VMware's secret security plan revealed

Imagine a whitelist-checker running in the safety of the hypervisor kernel and monitoring VMs in real time

VMware has shown off a working prototype of “Project Goldilocks”, its long-hinted-at plan to develop a new approach to security.

The new idea is inspired by the NSX network virtualisation product's ability to create network “microsegments”, isolated virtual networks walled off from the rest of the network in a “least privilege environment” that only permits communications set in policies. Microsegmentation's popularity has taken VMware by surprise, but users like the way it lets them create virtual networks that just can't get to the outside world as restricted comms means that even if malfeasants get in, they struggle to get out. And because microsegments are virtual, they can be snuffed out while attackers are inside.

VMware's security plan riffs on microsegmentation and brings its concepts to securing compute and data.

The idea is explained in this video of a VMworld session* delivered by Tom Corn, VMware's senior veep for security products. In the hour-long talk, Corn offered the opinion that endpoint security has scarcely advanced in recent years, or even decades. While endpoint security stood still, Corn says, everything else has become vastly more complex, which means current approaches to security struggle to cope. Some policies are simple – web servers don't need to talk to storage – but implementing that policy when apps cross the data centre perimeter to reach other resources creates immense complexity. Corn said this complexity means firewalls can sometimes be asked to run 23,000 rules.

Project Goldilocks calls for applications to instead be given a “birth certificate” when they are in their gold state. That certificate should include all permissible behaviour for that application, detailing the expected executables, network infrastructure the app will touch, the ports it will use to reach that network and anything else that describes the application's state.

VMware then proposes to monitor all of those expected behaviours from within the hypervisor kernel, a location chosen because it is a different trust domain to the host or guest VMs. Corn said it's hard to detect wrongdoers, and harder to stop them, from the same trust domain as an attacker.

From its just-right vantage point in the hypervisor kernel, Goldilocks will monitor what Corn called a “manifest” of all expected VMs' “birth certificates” and provide “attestation services” that monitor the guest OS kernel, processes and communications. If the VM displays behaviour not explained in the manifest, up goes a red flag!
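A minimal sketch of the manifest check described above, added here as an illustration and not VMware's code. The event format, field names, VM names, addresses and hashes are all constructed assumptions, and the real monitor sits in the hypervisor kernel rather than in a Python script.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class BirthCertificate:
    """Behaviour recorded while the application is in its gold state."""
    executables: dict  # path -> SHA-256 of the gold binary
    flows: tuple       # allowed (destination CIDR, protocol, port)

    def check(self, ev):
        """Return why `ev` is not explained by this certificate, or None."""
        if ev["type"] == "exec":
            gold = self.executables.get(ev["path"])
            if gold is None:
                return f"unexpected executable {ev['path']}"
            return None if gold == ev["sha256"] else f"{ev['path']} differs from gold state"
        if ev["type"] == "connect":
            dst = ipaddress.ip_address(ev["dst"])
            for cidr, proto, port in self.flows:
                if dst in ipaddress.ip_network(cidr) and (proto, port) == (ev["proto"], ev["port"]):
                    return None
            return f"unexpected flow {ev['proto']}/{ev['dst']}:{ev['port']}"
        return f"unrecognised event type {ev['type']}"  # default deny

def attest(manifest, events):
    """Compare observed events with the manifest; return (vm, reason) alerts."""
    alerts = []
    for ev in events:
        cert = manifest.get(ev["vm"])
        reason = cert.check(ev) if cert is not None else "VM has no birth certificate"
        if reason:
            alerts.append((ev["vm"], reason))
    return alerts

# Constructed sample data: a web server that may reach the app tier only,
# so a connection to the storage network is flagged.
MANIFEST = {"web-01": BirthCertificate(
    executables={"/usr/sbin/nginx": "a" * 64},
    flows=(("10.0.20.0/24", "tcp", 8443),))}
EVENTS = [
    {"vm": "web-01", "type": "exec", "path": "/usr/sbin/nginx", "sha256": "a" * 64},
    {"vm": "web-01", "type": "connect", "dst": "10.0.20.7", "proto": "tcp", "port": 8443},
    {"vm": "web-01", "type": "connect", "dst": "10.0.30.5", "proto": "tcp", "port": 2049},
    {"vm": "web-01", "type": "exec", "path": "/usr/sbin/nginx", "sha256": "b" * 64},
    {"vm": "web-01", "type": "exec", "path": "/tmp/x", "sha256": "c" * 64},
    {"vm": "db-09", "type": "connect", "dst": "10.0.20.7", "proto": "tcp", "port": 8443},
]
for vm, reason in attest(MANIFEST, EVENTS):
    print(f"ALERT {vm}: {reason}")
```

The check is default-deny: a VM without a certificate and an event type the certificate does not describe both raise an alert rather than passing silently.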

Here's how the console reporting on VMs looks in the Goldilocks demo.

[Image: VMware Project Goldilocks console]

And here's a close-up of the reporting it produces.

[Image: VMware Project Goldilocks reports]

And here's what happens next: once sysadmins or folks in the security operations centre receive alerts about unexpected behaviour, they'll get options to quarantine, harden, or otherwise intervene in a VM's operations.

[Image: VMware Project Goldilocks actions]

Corn also said VMware hopes to apply a similar approach to data, again planning to describe data and its expected uses and destinations before enforcing policy about how to encrypt or otherwise protect it when passing over networks that have the potential to be compromised.

When you've got a hammer ...

When you have a hammer, the old saying goes, everything looks like a nail. And it's often been observed that to VMware any problem looks like it can be knocked into shape with virtualisation.

Yet Corn's ideas are interesting because most of today's computing infrastructure was built to be open and then secured afterwards. Hypervisors were designed to offer a more constrained environment. So maybe VMware is on to something here.

One thing Corn did not mention is when Goldilocks might become a product. But the video depicts real code running live, so clearly VMware is a fair way down the road towards having something to sell. We'll try to figure out what's on the way and when. ®

* A session that coincided with a Michael Dell press conference, wasn't repeated at VMworld and has only just appeared online in the last few days. Apologies also for fuzzy screen grabs, which are an artefact of the video quality on offer.
