Virtual Machine Security

matt_garman

Active Member
Feb 7, 2011
207
38
28
It seems like there's a decent number of VM guys here, so...

My employer has been slow to take advantage of virtual machines, largely due to a perceived security risk. In particular, this article talks about intellectual property/trade secret theft at a trading firm. A specific line from that article, "[the thief] used virtual machines to download Citadel’s proprietary software..." It's not a technical article, so it doesn't say how he "used virtual machines". But since my company is a trading firm, this story hits home with the company owners, and now they have it in their mind that virtual machine is synonymous with security risk.

My question here is, based on the extremely vague statement from that article, does anyone know how one might have "used virtual machines" to steal code? The implication is that the VM somehow enabled the circumvention of other security measures.

I've been trying to find more details on this, but am coming up short. There are risks associated with VMs---but they are in the same class of general infrastructure security risks, which need to be understood and managed appropriately. But I can't see any evidence that they are inherently insecure. I mean, if VMs allowed access to the host system, or any system outside of the guest itself, then how could any cloud provider (Amazon, Google, etc) run a business? But this rationale doesn't seem to be cutting it, so here I am. :)

Thanks for any feedback!
 

PigLover

Moderator
Jan 26, 2011
3,036
1,341
113
Pu planted a rogue machine on Citadel's network and used it to exploit vulnerabilities in their overall security plan. He just happened to use a VM to do it.

Think of it this way - in the "old days", an insider might take a server or laptop or even just a modem and attach it to the company network. Then he can use that device to do scans, find vulnerabilities and exploit the vulnerabilities he finds. Assuming he was good at it, he could even leave methods to access that rogue machine remotely and download the HVT source code that he collected through exploiting the network. Security teams close this "old school" exploit by having physical security on the LAN, doing scans for unknown/unauthorized MAC addresses, etc.

Pu effectively did the same thing but did it by hiding his exploit in a VM on a server that was hosting other VMs.

In the end this was not a security vulnerability of VMs - it was simply a VM that was used to exploit a network that had poor security practices in place. He could have done the same thing with a physical device attached to their network. Only difference is that somebody might have noticed something sitting around that wasn't supposed to be there. If he was good at what he was doing he could have done the exploit with a physical device and just made it look like it "belonged".

The real key to tight security is diligence. Know what is supposed to be attached to your network and scan for things that are not supposed to be there. Keep endpoints that are not supposed to be talking to each other secure with firewalls. Best practice of all is zero-trust, where you assume nothing can be trusted that you don't validate with certificates and protect with encryption. If you do these things then you don't really have to care if people are using VMs or physical servers or whatever. Not trying to suggest that effective security is easy - but if you don't do them and think you are secure because you "don't do VMs" then you are setting yourself up for a hard lesson.

In the end you are going to have a hard time convincing your boss. People distrust what they do not understand. And if he's tagged VMs as "insecure" its very unlikely that you are going to dissuade him... :(
 

pricklypunter

Well-Known Member
Nov 10, 2015
1,668
491
83
Canada
I agree, it's fear of the unknown. It's a real fear though, one I see commonly, and the boss is unlikely to be persuaded otherwise unless you can actually get to demonstrate to him something that will change his view :)
 

matt_garman

Active Member
Feb 7, 2011
207
38
28
Pu planted a rogue machine on Citadel's network and used it to exploit vulnerabilities in their overall security plan. He just happened to use a VM to do it.
( ... )
Thank you for the detailed response. What you wrote is precisely in line with my thinking.

Do you have access to some "behind the scenes" info on this case?

Thanks again!
Matt
 

MiniKnight

Well-Known Member
Mar 30, 2012
3,027
932
113
NYC
Another way to look at it is to look at the AWS, Google, Microsoft, IBM, Oracle and other clouds.

The vast majority of those workloads are virtualized with your VMs running on the same machines potentially of your competitors.

If virtualization was insecure, that would be a multi-billion dollar industry trusted by so many organizations.
 

Evan

Well-Known Member
Jan 6, 2016
3,346
584
113
For low latency trading I would not be using a VM, for general duties yes.
Like anything security is in the design, for VM’s just keep in mind the host and the clients should all belong to the same security class or zone, meaning don’t have a hypervisor with connections to a DMZ and your trusted lan, you need a separate infrastructure for each as you do today.
 

cheezehead

Active Member
Sep 23, 2012
723
176
43
Midwest, US
There are always technology laggards, 100% physical (unless your a one physical file server company with internal tape vintage company) environments have gone the way of the dodo for almost all use cases. I can run in a half rack today what would have taken me 40+ full racks 15 years ago. That's a lot less power, equipment, and staffing overhead...ie money spent when it doesn't need to be. Run some calculations for running your entire environment for 5yrs 100% physical vs 80% virtual (many places have been 100% for years now). Don't forget to factor in power costs, cooling costs, staffing time, equipment, ect.

Maybe your in an edge case compute/network environment that really needs bare metal performance, if not then there's no reason not to outside the entrenched manager scenario at which point you can wait for retirement.

Another way to look at it is to look at the AWS, Google, Microsoft, IBM, Oracle and other clouds.

The vast majority of those workloads are virtualized with your VMs running on the same machines potentially of your competitors.
Exchange Online is 100% physical but their deployments follow more of the cheap and deep methodologies found in super computing clusters....then again when your scale is millions of servers you are already an edge case.
 

ecosse

Active Member
Jul 2, 2013
434
93
28
It seems like there's a decent number of VM guys here, so...

I've been trying to find more details on this, but am coming up short. There are risks associated with VMs---but they are in the same class of general infrastructure security risks, which need to be understood and managed appropriately. But I can't see any evidence that they are inherently insecure. I mean, if VMs allowed access to the host system, or any system outside of the guest itself, then how could any cloud provider (Amazon, Google, etc) run a business? But this rationale doesn't seem to be cutting it, so here I am. :)

Thanks for any feedback!
In my mind VM's or any logical separation has more risk. The hypervisor / container code is written by humans; its bound to have bugs. So by that virtue each VM is a threat to any other VM on that same piece of hardware - you don't get that on a 1:1 host:OS installation. There have been cases of guest escalation issues in most (I'd guess at all) of the top hypervisors. Its arguable easier to steal a VM image than a OS image. But these risks are real edge cases. The technology is proven or thereabouts. A VM is probably seen as legacy now anyway with containers the newborn star - until FaaS kills them (perhaps).

But of course just because you have VM technology doesn't mean you have to cram ever server you ever want on there. You still design your physical VM host deployments inline with your security boundary requirements (but probably you can tell me better than that)

First couple of links hit on google - the age of them shows how much a "redundant" question this should be :)

Last one added- just skim read but appears to give a number of valid reasons why VM's are better than physical

Server Virtualization: Top Five Security Concerns

How secure are virtual machines really? False sense of security?

http://www.enggjournals.com/ijet/docs/IJET09-01-01-02.pdf
 
Last edited: