login
Search
A thread on the OpenBSD -misc mailing list began by discussing whether or not XEN had been ported to OpenBSD, "is it planned at some point to release a paravirtualized xen kernel for OpenBSD 4.3 or 4.4?" Later in the discussion it was suggested that virtualization should be a priority for security reasons, "virtualization seems to have a lot of security benefits." OpenBSD creator Theo de Raadt strongly disagreed with this assertion, "you've been smoking something really mind altering, and I think you should share it." He went on to describe virtualization as "something on the shelf, [which] has all sorts of pretty colours, and you've bought it", explaining:
"x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of shit. You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes."
Later in the thread, Theo went on to note, "if the actual hardware let us do more isolation than we do today, we would actually do it in our operating system. The problem is the hardware DOES NOT actually give us more isolation abilities, therefore the VM does not actually do anything what the say they do." He then suggested that companies marketing virtualization should soften their claims to something supportable, such as, "yes, it [increases] hardware utilization, and the nasty security impact might be low".
OpenBSD still exists? Too
OpenBSD still exists?
Too bad. The world would be better without security
fanboys in general. And exactly these are attacks against the
other security fanboys in general - i see kindergarten fights
happen here. To a bigger extent than on the Linux Kernel
Mailing lists too.
There is more to the world than security.
Yes, luckily it does.
"OpenBSD still exists? Too bad. The world would be better without security fanboys in general."
Yes, much better. For one, we'd still be using telnet rather than ssh. Those bastards!
Anyway, next time you want to troll, try to be a bit more convincing. Thank you.
SSH
Well, a variety of other SSH clients exist, as well as the official SSH distribution. Just because the OpenBSD guys released an as-of-now widely used flavor of the SSH server + SSH client, does not mean that without them, we would not have a freely available SSH server + SSH client.
Regardless, I appreciate the hard work by the OpenBSD folks, and appreciate multiple viewpoints. This world would be far more boring [and possibly less secure] without the likes of Theo de Raadt :)
code auditing
I sat on the cvs-commit mailing list for a short while a few years back.
I remember one was a routine fix for time synchronization in the IP stack. It wasn't listed as a security flaw, I suspect other subsystems protected that bug from being exploitable. Just a routine code-walk fix.
Three weeks later, Redhat, Freebsd and Debian had announced updated kernel packages for fixing network time synchronization features.
Six months later, equivalent patches had been released for on of the major Unix's.
18 months later, Microsoft had released a security update to their Operating system for I suspect the related fix (being derived from BSD IP stack).
SSH is only _one_ of the many gifts the OpenBSD group has given to the world.
Sure, but...
Sure, but then we'd be paying for it commercially as we would the average commercial Linux distro (or pirating it like a Linux distro) and then wishing they weren't a monopoly and begging for a Free, Open Source implementation of it.
Thank you OpenBSD for this and all other goodies, also thank you that it's portable to Linux and other OS's too. I've started slowly upgrading and migrating some Linux boxes to OpenBSD with much greater success than Linux has had thus far - great work! I've never seen an OS so clean and well done as OpenBSD so far either.
That may be true, but he was
That may be true, but he was talking about "security fanboys", not "the OpenBSD project", and all of those other SSH implementations (at least, the ones that actually work) have one thing in common:
They were written by security fanboys. So yes, without security fanboys, we'd all be using telnet, or something equally stupid.
I thought this comment was a
I thought this comment was a joke at first. I'm still not convinced. As far as operating systems are concerned, the two most important goals are security (see OpenBSD) and stability (see NetBSD). Speed is third (see Windows). Correctness is the most important thing, and correct code is stable and secure. If it is not correct, it is worthless.
*cry*
Speed is third (see Windows).
I'm at a loss of words to describe the ignorance of this particular fellow. I'll just go back to crying.
