14 comments

[ 2.8 ms ] story [ 38.4 ms ] thread

    COM1
Man, I haven't even /thought/ about that term in years...
Virtualization is a great tool for using "well behaved" programs. It's foolhardy to expect it to defend against sophisticated malicious software.

About 40 years ago IBM studied the security of their own VM technology. They found many exploitable bugs, and this was on a codebase that was probably less than 1% the size of VMware. I wrote more about IBM's findings on HN about 3 months ago:

https://news.ycombinator.com/item?id=9241807

That's not the only place that has poor isolation: clocks, cache, devices ...

virtualization comes with the lie of hardware isolation while devices are views on common peripherals that are isolated at application level by an incorrect abstraction.

jails and virtual machines alike are jails made of a strong but viciously brittling glass.

Remind me: Are modern hypervisors meant to securely contain guests? Because they advertise their presence pretty loudly, and there's nothing which motivates a jail-break like reminding the inmate they're in a cell.
This is why I'm not a fan of public cloud virtualization for high security systems (PCI-DSS/HIPPA/etc).

In addition to the escapes, you need to contend with side channel timing observation and resource contention.

Yes, they are. A common use case of hypervisors is to split up a large server between multiple renters, who demand a hypervisor which won't let other renters hack them.
Well I suppose a guest with access the internet could also deploy malware to a website which is then visited by the host computer and downloads a hack that patches vmware to allow full host control from the guest.

Depends on what you mean by "escape".

You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes. -- Theo de Raadt
Is this a bug in VMware or a bug in Windows?
VMWare. It takes advantage of the fact that VMWare links guest VMs to the host's printers by default and takes advantage of that link. The patch from VMWare even applied to VMWare Fusion even though there hasn't been anything published on getting this to work in OSX.