Gartner Blog Network

Doing Things Better With Virtualization

by Neil MacDonald  |  December 22, 2009  |  4 Comments

As I talked about in this post, virtualization will offer new and interesting ways to improve security. VM state inspection (or “introspection”) is one of the ways this will happen. For clients, I discuss the transformative opportunities of virtualization and introspection techniques in two research notes from 2008: the first covers the concept and its benefits, and the second discusses some of the limitations of introspection.

VMware is the first virtualization platform vendor to ship production introspection capabilities, with the VMsafe APIs in the vSphere release earlier this year. Since then, a few vendors such as Altor and Reflex Systems have released versions of their security and management tools that take advantage of VMsafe, primarily as a way to apply network security policy regardless of the topology of the internal virtual switch. Last week, IBM started shipping its Virtual Server Security for VMware offering, which takes the VMsafe integration to a new level. Among the capabilities the solution provides (IPS, vulnerability assessment and so on) is one that is particularly interesting: rootkit detection and prevention.

In the 2008 research note I discussed a dozen or more ways that introspection will improve security, including this:

Protecting OS kernels is difficult, and OS-level rootkits are an ongoing issue. VM state inspection is one of the few ways that OS-level rootkits can be detected, a nearly intractable problem in 32-bit Windows environments. Also, malicious software that tampers with memory (for example, via buffer overflows) can be blocked with this architecture. In the physical world, most styles of HIPS can only detect memory tampering after the fact. With VM state inspection, this type of access can be prevented outright. VM state inspection also provides a cleaner way to access kernel-level information than “hooking” or “patching” the kernel.

That’s exactly what IBM has done. IBM has the first commercial implementation of a rootkit detection/prevention offering that works from outside the virtual machine it is protecting, and can therefore detect rootkits using introspection even when the rootkit is cloaked from anything running inside the same OS container. This is particularly useful for protecting hosted virtual desktops running on servers, where users run as administrators, which makes any security control running in the same container suspect (as I talked about here).
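To make the “outside the VM” point concrete, here is a small added example (not code from IBM, VMware or this blog, and it does not use the VMsafe APIs) of the two detection techniques described above, run over a constructed guest-memory snapshot. The process-record layout, the list-head address and the “kernel code” region are assumptions made for the example; real kernels use far larger structures and real tools validate more than a 4-byte tag. The first technique is the cross-view check: the in-guest view follows the kernel’s process linked list, which is exactly what a DKOM rootkit edits to hide itself, while the introspection view carves every record out of raw memory, so anything present in memory but missing from the list is flagged. The second is a code-integrity check: a digest of the kernel text region taken from a clean snapshot detects in-place patches (inline hooks) regardless of what the guest reports.

```python
import hashlib
import struct

# Hypothetical layout of one guest process record (an assumption made for this
# example): magic 'PROC' | pid (u32) | flink (u32) | blink (u32) | name (16 bytes, NUL padded)
RECORD_MAGIC = b"PROC"
RECORD_FMT = "<4sIII16s"
RECORD_SIZE = struct.calcsize(RECORD_FMT)   # 32 bytes
FLINK_OFF, BLINK_OFF = 8, 12                # field offsets inside a record
LIST_HEAD = 0x100                           # offset of the first (System) record
KERNEL_TEXT = (0x400, 0x40)                 # (offset, length) of the fake kernel code region


def build_image(names, unlink_pid=None, patch_text=False):
    """Construct a 4 KiB guest-memory image (constructed sample data, not a real dump).

    Process records form a circular doubly linked list starting at LIST_HEAD,
    with pids 4, 8, 12, ... in the order given. With unlink_pid, that record is
    spliced out of the list the way a DKOM rootkit does (the neighbours' pointers
    are rewritten; the record itself stays in memory). With patch_text, one byte
    of the kernel code region is overwritten, as an inline hook would.
    """
    mem = bytearray(0x1000)
    text_off, text_len = KERNEL_TEXT
    mem[text_off:text_off + text_len] = bytes((0x90 + i) & 0xFF for i in range(text_len))

    n = len(names)
    offsets = [LIST_HEAD + i * RECORD_SIZE for i in range(n)]
    pids = [4 * (i + 1) for i in range(n)]
    for i in range(n):
        struct.pack_into(RECORD_FMT, mem, offsets[i], RECORD_MAGIC, pids[i],
                         offsets[(i + 1) % n], offsets[(i - 1) % n], names[i].encode())
    if unlink_pid is not None:
        i = pids.index(unlink_pid)
        prev_off, next_off = offsets[(i - 1) % n], offsets[(i + 1) % n]
        struct.pack_into("<I", mem, prev_off + FLINK_OFF, next_off)   # prev.flink = next
        struct.pack_into("<I", mem, next_off + BLINK_OFF, prev_off)   # next.blink = prev
    if patch_text:
        mem[text_off + 5] = 0xE9   # overwrite an instruction byte (e.g. with a jmp opcode)
    return bytes(mem)


def read_record(mem, off):
    magic, pid, flink, blink, name = struct.unpack_from(RECORD_FMT, mem, off)
    if magic != RECORD_MAGIC:
        raise ValueError(f"no process record at {off:#x}")
    return {"offset": off, "pid": pid, "flink": flink, "blink": blink,
            "name": name.rstrip(b"\0").decode()}


def walk_list(mem, head=LIST_HEAD):
    """In-guest view: follow the linked list, as the OS's own process APIs do."""
    seen, procs, off = set(), [], head
    while off not in seen:
        seen.add(off)
        rec = read_record(mem, off)
        procs.append(rec)
        off = rec["flink"]
    return procs


def scan_records(mem):
    """Introspection view: carve every record out of raw memory by signature,
    whether or not anything in the guest still points to it."""
    procs, pos = [], mem.find(RECORD_MAGIC)
    while pos != -1:
        try:
            procs.append(read_record(mem, pos))
        except (struct.error, ValueError):
            pass   # signature hit that is not a complete record
        pos = mem.find(RECORD_MAGIC, pos + 1)
    return procs


def hidden_processes(mem):
    """Cross-view diff: records present in memory but absent from the list.
    Keyed by offset rather than pid so a rootkit cannot hide behind pid reuse."""
    listed = {r["offset"] for r in walk_list(mem)}
    return [r for r in scan_records(mem) if r["offset"] not in listed]


def kernel_text_digest(mem):
    off, length = KERNEL_TEXT
    return hashlib.sha256(mem[off:off + length]).hexdigest()


def kernel_text_intact(mem, baseline_digest):
    """Compare the kernel code region with a digest taken from a clean snapshot;
    any in-place patch (hook) changes it, whatever the guest itself reports."""
    return kernel_text_digest(mem) == baseline_digest


if __name__ == "__main__":
    names = ["System", "lsass", "explorer", "backdoor"]
    baseline = kernel_text_digest(build_image(names))
    dirty = build_image(names, unlink_pid=16, patch_text=True)
    print("guest sees:     ", [r["name"] for r in walk_list(dirty)])
    print("introspection:  ", [r["name"] for r in scan_records(dirty)])
    print("hidden:         ", [(r["pid"], r["name"]) for r in hidden_processes(dirty)])
    print("kernel text ok? ", kernel_text_intact(dirty, baseline))
```

Both checks only work because the inspector reads guest memory from outside the guest: a rootkit that has already hooked the in-guest process APIs can lie to Task Manager, but it cannot change what the hypervisor sees in physical memory without also changing the bytes the signature scan and the digest are computed over.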

These vendors are delivering against the vision I’ve been researching, writing and presenting on for the past four years — leading the way to reinvent security in virtualized environments. Very cool.

Category: next-generation-security-infrastructure  virtualization-security  

Tags: adaptive-security-infrastucture  next-generation-security-infrastructure  virtualization-security  vmsafe  vmware  vsphere  

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Thoughts on Doing Things Better With Virtualization

  1. […] rest is here: Doing Things Better With Virtualization […]

  2. […] This post was mentioned on Twitter by Cloud Computing, craiglawson. craiglawson said: Gartner comment on our hypervisor rootkit technology that uses VMSafe "introspection" in this case to get it done – […]

  3. […] more: Doing Things Better With Virtualization […]

  4. […] ← Doing Things Better With Virtualization […]


Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.