Neil MacDonald

A member of the Gartner Blog Network

VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Don’t let VMware Become Internet Explorer

by Neil MacDonald  |  June 29, 2009  |  3 Comments

Piqued your interest? Bear with me. In a previous post, I promised to revisit the issue of “Fast-path” and “Slow-path” in the VMware vSphere platform.

With vSphere, VMware has released the first commercial implementation of its VMsafe set of APIs. As I have discussed, VMsafe is cool, but not a panacea. VMsafe provides developers two alternatives for where their security code runs – either in the hypervisor itself (i.e., Fast-path) or in a guest VM (i.e., Slow-path). As you might infer from the ‘accurate-from-an-engineering-perspective-but-horrible-from-a-marketing-perspective’ names of “Fast-path” and “Slow-path”, code running in Fast-path doesn’t incur the performance overhead of context switching and other activities associated with code running in a guest VM.

To overcome the performance penalties of running something like a firewall or IPS in a guest VM (Slow-path), vendors are looking to take advantage of the Fast-path capabilities of VMsafe. The problem is that putting unmanaged active code directly into the hypervisor is a bad idea, just as putting unmanaged binary code directly into the browser was a bad idea with the original implementations of ActiveX inside of Internet Explorer years ago. Capabilities that help the good guys with better performance and access to raw platform capabilities can also be used by the bad guys if access to these capabilities is not carefully considered. We have lived through this already with the browser and are still dealing with the pain.

Let’s learn from our mistakes. Require third-party code that will be installed in our virtualization platforms to be highly managed and trustable from the beginning, and require the platform underneath to be built assuming that attempts will be made to introduce hostile code. For example, require digitally signed code from the vendors and require the platform underneath to support Mandatory Access Controls on the use of APIs and to support whitelisting and blacklisting of code by administrators. And that’s just getting started. I’ve got a whole list of requirements for clients to use when evaluating the security capabilities of virtualization platforms. I’ll be discussing this and more in my session “Securing Virtualization and Virtualizing Security” Tuesday morning here at the Gartner Information Security Summit.

Faster performance? Great! But, I shouldn’t have to compromise the security and integrity of the entire platform (and all hosted workloads) to achieve this.

By the way, this is not just an issue with VMware and VMsafe. Running arbitrary third-party code in the “parent” or “Dom0” partitions of Hyper-V and Xen, respectively, creates similar issues.

Virtualization is a new platform with a chance to do things better and differently. Let’s not repeat the mistakes of the past by allowing poorly written or malicious third-party code, and a platform underneath that enables it without question, to jeopardize security.

Category: Next-generation Security Infrastructure Virtualization Security

3 responses so far ↓

  • 1 Neil MacDonald   July 22, 2009 at 11:37 am

    Don’t give up. It is possible to change large vendors’ behavior by voting with your wallet. Look at Microsoft and security in the 2001-2003 timeframe. You started voting by buying Linux, and Microsoft was forced to change.

  • 2 Moore’s Law Enables Virtualized Security   August 29, 2009 at 7:35 am

    [...] ever-increasing number of cores available along with advances like VMsafe and VMsafe’s “fast path” as well as improvements in i/o virtualization with next-generation processors will enable [...]

  • 3 Virtualization Security Challenges the Status Quo   February 19, 2010 at 11:22 am

    [...] “how much performance do you require”? I’m seeing test data using VMware’s VMsafe APIs in “fast path” mode for inline firewalling achieving in the 8 Gbps range inside of a server with 10 Gbps [...]