Virtualization does not eliminate security concerns
Here is something that has struck me recently: virtualization and abstraction cannot eliminate security concerns; they can only move them from one place to another. In other words, virtualization by itself doesn't do anything to prevent security bugs; it just means that they happen in a different place.
(By virtualization I mean more than hardware and OS virtualization, I also include things like the JVM.)
The advantage of virtualization is that it moves the problem inwards, towards the center of the security onion, where fewer people have to get it right and it makes sense to devote much more effort to security. The disadvantage of virtualization is that abstractions are usually more general, which means that they are bigger and more complex, and size and complexity are bad for security.
(The other disadvantage is that security bugs in the virtualization are much more dangerous and much more valuable to attackers, because they may compromise a whole bunch of people at once.)
In the face of this, views on abstraction are partly a matter of perspective. With a local view of your system, you can have less exposure to security issues by not having to trust large abstractions. But if you have a global view, if your goal is to not have any security issues in any of your systems, you are less exposed with abstractions because they reduce the overall amount of security-sensitive code across all of your systems; without the central abstractions, everyone has to get it right all of the time, which is a very difficult challenge.
Written on 20 December 2007.