On 10/24/07, Damien Miller wrote:
> You obviously didn't read Tavis' virtualisation security paper. VM escape
Restating my earlier post again, in regards to Xen:
1. Ormandy states that Xen's design is congruent with good security
2. Ormandy doesn't actually demonstrate a DomU -> Dom0 escalation, and
in fact, didn't test any HVMs at all.
3. Ormandy hypothesizes that based on Qemu flaws, there may be lurking
issues. However, Qemu compromises != Xen HVM Qemu compromises
Furthermore:
1. Upstream patches already exist [1] in response to Ormandy's bug report [2]
On 10/24/07, Brian wrote:
> Your first sentence is provoking these responses. You cannot make this
The standard of security is 100% bug free code? If so, then OpenBSD is
certainly insecure, because the two remote root exploits demonstrated
in the last 10 years show that OpenBSD is not 100% bug free. Also, a
flaw (along with demonstrated code) was pointed out earlier in this
thread by Christopher Eggart.
> If there's a bug in the virtualization layer that allows a NORMAL USER
Usually, when someone makes a claim that OpenBSD is insecure because
of some hypothetical vulnerability, the response is (rightly)
"Demonstrate an exploit. You'll be famous."
Can someone demonstrate a DomU->Dom0 exploit in the current, patched
version of Xen?
On 10/24/07, Jason Dixon wrote:
> There is *nothing* in any virtualization software that makes having
From my earlier post, did you look at:
http://shell.cse.ucdavis.edu/~bill/virt/virt.pdf
In particular, how does defending against certain classes of rootkits
and having known, good checksums for known, good binaries not increase
the security of the system?
Let's say DomU is OpenBSD (which HVM virtualizes fine, BTW). The few
rootkits (that could be installed by local, malicious users) for
OpenBSD can be detected using CDR, which wouldn't be the case
otherwise.
On 10/24/07, Theo de Raadt wrote:
> And when physical servers cost less than some vmware licenses........
That I agree with.
But Xen is free ....
Adam
[1] https://launchpad.net/ubuntu/+source/xen-3.1/
[2] http://secunia.com/advisories/26986/
--
"Invincibility is in oneself, vulnerability in the opponent." -- Sun Tzu