RE: More on VMWare poor guest isolation design
I should probably have already ended this discussion, but it reminds me of a
discussion I had on this same list almost ten years ago trying to explain to
Microsoft why a vulnerability that discloses physical paths is a big enough
deal to bother patching. Their argument was that they couldn't see the risk
of disclosing a physical path, and if someone could do something with that
path then they could probably discover the path in the first place. My
argument was that it really doesn't matter what the current risks might be,
that's really not the point, let's just fix it anyway. It turns out later
there were a number of IIS issues where people could execute or access
files, but they needed to know the physical path first.
I think some of you are overanalyzing this issue. I am well aware that there
are other ways to accomplish the same thing in many instances, I am not
saying I have introduced a spectacular new attack vector. I would categorize
this threat standing on its own as medium to low, depending on your
environment. But the fact is that this thing bypasses normal OS security
mechanisms and we simply cannot imagine how that might be used by an
attacker in the future. Some of you keep trying to point out that owning the
host always means owning the guests, but that isn't always the case,
especially if you are not a full administrator on the host machine.
I know that for a lot of years people have been saying that once someone can
access the physical box, there's nothing more you can do. Well, that's just
not true anymore. You very well can protect a physical machine and you
should be able to protect a virtual guest from its host. There's no way a
non-admin user is going to be able to modify the RAM of a vm. And in Windows
Vista, if not already blocked, even as an administrator I would have to
explicitly allow a worm to access the RAM or disk of a virtual machine. No
worm is going to access a vm's resources without a UAC prompt coming up.
The argument that owning a physical machine automatically means game over
just isn't true. We should be able to say the same thing about a VM.
Mark
> -----Original Message-----
> From: Tim Newsham [mailto:newsham@lava.net]
> Sent: Saturday, August 25, 2007 1:05 PM
> To: M. Burnett
> Cc: 'Arthur Corliss'; 'Jonathan Yu'; bugtraq@securityfocus.com
> Subject: Re: More on VMWare poor guest isolation design
>
> > 2. This issue is not about a user on the host compromising a virtual guest.
> > It is about a *non-privileged* user on the host being logged in to guest
> > machines as an administrator, and a worm--running in the context of that
> > non-privileged user on the host--being able to access the admin-level
> > context of the guest machines without knowing those administrator
> > credentials. Also remember that since I am talking about a non-privileged
> > user on the host, there will be limits on what this user could do to
> > accomplish some of the other attacks mentioned.
>
> Your position seems to be that an easy automated scripting interface is a
> lot more dangerous than a slightly harder indirect attack method. The
> truth is that they are both scriptable and reliable. Techniques for
> attacking virtual machines from the host are certainly no harder to code
> than the average remote exploit that worms used to propagate. Do you
> really think a worm writer who wants to compromise VMWare guests would
> take advantage of a scripting interface but shy away from the task if he
> had to write custom code to break into the guest?
>
> > 4. This is also not so much about this specific issue at hand--we can easily
> > block this--but also looking at the bigger picture of establishing best
> > practices for dealing with the guest/host relationship.
>
> Here's a best practice: Don't assume that guests are protected from
> software running on the host system.
>
> > As a side note, I specialize in hardening Windows so all of these systems
> > have been hardened with my own hardening script that is quite extreme. These
> > are by no means weak targets.
>
> A (virtual) machine where attackers can arbitrarily read and write
> the memory, the disk and even alter devices is going to be a soft
> target.
>
> The physical analogy that someone brought up earlier works well here.
> Would you consider your machine locked down if someone could open
> your computer case, yank the hard drive and attach new devices to the
> system at will? Well, with a virtual machine they can do that while
> the machine is running.
>
> > Mark Burnett
> > http://xato.net
>
> Tim Newsham
> http://www.thenewsh.com/~newsham/
Thread (articles with the same subject)
Full thread (this is article 1 of 3)