L. V. Lammert wrote:
> On Wed, 24 Oct 2007, Brian wrote:
>
>> Hi!
>>
>> I think you are missing the point about x86 hardware being a mess.  Theo
>> made an excellent point about the architecture itself having so many
>> filthy quirks.  If a VM is compromised through any means, that attacker
>> can now leverage the dirty architecture to bypass the hypervisor's
>> (supposed) isolation techniques.  If the attacker can utilize the VM to
>> infiltrate the hypervisor, even more damage can be done.
>>
>> The entire point is this:  You cannot increase security by putting more
>> things on one physical server.  You can run your different 'Application
>> Domains' on different physical servers.  That is much closer to security
>> than through obscurity.
>>
>> -Brian
>>
> Hi!
>
> Sorry, it's YOU that missed the point! I never said or made any comparison
> to physical machines - the entirety of what I said is:
>
> "Running services/application domains in VMs increases security." As I
> said in a previous email, only an idiot would think that separatey
> physical machines would NOT increase security, and I give this crowd much
> more credit than that so I did not bother to include such information.
>
> I still stand by my original statement. Running application 'domains' in
> VMs instead of on a single server increases security.
>
>       Lee

Quoted directly from your first e-mail on this subject:

"Virtualization provides near absolute security - DOM0 is not visible to
the user at all, only passing network traffic and handling kernel calls.
The security comes about in that each DOMU is totally isolated from the
the others, while the core DOM0 is isolated from any attacks."

Your first sentence is provoking these responses.  You cannot make this
claim unless you are 100% certain the virtualization layer is bug free.

If there's a bug in the virtualization layer that allows a NORMAL USER
[1] in any of the guests to compromise the VM layer, host, or any of the
guests, the user has just escalated his privileges through a vector that
would never have been there outside of this VM environment.

Do you see what we're saying now?  You are adding a complex layer of
software to isolate things, when in fact you have no guarantee this
layer cannot cause an escalation by a normal user.

All of the theoretical attack vectors are exactly that: theoretical.
But adding complex layers does not guarantee any increase in security.

If your application 'domains' are properly isolated on a single server,
by privilege separation and chroot'ing processes, all you have left to
worry about is that NORMAL USER escalating his privileges through some
unknown bug in the OS you choose to run.  You do not have to worry about
the complex VM layer having its own set of unknown bugs.

So, in the end, you are still not getting the point.  There are possible
attack vectors in both single server setups and virtualized setups.
Making the claim that security is increased by virtualizing is
fundamentally wrong.  You just don't know of or haven't heard of any
significant holes in the virtualization layers yet (minus vmware tools).

-Brian

[1] Think Dom0's job of virtualizing hardware for the guests.  If there
is some obscure bug in the Dom0's code, it could be possible for the
normal user inside the guest to provoke this bug through the guest OS
into causing DoS or possibly worse.  I don't know of any bugs myself,
but the attack vector may exist and can become an entire class of
security holes.
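The single-server alternative Brian describes (privilege separation plus chroot'ing the service) hinges on doing the drop in the right order and then checking that it stuck. The program below is an added example written for this page; it is not code from the thread or from any project mentioned in it. It assumes setresuid()/setresgid() as found on OpenBSD and Linux, an empty scratch directory under /tmp as the jail, and a hypothetical unprivileged uid/gid of 65534 for the case where it is started as root. When started unprivileged it skips the chroot (which needs root) but still exercises the id drop and the post-drop check.

```c
/* Added example (not from the thread): chroot + drop to an unprivileged
 * uid/gid in a safe order, then verify the drop cannot be undone.
 * Assumptions: setres{u,g}id() available (OpenBSD; Linux with _GNU_SOURCE),
 * and a hypothetical unprivileged uid/gid 65534 when started as root. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define UNPRIV_UID 65534  /* assumption: "nobody"-style account */
#define UNPRIV_GID 65534

/* Confine the calling process. Returns 0 on success, -1 with errno set. */
int sandbox_process(const char *jail)
{
    uid_t target_uid = getuid();
    gid_t target_gid = getgid();

    if (getuid() == 0) {
        target_uid = UNPRIV_UID;
        target_gid = UNPRIV_GID;
        /* chroot and then chdir into it: chroot alone leaves the
         * working directory outside the jail, a classic escape. */
        if (chroot(jail) == -1 || chdir("/") == -1)
            return -1;
        /* Clear supplementary groups while we are still root. */
        if (setgroups(1, &target_gid) == -1)
            return -1;
    }
    /* gid before uid: once the uid is dropped we can no longer change gid.
     * setres*() sets real, effective and saved ids so nothing is left
     * behind for a later seteuid() to recover. */
    if (setresgid(target_gid, target_gid, target_gid) == -1)
        return -1;
    if (setresuid(target_uid, target_uid, target_uid) == -1)
        return -1;
    return 0;
}

/* Returns 1 only if the drop is irreversible: no id is still 0 and
 * setuid(0) is refused with EPERM. */
int verify_dropped(void)
{
    uid_t r, e, s;

    if (getresuid(&r, &e, &s) == -1)
        return 0;
    if (r == 0 || e == 0 || s == 0)
        return 0;
    if (setuid(0) != -1 || errno != EPERM)
        return 0;
    return geteuid() == r;
}

/* Whole sequence against a fresh, empty jail directory. Returns 1 when the
 * process ends up unprivileged and unable to regain root. */
int sandbox_and_verify(void)
{
    char jail[] = "/tmp/jailXXXXXX";  /* empty dir: nothing to exec or read */

    if (mkdtemp(jail) == NULL)
        return 0;
    if (sandbox_process(jail) == -1) {
        rmdir(jail);
        return 0;
    }
    return verify_dropped();
}

int main(void)
{
    if (sandbox_and_verify()) {
        printf("running as uid %u; setuid(0) correctly refused\n",
               (unsigned)getuid());
        return 0;
    }
    perror("sandbox");
    return 1;
}
```

The verification step is the part most real daemons skip: a setuid() that silently fails, or a saved uid left at 0, is exactly the kind of "unknown bug in the OS you choose to run" path the message warns about, and it is cheap to check for before touching untrusted input.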
