Security in virtualization must be rethought: Green Hills CEO

Brian Fuller

12/6/2010 6:30 PM EST


SANTA BARBARA, Calif.--Green Hills Software CEO Dan O’Dowd delivered a sobering vision of a virtualized computing world being overrun by uncontrolled hacks exploiting non-secure devices and drivers, and he urged the industry to turn thinking about virtualization on its head.

"Virtualization doesn’t add anything to security. You’ve got to add security to virtualization," he told a gathering of customers, partners and editors at Green Hills’ Elite Users Technology Summit here Monday.

O’Dowd highlighted recent media reports indicating that just 60 percent of Pentagon computers have intrusion-detection systems. Referencing the widening WikiLeaks scandal, he added: “It’s out of control, and I assume will go wild in the next few years.”

False sense of security
O’Dowd said that virtualization advocates argue that virtualization systems are more secure than traditional operating systems because they are less complex, and that viruses and worms will be contained within the virtual machine and can’t escape. But this only works if the virtualization system itself is secure, O’Dowd said.

Another challenge in using virtual machines is device drivers, which can inadvertently serve as well-oiled gateways for malicious code. The vendors supplying the hardware (such as USB devices) are generally less experienced with writing device drivers (and ensuring their security).

“These device drivers are a constant source of security vulnerabilities,” he said. Adriel Desautels, cofounder and CTO of Netragard, has famously pointed out how the use of USB sticks can make systems vulnerable to hacks. (He spoke to the Green Hills gathering on a different topic Monday.)

O’Dowd said another supposed fix for such problems, IO memory management units (IO MMUs), is flawed. An IO MMU allows a device to access only certain parts of memory.

“It is an important tool in building a secure system,” O’Dowd said. “You can’t say just because I have one (IO MMU), I’m safe. You have to use it correctly. We program it custom for each device.”





chanj

12/6/2010 6:45 PM EST

A virtualized machine is running on a host machine. Logically speaking, it shall never be more secure than the host machine. It is very important for people to understand virtualization will help utilization and ease of deployment. Security is something anyone shall look after themselves. Thinking about it, who would care more than you do?




Neo1

12/6/2010 10:49 PM EST

We are yet to see any virus which brings down a virtual machine. Why? Because the VM layer is proprietary to one vendor and so is difficult to gain access. True virtualisation won't enhance security by itself but it provides well established boundaries to contain an infection.



