One virtualization approach that I have not see mentioned on this thread is to run the virtual machine on a more secure OS than is used by the applications of interest.
For example, one could run VMware on SELinux and use VMware to host Windows/Vista. Thus, even if a virus subverts Windows it still has no more capabilities than any errant program in SELinux. And, the virus author has to cope with the complications created by the dual operating systems. Me, I do just the opposite. I browse the web with firefox running on SELinux (targeted policy) on VMware hosted on Windows XP. That would be secure if I didn't run as root half the time. Chuck Jackson -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Leichter, Jerry Sent: Wednesday, January 02, 2008 4:43 PM To: Anne & Lynn Wheeler Cc: Bill Frantz; Cryptography Subject: Re: Death of antivirus software imminent Virtualization has become the magic pixie dust of the decade. When IBM originally developed VMM technology, security was not a primary goal. People expected the OS to provide security, and at the time it was believed that OS's would be able to solve the security problems. As far as I know, the first real tie of VMM's to security was in a DEC project to build a VMM for the VAX that would be secure at the Orange Book A2 level. The primary argument for this was: Existing OS's are way too complex to verify (and in any case A2 required verified design, which is impossible to apply to an already-existing design). A VMM can be small and simple enough to have a verified design, and because it runs "under" the OS and can mediate all access to the hardware, it can serve as a Reference Monitor. The thing was actually built and met its requirements (actually, it far exceeded some, especially on the performance end), but died when DEC killed the VAX in favor of the Alpha. Today's VMM's are hardly the same thing. They are built for perfor- mance, power, and managability, not for security. While certainly smaller than full-blown Windows, say, they are hardly tiny any more. Further, a major requirement of the VAX VMM was isolation: The different VM's could communicate only through network protocols. No shared devices, no shared file systems. Not the kind of thing that would be practical for the typical uses of today's crop of VM's. The claim that VMM's provide high level security is trading on the reputation of work done (and published) years ago which has little if anything to do with the software actually being run. Yes, even as they stand, today's VMM's probably do provide better security than some - many? - OS's. Using a VM as resettable sandbox is a nice idea, where you can use it. (Of course, that means when you close down the sandbox, you lose all your state. Kind of hard to use when the whole point of running an application like, say, an editor is to produce long-lived state! So you start making an exception here, an exception there ... and pretty soon the sand is spilled all over the floor and is in your eyes.) The distinction between a VMM and an OS is fuzzy anyway. A VMM gives you the illusion that you have a whole machine for yourself. Go back a read a description of a 1960's multi-user OS and you'll see the very same language used. If you want to argue that a small OS *can be* made more secure than a huge OS, I'll agree. But that's a size distinction, not a VMM/OS distinction.... -- Jerry --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED] --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]