Virtual Machine security

I read an interesting snippet from a security researcher the other day.

Apparently one of the recent bits of malware had specific code in it to detect whether it was running on a virtual machine and, if so, to shut down as soon as possible. Why? Because the author knows that most researchers use VMs to investigate badware, reverse engineer it and come up with signatures that can be added to the AV detection list. Worth keeping in mind the flip side: the same checks let a sample tell a researcher's sandbox from a real victim, so a sample that sits quietly in a VM has not been shown to be harmless.
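The sort of "am I in a VM?" test the researcher describes, written out as an added example (this is not the malware's code, nor anything from the post). It checks three things a guest can read without privileges: the DMI product name, the CPUID hypervisor-present flag as exposed by the OS, and the vendor prefix (OUI) of the network cards' MAC addresses. The sample inputs are constructed; the live collector assumes a Linux guest (the Windows equivalents are WMI's Win32_ComputerSystem and the registry, not shown). Every one of these indicators can be hidden by the analyst (changing the MAC, patching DMI strings), which is exactly the game the malware author is playing.

```python
"""VM-detection heuristics of the kind used by anti-analysis malware (added example)."""
import glob
import os

# OUIs (first three bytes of a MAC) registered to virtualisation vendors.
VM_MAC_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:03:ff": "Microsoft Virtual PC",
    "00:15:5d": "Microsoft Hyper-V",
    "00:16:3e": "Xen",
    "52:54:00": "QEMU/KVM",
}

# Substrings virtualisation products put in the DMI/SMBIOS product name.
DMI_MARKERS = (
    ("VMware", "VMware"),
    ("VirtualBox", "VirtualBox"),
    ("Virtual Machine", "Microsoft Virtual PC / Hyper-V"),
    ("QEMU", "QEMU/KVM"),
    ("KVM", "QEMU/KVM"),
    ("Xen", "Xen"),
    ("Bochs", "Bochs"),
)


def vm_indicators(dmi_product, cpu_flags, macs):
    """Return a list of human-readable reasons to believe we are inside a VM.

    dmi_product: SMBIOS product name string
    cpu_flags:   set of CPU feature flags as reported by the OS
    macs:        list of MAC address strings ("aa:bb:cc:dd:ee:ff" or with '-')
    """
    reasons = []
    for needle, vendor in DMI_MARKERS:
        if needle.lower() in dmi_product.lower():
            reasons.append(f"dmi: product name '{dmi_product}' matches {vendor}")
            break
    # Linux exposes CPUID leaf 1, ECX bit 31 ("hypervisor present") as this flag.
    if "hypervisor" in cpu_flags:
        reasons.append("cpuid: hypervisor-present bit set")
    for mac in macs:
        oui = mac.lower().replace("-", ":")[:8]
        if oui in VM_MAC_OUIS:
            reasons.append(f"nic: MAC {mac} has {VM_MAC_OUIS[oui]} OUI {oui}")
    return reasons


def looks_like_vm(dmi_product, cpu_flags, macs):
    return bool(vm_indicators(dmi_product, cpu_flags, macs))


def collect_linux():
    """Gather the three inputs from a running Linux guest (assumed paths)."""
    def read(path):
        try:
            with open(path) as fh:
                return fh.read()
        except OSError:
            return ""
    product = read("/sys/class/dmi/id/product_name").strip()
    flags = set()
    for line in read("/proc/cpuinfo").splitlines():
        if line.startswith("flags"):
            flags = set(line.split(":", 1)[1].split())
            break
    macs = [read(p).strip() for p in glob.glob("/sys/class/net/*/address")]
    return product, flags, [m for m in macs if m and m != "00:00:00:00:00:00"]


if __name__ == "__main__":
    # Constructed samples: a VMware guest and a physical Dell laptop.
    print(vm_indicators("VMware Virtual Platform", {"fpu", "sse2", "hypervisor"},
                        ["00:0c:29:aa:bb:cc"]))
    print(vm_indicators("Latitude E6400", {"fpu", "sse2"}, ["00:1a:a0:11:22:33"]))
    if os.path.exists("/proc/cpuinfo"):
        print("this host:", vm_indicators(*collect_linux()))
```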

This raises the question: would we be safer running on a virtual machine all the time? I keep meaning to do this, but never get around to investing the necessary time.

An interesting feature of VMware is the many freely available images you can download and try here. One thing someone pointed out to me that I hadn't realised is that any of these will run with the free version of VMware Player.

I don't think Microsoft Virtual PC (also free now) can run them, as they are mainly Linux-based.

This strikes me as a great way to try out an operating system or product with no commitment, and no installation hassle. Stephane mentioned ages ago about distributing software as an ‘appliance’.

I love the idea, but I’m not clear how realistic it would be for a spreadsheet auditing tool for example. (compared to an xla and ignoring anyone who doesn’t use Excel). I have no idea of the licensing issues, but I assume using open source will be easier than proprietary.

Is anyone else evaluating their use of virtualisation s/w? What are your conclusions?

cheers

Simon


12 Responses to “Virtual Machine security”

  1. Ken Puls Says:

    Hi Simon,

    Recently, I got a new laptop which came with Vista pre-installed. Being a bit of a tech keener, I gave it a go, trying to install all the apps I needed for work. I ended up finding out that one will not work on Vista, and another blue-screens it constantly. While I could have wiped the laptop and installed XP, I figured that this would be a pain, as I’d have to try and find drivers for all the stuff that is built in to this machine.

    I ended up migrating my old XP workstation into a VMWare image using their converter, and work in that VM every day at work. Vista is a pretty expensive host, granted, but my VM is still faster than my old PC.

    For development and testing of apps, I honestly can’t think of a better way. VMWare’s snapshot ability absolutely rocks, and makes it super easy to have a variety of virtual machines at your disposal that you can activate at any time. Honestly, I’m floored that you don’t use it yet.

    We’re actually planning to take this one step further next year, virtualizing all of our servers next year. :)

  2. Ross Says:

    I'm beginning to think about using VMs, although I have not looked into it much. I'm not really sure how they work and feel, but I guess I will look into all of that should I take the plunge.
    What are peoples feelings on system specs to run a decent VM set up?

    >>This then begs the question, would we be safer running on a virtual machine all the time?

    If everyone ran on VM then it would just be the same for the hackers, No?

  3. gobansaor Says:

    I use Mocha5 http://www.moka5.com/ (a VMware-based desktop/USB virtual machine utility) to host a Windows 2000/Excel 2000 image to allow me to test for backward compatibility. I also have a Windows NT/Excel 97 image but rarely use it nowadays. I've also created an image using the trial versions of Vista and Office 2007 to see what the future holds!

    But my real interest is in “virtual dedicated servers”. I’m a big fan of Amazon’s EC2 service (XEN based) and have been using it to test on-demand in-memory OLAP “appliances” (using PALO and SQLite). Such appliances (to use Stephane’s term) could then either be hosted on EC2 (or Scotland’s http://www.flexiscale.com which offers both Windows and Linux VMs) or on a local virtual machine.

    Tom

  4. Dennis Wallentin Says:

    Since I have Ubuntu as the host system for all my VMware configurations, I work in a 'virtualized mode'.

    When it’s time to show customers the solutions I just copy the relevant configuration to my laptop and off I go.

    Apart from that, keep in mind that we non-English developers need localized as well as English versions of Excel 97 – 2007. That's why I've been a happy user of VMware for the last 5-6 years.

    I have one security policy (out of several!) and that's that none of the VMware configurations is allowed to access the Internet.

    Ross,
    You need at least 1 GB of RAM to use VMware in an acceptable way. Of course, the more RAM and the more powerful the processor, the better.

    Kind virtualized regards,
    Dennis
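A way to check that a guest actually follows a "no Internet, no leakage" policy like the one above, added here as an example (not code from Dennis or from VMware): VMware keeps each guest's settings in a plain-text `.vmx` file, and the keys that matter are the network adapter `connectionType` (bridged and NAT give the guest a route off the host; hostonly does not), the `isolation.tools.*` switches for clipboard, drag-and-drop and shared folders, and any `sharedFolderN` entries that mount a host directory inside the guest. The `.vmx` below is constructed for the example; the audit reads it, reports the weak settings, and shows the hardened form beside it. The assumption that a NIC with no `connectionType` is treated as bridged is a conservative choice of the example, not a documented default.

```python
"""Audit a VMware .vmx for settings that let an 'offline' guest reach out (added example)."""
import re

# Constructed sample: a reverse-engineering guest that is less isolated than intended.
SAMPLE_VMX = '''\
.encoding = "UTF-8"
config.version = "8"
displayName = "xp-re-lab"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
ethernet1.present = "TRUE"
ethernet1.connectionType = "hostonly"
isolation.tools.paste.disable = "TRUE"
isolation.tools.dnd.disable = "FALSE"
sharedFolder0.present = "TRUE"
sharedFolder0.hostPath = "C:\\Users\\simon\\Documents"
'''

# Guest-isolation switches; each must be TRUE for the feature to be off.
ISOLATION_KEYS = (
    ("isolation.tools.copy.disable", "guest-to-host clipboard copy"),
    ("isolation.tools.paste.disable", "host-to-guest clipboard paste"),
    ("isolation.tools.dnd.disable", "drag-and-drop file transfer"),
    ("isolation.tools.hgfs.disable", "shared folders (HGFS)"),
)


def parse_vmx(text):
    """Parse 'key = "value"' lines into a dict; keys lower-cased, values unquoted."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip().lower()] = value.strip().strip('"')
    return cfg


def _true(value):
    return value.strip().lower() == "true"


def _nic_ids(cfg):
    return sorted(int(m.group(1)) for k in cfg
                  for m in [re.fullmatch(r"ethernet(\d+)\.present", k)]
                  if m and _true(cfg[k]))


def audit_vmx(cfg):
    """Return a list of findings; an empty list means the guest matches the policy."""
    findings = []
    for n in _nic_ids(cfg):
        # Assumption of this example: an unset connectionType is treated as bridged.
        ctype = cfg.get(f"ethernet{n}.connectiontype", "bridged").lower()
        if ctype == "hostonly":
            continue
        if ctype == "custom":
            vnet = cfg.get(f"ethernet{n}.vnet", "?")
            findings.append(f"ethernet{n}: custom vnet {vnet}, check it has no NAT or bridge")
        else:
            findings.append(f"ethernet{n}: connectionType={ctype} gives the guest a path off the host")
    for key, what in ISOLATION_KEYS:
        if not _true(cfg.get(key, "FALSE")):
            findings.append(f"{key} not TRUE: {what} enabled")
    for k in sorted(cfg):
        m = re.fullmatch(r"sharedfolder(\d+)\.present", k)
        if m and _true(cfg[k]):
            path = cfg.get(f"sharedfolder{m.group(1)}.hostpath", "?")
            findings.append(f"sharedFolder{m.group(1)}: host path {path} mounted in guest")
    return findings


def hardened(cfg):
    """Copy of cfg with every NIC host-only, isolation switches on, shared folders removed."""
    out = {k: v for k, v in cfg.items() if not k.startswith("sharedfolder")}
    for n in _nic_ids(out):
        out[f"ethernet{n}.connectiontype"] = "hostonly"
    for key, _ in ISOLATION_KEYS:
        out[key] = "TRUE"
    return out


if __name__ == "__main__":
    cfg = parse_vmx(SAMPLE_VMX)
    for f in audit_vmx(cfg):
        print("WEAK:", f)
    print("after hardening:", audit_vmx(hardened(cfg)))
```

The parser lower-cases keys for lookup only; when writing a corrected `.vmx` back, keep VMware's own key spelling and set `isolation.tools.*.disable` to `"TRUE"` as quoted strings, exactly as in the sample.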

  5. Simon Says:

    Dennis
    Why no Internet for your VMs? Couldn't you use rollbacks? I see there is a minimal web appliance that is a cut-down Linux with only the key web bits running.
    I think I should go the same way: Linux base OS plus a complete Windows VM dev machine, then I can just move from box to box. The only trouble with that is the 30 gigs of spreadsheet monsters I keep on my dev box. Sounds like a good excuse for a new iPod!
    cheers
    Simon

  6. Charlie Says:

    I have used Virtual PC over the last couple of weeks in order to accurately emulate a client’s install situation – and it works very well. I still have to tweak things because it takes longer than I expected to restart a saved state – but it only became obvious when the client was on the phone and I was trying to quickly answer their question.

    The more VM machines, though, the more that need to be updated when there is a change in Office/Windows.

    What do people do for AntiVirus protection? I am assuming it is needed on each VM.

    –Charlie

  7. Simon Says:

    Hmm – maybe it's not that secure after all:
    http://kerneltrap.org/OpenBSD/Virtualization_Security
    oh well!

  8. Dennis Wallentin Says:

    Simon,

    >>Why no internet for your VMs?
    First of all, I'm a paranoid person. Second, when my present security system was built by a security consultant, the recommendation was not to have it.

    >>the 30 Gigs of spreadsheet monsters
    C’mon, 30 GB is not that much. I recently updated my NAS so it now has 1 TB (2 x 500 GB).

    Charles,
    Some time ago I tested VPC 2004 and later 2007 as well. Compared with VMware, all I can say is it's slow, very slow.

    Kind regards,
    Dennis

  9. The Ken Puls Blog » Blog Archive » Virtualizing a desktop Says:

    […] saw that Ross was a little curious about virtualization at the Smurf on Spreadsheets blog, and figured I’d share my reasons, some experiences, and methods for working with this […]

  10. vineet Says:

    Virtual machines are really an efficient tool for running software away from the hardware, and they really perform.
    But I wanted to know: what are the threats to these virtual machines and virtual infrastructure, and what exactly are the security measures for them?

  11. master webhost Says:

    thanks for all this information

  12. Steve Says:

    Hi Simon
    Been looking closely at virtual stuff for some time now.
    Got it sussed.
    As with any new tech it's painful at first, but I now believe all the dust has settled.
    An important point to make is that it is now necessary to make a distinction between:
    a) Virtual Machines, and
    b) Virtual Hard Drives (VHD – new from Microsoft)

    It may be virtual but it all starts with the physical

    Here is a list of some points to consider

    1. Hardware Assisted Virtualization (HAV)

    Higher end CPUs have supported HAV for about 3 years now.
    Download the HAV Tool from Microsoft and run it to determine if your CPU supports HAV.
    Then boot up into BIOS and ensure that there is a flag that you can change to enable HAV.
    Remember my VAIO – its CPU supports HAV but the BIOS does not allow me to enable it.
    You must check this when buying a new PC if your current ones do not support HAV.

    OK, that's the hardware side of things sorted.

    2. Now the software

    Upgrade your OS to Windows 7 Ultimate. (needed for VHD)
    I did this this weekend, Vista Business to Win 7 Ultimate – very smooth.
    W7U supports VHD

    Important – VHD is natively supported by the W7U OS.
    This means that it is a native file system that the OS recognizes and allows you to BOOT from the VHD on startup on the physical pc OR boot the VHD in a VIRTUAL machine.

    What does this mean?
    Remember dual boot? When you had more than 2 OS on one machine.
    Each OS has to have its own physical partition on the HD.
    Now you can install one bare metal W7U OS with one physical partition for the entire C Drive. Make this very lean. A clean install of just the OS.

    Then you make an image of this to create as many VHD as you want.
    This is a file with a .vhd extension that contains the entire OS.
    The VHD Driver handles the interface between the VHD and the physical NTFS hard drive.

    How many OS permutations do you want? As many as you like.
    Say:
    Physical W7U OS (used to create each VHD image)
    VHD 1: Personal (install all day to day software)
    VHD 2: Office 2003 + Visual Studio 2008
    VHD 3: Office 2007 + Visual Studio 2010 Beta 2
    VHD 4: Office 2010 + Visual Studio 2010 Beta 2
    etc, etc, etc

    How do you get rid of a VHD, just delete it – no clutter
    How do you backup, just copy to say an external HD
    How do you start it, just reboot and select the VHD from the list (like the old dual boot)

    Important – Files saved in the “My Computer” – public folders on the bare metal drive are visible to all VHDs!!!

    Note that Virtual Machines have not been mentioned yet!!!

    3. Virtual Machines

    Now install Windows Virtual PC (the new one for W7 – free download)

    You use this to create the VHD mentioned above
    You can also use this as a normal virtual machine
    No point in using it to host W7 as a VHD is better, but you can host say, some linux OS, or another one of those funny open source systems.

    You can have a VHD that has a VPC that has a VHD (Yes) that has a VPC that hosts a linux variant

    The permutations are virtually (haha) unlimited

    Conclusion

    It's a bit of a pain, but treat it as a long-term solution – you will need to learn quite a bit of background detail.

    Finally
    1. Level 1 – VHD
    2. Level 2 – VPC
    3. Level 3 – VASM

    I predict that the next evolution will be Virtual Assemblies (i.e. Programs and DLLs)
    Imagine installing say Visual Studio in a say .vhd with a “.vasm” setup
    Everything – and I mean EVERYTHING wrapped up in the .vasm
    No dependencies on any thing else on the PC
    It will even have its own “Mini Registry”

    Now imagine in the same HD or VHD
    VS 2010 Beta 1
    VS 2010 Beta 2
    VS 2010 RTM
    VS 2010 SP1
    VS 2010 …

    That would sort out that major COM & DLL problem once and for all

    :)

    Bye

    Stephen
