The SANS Virtualization Summit
I was fortunate enough to be able to attend the SANS Virtualization Summit in Washington DC last week. To me, the name SANS equates to quality, and the SANS Virtualization Summit did not prove to be any kind of exception to this rule.
Not unexpectedly, a great deal of the content covered in this workshop had to do with cloud computing. Whether we like it or not, many people equate virtualization and cloud computing. The difference at the SANS Virtualization Summit was that the cloud computing talks actually had some substance to them, unlike most of the other talks on this subject that I have attended at other meetings and conferences. My favorite one was by Matt Linton, who described an elegant network architecture in which security processes were well integrated into cloud services at NASA Ames Research Center. In another session Alexander Meisel, CEO of Art of Defence, pointed out an often overlooked advantage of cloud computing, namely that it can offer such extensive computing power that some complex business processes that do not run well in conventional IT environments may be able to run well in the cloud.
My main interest is not cloud computing, however, but rather virtualization, especially virtualization security. A few sessions focused on the difficulty of knowing just how many virtual machines (VMs) are running in virtualized environments. One IT director talked about an audit that was conducted. The auditors found a total of 250 VMs, but the director knew of only 50 of them. Imagine the security (let alone auditing) issues that this “VM sprawl” created! Other sessions focused on the differences between conventional physical networking and virtual networking. Traffic between VMs may travel routes that network and system administrators have never envisioned. Conventional security barriers such as firewalls and intrusion prevention systems might thus not be able to inspect and in some cases block some of the traffic in virtual networks. Fortunately, technology such as virtual firewalls that mitigate this problem has become available in the past few years.
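The two problems in that paragraph, VMs nobody has on the books and VM-to-VM traffic that never reaches a physical firewall, are both inventory questions a defender can check mechanically. The script below is an added illustration, not something presented at the summit or taken from any vendor tool: it reconciles what the hypervisor layer reports as running against an asset register, and then looks for VMs that share a host and port group without a virtual firewall in the path, since their traffic stays on the virtual switch. All three inventories are constructed sample data, and the field names (`name`, `host`, `port_group`) are assumptions, not any product's export format.

```python
"""Reconcile hypervisor-reported VMs against the asset register and find
virtual-network blind spots.

Added example for illustration; not from the original post. All data below is
constructed and the record layout is an assumption, not a vendor format.
"""
from collections import defaultdict

# Constructed: what the hypervisor layer actually reports as powered on.
HYPERVISOR_VMS = [
    {"name": "web01", "host": "esx-a", "port_group": "dmz"},
    {"name": "web02", "host": "esx-a", "port_group": "dmz"},
    {"name": "db01", "host": "esx-b", "port_group": "backend"},
    {"name": "test-clone-7", "host": "esx-b", "port_group": "backend"},
    {"name": "jumpbox-old", "host": "esx-c", "port_group": "lab"},
    {"name": "lab-scan", "host": "esx-c", "port_group": "lab"},
]

# Constructed: what the asset register (CMDB) believes exists.
CMDB_VMS = {"web01", "web02", "db01", "lab-scan", "legacy-app"}

# Constructed: port groups whose traffic passes an inline virtual firewall.
INSPECTED_PORT_GROUPS = {"dmz", "backend"}


def reconcile_inventory(hypervisor_vms, cmdb_vms):
    """Return (unknown, stale): VMs running but unregistered, and registered
    entries that are not running (candidates for cleanup or investigation)."""
    running = {vm["name"] for vm in hypervisor_vms}
    unknown = sorted(running - cmdb_vms)   # the "VM sprawl" the auditors found
    stale = sorted(cmdb_vms - running)     # register says it exists; hypervisor disagrees
    return unknown, stale


def uninspected_vms(hypervisor_vms, inspected_port_groups):
    """VMs attached to a port group with no virtual firewall in the path."""
    return sorted(vm["name"] for vm in hypervisor_vms
                  if vm["port_group"] not in inspected_port_groups)


def intra_host_blind_spots(hypervisor_vms, inspected_port_groups):
    """Groups of VMs on the same host and port group, where traffic between
    them stays on the virtual switch and never reaches a physical firewall.
    Only groups without virtual-firewall coverage are reported."""
    groups = defaultdict(list)
    for vm in hypervisor_vms:
        groups[(vm["host"], vm["port_group"])].append(vm["name"])
    return sorted(
        (host, pg, sorted(names))
        for (host, pg), names in groups.items()
        if len(names) >= 2 and pg not in inspected_port_groups
    )


def report(hypervisor_vms=HYPERVISOR_VMS, cmdb_vms=CMDB_VMS,
           inspected=INSPECTED_PORT_GROUPS):
    unknown, stale = reconcile_inventory(hypervisor_vms, cmdb_vms)
    print(f"running: {len(hypervisor_vms)}, registered: {len(cmdb_vms)}")
    print("unknown to CMDB:", unknown)
    print("registered but not running:", stale)
    print("no virtual firewall on port group:",
          uninspected_vms(hypervisor_vms, inspected))
    for host, pg, names in intra_host_blind_spots(hypervisor_vms, inspected):
        print(f"blind spot on {host}/{pg}: traffic between {names} is uninspected")


if __name__ == "__main__":
    report()
```

Run against real data, the hypervisor list would come from the management API and the CMDB set from the asset system; the point of the structure is that the hypervisor, not the register, is treated as ground truth for what is running, which is exactly the reversal the audit in the paragraph above exposed.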
One of the most interesting talks was by the conference chair, Tom Liston. He described his research efforts in trying to discover and exploit a vulnerability in VMware that would allow someone who had access to a guest VM to obtain access to the host without authorization. Many virtualization specialists claim that "bare metal" virtualization prevents this kind of thing from happening. He refuted this claim, saying that it is impossible for a virtual machine monitor (VMM) to run directly on hardware; there must be at least some operating system instructions available if the VMM layer is to function. This gives an attacker the ability to identify and exploit vulnerabilities in that operating system, even if it is razor thin. Tom found that the operating system instructions were written in assembly language, and that some of the commands were not part of the conventional instruction set but were custom instructions. He discovered some coding flaws that could be exploited; one allowed him to crash one of the guest VMs to gain unauthorized access to the host on the same physical machine.
A good part of the second day of the conference dealt with compliance issues. Speakers and panelists described numerous complications that cloud computing and virtualization have presented in achieving compliance with various regulations. They then advocated solutions ranging from the use of certain technology products to forming partnerships with providers and/or writing and enforcing SLA provisions that help ensure that compliance requirements are being met.
Ed Ray and I co-presented a talk in which we asserted that the most fundamental problem with security in virtualized environments is vulnerabilities in virtualization software. We described vulnerabilities that have surfaced in virtualization products such as various flavors of VMware, Denali, and Windows Server 2008 Hyper-V over the years, and said that if you do other things right for security in virtualized environments, but do not create and implement a vulnerability patching process, virtualized environments are wide open to attackers. If you would like a copy of this talk, just send email to email@example.com.
I entered the virtualization security arena over four years ago, and have found it to be fascinating. I have done my best to learn as much as I can, and I have learned quite a bit over the years, but the SANS Virtualization Summit did more to accelerate my knowledge and understanding than anything prior to it. Good job, SANS, good job, Tom Liston.