Saturday, April 18, 2009

On the dangers of OVF

I know it's security's job to be the boogie-man, but it bothers me when people use potential edge cases in security as reasons not to do "good things" (TM). OVF in a nutshell: "The Open Virtualization Format Specification describes an open, secure, portable, efficient and extensible format for the packaging and distribution of software to be run in virtual machines." (OVF in more than a nutshell at DMTF.) Kris Buytaert's posting cites, as one of his concerns with OVF, that it would serve as a vector for malware:
"A Virtual Machine image is the perfect vehicle for malware in your network … someone prepares an image for you, you run it on your network, and you set loose the devil, who knows it does a network scan in the background and sends the info"
He's absolutely right: it does allow for this, and it will be abused, but I don't think that OVF will make the world a less secure place. Consider, USB drives are a vector of malware too (look at Conficker and Neeris), but they've made it easier to transfer data, which probably improves productivity (or the sharing of the things you shouldn't be emailing, since the boss may frown on what gets delivered by email). If you're the sort that goes and acquires VMs or Linux distros or any sort of software from untrusted sources and doesn't perform validation exercises, it's not going to be OVF's fault that a mal-machine (TM - it's mine!!!) gets on your network.

OVF was designed to provide security in the form of image integrity and package signing with a digital signature, so if anything it means that I'd know if someone had manipulated the VM package and whether it actually came from a reputable source. I'd argue that it may make automated analysis of VMs by anti-X technologies even easier, since it's easier to understand what resources are in the package.

The other point, about OVF encouraging VM sprawl, is not something I can really comment on, but I think people tend to have lots of VM images anyway (storage is cheap), so again it's not a technology problem; it's more of a process/governance framework/asset management issue.

UPDATE: similar thinking to my own here.
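The integrity mechanism referred to above is the OVF manifest: a `.mf` file beside the descriptor that lists a digest for every file in the package (SHA1 in OVF 1.x; SHA256 and SHA512 were added in OVF 2.0), with an optional `.cert` file carrying a signature over the manifest. The following is an added example, not code from this post or from DMTF, of the "validation exercise" the author has in mind: it builds a constructed two-file package, checks every manifest entry against the bytes actually on disk, and reports which files fail after the disk image is tampered with or goes missing. The `appliance.*` file names and contents are made up for the example, and the `.cert` signature check is not covered here; only the standard library is used.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Manifest lines take the form "SHA256(file.ovf)= <hex>" (format per the DMTF
# OVF spec). Everything in the sample package below is constructed for this
# example and is not a real appliance.
_MF_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\(([^)]+)\)\s*=\s*([0-9a-fA-F]+)\s*$")


def parse_manifest(text):
    """Return {filename: (algorithm, hexdigest)} parsed from manifest text.

    Malformed lines and entries that name a path rather than a bare file name
    are rejected, so a hostile manifest cannot point the verifier outside the
    package directory."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _MF_LINE.match(line)
        if not m:
            raise ValueError(f"malformed manifest line: {raw!r}")
        algo, name, digest = m.groups()
        if "/" in name or "\\" in name or name in (".", ".."):
            raise ValueError(f"manifest entry is not a bare file name: {name!r}")
        entries[name] = (algo.lower(), digest.lower())
    return entries


def file_digest(path, algo):
    """Stream a file through the named hash (disk images are large)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(pkg_dir, manifest_name):
    """Check every manifest entry; return {filename: True/False}.

    A file that is missing, or whose digest differs from the manifest, is
    reported as False. Digests are compared in constant time."""
    pkg = Path(pkg_dir)
    entries = parse_manifest((pkg / manifest_name).read_text())
    results = {}
    for name, (algo, expected) in entries.items():
        target = pkg / name
        if not target.is_file():
            results[name] = False
            continue
        results[name] = hmac.compare_digest(file_digest(target, algo), expected)
    return results


def build_sample_package(pkg_dir):
    """Write a constructed descriptor + disk placeholder and a matching manifest."""
    pkg = Path(pkg_dir)
    files = {
        "appliance.ovf": b"<Envelope xmlns='http://schemas.dmtf.org/ovf/envelope/1'/>\n",
        "appliance-disk1.vmdk": b"KDMV constructed placeholder disk bytes\n",
    }
    for name, data in files.items():
        (pkg / name).write_bytes(data)
    lines = [f"SHA256({name})= {file_digest(pkg / name, 'sha256')}" for name in files]
    (pkg / "appliance.mf").write_text("\n".join(lines) + "\n")
    return "appliance.mf"


def demo():
    """Verify an intact package, then a tampered disk, then a missing descriptor."""
    stages = {}
    with tempfile.TemporaryDirectory() as d:
        mf = build_sample_package(d)
        stages["intact"] = verify_package(d, mf)
        # Simulate someone modifying the disk image after the manifest was made.
        with open(Path(d) / "appliance-disk1.vmdk", "ab") as f:
            f.write(b"injected\n")
        stages["tampered"] = verify_package(d, mf)
        # Simulate a package that arrived without its descriptor.
        (Path(d) / "appliance.ovf").unlink()
        stages["missing"] = verify_package(d, mf)
    return stages


if __name__ == "__main__":
    for stage, result in demo().items():
        print(f"{stage}: {result}")
```

Run as a script it prints one line per stage; in an ingestion pipeline you would refuse to import a package for which any entry is False, and then verify the manifest's own signature against a certificate you already trust before believing the digests at all.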
