Wednesday, August 01, 2007

Hmm. That's not what I think I wrote...

I'm perplexed by this peculiar interpretation of our HotOS paper:

Security has been touted as one of the benign by-products of virtualisation – but according to a recent study, that’s no longer the case.

Huh? "Security" is a big concept, covering many possible applications. Our paper is just a tiny footnote in a complicated discusssion about the role of VMMs in providing security; in fact, to the extent we challenge conventional wisdom at all, we suggest that the purported security threat posed by VMM-based rootkits is non-existent. To get out the sock puppets: VMMs are always detectable, which is a good thing.

I think I see where the author got a bit tripped up reading our paper, though. Currently, there is a trend for malware to disable itself in the presence of VMMs. We argue that this trend cannot continue, not because VMMs are becoming undetectable, but because VMMs are becoming too ubiquitous for malware authors to ignore. Note that this current fad among malware authors of refusing to do dirty business in a VM is not an inherent security benefit of VMs!

A nice thought experiment when thinking about security applications of virtual machines is to replace "VM" with "laptop." Suppose, for the sake of argument, security researchers started building honeynets out of laptops, because it was more economical to do so. For a while, malware authors might decide to detect that they're running on a laptop, and refuse to do so, in order to thwart the security researchers. (Note, of course, that it's completely trivial for user-level software to figure out what sort of hardware platform it's running on; this information is intentionally, usefully exposed by, e.g., /proc nodes in Linux, or the \Device directory on NT, etc.). The answer to this situation is not to attempt to cloak the laptop-iness of the hardware platform, though; attempting to do so is a bottomless pit of wasted effort. Instead, we simply observe that there are a lot of laptops out there, and figure that, in the long run, malware that refuses to run on laptops will be giving up too many targets to represent a Nash equilibrium for the black hats.

Honestly, though, I'm not that happy with the paper. We're telling a complicated story, and I'm not sure we tell it clearly enough. Even if Manek Dubash's misinterpretation were intentional*, the fact that it the paper can even be plausibly distorted to read the way he suggests means that, at some basic level, we've failed. Good technical writing is hard.

* Purely speculating, here. I'm not casting aspersions on anyone's intentions; an honest misunderstanding is, sadly, possible.

4 Comments:

Blogger Philip Levis said...

Hey, glad to hear you had a HotOS paper. I liked your ASPLOS one. Cool that you're a dad. Came across your blog trying to find your ASPLOS paper to argue that saying "Lower is better" in a figure legend (when appropriate) is a good idea.

1:09 PM  
Blogger Casey said...

This comment has been removed by a blog administrator.

7:59 PM  
Blogger Manek Dubash said...

Keith - I've just come across your comment. If I got it wrong, it not intentional. But apologies anyway for the mis-interpretation. In my feeble defence I'd say only that you had (presumably) days or even weeks to write your paper while I had probably about 30 minutes to absorb and retransmit. I'll take another look.
Manek

3:33 PM  
Blogger Keith Adams said...

Manek,

I was wrong to imply that you might have been intentionally distorting the paper. It's in the nature of journalism that you have to quickly digest primary sources and "play expert" for your audience. To the extent that our message was uninterpretable, it's our fault as authors.

Best,
Keith

8:46 AM  

Post a Comment

<< Home