I was recently reading through the NIST “Draft Guide to Security for Full Virtualization Technologies” (SP 800-125 draft) [http://csrc.nist.gov/publications/drafts/800-125/Draft-SP800-125.pdf]. It discusses various considerations relating to hypervisor security. One section that particularly struck me was the comparison of bare metal vs hosted hypervisors. These are also known as Type I and Type II hypervisors, respectively. The document states that choosing between them is a critical security decision. That started me wondering if it is actually true that Type I hypervisors offer superior security to Type II hypervisors. While a Type I hypervisor may have a small kernel, it relies on and trusts an entire OS instance in the resource-owning partition (Dom0 in Xen parlance) for device access. So while it might at first blush appear that a Type I hypervisor has a much smaller TCB than a Type II, the TCB is really just in a different place. Given imperfect knowledge of the implementations and similar size, complexity, and maturity, it would seem that Type I and Type II hypervisors would in general offer similar security. I can’t find any solid evidence to the contrary. I’d love to hear from someone who can clarify why the Type I vs Type II distinction is in any way a major factor in hypervisor security analysis.

Since the foundation of the Trusted Computing Group, previously named Trusted Computing Platform Alliance, the pillars required to win most of today’s security challenges have been heavily developed.

The Trusted Platform Module and the Trusted Software Stack are two of these. Now that we have in our hands the required enablement, the next expected step is to come up with the development of detailed and implementable use cases that were originally envisioned when starting the Trusted Computing Initiative.

The use case presented in this newly published Blueprint exploits the integrity measurement capability that the TPM provides. Other than using a passphrase as an authorization token, it describes how to use a machine’s integrity to authorize access to sensitive files, by means of a key sealed to those integrity parameters.

The parameters include the loaded kernel image, the bootloader and its configuration file, and the BIOS. Thus, if one tries to load a different flawed kernel image, those sensitive files won’t be accessible. It’s also worth mentioning that the bootloader used is able also to measure critical system files (e.g. the libraries placed at /lib), making the job of a rootkit even harder.

The next step is to attest a machine’s integrity using the Integrity Measurements Architecture (IMA) logs that contain a list of measurements of all files accessed by the root user during runtime.

Check it out at: http://publib.boulder.ibm.com/infocenter/lnxinfo/v3r0m0/topic/liaai/tpm/liaaitpmstart.htm

While Virtualization offers many benefits, there can also be increased security risks. For example, consider a system running two hundred virtual images. All two hundred images are at risk if a flaw in the hypervisor (or configuration) allows any virtual guest to “break out” into the host environment and affect other virtual guests.

sVirt is a project to improve the security of Linux virtualization. Svirt applies the Mandatory Access Control (MAC) features of SELinux to strengthen the isolation between virtual images. Svirt works with KVM/QEMU and other Linux virtualization systems where the virtual image runs as a Linux user space process.

sVirt is a community project, with founding authors from Red Hat: Daniel Berrange, James Morris, and Dan Walsh. sVirt is integrated with libvirt.

One of my favorite sVirt use cases is: “Strongly isolating desktop applications by running them in separately labeled VMs (e.g. online banking in one VM and World of Warcraft in another; opening untrusted office documents in an isolated VM for view/print only).” (From the 8/11/2008 sVirt project announcement at www.redhat.com/archives/libvir-list/2008-August/msg00255.html).

The project announcement also identifies an excellent design goal: “Initially, sVirt should “just work” as a means to isolate VMs, with minimal administrative interaction. e.g. an option is added to virt-manager which allows a VM to be designated as “isolated”, and from then on, it is automatically run in a separate security context, with policy etc. being generated and managed by libvirt.”.

You can find a 48 minute video of James Morris’s February 2009 presentation on sVirt at Linux.conf.au: video.google.com/videoplay?docid=5750618585157629496#

Slides from that presentation are at: namei.org/presentations/svirt-lca-2009.pdf

Privacy concerns for the ages, is anonymity sufficient? Facebook and Google: Contrasts in Privacy Is privacy an illusion or a social contract? Blakley’s blog post Gartner gets privacy dead wrong debates the issue. Will Facebook users go along with Facebook’s new policies and the sense that their privacy was an illusion, or will they revolt, pile on EFF’s FTC complaint and leave Facebook in droves?

This article covers a lot of ground on the impact to security of virtualization and cloud adoption. I like it right up the the abrupt ending. Virtualization Adoption Slips.

Three just for fun:

SearchEnterpriseLinux.com has a 2009 retrospective of Linux activity: A look at Linux in the recession. Somehow I missed the news about Hannah Montana Linux.

An octopus and its travel trailer: Tool Use Found in Octopuses.

There is a new specialty of female bodyguards in Egypt.

The Evil Maid attacks again:

• ITPro article: Researchers break into Windows encryption feature,
• the original research behind the attack,
• article about Microsoft’s response.

Two Trusted Computing articles:

• “openSUSE is now the first operating system to offer full TC support” (from 11/24/2009)
• Trusted Computing in the Cloud: Towards Trusted Cloud Computing (from Hot Topics June 2009).

An introduction to Tin Hat Linux which is a Linux distribution based on hardened Gentoo which “was conceived as a challenge to the old mantra that physical access to a system means full access to the data”.

