VMSafe, what is it exactly?

Everybody has probably already heard about VMware’s new feature called VMsafe. On day 2 of VMworld Europe, in the keynote speech, VMware founder and chief scientist Mendel Rosenblum announced VMsafe and explained what VMsafe can do. To me it was a bit general, so I tried to find some more background information on it and strip away the marketing talk. I’ve merged information from a number of sources and added my own thoughts to it.

How do I install/activate VMsafe protection?
“VMsafe is a capability inherent within VMware Infrastructure and specifically within ESX Server. Once utilized and integrated with security partner solutions, customers need only purchase integrated solutions that will be available from partners. Solutions that integrate with VMsafe will be installed as virtual machines.”

So the VMsafe API will always be included in the default ESX installation, and security products talk to the API that the ESX host exposes. This API can only be used from a VM that runs a third-party security product. That looks like a strong point to me: malicious software first has to get into a VM before it could even abuse the API to reach other VMs, and on the way there it would first have to bypass that same API (or the security software using it) before it could get control. The flip side, which applies to any design like this, is that the security VM itself becomes the most valuable target on the host: whatever is allowed to read and modify every guest’s memory, network traffic and disks has to be protected at least as well as the hypervisor it talks to.

What does VMsafe protect?
“VMsafe enables partners to build a virtualization-aware security solution in the form of a security virtual machine that can access, correlate and modify information based on the following virtual hardware:
1. Memory and CPU: VMsafe provides introspection of guest VM memory pages and CPU states.
2. Networking: Network packet-filtering for both in-hypervisor and within a Security VM.
3. Process execution (guest handling): in-guest, in-process APIs that enable complete monitoring and control of process execution.
4. Storage: Virtual machine disk files (VMDK) can be mounted, manipulated and modified as they persist on storage devices.”

In the physical world, malware first had to land in memory, on disk or on the network before it could be detected and (hopefully) stopped, and the detection ran inside the very OS it was trying to protect. With VMsafe, a security VM can inspect those same resources from outside the guest, so the malware can be stopped before it gets a foothold in the guest OS. It’s like watching the whole block around a bank building for robbers instead of posting a security guard at every door and hoping you’re not missing one.

By stopping the malware before it enters the guest, it can’t affect the guest in any way. Just as important, the malware no longer runs at the same privilege level as the security software: inside a guest, kernel-level malware and an anti-virus driver are peers, which is what sometimes lets malware kill the security software and take complete control. With the security software in its own VM there is no OS inside the guest that the malware could use to reach it, so the two are isolated from each other.
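To make the memory-introspection point concrete, here is an added example (my own illustration, not VMsafe or any vendor’s code) of how a security VM might scan guest memory when the hypervisor hands it one guest physical page at a time. The read_page callback, PAGE_SIZE, the two signatures and the four-page guest image are all assumptions constructed for the example. What it demonstrates is the edge case a page-granular view introduces: a pattern that straddles two pages is missed unless the scanner carries the tail of the previous page along, which the naive variant at the end does not do.

```python
"""Page-granular guest memory scan (added example, not VMsafe code).

A security VM sees guest memory through a hypervisor API one physical page
at a time, not as one flat buffer.  read_page(pfn) below is a hypothetical
stand-in for such an API.  The scanner walks every page, looks for byte
signatures, and carries the last bytes of the previous page along so that a
signature crossing a page boundary is still found.
"""
from typing import Callable, Dict, List, Optional, Tuple

PAGE_SIZE = 4096

# Constructed demo signatures: hypothetical byte patterns, not from any real product.
SIGNATURES: Dict[str, bytes] = {
    "demo-shellcode": b"\x90\x90\x90\x90\xcc\xcc\xeb\xfe",  # nop sled, int3, jmp $
    "demo-syscall-stub": b"\x48\x31\xc0\x0f\x05",           # xor rax,rax ; syscall
}


def scan_guest_memory(read_page: Callable[[int], Optional[bytes]],
                      num_pages: int,
                      signatures: Dict[str, bytes] = SIGNATURES) -> List[Tuple[int, str]]:
    """Return (guest physical address, signature name) for every match.

    read_page(pfn) returns the PAGE_SIZE bytes of guest page frame `pfn`,
    or None when the page is not mapped or not readable.
    """
    carry = max(len(sig) for sig in signatures.values()) - 1  # bytes kept from previous page
    tail = b""
    hits: List[Tuple[int, str]] = []
    for pfn in range(num_pages):
        page = read_page(pfn)
        if page is None:
            tail = b""            # a gap: nothing can straddle an unreadable page
            continue
        buf = tail + page
        base = pfn * PAGE_SIZE - len(tail)   # guest physical address of buf[0]
        for name, sig in signatures.items():
            idx = buf.find(sig)
            while idx >= 0:
                # A match that ends inside the carried tail lay entirely in the
                # previous page and was reported then; only report new ones.
                if idx + len(sig) > len(tail):
                    hits.append((base + idx, name))
                idx = buf.find(sig, idx + 1)
        tail = page[-carry:] if carry else b""
    return hits


def scan_without_carry(read_page: Callable[[int], Optional[bytes]],
                       num_pages: int,
                       signatures: Dict[str, bytes] = SIGNATURES) -> List[Tuple[int, str]]:
    """The naive page-by-page scan: misses any signature that crosses a page boundary."""
    hits: List[Tuple[int, str]] = []
    for pfn in range(num_pages):
        page = read_page(pfn)
        if page is None:
            continue
        for name, sig in signatures.items():
            idx = page.find(sig)
            while idx >= 0:
                hits.append((pfn * PAGE_SIZE + idx, name))
                idx = page.find(sig, idx + 1)
    return hits


def build_demo_guest() -> bytes:
    """Constructed 4-page guest image: one hit inside a page, one straddling two pages."""
    mem = bytearray(4 * PAGE_SIZE)
    sig = SIGNATURES["demo-shellcode"]
    in_page = 1 * PAGE_SIZE + 0x100       # fully inside page 1
    straddle = 3 * PAGE_SIZE - 3          # 3 bytes at the end of page 2, 5 in page 3
    mem[in_page:in_page + len(sig)] = sig
    mem[straddle:straddle + len(sig)] = sig
    return bytes(mem)


def make_reader(image: bytes) -> Callable[[int], Optional[bytes]]:
    """Wrap a flat image in the page-oriented read interface a hypervisor API would expose."""
    def read_page(pfn: int) -> Optional[bytes]:
        start = pfn * PAGE_SIZE
        if start >= len(image):
            return None
        return image[start:start + PAGE_SIZE]
    return read_page


if __name__ == "__main__":
    image = build_demo_guest()
    pages = len(image) // PAGE_SIZE
    for gpa, name in scan_guest_memory(make_reader(image), pages):
        print(f"{name} at guest physical 0x{gpa:x}")
    print("naive scan found", len(scan_without_carry(make_reader(image), pages)), "hit(s)")
```

The addresses reported are guest physical addresses. A real product would also have to walk the guest’s page tables to relate them to the virtual addresses a process sees, and would want to react to page changes (write traps) rather than rescanning all of memory periodically; both are outside what this example shows.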

Still, I’m wondering what the Security VM guest OS will be and whether it will be impossible for malware to abuse the API and slip into the security VM. According to George Heron, chief science officer at McAfee, this will not be an issue. Quoting him from the VMworld newspaper that was handed out to all attendees at VMworld Europe:

“Probably the most radical aspect of the VMsafe initiative is not the technology specifications, but the fact that VMware has made the bold decision to provide secure, third-party access to the information seen by the core of its technology – the hypervisor. Security purists and VMware’s competitors will undoubtedly argue that providing access to the hypervisor, albeit in a highly controlled manner, increases the risk of the hypervisor’s own integrity being compromised, and with it the security of every virtual machine that runs on top of it. VMsafe is architected in a manner that eliminates this threat by having the security product run in an isolated space outside of the context of the hypervisor.”

Ok, but still…. there is some talk between Security VM <-> ESX API <-> Guest VM. So how does this isolation work? I haven’t been able to figure this out yet, but I guess within a short time there will be more articles and white papers available explaining things in detail.

Having read a lot of articles and press releases about VMsafe, I’m convinced that VMsafe is a great step towards a safer enterprise environment. Being able to stop malware before it ever reaches the VM is really great. VMsafe will not just work outside the guest; it can also work at a deeper level than other security software could before in a virtualized environment. And let’s not just look at anti-virus products: at the firewall / network level there are great opportunities too. A lot of security products could not. Already over 20 major leading security vendors have been talking with VMware to join their VMsafe program. With this step, VMware is painting a new vision of security in the data center.

Sources:

VMware VMsafe Security Technology
VMware’s VMsafe: Security Industry Defibrillator….Making Dying Muscle Twitch Again.
Archimedius

edit:
Duncan from http://www.yellow-bricks.com/ pointed me to a possible explanation of the technique used by VMsafe, Virtual Machine Communication Interface (VMCI). Read more about it here: http://pubs.vmware.com/vmci-sdk/VMCI_intro.html

6 thoughts on “VMSafe, what is it exactly?”

  1. Thank you for the tip! I’m missing the network stack in this, because I read that the network virtual switches can also be monitored with VMsafe. I’m wondering if for example McAfee can build an appliance that does some kind of virus scanning, Checkpoint builds a network inspection appliance, etc. You would then have multiple security appliances per host. Not sure if this is what is desired.

    Gabe

  2. Hi Gabe,

    Nice article. I’m wondering whether it is possible to access these APIs directly from within the VM through any custom script/program. I’m interested in developing an application to detect and analyse anomalies from several parameters like VM memory, CPU, network etc. during various types of attacks.

    -Fahim