VMware shares software secrets of securing virtual machines

Virtualisation vendor VMware has quietly begun sharing some of its software secrets with the IT security industry under an unannounced plan to create better ways of securing virtual machines. VMware has traditionally restricted access to its hypervisor code and, while the vendor has made no official announcement about the API sharing program tentatively called "Vsafe", […]

Virtualisation vendor VMware has quietly begun sharing some of its software secrets with the IT security industry under an unannounced plan to create better ways of securing virtual machines.

VMware has traditionally restricted access to its hypervisor code and, while the vendor has made no official announcement about the API sharing program tentatively called "Vsafe", VMware founder and chief scientist Mendel Rosenblum told ZDNet Australia that the company has started sharing some APIs (Application Program Interfaces) with security vendors.

"We would like at a high level for [VMware's platform] to be a better place to run," he said. "To try and realise that vision, we have been partnering with experts in security, like the McAfees and Symantecs, and asking them about the security issues in a virtual world."

Rosenblum says that some of the traditional tools used to protect a hardware server work just as well in a virtualised environment, while others "break altogether".

"We're trying to fix the things that break, to bring ourselves up to the level of security where physical machines are," he said. "But we are also looking to create new types of protection."

Rosenblum said the APIs released as part of the initiative offer security vendors a way to check the memory of a processor, "so they can look for viruses or signatures or other bad things."

Others allow a security vendor to check the calls an application within a virtual machine is making, or at the packets the machine is sending and receiving, he said.

"I don't want to be reverse engineering our products to find exploits or figure out signatures," Rosenblum said. "Fundamentally that means we have to partner. Fortunately there is a bunch that are happy to partner and I encourage that."

The relative security of hypervisor technology has been the subject of controversy in recent months.

Publicly, VMware insists that its core technology is yet to suffer from a serious breach.

But scattered among the showcase floors of the VMworld conference in San Francisco were companies such as Catbird or BlueLane -- start-ups looking exclusively at the security of virtual machines.

Catbird ran a marketing campaign at the conference warning VMware users about the dangers of "running naked" -- paying scant attention to securing their virtual machines.

The start-up claims that by VMware's own admission, two-thirds of virtualisation users are "running naked".

"It's been the dirty little secret of the virtualisation industry," says Howard Fried, director of sales engineering at Catbird. "Security seems to be the last thing people are doing. Nobody seems to understand that in this whole transition to virtualisation, you can't apply an identical policy to how you secure a physical server."

"At the end of the day, a hypervisor is a bag of bits that needs to be added," he said. VMware's Rosenblum said some of the statements being made by the security start-ups are "a little self-serving, since they have a particular security solution they want to apply to it."

Full Article

VMware, Virtualization, Virtual Application, Virtual Server, Virtual Machine