I am just hoping he meant
I am just hoping he meant speed of development, probably not the same "speed" you were thinking of.
speed of development... as
speed of development... as shown with vista's development time.... ;)
porl
I was trying to be succinct,
I was trying to be succinct, and apparently, people dislike that. For the record, stability is one of the main goals of NetBSD developers. And by speed, I do not mean speed of development. I mean that it's designed to run fast. Windows does run faster than Linux in many ways. For example, programs start up way faster, and I run Gentoo, so everything should be pretty much optimal. And I would have said that Linux's main priority was speed, but I thought it wouldn't fly well on a mainly Linux website.
While I'm at it, another Linux priority is to get as many options into the kernel as fast as possible.
Sorry for digressing, but
Sorry for digressing, but here's a rant:
In my opinion, the main reason why Windows is still faster on the desktop is that most of their current GUI framework was built back in the days of Windows 95, and the framework is so fragile that it has stopped them from adding too many new features to bloat it further. Back in 1995, Microsoft was way more performance-conscious than the open source world in 2007, simply because the hardware was orders of magnitude slower.
For comparison, in the Unix land you can see GTK+, Qt, window managers, breaking world records for bloat with each new release. Fast and lightweight code can still be written, but it's simply not a focus anymore. Want to see performance in the Unix land? Run a FLTK application; it will blow your mind.
So the metric you are looking for is not "how fast", it's "how lightweight". Another obvious example of "lightweightness" vs. speed is Java: you have all seen the benchmarks suggesting that various Java JITs are on par with C compilers. But regardless, Java is still sluggish and annoying in comparison, simply because it is (in most cases) not as lightweight as C code.
OpenBSD focuses on correct code
Having followed linux kernel development, I would say it was mostly focused on speed than anything else.
Speed?
speed? I thought they were focused on poorly done code/code bloat.
Stability, see NetBSD? I
Stability, see NetBSD? I really can't agree with this. NetBSD more for compatibility on a wide variety of hardware (not too sure what the number is now).
With OpenBSD, they don't just review the code on a regular basis for 'security holes', but it allows them to audit the code for other BUGS that cause instability issues.. But yes, compared with Windows and say, Linux, NetBSD is still much better for stability.
It does
Security "fanboys" are what keep you safe behind the scenes.
There is a lot involved in the world, security is a big part of it. I sure hope you don't handle IT network security for my bank, I like being able to go out for a nice steak dinner and not have a problem when it comes time to pay because someone just emptied all my bank accounts.
I currently do IT for a company, we're researching vmware, we currently have a lot of applications on their own servers, big waste of resources, and time is coming to replace servers and I don't want it to turn into a big waste of money either. I have to carefully choose which systems we can run in a virtualized environment, the potential for a security breach between virtualized OSes is definitely there, but like anything in this industry, its never 100% secure, you have to choose what you do carefully or you'll be opening the doors for huge data mining to take place and then you're F'd in the A my friend. You get what you pay for.
Those tinfoil-hat security fanboys do have their uses, you know.
I use OpenSSH on a daily basis and have enjoyed OpenBSD's reference IpSec suite to test new hardware for compatibility. I have to admit, though, that I have not yet gone back to running OpenBSD after my (486) firewall burnt out. I'm simply not that deep 'into the scene' anymore
Whilst there are good arguments to virtualization (along the lines of LVM and Quota for your hardware),
it should not be regarded as a security tool (for arguments stated above)
What Virtualization -does- allow you to do, is set up a fully featured Development-, Test- and Acceptance- server on the same piece of hardware. With a bit of trickery it even allows on-the-fly hybernation-type full backups and restores os a machine, without even stopping the machine itself. Like an Ignite tape on steroids.
I think the original question was a reasonable one, if only for the wrong reasons.
Virtualization allows for fully-controlled testing environments.
Copying the full DomU currently running on the firewall and restoring it to a testing/development server gives you an environment to test a new firewall design or to examine a hacked machine in a sandbox environment, without the hacker's scripts/tools finding out about it, allowing for forensic examination.
It's a tool, not a security measure.
Apples and Oranges?
