Virtualization

Discussion in 'NZ Computing' started by Lawrence D'Oliveiro, Oct 12, 2006.

  1. Been reading some older Inquirer articles on Intel's and AMD's respective
    virtualization technologies (start by following links from here
    <http://theinquirer.net/default.aspx?article=35011>).

    The last of the series on Intel's Vanderpool
    <http://www.theinquirer.net/default.aspx?article=21451> tries to explain
    some of the things you might use it for. E.g.

    The user side of the world may have some changes, but they are far out.
    The first class of things revolves around corporate user and machine
    management. If your VMM is part of your management package, you can
    load, unload, and tweak things right under the nose of the user.

    If they are using resources in a non-approved way, you can throttle them
    down, load or unload things on their HD, and even potentially patch
    programs on the fly. If they manage to muck the OS up to a degree that
    is all too common in modern corporate life, you simply blow the OS
    instance away and load up another snapshot.

    As a management tool, it can be everything a BOFH dreams of.
    Unintrusive unless you want it to be, undetectable, and impenetrable by
    clueless users. Spyware? Viruses? No problem, they can go away with the
    click of a mouse on a management console half a continent away.

    This assumes that you give users admin access on their desktop OS, but not
    of course on their desktop hypervisor, otherwise that puts you right back
    where you started. But what's to stop users demanding such access? It seems
    to me simpler to deny them admin access in the first place.

    Then:

    Further out in the nebulous timeline of IT progress comes the more
    interesting uses of virtualization. Instead of having your OS be
    completely virtualized, imagine a partially virtualized OS. Every
    program can be run in its own virtual machine, and messages passed back
    and forth in shared memory. It would be like hardware enforced threads,
    you spawn a new VM and run the program in it.

    But isn't this how properly-designed protected OSes work in the first place?
    (Yes, there are definite uses for virtualization in server/hosting type
    application scenarios, but all the extracts I'm quoting here are referring
    to deployments on the desktop.)

    But then things become clearer:

    Other than the stability issue, haywire programs can not get out of the
    VM and step on critical processes. This is a huge security benefit. The
    best is was one that will probably be a moot point by the time it
    happens. Three years ago, MS promised us in two years or so that they
    would have security under complete control, it is after all a Bill Gates
    proclamation.

    On the off chance that MS is not 100% secure by this time a year ago,
    VMs can help. One of the ideas tossed out by the Intel engineers was
    running IE in a VM. When you are done browsing, you shut down the VM,
    and all the malware and crud that comes along with running that browser
    goes off into the ether with nary a poof.

    If you set things up right so that the browser has specific information
    pulled from it before it shuts down rather than it writing all over the
    OS, it would be very hard for a virus to spread. When you run IE next
    time, it loads up a clean image, and has information like bookmarks and
    cookies pushed to it. While it is not an incorruptible paradigm, it will
    certainly be much harder to circumvent controls that VT could put into
    place. Luckily, this will be a moot point by then, MS promised.

    Really, it seems like this virtualization thing originates from _giving up_
    on the idea that Microsoft, specifically, is capable of designing a
    securely-written OS running securely-written applications. And instead,
    trying to patch up the problems with Windows by adding another layer below
    it.

    But then, who is going to provide this layer for Windows? If Microsoft is
    involved, how can you ensure they won't stuff it up again?
     
    Lawrence D'Oliveiro, Oct 12, 2006
    #1

  2. thingy (Guest)

    Vmware's ACE.

    Or Xen....

    There are so many uses for this.....give a contractor like a remote data
    inputter an ACE'd CD (with a specifically crafted Windows ISO inside it)
    to take home with a 3 month "mission impossible" fuse.....at 90 days it
    expires.....if the contract is extended, send them another ACE'd CD-R....

    You could even give them specific expensive applications with that 90
    day fuse, say Autocad or CS Photoshop safe in the knowledge that it
    cannot be altered and can only be used for remote working....for 90 days....

    Lawrence D'Oliveiro wrote:

    8><----

    > Further out in the nebulous timeline of IT progress comes the more
    > interesting uses of virtualization. Instead of having your OS be
    > completely virtualized, imagine a partially virtualized OS. Every
    > program can be run in its own virtual machine, and messages passed back
    > and forth in shared memory. It would be like hardware enforced threads,
    > you spawn a new VM and run the program in it.


    Or have it virtualised and have all the instances talk over a virtual
    network then you can snoop on the "hub"....

    > But isn't this how properly-designed protected OSes work in the first place?
    > (Yes, there are definite uses for virtualization in server/hosting type
    > application scenarios, but all the extracts I'm quoting here are referring
    > to deployments on the desktop.)


    Other useful ideas....have a distributed number crunching system (like
    Condor) run on its own instance on each desktop in an organisation at a
    low priority while the user gets a high priority...user won't notice and
    cannot get to that data being crunched.....lots of free computing
    cycles, securely....cheaply

    > But then things become clearer:
    >
    > Other than the stability issue, haywire programs can not get out of the
    > VM and step on critical processes. This is a huge security benefit. The
    > best is was one that will probably be a moot point by the time it
    > happens. Three years ago, MS promised us in two years or so that they
    > would have security under complete control, it is after all a Bill Gates
    > proclamation.
    >
    > In the off chance that MS is not 100% secure by this time a year ago,
    > VMs can help. One of the ideas tossed out by the Intel engineers was
    > running IE in a VM.


    Yep, this will happen...an appliance....a dedicated OS only running a
    web browser....read only.....locked away in ram when it is used......

    > When you are done browsing, you shut down the VM,
    > and all the malware and crud that comes along with running that browser
    > goes off into the ether with nary a poof.
    >
    > If you set things up right so that the browser has specific information
    > pulled from it before it shuts down rather than it writing all over the
    > OS, it would be very hard for a virus to spread. When you run IE next
    > time, it loads up a clean image, and has information like bookmarks and
    > cookies pushed to it. While it is not an uncorruptible paradigm, it will
    > certainly be much harder to circumvent controls that VT could put into
    > place. Luckily, this will be a moot point by then, MS promised.
    >
    > Really, it seems like this virtualization thing originates from _giving up_
    > on the idea that Microsoft, specifically, is capable of designing a
    > securely-written OS running securely-written applications. And instead,
    > trying to patch up the problems with Windows by adding another layer below
    > it.
    >
    > But then, who is going to provide this layer for Windows? If Microsoft is
    > involved, how can you ensure they won't stuff it up again?


    Yep, right on.....increasing server utilization means running more than
    one application on one piece of hardware, with standard Linux it is
    easier or easy to do this compared to Windows. With Windows
    significantly harder or impossible...........DLL hell and all that....

    So far from the faster and better hardware making Windows' huge ungainly
    kludge work better, it is actually starting to show it up for what it is....

    regards

    Thing
     
    thingy, Oct 12, 2006
    #2
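The disposable-browser pattern both posts discuss (boot a clean image, push bookmarks and cookies in, pull only approved state out at shutdown, discard everything else), as an added example that is not from the thread or the Inquirer article: a Python model of that lifecycle using a directory in place of a VM image, with the allowlist, file names and sample contents all assumed.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Only these files may cross the VM boundary in either direction (assumed).
PROFILE_ALLOWLIST = {"bookmarks.txt", "cookies.txt"}


def image_digest(image: Path) -> str:
    """SHA-256 over the base image so any change to it is detectable."""
    h = hashlib.sha256()
    for p in sorted(image.rglob("*")):
        if p.is_file():
            h.update(p.relative_to(image).as_posix().encode())
            h.update(p.read_bytes())
    return h.hexdigest()


def run_session(image: Path, profile: dict, browse) -> dict:
    """Boot a throwaway copy of the clean image, push the profile in, run one
    session, pull only allowlisted files back out, then destroy the rest."""
    before = image_digest(image)
    instance = Path(tempfile.mkdtemp(prefix="browser-vm-"))
    try:
        shutil.copytree(image, instance, dirs_exist_ok=True)  # clean boot
        for name, data in profile.items():
            if name in PROFILE_ALLOWLIST:  # anything else is refused
                (instance / name).write_text(data)
        browse(instance)  # the session may write wherever it likes
        return {n: (instance / n).read_text()
                for n in PROFILE_ALLOWLIST if (instance / n).exists()}
    finally:
        shutil.rmtree(instance)  # malware and crud go with it
        if image_digest(image) != before:
            raise RuntimeError("base image was modified during the session")


def demo() -> dict:
    """Constructed sample: a one-file base image and a session that updates
    bookmarks, drops an unwanted binary and tampers with the browser copy."""
    base = Path(tempfile.mkdtemp(prefix="base-image-"))
    (base / "browser.bin").write_bytes(b"constructed placeholder image")

    def browse(inst: Path):
        (inst / "bookmarks.txt").write_text("http://theinquirer.net\n")
        (inst / "dropped.exe").write_bytes(b"unwanted file placeholder")
        (inst / "browser.bin").write_bytes(b"tampered in-session")

    try:
        return run_session(base, {"cookies.txt": "session=abc"}, browse)
    finally:
        shutil.rmtree(base)
```

Only the allowlisted profile survives the session; the dropped file and the tampered browser copy are destroyed with the instance, and the base image is verified unchanged before the next clean boot.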