The Ghost Of Future’s Past: VirtSec Innovation Circa 2002
One of the things I try to do when looking forward for inspiration in solving problems is to ensure that I spend enough time looking back to gain perspective. I’ve been thinking a lot about models for virtualization security lately.
As I surveyed the options (or lack thereof) splayed about before me in terms of deployment options and available technology to solve some of the problems I’ve been researching, I was struck by what I can only describe as a ghost of future’s past.
It shouldn’t really surprise me like it does, but I always giggle when reminded of my own favorite saying: "Security is like bellbottoms — every 20 years or so, the same funny-looking kit comes back into style."
As it is with jeans, it is with security solutions.
I dredged up some of my collected research from moon’s ago on the topic and dusted off a PDF that I had completely forgotten about as I was trying to piece together some vague semblance of something that strangely reminded me of VMware’s VMsafe.
I cracked a gigantic smile when I saw the authors — Tal Garfinkel and some guy named Mendel Rosenblum (now co-founder and chief scientist at VMware.)
The PDF in question is titled Virtual Machine Introspection ("productized" as LiveWire) and presents the following case:
In this paper we present a new architecture for building intrusion
detection systems that provides good visibility into the state of the
monitored host, while still providing strong isolation for the IDS,
thus lending significant resistance to both evasion and attack.
Our approach leverages virtual machine monitor (VMM) technology. This mechanism allows us to pull our IDS “outside” of the host it is monitoring, into a completely
different hardware protection domain, providing a high-confidence
barrier between the IDS and an attacker’s malicious code.We achieve this through the use of a virtual machine monitor. Using this approach allows us to isolate the IDS from the monitored host but still retain excellent visibility into the host’s state. The VMM also offers us the unique ability to completely mediate interactions between the host software and the underlying hardware. We present a detailed study of our architecture, including Livewire, a prototype implementation. We demonstrate Livewire by implementing a suite of simple intrusion detection policies and using them to detect real attacks.
I got to thinking about the relevance of this approach because of some of the arguments that Simon Crosby made in our debate recently. I wanted to spend some more time thinking about the architectural differences between VMware and Xen so I could try an appreciate the genesis of Simon’s comments in context.
This paper and the Livewire prototype was created circa 2002. It’s six years later and we’re just now starting to see products and technology being announced as "new and fresh" that is basically just like Livewire.
While it’s certainly not the first and only research on this topic, it’s interesting to see that sometimes the wisdom of the past just takes just a little longer to cook before it’s fully baked, ready for icing and ready to be consumed.
If VMsafe is an example of the evolution of prior art like Livewire, what else do we have to look forward to that’s buried somewhere waiting to come back to life? Oh wait, those mainframes are coming back, aren’t they? What’s old is new again.
/Hoff
{Update: I also found some cool related stuff from Tim Fraser called Virtual Machine Introspection for Cognitive Immunity (kernel rootkit mitigation using VM Introspection) from Komoku which was acquired about a month ago by, gasp, Microsoft…}
What better way to create constantly oscillating product cycles that drive revenue without having to actually develop all that much new tech…?
Mainframe to Client Server to Network Computer/Browser to Web 2.0 to Grid/Cloud to…
I expect Grid/Cloud will be a hybrid of the same centralized/decentralized computing battle.
Let's just call it Centrally Distributed Computing so the marketoids never have to come up with another term to describe the swings of the same pendulum.
One thing to point out though is stuff like the LiveWire issue often comes a bit early so the thought cycle is inside the curve of the actual technology. We see that a good bit and it has to find wind in the sales somewhere in order to actually become considered a "valid" technology or course of action. I think that is Pundit Law Chapter 1 Verse 3.
Maybe it is something like the artist having to die for his/her work to become extremely valuable…
Now that was a stretch on my part.
–David
What better way to create constantly oscillating product cycles that drive revenue without having to actually develop all that much new tech…?
Mainframe to Client Server to Network Computer/Browser to Web 2.0 to Grid/Cloud to…
I expect Grid/Cloud will be a hybrid of the same centralized/decentralized computing battle.
Let’s just call it Centrally Distributed Computing so the marketoids never have to come up with another term to describe the swings of the same pendulum.
One thing to point out though is stuff like the LiveWire issue often comes a bit early so the thought cycle is inside the curve of the actual technology. We see that a good bit and it has to find wind in the sales somewhere in order to actually become considered a “valid” technology or course of action. I think that is Pundit Law Chapter 1 Verse 3.
Maybe it is something like the artist having to die for his/her work to become extremely valuable…
Now that was a stretch on my part.
–David
Funny you mention Garfinkel & Rosenblum's VMI paper, I also ended up reading it after your tiff with Simon. Check out other Garfinkel titles such as: 'Overshadow: A Virtualization-Based Approach to Retrofitting protection in Commodity Operating Systems'. Tal has been on the forefront of securing virtual environments for the last 5 years, and this latest paper is eye opening. Chris seems like you and Tal could be long lost relatives?
I wonder what the virtual environment would look like with a universal (VMWare, Xen, Microsoft) security framework including a hypervisor API and overshading memory protection?
Kevin
VMware Chief Scientist developed VMsafe in 2002
Christorfer Hoff, Chief Security Architect at Unisys, spotted a whitepaper presented in 2002 by Tal Garfienkel
Is Microsoft working on a VMsafe-like framework?
The upcoming set of VMware APIs known as VMsafe has the potential to dramatically change the way we secure
My favorite Garfinkel-Rosenblum paper is "When Virtual is Harder than Real: Security Challenges in Virtual Machine Based Computing Environments". Btw, I am pretty sure Garfinkel now works at VMware and I suspect neither of them is suggesting that virtualization has any security problems ;-).