The worldwide x86 server virtualization market is expected to reach $5.6 billion in 2016, and Gartner estimates it has reached its peak, having significantly matured. OS container-based virtualization and cloud computing have gained in popularity, with organizations' server virtualization rates reaching up to 75 percent.
While hypervisor technologies have been split into Type 1 (native – or bare metal) and Type 2 (hosted) paradigms, security solutions have mostly focused on integration with Type 2 hypervisors. Traditionally, this has proven an effective approach when dealing with malware, but recent threat developments have shown traditional security ill-equipped to handle advanced malware and attacks.
Challenges for Traditional Virtualization Security
One of the most common misconceptions about virtualization is that, in case of virtual machine compromise, simply spawning a new machine will ensure service continuity and minimum downtime. The issue of data loss is not addressed and, while an eventual attacker could lose his foothold, he could at least make away with the data stored in the VM.
Current solutions use a VM security agent and a security appliance to offload the scanning part, solving the performance aspect of resource consumption. However, these guest operating systems are still vulnerable to exploits, APTs and other custom threats an in-guest security solution may not be able to detect in a timely manner.
Ultimately, the security solution depends on the information provided by the operating system and, if that system is compromised, the entire security suite could be bypassed. This opens up the same can of worms as traditional single-guest security, except that now remediation is far more cumbersome as virtual infrastructures come with far more dependencies.
The concept of building security at the hypervisor level has been regarded with skepticism, as it was deemed extremely difficult to pull off, especially since it involves a lot of low-level knowledge. However, one of the main advantages of this would be that security for guest operating systems would truly be agentless.
Successful integration of security with a Type 2 hypervisor would result in no performance penalties on VMs, as long as the entire introspection is not dependent on in-guest OS information. This means that a method for reading raw memory through hypervisor APIs would offer far more insight into how the guest OS is behaving, thus completely bypassing any potentially tampered information from the OS.
Instead of focusing on detecting malware samples and threats, a hypervisor-integrated security solution could only focus on attack techniques, such as buffer overflows, heap spray, code injection and other techniques that involve memory manipulation. With the ability to read raw memory pages, the security solution could offer complete visibility into any type of threat, and act as a real-time attack detection mechanism, before the guest OS is actually compromised.
Security experts believe each new layer in the security stack can add new attack vectors and compromise methods. While this is true, we can’t afford to ignore the security opportunities brought by hypervisor technology, especially since virtualization has picked up traction.
Addressing problems like context-versus-isolation and the level of privilege of both security software and advanced threats face is a never-ending battle. However, the future of cloud security should ultimately be decided by how fast security and virtualization vendors work together on overcoming such technical challenges.