As I talked about in this post, virtualization will offer new and interesting ways to improve security. VM state inspection (or “Introspection”) is one of the ways that this will happen. For clients, I talk about the transformative opportunities using virtualization and introspection techniques in these two research notes from 2008 – the first research note talks about the concept and the benefits and the second discusses some of the limitations of introspection.
VMware is the first virtualization platform to offer production releases of introspection capabilities with VMsafe in its vSphere release of its virtualization platform earlier this year. Since then, a few vendors such as Altor and Reflex Systems have released versions of their security and management tools that take advantage of VMsafe, primarily as a way to inject network security policy regardless of the network topology of the internal virtual switch. Last week, IBM started shipping its Virtual Server Security for VMware offering which takes the use of the VMsafe integration to a new level. Among the list of capabilities that the solution provides (e.g. IPS, vulnerability assessment and so on) is one particularly interesting capability: Rootkit detection / prevention.
In the 2008 research note I discussed a dozen or more ways that introspection will improve security, including this:
Protecting OS kernels is difficult, and OS-level rootkits are an ongoing issue. VM state inspection is one of the few ways that OS-level rootkits can be detected — a nearly intractable problem in 32-bit Windows environments. Also, malicious software that tampers with memory (for example, buffer overflows) can be effectively blocked with this architecture. In the physical world, most styles of HIPS can only detect memory tampering after the fact. With VM state inspection, this type of access can be prevented outright. VM state inspection also provides a cleaner way to access kernel-level information than “hooking” or “patching” the kernel.
That’s exactly what IBM has done. IBM has the first commercial implementation of a rootkit detection/prevention offering that works from outside of the virtual machine it is protecting and thus can detect rootkits using introspection even if the rootkit is cloaked from detection by anything running in the same OS container. This is quite useful for protecting hosted virtual desktops running on servers (and where users run as administrators, making any security control running in the same container suspect, as I talked about here).
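To make the cross-view idea from the research note excerpt concrete, here is an added toy model (not IBM's, VMware's or Gartner's code). It assumes a constructed guest memory image with a made-up process-descriptor layout (pid, next pointer, name) and an assumed kernel code address range. The out-of-guest walk reads the kernel's list straight from raw memory, so a hook inside the guest cannot filter what it sees; comparing that with what in-guest enumeration reports exposes the hidden entry. The second part models the "prevented outright" point: a hypervisor-side write policy that refuses writes to kernel code pages before they land.

```python
# Added example (not IBM's or VMware's code): a toy model of out-of-guest
# introspection. The guest memory image, the process-descriptor layout and
# the kernel code range are all constructed for this illustration.
import struct

# Assumed descriptor layout: pid (u32), pointer to next descriptor (u32), name (16 bytes)
PROC_FMT = "<II16s"
PROC_SIZE = struct.calcsize(PROC_FMT)


def build_guest_memory(procs, head=0x1000):
    """Build a constructed guest memory image holding a singly linked process list."""
    mem = bytearray(head + len(procs) * PROC_SIZE)
    for i, (pid, name) in enumerate(procs):
        addr = head + i * PROC_SIZE
        nxt = addr + PROC_SIZE if i + 1 < len(procs) else 0
        struct.pack_into(PROC_FMT, mem, addr, pid, nxt, name.encode().ljust(16, b"\0"))
    return bytes(mem)


def walk_process_list(mem, head):
    """Out-of-guest view: read the kernel's own list straight from raw memory.
    Nothing inside the guest can intercept this read, so in-guest API hooks do not apply."""
    found, visited, addr = [], set(), head
    while addr and addr not in visited:          # guard against a corrupted cycle
        visited.add(addr)
        pid, nxt, raw = struct.unpack_from(PROC_FMT, mem, addr)
        found.append((pid, raw.rstrip(b"\0").decode()))
        addr = nxt
    return found


def cross_view_diff(introspected, in_guest_view):
    """Entries the hypervisor-side walk sees that the in-guest enumeration omitted.
    Any such entry is a strong signal that something inside the guest is filtering results."""
    reported = {pid for pid, _ in in_guest_view}
    return [(pid, name) for pid, name in introspected if pid not in reported]


class KernelCodeGuard:
    """Hypervisor-side write policy for guest pages holding kernel code.
    Writes are refused before they land, rather than detected afterwards."""
    def __init__(self, protected_ranges):
        self.protected = protected_ranges   # list of (start, end) guest-physical ranges
        self.denied = []                     # audit trail of blocked writes

    def check_write(self, addr, length):
        for start, end in self.protected:
            if addr < end and addr + length > start:   # any overlap with a protected range
                self.denied.append((addr, length))
                return False
        return True


def demo():
    # Constructed guest: the kernel list holds three processes, but the
    # in-guest enumeration (as a hooked API would report it) drops one of them.
    mem = build_guest_memory([(4, "System"), (1337, "hidden.sys"), (2048, "explorer")])
    outside = walk_process_list(mem, 0x1000)
    inside = [(4, "System"), (2048, "explorer")]
    hidden = cross_view_diff(outside, inside)

    guard = KernelCodeGuard([(0x80000000, 0x80100000)])   # assumed kernel text range
    blocked = not guard.check_write(0x80001000, 8)        # write aimed at kernel code
    allowed = guard.check_write(0x00401000, 8)            # ordinary user-space write
    return hidden, blocked, allowed


if __name__ == "__main__":
    print(demo())   # ([(1337, 'hidden.sys')], True, True)
```

Running the demo yields the one descriptor the in-guest view dropped, plus one refused and one permitted write. The design point is that both checks run from the hypervisor side: the list walk depends only on raw memory and a known structure layout, and the write policy is enforced before the guest's own kernel ever sees the modified page, which is what separates this from a HIPS agent that must live inside the container it is defending.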
These vendors are delivering against the vision I’ve been researching, writing and presenting on for the past four years — leading the way to reinvent security in virtualized environments. Very cool.