Theo de Raadt and PC Hardware Security subject logo: UNIX
Posted by: badanov

Via slashdot comes a link about a message thread at where OpenBSD's Theo de Raadt discusses paravirtualization and the x86 (PC) hardware virtualization problems.

Virtualization finally came of age last year with the release of Xen 3.0, a openware package which allows several virtual machines to run aboard one physical machine, each with their own ethernet interface, memory, disk space, the works. Each virtual machine is in fact a file aboard the physical machine, which can be switched by the physical machine in case of some event which could affect the virtual machine (VM), a software crash, can be remdiated by transferring files to another VM.

The advantages are obvious: A physical machine can run a web server, a mail server and a database server, each with their own security. Backups are a breeze as are many normal server functions because everything in a VM resides within a seperate file, which could be moved elsewhere quickly by the physical machine.

Cool tricks, and I was most impressed with all that I had read about VMs.

Except for security.

On the tail of this most wonderful news came disturbing reports that already proof of concept exploits had been published which allowed a malicious person to take control of a physical machine and then all the other VMs without the physical machine even giving a hint something has gone wrong.

My personal interest evaporated, and I can see how machine system operators and the like howl at the thought of several fundamental problems that the PC's x86 architecture has which renders it incapable of totally compartmentailizing VM's. It's hard to believe it, but Theo de Raadt has been sounding the alarm about it for months now.

de Raadt has been running about the place with a hatpin pricking these large expectant bubbles about VMs and how fundamentally secure they are, all these expectations inflated apparently without realizing that explots are already out there which can take over a physical PC all without an operator even being aware they have been hosed. Some of his remarks are caustic, putting it kindly, and are therefore hilarious. He seems to be like Freddy Krueger without the charm and the sense of humor.

I came to the concluson after reading about these rootkits out there that there was something badly wrong enough with Xen and the concept of VMs on the x86 boards, that VMs were not in my immediate future. I like computer security and I understand that like all security, it is layered and not absolute, and it that is a journey and not a destination.

A few weeks ago attending a local Linux function, I overheard a conversation about a hospital systems admin showing off his VMs, how easy it was to switch VMs from one physical machine to another. The sound of marvel and awe was in the air.

Fortunately for him, hospital privacy and IT security standards have yet to catch up to the exploits. They obviously have caught up to the VMs, but not to the stuff that can take them down.

If I had the time, I could lobby for that guy's job.

If you have something to add, Fire Away!

Number of Comments so far: 0

Click here for a list of stories in the Unix and Computer category