Virtualization does not eliminate security concerns

December 20, 2007

Here is something that has struck me recently: virtualization and abstraction cannot eliminate security concerns, they can only move them from one place to another. In other words, virtualization by itself doesn't do anything to prevent security bugs; it just means that they happen in a different place.

(By virtualization I mean more than hardware and OS virtualization, I also include things like the JVM.)

The advantage of virtualization is that it moves the problem inwards, towards the center of the security onion, where fewer people have to get it right and it makes sense to devote much more effort to security. The disadvantage to virtualization is that abstractions are usually more general, which means that they are bigger and more complex, which is one of the things that are bad for security.

(The other disadvantage is that security bugs in the virtualization are much more dangerous and much more valuable to attackers, because they may compromise a whole bunch of people at once.)

In the face of this, views on abstraction are partly a matter of perspective. With a local view of your system, you can have less exposure to security issues from not having to trust large abstractions. But if you have a global view, if your goal is to not have any security issues in any of your systems, you are less exposed with abstractions because they reduce the overall amount of security sensitive stuff across all of your systems; without the central abstractions, everyone has to get it right all of the time, which is a very difficult challenge.


Comments on this page:

From 194.8.197.205 at 2007-12-21 10:11:06:

You have, I assume, seen Dan J. Bernstein’s thoughts on security after ten years of qmail 1.0?

Aristotle Pagaltzis

By cks at 2007-12-21 16:33:57:

I've read it, although I don't have anything coherent to say about it directly. (It certainly influenced this entry, but it's not the only thing; Matasano Chargen's general attitude on virtualization did too, for example.)

Written on 20 December 2007.
« Why setuid scripts are fundamentally a bad idea
A thought about Solaris 10 x86's boot process »

Page tools: View Source, View Normal, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Thu Dec 20 22:43:00 2007
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.