VMware shares secrets in security drive

Virtualisation vendor VMware has quietly begun sharing some of its software secrets with the IT security industry under an unannounced plan to create better ways of securing virtual machines.

This is an important step by VMware - while there are currently no known problems, they will come as virtual targets become more prolific…

(Via ZDNet Australia.)

VMware has traditionally restricted access to its hypervisor code and, while the vendor has made no official announcement about the API sharing program tentatively called ‘Vsafe’, VMware founder and chief scientist Mendel Rosenblum told ZDNet Australia that the company has started sharing some APIs (Application Program Interfaces) with security vendors.

“We would like at a high level for [VMware's platform] to be a better place to run,” he said. “To try and realise that vision, we have been partnering with experts in security, like the McAfees and Symantecs, and asking them about the security issues in a virtual world.”

The relative security of hypervisor technology has been the subject of controversy in recent months. Publicly, VMware insists that its core technology is yet to suffer from a serious breach. But scattered among the showcase floors of the VMworld conference in San Francisco were companies such as Catbird or BlueLane — start-ups looking exclusively at the security of virtual machines.

The start-up claims that by VMware’s own admission, two-thirds of virtualisation users are “running naked”. “It’s been the dirty little secret of the virtualisation industry,” says Howard Fried, director of sales engineering at Catbird. “Security seems to be the last thing people are doing. Nobody seems to understand that in this whole transition to virtualisation, you can’t apply an identical policy to how you secure a physical server.”

“At the end of the day, a hypervisor is a bag of bits that needs to be added,” he said. VMware’s Rosenblum said some of the statements being made by the security start-ups are “a little self-serving, since they have a particular security solution they want to apply to it.”

ESX Server 3i has considerable advantages over its predecessors from a security standpoint. In this latest release, which will be available in November, VMware has decoupled the hypervisor from the service console it once shipped with. This console was based on a version of the Red Hat Linux operating system. As such, ESX 3i is a mere 32 megabytes in size, rather than 2 gigabytes. Some 50 percent of the vulnerabilities VMware was patching in prior versions of its software were attributable to the Red Hat piece, not the hypervisor. “Our hope is that those vulnerabilities will all be gone in 3i,” Rosenblum said.

See original artcile by Brett Winterford here.