[Nottingham] Virtualisation security
James Moore
jmthelostpacket at googlemail.com
Fri Nov 11 07:38:36 UTC 2011
On 02/11/2011 09:47, Jason Irwin wrote:
> On 01/11/11 22:31, Martin wrote:
>> Any concerns for the security/vulnerability of the hypervisor?...
> Not that I know of but like any software, if there are holes they will
> be exploited at some point.
>
> If they already have enough access to the host with which to launch an
> attack on the hypervisor - it's game over anyway.
>
> From within the guest, the obvious vectors I can think of are the
> clipboard/file sharing (not over the network, I mean the sharing
> provided by the hypervisor) and the virtualisation drivers for
> networking and graphics.
>
> Certain hypervisors (e.g. VMWare) will do memory sharing between guests,
> allowing one to over-utilise the host memory. Obviously memory (by the
> page, I think) can only be shared when it is considered identical
> between guests. Perhaps it would be possible to subvert this somehow
> and have one guest inject malicious code into another?
>
> Once they have the hypervisor, they could conceivably do lots of things
> but probably only to the guests. And security measures within the
> guests would probably be unable to detect the breach as, from their
> point of view, there isn't even a hypervisor in play.
>
> Some hypervisors can expose services to the outside world, such as
> remote desktops and guest control, but like any service you'd run;
> that's something you'd be accounting for in your firewalls etc.
>
> Mostly it comes down to only exposing what services you need and making
> sure each guest is secured just like any other computer on your network.
> Certainly if it's Windows! And the merry japes of trying to convince
> the firewall/AV to /not/ shit all over your virtual network [*shakes
> fist at Symantec*].
>
> Of course, there is always the possibility that the hypervisor itself is
> evil, you didn't download it from www.t0pw4r3z.net did you? :)
>
> I use Virtualbox for personal stuff and VMWare Workstation for my job.
> They both kinda do the same thing, but I prefer Virtualbox. They're
> both type 2 (hosted) hypervisors and not what one would use for proper
> virtualisation.
>
> I'd be happy to help with a talk on virtualisation, my own level of
> knowledge is basic & bullshit (see above :D).
>
I do prefer VirtualBox, and have used it for a few years now. My first
foray into serious use of it was in building a thin client home network.
I didn't want to use an application server, mainly because I didn't have
four grand to splash on the hardware. The most powerful box I had at the
time was a dual Athlon MP with 4GB RAM (which also doubled as the head
node in my permanent cluster). That, inevitably, became my host machine.
On went a stripped XP Pro install and VirtualBox and several images
(Slackware, SuSE, XP Home, ME), then the thin clients consisted of
little more than a processor, 500MB local hard disk for paging and
bootstrap into the most basic Zipslack install imaginable, and a Gig of
memory. Worked like a charm.
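The quoted reply lists the guest-facing sharing surface a hosted hypervisor adds (clipboard, drag-and-drop, shared folders, remote desktop) and says the answer is to expose only what you need. Below is an added example, not part of this thread, that audits those settings for a VirtualBox guest from the output of `VBoxManage showvminfo <vm> --machinereadable`. The key names (`clipboard`, `draganddrop`, `vrde`, `SharedFolderName*`) and the `modifyvm` flags quoted in the findings are VirtualBox's own, as of the 4.x releases current when this was written (newer releases spell the clipboard option `--clipboard-mode`); the `SAMPLE_VMINFO` text is constructed here, not captured from a real host, and `audit_live_vm` is a hypothetical wrapper.

```shell
#!/bin/sh
# Added example (not from the original post): audit a VirtualBox guest's
# hypervisor-provided sharing surface. Feed it the key="value" lines that
#   VBoxManage showvminfo "<vm>" --machinereadable
# prints, and it reports each channel that is still open between host and guest.

# Constructed sample of showvminfo output for a guest with a few things left open.
SAMPLE_VMINFO='name="xp-home"
clipboard="bidirectional"
draganddrop="disabled"
vrde="on"
vrdeport="3389"
SharedFolderNameMachineMapping1="downloads"
SharedFolderPathMachineMapping1="/home/james/Downloads"
nic1="nat"'

# Read key="value" lines on stdin; print one finding per open channel.
audit_vm_settings() {
    while IFS= read -r line; do
        key=${line%%=*}
        val=${line#*=}
        val=${val#\"}
        val=${val%\"}
        case "$key" in
            clipboard)
                # Host<->guest clipboard is a data channel the guest can read and write.
                [ "$val" = "disabled" ] || \
                    echo "clipboard sharing is '$val'; fix: VBoxManage modifyvm VM --clipboard disabled"
                ;;
            draganddrop)
                # Drag-and-drop is file transfer outside the network, so the guest firewall never sees it.
                [ "$val" = "disabled" ] || \
                    echo "drag-and-drop is '$val'; fix: VBoxManage modifyvm VM --draganddrop disabled"
                ;;
            vrde)
                # VRDE is a remote-desktop listener on the host; it belongs in the firewall rules or off.
                [ "$val" = "off" ] || \
                    echo "VRDE remote desktop is '$val'; fix: VBoxManage modifyvm VM --vrde off"
                ;;
            SharedFolderName*)
                # Both permanent (MachineMapping) and transient mappings expose host paths to the guest.
                echo "shared folder '$val' is exposed to the guest; fix: VBoxManage sharedfolder remove VM --name '$val'"
                ;;
        esac
    done
}

# Count the findings audit_vm_settings produced on stdin (no leading whitespace).
count_findings() {
    audit_vm_settings | wc -l | tr -d '[:space:]'
}

# Hypothetical wrapper for a real host: audit_live_vm "xp-home"
audit_live_vm() {
    VBoxManage showvminfo "$1" --machinereadable | audit_vm_settings
}

# Stand-alone demo on the constructed sample: expect clipboard, VRDE and the shared folder flagged.
printf '%s\n' "$SAMPLE_VMINFO" | audit_vm_settings
```

Run it against every guest on a host with `for vm in $(VBoxManage list vms | cut -d'"' -f2); do audit_live_vm "$vm"; done`; a clean guest prints nothing, which is the state the reply above argues for: nothing exposed that a plain networked machine would not also expose.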