Virtual Machine

Security
Summer 2013

Presented by: Rostislav Pogrebinsky

OVERVIEW
• Introduction
• VM Architecture
• VM Security Benefits
• VM Security Issues
• VM Security Concerns
Introduction
• A VM is a software implementation of a machine that
execute programs like a physical machine
• A VM can support individual processes or a complete
system depending on the abstraction level where
virtualization occurs.
• Virtualization – a technology that allows running two or
more OS side by side on one PC or embedded controller
OVERVIEW
• Introduction
• VM Architecture
• VM Security Benefits
• VM Security Issues
• VM Security Concerns
VM Architecture
• Virtualization
 Host OS
 Guest OS
 Hypervisor
VM Architecture
•There are two common approaches to virtualization:
"hosted" and "bare-metal“

Hosted Bare - Metal

VM Architecture
• Thin Virtualization: Get Strong Security in a Small
Package
VM Architecture
• Security Concepts in Architecture
 Extended computing stack
 Guest isolation
 Host Visibility from the Guest
 Virtualized interfaces
 Management interfaces
 Greater co-location of data and assets on one box
OVERVIEW
• Introduction
• VM Architecture
• VM Security Benefits
• VM Security Issues
• VM Security Concerns
VM Security Benefits
• Abstraction and Isolation
• Better Forensics and Faster Recovery
After an Attack
• Patching is Safer and More Effective
• More Cost Effective Security Devices
• Future: Leveraging Virtualization to
Provide Better Security
OVERVIEW
• Introduction
• VM Architecture
• VM Security Benefits
• VM Security Issues
• VM Security Concerns
VM Security Issues

• VM Sprawl
• Mobility
• Hypervisor Intrusion
• Hypervisor Modification
• Communication
• Denial of Service
VM Security Issues
Issue Hosted Bare-Metal
Hosted virtualization VMware bare-metal
products run on general- virtualization is built
purpose operating around the “VMkernel”,
Vulnerability of the systems and are a special-purpose
underlying operating susceptible to all the microkernel that has a
system vulnerabilities and much smaller attack
attacks that are surface than a general-
prevalent on such purpose operating
systems. system.
Most hosted
virtualization products
Since ESX is designed
provide methods to
specifically for
share user information
virtualization, there is
Sharing of files and data from the guest to the
no mechanism or need
between the guest and host (shared folders,
to share user
the host clipboards, etc).
information between
Although convenient,
virtual machines and
these are vulnerable to
their host.
data leakage and
malicious code intrusion.
VM Security Issues
Issue Hosted Bare-Metal
VMware bare-metal
virtualization allocates
Hosted virtualization
resource intelligently
products run as
while isolating virtual
applications in the
machines from
Resource allocation process space of the host
underlying hardware
OS. They are at the
components. No single
mercy of the host OS and
virtual machine can use
other applications.
all the resources or crash
the system.
ESX is meant to be used
in production
environments in which
Hosted virtualization is the guest virtual
targeted for machines can
environments where the potentially be exposed
guest virtual machines to malicious users and
Target Usage can be trusted. This network traffic. Strong
includes software isolation and strict
development, testing, separation of
demonstration, and management greatly
trouble-shooting. reduce any risk of
harmful activity going
beyond the boundaries
of the virtual machine.
OVERVIEW
• Introduction
• VM Architecture
• VM Security Benefits
• VM Security Issues
• VM Security Concerns
VM Security Concerns
• Managing oversight and
responsibility
• Patching and maintenance
• Visibility and compliance
• VM sprawl
• Managing Virtual Appliances
QUESTIONS ???
 References
• Secure Your Virtual Infrastructure http://www.vmware.com/technical-
resources/security/overview.html
• Virtualization Security and Best Practices
http://www.cpd.iit.edu/netsecure08/ROBERT_RANDELL.pdf
An overview of virtual machine Architecture
http://www.cse.ohio-state.edu/~agrawal/760/Slides/apr12.pdf
• http://itechthoughts.wordpress.com/tag/paravirtualization/
• A Survey on the Security of Virtual Machines
http://www.cse.wustl.edu/~jain/cse571-09/ftp/vmsec/index.html#Garfinkel05
• Virtualization Technology Under the Hood
http://www.ni.com/white-paper/8709/en
• Computer and Network Security Module: Virtualization
http://www.cse.psu.edu/~tjaeger/cse544-s13/slides/cse543-virtualization.pdf
http://www.vmware.com/virtualization/virtualization-basics/virtualization-benefits.html
http://en.wikipedia.org/wiki/Virtual_machine
http://www.microsoft.com/windowsserversystem/virtualserver/