Is virtualisation a viable alternative to MAC ?

Posted Jul 31, 2010 20:31 UTC (Sat) by copsewood (subscriber, #199)
In reply to: AppArmor set to be merged for 2.6.36 by dlang
Parent article: AppArmor set to be merged for 2.6.36

"On the other hand, if you have a multi-user system and really need to protect one local user from another, SELinux is the way to go."

Splitting up a physical machine with a single host OS into multiple virtual machines, even though this was designed for purposes other than MAC, seems to achieve many of the same objectives of MAC in practice. Why not give each user that needs protecting from other local users a virtual machine instead? I've been using a single VM to host multiple services, domains and websites on the same physical hosting hardware shared by many other VMs run by people I don't know for years without problems of the sort which can occur on shared login hosts. So long as the VM can't escape its memory and disk allocation, isn't this arrangement just as secure as MAC? Is it any more likely that a bug will occur in the virtual machine monitor which violates security than a bug will occur in a MAC system such as SELinux or AppArmor which violates security?


Is virtualisation a viable alternative to MAC ?

Posted Jul 31, 2010 23:15 UTC (Sat) by haradats (guest, #44782)

The following slide by James Morris might help. In my personal opinion, virtualization is a nightmare for security.

http://namei.org/presentations/svirt-lca-2009.pdf

Is virtualisation a viable alternative to MAC ?

Posted Aug 1, 2010 0:22 UTC (Sun) by dlang (✭ supporter ✭, #313)

I think that saying that virtualization is a nightmare for security is significantly overstating the problem.

I do think that the people who think that virtualization is the solution to all security problems are also drastically overstating the benefits and underestimating the risks.

Is virtualisation a viable alternative to MAC ?

Posted Aug 1, 2010 0:31 UTC (Sun) by haradats (guest, #44782)

> I do think that the people who think that virtualization is the solution to all security problems are also drastically overstating the benefits and underestimating the risks.

Agreed.

Two things were in my mind when I wrote "a nightmare". While MAC tries to build up security from the bottom (TPM, boot, system call), a guest OS can be directly bound to the bottom. And the internals of a guest OS can hardly be observed (and therefore confined) from the host (or hypervisor). However, "a nightmare" was too much, as you suggested.

Is virtualisation a viable alternative to MAC ?

Posted Aug 1, 2010 19:56 UTC (Sun) by drag (subscriber, #31333)

I believe that to properly assess the advantages of virtualization and determine how appropriate it is for an organization it's extremely important to have the correct attitude and approach to it.

Virtualization should be mostly thought of as a cost-saving mechanism and that is about it. It's an abstraction you can use to accomplish something cheaply that otherwise would take more resources, be more difficult, or cost more.

And actually you end up sacrificing security for that lower 'TCO'.

For example:

You want to isolate network services so that if one is hacked the other will still be secure. Traditionally you would simply have to purchase multiple machines to run each service. However that is expensive and uses lots of space... so what you can do is use virtualization to isolate each service on one machine while saving money.

In that case I am sure that everybody here would agree that running multiple services on multiple physical machines is going to provide higher security than running multiple services in multiple VMs on a single machine.

So hence you're trading some security for lower cost.

So it's all about proper perspective, and it makes it much easier to judge the proper use of virtualization than if you get sidetracked and start thinking about security advantages. Virtualization vendors need to concentrate on promoting their products through the discussion of cost-saving measures, not any sort of illusionary security advantage.

------------

Similar problems happen when people start discussing file systems, raid, and backups.

Is virtualisation a viable alternative to MAC ?

Posted Aug 1, 2010 12:15 UTC (Sun) by copsewood (subscriber, #199)

Yes, these slides do help answer this question. Perhaps the combination of MAC at the host level and virtualisation at the user level will work better than either in isolation, because this keeps the MAC policy much simpler (hence fewer human errors) with less need for local customisation, so more manageable than when using MAC in a shared login situation? MAC in this scenario seems to protect against bugs in the virtualisation layer.