Saying "more secure" or "less secure" is meaningless without context. I'm sure that they're right and that setting up multiple virtual guest OS instances on a single piece of hardware is less secure than setting up multiple boxes.
If you only have budget for a single server then setting up multiple VM instances may be more secure than setting up a single box for the various required services.
beat me to the punch
It's useful to talk about security in the abstract--however security is never truly decoupled from the real world.
it *will not* be any more
it *will not* be any more secure, but it *might* not be less secure
Weakest Link
Unless you put up one OS or set of services in one instance, which then becomes the weakest link in the chain. Such as, running OpenBSD and Windows as guest instances. OpenBSD now becomes susceptible to all the Windows exploits... or vice-versa.
Different perspectives
TdR: "You've already made the decision to decrease security by
de-compartmentalizing onto one physical box, so you are just thrilled
with the ability to decrease security more by de-compartmentalizing
the software further."
I look at virtualization from the opposite angle: I have money to spend on software, hardware, end-user support, and administrator time. Security is one of the axes on which such a system (or systems) are measured. End-user productivity, maintenance costs, failure tolerence, etc. are other things which might (or might not) matter to me.
Which is more secure:
. 3 applications, each running in a hypervisor supervised system
. 3 applications, running on a single system
. 3 applications, each running on a different system
I claim that the answer is not clear, and depends on all of the above factors. Saying that virtualization always decreases security is just hyperbole.
Note that I'm not claiming that Xen is the greatest example of a virtualization system; I do claim that a paravirtualized hypervisor can provide a narrower, more well-defined, and possibly more secure interface between 2 Unix-like operating systems compared to the interface between user-space and a Unix-like operating system.
Shush, you!
Damn your pragmatism. If we wanted to hear about you and your reasonable ways, we'd pound it out of you!
Though if you're talking about security in absolute terms, TdR is right; Option 3 is really the most secure assuming you have sufficient resources to dedicate to running and maintaining those machines and the software upon them. The thing I've noticed about the free/open software community is that the cost of labor does tend to be overlooked because we're all so used to spending a great deal of time hacking on, improving, and maintaining our own software. That's part of the price you pay for not purchasing a shrinkwrapped box.
It seems you didn't
It seems you didn't understood Theo's points: using virtualized environment does AUGMENT security holes BY DESIGN because the hardware architecture of the PC platform has flaws that when shared by multiple virtual machines are exploitable to escape the VM.
So an OS running in a virutalized environment is less secure that the same OS running directly on the hardware.
Also, every new layer of complexity in a system increases the risk of security holes, especially when the failures of the different layers can be combined.
no
1) Did I say anything about PCs?
2) I assert that a paravirtualized VM is an easier interface to {audit/understand/secure} than a Unix-alike kernel<->userspace (or kernel<->hardware for that matter) interface.
To support 2, I offer the following proposition:
I would like to (for some reason) run an operating system which I, myself, have never audited, in whole or part. I assert that running this operating system under a VM is more secure than running it on a physical hardware.
You might say that this is twisting the definition of security (security from vs security of). I claim that both are security, and anyone who argues that running on the bare metal is more secure than running against a paravirtualized interface is silly. In the case of the PC, you can even use Theo's dislike of PC hardware to make this argument.
HTH.
"and anyone who argues that
"and anyone who argues that running on the bare metal is more secure than running against a paravirtualized interface is silly."
*sigh*
http://taviso.decsystem.org/virtsec.pdf
Anyone who argues and does not understand the principals involved will be made to look silly.
@Oliver http://en.wikipedia.o
@Oliver
http://en.wikipedia.org/wiki/Netiquette
@Theo
Thank you for stating what many SA's already know. Hopefully, we can get the remaining 10% to come around or leave the industry. Virtualization does nothing more for security than chroot does, which is "nothing at all". Know that by stating it in such a rude and inflamitory way serves only to enlighten people about security, and drive them to choose an alternative kernel (alternative bieng one that you have nothing to do with).
Please get help,
Frank
No response to logical debate
Hello,
I'm the OP that Theo first flamed, having started and extensively consulted on OpenBSD deployments at the University of California, Davis.
In the thread, I've made references to research and presentations done by my colleagues in the UC system discussing Xen security advantages, particularly work done by Bill Broadley at the Computational Science & Engineering group at UC Davis.
I've yet to see logical responses to points posted in this message:
http://marc.info/?l=openbsd-misc&m=119332410721337&w=2
Also, Christoph Egger has done extensive work porting DomU code to OpenBSD (as part of a Google Summer of Code project), and is working on Dom0.
Unfortunately, the OpenBSD developers haven't looked at his patches.
http://marc.info/?l=openbsd-misc&m=119323951310432&w=2
http://marc.info/?l=openbsd-misc&m=119323900009484&w=2
http://marc.info/?l=openbsd-misc&m=119324065212680&w=2
Except possibly Ted Unangst:
http://marc.info/?l=openbsd-misc&m=119324997127856&w=2
looking at my responses (in this thread)
It's too easy to slide into advocacy and silly flaming.
/me bows out
You're ignoring the point,
You're ignoring the point, putting an insecure system over top of a secure system is making the system less secure.
Security is all about compartmentalization
Over decades of evidence that operating system kernels are not secure, you still dare to make the assumption that they are?
You simply cannot solve security on a single level alone. If you have a single level of security, and this level is compromised, your entire system is compromised. In fact, Unixes have never supported just a single level of security; there have always been two levels: normal user and root user. Or a bit more abstractly, user level and kernel level (equivalent to root because root can inject code into the kernel). In many situations there is another layer of security provided by the application — e.g. a web browser has less privileges on the server than the HTTP server process; this is enforced by the HTTP daemon.
Given these three levels of security, if an attacker wishes to gain control over the whole system, they first have to compromise an unprivileged account on the system, then compromise the root account. Yes, privilege escalation bugs exist, and nevertheless we don't call this "putting an insecure system over top of a secure system", because this is simply untrue.
What virtualization does is that it adds yet another layer of security: To compromise the whole system from bottom up, the attacker has to break all layers: application, user, kernel and hypervisor.
And sometimes there are shortcuts you can take. A flaw in the kernel's TCP stack may compromise the whole kernel; the same of course applies to hypervisors. But this is the only downside.
In fact, the kernel<->hypervisor interface is in many ways simpler than the user<->kernel interface; it is conceivable that it could also have less bugs. Just consider that OS kernels have existed for decades, hypervisors/virtualizers have had a much shorter lifetime — no doubt they will have more bugs in their current stage. Just give them some more time to settle down and sort out the issues.
"a web browser has less
"a web browser has less privileges on the server than the HTTP server process; this is enforced by the HTTP daemon."
eh ?
How does that work then ?
This is somewhat irrelevant,
This is somewhat irrelevant, but I'll clarify anyway: A web browser (or any HTTP client) cannot just access any file on the server, which would technically be readable for the HTTP daemon; the daemon sanitizes all user-specified paths and checks whether they are within the /var/www/htdocs directory.
Similarly, the HTTP daemon could launch any process under its privileges, but it does not permit the HTTP client to do so without checking that the script lies in cgi-bin.
This means that to get the HTTP server to disclose/execute arbitrary files, you have to break the first layer of security — the application.
> I've yet to see logical
> I've yet to see logical responses to points posted in this message:
>
> http://marc.info/?l=openbsd-misc&m=119332410721337&w=2
point one has been refuted several times in the thread.
point two is irrelevant. does it matter that one person did not demonstrate an attack? What matters is one person who does.
Ditto with point three.
my primary concern with virtualization actually isn't security. it would have to be stable enough for my systems to stay up for me to worry about that.
Logical debate
Really? Where?
Proof by assertion doesn't count.
And again, where is the demonstration of a successful DomU->Dom0 attack against current Xen? Certainly, that's the standard that OpenBSD uses in its security.
