Hi all. I recently read this article on Tom's Hardware guide that put me on to some cool aspects of virtualization. Namely this portion of the article for maximizing security:
This sounded intriguing and I've been trying to figure out how to set something like this up.Alan: How about some practical tips? Although most of your research involves the bleeding edge of security research, the vast majority of malware currently in the wild does not operate at levels this close to the metal. How should our readers secure their own system?
Joanna: That's a very generic question and it is hard to give one answer that would fit all.
Alan: What do you do for your regular systems?
Joanna: First, as stated, I believe in the Security by Isolation approach. The problem is, however, that all current popular OSes, like Vista, Mac OS X, or even Linux, do not provide a decent isolation to its applications. This is primarily a result of all those systems using big monolithic kernels that consists of hundreds of third-party drivers that operate at the same privilege level as the rest of the kernel. As a result, it is relatively easy for a malicious application to break into the kernel and consequently to bypass any OS-provided security mechanisms.
So, I'm trying to get around this weak isolation by using virtualization. I use different virtual machines to host various types of browsers that I use for different kind of activities. So, I use a "Red" VM to do daily browsing, something totally non-sensitive like news reading, Googling, etc. I use a "Yellow" machine to do some semi-sensitive tasks, like online shopping, updating my blog on Blogger, etc. Finally, I have a "Green" machine to access my bank's account.
I totally don't care about a compromise of my "Red" machine--in fact I revert it to a known snapshot every week or so. I care much more about my "Yellow" machine. For example, I use NoScript in a browser I have there to only allow scripting from the few sites that I really want to visit (few online shops, blogger, etc). Sure, somebody might do a man-in-the-middle (MITM) attack against a plaintext HTTP connection that is whitelisted by NoScript and inject some malicious drive-by exploit, but then again, Yellow machine is only semi-sensitive and there would not be a big tragedy if somebody stole the information from it. Finally, the "Green" machine should be allowed to do only HTTPS connections to only my banking site. It is quite important to make sure only HTTPS is used for this machine to mitigate potential MITM attacks, that might occur, for example on any hotel Wi-Fi.
I've been using this setup for quite a while and it seems to work pretty well for me. My partner, who is a totally non-tech person, also uses a similar setup on her Mac, and she finds it usable. So, I guess it's not as geeky as it might sound.
There are quite a few more details one should also consider when using such a setup, for example handling updates, the use of clipboard, the transfer of files between the machines and the host, where to keep one's email client, why to use a Green machine and not just the host's browser, etc. But I guess this is not the best place to go into all of the details now, or our interview would transition into a How To.
Still, I cannot say I'm totally satisfied with my setup. To run all of my virtual machines, I use a type II hypervisor (VMWare Fusion), which is a fat application running on my host. From the theoretical point of view, there is no good reason to believe that it would be harder to find a bug in the type II hypervisor than it would be to find a bug in the OS kernel itself. Both are big and fat, and have many drivers inside them. But practically, it seems that it is more difficult. The attacker must first find a way to execute code in the guest's kernel. Remember that the attack starts from being able to execute code in the browser only, then he or she must find a way to attack the VMM (hypervisor). So, to break out of the VM and finally do something reasonable in the host's kernel, which might be a totally different OS then the guest's kernel (I use Windows in my guests and Mac OS X on the host).
I already use VirtualBox on my current desktop to run Windows XP, hosted by Ubuntu 10.04. Problem is this desktop is ancient and needs replacing. I've been looking around and it seems there are many options for setting up a system to maximize virtual machine performance.
For example, I read about IOMMU in AMD's 890fx chipset. Seems like a nice thing to have.
So does anyone recommend hardware for building a desktop that could maximize VM performance? I'm currently thinking of a Phenom II X6 1055T with an ASUS 890FX mobo. I had been leaning towards the 890GX since it's cheaper and has a built in video card but I hate to leave IOMMU off the table. So how valuable is IOMMU to virtualization? I'm assuming this setup would support AMD-V.
Let me know what you think. Thanks!
Adv Reply
Originally Posted by griztown
Re: Setting up virtual machines
Bookmarks