Virtualization as an Antivirus (cont.)
Over at Jon Rentzsh’s Red Shed, there was a bit of a discussion begun recently about using virtual machines as a sort of antivirus mechanism.
Since Jon doesn’t include a comment form with his posts, and since I reckon he’d rather not become the middle-man for an extended discussion, I wanted to post my additional comments here, where they could be picked apart (or not) without having to bother Jon.
Okay. On to my response:
In an addendum to the original post, Peter da Silva writes:
You’re still using discretionary access control… in a MAC system, you wouldn’t be able to transfer information from the environment with a higher classification to the environment with a lower classification even from the environment with the higher classification.
I think there may be a misunderstanding here. I’m not sure what Peter specifically means by “classification”, but I don’t think this is really addressing the meaning of Mandatory Access Control.
If by “classification” Peter means a “security level” (in the sense of a Multi Level Secure system), then it is true that many security architectures use MAC to ensure that there is no information flow from “high” to “low” levels. This is the much-discussed Bell-LaPadula security model. While this is one common security model (and the one that got the most attention until relatively recently), it is not the only context in which you can find Mandatory Access Control. SELinux, for example, features MAC in its implementation of a different model: type enforcement.
The main point here is that MAC is a lower-level concept than any particular security model or information flow goal. MAC simply ensures that access decisions—however they may be designed—are not granted to the user to make at their own discretion. Neither are they—and this is often more to the point—granted to the program the user runs.
What you’re using is an extreme version of the principle of least privilege. You’re creating an environment that doesn’t have the privilege of writing to any local non-volatile storage.
Well, sure. Although, I was under the impression that many (most?) VMs will at least store state on disk, so I’m not sure that’s the only granted privilege (someone feel free to educate me on this). Aside from that, if this limitation is established in a way that the programs running within the VM have no way of changing, then it is a mandatory control of their access. i.e. MAC used while implementing a particular security goal: least privilege.
I’ll admit to not knowing very much about the deep dark secrets of how virtualization is implemented. Jon mentioned that the XP in the virtual machine can access the XP on the host, which would indeed break the model.
The issue is further muddied by the fact that we’re not looking at a well defined set of access vectors which we can turn on or off individually for the programs in the VM. We get a set of properties that the VM brings along for the ride, and “designing” our security model here mostly means trying to figure out if throwing this hunk of code at our applications will confine them in a meaningful and helpful way. Do we care if the user can copy and paste information in and out of the VM? Maybe, maybe not. Do we care if the program running in the VM can reformat the hard drive of the host? Yup. Definitely.
I mainly just wanted to point out that, presuming that a virtual machine really does abstract away the host hardware and operating system, those applications running within the virtual machine have effectively been confined to a certain set of resources in a mandatory way (modulo an unclean separation between virtual machine and real machine). If the controlled access is both sufficient and mandatory, then you get to relax a bit, knowing that the programs running in the VM do not have free reign.
I don’t want to give the impression that the commonly available commercial VMs really are the solution for serious security concerns. But in this case it sounds like the virtual machines Jon uses provide sufficient confinement for the threat model he is trying to defend against.
It’s also worth pointing out that there are virtual machines designed specifically for security. These systems really do provide the complete separation of resources that those designed with other goals in mind do not provide.
My goal was to sketch out the wider context here, with Jon’s use of virtual machines as a way to highlight the concepts involved. But I should have more explicitly pointed out the places where theory probably doesn’t meet up with reality. My apologies on that.
June 9th, 2006 at 10:30 am
Actually, in the example given above, the virtual machines themselves weren’t designed for security, but they were integrated with a security policy on the host system that does the job of confining them. The point being that the system as a whole uses virtual machines as the basis of separation, and has been designed to do it with rigor.
September 8th, 2006 at 8:05 pm
I still do not see that Virtualization as an solution to Antivirus. The initial author of the postings claims that he uses the VMWare images to browse the web (virus prone) adn incase of virus attact he destroys the images (or undo changes).
I think this is tedious to maintain many images and making the machine overloaded is over kill. The simplest solution would be to use the updated anti-virus and some kind of personal filrewall and spyware detectors.
=Venkat
September 9th, 2006 at 2:05 pm
Hi Venkat,
The question of whether it is a tedious solution to viruses is different from whether it is effective.
The problem with anti-virus software is that it continues to fail. Keeping it updated is tedious in itself, and even if it is updated it may not catch a virus that it does not know about.
In general, this is the shortcoming of the “patch the problem” approach. It’s not really fixing the root cause of the problem. This is why I think you’ll start to see more fundamental security mechanisms making their way into mainstream usage in the next ten years or so.
I think the original post’s intent was that using a VM is a clever use of today’s technology to produce an anti-virus mechanism that is more fundamentally sound than the plain old “update more often, scan more often, hope you don’t miss anything” solution.
March 25th, 2007 at 1:12 pm
Christopher is apparently using VirtualPC, which allows access from virtual pc to host. I too use virtualization to protect my pc against viruses etc. while surfing the web, but I do not use Microsoft Virtual PC. I use VMware, which (unless you specify otherwise) prohibits the virtual pc/os from seeing the host in any way, shape, or form. In my view, having this any other way defeats the purpose.
That being said, there are other options. Instead of incurring the hassle and overhead of a virtual pc, one can use sandbox and behavior control technologies to restrict the ability of common applications to act as transmission mediums for viral and other attacks. For example, DefenseWall is a sandboxing technology that isolates web browsers and the like, limiting their privileges to the mimimum necessity. Additionally, applications like Cyberhawk and PrevX use behavior analysis and control techniques to detect and stop malicious code. By these means, new threats can be identified and thwarted in real time without the need for “updates” and signature databases. As a matter of fact, sandboxing and HIPS are the primary protection methods I use for my day-to-day activities, virtualization of an entire pc is only necessary when I intend to surf uncharted and questionable territories (in which case I fire up my vmware ubuntu browser ‘appliance’ and revert it back to prior state when I’m done).