VMware researcher Oded Horovitz got an earful when he told a group of security buffs his company's virtualization software was theoretically impenetrable. Speaking at the CanSecWest conference in Vancouver, his hour-long presentation, titled Virtually Secure, included a slide titled "VM Escape" that carried the following bullet …
This topic is closed for new posts.
Posted Thursday 27th March 2008 18:06 GMT
"Though impossible by design, the hypervisor can still have implementation vulnerabilities."
How true of so much software. Remember, NT4 is can be configured to pass C2 security compliance. While the "design" may be "perfect," theory usually is. The reality is that it's left to developers to implement these theories. Any software is only as secure is its least skilled developer.
Posted Thursday 27th March 2008 21:32 GMT
Nothing is impossible in the Virtualised Field...... although some things will have no valid future prospects if they abuse the Field...... which will identify ITs Abusers/Crass Users. It is just the Semantic Nature of the Medium which makes it so.
And that Offers .......... well, Infinite Possibilities limited only by Poor Imagination.
Suck IT and See. Wanna do something Really Imaginative and BetaTest IT? :-)
Posted Thursday 27th March 2008 21:32 GMT
Although Monsieur Guilmette is correct is pointing out that NT4 had C2 certification, it came with small print. It excluded hosts with network connectivity and a few other things (I seem to recall a problem with the default bootloader). With the small print, it made the certification pretty worthless.
The greatest problem occurs between the design and implementation. Almost all security issues and faults occur due to poor implementation.
So while not ignoring the need for good design and proving the security of the design, the implementation needs to be controlled also - not using C would be good start.
Posted Friday 28th March 2008 02:54 GMT
software is only ever completely perfect, secure and stable in one place: marketing literature.
anything created by humans has flaws, because humans can not imagine every possible use case, over an indefinite period of time (easy example: the creators of SMTP failed to design for spam). if one starts with that assumption, a VM is just another target to compromise. just like antivirus/security apps, a virtualized environment can provide a more effective way to hide malware.
the bullet point was likely (hopefully) produced by the marketing department, because if their engineering team came up with that clanger, they need to hire some less optimistic code jockeys, soonest.
Posted Tuesday 1st April 2008 00:10 GMT
Seems promising:
http://www.vmware.com/overview/security/vmsafe.html
and yes, it's not only VMware alone developing this in a quiet chamber - it's being co-developed and audited by anything that holds a name in the security sector.
This topic is closed for new posts.
Back to the article
Transforming IT culture
Driving Situational Awareness:
Application Performance Management:
Ensuring service assurance in the new normal
