Death of antivirus software imminent

alien alien at MIT.EDU
Wed Jan 2 21:35:29 EST 2008


Today's VMMs aren't even designed to fit the formal criteria for a VMM
(at least as expressed, intelligently, by Popek and Goldberg back in the
70s).  VMM-aware malware leverages this: for example, by making calls to
VMware's "backdoor" communications channel from the guest (i.e. jerry.c).
If the "equivalence" principle were actually upheld, this wouldn't be
possible-- but then again, users wouldn't have all those handy features
like cut-n-paste from guest to host.

Sherri



Leichter, Jerry wrote:
> Virtualization has become the magic pixie dust of the decade.
> 
> When IBM originally developed VMM technology, security was not a primary
> goal.  People expected the OS to provide security, and at the time it
> was believed that OS's would be able to solve the security problems.
> 
> As far as I know, the first real tie of VMM's to security was in a DEC
> project to build a VMM for the VAX that would be secure at the Orange
> Book A2 level.  The primary argument for this was:  Existing OS's are
> way too complex to verify (and in any case A2 required verified design,
> which is impossible to apply to an already-existing design).  A VMM can
> be small and simple enough to have a verified design, and because it
> runs "under" the OS and can mediate all access to the hardware, it can
> serve as a Reference Monitor.  The thing was actually built and met its
> requirements (actually, it far exceeded some, especially on the
> performance end), but died when DEC killed the VAX in favor of the
> Alpha.
> 
> Today's VMM's are hardly the same thing.  They are built for
> performance, power, and manageability, not for security.  While certainly
> smaller than full-blown Windows, say, they are hardly tiny any more.
> Further, a major requirement of the VAX VMM was isolation:  The
> different VM's could communicate only through network protocols.  No
> shared devices, no shared file systems.  Not the kind of thing that
> would be practical for the typical uses of today's crop of VM's.
> 
> The claim that VMM's provide high level security is trading on the
> reputation of work done (and published) years ago which has little if
> anything to do with the software actually being run.  Yes, even as they
> stand, today's VMM's probably do provide better security than some -
> many? - OS's.  Using a VM as resettable sandbox is a nice idea, where
> you can use it.  (Of course, that means when you close down the sandbox,
> you lose all your state.  Kind of hard to use when the whole point of
> running an application like, say, an editor is to produce long-lived
> state!  So you start making an exception here, an exception there
> ... and pretty soon the sand is spilled all over the floor and is in
> your eyes.)
> 
> The distinction between a VMM and an OS is fuzzy anyway.  A VMM gives
> you the illusion that you have a whole machine for yourself.  Go back
> and read a description of a 1960's multi-user OS and you'll see the
> very same language used.  If you want to argue that a small OS *can
> be* made more secure than a huge OS, I'll agree.  But that's a size
> distinction, not a VMM/OS distinction....
> 							-- Jerry
> 
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
