VMware shares secrets in security drive

Virtualisation vendor VMware has quietly begun sharing some of its software secrets with the IT security industry under an unannounced plan to create better ways of securing virtual machines.

VMware has traditionally restricted access to its hypervisor code and, while the vendor has made no official announcement about the API sharing programme tentatively called "Vsafe", VMware founder and chief scientist Mendel Rosenblum said that the company has started sharing some APIs (Application Program Interfaces) with security vendors.

"We would like at a high level for [VMware's platform] to be a better place to run," he said. "To try and realise that vision, we have been partnering with experts in security, like the McAfees and Symantecs, and asking them about the security issues in a virtual world."

Rosenblum says that some of the traditional tools used to protect a hardware server work just as well in a virtualised environment, while others "break altogether".

"We're trying to fix the things that break, to bring ourselves up to the level of security where physical machines are," he said. "But we are also looking to create new types of protection."

Rosenblum said the APIs released as part of the initiative offer security vendors a way to check the memory of a processor, "so they can look for viruses or signatures or other bad things".

Others allow a security vendor to check the calls an application within a virtual machine is making, or at the packets the machine is sending and receiving, he said.

"I don't want to be reverse engineering our products to find exploits or figure out signatures," Rosenblum said. "Fundamentally that means we have to partner. Fortunately there is a bunch that are happy to partner and I encourage that."

The relative security of hypervisor technology has been the subject of controversy in recent months.

Publicly, VMware insists that its core technology is yet to suffer from a serious breach.

But scattered among the showcase floors of the VMworld conference in San Francisco were companies such as Catbird or BlueLane — start-ups looking exclusively at the security of virtual machines.

Catbird ran a marketing campaign at the conference warning VMware users about the dangers of "running naked" — paying scant attention to securing their virtual machines.

The start-up claims that by VMware's own admission, two-thirds of virtualisation users are "running naked".

"It's been the dirty little secret of the virtualisation industry," says Howard Fried, director of sales engineering at Catbird. "Security seems to be the last thing people are doing. Nobody seems to understand that in this whole transition to virtualisation, you can't apply an identical policy to how you secure a physical server."

"At the end of the day, a hypervisor is a bag of bits that needs to be added," he said. VMware's Rosenblum said some of the statements being made by the security start-ups are "a little self-serving, since they have a particular security solution they want to apply to it".

Internal efforts
VMware is making some of its own efforts to calm user fears about the security of virtual machines.

Announced at the VMworld conference, the vendor will ship the latest version of its hypervisor (ESX Server 3i) embedded in the high-end hardware lines of IBM, Dell, HP, NEC and others.

ESX Server 3i has considerable advantages over its predecessors from a security standpoint. In this latest release, which will be available in November, VMware has decoupled the hypervisor from the service console it once shipped with. This console was based on a version of the Red Hat Linux operating system.

As such, ESX 3i is a mere 32MB in size, rather than 2GB.

Some 50 percent of the vulnerabilities VMware was patching in prior versions of its software were attributable to the Red Hat piece, not the hypervisor.

"Our hope is that those vulnerabilities will all be gone in 3i," Rosenblum said.

The vendor is also making some progress toward embedding its own security solutions within future versions of its products.

Mukil Kesavan, a VMware intern studying at the University of Rochester, demonstrated his research into the creation of a host-based antivirus scanning solution for virtualised servers at the conference. Such a solution would enable users to pay for a single antivirus solution across a box running multiple virtual servers, rather than having to buy an antivirus solution for each virtual machine.

VMware is also working on integrating the memory firewall technologies it gained via the acquisition of Determina in early August.

Determina's software protects a system from buffer overflow attacks, while still allowing the system to run at high speeds. It also developed "hot-patching" technology — which allows servers to be patched on the fly, while they are still running.

"I thought they were both cool technologies and we are looking forward to trying to combine them with what VMware does," Rosenblum said. "At a high level it would be nice to have a box in [VMware's management console] V-Center that you would tick to run extra security features. It would be an option — you might run slightly slower but it protects you against attack."

In his address to the VMworld conference, Intel senior vice president Patrick Gelsinger said security is one of the main challenges of virtualisation — as many customers won't deploy virtual machines until the industry can offer quality of service around them.

"As virtual machines get more and more popular, new attacks and security threats will emerge," he said.

The risk with virtual machines, Gelsinger said, is that "10 points of failure now become one".