Death of antivirus software imminent
alien
alien at MIT.EDU
Wed Jan 2 21:35:29 EST 2008
Today's VMMs aren't even designed to fit the formal criteria for a VMM
(at least as expressed, intelligently, by Popek and Goldberg back in the
70s). VMM-aware malware leverages this: for example, by making calls to
VMware's "backdoor" communications channel from the guest (i.e. jerry.c).
If the "equivalence" principle were actually upheld, this wouldn't be
possible-- but then again, users wouldn't have all those handy features
like cut-n-paste from guest to host.
Sherri
Leichter, Jerry wrote:
> Virtualization has become the magic pixie dust of the decade.
>
> When IBM originally developed VMM technology, security was not a primary
> goal. People expected the OS to provide security, and at the time it
> was believed that OS's would be able to solve the security problems.
>
> As far as I know, the first real tie of VMM's to security was in a DEC
> project to build a VMM for the VAX that would be secure at the Orange
> Book A2 level. The primary argument for this was: Existing OS's are
> way too complex to verify (and in any case A2 required verified design,
> which is impossible to apply to an already-existing design). A VMM can
> be small and simple enough to have a verified design, and because it
> runs "under" the OS and can mediate all access to the hardware, it can
> serve as a Reference Monitor. The thing was actually built and met its
> requirements (actually, it far exceeded some, especially on the
> performance end), but died when DEC killed the VAX in favor of the
> Alpha.
>
> Today's VMM's are hardly the same thing. They are built for performance,
> power, and manageability, not for security. While certainly
> smaller than full-blown Windows, say, they are hardly tiny any more.
> Further, a major requirement of the VAX VMM was isolation: The
> different VM's could communicate only through network protocols. No
> shared devices, no shared file systems. Not the kind of thing that
> would be practical for the typical uses of today's crop of VM's.
>
> The claim that VMM's provide high level security is trading on the
> reputation of work done (and published) years ago which has little if
> anything to do with the software actually being run. Yes, even as they
> stand, today's VMM's probably do provide better security than some -
> many? - OS's. Using a VM as a resettable sandbox is a nice idea, where
> you can use it. (Of course, that means when you close down the sandbox,
> you lose all your state. Kind of hard to use when the whole point of
> running an application like, say, an editor is to produce long-lived
> state! So you start making an exception here, an exception there
> ... and pretty soon the sand is spilled all over the floor and is in
> your eyes.)
>
> The distinction between a VMM and an OS is fuzzy anyway. A VMM gives
> you the illusion that you have a whole machine for yourself. Go back
> and read a description of a 1960's multi-user OS and you'll see the
> very same language used. If you want to argue that a small OS *can
> be* made more secure than a huge OS, I'll agree. But that's a size
> distinction, not a VMM/OS distinction....
> -- Jerry
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com