BootCamp, RebootCamp, and Virtual Security

Posted by in Analysis on Apr 13, 2006

Along with a bunch of other folks, I’ve been following the numerous discussions about Apple’s Boot Camp with a bit of interest; “dual booting” isn’t a particularly new technology for most of us, but it’s interesting nevertheless. Today, I came across a post on Peter O’Kelly’s Reality Check that made the topic even more interesting – a technology called “Parallels” that allows a Mac user to run a virtual Windows image. Ok, ok – virtual machines aren’t new technology either – but all these discussions about maximizing the flexibility of the new Apple hardware open up interesting possibilities for Mac users. Which leads me to something… Notice this language in the article that Pete references (emphasis mine):

Most people comment that an Intel Mac runs Windows faster than any PC they’ve ever owned. And if the Windows side ever gets bogged down with viruses and spyware, you can flip into Mac OS X and keep right on being productive.

While this isn’t really the point of the article, the obvious subtext is that virtualization technology increases the overall security of the platform. This is a view I hear more and more commonly; for example, Security Focus has an article that came out yesterday about the security advantages of virtualization:

Mike Danseglio, a Microsoft program manager in the company’s security group, recently had this to say at a security conference: “When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit.” So it’s come to that. Everyone reading this knew it all along, but there it is in black and white – if a Windows machine gets infected, wipe it and start again from a baseline install. Virtualization, however, makes that easy, affordable, and quick.

I think it behooves us to question the assumptions here – is it a given that virtualization will bring with it a corresponding increase in platform security? I used to think so, but now I’m not so sure… but we’ll get to that in a minute. Let’s start by looking at how some of the products out there enumerate the perceived security benefits.

  • VMWare says, “Users protect their PCs against adware, spyware and other malware while browsing the Internet with Firefox in a virtual machine… isolation capabilities to prevent malware downloaded in the browser from propagating to the normal desktop.” Point 1: applications are “isolated” from the host operating system.
  • IBM says, “The partitioning-capable server is designed so that one partition is isolated from software running in other partitions, including protection against software defects and even deliberate software attempts to break the partition barriers.” Point 2: applications are “isolated” from each other.
  • Sun says, “N1 Grid Containers are shielded from the outside world and the tenants of a container are assured that no other users of a container on the same system can “see” what they are doing, or derive or compromise information. Additionally, an administrator, such as the traditional ‘root’ user, inside of a container only has authority over his own container, so if the container is illegally accessed, the container isolates the intruder inside the boundary.” Point 3: users are “isolated” from inappropriate resources.

Hmm… Sounds to me like the hubbub is about isolation; in other words, the claim is that virtualization improves security because applications and users can now be grouped in any number of ways at the application level. Hearing no argument, if this type of isolation is the primary goal, what does that mean for us from a security perspective? Let’s look at it from the top down – can we make the broader statement that “isolation” in other contexts is always a security benefit? Is it true that segregation in and of itself has a clear security benefit in all cases? Some would argue with me on this, but I happen to think the answer is “no”… I think segregation improves security only to the extent that it is manageable… period. Without management, segregation adds nothing to security (best case) or even detracts from security (worst case).

By analogy, take isolation technology at the network layer. For a long time, a bunch of people thought that buying and deploying firewall technology (thereby isolating portions of their network) would solve a ton of security issues; but we learned over the course of events that it wasn’t the isolation itself that brought the benefit, but the broader context of how that isolation is used and maintained. In other words, a firewall won’t do anything unless you deploy it in an intelligent way. It’s fairly accepted nowadays that firewalls (while a useful tool in most cases) can also decrease security depending on how they are used and deployed.

It seems to me that virtualization is the same thing: use it intelligently as an isolation tool and you increase security – use it without thinking through how it will fit in your current world and you decrease security. Create a well-thought-out and manageable set of virtual images/apps/whatever along with a well-defined plan for how to maintain them, and you probably will (as VMWare, IBM and Sun claim) create an environment in which security thrives. However, create yet another unmanageable mess (e.g. unmaintained VM images, unpatched “disposable” guest OSes, etc.) and the only thing you’ve done is increase complexity, increase administrator workload, and build new “virtual” pathways to your assets. I guess the moral of the story is the same one I’ve made countless times: management first, technology second.
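To make the “management first” point concrete, here is a small added example (my own code, not anything from the post or from the vendors it quotes): a policy audit run over a constructed inventory of VM images. It flags exactly the conditions the paragraph warns about – images nobody owns, images outside the managed set, images that have gone unpatched past a threshold, and unmanaged images with bridged networking, which are the “virtual pathways” to your assets. The inventory records, field names and the 30-day threshold are assumptions for illustration.

```python
from datetime import date, timedelta

# Constructed sample inventory (not from the post): one record per VM image.
# "network" is assumed to be either "bridged" (reachable from the LAN) or
# "host-only" (reachable only from the host).
INVENTORY = [
    {"name": "web-fe-01", "owner": "platform", "managed": True,
     "last_patched": "2006-04-01", "network": "bridged"},
    {"name": "scratch-xp", "owner": None, "managed": False,
     "last_patched": "2005-11-20", "network": "bridged"},
    {"name": "fx-browser", "owner": "desktop", "managed": True,
     "last_patched": None, "network": "host-only"},
    {"name": "db-test", "owner": "dba", "managed": True,
     "last_patched": "2006-02-20", "network": "host-only"},
]

# Assumed policy: an image must be patched at least every 30 days.
MAX_PATCH_AGE = timedelta(days=30)


def audit_images(inventory, today, max_age=MAX_PATCH_AGE):
    """Return {image name: [policy violations]} for images that fail the policy.

    Images with no violations are omitted, so an empty dict means the
    inventory is fully managed.
    """
    findings = {}
    for img in inventory:
        reasons = []

        # Unmanaged images are the "unmanageable mess": nobody is maintaining them.
        if not img.get("managed"):
            reasons.append("not in managed image set")
        if not img.get("owner"):
            reasons.append("no owner")

        # Patch staleness: never patched, or patched longer ago than the policy allows.
        patched = img.get("last_patched")
        if patched is None:
            reasons.append("never patched")
        else:
            age = today - date.fromisoformat(patched)
            if age > max_age:
                reasons.append(f"unpatched for {age.days} days")

        # An unmanaged image on the real network is a new path to your assets.
        if not img.get("managed") and img.get("network") == "bridged":
            reasons.append("unmanaged image with bridged networking")

        if reasons:
            findings[img["name"]] = reasons
    return findings


def report(findings):
    """Render findings as one line per violation, sorted for stable output."""
    lines = []
    for name in sorted(findings):
        for reason in findings[name]:
            lines.append(f"{name}: {reason}")
    return lines


if __name__ == "__main__":
    # Date of the original post, used as "today" for the constructed data.
    for line in report(audit_images(INVENTORY, date(2006, 4, 13))):
        print(line)
```

Run as a script it prints one line per violation; the useful part is that the clean, owned, recently patched image produces no output at all, while the ownerless “disposable” image trips every rule, including the networking one. Wiring a check like this into whatever inventory the images actually live in is the management half that the vendor quotes above leave out.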

Thus endeth the rant.
