Home > Cloud Computing, Cloud Security, Virtualization Security > Hacking Exposed: Virtualization & Cloud Computing…Feedback Please

Hacking Exposed: Virtualization & Cloud Computing…Feedback Please

Craig Balding, Rich Mogull and I are working on a book due out later this year.

It’s the latest in the McGraw-Hill “Hacking Exposed” series.  We’re focusing on virtualization and cloud computing security.

We have a very interesting set of topics to discuss but we’d like to crowd/cloud-source ideas from all of you.

The table of contents reads like this:

Part I: Virtualization & Cloud Computing:  An Overview
Case Study: Expand the Attack Surface: Enterprise Virtualization & Cloud Adoption
Chapter 1: Virtualization Defined
Chapter 2: Cloud Computing Defined

Part II: Smash the Virtualized Stack
Case Study: Own the Virtualized Enterprise
Chapter 3: Subvert the CPU & Chipsets
Chapter 4: Harass the Host, Hypervisor, Virtual Networking & Storage
Chapter 5: Victimize the Virtual Machine
Chapter 6: Conquer the Control Plane & APIs

Part III: Compromise the Cloud
Case Study: Own the Cloud for Fun and Profit
Chapter 7: Undermine the Infrastructure
Chapter 8: Manipulate the Metastructure
Chapter 9: Assault the Infostructure

Part IV: Appendices

We’ll have a book-specific site up shortly, but if you’d like to see certain things covered (technology, operational, organizational, etc.) please let us know in the comments below.

Also, we’d like to solicit a few critical folks to provide feedback on the first couple of chapters. Email me/comment if interested.


/Hoff, Craig and Rich.

Reblog this post [with Zemanta]
  1. January 30th, 2010 at 06:17 | #1

    Outstanding! This is one I'll put on my Amazon wishlist, and not (only) as an e-book.

    Among the topics I'd really like to see the three of you address is the likely changes we'll see in virtualized network appliances, both in response to the changes in infra- and info-structure, but also as a 'liberation' from hardware … what might one do with virtual appliances that would be unthinkable, unaffordable or impractical with physical boxes? As examples, I think of:

    – the 'scalable' firewall — scale up and scale out in response to types of attacks.

    – the 'firewall squadron' — functionally specialized v-appliances, called into service on-demand

    Independent of the future of virtual network appliances, your take on the future of network forensics in an age of virtualization and cloud would be very enlightening. As far as I'm concerned, we've never really had 'real-time' network forensics. Does the virtualized datacenter and 'cloud' offer up both more urgent demand for realtime forensics AND more practicable solutions for realtime?


    = Rich

  2. Doug Neal
    January 30th, 2010 at 07:18 | #2

    Great idea. Something like this is sorely needed. Please make sure it is available on Kindle.

    I hope you will address the question of threats and mitigation when using techniques such as CohesiveFT's VPN3, Amazon's VPC, and Google's SDC.

    There is also a need for practical guidance on how to be more aware of whether you have been hacked or not. And, how you should conceptualize and implement systems that can continue to function in spite of the hacking.

    Lastly, think about how you can make this book keep pace with the changes of the next several years. Consider not just an online version, but some kind of online diagnostics and forums.

  3. Vanessa Alvarez
    January 30th, 2010 at 07:31 | #3

    Since there has been so much talk around IT "going away", I think it makes sense (if not included somewhere in these sections already) to discuss just how the role of sec folks evolve as we move into a more dynamic environment. What "new" skills are needed? What other areas (outside sec) need to be understood? What groups within org need to work together? We know what a challenges it has been to have netops/sec work together. Cloud computing drives not only technological change, but also organizational and will be necessary to have all parts of org on board.

    Just my 2 cents…

  4. January 30th, 2010 at 08:01 | #4

    Looks Great /Hoff. I hope there is one Hacker's Challenge Series related to Cloud comes up after this :-).

  5. January 30th, 2010 at 13:07 | #5

    I would include some material on the government and the big push they have on moving toward a cloud computing platform. I'd love to preview or review anything you include in the book. This one is definitely going to end up on my bookshelf.

  6. Dan Jones
    January 30th, 2010 at 14:09 | #6

    I would like to see more on interaction with the virtual environment and existing production networks. We have seen a disconnect between the network shop managing the production network and the VMware folks maintaining management of the virtual switches. It causes a need to just trunk everything down to the VMWare environment (something I said was a bad idea) but problems still pop up. We call know network shops are always dealing with updates and design issues to mitigate announced security issues but how does that translate to the VM environment?

  7. January 30th, 2010 at 13:37 | #7

    I’d include a chapter on exploiting the complexity of the system. The design philosophy of simpler being better will be increasingly important as all the parts necessary to support the operation of a cloud as well as what operates inside of the cloud create unanticipated vulnerabilities.

    And it needs more squirrels.

  8. January 31st, 2010 at 03:42 | #8

    Looks like a good outline, Hoff. A few things I think would be good to see:

    1. How VDI changes the existing desktop imaging/maintenance model for better and worse, from a security and compliance perspective.

    2. How change control and config mgmt become more critical than ever in a virt environment.

    3. A discussion of attack vectors is a good idea, in general, around Type I and II hypervisors. For example, how exploiting Hyper-V could be as simple as exploiting Win2k8.

