Re: More on VMWare poor guest isolation design

> 2. This issue is not about a user on the host compromising a virtual guest.
> It is about a *non-privileged* user on the host being logged in to guest
> machines as an administrator, and a worm--running in the context of that
> non-privileged user on the host--being able to access the admin-level
> context of the guest machines without knowing those administrator
> credentials. Also remember that since I am talking about a non-privileged
> user on the host, there will be limits on what this user could do to
> accomplish some of the other attacks mentioned.

Your position seems to be that an easy automated scripting interface is a lot more dangerous than a slightly harder indirect attack method. The truth is that they are both scriptable and reliable. Techniques for attacking virtual machines from the host are certainly no harder to code than the average remote exploit that worms used to propogate. Do you really think a worm writer who wants to compromise VMWare guests would take advantage of a scripting interface but shy away from the task if he had to write custom code to break into the guest?

> 4. This is also not so much about this specific issue at hand--we can easily
> block this--but also looking at the bigger picture of establishing best
> practices for dealing with the guest/host relationship.

Here's a best practice: Don't assume that guests are protected from software running on the host system.

> As a side note, I specialize in hardening Windows so all of these systems
> have been hardened with my own hardening script that is quite extreme. These
> are by no means weak targets.

A (virtual) machine where attackers can arbitrarily read and write the memory, the disk and even alter devices is going to be a soft target.

The physical analogy that someone brought up earlier works well here. Would you consider your machine locked down if someone could open your computer case, yank the hard drive and attach new devices to the system at will? Well, with a virtual machine they can do that while the machine is running.

> Mark Burnett
> http://xato.net

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Tim Newsham
http://www.thenewsh.com/~newsham/ Received on Mon Aug 27 13:49:44 2007