Virtual operating systems have been used to provide security for computers by dividing computers into separate operational zones. By isolating processes in different zones within a computer system, a system, process, attacking user, etc. that obtains root access in one zone cannot in theory affect or even know about processes running in other zones in the computer. The “Solaris™ Zones” feature of the Solaris™ 10 operating system available from Sun Microsystems™ is an example of this approach. EMC™ Corporation's VMWare™ and other virtualization tools are further examples of technology for dividing a single computer into two or more virtual machines.
FIG. 1 illustrates a computer system on which a single instance of an operating system (OS) is running. In the example shown, four processes are running under the control of OS 100: process 102, process 104, process 106, and process 108. The security problem is that a process might gain root access with respect to OS 100 and then be able to affect all processes and resources associated with OS 100.
FIG. 2 illustrates a computer system with multiple zones. In the example shown, each of four zones has an instance of an operating system (OS) associated with it. In some implementations, each zone may be a virtualized runtime environment provided while running a single instance of the OS on the computer system, rather than literally running a separate instance of the OS for each zone. Under the control of OS (Zone 0) 200, self-contained subzones are defined. In the example shown, three virtual operating systems are running under the control of OS (Zone 0) 200: OS (Zone 1) 202, OS (Zone 2) 210, and OS (Zone 3) 206. Within each zone, one or more processes associated with the zone run under the control of the OS instance associated with that zone. In the example shown, process 204 is running under the control of OS (Zone 1) 202, process 212 is running under the control of OS (Zone 2) 210, and process 208 is running under the control of OS (Zone 3) 206. In the example shown, a single process is running within each zone, but more or fewer processes may be running within a zone at any given time. Within each virtual OS, the system appears to be a separate and entire computer system having its own IP address, network stack, file system, etc. If an unauthorized user uses a process operating in a given zone to gain root privileges in that zone, then although the unauthorized user can control other processes in that zone and resources associated with that zone, at least in theory the attacker would not be able to use root privileges obtained in one zone (other than the global zone, Zone 0 in the example shown in FIG. 2) to affect processes, access resources, and/or otherwise create mischief in other zones. For example, a user could configure the system shown in FIG. 2 to run a database in Zone 1, an application server in Zone 2, and a web server in Zone 3.
If a process in Zone 3, e.g., one associated with activities of an attacker connecting via the Internet to the web server running in Zone 3, breaches security and gains root access, then there is at least in theory no way for that process to gain access to or control over the database running in Zone 1 and/or the application server running in Zone 2.
Even though in theory activities in a zone will be contained within that zone, there is a need to be able to detect any breakouts from a given virtual operating system, or zone, in order to assure security for the computer system.
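The following is an added example, not part of this document and not the detection method it goes on to disclose. It is a hypothetical global-zone policy check written against the deployment sketched above (database in Zone 1, application server in Zone 2, web server in Zone 3, global zone reserved for system daemons). It consumes the kind of listing the global zone can obtain with `ps -eo zone,pid,ppid,user,comm`; the sample listing, the zone names `zone1`/`zone2`/`zone3`, the expected commands per zone, and the assumption that each zone's first process is reported as `zsched` are all constructed for the example. A root shell inside Zone 3 is reported as zone-local (the containment model tolerates it), while a process that appears in the global zone, or whose parent lives in a different zone, is reported as a possible breakout.

```python
"""Hypothetical zone-membership policy check (added example; not the patent's method).

Input is a global-zone process listing in the shape produced by
`ps -eo zone,pid,ppid,user,comm`. All zone names, commands and the sample
listing below are constructed for illustration.
"""
from collections import namedtuple

Proc = namedtuple("Proc", "zone pid ppid user comm")

# Constructed sample listing. The last two rows model a web-server child
# in Zone 3 spawning a root shell (zone-local compromise) and a global-zone
# shell whose parent is that Zone 3 process (a breakout indicator).
SAMPLE_PS = """\
   ZONE   PID  PPID     USER COMMAND
 global     1     0     root /sbin/init
 global   101     1     root /usr/lib/inet/inetd
 global   120     1     root zoneadmd
  zone1  2000     1     root zsched
  zone1  2001  2000    mysql /usr/sbin/mysqld
  zone2  3000     1     root zsched
  zone2  3001  3000   appsrv java
  zone3  4000     1     root zsched
  zone3  4001  4000 webservd /usr/apache2/bin/httpd
  zone3  4002  4001 webservd /usr/apache2/bin/httpd
  zone3  4010  4002     root /bin/sh
 global  5006  4010     root /bin/sh
"""

# Assumed deployment policy: which commands each zone is allowed to run.
EXPECTED = {
    "global": {"/sbin/init", "/usr/lib/inet/inetd", "zoneadmd"},
    "zone1": {"zsched", "/usr/sbin/mysqld"},
    "zone2": {"zsched", "java"},
    "zone3": {"zsched", "/usr/apache2/bin/httpd"},
}

# Assumption: a zone's first process is named zsched and is legitimately
# parented from the global zone, so that one cross-zone link is expected.
ZONE_BOOTSTRAP = "zsched"


def parse_ps(text):
    """Parse a `ps -eo zone,pid,ppid,user,comm` listing; header and blank lines are skipped."""
    procs = []
    for line in text.splitlines():
        fields = line.split(None, 4)  # command is the last field and may contain spaces
        if len(fields) != 5 or not fields[1].isdigit():
            continue
        zone, pid, ppid, user, comm = fields
        procs.append(Proc(zone, int(pid), int(ppid), user, comm))
    return procs


def check_zones(procs, expected=EXPECTED):
    """Return (severity, rule, pid, detail) findings.

    severity is "zone-local" for an unexpected command inside a non-global
    zone and "breakout" for anything that crosses a zone boundary.
    """
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if p.zone not in expected:
            findings.append(("breakout", "unknown_zone", p.pid,
                             f"zone {p.zone!r} is not a configured zone"))
            continue
        if p.comm not in expected[p.zone]:
            severity = "breakout" if p.zone == "global" else "zone-local"
            findings.append((severity, "unexpected_command", p.pid,
                             f"{p.comm} run by {p.user} in {p.zone}"))
        parent = by_pid.get(p.ppid)
        if parent is not None and parent.zone != p.zone and p.comm != ZONE_BOOTSTRAP:
            findings.append(("breakout", "cross_zone_parent", p.pid,
                             f"{p.zone} process is a child of pid {p.ppid} in {parent.zone}"))
    return findings


if __name__ == "__main__":
    for severity, rule, pid, detail in check_zones(parse_ps(SAMPLE_PS)):
        print(f"{severity:10s} {rule:20s} pid={pid:<6d} {detail}")
```

The check is deliberately coarse: it only sees what the global zone's process table reports, so it must run in the global zone, and a breakout that never leaves a cross-zone parent link or an unexpected command (for example, one that tampers with another zone's files directly) would not show up here. The point of running it is the distinction the text draws: root obtained inside Zone 3 is an expected outcome of a web-server compromise, whereas any trace of that compromise in the global zone or in Zones 1 or 2 is the event that needs detecting.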