    Looks good. Also, I see you have a chapter focused on chipset/CPU exploitation. Another place where it always seems to be much easier *described* versus actually exploited – talking about tools like Blue Pill and whether they are really detectable or not (practically, as in file integrity monitoring types of detection, and via other, more obscure methods like timing discrepancies, etc). In fact, given the degree of hype around what I would generally consider hypothetical attacks, or those not wholly feasible in 99% of practical attack scenarios, it'd be good to bring a dose of reality to the whole thing.


  9. January 31st, 2010 at 04:26 | #9

    I would love to see the different ways you can mess up governance and operations. As you know, I have a few ideas along those lines … 😉

    With three such incredible authors, it's bound to be good either way!

  10. January 31st, 2010 at 08:29 | #10

    Would be delighted/honored to look at early chapters if it would be of help.

  11. Mat Miehling
    January 31st, 2010 at 09:34 | #11

    This looks like it’s going to be a great title! If you’re looking for reviewers, I’d be happy to review it, and could probably get a few other in my research group as well 🙂

  12. Jeff Murri
    January 31st, 2010 at 16:57 | #12

    How about best practices as far as protecting a virtual infrastructure (and of course how to get around it)?

    For instance, do you setup separate VLANs for administration, actual talk to the VM's (doesn't VMWare use tagging only at Layer 3?), etc., or do you go physically separate networks (so you can separate admin, talk to VM's themselves and possibly iSCSI via NICs on blades) with a firewall sitting at the head of the admin network only allowing certain subnets or IPs to even get thru? What are the pluses and minuses of each and how would you own each?

    Should a normal old Joe in accounting be able to hit a management server?

    As far as cloud stuff, if you didn't mention the raw CPU goodness you can get from a provider like Amazon's big farm for things like building hash tables, etc…..

    Just thoughts…

  13. Jeff Murri
    January 31st, 2010 at 17:14 | #13

    Oh, and I'd be glad to review if needed…

  14. Christiaan Beek
    January 31st, 2010 at 19:39 | #14

    I think this would be a great book, some topics I would like to see, but could also be a follow up 😉

    – incident handling/forensics on virtual environments

    – virtual appliances '(security) pro's and con's (four horsemen talk)

  15. Mortman
    February 1st, 2010 at 02:44 | #15


    Yeah what she said :-). And you know I"m happy to review.

  16. February 1st, 2010 at 14:34 | #16

    I would love to see more about PaaS/Saas providers.

  17. February 4th, 2010 at 23:48 | #17

    wud be glad to provide feedback on some of the chapters.


  18. February 6th, 2010 at 15:40 | #18

    Great Topic

    One Topic maybe is it better for the Security if I use some OpenSource Hypervisor like XEN or KVM. Also KVM looks very promising because with KVM every Guest is now a process and it’s much easier to provide Security like SELinux to this processes. Is that true? Maybe a comparison Securitywise of some Standardinstallations ( Vsphere 4 , Xenserver, Hyper-V, RHEV )
    Also with new SR-IOV there maybe some more Securityproblems..

    Maybe a bestpractice for a secure Virtualisation Enviroment.

    wud be glad to provide feedback on some of the chapters too.

  19. Deb Banerjee
    February 7th, 2010 at 06:55 | #19

    There a rich set of info-sec practices developed for on-premise/physical infrastructures. These include asset management, configuration management, vulnerability assessment in addition to traditional IPS/IDS technologies. Differences in cloud infrastructure(virtualization, multi-tenancy, loss of visibility) require these techniques to evolve. That discussion would be useful for on-premise info-sec practitioners.

  20. Jamison
    February 9th, 2010 at 03:50 | #20

    Many regulations require physical separation for information assurance and security – especially in the public sector, but cloud computing and virtualization solutions rely on logical segmentation. I would like to see a section covering segmentation as a security control and its exploitation.

  21. February 12th, 2010 at 08:56 | #21

    I would enjoy participating in the early feedback, if that would be useful to you. @ryanlrussell

  22. Jonathan Harvey
    February 13th, 2010 at 12:39 | #22

    I am a business student at Harris-Stowe State University in St. Louis, MO. I am apart of a research team that is working on cloud computing. The scope of my research is to find information pertaining to, "blue pill" and "redwood". Also I am focusing on any U.S. Risk and Assessment White Papers and Reports that address Cloud Computing or Virtualization, as well as security risks associated with multitenancies. If you lead me in the right direction or provide me with any information that would assist me in my research I would greatly appreciate it.

    Thank You,

    Jonathan Harvey

    Business Administration Student

    Harris-Stowe State University Busch School of Business

  23. March 16th, 2010 at 04:31 | #23

    I'm working for a client how wish to embed security into VMware … I'm searching for real and sharp technical arguments how will make them understand that it's clearly not the right solution.

    This book could be my holy grail.

    Thanks by advance.

  24. Daniel Jeffrey
    October 5th, 2010 at 12:45 | #24

    Excellent series of books and especially looking forward to this version. Currently doing MSc dissertation on cloud security so would love to critically analyse a few chapters.

    Thanks and look forward to it!!

  25. Ch@ZZbr0
    February 5th, 2012 at 09:41 | #25

    Did anything ever come of this? Or was it “overtaken by events?”

  26. March 27th, 2012 at 12:36 | #26

    When is this book due out? I saw a publish date of Dec 2011 on http://www.powells.com/biblio?isbn=9780071664691,
    called McGrawHill and they said it wasn’t due for publish and release until Dec 2013????maybe 2014….

  1. January 30th, 2010 at 10:08 | #1
  2. January 30th, 2010 at 16:35 | #2
  3. April 21st, 2010 at 14:08 | #3