Security / Re: What is the point of VM's?
« on: January 17, 2012, 03:22 am »
So I talked with some computer security experts regarding this matter. I hold all of them in as high of regard as Theo, they are true experts. In general, they all seemed to agree with what Theo was saying about the inherent security issues related to using full hardware virtualization, however they did not in general come to the same conclusion as he did (that you are better off to not isolate Firefox from external IP address than to use full hardware virtualization to do it).
The summary boils down to this: using full hardware virtualization does (very likely) have some security consequences, which could be significant or could be minor. I need to do more research to fully grasp the security implications of using full hardware virtualization, but the people I talked with have at least decent understandings of the issues. Many of the people I talked with suggested using full hardware virtualization to isolate network facing applications from Tor, saying that the security benefits this certainly brings will likely outweigh the security issues involved with full hardware virtualization. However, paravirtualization such as Xen offers the same isolation benefits as full hardware virtualization does, and it indeed does not have as much potential (probable?) security risk associated with it.
If the user is able to configure and use a paravirtualization system for isolation, they should use it instead of full hardware virtualization. Additionally, OS virtualization such as jails, zones, etc. offers much of the same isolation benefits without any of the risk associated with hardware virtualization (full hardware or paravirtualization). OS virtualization is probably easier for an attacker to break out of than hardware virtualization (either full or paravirtualization) but it avoids the risks that Theo is talking about with architecture virtualization security issues. Regarding my hacker friend who had previously told me that hardware virtualization offers stronger isolation, I misunderstood what he said because I didn't have a good enough understanding of virtualization when he was talking about it. Paravirtualization is also hardware virtualization, just not full hardware virtualization. Full hardware virtualization probably is harder to break out of than OS virtualization, but paravirtualization is also probably harder to break out of and it greatly reduces potential security risks that are present with full hardware virtualization (due to the architecture issues that Theo was discussing).
These virtualization techniques can be layered, however using full hardware virtualization may not be a good idea if you are already using paravirtualization / OS virtualization for isolation, because full hardware virtualization may have implementation flaws (including in the hardware that supports it) that could be used as an attack vector. This potential attack vector will not be present if you are not using full hardware virtualization.
So in short, if you can only be bothered to use the easy to configure full hardware virtualization solutions like VirtualBox, you should still use them to isolate network facing applications, instead of not isolating network facing applications at all. However, if you can configure the same thing using paravirtualization or OS virtualization you should use them instead and probably should avoid using full hardware virtualization as an additional layer. However, it is possible that using full hardware virtualization as an additional layer will add more security. It also may make you more insecure than only using OS virtualization or paravirtualization. However, attackers who can penetrate one layer of virtualization-based isolation can likely penetrate other layers; using more than one layer may technically increase the 'depth' of the isolation but it will likely only be slowing an attacker down if they are capable of breaking out of isolation at all. Also, using full hardware virtualization may give attackers an additional vector that they otherwise would not have.
The general theme I saw was "many attackers cannot break out of virtualized isolation, however the attackers who can break out of virtualized isolation can probably break out of as many layers of it as you use". And using full hardware virtualization does have potential/probable negative security implications that are not as much of an issue with paravirtualization and I don't think are issues at all with OS virtualization. But the risks of using full hardware virtualization do not outweigh the benefits of isolating Firefox from your external IP address, so if you don't plan to use anything else you should still be using full hardware virtualization-based isolation. But there are safer ways to isolate Firefox from external IP address than using full hardware virtualization that should be used instead, if you have the skill to configure them.
Also, if you have enough extra machines it is probably more secure to use them to isolate Firefox from the external IP address than to use a virtualization-based solution. However, this doesn't mean you shouldn't use virtualization to do the same thing if you do not have extra machines or the skill required to isolate Firefox in this way.
Here are some quotes:
Quote
"It is clear that you should try to keep network facing applications away from your external IP address"
"Using full hardware virtualization is better than not isolating Firefox, and it is much easier to configure than anything Theo would approve of"
"If they want to argue that full hardware virtualization is worse than not isolating Firefox away from your external IP address, ask them for an exploit that works against a full hardware virtualized system and not on an unisolated Firefox. They will not have one."
"Or ask for an easy to configure Theo approved solution for keeping Firefox isolated from the external IP address."
"One of the main things to keep in mind is that it is much easier to configure full hardware virtualization isolation than to configure any of the potentially better systems"
So there are some quotes from other people who are all security experts of the same caliber as Theo. Theo is also a security expert. They have different opinions. My personal feelings are that you should use paravirtualization or OS virtualization to isolate network facing applications from external IP address. If you can't be bothered to use paravirtualization or OS virtualization, you should still be using the easy to configure full hardware virtualization solutions. If you should use full hardware virtualization as an additional layer on top of OS virtualization or not is open for debate, it certainly has highly probable negative security implications, but it will also add an additional layer of isolation.
I hope that this helps to clear things up, or at least show another perspective on the issue. In the end nobody I talked with really disagreed with anything Theo said, they just think the risks of not isolating network facing applications from external IP address outweigh the risks of using full hardware virtualization to do so. Of course, they also all think that there are better solutions than using full hardware virtualization, they are just much more difficult to implement.
Another thing I would like to mention is that virtualization being used to isolate applications from external IP address has in practice prevented at least one hidden service from being traced after the feds pwnt it. I don't know the sort of virtualization that was used, but I think this is a clear example that there are serious benefits to using *some* sort of virtualization to isolate network facing applications from external IP address.