num_gg@laposte.net writes:
> Hi all,
>
> Don't know whether it's the good spot to post but this is a simple
> question and I did not find any studies about this point:
>
> I know that virtualization is seen as a great solution to managing the
> data center of the future; server virtualization enables besides a
> better way to address common issues like resources allocation and
> optimization, hot plug application deployment, space and energy
> consumption savings and so on...
>
> But: My question is from the security and anti-hacking protection
> point of view. Someone says that "virtualization allows securisation
> and isolation of a network as breaking a virtual system doesn't allow
> to take over the whole system (and especially the host system)".
> Personally I wonder how one can be so sure.
>
> What if a server "virtually" hosting my app and another one which is a
> great security hole? If a hacker manages to take over the virtual
> system hosting the "loosely secured app" is it simple (or not?) for
> him to take over the other virtual systems or, what's even worse, the
> whole system?
>
> Any idea?
> Any link where this issue is addressed?
Full escape from a VMware virtual machine was apparently demonstrated
late in 2007. I saw a talk by SANS handler Tom Liston who was
discussing the issues they leveraged to perform it. Googling, I
found a mention of it in this blog:
http://www.pauldotcom.com/2007/07/31...tualizati.html

Liston's 2006 presentation, which is light on details due to disclosure
issues, is here:
http://handlers.sans.org/tliston/Thw...on_Skoudis.pdf

However, with modifications to the VMware configuration, things can
be locked down quite well. He mentioned several of these in a talk I
attended of his in mid-late 2007.

Also notable on this virtualization security front are the squabbles
between Tom Ptacek's Matasano Security and Joanna Rutkowska (author
of Blue Pill).
http://theinvisiblethings.blogspot.c...challenge.html

Matasano's version provides more background though:
http://www.matasano.com/log/895/joan...t-us-prove-it/

Best Regards,
--
Todd H.
http://www.toddh.net/