Virtualization (In)Security Through Economic Obfuscation…
Here's something that's bothered me for some time…
To date, the bulk of security research focused on the many elements of virtualization are clearly focused on open-source based virtualization platforms/hypervisors such as Xen or other widely-available hosted hypervisor architectures and not on closed-source, commercially-available offerings.
The reason for this is two-fold: cost and availability of source code.*
It's clear that it costs nothing and is easier to find vulnerabilities in free and freely-available source code or free/low-cost hosted platforms.
So, assuming that VMware enjoys 50%+ marketshare in the (server) virtualization space, it's frightening that perhaps the reason we don't see a lot of research and/or publically-available review of security in VMware comes down to the first stumbling block that puchasing ESX is simply not economically viable for many researchers. So they don't.
This comment has been made by several top-rung researchers over the last 3 days in a VirtSec conference I'm attending.
Security through economic obfuscation.
It will be interesting to see what happens as the cost of commercial hypervisors approach zero even if they are closed sourced. As ESX and Hyper-V are now basially free, I look forward to seeing work done by the researchers in this space as they turn their attention to it now that it's affordable.
*Oh, yeah…there's that little issue of NDA/legal, too…if you happen to directly engage with said vendors who can therefore limit disclosure.