Everybody is talking about the botnet on AWS: Zeus botnet finds hold in Amazon cloud. From now on, I fully expect that stories about botnets controlled from within a cloud will become a footnote, rather than noteworthy and they will be served with standard takedown notices.

The article starts off with chest beating about how revolutionary the article is since there is a lack of information on the efficacy of spam. But, in their background section, they mention the previous work on pump and dump spam which is relatively easy to study. Wikipedia links to 3 studies that show that pump and dump spamming drove up prices of the touted stocks by 6% between 2005-6. This is a pedantic point but distracts from the strength of their argument right away.

The deconstruction of Corman’s remarks is just outright weird. No telling why they didn’t just ask him what he meant and what numbers he was adding up. My guess is that instead of profit, he may have said or meant millions of dollars in damages, but I haven’t asked him either. The site that they link to doesn’t quote him, rather it attributes a paraphrased statement to him. This paraphrased statement is then put into quotes in the article, but the text in quotes doesn’t actually show up on the linked-to site. (Note, although we both work for the same company, I have never met nor talked to Corman.)

Gathering statistics by parasitic infiltration is ethically questionable. Counter attack is becoming more acceptable from a cyber war perspective, but it is not a generally acceptable security practice. I definitely do not consider it an ethical research practice. The paper extensively discusses the ethics of this practice and decides that since no one is left worse off than before that it must be ethically correct to allow it. I think this is disingenuous and disregards all of the arguments about why it is not an ethically sound security practice, primarily the argument that you might get it wrong and actually damage an innocent bystander inadvertently.

The spamalytics system alters the entity that they are studying and thus their statistics although interesting become questionable. The backend fulfilment or trojan delivery server is often quickly shut down in a real attack. They address this point in Figure 6, but don’t discount their conversion rate in any way nor do they site statistics about how quickly fulfilment servers are shut down to defend not discounting their conversion rate.

They wound up with 28 conversions for the pharmacy spam, but they didn’t allow the site to accept personal information. How many of the 28 users would actually have completed the transaction. How many of them were participants in the scam the scammers movement? Regardless, their conversion rate is amazingly low, as they state too low to sustain profitability for the spamming operation.

The researchers performed analysis on only one type of spammer – the ones motivated by money. The quality of the average spam clearly indicates that not every spammer is in it for the money. They are griefers, just like the griefers in online games who show up to “spoil it for the rest of us”. It would be worth running a similar research project on non-email spammers who are motivated by money to see if they are more profitable. Wired had an article about Craigslist in a recent issue and it included a paragraph on the problems that they have with spam. They manually remove spam from their listings. Captchas didn’t work because the spammers hired cheap labor to break the captcha. You can see this in Amazon’s Mechanical Turk where spammers offer users $0.01 to perform a spam like activity.

Because of these quibbles, I would not bet the house that spammers are unprofitable (or barely profitable) just based on these results. Despite these quibbles, I really enjoyed the time that I put in to reading this article and so I recommend that you go take a look too. Enjoy!

The openCryptoki project, a PKCS#11 provider for Linux with support for software and hardware tokens, has released new versions for both the openCryptoki code itself as well as for it’s associated library, libica.

• Libica-2 is a major cleanup from the previous versions. It has a new API and supports software fall-back (OpenSSL) when no Crypto hardware is present. The current version (2.0.2) has bug fixes and improved code examples.
• OpenCryptoki 2.3.0 includes support for Libica-2 and has a number of bug fixes and minor improvements

OpenCryptoki is the most common way that PKCS#11-enabled applications (including Java JCE aplications) can exploit cryptographic hardware in a Linux environment.

Congratulations and thanks to the TCG members who made this possible!

Tyler Hicks (from our team) recently attended the 5/25-29 Ubuntu Developers Summit for Karmic Koala in Barcelona, Spain.

Some of Tyler’s observations on Security topics:

• There are quite a few eCryptfs users out there and they are generally happy with the version shipped in Jaunty. Most were using the encrypted home feature, but some wanted more flexibility and had custom setups.
• eCryptfs encrypted swap is on the roadmap for Karmic.
• Michael Rooney has been working on graphical applications to compliment some of the eCryptfs userspace tools that are currently bound to the command line.
• Tyler held an eCryptfs roadmap talk about future eCryptfs features: eCryptfs on top of popular network filesystems, improved key management, and asking for someone interested in completing the eCryptfs GPG key module.

Some general observations from Tyler:

• Ubuntu would like to be the premier guest available in Amazon EC2.
• Ubuntu users will soon have a daily build of the virtualization stack available, which is a big win for both the upstream developers and the users.
• Dustin Kirkland http://blog.dustinkirkland.com/ gave a talk on leveraging the cloud for data center power savings.
• The Ubuntu kernel team committed to removing non-upstream kernel code that no one is using anymore.

See the whole story on Tyler blog at: http://blog.tyhicks.net

MD5SUM: 8858a47c667ffc4af840d72d8ced6605 amtu-1.0.7.tar.gz
SHA1SUM: 7f56a17ca616b6dc23564894c8503e5c5c75aa06 amtu-1.0.7.tar.gz

amtu is a small and simple machine check that is required for Common Criteria certification. It was originally released in 2003. You can find it at https://sourceforge.net/projects/amtueal/.