VMware For Security

Discussion in 'other security issues & news' started by DasFox, Jan 24, 2008.

Thread Status:
Not open for further replies.
  1. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    I've been digging around here, but I didn't notice too much talk about VMware for security purposes, meaning to use it for your online activities, essentially turning VMware into the sandbox and letting the issues be dealt with there, with no more worries about ruining an OS or important/valuable data on the HOST OS.

    The only problems I see here are hardware compatibility for some, the cost of VMware for greater flexibility, and performance for those lacking CPU or RAM. As far as the cost side of things goes, there is always VMware Player, which is free.

    I don't know how great the hardware support is for the latest version, but I'm testing it out right now on an AMD XP 3000+ 2.0 GHz and 1 GB of RAM, and when you place the guest OS in full screen you can hardly tell you are in VMware; the speed is just like the real thing.

    Also, I heard someone mention here that VMware is harder on the hard drives. Is this true?

    As far as the CPU is concerned, I did notice when you first start an application in VMware the initial spike in the CPU is higher. For instance, you click on 'My Computer' in XP, and watch the task manager. On my box it kicks the CPU up to around 15-18%, but in VMware it will be typically double that. So in the long run I wonder if VMware could really tax the CPU.

    Personally I think using VMware for some makes for a simpler sandbox idea. What do you think?
     
  2. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    No point when it consumes multiple times more system resources and doesn't offer any advantages over what the average sandbox these days can do.
     
  3. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    There's actually a reasonable number of mentions here. While VM Player solves the cost issue, I played with it a while and tossed it - not my cup of tea. Full VMware at a much cheaper price would have been a viable option - but I can see why it's priced where it is.

    Some of the other solutions that are mentioned here much more often are probably much more appropriate to the current audience, feature set needs, and overall tradeoff in attributes.

    As for it being simpler - it's virtually never true that more flexibility and options yield a simpler solution.

    Blue
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    Hi DasFox

    I use VMware's Workstation for a number of reasons. One of them is for security with riskier activity, another is for testing. Finally I use them to install certain software I want to use, but don't want to install on the host machine.

    If you have adequate resources, I don't see them as being harder on the drives.

    One thing they offer that goes beyond any of the sandbox and recovery software is their snapshot ability. It sort of has a similar functionality to Rollback, but nowhere near the speed. That being said, the snapshot facility can recover to a point, regardless of what you do to the machine. For example, our old favorite: I can let it take down the drive and wipe out the partition table, then restore to a snapshot, and everything is back.

    Another good example of usage is if you want to try some odd partitioning or something with the disks. You can try it on the virtual machine, watch what messages, warnings or whatever comes up, and if you screw up, you just restore a snapshot and try again. That way when you do it on real hardware you know what to expect.

    Pete
     
  5. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    For me it seems like the logical choice for people that love to test software and try out the latest, and there does seem to be a handful of those around here, then for that benefit alone, it seems like such a simple application to use, looked at like your virtual OS sandbox.

    Personally I love it, and no PC geek's box should be without it. ;)
     
  6. ethernal

    ethernal Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    132
    Location:
    Stockholm, Sweden
    vmware doesn't properly sandbox to be honest. due to kernel sharing, if you compromise a guest so that you can execute code in ring-0, there goes the day for the host too. :ninja:
     
  7. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Well if you can infect guest XP into host XP, then I'll consider using Linux as a guest box for a sandbox, that will take care of it. ;)
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    I also use Shadowdefender, and just to avoid this issue, when I am doing anything really dangerous in the VM, I shadow all my drives on the host.
     
  9. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Exactly what I do Pete and I also have vmware for linux - not that I'm really worried, I haven't seen a problem with this.

    vmware workstation 6
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    I haven't either, but it doesn't hurt to be a bit cautious.
     
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Hello,
    I run VMware Server both on Win / Linux mainly for testing / compatibility / education purposes less for malware isolation and such. But even on Windows, the simple separation provided by default configuration should be enough.
    Mrk
     
  12. ethernal

    ethernal Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    132
    Location:
    Stockholm, Sweden
    as i said, ring 0... shadow or whatnot, nothing helps when executing in ring 0.

    we're talking kernel level here, way above any antivirus or other security software :shifty:
     
  13. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    A bit irritated that your FUD isn't being taken as seriously as you'd like it to be, ethernal?
     
