Honeypots mailing list archives

Re: Know Your Enemy: Learning with VMware


From: Bill McCarty <bmccarty () apu edu>
Date: Mon, 27 Jan 2003 16:45:40 -0800

--On Monday, January 27, 2003 7:00 PM +0100 Alexandre Dulaunoy
<adulau () foo be> wrote:

... Another point is the fingerprint of the VMware
hardware. How do you solve that issue? Is there a way to change the
hardware description in VMware?

Apparently, your notion is that a production host would not likely be
running VMware, and therefore the presence of VMware must be masked in
a honeynet designed to attract skilled attackers. However, that notion
isn't always accurate. 

In particular, VMware offers an enhanced version of their product,
VMware ESX, that's designed for data centers and other high
availability applications. VMware ESX is available from VMware, as you
might expect. However, VMware ESX is also sold by IBM, bundled with IBM
servers based on Intel x86 processors. So, some of the juiciest
potential targets for attackers are running VMware.

A deeper question, I think, is the degree to which VMware's
virtualization is itself resistant to attack. The possibility exists
that an attacker may be able to escape a virtual host and obtain access
to the associated physical host. However, this risk is not peculiar to
VMware. UML and other emulation or virtualization technologies would
seem to share this risk.

---------------------------------------------------
Bill McCarty

