Security is a major area of concern for any organization deploying a virtual environment. The introduction of VMs has created security considerations unheard of just a few years ago. This report provides insight into managing these new risks, and shows how Booz Allen’s expertise helps organizations develop comprehensive and secure virtualization solutions that comply with federal security standards.
IT Security Risk Mitigation Report: Virtualization Security

by
Wilson Leung, leung_wilson@bah.com
Nima Khamooshi, khamooshi_nima@bah.com
Theodore Winograd, winograd_theodore@bah.com
Abstract

Virtualization is the act of emulating individual computer systems within a single physical host system. Organizations have typically relied on the physical separation of servers (e.g., a separate machine for e-mail, one for Web services, and another for the Domain Name Server [DNS]) to prevent a single server's compromise from directly contributing to the subsequent compromise of other systems or network services within the enterprise. Although this practice has proven security benefits, it also adds a number of costs and obstacles to the information technology (IT) infrastructure. With the introduction of virtualization, organizations can now leverage processing power that would otherwise sit idle by deploying a separate virtual machine (VM) for each network service on one physical host while maintaining a level of separation between distinct servers. Although VM deployment has its own security risks (e.g., increased availability risk, because the host becomes a single point of failure for every VM it carries), organizations have achieved practical benefits from virtualization. Cloud computing takes virtualization to the next step. It allows multiple organizations to deploy all of their individual VMs on the same virtualization platform (e.g., one or more physical hosts) and leverage their hardware in previously impossible ways.

Today's organizations are increasingly taking advantage of various forms of virtualization to leverage new capabilities, ranging from server consolidation and enhanced recovery to more secure computing operations through support of virtual networks and "sandboxing." Because of its ability to enable a single physical platform to host multiple isolated and unique computing environments, virtualization has emerged as a key technology for supporting cloud computing delivery models, such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

Although virtualization has many benefits, it introduces a number of risks into the enterprise—caused in part by the increased complexity brought by the virtualized environment management software (the "hypervisor") and other new computing paradigms. For example, the hypervisor, which is the software that mediates all interaction between the VMs and the physical host, serves as the only separation between different VMs on a single host while maintaining communication channels to the individual VMs (see Figure 1). A successful attack on one of these communication channels can compromise the VM itself, and a successful attack on the hypervisor compromises every VM it hosts. Similarly, virtualization's support for server imaging increases the likelihood that a malicious agent can copy and send an image of an organizational system to a remote site for testing and analysis; it also enables the introduction of potentially malicious VM modifications while the VMs are at rest. This paper identifies the most prevalent risks of virtualization and describes selected countermeasures that are available to mitigate these risks.

Introduction

Virtualization decouples the operating system (OS) from the physical hardware platform and the applications that run on it. As a result, organizations can achieve greater IT resource utilization and flexibility. Virtualization allows multiple virtual machines (VM), often with heterogeneous OSs, to run in isolation side by side on the same physical machine. Each VM has its own set of virtual hardware upon which the OS and applications are loaded.

Figure 1 | Virtualization Overview (diagram: one host OS running three guest OSs)
Virtualization has been gaining immense popularity with both IT professionals and executives because it represents an approach to data center consolidation, improved asset utilization, and improved control over systems and other IT assets. However, virtualization has actually been around for more than three decades in one form or another, maturing this past decade. Once only accessible to the large enterprise, virtualization technologies are now available for virtually every aspect of computing, including hardware, software, and communications.

Although organizations can realize many benefits as they adopt and implement virtualization solutions, threats and risks are associated with these solutions. In the following sections, we address virtualization security benefits, threats to virtualized environments, attack vectors and security considerations, and attacker VM detection methods.

Virtualization Security Benefits

Virtualization is not just a compelling solution for server consolidation. It is becoming an important security infrastructure element for security managers. Virtualization provides a wide range of security benefits spanning key items, such as environment "sandboxing," data recovery, malware/forensic analysis, virtual machine introspection (VMI), and virtual machine live migration (VMLM).1

Environment Sandboxing

A sandbox is a security mechanism for separating running programs. It is often used to execute and validate the operation of new or untested code or untrusted programs from unverified third parties, suppliers, and untrusted users. It offers a monitored and controlled environment so the unknown software cannot harm the real hosting computer system. Sandboxing is achievable either by blocking some critical operations or by implementing a complete virtual environment, wherein the processor, memory, and file system are simulated and the real system is inaccessible to the tested application. Virtualization is effective at providing a tightly controlled set of resources for guest programs to run in, such as scratch space on disk and in memory. Network access, the ability to inspect the host system, and the ability to read from input devices are often disallowed or heavily restricted. The isolation is only as strong as the hypervisor that provides it, which is why the VMEscape and VMDetection risks discussed later matter for a sandbox just as much as for a production host.

Continuity of Operations and Data Recovery

Business continuity of operations (COOP) and disaster recovery (DR) initiatives have gained recognition over the past few years. Customer demand and federal regulations, including civil and Department of Defense (DoD) regulations, have helped accelerate these efforts and give them the attention they have needed for some time. Virtualization is an ideal platform for most cases of data recovery because it eliminates the need to purchase an excessive amount of equipment. Most vendors of backup/recovery products support the restoration of operational systems and applications from physical servers to virtual servers.

Traditional recovery plans are often difficult to test and keep up to date, and they depend on exact execution of complex and often manual processes. They also require duplicating either the entire production infrastructure or its major or key portions—which, for reasons of surety, often equates to the total system. Although many organizations deploy total failover sites, smaller organizations may benefit from using a virtualized environment because more compact virtualized systems can be used for failover/backup and recovery purposes. Recovery testing is simpler because it allows for the execution of potentially disruptive tests using existing resources. Larger organizations may also benefit from virtualization by increasing the number of tests without straining the organization with a full system-wide test of recovery procedures. Hardware independence reduces the complexity of recovery site maintenance by eliminating failures caused by hardware differences.

Another area that increases costs and complexity in any organization is the deployment of standby and failover servers to maintain system availability during times of planned or unplanned outages. Although capable of hosting the targeted workloads, such equipment remains idle between those outages and in some cases is never used at all. Thus, the expense provides primarily psychological, emergency, and obligatory compliance value but little to no operational value to the organization. Virtualization helps solve this problem by allowing just-in-time or on-demand provisioning of additional VMs as needed. A VM that has been built and configured can be put into an inactive state, ready to be activated when a failure occurs. When needed, the VM becomes active without hardware procurement, installation, or configuration. In addition, modern virtualization solutions provide mechanisms for ensuring trans-system synchronization, or VMLM, when performing hot-swapping or failover across multiple VMs. Unlike a physical system, hypervisors can communicate the state of VMs' internal memory across the network—ensuring two VMs are running in the identical configuration at the time of failover and thereby simplifying previously complex and sometimes unwieldy system synchronization for failover or hot-spare activation. That memory state crosses the network in the clear unless the migration channel is protected, a point taken up under VM State below.

Malware Analysis and Defeat

As computers became more sophisticated, so did the malware problem. Workgroup networks were affected by viruses that could infect not only local (server, node, or workstation) files but also the files of other users in the network. Malware researchers need a way to truly see what malware does to a server or a host in the workgroup network to have any hope of finding a way to prevent and recover from malware infections. Virtualization can be used to quarantine malware in a controlled environment where it can be studied, observed, tested, and eventually defeated and eradicated, and future instances can be prevented. Figure 2 illustrates the traditional malware infection cycle. Using virtualization, the user's machine in Step 5 can be controlled and monitored to understand the malware itself while simultaneously preventing the compromised system from launching further attacks.

Figure 2 | A Sample Malware Infection
1. Hacker inserts a malicious URL into a good Web site.
2. Web user visits the good Web site.
3. User is redirected to the bad Web site.
4. Bad site sends an obfuscated exploit for a vulnerability on the end user's system.
5. Malware is installed without the user noticing.
6. Malware sends private data to the hacker.

"Trusted" Application Test and Deployment

Most organizations do not have spare IT assets or the time to provision an application that is not associated with an approved project. As a result, most of the "proof of concept" applications and systems are either set up on inadequate equipment, such as desktops, or not established at all. This situation presents a significant risk if and when applications go to "production" status without appropriate testing. Virtualization helps resolve such problems.

Rapid provisioning with minimal additional hardware investment, safety, security, and reliability are the computing environment qualities needed to quickly build a proof-of-concept environment. If the proof of concept is successful, the VM application can be efficiently and effectively migrated from the test infrastructure to the production virtual infrastructure without additional cost. In addition, virtualization enables companies to streamline their software and/or system life-cycle development model. From development and testing through integration, staging, deployment, and management, virtualization offers a comprehensive framework for virtual software life-cycle automation that streamlines these adjacent yet sometimes disconnected processes and simultaneously closes the loops between them. By pushing a staged configuration into production after successful testing, virtualization can minimize errors associated with incorrect deployment and configuration of the production environment.

1 In the following discussions, references are made to commercial products as examples of current tools. No endorsement is intended.
Virtual Machine Introspection

The recent development of virtualization products has led to the evolution of VMI techniques and tools to monitor VM operations and behavior. VMI tools inspect a VM from the outside to assess what is happening on the inside, making it possible for security tools, such as virus scanners and intrusion detection and prevention systems (IDPS), to observe and respond to VM events from a "safe" location outside the monitored machine. A major advantage of VMI is knowledge capture of context and environment, which is critical to proper event interpretation. VMI allows event replay, so the analyst can choose whether analysis is performed in real time as the target system executes or at a later time under the analyst's control.

Threats to the Virtualized Network Environment

Virtualization in a network environment complicates the enterprise's security needs. The standard threats and attacks to the enterprise infrastructure remain, and the introduction of the virtualization software simultaneously increases the attack surface. This situation creates a significant need to harden and secure the virtualization system and protect against the standard attack channels.

The virtualization software itself is of particular concern. If an attacker can gain access to a virtualized environment, the attacker can potentially escape the VM and move up the chain to the virtualization host. Because this host runs, monitors, and administers the guest OSs contained under its purview, the host can be a jumping-off point for additional system access by an attacker. In an environment where a single host can have numerous guest OSs running mission-critical network services, the problem is clear. If an attacker can gain access to the host, then it is an easy task for the attacker to gain access to the virtual guests controlled by that host.

As mentioned earlier, the standard computing attacks are still present in the virtual environment. A system administrator must apply security patches, updates, service packs, hotfixes, etc., to secure and protect the OS against malicious attacks. The administrator must also ensure that any software installed on the VM (e.g., web server software or other client-side software) is up to date. Likewise, the system developers must use high-quality coding practices to ensure the system is not vulnerable to other forms of attacks, such as Structured Query Language (SQL) injection attacks wherein a hacker submits malicious SQL code into an online web application.

The need to update the software installed on the host itself is a result of the increasing trend in client-side software attacks. Administrators should also address direct attacks against services, such as Domain Name Server (DNS), Dynamic Host Configuration Protocol (DHCP), Active Directory, etc. As with any system, system administrators must ensure they have fully secured the system and all of its applications to provide the best protection profile.

Although many of the standard attacks apply to any system—virtual or physical—virtualization-specific considerations also exist. Many of these virtualization-specific attacks take advantage of the specific nature of the virtual environment and are not exploitable in non-virtualized systems. These attacks are known in the IT community as VMEscape, VMchat, VMcat, VMdrag-n-hack, VMdrag-n-sploit, and VMftp.2

VMEscape

One of the most critical attacks on the virtualization environment is the potential for a VM "escape." In this attack, a malicious actor gains access to a VM guest OS using one of the standard threats mentioned earlier. Once the hacker has access, he or she escapes the VM guest OS to gain access to the host OS. As previously mentioned, the host has direct access to all guest OSs. By taking over the host, a hacker has increased potential to negatively affect all VMs managed under that host. Figure 3 illustrates a successful VMEscape attack.3

Figure 3 | VMEscape (diagram: an attacker breaks out of one of three guest OSs into the host OS that controls them all)

2 These names are based on the presentation from IntelGuardians at SANSFire 2007, which is referenced in the following web pages: http://www.cutawaysecurity.com/blog/archives/170 and http://www.foolmoon.net/cgibin/blog/index.cgi?mode=viewone&blog=1185593255/, accessed June 15, 2009.
3 Joab Jackson, Government Computer News, "VMware vulnerability allows users to escape virtual environment," http://gcn.com/articles/2008/02/28/vmware-vulnerability-allows-users-to-escape-virtual-environment.aspx, accessed June 15, 2009.
VMchat

One of the benefits of utilizing virtualization in a network is the ability to separate machines logically, thereby placing each OS into its own separate sandbox free from external inputs. However, utilities like VMchat raise certain issues. VMchat is a demonstration utility from the presentation cited above that lets a user send instant messages (IM) between VMs through the shared memory the hypervisor exposes to its guests (see Figure 4). Such a function would give system administrators the ability to communicate service interruptions or other administrative issues to pertinent staff. The problem, however, lies in the potential for a malicious actor to take advantage of this shared memory space and inject a malicious Dynamic-Link Library (DLL) into memory. When a hacker does this, he or she has effectively bridged the sandboxed memory space of each VM.

Figure 4 | Memory in a Virtual Environment (diagram: a host OS and a guest OS both attached to one shared memory region)

VMcat

VMcat is a netcat equivalent for the virtualized environment. Netcat is popularly known as the hacker's "Swiss Army Knife."4 It allows a plethora of capabilities, including port scanning, file transfer, IM/chat, and command shell sending. Netcat is a hacker's tool of choice because of its numerous capabilities and small file size. The problems with VMcat are apparent. A system with VMcat installed can facilitate the exfiltration of files and data in the same way hackers use netcat, but over the hypervisor's shared memory rather than the network, so network monitoring never sees the transfer. VMcat also supports secondary attacks and OS fingerprinting, thereby increasing its threat capabilities once installed.

VMdrag-n-hack

VMdrag-n-hack is an exploit where an attacker attempts to take advantage of an unsuspecting system administrator's ability to drag and drop files between VMs. As the administrator drags a file between the two systems, he or she is unknowingly executing malicious code. An attacker can determine the area of memory that is read and written to as the administrator moves the file between systems (see Figure 4). Because of this, the attacker can inject malicious code into memory that the secondary system will read, thereby creating a hidden communication channel between the two systems.

VMdrag-n-sploit

VMdrag-n-sploit works very similarly to the VMdrag-n-hack attack. In this attack, the malicious actor takes advantage of a user with system access who drags and drops a file between two VMs. When the innocent party performs this task, he or she unknowingly executes the VMdrag-n-sploit file in memory, which in turn executes on both of the VMs. The VMdrag-n-sploit file provides the functionality to carry out VMchat or VMcat attacks.

VMftp

As seen with the other utilities, VMftp opens up yet another channel for communication between VMs. VMftp provides the ability to send files between VMs quickly and easily. It operates in much the same way as a traditional File Transfer Protocol (FTP) system. It presents problems because it can potentially allow a malicious actor to exfiltrate any file, as well as take advantage of the shared memory space issues described above.

Security Considerations

Although virtualization offers a number of benefits to organizations, like any new technology, virtualization increases the attack surface of systems within an organization. In many cases, the risks associated with virtualization can be mitigated effectively; however, it is important to fully understand these risks before introducing virtualization into an organization's infrastructure. This section describes these risks, along with the countermeasures organizations may put in place to mitigate each of them.

In general, the mitigation strategies for virtualization-related risks are very similar to the defense-in-depth strategies employed in any IT environment. Specifically, organizations should expand their security patching programs to include the hypervisor, the host system, and all VMs used in the organization. In the past, this wide coverage may have been difficult, but modern hypervisors provide capabilities for patching VMs even when they are offline, removing the need for organizations to launch all VMs to deploy security patches. Dormant VMs and templates deserve particular attention, because a VM that was powered off during a patch cycle comes back with exactly the vulnerabilities it had when it was suspended.

Organizations should also ensure their hypervisors are configured and deployed using least privilege: the administrators and permissions on the hypervisor should have privileges no higher than necessary to complete their functions. In some instances, least privilege may extend to hosting different categories of VMs on separate physical hypervisors to prevent attacks against a single hypervisor from affecting the entire virtual infrastructure. In addition, organizations may take advantage of guidance for hardening hypervisors provided by virtualization vendors and other organizations (e.g., Center for Internet Security, Defense Information Systems Agency).

VMEscape

One of the most discussed attack vectors in virtualization security is the concept of VMEscape. VMEscape entails breaking out of the VM and directly interacting with the hypervisor or host. There are only a few instances of successful VMEscape occurrences. One of the most detailed writeups on this topic was published in 2007 by Google's Tavis Ormandy.5 In his paper, Ormandy developed tools to perform fuzzing attacks (i.e., sending malformed or random data to the emulated devices the hypervisor exposes to the guest in order to assess their robustness). He identified several vulnerabilities that could potentially lead to a successful VMEscape.

VMEscape has been highlighted as one of the most dangerous attacks an organization deploying virtualization can face. To address this risk, virtualization vendors have begun developing "thin" hypervisors, with the goal of reducing the size of the code base and reducing the likelihood of exploitable defects.

VMDetection

With the advent of security researchers using virtualization to monitor malware, malware authors and attackers have begun performing detection routines to determine whether or not they are running in a virtualization sandbox. Although most organizations may not explicitly deploy virtualization in this manner, intrusion detection systems are increasingly offering sandboxing as an effective tool for detecting zero-day exploits in an organization.

In their presentation On the Cutting Edge: Thwarting Virtual Machine Detection,6 Tom Liston and Ed Skoudis identify a number of techniques malware uses to determine whether it is running in a virtual sandbox:

• Artifacts in processes, the file system, or registry
• Artifacts in memory
• Hardware that describes itself as provided by a virtualization vendor
• Artifacts in the instruction set architecture (ISA) that are accepted only by hypervisors.

In light of these techniques, some virtualization vendors aim to reduce the number of "fingerprints" provided by their virtualization software. Using the virtualization extensions to the x86-64 instruction set, it is becoming increasingly difficult for malware to determine whether or not it is running in a VM. Unless the hypervisor deliberately masks them, however, two fingerprints remain cheap to read from inside a guest: the hypervisor-present bit and vendor signature that the CPUID instruction reports, and the vendor-assigned prefixes of the virtual network adapters' MAC addresses. Although malware's ability to determine whether or not it is running in a virtual environment is becoming less of a concern (especially with the rise of Cloud services leveraging virtualization), the difficulty of determining which specific hypervisor, at which patch level, is controlling a VM makes deploying effective malicious attacks against the hypervisor even harder—adding to an organization's defense-in-depth posture.

Communication Channels

Virtualization increases the number of communication channels in a computing environment. These channels can range from virtual switches, networks, and firewalls to communication paths between VMs and the hypervisor. This section discusses these communication paths and mitigation strategies for securing them.

Virtual Switches and Networks

Virtual networking allows organizations to logically deploy their VMs in a manner consistent with the organization's physical network. Organizations may configure virtual local area networks (VLAN), take advantage of switched port analyzer (SPAN) ports, and integrate with any existing network management infrastructure. Key points to consider when deploying virtual networks include—

• Ensuring VMs in promiscuous mode (i.e., utilizing a network card configuration that makes the card pass all traffic it receives to the central processing unit rather than only packets addressed to it—a feature normally used for packet sniffing) can access the necessary network traffic; this is necessary when deploying an IDPS within a VM, and promiscuous mode should be permitted only on the virtual switch or port group that serves the sensor, because any VM attached to a segment that allows it can sniff its neighbors' traffic
• Ensuring the virtual network complies with appropriate policies and regulations regarding network security devices; some organizations may require an IDPS logically in front of each VM—an IDPS placed only in front of the virtual network as a whole never sees VM-to-VM traffic that stays on the virtual switch and may be insufficient
• Ensuring appropriate COOP procedures are in place; if an organization relies on the virtual network for its mission, a failure of the physical host may take down the entire virtual network
• Ensuring malicious activity within the network cannot leave the virtual network and affect external systems.

To support these activities, organizations should employ the same strategies they would in a physical network environment: taking full advantage of VLANs, firewalls, IDPS, and—when necessary—MAC locking. In most virtual environments, the virtual switches, routers, and firewalls behave in a manner similar to their physical counterparts—possibly with additional capabilities. In addition, organizations should include their virtual networks in all network architecture documentation and security risk assessments.

VM Introspection

VMI is a powerful tool. It allows organizations to deploy security solutions that cannot be compromised by rootkits or other malicious software within the VM. However, this functionality can introduce privacy concerns in certain organizations. Although the hypervisor has always had physical access to all components within a VM, VMI allows the hypervisor to actively monitor—and in some cases modify—the activities within the VM itself. This monitoring may be inconsistent with an organization's security and privacy policies. In addition, organizations offering Cloud services may need to explicitly state that they are performing VMI to ensure customers are fully aware that some level of monitoring is occurring.7

VMI tools can be configured to meet organizational policy. For example, some instances of VMI simply offer on-demand analysis of the processes running within the guest OS or the installed software; others may perform real-time anti-malware analysis of the running system. Software deployed within VMs may improve its level of security and privacy by ensuring its data is secure at rest and in transit—minimizing the possibility that the hypervisor may unintentionally store sensitive information outside of the VM.8

VM State

Because virtual machines exist as an abstraction on a hosted system, all state information is accessible to the host system. This means the Basic Input/Output System (BIOS) does not reside within read-only memory (ROM) as it does on traditional computing systems. Instead, the hypervisor emulates the BIOS. In addition, most virtual machines are represented as a set of files on the hard disk of the host OS, allowing any user with access to those files to view—and potentially modify—the VM, even when it is at rest. These files include the current state of system memory for the VM, the state of the VM hard disk, and information stored in central processing unit (CPU) registers—providing a wealth of information that may benefit a potential malicious user. Credentials, keys, and decrypted data that only ever exist in RAM on a physical server are written to disk when a VM is suspended or snapshotted.

Virtualization vendors offer solutions to mitigate the risks associated with VM files by limiting access to only the hypervisor and designated administrators. Organizations can also take advantage of disk encryption to ensure the VM—and any backups—cannot be viewed directly from the storage device (this is especially true for network-based storage). Organizations should also be aware that VM state information travels over the network whenever VMLM is implemented—requiring assurance that the state transfer across the network is protected in transit as well.

Hypervisor

When introducing virtualization into an organization, it is important to understand the various communication mechanisms between an individual VM and the hypervisor. Although some of these communication channels depend on the functionality deployed, the majority of these channels are in use and often required for the hypervisor to function properly. A number of these direct channels are implemented as extensions to the ISA as machine instructions, meaning they may be accessible to any application on the system. It is important to note that in most cases, applications in user mode will receive a general protection fault when attempting to access these interfaces. Some common functions include—

• Clipboard sharing—Where the hypervisor shares the contents of the OS clipboard between the guest OS and the host OS
• Memory management—Where the guest OS communicates with the host OS to coordinate the amount of physical memory in use by the guest
• Device management—For some devices (e.g., processor, graphics card, network interface card), the hypervisor mediates all communication between VMs and physical devices9
• Others—Depending on the vendor solution, additional communication channels exist; for example, with paravirtualization the guest kernel's privileged operations (e.g., page-table updates) are made as explicit hypercalls to the hypervisor rather than as privileged instructions the hypervisor must trap.

Because many of these interfaces are implemented as simple commands (e.g., as machine instructions), it is possible to minimize their accessibility to only those processes and applications on the VM that must have access to them. In addition, organizations deploying virtualization environments that do not need specific functionality (e.g., clipboard sharing) may simply disable the communication feature, preventing malicious users or software from taking advantage of it.

Conclusion

Virtualization security is a major area of concern for any organization deploying a virtual environment. As shown in this report, the introduction of VMs creates new and profound security considerations that were unheard of just a few years ago. Booz Allen is the one firm that can help clients solve their toughest IT security problems. Our experienced and proven staff works side by side with our clients, helping them achieve their missions every day. Our security experts have the experience and knowledge to help the Federal Government develop comprehensive and secure virtualization solutions. Booz Allen not only understands and implements the federal security standards that protect our homeland but also advises the policy organizations and contributes to thought leadership by helping them develop the policies on which those standards are created. Booz Allen is committed to delivering results that endure.

Acronyms

BIOS  Basic Input/Output System
COOP  Continuity of Operations
CPU  Central Processing Unit
DHCP  Dynamic Host Configuration Protocol
DLL  Dynamic-Link Library
DNS  Domain Name Server
DoD  Department of Defense
DR  Disaster Recovery
FTP  File Transfer Protocol
IaaS  Infrastructure as a Service
IDPS  Intrusion Detection and Prevention System
IM  Instant Message
ISA  Instruction Set Architecture
IT  Information Technology
OS  Operating System
PaaS  Platform as a Service
ROM  Read-Only Memory
SaaS  Software as a Service
SPAN  Switched Port Analyzer
SQL  Structured Query Language
VLAN  Virtual Local Area Network
VM  Virtual Machine
VMI  Virtual Machine Introspection
VMLM  Virtual Machine Live Migration

4 More information about Netcat is available at http://netcat.sourceforge.net.
5 Tavis Ormandy, An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments, http://taviso.decsystem.org/virtsec.pdf, accessed June 15, 2009.
6 Tom Liston and Ed Skoudis, On the Cutting Edge: Thwarting Virtual Machine Detection, http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf, accessed June 15, 2009.
7 This would be a part of the agreement between the user and the supplier in a services contract model.
8 It is important to note that these privacy concerns are an inherent aspect of virtualization. Any information stored within RAM or on the VM's hard disk may be accessible—often in plain text—through the host system's RAM or on its hard disk as a snapshot of the running VM.
9 Some devices (e.g., universal serial bus interface) have a channel-based architecture. With these devices, the hypervisor needs only to assign a specific channel to the VM and the majority of the interaction need not be mediated directly.
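The four artifact classes in the VMDetection list above, written out as a check a defender can run on a Linux guest. This is an added example prepared for this edit, not code from the report or from the Liston/Skoudis presentation. The DMI markers, MAC prefixes and guest-tools daemon names are the widely published ones for VMware, VirtualBox, QEMU/KVM, Hyper-V and Xen; the two sample inputs at the bottom are constructed; and the /sys and /proc paths are assumed only when collect_live() is called.

```python
"""Check for the virtualization artifacts listed under VMDetection.

Added example, not code from the report or the Liston/Skoudis talk. Each
check takes its input as a parameter so it runs offline on the constructed
samples below; collect_live() feeds it real values on a Linux host.
"""
import os
import re

# "Hardware that describes itself as provided by a virtualization vendor":
# substrings looked for in the DMI/SMBIOS strings under /sys/class/dmi/id.
DMI_VENDOR_MARKERS = {
    "vmware": "VMware", "virtualbox": "VirtualBox", "innotek": "VirtualBox",
    "qemu": "QEMU/KVM", "kvm": "QEMU/KVM", "virtual machine": "Hyper-V",
    "xen": "Xen", "parallels": "Parallels",
}
# Vendor-assigned MAC prefixes (OUIs) of virtual network adapters.
VIRTUAL_MAC_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V", "00:16:3e": "Xen",
    "52:54:00": "QEMU/KVM",
}
# "Artifacts in processes": daemons installed by the vendors' guest tools.
GUEST_TOOLS_PROCESSES = {
    "vmtoolsd": "VMware", "VBoxService": "VirtualBox", "VBoxClient": "VirtualBox",
    "qemu-ga": "QEMU/KVM", "hv_kvp_daemon": "Hyper-V", "hv_vss_daemon": "Hyper-V",
}

def check_dmi(strings):
    """Vendor named by any DMI string, or None (plain substring heuristic)."""
    for s in strings:
        for marker, vendor in DMI_VENDOR_MARKERS.items():
            if marker in s.lower():
                return vendor
    return None

def check_cpu_flags(cpuinfo_text):
    """ISA artifact: Linux lists 'hypervisor' among the /proc/cpuinfo flags
    when CPUID.1:ECX[31], the hypervisor-present bit, is set."""
    m = re.search(r"^flags\s*:\s*(.*)$", cpuinfo_text, re.MULTILINE)
    return bool(m) and "hypervisor" in m.group(1).split()

def check_macs(mac_addresses):
    """Vendor of the first MAC whose OUI belongs to a hypervisor, or None."""
    for mac in mac_addresses:
        oui = mac.lower().replace("-", ":")[:8]
        if oui in VIRTUAL_MAC_OUIS:
            return VIRTUAL_MAC_OUIS[oui]
    return None

def check_processes(process_names):
    """Vendor whose guest-tools daemon is running, or None."""
    for name in process_names:
        if name in GUEST_TOOLS_PROCESSES:
            return GUEST_TOOLS_PROCESSES[name]
    return None

def assess(dmi_strings, cpuinfo_text, macs, processes):
    """Combine the checks: returns (is_vm, list of evidence tags)."""
    evidence = []
    for tag, hit in (("dmi", check_dmi(dmi_strings)),
                     ("cpuid", "hypervisor-bit" if check_cpu_flags(cpuinfo_text) else None),
                     ("mac", check_macs(macs)),
                     ("process", check_processes(processes))):
        if hit:
            evidence.append(tag + ":" + hit)
    return bool(evidence), evidence

def _read(path):
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return ""

def _listdir(path):
    return os.listdir(path) if os.path.isdir(path) else []

def collect_live():
    """Gather the real artifacts on a Linux host; empty evidence elsewhere."""
    dmi = [_read("/sys/class/dmi/id/" + n).strip()
           for n in ("sys_vendor", "product_name", "board_vendor", "bios_vendor")]
    macs = [_read("/sys/class/net/%s/address" % i).strip() for i in _listdir("/sys/class/net")]
    procs = [_read("/proc/%s/comm" % p).strip() for p in _listdir("/proc") if p.isdigit()]
    return assess(dmi, _read("/proc/cpuinfo"), macs, procs)

# Constructed samples: what a typical VMware guest and a bare-metal server expose.
SAMPLE_VMWARE_GUEST = dict(
    dmi_strings=["VMware, Inc.", "VMware Virtual Platform", "Intel Corporation", "Phoenix Technologies LTD"],
    cpuinfo_text="processor\t: 0\nflags\t\t: fpu vme de pse sse sse2 hypervisor\n",
    macs=["00:0c:29:3a:1f:07"], processes=["systemd", "sshd", "vmtoolsd"])
SAMPLE_PHYSICAL_HOST = dict(
    dmi_strings=["Dell Inc.", "PowerEdge R740", "Dell Inc.", "Dell Inc."],
    cpuinfo_text="processor\t: 0\nflags\t\t: fpu vme de pse sse sse2\n",
    macs=["d4:be:d9:12:34:56"], processes=["systemd", "sshd"])

if __name__ == "__main__":
    print("sample guest:", assess(**SAMPLE_VMWARE_GUEST))
    print("this host:   ", collect_live())
```

Run it inside a VM and on bare metal and compare the evidence lists. The point for the VMDetection discussion is that the CPUID hypervisor bit and the MAC prefix survive even after vendor processes and DMI strings have been scrubbed, unless the hypervisor itself masks them; a sandbox meant to fool malware has to address all four classes, not just the easy ones.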
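Disabling the clipboard and drag-and-drop channels that VMchat and VMdrag-n-hack abuse, as the Hypervisor section recommends, comes down to a few lines in the VM's configuration. The audit below is an added example, not the report's or VMware's code. The four isolation.tools.* keys are the ones VMware's hardening guidance documents for these channels; the sample .vmx text is constructed; and treating a missing key as a finding is a deliberate choice, because the product default for these channels differs between VMware products, so the secure value should be set explicitly.

```python
"""Audit the guest-to-host channels a VMware .vmx file leaves enabled.

Added example, not from the report or from VMware. The keys below are the
documented isolation.tools.* settings that turn off clipboard sharing,
drag-and-drop, and the guest's ability to change those options.
"""
import re

# key -> value required for the channel to be disabled
HARDENED = {
    "isolation.tools.copy.disable": "TRUE",           # guest -> host clipboard
    "isolation.tools.paste.disable": "TRUE",          # host -> guest clipboard
    "isolation.tools.dnd.disable": "TRUE",            # drag-and-drop of files
    "isolation.tools.setGUIOptions.enable": "FALSE",  # guest may not re-enable the above
}

# key = "value"   (quotes optional, trailing # comment tolerated)
_LINE = re.compile(r'^\s*([\w.\-:]+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')

def parse_vmx(text):
    """Parse key = "value" lines into a dict. VMware treats keys as
    case-insensitive, so they are lower-cased; a later line overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings

def audit(text):
    """Return {key: 'ok' | 'missing' | 'permissive'} for each channel setting.
    'missing' means the product default applies, which differs between
    Workstation and ESXi releases, so the key should be set explicitly."""
    settings = parse_vmx(text)
    result = {}
    for key, wanted in HARDENED.items():
        actual = settings.get(key.lower())
        if actual is None:
            result[key] = "missing"
        elif actual.upper() == wanted:
            result[key] = "ok"
        else:
            result[key] = "permissive"
    return result

def hardened_lines(text):
    """The .vmx lines to append (later lines win) so every channel is disabled."""
    state = audit(text)
    return ['%s = "%s"' % (k, v) for k, v in HARDENED.items() if state[k] != "ok"]

# Constructed sample: a VM whose admin disabled paste but left the rest open.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "web-01"
isolation.tools.copy.disable = "FALSE"
isolation.tools.paste.disable = "TRUE"
isolation.tools.dnd.disable = "false"
"""

if __name__ == "__main__":
    for key, state in audit(SAMPLE_VMX).items():
        print("%-40s %s" % (key, state))
    print("\n".join(hardened_lines(SAMPLE_VMX)))
```

Append the emitted lines to the .vmx while the VM is powered off (VMware rewrites the file on power-off, so edits to a running VM are lost). The same audit idea applies to the other isolation.tools.* keys in the vendor guide; only the table changes.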
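A check for the VM State risk described above: whether the files that hold a VM's disk and, more importantly, its memory image can be read or written by anyone other than their owner. This is an added example, not from the report. The extensions are VMware's disk and memory-state files (.vmdk, .vmem, .vmsn, .vmss) plus the common QEMU, VirtualBox and Hyper-V disk formats; the directory listing at the bottom is constructed; scan() is what you would point at a real datastore path.

```python
"""Find VM state files that users other than their owner can read or write.

Added example, not from the report. Works on (path, st_mode) pairs so it
can be exercised offline; scan() gathers real pairs from a directory.
"""
import os
import stat

# Guest RAM at rest: VMware paged memory, snapshot, and suspend files hold
# the VM's memory contents, credentials and keys included, in clear form.
MEMORY_EXTS = {".vmem", ".vmsn", ".vmss"}
# Guest disks at rest (VMware, QEMU/KVM, VirtualBox, Hyper-V, raw).
DISK_EXTS = {".vmdk", ".qcow2", ".qcow", ".vdi", ".vhd", ".vhdx", ".img", ".raw"}

def classify(path):
    """'memory', 'disk', or None for files that are not VM state."""
    ext = os.path.splitext(path)[1].lower()
    if ext in MEMORY_EXTS:
        return "memory"
    if ext in DISK_EXTS:
        return "disk"
    return None

def exposure(mode):
    """Describe who besides the owner can touch a file with this st_mode.
    Group read is tolerated because the hypervisor often runs under a group."""
    problems = []
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    elif mode & stat.S_IROTH:
        problems.append("world-readable")
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    return problems

def find_exposed(entries):
    """entries: iterable of (path, st_mode) as os.lstat reports them.
    Returns a sorted list of (path, kind, problem) findings."""
    findings = []
    for path, mode in entries:
        kind = classify(path)
        if kind is None or not stat.S_ISREG(mode):
            continue
        for problem in exposure(mode):
            findings.append((path, kind, problem))
    return sorted(findings)

def scan(root):
    """Walk a real datastore directory and return find_exposed() over it."""
    entries = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                entries.append((path, os.lstat(path).st_mode))
            except OSError:
                pass
    return find_exposed(entries)

# Constructed listing of two VM directories, (path, st_mode) as os.lstat gives them.
SAMPLE_LISTING = [
    ("/vmfs/web-01/web-01.vmdk", stat.S_IFREG | 0o600),  # owner only: fine
    ("/vmfs/web-01/web-01.vmem", stat.S_IFREG | 0o644),  # RAM image readable by all
    ("/vmfs/web-01/web-01.vmx", stat.S_IFREG | 0o664),   # config, not state
    ("/vmfs/db-01/db-01.qcow2", stat.S_IFREG | 0o660),   # disk writable by group
    ("/vmfs/db-01/db-01.vmsn", stat.S_IFREG | 0o666),    # snapshot writable by all
    ("/vmfs/db-01/snapshots", stat.S_IFDIR | 0o755),     # directory, ignored
]

if __name__ == "__main__":
    for finding in find_exposed(SAMPLE_LISTING):
        print("%-28s %-6s %s" % finding)
```

Memory-state findings are the ones to fix first: a world-readable .vmem is the running VM's RAM, and a writable snapshot is exactly the "malicious VM modification while at rest" the abstract warns about. Run scan() over backup targets as well, since the report notes that backups carry the same state.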
About Booz Allen

Booz Allen Hamilton has been at the forefront of strategy and technology consulting for 95 years. Every day, government agencies, institutions, corporations, and not-for-profit organizations rely on the firm's expertise and objectivity, and on the combined capabilities and dedication of our exceptional people to find solutions and seize opportunities. We combine a consultant's unique problem-solving orientation with deep technical knowledge and strong execution to help clients achieve success in their most critical missions. Providing a broad range of services in strategy, operations, organization and change, information technology, systems engineering, and program management, Booz Allen is committed to delivering results that endure.

With more than 22,000 people and $4.5 billion in annual revenue, Booz Allen is continually recognized for its quality work and corporate culture. In 2009, for the fifth consecutive year, Fortune magazine named Booz Allen one of "The 100 Best Companies to Work For," and Working Mother magazine has ranked the firm among its "100 Best Companies for Working Mothers" annually since 1999.

Contact Information:
Wilson Leung, Associate, leung_wilson@bah.com, 703/604-7557
Nima Khamooshi, Associate, khamooshi_nima@bah.com, 703/984-7533
Theodore Winograd, Associate, winograd_theodore@bah.com, 703/377-5544

To learn more about the firm and to download digital versions of this article and other Booz Allen Hamilton publications, visit www.boozallen.com.