Educause Security Discussion mailing list archives
Re: Securing VM servers
From: Alex <alex.everett () UNC EDU>
Date: Thu, 29 May 2008 14:39:45 -0400
I would also be interested. -Alex -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Lococo Sent: Thursday, May 29, 2008 1:22 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Securing VM servers Reposting with a proper subject line. I must have deleted it by accident, apologies. Thanks, Mike Lococo Mike Lococo wrote:
Greetings, I'm very interested in connecting offline with other folks who are thinking about the architectural implications of virtualization with regard to security boundaries. We've poured a lot of thought into it in my office, had fairly extensive conversations with VMWare technical staff, and still have a lot of uncertainty about the best path forward for our environment.You might do a little searching for the research that Ed Skoudis and Tom Liston did on escaping virtual machines. Below is an article that summarizes some of it. http://blogs.computerworld.com/node/5936That article is pretty thin on details. I've never found a paper from from Ed and Tom on that research, but some the most authoritative links I've seen are: * Foolmoon has a writeup of what Ed and Tom presented at Sansfire 2007: http://www.foolmoon.net/cgi-bin/blog/index.cgi?mode=viewone&blog=11855 93255 * Ed posted a comment at the following blog with some details: http://www.cutawaysecurity.com/blog/archives/170 * Tavis Ormandy wrote an excellent paper paper on fuzzing various virtualization environments, all of which had crash bugs: http://taviso.decsystem.org/virtsec.pdf It's worth noting that none of the research above applies to ESX, it's all been done on Workstation or Server. That's not to imply that ESX has no flaws, just that it's a different architecture/codebase which makes any kind of specific comparison to the public research difficult. Thanks, Mike Lococo PS CISecurity has some hardening guides for VMWare, but they completely punt on how/where to enforce trust boundaries.
Attachment:
smime.p7s
Description:
Current thread:
- Securing VM servers Michael Jewett (May 29)
- <Possible follow-ups>
- Re: Securing VM servers HALL, NATHANIEL D. (May 29)
- Re: Securing VM servers Jenkins, Matthew (May 29)
- Re: Securing VM servers Jeff Wolfe (May 29)
- Re: Securing VM servers Mike Lococo (May 29)
- Re: Securing VM servers Paul Keser (May 29)
- Re: Securing VM servers Alex (May 29)
- Re: Securing VM servers John Ladwig (May 29)
- Re: Securing VM servers John Hoffoss (Jun 06)