VMware shares secrets in security drive

Company has started sharing some APIs with security vendors, in a bid to create better ways of securing virtual machines.

Virtualization vendor VMware has quietly begun sharing some of its software secrets with the IT security industry under an unannounced plan to create better ways of securing virtual machines.

VMware has traditionally restricted access to its hypervisor code and, while the vendor has made no official announcement about the API sharing program tentatively called "Vsafe," VMware founder and chief scientist Mendel Rosenblum said that the company has started sharing some APIs (application program interfaces) with security vendors.

"We would like at a high level for (VMware's platform) to be a better place to run," he said. "To try and realize that vision, we have been partnering with experts in security, like the McAfees and Symantecs, and asking them about the security issues in a virtual world."

Rosenblum says that some of the traditional tools used to protect a hardware server work just as well in a virtualized environment, while others "break altogether."

"We're trying to fix the things that break, to bring ourselves up to the level of security where physical machines are," he said. "But we are also looking to create new types of protection."

Rosenblum said the APIs released as part of the initiative offer security vendors a way to check the memory of a processor, "so they can look for viruses or signatures or other bad things."

Others allow a security vendor to check the calls an application within a virtual machine is making, or at the packets the machine is sending and receiving, he said.

"I don't want to be reverse engineering our products to find exploits or figure out signatures," Rosenblum said. "Fundamentally, that means we have to partner. Fortunately, there is a bunch that are happy to partner and I encourage that."

The relative security of hypervisor technology has been the subject of controversy in recent months.

Publicly, VMware insists that its core technology is yet to suffer from a serious breach.

But scattered among the showcase floors of last week's VMworld conference in San Francisco were companies such as Catbird or BlueLane--start-ups looking exclusively at the security of virtual machines.

Catbird ran a marketing campaign at the conference warning VMware users about the dangers of "running naked"--paying scant attention to securing their virtual machines.

The start-up claims that by VMware's own admission, two-thirds of virtualization users are "running naked."

"It's been the dirty little secret of the virtualization industry," says Howard Fried, director of sales engineering at Catbird. "Security seems to be the last thing people are doing. Nobody seems to understand that in this whole transition to virtualization, you can't apply an identical policy to how you secure a physical server."

"At the end of the day, a hypervisor is a bag of bits that needs to be added," he said. VMware's Rosenblum said some of the statements being made by the security start-ups are "a little self-serving, since they have a particular security solution they want to apply to it."

However, VMware is making some of its own efforts to calm user fears about the security of virtual machines.

Announced at the VMworld conference, the vendor will ship the latest version of its hypervisor--ESX Server 3i--embedded in the high-end hardware lines of IBM, Dell, HP, NEC and others.

ESX Server 3i has considerable advantages over its predecessors from a security standpoint. In this latest release, which will be available in November, VMware has decoupled the hypervisor from the service console it once shipped with. This console was based on a version of the Red Hat Linux operating system.

As such, ESX 3i is a mere 32MB in size, rather than 2GB.

Some 50 percent of the vulnerabilities that VMware was patching in prior versions of its software were attributable to the Red Hat piece, not the hypervisor.

"Our hope is that those vulnerabilities will all be gone in 3i," Rosenblum said.

Featured Video