well as those emerging in the VirtSec space.   So we dug appropriately one layer down.

Many of the emerging VirtSec companies are hitching their ponies to the "we protect against intra-vm abuse" barn and given the current constraints around the underlying networking mechanics, there’s not a lot of differentiation therein until VMsafe arrives which ultimately levels the playing field for everyone.

So one has to ask that if the mechanics of intercepting and inspecting traffic are fairly commoditized, what’s the secret sauce that makes a solution a better mousetrap? 

With Montego — at least for the next 6 months or so until VMsafe arrives — it’s the partnering model of integrating other 3rd party security applications based upon intelligent classification; if it sees traffic that matches a particular profile, it applies some level of security "magic" natively and then ships it off to vendor A’s virtual appliance, etc…

So when looking for Altor’s secret sauce, the reality is that VNSA is actually much more of a network configuration, analytics and policy management solution; it is really focused in its first iteration on detection/monitoring and understanding how the virtual switches and virtual machines are configured and profiling what traffic is flowing between them via integration with VMware’s Policy Center.

The product differentiates itself by first focusing on re-capturing the lost network-based visibility inherent in the current vSwitch architectures but does so from a unique perspective. 

Rather than position VNSA as a pure "security" tool focused on prevention, it’s an operational tool meant to shed light on questions which are seldom easily answered regarding exactly what is going on in the vSwitch, the dependencies from a VM perspective, the interaction from a network perspective, and allowing operators to group applications and assets into a hierarchical management framework that allows policies to be attached to them.

Namely, VNSA provides a single pane of glass from which a server, network or security admin can capture not only how the vSwitch and VMs are configured from the virtual infrastructure perspective, but also regain network statistics, troubleshooting, optimization and standardization views into the vNet.

Now that the servers, networking and security are all collapsed as a function of virtualization and the network and security teams are somewhat at odds as to where the boundary and separation of duties exist and who is responsible for what, VNSA offers all a single tidy view.  The web-based UI is quite nice and easy to use.  I found the statistics and insight it provides as decent for a first-run product and I can see how operators will gain value quickly given the information one can extract.

As the product evolves, security and configuration policies will be "attached" to the VMs based upon VM IDs that will allow enforcement of policy regardless of which physical host houses them.   Application detection capabilities beyond port will ultimately allow for even more automated app grouping and application of policy.

The next step is then the more prevention-focused capabilities which will allow the same profiling of traffic from VNSA to be used as the intelligent basis for selective "firewalling" of traffic between VM’s based upon historically observed behavior.  This will be accomplished via the second product coming later this year tentatively called "Virtual Network Firewall."
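To make the "profile first, then selectively firewall" idea concrete, here is an added illustration in Python. It is not Altor’s code and does not reflect how VNSA is implemented; the VM IDs, tier groupings and flow records are all constructed for the example. It models the two stages described above: build a per-VM dependency map and a baseline of observed vSwitch flows keyed on VM identity (so the policy follows a VM whatever physical host it lands on), then derive an allow-list from that baseline with a default deny, while setting aside flows seen too rarely to trust automatically so an operator can review them instead of having them written silently into policy.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record as a passive agent on the vSwitch might export (constructed shape)."""
    src_vm: str
    dst_vm: str
    proto: str
    dst_port: int
    nbytes: int


# Hypothetical VM IDs grouped into application tiers. Keying on VM identity rather
# than on the physical host is what lets policy follow a VM when it migrates.
GROUPS = {
    "vm-web-01": "web", "vm-web-02": "web",
    "vm-app-01": "app",
    "vm-db-01": "db",
    "vm-mgmt-01": "mgmt",
}

# Constructed history of observed intra-host traffic (not real capture data).
OBSERVED = [
    Flow("vm-web-01", "vm-app-01", "tcp", 8080, 48_000),
    Flow("vm-web-01", "vm-app-01", "tcp", 8080, 51_000),
    Flow("vm-web-02", "vm-app-01", "tcp", 8080, 47_500),
    Flow("vm-app-01", "vm-db-01", "tcp", 3306, 12_000),
    Flow("vm-app-01", "vm-db-01", "tcp", 3306, 13_500),
    Flow("vm-mgmt-01", "vm-web-01", "tcp", 22, 2_000),
    Flow("vm-mgmt-01", "vm-db-01", "tcp", 22, 2_100),
    Flow("vm-web-01", "vm-db-01", "tcp", 3306, 900),   # seen once: a one-off, or something to look at
]

DENY_ALL = {"src": "any", "dst": "any", "proto": "any", "port": "any", "action": "deny"}


def group_of(vm_id):
    """Tier of a VM; anything not in the inventory is treated as unknown."""
    return GROUPS.get(vm_id, "unknown")


def dependency_map(flows):
    """Per-VM view of who talks to whom and how much: the dependencies from a VM perspective."""
    deps = defaultdict(lambda: defaultdict(int))
    for f in flows:
        deps[f.src_vm][f.dst_vm] += f.nbytes
    return {src: dict(dsts) for src, dsts in deps.items()}


def build_baseline(flows, min_occurrences=2):
    """Count (src_group, dst_group, proto, port) tuples over the history.

    Returns (baseline, review): tuples seen at least min_occurrences times form
    the baseline; rarer ones are returned separately for an operator to review
    rather than being written into the allow-list automatically."""
    counts = Counter(
        (group_of(f.src_vm), group_of(f.dst_vm), f.proto, f.dst_port) for f in flows
    )
    baseline = {k: n for k, n in counts.items() if n >= min_occurrences}
    review = {k: n for k, n in counts.items() if n < min_occurrences}
    return baseline, review


def derive_policy(baseline):
    """One allow rule per baselined tuple, followed by a default deny between tiers."""
    rules = [
        {"src": s, "dst": d, "proto": p, "port": port, "action": "allow"}
        for (s, d, p, port) in sorted(baseline)
    ]
    rules.append(dict(DENY_ALL))
    return rules


def evaluate(flow, rules):
    """First-match evaluation of a new flow against the derived rules."""
    sg, dg = group_of(flow.src_vm), group_of(flow.dst_vm)
    for r in rules:
        if (r["src"] in ("any", sg) and r["dst"] in ("any", dg)
                and r["proto"] in ("any", flow.proto) and r["port"] in ("any", flow.dst_port)):
            return r["action"]
    return "deny"


if __name__ == "__main__":
    base, review = build_baseline(OBSERVED)
    policy = derive_policy(base)
    for rule in policy:
        print(rule)
    print("needs operator review:", review)
    print("dependencies:", dependency_map(OBSERVED))
    print("web -> db on 3306:", evaluate(Flow("vm-web-02", "vm-db-01", "tcp", 3306, 0), policy))
```

With the constructed history, web-to-app on 8080 and app-to-db on 3306 become allow rules, while the single web-to-db observation and the management SSH sessions land in the review set and are therefore denied by the generated policy until someone decides otherwise. That threshold is the design choice worth noticing: a baseline built purely from "whatever was seen" would have enshrined the one-off web-to-db flow as permitted.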

I do hope they drop the "firewall" moniker and use something else as I know that depending upon who they’re selling to, mentioning the "f word" could cause some to turn off to the idea before they even consider it…

I think the approach and implementation is well thought out.  I think that the solution will appeal to the server admins who need to gain as much visibility about the virtual network configuration as well as the network and security teams who have lost context and visibility.

I’ll leave the more technical review up to Scott Lowe who is promising to give us the in-depth exploration of VNSA soon.

Next up, Blue Lane’s new solutions…

Categories: Virtualization