It is widely believed that running systems under a virtual machine monitor (VMM) is at least as secure as, if not more secure than, running them on separate systems. In reality, a single system running in a virtual machine can never be as secure as that same system running on its own dedicated physical hardware. If for no other reason, the security of the system in a virtual machine depends on the correct operation of both the operating system and the hypervisor software, while on a dedicated physical computer it depends only on the correct operation of the operating system. The VMM case always has more opportunity for exploitable security flaws. While many people view virtual machine monitors as something special and different, in reality they are just special-purpose operating systems. The major difference is that the API to a virtual machine monitor is the instruction set of the virtual machine, while the API to an operating system is a set of system calls that manipulate processes and file systems, perform I/O, etc. To the extent that a particular VMM uses paravirtualization, it begins to look more like a classical operating system than a VMM.