As I talked about in this post, virtualization will offer new and interesting ways to improve security. VM state inspection (or “Introspection”) is one of the ways that this will happen. For clients, I talk about the transformative opportunities using virtualization and introspection techniques in these two research notes from 2008 – the first research note talks about the concept and the benefits and the second discusses some of the limitations of introspection.
VMware is the first virtualization platform to offer production releases of introspection capabilities with VMsafe in its vSphere release of its virtualization platform earlier this year. Since then, a few vendors such as Altor and Reflex Systems have released versions of their security and management tools that take advantage of VMsafe, primarily as a way to inject network security policy regardless of the network topology of the internal virtual switch. Last week, IBM started shipping its Virtual Server Security for VMware offering which takes the use of the VMsafe integration to a new level. Among the list of capabilities that the solution provides (e.g. IPS, vulnerability assessment and so on) is one particularly interesting capability: Rootkit detection / prevention.
In the 2008 research note I discussed a dozen or more ways that introspection will improve security, including this:
Protecting OS kernels is difficult, and OS-level rootkits are an ongoing issue VM state inspection is one of the few ways that OS-level rootkits can be detected — a nearly intractable problem in 32-bit Windows environments. Also, malicious software that tampers with memory (for example, buffer overflows) can be effectively blocked with this architecture. In the physical world, most styles of HIPS can only detect memory tampering after the fact. With VM state inspection, this type of access can be prevented outright. VM state inspection also provides a cleaner way to access kernel-level information than “hooking” or “patching” the kernel.
That’s exactly what IBM has done. IBM has the first commercial implementation of a rootkit detection/prevention offering that works from outside of the virtual machine it is protecting and thus can detect rootkits using introspection even if the rootkit is cloaked to detection from anything running in the same OS container. This is quite useful for protecting hosted virtual desktops running at servers (and where users run as administrators, making any security control running in the same container suspect as I talked about here.
These vendors are delivering against the vision I’ve been researching, writing and presenting on for the past four years — leading the way to reinvent security in virtualized environments. Very cool.
Category: Next-generation Security Infrastructure Virtualization Security Tags: Adaptive Security Infrastucture, Next-generation Security Infrastructure, Virtualization Security, VMsafe, VMware, vSphere