Friday, July 30, 2010

Random Rant: VMsafe at the VM Security Panel at Catalyst 2010

VMware was given some crap at the panel for providing APIs to allow visibility and control into the operation of guests running in the hypervisor. 

The argument against this was that it was "too dangerous" and provided "too attractive a target to attack." The most inane argument was "if you crack the hypervisor, then this gives you unfettered access to the guests." Seriously? If you crack the hypervisor, you are already toast. Try making the argument that "well, sure, the guy got root but I didn't have adb installed so he couldn't have done anything bad after that."

I've been looking forward to VMsafe since it was announced and have been disappointed by the lack of any apparent activity.

I want a libpcap port which would then enable a whole slew of open source utilities. I want to see system and application profiling and debugging tools built on this. I want to see monitoring and management tools aggregating the rich information that could be mined from this and reporting it back to an analysis engine (so like AppSpeed done right). But what do we have now, years later? Nothing.

To be clear, I'm not saying that this should be enabled by default for every VM or that you can just telnet to port 39558 to start poking around. Don't be stupid, but also don't be afraid of something seriously useful (and oh, by the way, your competitors don't seem to have it).

Maybe the main problem was targeting the security weenies. Maybe you should have called it 'VMDebug.'
