Is virtualisation a viable alternative to MAC ?

Posted Aug 1, 2010 12:15 UTC (Sun) by copsewood (subscriber, #199)
In reply to: Is virtualisation a viable alternative to MAC ? by haradats
Parent article: AppArmor set to be merged for 2.6.36

Yes, these slides do help answer this question. Perhaps the combination of MAC at the host level and virtualisation at the user level will work better than either in isolation, because this keeps the MAC policy much simpler (hence fewer human errors) with less need for local customisation, so more manageable than when using MAC in a shared login situation? MAC in this scenario seems to protect against bugs in the virtualisation layer.

Saying that virtualisation is less secure than a previous scenario of separate hosts for different jobs seems obvious, but if the previous scenario is single host multiple logins (e.g. for shared webhosting) then virtualisation even with just different UIDs and DAC seems to offer better security than what existed before. I think this because this direction is how the hosting of my own websites has migrated, though I would expect my upstream VM provider to be looking at and implementing the kind of DAC solution as proposed in the slides.



typo

Posted Aug 1, 2010 13:36 UTC (Sun) by copsewood (subscriber, #199)

"implementing the kind of DAC solution" in my previous comment should have read MAC.

typo

Posted Aug 1, 2010 20:09 UTC (Sun) by drag (guest, #31333)

Absolutely. A properly designed MAC policy combined with virtualization should yield superior results.

But the thing to remember, especially with container-style virtualization, is that even when combined with a MAC policy mechanism, losing a single VM + having a single kernel-level exploit can easily lead to the loss of your entire machine.

For a full VM solution it's a bit better, as the attacker has to find an exploit in the VM software first, and theoretically it is going to be more difficult than finding a local kernel exploit. But I don't know much about that.

So in this case it's still good to think of it as you're losing security compared to having dedicated hosting in exchange for much lower cost... and the provider can use MAC to recover some of the lost security. But it's still not as nice as having a separate real machine. :)

