[Dshield] VMware

John B. Holmblad jholmblad at aol.com
Fri Oct 14 14:10:46 GMT 2005


Neil,

you might want to recheck the assertions regarding VM software always 
running in ring 0. I am not so sure of that myself. Having said that, I 
too have wondered about what kinds of security exposures arise from VM 
systems. Now that Microsoft has gotten into the market with their 
Virtual PC and Virtual Server products we will see even more instances 
of such environments, especially since Microsoft markets the concept of 
server virtualization as a way to deal with the long tail of still 
extant servers out there running Windows NT.

You may be aware that VMware also has a product called ACE, based, I 
believe, on VMware Workstation 5.0, and running on Windows XP. It is 
noteworthy that ACE stands for "Assured Computing Environment" and, from 
what I have read and heard from VMware sales folk, it is being touted as 
a security improvement for so-called "unmanaged" PCs, i.e. those PCs 
that operate some or all of the time outside of the enterprise 
perimeter defenses. Here is the URL to the section of the VMware web 
site devoted to ACE:

          http://www.vmware.com/products/ace/

Best Regards,

John Holmblad

Televerage International
GSEC Gold, GCWN Gold, GGSC-0100, NSA-IAM

(H) 703 620 0672
(M) 703 407 2278
(F) 703 620 5388

primary email address:     jholmblad at aol.com
backup email address:      jholmblad at verizon.net



Neil Richardson wrote:

>on 10/12/2005 12:33 PM David Taylor said the following:
>
>
>>I use VMWare 5 as well and love it. As others have stated I
>>haven't seen any direct guest to host problems.
>
>
>- ----->8 ===== [ snip, snip, snip ] ===== 8< -----
>
>
>>From: list-bounces at lists.dshield.org
>>[mailto:list-bounces at lists.dshield.org] On Behalf Of Semper Securus
>>
>>
>>I also use VMWare 5 WS quite a bit and have had no issues with any
>>guest to host contamination. A couple of items for consideration:
>
>
>- ----->8 ===== [ snip, snip, snip ] ===== 8< -----
>
>First, although I'm not the original poster I want to thank you guys
>for the good advice; I'm looking into using virtual PC software for
>parallel reasons (a sandbox to learn security, although in my case for
>VPNs and remote access).
>
>One question, though:  In a recent issue of PC Magazine, they made the
>following comments[1] :
>
>
>>With host OS, VMM, and guest OS instances all running in ring 0,
>>heroic (and slightly dicey) software techniques must be used to
>>keep each guest OS isolated from the host and the other guests. (
>>... ) This can be messy, and potentially insecure against malware.
>>The current state of the x86 architecture doesn't allow for
>>"clean" virtualization of software operating at ring 0.
>
>This brought me to a screeching halt.  Are there known
>problems/exploits with the sandbox breaking and the host PC being
>compromised?  Or is this just warning against
>theoretically-possible-but-unlikely-in-practice dangers and
>attacks...a magazine equivalent of the EULA that says "We don't
>promise that this will work"?
>
>[1] Tiny-URL: http://tinyurl.com/c2hxv
>Unencoded URL: http://www.pcmag.com/article2/0,1895,1854448,00.asp
>
>
>Thanks again for all the enlightenment!
>
>- -Neil R.
>- --
>Supreme Lord High Commander and Keeper of the Holy Potato
>- ----------
>PGP Fingerprint: A663 1ACB 84E6 F4DE B86E  0AA1 7A36 F817 E098 F32E
>- ----------
>It really bothers me when people cut me o