And how does detecting rootkits not count for security?
No one's claiming the primary focus of virtualization is security. But there are some nice side-effects there, too.
On the flip side, there's a lot of malware research going on to virtualize attacked systems as the means to construct better rootkits.
Just ingore the OBSD
Just ingore the OBSD fanboys. Most of them don't know anything about what Theo is talking about they just assume that he is right and knows everything. Their proof that your wrong is that Theo disagrees with you.
Also bashing x86 is popular. (Everybody should be using PPC, ya know!) That way through their computer tastes they can yet again show their superiority over the wintel crowd.
If you want proof that they don't realy understand what is going on just ask them:
"Can FreeBSD's Jail mechanism be used to increase security? "
If they say 'yes' and still tell you that virtualization is worthless for security you can know for a fact that they are clueless. (you can almost hear their brains clicking away trying to figure out how to explain to me that a weaker form of isolation (bsdjail) is better then a stronger form of isolation (xen). It's going to be tough for them to stay on the BSD side of things with that arguement. That is unless they think that Freentil is as worthless as Lintel)
You and I both know that implimenting security costs a lot. It costs a lot in term of time, hardware, and effort.
For example:
Sure if your running a web server and you have three servers with one being the front end (caching reverse proxy/firewall) and one being the webapp server and another being the database server.
That's the ideal situation and is the one that Theo would be advocating.
But what if you can't afford to have 2-3 seperate machines? What if you can't afford the extra space on the rack at the colocation? Are you doomed to running your firewall on the same machine that your running your database and web apps?
Nooo... because you can use virtualization to divide up the machines and isolate it.
You can provide a locked down base system that simply acts as host.. no network access no nothing. It runs no services, runs no gui, runs nothing except to help abstract the drive space and network interface.
On top of that you can run your seperate machines in virtualization. In order to break out of the VM sandboxes any attacker would have to find a flaw in your servers, exploit that. After they get access to the user account that the service is running in they have to find a local exploit in that OS to get root. Then after that they need to find a exploit in Xen or whatever VM technology you have in order to get root on the base system and then access the other servers.
Certainly it's better to run seperate machines, but you can't always run seperate machines.
Then in addition to that it provides a cheaper way to impliment IDS like AIDE and snort. That's not possible to do with a single OS machine. It's mostly pointless from a security standpoint.
Obviously it would be ideal to have a way to remove drives from your server or boot up from read-only media in order to correctly impliment Tripwire or AIDE. And it would be superior to have a switch with a tap port or a passive tap on your ethernet backbone somewere so that you can impliment a undetectable dedicated SNORT box... but you obviously can't do that in the (very common) situation I described and most companies (which are small to medium sized businesses) can't afford to do that even if they have a dedicated room for networking and server equipment.
All this shit is like _duh_.
w00t, UCD CS&E ftw!
w00t, UCD CS&E ftw!
Response to logical debate
Just read the slides you mentioned in the post. Nice research. It basically states that DomU -> Dom0 access is "difficult" and then proceeds to describe a system for checking the file integrity of DomU from Dom0.
However, presenting a "Possible, even nice, security related use" of VM's does not show that is a "secure" solution for replacing multiple boxes.
When you wrote "Virtualization seems to have a lot of security benefits", you were probably thinking about the above research.
However, most people think about VM and security in terms of isolation.
Quoting http://marc.info/?l=openbsd-misc&m=119323710806321&w=2
> Virtualization provides near absolute security
> - DOM0 is not visible to the user at all, only
> passing network traffic and handling kernel calls.
> The security comes about in that each DOMU is totally
> isolated from the the others, while the core DOM0 is
> isolated from any attacks.
The above was the post that really fanned the flames, and the research about 'security related use' was not relevant anymore.
It is obvious that there are many cool things that you can do with a VM setup. Snapshots, recovery, migration all have obvious and sometimes not so obvious security/recovery/forensics related _uses_.
