By David Marshall
published: Friday, April 04 2008
Christopher Bolin, CTO of McAfee, was the sole representative for security
vendors making it on stage at VMworld Europe 2008 during the
announcement for the new VMware VMsafe security technology.
During his presentation, Bolin said there was a virtual tsunami of
malware in 2007, with 37% of all malware coming in during that very same
year. On an average business day, McAfee sees over 500 unique pieces
of malware coming into their research department. Still, Bolin said that
despite all of the academic and online discussion about potential threats to
VMware and other virtualization technologies, his company hasn't yet seen any
real malicious attacks against virtualization or VMware specifically.
I must admit, I can't help but find it a wee
bit humorous that one of the biggest takeaways from the VMsafe
announcement was that there was no record of any attack on the hypervisor
yet. That's great news for us in the virtualization community today;
and thankfully, these 20+ vendors plan on beating malware to the
punch.
But if there haven't been any real malicious attacks against the
hypervisor as of yet, why all the hoopla now?
Andi Mann, Research Director at Enterprise Management Associates, says
it bodes well for the future that VMware is thinking about security.
"For a long time it was one of the biggest unaddressed issues in
virtualization. With few exceptions (e.g. Blue Lane, Configuresoft), virtualization
security meant people and process management. And if your people and process
failed you? Well, you were completely exposed."
So, what's changed?
Mann said, "With no significant detail, no products, and no documentation,
this announcement is barely relevant to enterprises. In my latest research
(scheduled for publication later this month), security management ranked top on
the list of disciplines that got harder in a virtual environment. Unfortunately
nothing about this announcement changes that. Until someone produces some
actual product, this is really just vaporware."
"Of course, for security vendors it is a potential goldmine. Enterprises
are clamoring for more secure virtualization environments, and this gives them
the opportunity to meet that demand - sometime in the (hopefully near) future.
But the announcement as it appeared, alongside 20 or so accompanying vendor
press releases, seemed very cynical to me. For most of the security vendors, it
was about generating new traction, much more than it was about actually
securing enterprise environments. This will hopefully change over time, but
with no product, enterprises are still left with just people and process to
secure their virtual environments."
So while VMware's VMsafe technology made the rounds within a growing list of
security vendor press releases, what escaped me was whether or not these
security vendors were planning anything similar for other hypervisor
technologies. After all, if hypervisor security is really bubbling up to
the top of their list of concerns, what about other technologies like
Xen? The platform is completely open to third-party developers - all the
way down to the source code. So shouldn't that make it easy for these
security vendors to protect Xen? Are there things already in
the Xen hypervisor to make this possible?
Simon Crosby, CTO of the Virtualization and Management Division at Citrix
Systems, explained things to me and helped me wrap my arms around it
more. Crosby said VMsafe has three core elements. One is the ability to
inspect network packets and another is the ability to inspect block traffic.
Citrix does both of these today, and the same infrastructure vendors who plug
into VMware's data paths can also plug into those provided by Citrix.
Crosby added that the one element that essentially comes from VMware's
Determina acquisition is memory inspection: take a page of memory, hand it
up to a scanner that goes over the page looking for vulnerabilities and
attacks, then mark the page as checked and read-only and push it back down
for execution. He said this was entirely doable with Citrix and that it is
being worked on right now with their shadow page table code in Xen.
He said, "It isn't there yet, but it is pretty straightforward. And again we
would want to serve the exact same set of vendors with the same set of
interfaces."
Crosby told me that handing pages up to an inspector seems, at first, like
pretty cool technology. He said Citrix could hand these pages up to an
inspector as well, but if he were an attacker, he would immediately rewrite
his attack to run over a 4k boundary, so it's not clear that this provides
all the inspection you need to identify an attack that wraps or scrolls over
multiple pages.
His final take on our conversation topic: "It's not a panacea, but it's
a help."
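The detection gap Crosby points at, a scanner that sees one 4 KiB page at a time and so cannot match a pattern that straddles a page boundary, is easy to reproduce in a small model. The following is an added example, not code from the article or from VMware or Citrix. The guest memory and the signature are constructed stand-ins, and the carry-over fix (holding back the last len(signature)-1 bytes of the previous page when inspecting the next one) is one common way page-oriented scanners close this gap; it is assumed here, not described by either vendor.

```python
"""Model of page-at-a-time memory inspection and the page-boundary blind spot.

Constructed example: a guest address space is a flat byte string split into
4 KiB pages, and a "signature" is just a byte pattern the inspector looks for.
"""

PAGE_SIZE = 4096

# Constructed stand-in for a detection signature (not a real malware pattern).
SIGNATURE = b"CONSTRUCTED-BAD-PATTERN"


def build_memory(num_pages: int, sig: bytes, offset: int) -> bytes:
    """Return num_pages of zero-filled guest memory with sig written at offset."""
    mem = bytearray(num_pages * PAGE_SIZE)
    if offset < 0 or offset + len(sig) > len(mem):
        raise ValueError("signature does not fit at that offset")
    mem[offset:offset + len(sig)] = sig
    return bytes(mem)


def pages(mem: bytes):
    """Yield (page_number, page_bytes) for each 4 KiB page of mem."""
    for page_no, start in enumerate(range(0, len(mem), PAGE_SIZE)):
        yield page_no, mem[start:start + PAGE_SIZE]


def scan_per_page(mem: bytes, sig: bytes) -> set:
    """Inspect every page in isolation, as a hand-me-one-page scanner would.

    Returns the set of page numbers in which the whole signature was found.
    A signature split across two pages is never seen in full and is missed.
    """
    return {page_no for page_no, page in pages(mem) if sig in page}


def scan_with_carry(mem: bytes, sig: bytes) -> set:
    """Inspect pages in order, carrying the tail of the previous page along.

    The carry is len(sig)-1 bytes: long enough that any match straddling the
    boundary is completed in the current window, short enough that the carry
    alone can never contain a full signature (so no match is counted twice).
    Returns the set of page numbers in which the match ends.
    """
    hits = set()
    carry = b""
    tail = len(sig) - 1
    for page_no, page in pages(mem):
        window = carry + page
        if window.find(sig) != -1:
            hits.add(page_no)
        carry = page[-tail:] if tail > 0 else b""
    return hits


def compare_scanners(straddle: bool) -> dict:
    """Place the signature either inside page 1 or across pages 1 and 2,
    run both scanners, and report which pages each one flags."""
    if straddle:
        # Start 10 bytes before the end of page 1 so the pattern spills into page 2.
        offset = 2 * PAGE_SIZE - 10
    else:
        offset = PAGE_SIZE + 100  # comfortably inside page 1
    mem = build_memory(4, SIGNATURE, offset)
    return {
        "per_page": scan_per_page(mem, SIGNATURE),
        "with_carry": scan_with_carry(mem, SIGNATURE),
    }


if __name__ == "__main__":
    print("signature inside one page:", compare_scanners(straddle=False))
    print("signature across a boundary:", compare_scanners(straddle=True))
```

Run stand-alone, the first line shows both scanners agreeing on page 1; the second shows the per-page scanner reporting nothing while the carry-over scanner flags page 2, where the straddling match ends. The same model also shows why the "mark it checked and read-only" step matters: a page that was clean on its own can become part of a match only if it or its neighbour changes, so write faults on checked pages are what should trigger a rescan.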
As virtualization deployments and adoption continue to increase, so too does
the attackable surface area.
Security is a key concern in a production data center, so hopefully, VMsafe
technology and technologies like it from Citrix and others can help quiet these
concerns. And I agree with Simon Crosby's sentiment.
This solution may not be perfect (time will tell), but I'm glad that we
are finally addressing it and that someone is shining a light on it.