Paid Advertising is
ha.ckers sla.cking
For any nonsense or banter that doesn't fit anywhere else. LoL! omg! ROFL! 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Virtual Machine security
Posted by: doody
Date: April 03, 2010 11:27PM

I was wondering about setting up a virtual machine on VirtualBox or VMWare. How secure are those? Is it possible to break through and get to the underlying system?

Options: ReplyQuote
Re: Virtual Machine security
Posted by: _valentin
Date: April 10, 2010 10:16AM

There are various ways of virtualization, some of them are:
- full virtualization (emulated virtualization) (e.g. vmware, qemu)
- container virtualization (e.g. virtuozzo)
- paravirtualization (The VMM here is a hypervisor) (e.g. xen)
- kernel mode virtualization (e.g. kvm)

The level of security depends on the virtualization solution you choose. When it comes down to resource sharing (this is what virtualization really is), isolating the guests from each other is one of the most important factors.

You can bet that every software vendor makes sure that you can't access other guests when you are within a VM.

Anyway, some vulnerabilities for VMWare products have been reported :)

Options: ReplyQuote
Re: Virtual Machine security
Posted by: ntp
Date: April 11, 2010 06:22PM

iofuzz was an entire bootable ISO meant to be used as a VM (converted to OVF, vmdk, VHD, etc) for fuzzing from guest-to-host created by Tavis Ormandy at Google.

Others such as Kostya at Immunity Security busted host-to-guest using some of video drivers or something in a BlackHat presentation called CloudBurst.

McAfee and many others have worked closely with VMware, Oracle/Sun, Citrix, Microsoft, Redhat, and other virtual infrastructure vendors regarding vulnerabilities found in their products.

Certainly running stuff in a VM creates a software/application boundary, albeit it is not a perfect one (similar to network firewalls -- they stop a lot of things, but not everything). There are many other advantages to running in a VM, and with VirtualBox's Seamless Mode (VMware Workstation and Fusion have something similar, but these are commercial products that cost a lot of money), you can use the VM almost like it is a native part of your regular operating system.

I run Web Security Dojo in a VM about 100 percent of the time.

Options: ReplyQuote
Re: Virtual Machine security
Posted by: doody
Date: April 12, 2010 01:19PM

I had an idea to run a web server off a VM.. reason being I wanted to keep the web server environment isolated and also make it easy to wipe the entire OS if there were any problems.

Options: ReplyQuote

Sorry, only registered users may post in this forum.