Re: About Xen: maybe a reiterative question but ..

view
thread

Score:

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

[view in full thread]

From: Steve Shockley <steve.shockley@...>

To: Misc-Openbsd Listserv <misc@...>

Subject: Re: About Xen: maybe a reiterative question but ..

Date: Wednesday, October 24, 2007 - 9:53 pm

L. V. Lammert wrote:
quoted text> The more discrete the security model (i.e. File/Print users are not 
> valid on the httpd server) the better.

There's something I think you don't see here.  Let's assume, for a 
moment, that you have a VM host running two guests, one OpenBSD, one 
Windows.

Now, the OpenBSD box is reasonably secure.  The Windows box, perhaps, is 
not quite so secure.

An attacker compromises your Windows box.  He discovers that the machine 
is running in a VM, and uses a vulnerability in the virtualization 
server to execute code on the host itself.

Now, he can edit the memory of the OpenBSD guest, read/copy the disk, 
whatever.  Even encryption doesn't help, you can just read the keys out 
of RAM.  The OpenBSD guest is completely compromised, without exploiting 
any vulnerability in OpenBSD itself.

Theo's point (I think) is that x86 virtualization is so hopelessly 
complex that there's no way a human could account for every possible 
attack.  That's why x86 virtualization reduces security.

I use VMware all the time, I just don't pretend it's a way to increase 
security.

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

Re: About Xen: maybe a reiterative question but .., Henning Brauer, (Wed Oct 24, 4:18 am)

Re: About Xen: maybe a reiterative question but .., L. V. Lammert, (Wed Oct 24, 9:31 am)

Re: About Xen: maybe a reiterative question but .., Dave Anderson, (Wed Oct 24, 11:45 am)

Re: About Xen: maybe a reiterative question but .., Lars Hansson, (Thu Oct 25, 12:50 am)

Re: About Xen: maybe a reiterative question but .., Henning Brauer, (Wed Oct 24, 11:12 am)

Re: About Xen: maybe a reiterative question but .., L. V. Lammert, (Wed Oct 24, 1:48 pm)

Re: About Xen: maybe a reiterative question but .. , Theo de Raadt, (Wed Oct 24, 2:03 pm)

Re: About Xen: maybe a reiterative question but .. , L. V. Lammert, (Wed Oct 24, 2:41 pm)

Re: About Xen: maybe a reiterative question but .., Darren Spruell, (Wed Oct 24, 3:27 pm)

Re: About Xen: maybe a reiterative question but .., Henning Brauer, (Wed Oct 24, 4:16 pm)

Re: About Xen: maybe a reiterative question but .., Jason Dixon, (Wed Oct 24, 4:37 pm)

Re: About Xen: maybe a reiterative question but .., Darren Spruell, (Wed Oct 24, 9:46 pm)

Re: About Xen: maybe a reiterative question but .., bofh, (Wed Oct 24, 4:48 pm)

Re: About Xen: maybe a reiterative question but .. , Theo de Raadt, (Wed Oct 24, 3:46 pm)

Re: About Xen: maybe a reiterative question but .., L. V. Lammert, (Wed Oct 24, 4:31 pm)

Re: About Xen: maybe a reiterative question but .., Kevin Stam, (Wed Oct 24, 5:04 pm)

Re: About Xen: maybe a reiterative question but .., Lars Noodén, (Thu Oct 25, 2:14 am)

Re: About Xen: maybe a reiterative question but .., Richard Toohey, (Thu Oct 25, 3:28 am)

Re: About Xen: maybe a reiterative question but .., Richard Toohey, (Thu Oct 25, 3:37 am)

Re: About Xen: maybe a reiterative question but .., Douglas A. Tutty, (Thu Oct 25, 9:16 am)

Re: About Xen: maybe a reiterative question but .., , (Thu Oct 25, 2:36 pm)

Hardware support for secure virtualization (was: About Xen: ..., Rodrigo V. Raimundo, (Thu Oct 25, 6:50 am)

Re: Hardware support for secure virtualization (was: About X..., Stuart Henderson, (Thu Oct 25, 7:13 am)

Re: About Xen: maybe a reiterative question but .., Lars Noodén, (Thu Oct 25, 4:00 am)

Re: About Xen: maybe a reiterative question but .., Richard Toohey, (Thu Oct 25, 4:06 am)

Re: About Xen: maybe a reiterative question but .. , Theo de Raadt, (Wed Oct 24, 5:41 pm)

Re: About Xen: maybe a reiterative question but .. , Jack J. Woehr, (Wed Oct 24, 6:52 pm)

