17

Question

If one installs a VM with "high security" on a host machine with "low security", will the VM be only as secure as the machine it's installed on, or will the high-security aspects from the VM (e.g. latest service-packs and updates, anti-virus software, firewall, etc.) compensate for the fallibility of the host?

Background

In my line of work, I occasionally need to remotely access customer sites. Customers vary in their remote access processes. Some use dialup, some use VPN and some use web portals.

The customers also vary in their security procedures; some are fairly relaxed and some are far more rigid.

I have recently been asked to connect to a site via a web portal that does a sweep of my machine, looking for various things such as:

  • Approved OS level
  • Approved Firewall installed and active
  • Approved anti-virus software, spyware software, etc.
  • Several other factors

I discovered that my local machine's OS (Windows 8) is not supported by the tool; it looks for "More recent operating systems, such as Windows 7". My guess is the tool is a bit out of date... It also didn't detect our corporate firewall.

Anyway, the customer site recommended that I use VMware on my machine and install an XP VM. I did this and it did pass all the security restrictions from the web portal.

Possible duplicates:

Would running VMs inside of VMs be a more secure way to study viruses, etc?

and

How secure are virtual machines really? False sense of security?

m-smith

5 Answers

26

The host machine can impact and alter whatever it wishes in the guest VM. The host can read and write all the memory of the guest, stop and restart it on a per-instruction basis, and, by nature, sees every single data byte which enters or exits the guest. There is nothing which the OS in a guest VM can do to protect itself against a hostile host.

Thus, if the host is vulnerable and subverted (a hostile attacker takes control), then the guests are toast.

In your specific case, be assured that if the "protection software" is not aware of the existence of Windows 8, then it is indeed too old to be much good against viruses. I bet your customer knows it, too; by recommending a workaround (the VM with Windows XP), he is showing you how work can still be done without having to openly rebel against a company policy. In big organizations, there are often legacy policies which outlast their usefulness by years but can be removed only by waiting for the responsible people to retire or be fired.

Thomas Pornin
6

There may be a fundamental oversimplification in your question, and accordingly the answer may be no, the system is stronger than the weak host.

Peter G. Neumann has pointed out that there is a logical fallacy in thinking that combining two highly secure systems creates a highly secure combined device. To the contrary, if the two systems were not designed with the other in mind, the attack surfaces created by combining the two may well make the combined device extremely vulnerable. Thus the concept of additive security is fundamentally misguided.

We know that the VM and the host were designed to work with each other, so that is a point in the favor of the weak/strong combined product. I suggest that if you are worried about the remote attack exposure of your total system, the combination might be very strong. If remote access to the host is locked down (since you have physical access, that should be practical) and only the strong VM is accessed remotely, the combination should be stronger than an exposed weak host would be by itself.

In other words, the answer depends on the attack surface you expose, not general categories of strength and weakness and some additive property that does not exist.

zedman9991
5

In theory, the host can do anything to the guest, so it's no more secure.

In practice, I'm not aware of any malware in the wild which would interfere with a guest OS (short of infecting shared filesystems with viruses, or attacking it as though it were a peer), so it is more secure.

Schemes like this host-validator on VPN connection are stupid on the surface, but they protect the company from non-malware related problems too. Consider p2p file sharing programs on the VPN client system or audit exposure through unlicensed software.

Although it can be circumvented with VMware, whitelisting the approved OSes and having an aggressive blacklist makes life easier for the enterprise admin, and the end result isn't as bad as allowing anyone with the VPN client to connect to the enterprise network.

mgjk
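
The answers above note that a passing guest says nothing about the host beneath it. As an added example (not part of any post on this page, and not the customer's tool), the sketch below evaluates the attributes the portal sweeps for and reports a passing virtual guest as `pass-guest-only`, because the host was never assessed. The policy values, field names and sample sweeps are constructed assumptions.

```python
"""Added example: posture check that separates 'guest passes' from 'host assessed'."""

# Assumed policy values, constructed for illustration (not the customer's real policy).
APPROVED_OS = {"Windows XP", "Windows 7"}
# Well-known hypervisor fingerprints a guest reports about itself.
VM_VENDORS = ("vmware", "virtualbox", "innotek", "qemu", "xen", "parallels")
VM_MAC_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56", "08:00:27"}


def virtualization_evidence(facts):
    """Return the reasons this endpoint looks like a virtual machine."""
    evidence = []
    dmi = f"{facts.get('manufacturer', '')} {facts.get('model', '')}".lower()
    evidence += [f"dmi:{v}" for v in VM_VENDORS if v in dmi]
    for mac in facts.get("macs", []):
        if mac.lower()[:8] in VM_MAC_OUIS:
            evidence.append(f"mac-oui:{mac.lower()[:8]}")
    return evidence


def assess(facts):
    """Evaluate the swept endpoint and say what the result does NOT cover."""
    failures = []
    if facts.get("os") not in APPROVED_OS:
        failures.append("os-not-approved")
    if not facts.get("firewall_active"):
        failures.append("firewall-missing")
    if not facts.get("antivirus_active"):
        failures.append("antivirus-missing")
    evidence = virtualization_evidence(facts)
    if failures:
        verdict = "deny"
    elif evidence:
        # Checks passed, but only for the guest; the host was never swept.
        verdict = "pass-guest-only"
    else:
        verdict = "pass"
    return {"verdict": verdict, "failures": failures, "vm_evidence": evidence}


# Constructed sample sweeps: the asker's Windows 8 host and the XP guest on it.
HOST = {"os": "Windows 8", "manufacturer": "Dell Inc.", "model": "Latitude E6430",
        "macs": ["5C:26:0A:11:22:33"], "firewall_active": False, "antivirus_active": True}
GUEST = {"os": "Windows XP", "manufacturer": "VMware, Inc.", "model": "VMware Virtual Platform",
         "macs": ["00:0C:29:AA:BB:CC"], "firewall_active": True, "antivirus_active": True}

if __name__ == "__main__":
    for name, facts in (("host", HOST), ("guest", GUEST)):
        print(name, assess(facts))
```

A `pass-guest-only` verdict gives the access policy a distinct state to act on, for example requiring a separate host assessment, instead of treating the guest's result as covering the whole machine.
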
3

There is another factor to consider: if you are connecting from a more secure OS, and the protocols you are connecting with are not intercepted by the host, then a secure OS can act as a sandbox to protect the host OS, so accessing a website on Windows XP with IE6 on a host OS may be less secure than accessing the same website in a Windows 8 guest with IE10 on the same system. However, I agree with Thomas that once the host is compromised, there's nothing you can do on a guest OS to secure it against the host. This is the reasoning behind systems such as UEFI secure boot - if you don't know what you're running in, you can't even trust yourself.

Craig.Nicol
2

Yes, the security of a VM depends a great deal on the security of the host machine. Anti-malware on a VM only protects the VM's OS; if an attacker hacked a VM's host, then the attacker would be able to access shared memory and other resources that the VM uses, giving the attacker an opportunity to compromise the VM.

GdD