Comments on: Virtual Machines are No Security Blanket

By: editorial_response

editorial_response — Wed, 30 Nov -0001 00:00:00 +0000

Do you believe you have complete control over your system now, virtual or not? I bet I could come up with a logic that could define a virtual machine that a sys admin maintains, and another system that an end user uses and neither would actually have control of either system and I could rewrite protocols so that data was a heck of a lot more secure across the entire nation.

By: sfandino

sfandino — Wed, 30 Nov -0001 00:00:00 +0000

Virtual machines are no more or less secure than physical machines

That\’s just plain wrong, virtual machines are far less secure than physical ones!

Virtualization software, as any other software, has bugs and these bugs can be exploited to take control of the VM process allowing execution of arbitrary code in the host. That would give an attacker full access to any sibling VMs running there.

Hardware also has bugs but hitting them will usually just leave you with a crashed machine instead of allowing you to access other servers in the neighborhood.

Some real examples:

http://news.zdnet.co.uk/security/0,1000000189,39661637,00.htm
http://news.softpedia.com/news/Guest-to-Host-Exploit-Found-in-VMware-Fusion-109530.shtml

By: cweberusa

cweberusa — Wed, 30 Nov -0001 00:00:00 +0000

Virtual machines have the one great advantage of effortless snapshots and easy provisioning. So while they are not any more secure than physical servers, recovery from an attack is much easier and quicker: Locate a snapshot from before the attack, spin it up in the lab (behind a firewall or off the net entirely), close the loophole, move it online, and you\’re back in business. The big unknown in this scenario is \”close the loophole\”, of course.

By: duncan

duncan — Wed, 30 Nov -0001 00:00:00 +0000

This is just about as dumb an article as I have ever seen. Anytime you add anything to the mix it is probably less secure period.

Also, just restoring a machine doesn\'t get you back to where you were, unless your just displaying a few flat web pages. I guess I think in terms of actually doing something - like taking orders.

By: khess

khess — Wed, 30 Nov -0001 00:00:00 +0000

@sfandino

Well, the first link you gave is for: Penetration-testing company Immunity has exploited a flaw in VMware software that allows malicious code running in a virtual machine to take over the host operating system. This would be similar to the LSASS worm killing other physical machines on a network of physical machines. This doesn\'t make the VM less secure.

And, same for the other one: \"This is indeed a guest-to-host exploit,\" Kortchinsky said in an e-mail, according to a Computerworld report. \"It uses several vulnerabilities in the \'Display functions\' (as VMware put it) that allow [someone] to read and write arbitrary memory in the host. Thus, the guest can run some code on the host, effectively bypassing ASLR and DEP on Vista SP1.\"

Again, not VM security issues.

@cweberusa

You\'re correct. You\'d have to do that with a physical machine as well.

@duncan
The VM itself is not less secure just because of its status as a VM.

By: sfandino

sfandino — Wed, 30 Nov -0001 00:00:00 +0000

@khess, obviously you don\’t understand the implications of a guest to host exploit!