Monday, December 6, 2010

Security holes are everywhere even in secure virtualization systems, says Green Hills Software CEO

Posted by John McHale
If the Wikileaks scandal shows anything it proves that no system is secure as people may think it is -- especially software virtualization systems, said Dan O'Dowd, chief executive officer of Green Hills Software during the company’s Software Elite Users Technology Summit. "Virtualization adds nothing to security," he added.

O'Dowd pointed out that virtualization systems have less code, "but that just means they are less bad, not more secure. Running bug-ridden operating systems in virtual machines does not solve the security issue unless the virtualization system itself is secure."

He then made a point that I think resonates well beyond virtualization systems. "The security claims of popular virtualization systems are just marketing fluff to exploit the desperate need of all computer users for security," O'Dowd says. These systems have only been evaluated to the National Security Agency's (NSA's) Common Criteria EAL4+.

According to the Common criteria EAL4+ "makes them appropriate for protecting against 'inadvertent or casual attempts to breach system security,'" O’Dowd said. It's as if they have five doors to their house but only locked four, he added.

O'Dowd was working up to making the case for his company's EAL6+ secure virtualization software, but, I think he's also right on that this is not just a virtualization security phenomenon.

People are lazy when it comes to securing their computers. They all want their systems to be secure, but typically buy into the marketing fluff of certain technology because they like the convenience it provides. However, in the long run they are setting themselves up for security breaches.

It reminded me of something an export compliance officer at a major aerospace company once told me that he tells his employees who travel overseas. He says they need to assume that their emails are being read and their phone conversations are being listened to. It doesn't make you paranoid, it makes you vigilant, he said.

Speaking of vigilance, let's get back to the secure virtualization discussion.

During their work in this area O'Dowd's engineers found security vulnerabilities in standard device drivers in virtual machines. He said they attempted to use I/O memory management units (MMUs) to improve the security of virtual machines, but found that "it doesn't work.

"We weren't looking for vulnerabilities, we were just trying to make the device drivers work," O'Dowd said. "Modern I/O devices often contain huge software control programs consisting of hundreds of thousands lines of code and they have just as many security vulnerabilities as traditional operating systems."

He made the case that if users want to be vigilant with their virtualization systems they need to use an EAL6+ secure system like that offered by Green Hills. Makes sense but with that vigilance also comes cost.

Systems like Green Hills do not come cheap, so it becomes a matter of managing risk. Military and avionics systems cannot take that chance, but companies in less mission/life critical applications may be able to get away with it.

What's more expensive paying for the security ahead of time or not paying and hoping nothing happens? I guess it depends on whether or not you think you, your company, or your technology is actually a target.