Is virtualisation a viable alternative to MAC ?
Posted Aug 1, 2010 0:22 UTC (Sun) by dlang (✭ supporter ✭, #313)
I do think that the people who think that virtualization is the solution to all security problems are also drastically overstating the benefits and underestimating the risks.
Posted Aug 1, 2010 0:31 UTC (Sun) by haradats (guest, #44782)
Two things were in my mind when I wrote "a nightmare". While MAC tries to build up security from the bottom (TPM, boot, system call), a guest OS can be directly bound to the bottom. And the internals of a guest OS can hardly be observed (and therefore confined) from the host (or hypervisor). However, "a nightmare" was too much, as you suggested.
Posted Aug 1, 2010 19:56 UTC (Sun) by drag (subscriber, #31333)
Virtualization should be mostly thought of as a cost saving mechanism and that is about it. It's an abstraction you can use to accomplish something cheaply that otherwise would take more resources, be more difficult, or cost more.
And actually you end up sacrificing security for that lower 'TCO'.
You want to isolate network services so that if one is hacked the other will still be secure. Traditionally you would simply have to purchase multiple machines to run each service. However that is expensive and uses lots of space... so what you can do is use virtualization to isolate each service on one machine while saving money.
In that case I am sure that everybody here would agree that running multiple services on multiple physical machines is going to provide higher security than running multiple services in multiple VMs on a single machine.
So hence you're trading some security for lower cost.
So it's all about proper perspective, and it makes it much easier to judge the proper use of virtualization than if you get sidetracked and start thinking about security advantages. Virtualization vendors need to concentrate on promoting their products through the discussion of cost saving measures, not any sort of illusionary security advantage.
Similar problems happen when people start discussing file systems, raid, and backups.
Posted Aug 1, 2010 12:15 UTC (Sun) by copsewood (subscriber, #199)
Saying that virtualisation is less secure than a previous scenario of separate hosts for different jobs seems obvious, but if the previous scenario is single host multiple logins (e.g. for shared webhosting) then virtualisation even with just different UIDs and DAC seems to offer better security than what existed before. I think this because this direction is how the hosting of my own websites has migrated, though I would expect my upstream VM provider to be looking at and implementing the kind of DAC solution as proposed in the slides.
Posted Aug 1, 2010 13:36 UTC (Sun) by copsewood (subscriber, #199)
Posted Aug 1, 2010 20:09 UTC (Sun) by drag (subscriber, #31333)
But the thing to remember, especially with container-style virtualization, is that even when combined with a MAC policy mechanism losing a single VM + having a single kernel-level exploit can easily lead to the loss of your entire machine.
For a full VM solution it's a bit better, as the attacker has to find an exploit in the VM software first, and theoretically it is going to be more difficult than finding a local kernel exploit. But I don't know much about that.
So in this case it's still good to think of it as you're losing security compared to having dedicated hosting in exchange for much lower cost, and the provider can use MAC to recover some of the lost security. But it's still not as nice as having a separate real machine. :)
Posted Aug 2, 2010 2:34 UTC (Mon) by raven667 (subscriber, #5198)
When it comes to the security of the whole system I would be far more concerned about the millions of network applications and OS exploits than buffer overflows in the handful of hypervisors which are in active use. A new exploit might be found on a common hypervisor platform, which is sufficient reason to put systems with radically different security zones on different hardware, but it probably isn't the biggest risk, probably not even in the top 10.
There is a lot more benefit to AppArmor, SELinux, TOMOYO, etc. in preventing applications with security vulnerabilities from accessing files, devices and system calls so that exploit payload isn't able to work.
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds