
Virtualization (In)Security Through Economic Obfuscation…

September 11th, 2008

Here's something that's bothered me for some time…

To date, the bulk of security research on the many elements of virtualization is clearly focused on open-source virtualization platforms/hypervisors such as Xen, or on other widely-available hosted hypervisor architectures, and not on closed-source, commercially-available offerings.

The reason for this is two-fold: cost and availability of source code.*

It's clear that it costs nothing and is easier to find vulnerabilities in free and freely-available source code or free/low-cost hosted platforms.

So, assuming that VMware enjoys 50%+ market share in the (server) virtualization space, it's frightening that perhaps the reason we don't see a lot of research and/or publicly-available review of security in VMware comes down to the first stumbling block: purchasing ESX is simply not economically viable for many researchers. So they don't.

This comment has been made by several top-rung researchers over the last 3 days at a VirtSec conference I'm attending.

Security through economic obfuscation.

Ugh.

It will be interesting to see what happens as the cost of commercial hypervisors approaches zero, even if they remain closed source. As ESX and Hyper-V are now basically free, I look forward to seeing work done by the researchers in this space as they turn their attention to it now that it's affordable.

/Hoff

*Oh, yeah… there's that little issue of NDA/legal, too… if you happen to directly engage with said vendors, who can therefore limit disclosure.

Categories: Virtualization
  1. September 11th, 2008 at 11:27 | #1

    Well hopefully we should see at least one of those arguments fall away as time goes by, as ESXi server is available for free, so now there is one VMware product in each class (workstation, server with standard OS and bare-metal hypervisor) which are free…

  2. David O'Berry
    September 11th, 2008 at 17:38 | #2

    Huge issue… even when it is widely available you still will not be sure if the dude next to you can fuzz it better than you can…
    Good stuff, Hoff, and one of the reasons why I believe that even though we downplay hyperjacking based on just sheer surface area, it will be a very large challenge sooner than most expect.
    –David

  3. Daniel
    July 10th, 2009 at 10:33 | #3

    Bit late for a comment, but VMware is (now?) offering some options to academic research. http://www.vmware.com/partners/academic/faqs.html
