L. V. Lammert wrote:
Quoted directly from your first e-mail on this subject:
"Virtualization provides near absolute security - DOM0 is not visible to
the user at all, only passing network traffic and handling kernel calls.
The security comes about in that each DOMU is totally isolated from
the others, while the core DOM0 is isolated from any attacks."
Your first sentence is provoking these responses. You cannot make this
claim unless you are 100% certain the virtualization layer is bug free.
If there's a bug in the virtualization layer that allows a NORMAL USER
[1] in any of the guests to compromise the VM layer, host, or any of the
guests, the user has just escalated his privileges through a vector that
would never have been there outside of this VM environment.
Do you see what we're saying now? You are adding a complex layer of
software to isolate things, when in fact you have no guarantee this
layer cannot cause an escalation by a normal user.
All of the theoretical attack vectors are exactly that: theoretical.
But adding complex layers does not guarantee any increase in security.
If your application 'domains' are properly isolated on a single server,
by privilege separation and chroot'ing processes, all you have left to
worry about is that NORMAL USER escalating his privileges through some
unknown bug in the OS you choose to run. You do not have to worry about
the complex VM layer having its own set of unknown bugs.
So, in the end, you are still not getting the point. There are possible
attack vectors in both single server setups, and virtualized setups. By
making the claim that security is increased by virtualizing, you are
fundamentally wrong. You just don't know of or have heard of any
significant holes in the virtualization layers yet (minus vmware tools).
-Brian
[1] Think Dom0's job of virtualizing hardware for the guests. If there
is some obscure bug in the Dom0's code, it could be possible for the
normal user inside the guest to provoke this bug through the guest OS
into causing DoS or possibly worse. I don't know of any bugs myself,
but the attack vector may exist and can become an entire class of
security holes.
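Added example, not part of Brian's e-mail or the thread: the "privilege separation and chroot'ing" model he sets against virtualization, written as a hypothetical C service that starts as root, confines itself to a jail, drops to an unprivileged uid/gid and then verifies that root cannot be regained. The jail path /var/empty and the uid/gid 65534 are assumed values, not anything from the thread.

```c
/* Added example (not from the thread): a hypothetical service that starts
 * as root, chroots into a jail and drops privileges, then checks that the
 * drop is complete. Jail path and uid/gid below are assumed values. */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum {
    CONFINE_OK = 0,
    CONFINE_ERR_CHROOT,     /* chroot()/chdir() into the jail failed */
    CONFINE_ERR_GROUPS,     /* could not clear supplementary groups */
    CONFINE_ERR_GID,        /* could not set real/effective/saved gid */
    CONFINE_ERR_UID,        /* could not set real/effective/saved uid */
    CONFINE_ERR_STILL_PRIV  /* post-check: root is still recoverable */
};

/* Post-condition check: all uids/gids must match the target, and an attempt
 * to become root again must fail. A saved-set-user-id of 0 left behind by a
 * careless plain setuid() would make setuid(0) succeed here. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    if (setuid(0) == 0) return 0;   /* regained root: the drop was incomplete */
    return 1;
}

/* Confine the calling process: chroot into jail, then drop group and user
 * privileges in the only order that works (groups, gid, uid) while the
 * process is still root. Returns one of the CONFINE_* codes. */
int confine(const char *jail, uid_t uid, gid_t gid)
{
    if (chroot(jail) != 0 || chdir("/") != 0) return CONFINE_ERR_CHROOT;
    if (setgroups(0, NULL) != 0)               return CONFINE_ERR_GROUPS;
    if (setresgid(gid, gid, gid) != 0)         return CONFINE_ERR_GID;
    if (setresuid(uid, uid, uid) != 0)         return CONFINE_ERR_UID;
    if (!privileges_dropped(uid, gid))         return CONFINE_ERR_STILL_PRIV;
    return CONFINE_OK;
}

int main(void)
{
    /* Assumed values: an empty jail directory and the "nobody" uid/gid. */
    const char *jail = "/var/empty";
    uid_t uid = 65534;
    gid_t gid = 65534;

    int rc = confine(jail, uid, gid);
    if (rc != CONFINE_OK) {
        perror("confine");
        fprintf(stderr, "confine failed with code %d\n", rc);
        return 1;
    }
    /* From here on, a bug in the service can only act as the unprivileged
     * user inside the jail; going beyond that needs a kernel bug, which is
     * exactly the residual risk the e-mail describes for a single server. */
    printf("confined: uid=%u gid=%u cwd=/ (inside %s)\n",
           (unsigned)getuid(), (unsigned)getgid(), jail);
    return 0;
}
```

Build with `gcc -Wall -o confine confine.c` and run as root for the chroot to take effect; run as an ordinary user, confine() stops at CONFINE_ERR_CHROOT, which is the point of returning distinct codes rather than continuing half-confined. The explicit post-check matters because the isolation only holds if every one of the real, effective and saved ids was actually changed.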