  14. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    There is nothing to worry about here. Most vulnerabilities are either detected by the VMware security team, or by research teams and released straight to VMware.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    Do you have something to test to verify that? If so, PM me. Don't post it.

    Pete
     
  16. ethernal

    ethernal Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    132
    Location:
    Stockholm, Sweden
    i certainly don't understand you guys.

    i might be new on the forum, but everywhere i post you more or less tell me that i either suck, or i am being incompetent.

    in case you're wondering, the vmware application runs at ring 3, whereas the vmx and other drivers run in ring 0. if you successfully manage to run arbitrary code in a guest system at ring 0, you can execute code on cpu level, affecting both host and all other guests.

    i am not sitting here on a proof-of-concept code that will own any machines, neither am i inclined to write one.

    i merely offer my experience and thoughts.
    none of you lot are helpful at all, except for the occasional user posting here mostly saying "hi, i suck, and you guys rule, please help me because i am too stupid to understand it myself".. then they get ample help.

    what proof is it you're looking for to accept me and discuss with me in a civil manner? do i honestly have to post my resumé before anyone takes me seriously? sigh.
     
  17. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Hello,

    Posting a resume could, theoretically, help.

    Now, regarding the execution - in theory, if successfully executed, the code can do ANYTHING, regardless of the software in question. But, for all practical purposes, this is not something so easily achievable. And you may notice that the VMware team releases updates to their software whenever they find something that might potentially be exploited.

    All in all, you're safe running anything inside VMware without extra precaution, but if you really must, Linux host is your best bet.

    Mrk
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    All I can say is that, yes I'm paranoid, but not THAT paranoid, I'm really not going to load up a whole OS just for safe browsing LOL. I use VMware only for testing purposes, not for security. I believe that my HIPS should be able to take care of any zero day risks, and besides, even in a VM you can still get infected not?
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    Ethernal

    This isn't about you, but I have tested some Ring 0 POC stuff in VM machines, and it hasn't gotten out. So far VM machines by VMware have held up. That's why I asked if you had something that proved otherwise as opposed to just talking in theory. And yes, I do accept there is always a theoretical possibility. That's why when playing with this stuff I shadow the host.

    Pete
     
  20. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    ethernal I don't feel your grievances are justified, but anyway I'd be happy anytime to discuss any PoC released or a suggested vulnerability.
     
  21. ethernal

    ethernal Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    132
    Location:
    Stockholm, Sweden
    it's not about this particular thread, it's about every single one i participate in.

    i feel it is very unnecessary to automatically assume somebody is an incompetent idiot due to low post count.

    i was asked to join this community by ESET, since they asked me to become authorized reseller and service provider for their corporate products.

    is that proof enough for you that i, in fact, am not a complete retard?
     
  22. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
  23. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Being a new member and making rather strong claims may generate some rejection by the community :)
    The Psychology of Security
     
  24. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    As far as I know nobody here thinks that way. I would say it's content if anything and then, everyone can have their opinion and debate that, if they wish. I hope you come to feel most welcome here.
    If you have any links to papers or have any other thoughts on vmware for security I would be most interested.
     
  25. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Hey ethernal: breathe :)
    I use VMWorkstation too: like it: oh yeah.
    I am happy to have any information you may have.
    I've tried hard to break my system ( without going mad) from the VM side, and get past the snapshots: for me so far no issues.

    I don't doubt that there are mals that will ( and check the accelerating demand for it around the world as VMs take off :eek: ) compromise virtual systems through to the host.

    Just for the moment anyway there seems no reason to panic.

    Any of the above power endusers; some who code and some who test and some who like BZ have abandoned VMs as being too fussy are well aware of potential issues.

    All have systems in place.

    Prolly even here only a small number of users are 'into' VMs

    Heh I can assure you post count is no indication of expertise and that is well recognized.

    Longboard = 1720 ;)

    Bontchev = 32 !!
    EraserHW = 185 !!

    and so on

    Don't go away.
     
    Last edited: Jan 27, 2008