« March 2007 | Main | August 2007 »

April 05, 2007

Security benefits of OS virtualizations: real or virtual?

Nowadays the way we communicate with other people is nothing like it used to be only a decade ago. A popular way to stay in touch is to use Skype. It is a great tool, in particular its voice conversation capabilities. Recently some research has emerged, alleging that Skype may be doing some not-so-transparent things while running on your machine. As a result, many corporate users have been banned from using Skype.

Being a security-conscious person, this prompted me to think what can be done as a precaution against potential breaches while still enjoying the service Skype provides.  I realized that I am using OS virtualization quite a lot in my professional activities. So, a natural thought is to run Skype in a sandboxed virtual OS image. Indeed, this is a useful approach that can be used to defend against some vulnerabilities. But what is the real security picture when OS virtualization is used? It is a good question with some surprising answers.

I summarized some of my findings in a paper. The abstract and introduction are provided below. The full paper is available here.

Abstract. Recently, people have begun to use OS virtualization as a tool for improving LAN security. While virtualization is very useful in optimizing hardware utilization, we show that its security benefits come at a price.


Operating system (OS) virtualization allows businesses and individuals alike to use their availablecomputer hardware resources much more efficiently and flexibly. This technology has become indispensable for many professional software developers and testers, allowing quick configuration of reference OS images that can be used in different contexts, often executing on the same computer [1].

There are two main technological approaches to OS virtualization [2]: standard and lightweight;lightweight further splits into containers and paravirtualization. Each approach has different architectural and run-time characteristics, hence different robustness of the isolation from the host OS.

Recently, an important security trend has emerged in OS virtualization usage. Consumers have begun to use virtualization as a tool for isolating processes, e.g., Internet browsers, in order to prevent malicious software (malware) from invading their main computing environment [2]. Using any of the available OS virtualization technologies, one can configure an image of an operating system with a browser and execute it on a computer as an isolated process within the host OS. A user can then utilize the browser in the image to explore the Internet without a fear that the main system will be invaded by malware. But are users safe, really? 

In this paper we consider the problem of process/application isolation through OS virtualization and examine how it can be used in practice for securing users’ computing environments.

Hosting by Yahoo!