Monthly Archives: August 2007

New feeds in Planet V12n

If you are interested in virtualization and aren’t reading Planet V12n, you’re missing out. Things are busy here at VMware as we enter the runway for VMworld (and it’s going to be a good conference for the newbie or old hand), but the virtualization world keeps moving on.

We recently added a few new voices to the Planet. Let me introduce you:

  • p2vd.com – Ryan Glover links to virtualization news, but he has also been adding short, trenchant analysis to his links. Too many bloggers, including yours truly, just link to an article in a hurry — adding a bit of insight is always welcome.
  • IT 2.0 – Massimo Re Ferre’ is a regular in the VMTN Community and has good insight into desktop virtualization and maintains this list of VDI brokers. Also very worth reading is his article on hypervisor architecture. Massimo will also be speaking on "Virtual Appliances and the New Data Center" at VMworld.
  • NTPRO.NL – Eric Sloof first came to my attention at TSX Europe this year where his video interviews were outstanding. He’s also the author of the Virtual Machine MKS Client and other tools, and has recently started the tools directory vm4all.com.
  • Jumé B.V. – Bouke Groenescheij’s website and blog. Bouke will be speaking at VMworld this year on "The Complete Clustering How-To with VMware and Microsoft Cluster Server".
  • xtravirt – Jolliffe, Davey, and Mittell. Just go and take a look — trust me on this one. Alex Mittell I know as a regular at VMTN, but the site from this group is great and looks good to boot. The VI tips feed alone is worth the visit, but with white papers like How to install ESX Server in Workstation 6, the VI3 Security Risk Analysis Template and other tools and utilities, you’ll spend a while here.

So go forth and virtualize!

vm4all.com: The VMware Tools Repository

Great new site from Eric Sloof (it will appear on the right-hand blogroll as soon as I get a moment): vm4all.com. The tagline is "The VMware Tools Repository," and it lists both freeware and commercial utilities you can use with VMware Infrastructure. It has an RSS feed so you can keep up with changes and additions. There are 38 entries so far, with the latest being freeware from Massimiliano Daneri:

  • vdf+ (perl script based on our vdf utility to show mounted VMFS devices)
  • vmSSHjwc (free Java SSH terminal integrated into VI web access)
  • VMCL (free high availability software)
  • VMBK (free hot backup script)
  • VMTSPatchManager (free ESX Server patch manager)

Right now, it looks to be focused on the VMware Infrastructure side — is there a similar tools library for Workstation, Player, Server, and Fusion?

See also: virtualization.info Release search, VMTN User Solutions Forum, and Eric Siebert’s VMware-land.

Pocket Guide to Pocket ACE

Warren Ponder announces the availability of the Pocket Ace Guide.

Pocket ACE enables an ACE Administrator to deploy ACE instances using portable media devices such as USB keys (flash memory drives), Apple iPod mobile digital devices, or portable hard drives. When an ACE instance is deployed, you can attach the portable device to any x86-based host computer to run the ACE instance. When you finish using an ACE instance, you can shut down, detach the media, take it with you, and restart your session by attaching the portable media device to another host. …

Along with the technical details, this tech note spends about a page discussing some interesting use cases:

  • providing secure remote access for users working remotely using untrusted hosts
  • increasing the security and mobility of mobile users
  • providing temporary access to contract workers using untrusted hosts
  • providing access to offshore outsource partners
  • providing disaster recovery
  • distributing beta or trial software

Sample chapters from VI3 Advanced Technical Guide

Mike Laverick writes at RTFM Education: Vi3 Authors release sample chapter.

Myself, Ron Oglesby and Scott Herold have released a FREE sample chapter of our eagerly expected book. The PDF is free, and a hard-copy can be bought for a nominal fee. Remember, this is not the full book, just a free sample chapter. Enjoy!

http://www.lulu.com/content/1115401

It’s actually 3 chapters: VirtualCenter and Cluster Design, Recovery and Business Continuity, and Installing ESX 3.x. The hard-copy is $6.73 to cover the cost of printing the 110-page excerpt, which will take 3 weeks to arrive in your mailbox.

Good bedtime reading and a good way to prep for VMworld.

The site for the book is www.vi3book.com.

The best reason to buy a Mac Pro

The VMTN Blog’s Chief Fusion Correspondent Pete writes:

VMware Fusion just launched last Monday, and the folks at CNET Labs are already hard at work doing some benchmarking. They compared different ways of running Windows on Mac OS X, including Apple’s Boot Camp 1.3 Beta, VMware Fusion, and Parallels Desktop 3.0. The results were pretty strong for VMware Fusion, and we’re happy to see how well VMware’s newest virtualization product performed against the alternatives.

Results are here.

Fusion’s Virtual SMP technology takes advantage of the multiple cores of the Mac Pro, and it really shows up in their "most taxing" multimedia benchmark where Fusion accomplished in around 15 minutes what it took Parallels Desktop almost an hour to do (874 vs 3260 seconds).

Check out VMware Fusion. It’s the best reason to buy a Mac Pro.

Top 10 things you can do with VMware Fusion and your Mac

When you think of Macs and virtualization, what pops to mind?

  • What the hell is virtualization? (A: The ability to run another operating system in a virtual machine (VM) while still running Mac OS X)
  • Oh, right, that’s what Parallels does. (Yes, but read on…)
  • Wasn’t there an old Virtual PC product from Microsoft that they never ported over to Intel Macs? (You are truly old-skool. Fasten your seat belt – this is a rocket ship compared to older emulation products.)

Well, regardless of what you think, there’s a new kid on the Mac virtualization block: VMware Fusion. And “new kid” isn’t exactly the right term. VMware pioneered x86 virtualization and has been doing virtualization for nine years now. With Apple’s switch to Intel processors, all that experience can now be brought to your Mac.

Hold on to your mighty mouse, because when the granddaddy of virtualization turns its attention to your favorite MacBook Pro, you can do some crazy things.

These are some of our favorites:

  • SWITCH! Want to leverage the digital lifestyle of your Mac but have one or two Windows applications that you can’t live without? You don’t have to be locked in anymore. Outlook, Windows Media Player, Microsoft Project, AutoCAD, Solidworks…you name it. They all can run in a Windows virtual machine on VMware Fusion. Bring your USB peripherals with you as you switch too; they still work.

  • Walk and chew gum at the same time. With virtualization you are running, in effect, two computers at the same time when you run Windows on your Mac. That can take some horsepower. VMware Fusion’s mature technology means much less CPU overhead. As Walt Mossberg of the Wall Street Journal noticed, “VMware Fusion has a much smaller impact on the Mac’s overall performance [than Parallels.]” With VMware Fusion, Outlook in your Windows virtual machine doesn’t slow down your Safari session running on Mac OS X.

  • Use the full strength of your Mac hardware. VMware Fusion’s virtual SMP lets you assign up to two CPUs to a single VM, and up to 8 GB of RAM too. Want to test run the latest Oracle database in a 64-bit Linux VM with 4 GB RAM and 2 cores? Want to test SQL Server 2007 on Windows Server 2003 64-bit edition? You can do it. Though you should probably be doing something else on your Saturday night.

  • Reduce, reuse, recycle…your RAM. VMware pioneered memory page sharing. So running a VM in VMware Fusion takes up much less of your Mac’s memory than other virtualization products. And it gets better the more VMs you’re running at once. Five Windows XP virtual machines at a time doesn’t mean 5x the memory of a single XP virtual machine. By sharing the sections of memory that are common between the VMs, like with common OSs, you can “over commit” memory.

  • Run those Windows apps as if they were Mac apps. With VMware Fusion’s Unity feature, your Mac treats Windows applications like its own. Windows applications show up in the Dock on launch and you can even minimize Windows apps down to the Dock too. They fly around in Exposé, sport drop shadows around their edges, you name it. As far as your Mac is concerned, they’re native apps.

  • Don’t lose your head (or your way) with USB 2.0 support. Got a GPS unit that doesn’t support Mac? With VMware Fusion, just load the software in Windows and plug the USB cable into your Mac. Blackberry, USB VoIP softphones, webcams, scanners, printers, all of the above. You can still use them with a Windows VM. Just because you want to switch doesn’t mean you should have to say goodbye to near and dear peripherals.

  • Bring that Mac into the enterprise. Usually there are a handful of applications that are absolute must-haves in the enterprise that are tying you to that PC. VMware Fusion lets you run those on a Mac. And VMware Fusion USB support means that the Crackberry monkey will still be on your back. VMware Fusion’s stability, and the amazing support network provided by VMware’s forums, make it a business-class solution.

  • Run over sixty x86-compliant operating systems on your Mac. Linux, Solaris, Windows from 3.1 through Vista Ultimate x64. 32-bit or 64-bit. VMware Fusion can run it. Sure, Mac OS X is great, but why not learn some Linux or FreeBSD, or even turn back the clock to Windows 3.1? You can even drag and drop files between Linux and your Mac or Windows and your Mac.

  • Go shopping for some appliances to match your pretty Mac. There are over 550 virtual appliances available in the Virtual Appliance Marketplace, including pre-staged anti-spam and security appliances, demo software, you name it. Pull one down, fire it up on VMware Fusion, and you’re up and running. No install discs, .ISOs, or anything. You can use those CDs for coasters, if you want.

  • Frag some baddies. Experimental 3D graphics support allows you to play select DirectX 8.1 games in a Windows XP SP2 virtual machine. If you’re jonesing for some Duke Nukem or Tony Hawk, fire up VMware Fusion. It doesn’t help you with the latest and greatest in 3D video games, but c’mon, you should be working anyway.

So with those top ten things in your back pocket, come learn more about VMware Fusion or…

Download the 30-day Free Trial of VMware Fusion!

And, of course, here’s the famous video demo of the Unity feature of VMware Fusion:

Being Escorted out of the Cave

Posted by Charu Chaubal
Technical Marketing Manager for Datacenter Management

Recently, security consulting company Intelguardians presented at NDSS claiming they could execute malicious code on the host OS of a computer running VMware hosted virtualization software, such as the free VMware Player or the licensed VMware Workstation. Their subsequent presentation at SANSFIRE 2007, which was reported on in a number of blogs (such as PaulDotCom), apparently extends the NDSS presentation and talks about some other similar exercises (the slides from SANSFIRE 2007 are not yet posted anywhere, so the exact details can’t be referenced).

It’s important to understand that this whole issue of guest-to-host compromise only exists for hosted virtualization platforms, such as VMware Player, Server, and Workstation, which run on top of general-purpose commodity operating systems. It specifically does NOT pertain to VMware ESX Server, for reasons that will be apparent below.

Although this series of demonstrations of guest-to-host attack does legitimately show one of the risks of virtualization, it is not due to flaws in virtualization technology, as some might like to claim. Rather, it shows the dangers of using a product feature without fully understanding it.

So what should one make of these supposed new security exploits? All of them are based on the ability to pass information from the guest OS to the host OS in a trusted manner. Specifically, there are several ways of doing this in VMware’s hosted virtualization products:

  • Host-Guest Shared Folders
  • Host-Guest Drag-n-Drop
  • Host-Guest Cut-n-Paste

The security of each of these ultimately depends on the host OS trusting the guest OS not to behave badly. If you trust the guest OS, then you believe that the information it passes to the host OS is not malicious or compromised. If the security of the guest OS cannot be guaranteed, then one should inspect any transferred file before doing anything with it. Alternatively, this type of functionality should be disallowed. For this reason, VMware has provided configuration settings which allow you to disable each of these. These settings are described in the VMware Workstation User’s Manual, in the section appropriately titled “Transferring Files and Text Between the Host and Guest”.
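A small audit of the per-VM settings the post refers to, added here as an example rather than VMware’s own tooling: it parses a Workstation/Player .vmx file, reports which of the transfer channels above are still at their enabled default, lists the host directories currently mapped into the guest, and produces a hardened copy. The isolation.tools.* key names are taken from VMware’s published hardening guidance and the sharedFolderN.* keys from ordinary .vmx files (assumption: the release in use honours them; confirm against the manual section cited above); the sample file is constructed.

```python
"""Audit a VMware .vmx file for the guest-to-host channels discussed above and
emit a hardened copy.  Added example, not VMware's own tooling."""
import re

# One disable switch per channel.  Key names follow VMware's published
# isolation.tools.* hardening guidance; assumption: the Workstation/Player
# release in use honours them (confirm in the manual section the post cites).
CHANNEL_KEYS = {
    "shared folders (HGFS)": "isolation.tools.hgfs.disable",
    "drag-and-drop": "isolation.tools.dnd.disable",
    "copy (guest to host clipboard)": "isolation.tools.copy.disable",
    "paste (host to guest clipboard)": "isolation.tools.paste.disable",
}

_ENTRY = re.compile(r'^\s*([\w.:-]+)\s*=\s*"?(.*?)"?\s*$')

def parse_vmx(text):
    """Parse key = "value" lines into a dict; .vmx keys are case-insensitive."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def _is_true(value):
    return value.strip().lower() in ("true", "1", "yes")

def audit(cfg):
    """Map each channel to 'enabled' or 'disabled'.  A missing key leaves the
    channel at its (enabled) default, so only an explicit TRUE counts."""
    return {
        channel: "disabled" if _is_true(cfg.get(key, "false")) else "enabled"
        for channel, key in CHANNEL_KEYS.items()
    }

def mapped_shared_folders(cfg):
    """Host paths currently mapped into the guest via sharedFolderN.present."""
    return sorted(
        cfg.get(k.replace(".present", ".hostpath"), "?")
        for k, v in cfg.items()
        if re.fullmatch(r"sharedfolder\d+\.present", k) and _is_true(v)
    )

def harden(cfg):
    """Return a copy with every guest-to-host channel explicitly disabled."""
    hardened = dict(cfg)
    for key in CHANNEL_KEYS.values():
        hardened[key] = "TRUE"
    return hardened

def render(cfg):
    """Serialise back to .vmx syntax (keys sorted for a stable diff)."""
    return "\n".join(f'{k} = "{v}"' for k, v in sorted(cfg.items())) + "\n"

# Constructed sample: copy is disabled, the other channels are left at their
# defaults, and one host directory is mapped into an untrusted guest.
SAMPLE_VMX = '''displayName = "untrusted-xp"
isolation.tools.copy.disable = "TRUE"
sharedFolder0.present = "TRUE"
sharedFolder0.hostPath = "/Users/me/Downloads"
sharedFolder0.guestName = "Downloads"
'''

if __name__ == "__main__":
    cfg = parse_vmx(SAMPLE_VMX)
    for channel, status in audit(cfg).items():
        print(f"{status:8s} {channel}")
    print("mapped shared folders:", mapped_shared_folders(cfg))
    print(render(harden(cfg)), end="")
```

Run it against a real .vmx (with the VM powered off) to see which channels a given guest can still use; the hardened output is a starting point, since a mapped shared folder also needs removing from the VM settings if the host path should not be reachable at all.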

Bear in mind: these channels for passing information from the guest to the host are not related to the core virtualization layer. They are added on top of it, to provide ease of management and operation. The ability to transfer files from the guest to the host, e.g. without using scp, can be very convenient. By disabling these mechanisms, you lock out VMware-specific means of transferring malicious files to the host OS. (There are, of course, plenty of other ways of achieving the same thing – one cute way would be to have a hacked web server in the guest serve up an AJAX exploit to a browser on the host.)

As alluded to earlier, this issue doesn’t exist with ESX Server, since the “host” in this case is a purpose-built, thin, light-weight kernel which only runs code that ships with the product (for more information, see this white paper on the security architecture of VMware Infrastructure 3). There is neither any mechanism nor any reason for transferring files from the guest to this “host” OS.

The real lesson, however, is that VMware needs to be more prolific in educating the market about what features require implicit trust. (It doesn’t help that Drag-n-Drop and Cut-n-Paste are enabled by default when a VM is created.) Instead of “Escaping the Cave,” as PaulDotCom says, it’s more like “Being Escorted Out of the Cave.” In the end, security exists only to the extent of your least trusted component, and VMware will strive to provide more proactive guidance in the future that clearly details this.

I spy a blue pill: detecting the theoretical rootkit

We seem to be writing a lot about Blue Pill for something that’s pretty hypothetical at this point.

A bit of background if you haven’t been following this: Blue Pill is a theoretical/proof-of-concept rootkit that uses virtualization — a hypervisor architecture — to insert itself and hide under your operating system. Previous coverage on the VMTN Blog here, here, and here.

Here are excerpts from a longer background explanation by VMware’s Beng-Hong Lim.

First off, it is important to understand that this threat targets the operating system. It is not about vulnerabilities in virtualization. … An interesting implication of the study is that operating systems that are already running in virtual machines are actually less vulnerable. … A bare-metal style virtualization system, such as VMware ESX Server, does not have a general-purpose host OS, and is not vulnerable to the same attack points as on Windows and Linux operating systems.

A lot of claims have been made at this point, with hype as well as scoffing about undetectable rootkits. I know that you can’t prove that something will never happen, but the computer scientists I talk to say this is very unlikely. The basic argument, most recently laid out by VMware’s own Keith Adams and collaborators, is that it’s easy to detect that you’re inside a virtual machine, and in fact it’s much easier to detect a hypervisor than to hide one. The disparity is so great that this isn’t the same cat-and-mouse game that is being played with current malware. Here the good guys always stay ahead.

Recent work on applications ranging from realistic honeypots to stealthier rootkits has speculated about building transparent VMMs – VMMs that are indistinguishable from native hardware, even to a dedicated adversary. We survey anomalies between real and virtual hardware and consider methods for detecting such anomalies, as well as possible countermeasures. We conclude that building a transparent VMM is fundamentally infeasible, as well as impractical from a performance and engineering standpoint.

Joanna Rutkowska, Blue Pill author, has now released a new version of Blue Pill as well as this blog post, wherein she claims that (and here I am paraphrasing in a slightly snarky way):

  • her real point is that a monolithic kernel like Windows Vista is always going to be vulnerable to some sort of attack (OK)
  • just detecting you’re on a hypervisor is different than detecting that you’re on an evil hypervisor (OK, but if you’re on a hypervisor, first of all, you’re now talking about vulnerabilities in ESX Server vs Windows, and eventually the hypervisor has to talk to the physical hardware and can be detected that way, as Thomas Ptacek explains here. Thomas seems to have taken the title of chief blue pill debunker along with colleagues Nate Lawson and Peter Ferrie.)
  • some theoretical methods of detecting a hypervisor don’t work so well in the real world, or at least in her hands (OK, I buy that as well — theory doesn’t always do well meeting reality; however, as Keith explains here, they are really defending themselves against a straw man, not a real detection method)
  • and if we have to resort to building Symantec anti-rootkit technology into a hypervisor we’ve failed as well. (And again, with no disrespect to the fine ladies and gentlemen of Symantec, I’ll agree with that too.)

OK, I’ve agreed with all of Joanna’s points, but I don’t think they’ve done much to convince me, the technical layman, that a completely undetectable rootkit is possible.

If you want to dive deep on this topic, don’t stop with misleading articles in the tech press. Go straight to the sources like this and this and this.

Fusion team blogs (updated)

VMware Fusion is now generally available. I’ll update this post with links to blogs and other quotes from the Fusion team as they come out.

Srinivas Krishnamurti on the Fusion release with some more background on packaging. Link: Elvis has left the building

While not quite Apple-esque, we felt that this was a clean look and conveyed the essence of our product. We all felt that black background was more appealing than other colors we considered. Perhaps the coolest and most unique part of this design is the front flaps that open in the middle on the front. After spending an entire Sunday afternoon at Best Buy, I realized most software boxes either have no flaps at all or have a flap that opens like a book. Boooring! We didn’t want to be just another box. We wanted to be proud of the box, just like we wanted to be proud of the software we have built. The VMware Fusion box has two front flaps that open down the middle – think of the monitor opening up down the middle. Each of the flaps has three screenshots showcasing the product while the middle of the box (once you open the flaps) has a detailed description of the product.

Later: Regis Duchesne talks a bit about the beginnings of the project:

In January 2006, I started porting the VMware hosted virtualization engine to Mac OS X by myself. I had never touched an Apple computer before.

A year and a half later, we have built a world-class team of Mac engineers, and on behalf of the team I’m happy to announce the general availability of VMware Fusion 1.0.

Later II: Ben Gertzfield is really excited as well:

For the first time in my life, I use my own software every day. And I love it. Pretty much everyone I know who’s played with it has told me how it’s become a part of their everyday life; as a software developer, those are the best words you could possibly hear.

What was really cool about creating Fusion was that the idea and implementation was completely driven by engineers from day one, and that VMware gave us humble coders the power to take it from proof-of-concept all the way to the svelte black box soon to be on the shelves at the Apple Store. Most companies treat software developers like Lego bricks: identical, fungible commodities to be placed wherever the product requirements demand them to be. But at VMware, engineers are given full leeway to design things right the first time, and that totally rules.

Later III: Shawn Morel on how the new UI was designed to be Mac-like:

I was the first UI developer to start working on what became Fusion along with a few senior devs hacking away on porting the virtualization platform and more devs joining us later in the effort to bring this product to market.

… We wanted to emphasize was that Fusion is not just a straight Workstation port. We re-designed (rather than re-wrote) from the ground up to meet the needs of Mac consumers. There was a lot that was written in a cross platform way that we were able to leverage. We could have even taken large parts of the GTK UI from Workstation on Linux and run that under X11 on OS X. We don’t think that would have been the optimal solution for our customers – we strongly believe that this is a different market segment. This was also a great opportunity to take a great product like Workstation and learn from the evolution it’s undergone over the years and start fresh; cut off some of the cruft, simplify and refine the user experience.

How do you like our new look?

Notice anything different around here? We’ve put up some new curtains and rearranged the furniture. The VMware website has been completely renovated. We hope you like it and find it useful.

Along with the new paint, notice that we’ve reorganized. The five main tabs along the top of the page now contain the major sections of the site.

VMware. This is the main section, with information on VMware, our products and services, and our partners. Here you can also learn more about virtualization in general.

Communities. This section gathers together the VMware Technology Network discussion forums as well as other communities where VMware, our customers, and our partners can all interact. Blogs are also in this section, both from VMware as well as the greater virtualization blogosphere.

Virtual Appliances Marketplace. The VAM finally gets its own tab. Learn more about virtual appliances, and then download any of the over 550 virtual appliances, including production-ready appliances for your virtual infrastructure.

Store. Purchase products and support as well as manage your account, licenses, and contracts.

Support. Everything you need to successfully deploy and manage your virtualization infrastructure, including documentation, the knowledge base, and tools to interact with our support organization.

Everything that was here should still be here, so please poke around a bit if we’ve moved a side table or lamp. If you notice problems or can’t find something, please use this website feedback form. That’s the most direct way of reaching the web team. Feel free to leave general comments, both positive and negative, here on this blog post.

Led by the web team, an entire swath of VMware has worked to make this happen, including corporate marketing, sales operations, IT applications, IT operations, and QA. We’re proud of the new site and we hope whatever you need is both easier to find and easier to use — and looks better as well.

– John on behalf of the team

p.s. If I can get her to stand still, next week I’ll try to get Sindy Braun, senior director of web marketing, to say a few words here on the blog about the design philosophies and motivations that went into the redesign.