I would not trust a VM layer to provide isolation between my critical applications. I would use a VM, on an isolated box, for investigating an unknown, possibly malicious program for the snapshot and rootkit detection benefits (Though some recent malware try to detect a VM and change their behaviour. Now, what if the malware author happened to have a 0 day exploit for the particular VM system I am using. Hmm ...)
As long as you know and understand the risks, you can use any system, any way you like. But making blanket statements like "Virtual Machines are absolutely secure" is very dangerous. Not only to the one making the statement, who probably deserves to get burned, but to others who believe these statements and fall into a false sense of security.
Can
Virtualization and security.
Hi!
Joanna Rutkowska from invisiblethings.org has some interesting things to say about this topic. Let's just say that security is an issue....
Check: http://bluepillproject.org/
and
http://www.invisiblethings.org/
-Tryggve Knutsson
This whole thread is pretty
This whole thread is pretty ridiculous, people are spouting hyperbole left and right on both sides.
Virtualization in and of itself does not magically give you better security, that should be pretty obvious. If implemented poorly, it surely could open up a lot of holes, and I don't doubt that there are some in existing systems.
However, a hypervisor's interface is much much smaller and simpler than the interface for an operating system. So that weakens the "operating systems are insecure, therefore hypervisors must be just as bad" argument.
People have mentioned the x86 architecture being messy and making isolation difficult. This is true, it has definitely made virtualization tough, especially on systems before Intel and AMD released their HV systems allowing for full virtualization. However, I haven't seen any sort of proof or even specific evidence that would indicate that the x86 architecture makes it impossible to properly isolate a VM, or that current offerings from Xen or VMware or what have you don't properly isolate VMs.
That said, this is my main point: the possible security benefits of virtualization are not inherent in virtualization itself, but are made possible by it. Specifically, the knowledge of what a VM is doing can allow you to do a lot of things that would otherwise not be possible, at least without making specific modifications to the guest operating system, something which is usually either impossible (see: Windows, unless you are MS), or impractical (if you need to run a wide variety of guest operating systems).
In short, the idea is that virtualization has both wins and losses in the area of security.
To stoop to the level of our friend Theo here:
"And anyone who thinks there is any security advantage at any level knows nothing about PC architecture."
I would respond:
"Anyone who thinks that there are no potential security advantages to a virtualized environment knows nothing about PC architecture OR virtualization."
If I were an asshole.
PC arch is a mess
True, PC arch is a mess. But most attacks today are focused on userland applications and thus the virtualization practically increases security.
If you want a *real* virtualization you have to use architectures which were designed for it from the beginning. E.g. IBM POWER. Linux runs on those pretty well.
BTW: The Xen hypervisor control is written on OCaml. I would definitely trust more to OCaml code than to something written in a "buffer overflow please" C code (even if it's made Theo himself).
What about AMD64? x86-64?
What about AMD64? x86-64? Are they a mess too in this regard? If not, I wonder why Apple's servers ditched POWER...
de-railed...
This discussion has been derailed into a discourse on the theory of secure. Secure is a relative term. It is not absolute. The practice of security has more toppings than your average ice cream joint. Theo has made a very solid argument in that the foundation of the "security model" in the architecture he is referring to isn't up to his standard of "secure". Theo (and the BSD community in general) has made immeasurable contributions to the tools us IT folks use every day. I do believe the most secure server I ever ran in production was openbsd on sparc. (remember, secure is relative...) I have also supported some pretty firm NT servers in my time. I have dedicated 12 years of practice to information security and I still learn something new every day.
Successful security practitioners understand that there is no such thing as secure. There is no such thing as secure. The instant you say that (we are secure) to your management is the day you bet your farm. ...and you will lose that bet if you, some half-wit coder, or some other person who happens to pick up the phone on the wrong day, actually puts it on the table (on behalf of you) in front of criminals with intent, time and nothing to lose.
Get out of your box people.
Thank you Theo, I proudly wear the tag of "fanboy". I'll stick it right beside my CISO title.