Re: About Xen: maybe a reiterative question but .., Daniel Ouellet, (Wed Oct 24, 5:19 pm)

Re: About Xen: maybe a reiterative question but .., Paul de Weerd, (Wed Oct 24, 3:22 pm)

Re: About Xen: maybe a reiterative question but .., Matthew Weigel, (Wed Oct 24, 6:35 pm)

Re: About Xen: maybe a reiterative question but .. , Theo de Raadt, (Wed Oct 24, 2:57 pm)

Re: About Xen: maybe a reiterative question but .., L. V. Lammert, (Wed Oct 24, 4:48 pm)

Re: About Xen: maybe a reiterative question but .. , Theo de Raadt, (Wed Oct 24, 5:31 pm)

Re: About Xen: maybe a reiterative question but .. , L. V. Lammert, (Wed Oct 24, 5:59 pm)

Re: About Xen: maybe a reiterative question but .., Steve Shockley, (Wed Oct 24, 9:53 pm)

Re: About Xen: maybe a reiterative question but .., L. V. Lammert, (Thu Oct 25, 11:02 am)

Re: About Xen: maybe a reiterative question but .., Brian, (Wed Oct 24, 8:06 pm)

Re: About Xen: maybe a reiterative question but .., L. V. Lammert, (Wed Oct 24, 9:14 pm)

Re: About Xen: maybe a reiterative question but .., Damien Miller, (Wed Oct 24, 10:01 pm)

Re: About Xen: maybe a reiterative question but .., Adam Getchell, (Thu Oct 25, 10:30 am)

Re: About Xen: maybe a reiterative question but .., L. V. Lammert, (Thu Oct 25, 12:11 pm)

Re: About Xen: maybe a reiterative question but .., bofh, (Wed Oct 24, 9:46 pm)

Re: About Xen: maybe a reiterative question but .., Brian, (Wed Oct 24, 9:51 pm)

Re: About Xen: maybe a reiterative question but .., Damien Miller, (Wed Oct 24, 10:05 pm)

Re: About Xen: maybe a reiterative question but .., Tony Abernethy, (Wed Oct 24, 11:07 pm)

Re: About Xen: maybe a reiterative question but .., Douglas A. Tutty, (Thu Oct 25, 9:04 am)

Re: About Xen: maybe a reiterative question but .., L. V. Lammert, (Thu Oct 25, 12:09 pm)

Re: About Xen: maybe a reiterative question but .. , Theo de Raadt, (Wed Oct 24, 10:01 pm)

Re: About Xen: maybe a reiterative question but .., Tom Van Looy, (Thu Oct 25, 12:54 pm)

Re: About Xen: maybe a reiterative question but .., Subcommander l0r3zz, (Thu Oct 25, 4:36 pm)

Re: About Xen: maybe a reiterative question but .., Matt Rowley, (Fri Oct 26, 8:34 am)

Re: About Xen: maybe a reiterative question but .., Subcommander l0r3zz, (Fri Oct 26, 1:23 pm)

Re: About Xen: maybe a reiterative question but .. , Jeremy Huiskamp, (Wed Oct 24, 7:52 pm)

Re: About Xen: maybe a reiterative question but .., L. V. Lammert, (Wed Oct 24, 9:27 pm)

Re: About Xen: maybe a reiterative question but .., Shawn K. Quinn, (Sun Oct 28, 2:29 pm)

Re: About Xen: maybe a reiterative question but .., bofh, (Sun Oct 28, 5:34 pm)

Re: About Xen: maybe a reiterative question but .., Douglas A. Tutty, (Sun Oct 28, 6:18 pm)

Re: About Xen: maybe a reiterative question but .., Nick Holland, (Sun Oct 28, 10:31 pm)

Re: About Xen: maybe a reiterative question but .., Douglas A. Tutty, (Mon Oct 29, 8:43 am)

Re: About Xen: maybe a reiterative question but .., bofh, (Mon Oct 29, 9:11 am)

Re: About Xen: maybe a reiterative question but .., Douglas A. Tutty, (Mon Oct 29, 4:26 pm)

Re: About Xen: maybe a reiterative question but .., Balázs, (Mon Oct 29, 11:56 pm)

Re: About Xen: maybe a reiterative question but .., Karsten McMinn, (Thu Oct 25, 12:15 am)

Re: About Xen: maybe a reiterative question but .. , Tony Abernethy, (Wed Oct 24, 6:27 pm)