Saying that virtualisation is less secure than a previous scenario of separate hosts for different jobs seems obvious, but if the previous scenario is single host multiple logins (e.g. for shared webhosting) then virtualisation even with just different UIDs and DAC seems to offer better security than what existed before. I think this because this direction is how the hosting of my own websites has migrated, though I would expect my upstream VM provider to be looking at and implementing the kind of DAC solution as proposed in the slides.

typo

Posted Aug 1, 2010 13:36 UTC (Sun) by copsewood (subscriber, #199)

"implementing the kind of DAC solution" in my previous comment should have read MAC.

typo

Posted Aug 1, 2010 20:09 UTC (Sun) by drag (subscriber, #31333)

Absolutely... a properly designed MAC policy combined with virtualization should yield superior results.

But the thing to remember, especially with container-style virtualization, is that even when combined with a MAC policy mechanism, losing a single VM plus having a single kernel-level exploit can easily lead to the loss of your entire machine.

For a full VM solution it's a bit better, as the attacker has to find an exploit in the VM software first, and theoretically it is going to be more difficult than finding a local kernel exploit. But I don't know much about that.

So in this case it's still good to think of it as you're losing security compared to having dedicated hosting in exchange for much lower cost, and the provider can use MAC to recover some of the lost security. But it's still not as nice as having a separate real machine. :)

Is virtualisation a viable alternative to MAC ?

Posted Aug 2, 2010 2:34 UTC (Mon) by raven667 (subscriber, #5198)

Reading that, it wasn't clear to me how the security framework was going to help. The attack surface between the guest and the hypervisor is mostly in the form of abstracted hardware. I could see a buffer overflow or something against the virtualized hardware or tools interface, but that would generally put you right in the hypervisor, which would be game over man, right?

When it comes to the security of the whole system I would be far more concerned about the millions of network applications and OS exploits than buffer overflows in the handful of hypervisors which are in active use. A new exploit might be found on a common hypervisor platform, which is sufficient reason to put systems with radically different security zones on different hardware, but it probably isn't the biggest risk, probably not even in the top 10.

There is a lot more benefit to AppArmor, SELinux, TOMOYO, etc. in preventing applications with security vulnerabilities from accessing files, devices and system calls, so that the exploit payload isn't able to work.

Is virtualisation a viable alternative to MAC ?

Posted Aug 1, 2010 13:45 UTC (Sun) by robert_s (subscriber, #42402)

"Why not give each user that needs protecting from other local users a virtual machine instead?"

Because it's a massive waste of memory, can cause a lot of IO performance problems, and doesn't really solve the problem; it just gives up on OS security and pushes the problem one step up the stack.

Is virtualisation a viable alternative to MAC ?

Posted Aug 1, 2010 21:53 UTC (Sun) by raven667 (subscriber, #5198)

Virtualization is definitely another way to approach this problem, but I think having a single system image is as well. Ultimately the problem that virtualization most solves is the system management problem of running many different applications on the same system. Virtualization is great, but I don't think we should stop trying to solve the underlying system management problem. An OS kernel which can see the whole stack, from the hardware to the applications, is going to be able to make better scheduling decisions and be higher performance than one where everything is abstracted away, even on a modern system where most of the hardware costs of virtualization have gone away. I suppose on that tangent the outlier is disk subsystems: current RAID/SAN systems abstract IO away and miss an opportunity for the best IO scheduling decisions (you can't have per-disk queues and elevators when you don't see the actual spindles).

Virtualization is a means to an end; if people could get some of the same benefits running on a single system image, they will do it.

Is virtualisation a viable alternative to MAC ?

Posted Aug 6, 2010 10:43 UTC (Fri) by job (guest, #670)

I would expect it to be _much_ easier to construct a secure chroot than to make a secure VM. All that hardware to control guest kernel access to must be a nightmare to get right. Plus, it is considerably easier to verify the security.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds