[lug] So much for VMware

Sean Reifschneider jafo at tummy.com
Sat Dec 2 20:57:13 MST 2006


On Sat, Dec 02, 2006 at 01:43:50AM -0700, Nate Duehr wrote:
>Virtualized mainframes (since someone went there...) and most forms of 
>virtualization prior to these chipsets always had a way for the Grand 
>Poohbah administrator to see who was running what inside their virtual 
>environments.
>
>This latest round of hardware virtualization techniques on PC-class 
>hardware seems to have gotten the whole idea totally wrong... driven by 
>customer desires for "security" between virtual machines.

Ah, I see...  You don't understand the exploit.  The current hardware
*DOES* allow the "grand poohbah" administrator to see what other instances
are running on the hardware.  It does *NOT* allow the virtual instances to
see that same information.  The point of the exploit is that someone could
push the user's system image down into one of these virtual containers.

So, the grand poohbah *CAN* see the virtualization status, it's just that
in this case the grand poohbah is an external user who has compromised the
machine, not the user who owns it and selected "Virtualization: Enabled" in
their BIOS, but didn't actually set up the virtualization on their system
to become the grand poohbah.

The PC-class virtualization does make the virtual machines nearly unable to
tell the difference between them running on the native hardware, and them
running in the container.  That's kind of the point of the virtualization,
because otherwise the virtual OSs have to be ported to the virtualization
system, which is a ton of effort as the Xen and User Mode Linux people have
found.

The exact same thing can be said about the software-level virtualization
things like "jail" and whatnot that make it look like your server is just
yours when actually someone else controls it.  Exactly the same thing can
happen to servers without any special hardware support.  For them to work
legitimately, they kind of also have to work in a way that attackers could
exploit.

Though, in reality, most hardware virtualization systems provide at least
an emulated network interface, and it's usually not too hard to tell that
you're running in a virtual container from the experiences I've had.

Sean
-- 
 This mountain is PURE SNOW!  Do you know what the street value of this
 mountain is!?!                -- Better Off Dead
Sean Reifschneider, Member of Technical Staff <jafo at tummy.com>
tummy.com, ltd. - Linux Consulting since 1995: Ask me about High Availability
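The last paragraph above says that in practice a guest can usually tell it is in a container, typically from the emulated network card. The two checks below are an added example, not code from the post or from anyone on the list: one reads the CPUID "hypervisor present" bit and the 12-byte vendor signature that hypervisors hand to guests in leaf 0x40000000, the other compares a NIC's MAC prefix against the address ranges that VMware, VirtualBox, Xen, Hyper-V and QEMU/KVM hand out by default. The MAC table and the sample register values used in the comments are constructed from public vendor data; the live CPUID part only compiles on x86.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

/* CPUID leaf 1, ECX bit 31 is reserved for "a hypervisor is present". */
int hv_bit_set(uint32_t leaf1_ecx) {
    return (leaf1_ecx >> 31) & 1u;
}

/* Copy a 32-bit register into 4 bytes, low byte first, which is how the
 * CPUID vendor signature is laid out (works on any host endianness). */
static void put_reg(char *dst, uint32_t reg) {
    for (int i = 0; i < 4; i++)
        dst[i] = (char)((reg >> (8 * i)) & 0xffu);
}

/* Decode EBX, ECX, EDX of leaf 0x40000000 into a NUL-terminated string.
 * Example (constructed): 0x61774D56, 0x4D566572, 0x65726177 -> "VMwareVMware".
 * Hypervisors that pad with NULs (KVM: "KVMKVMKVM\0\0\0") are cut at the pad. */
void decode_hv_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    put_reg(out, ebx);
    put_reg(out + 4, ecx);
    put_reg(out + 8, edx);
    out[12] = '\0';
    for (int i = 0; i < 12; i++) {
        if (!isprint((unsigned char)out[i])) { out[i] = '\0'; break; }
    }
}

/* Default MAC prefixes of common virtual NICs (from public vendor data). */
static const struct { const char *oui; const char *vendor; } VIRT_OUIS[] = {
    { "00:05:69", "VMware" }, { "00:0C:29", "VMware" }, { "00:50:56", "VMware" },
    { "08:00:27", "VirtualBox" }, { "00:16:3E", "Xen" },
    { "00:15:5D", "Hyper-V" },   { "52:54:00", "QEMU/KVM" },
};

/* Return the vendor whose prefix the MAC carries, or NULL if none matches.
 * Accepts "aa:bb:cc:dd:ee:ff" or "aa-bb-cc-dd-ee-ff" in either case. */
const char *mac_virtual_vendor(const char *mac) {
    char norm[9];
    if (mac == NULL || strlen(mac) < 8) return NULL;
    for (int i = 0; i < 8; i++) {
        char c = mac[i];
        if (i == 2 || i == 5) {
            if (c != ':' && c != '-') return NULL;
            norm[i] = ':';
        } else {
            if (!isxdigit((unsigned char)c)) return NULL;
            norm[i] = (char)toupper((unsigned char)c);
        }
    }
    norm[8] = '\0';
    for (size_t i = 0; i < sizeof VIRT_OUIS / sizeof VIRT_OUIS[0]; i++)
        if (strcmp(norm, VIRT_OUIS[i].oui) == 0) return VIRT_OUIS[i].vendor;
    return NULL;
}

/* Usage: ./vmcheck [mac-address-of-your-nic] */
int main(int argc, char **argv) {
#if HAVE_CPUID
    unsigned int a, b, c, d;
    __cpuid(1, a, b, c, d);
    printf("hypervisor bit: %d\n", hv_bit_set(c));
    __cpuid(0x40000000u, a, b, c, d);      /* harmless on bare metal too */
    char vendor[13];
    decode_hv_vendor(b, c, d, vendor);
    printf("hypervisor vendor signature: \"%s\"\n", vendor);
#else
    puts("CPUID check skipped: not an x86 build");
#endif
    if (argc > 1) {
        const char *v = mac_virtual_vendor(argv[1]);
        printf("MAC %s: %s\n", argv[1], v ? v : "no virtualization prefix");
    }
    return 0;
}
```

Neither check is conclusive on its own: a hypervisor that wants to hide can clear the CPUID bit and hand out an arbitrary MAC, which is exactly Sean's point that a legitimate container and a hostile one look the same from inside. What the pair does give a user is a cheap first answer to "did I end up inside a container I never set up?", and a mismatch (BIOS says bare metal, CPUID says otherwise) is the thing worth investigating.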