Monday, November 03, 2008

Security and Virtual Machines, Part II

I announced lately to get back to this virtual thing and the ramifications when talking about security. Here we go. Identity and ownership are important factors in the security realm. Both attributes are often handled different in the world of Virtual Machines (VM). The owner of the real box might not be the owner of the VM. Identifiers (port number, MAC address) can differ and old-fashioned identity-schemas can not be applied anymore. Another side-effect coming with VM’s is an increase of complexity for the patch and update management. This is because of the broad variety of operating systems and versions that can be installed (and that will be installed) on the top of VM’s. All of them got their own life-cycle and their security-patches that must be applied. The VM life-cycle which can be characterized by snapshots and rollbacks is definitely helpful for testing and other evaluation purposes. But there are operations in the area of cryptography that could suffer. Time, random numbers, seeds, initials vectors, transaction states – just to name a couple of potential vulnerabilities. I see some room for improvement, especially for randomness in a virtualized environment. This must be addressed in the scope of the security architecture for a given system.

No comments: