As I have discussed, x86 hardware virtualization creates a new IT platform that must be securely maintained (e.g. patch, configuration and vulnerability management) like any other IT platform we are responsible for. This layer is extremely sensitive, since a compromise of it puts all of the hosted VMs at risk.
What’s really interesting is the intersection of these two: the use of whitelisting in the virtualization layer/platform itself to control what applications are allowed (or not allowed) to execute in this critical layer.
With VMware’s ESX, this is an issue in the Linux-based service console (which can run compatible Linux applications). It is a much more serious issue with Microsoft’s Hyper-V parent partition architecture, based on Windows Server 2008 “core”, and with Xen’s Linux-based Dom0. With Hyper-V and Xen, a failure or compromise of the parent partition puts all of the child VMs at risk.
From a security perspective, thinner is always better, so ideally we wouldn’t run any additional software in the parent/Dom0 partition. Sounds like a perfect application of application whitelisting, doesn’t it? And, since we don’t have pesky end-users downloading and executing arbitrary code at this layer (or browsers, or email, or …), it makes the approach of whitelisting much, much easier to apply.
As I discussed in a comment on this post, we should expect our IT platform vendors to provide whitelisting capabilities built into the platforms they sell us. Likewise, basic whitelisting capabilities should be built into our virtualization platforms and should not require that we install an additional agent to achieve this.
(virtualization platform providers, repeat after me: agents at the hypervisor/VMM layer are a bad thing, agents at the hypervisor/VMM layer are a bad thing)
However, none of the virtualization platform vendors that I am aware of provides application control as a standard built-in capability (yet). This is another no-brainer that I would expect to appear as a standard capability in virtualization platform solutions within the next 12-24 months.