VM-based Security Overkill: A Lament for Applied Systems Security Research (Position Paper, pre-proceedings version)

2010 
Virtualization has seen a rebirth for a wide variety of uses; in our field, systems security researchers routinely use it as a standard tool for providing isolation and introspection. The extent to which researchers use virtual machines has reached, if not a fever pitch, then a level of orthodoxy which makes it difficult for the collective wisdom to consider alternative approaches to protecting computation. We suggest that, in many scenarios, virtual machines do not provide a suitable tool or appropriate security properties. We analyze the use of virtual machines in the systems security space, we highlight other work that questions the current (ab)uses of virtualization, and we present a case study of an alternative design for protecting privileged computation against malicious computation (i.e., a rootkit). The takeaway message of this paper is that “self-protection” mechanisms still represent an interesting and viable path of research. At some point, hypervisors (or whatever the lowest layer of software, firmware, or programmable hardware is) must rely on detection and protection mechanisms embedded within themselves.