Re: About Xen: maybe a reiterative question but .. , L. V. Lammert, (Wed Oct 24, 6:44 pm)

Re: About Xen: maybe a reiterative question but .., Darrin Chandler, (Wed Oct 24, 8:43 pm)

Re: About Xen: maybe a reiterative question but .., L. V. Lammert, (Wed Oct 24, 9:20 pm)

Re: About Xen: maybe a reiterative question but .., Darrin Chandler, (Wed Oct 24, 9:54 pm)

Re: About Xen: maybe a reiterative question but .., Jason Dixon, (Wed Oct 24, 9:57 pm)

Re: About Xen: maybe a reiterative question but .., L. V. Lammert, (Thu Oct 25, 10:06 am)

Re: About Xen: maybe a reiterative question but .., Jason Dixon, (Thu Oct 25, 12:23 pm)

Re: About Xen: maybe a reiterative question but .., L. V. Lammert, (Thu Oct 25, 1:43 pm)

Re: About Xen: maybe a reiterative question but .., L. V. Lammert, (Thu Oct 25, 12:26 pm)

Re: About Xen: maybe a reiterative question but .., Henning Brauer, (Wed Oct 24, 5:26 pm)

Re: About Xen: maybe a reiterative question but .., L. V. Lammert, (Wed Oct 24, 6:00 pm)

Re: About Xen: maybe a reiterative question but .., Henning Brauer, (Wed Oct 24, 6:14 pm)

Re: About Xen: maybe a reiterative question but .., Paul de Weerd, (Wed Oct 24, 10:50 am)

Re: About Xen: maybe a reiterative question but .., L. V. Lammert, (Wed Oct 24, 1:16 pm)

Re: About Xen: maybe a reiterative question but .. , Theo de Raadt, (Wed Oct 24, 1:45 pm)

Re: About Xen: maybe a reiterative question but .., Adam Getchell, (Wed Oct 24, 12:46 pm)

Re: About Xen: maybe a reiterative question but .. , Theo de Raadt, (Wed Oct 24, 12:59 pm)

Re: About Xen: maybe a reiterative question but .. , Jack J. Woehr, (Wed Oct 24, 1:14 pm)

Re: About Xen: maybe a reiterative question but .., bofh, (Wed Oct 24, 3:39 pm)

Re: About Xen: maybe a reiterative question but .., Marc Espie, (Wed Oct 24, 1:44 pm)

Navigation

Mail archive search

Popular discussions


linux-kernel:
Nigel Cunningham	Re: [Suspend2-devel] Re: CFS and suspend2: hang in atomic copy
Bart Van Assche	Integration of SCST in the mainstream Linux kernel
Greg Kroah-Hartman	[PATCH 005/196] Chinese: add translation of SubmittingDrivers
Rafael J. Wysocki	[Bug #10821] rt25xx: lock dependency warning, association failure, and kmalloc cor...
git:
Martin Langhoff	Re: Change set based shallow clone
Karl	[StGIT PATCH] Don't use patches/<branch>/current
Andrew Morton	Untracked working tree files
Jon Smirl	! [rejected] master -> master (non-fast forward)
openbsd-misc:
Richard Stallman	Real men don't attack straw men
askthelist	Packets Per Second Limit?
GVG GVG	ssh_exchange_identification: Connection closed by remote host
Renaud Allard	Spamd default behaviour of accepting everything
linux-netdev:
Simon Horman	Re: [PATCHv2 RFC 05/25] IPVS: Add internal versions of sockopt interface structs
Lennert Buytenhek	[PATCH 08/39] mv643xx_eth: nuke port status register bit defines
Jiri Bohac	PATCH: fix bridged 802.3ad bonding
Natalie Protasevich	[BUG] New Kernel Bugs

Latest forum posts


make bzImage	8 hours ago	Linux kernel
make bzImage	9 hours ago	Linux kernel
collectl: the one performance monitoring tool for all your needs	11 hours ago	Linux general
Replacing Windows XP bootloader with GRUB bootloader	14 hours ago	Linux general
Anybody know where I can find an embedded sw engineer with good experience in digital video products???	16 hours ago	Windows
Problem in Inserting a module	19 hours ago	Linux kernel
stop process from getting scheduled out	1 day ago	Linux kernel
register_security LSM	1 day ago	Linux kernel
Process activity notification	1 day ago	Linux kernel
How to make my PCIE ATA storage device running in Linux	1 day ago	Linux general

Show all forums...

Recent Tags

more tags

Colocation donated by:

Online users

Syndicate