Theo de Raadt and PC Hardware Security
2007-11-02
Posted by: badanov

Via Slashdot comes a link about a message thread at kernal.org where OpenBSD's Theo de Raadt discusses paravirtualization and the x86 (PC) hardware virtualization problems.

Virtualization finally came of age last year with the release of Xen 3.0, an openware package which allows several virtual machines to run aboard one physical machine, each with their own ethernet interface, memory, disk space, the works. Each virtual machine (VM) is in fact a file aboard the physical machine, which the physical machine can switch when some event affects the VM; a software crash, for example, can be remediated by transferring files to another VM.

The advantages are obvious: A physical machine can run a web server, a mail server and a database server, each with their own security. Backups are a breeze, as are many normal server functions, because everything in a VM resides within a separate file, which could be moved elsewhere quickly by the physical machine.

Cool tricks, and I was most impressed with all that I had read about VMs.

Except for security.

On the tail of this most wonderful news came disturbing reports that proof-of-concept exploits had already been published which allowed a malicious person to take control of a physical machine and then all the other VMs without the physical machine even giving a hint that something had gone wrong.

My personal interest evaporated, and I can see how machine system operators and the like howl at the thought of several fundamental problems that the PC's x86 architecture has which render it incapable of totally compartmentalizing VMs. It's hard to believe it, but Theo de Raadt has been sounding the alarm about it for months now.

de Raadt has been running about the place with a hatpin pricking these large expectant bubbles about VMs and how fundamentally secure they are, all these expectations inflated apparently without realizing that exploits are already out there which can take over a physical PC all without an operator even being aware they have been hosed. Some of his remarks are caustic, putting it kindly, and are therefore hilarious. He seems to be like Freddy Krueger without the charm and the sense of humor.

I came to the conclusion after reading about these rootkits out there that there was something badly wrong enough with Xen and the concept of VMs on the x86 boards, that VMs were not in my immediate future. I like computer security and I understand that like all security, it is layered and not absolute, and that it is a journey and not a destination.

A few weeks ago attending a local Linux function, I overheard a conversation about a hospital systems admin showing off his VMs, how easy it was to switch VMs from one physical machine to another. The sound of marvel and awe was in the air.

Fortunately for him, hospital privacy and IT security standards have yet to catch up to the exploits. They obviously have caught up to the VMs, but not to the stuff that can take them down.

If I had the time, I could lobby for that guy's job.
