On 13 November 2010 01:50, Chet Langin <clan...@siu.edu> wrote:
> -----Original Message-----
> <snip>
>>I have run OpenBSD in production on both VMWare server and ESXi.  It was
>>the only machine facing the Internet that the auditors had no findings on.
>>
>>--
>>
>>Edward Ahlsen-Girard
>>Ft Walton Beach, FL
>
>
>
> Which is good, but, then, it appears to me that VMWare and ESXi become
> comparatively weak links in the setup.

True.  Based on the research performed by Tavis Ormandy at Google [1],
the weakest virtual machine can become an entry point to then be used
to subvert the host server or other adjacent virtual machines.

So it seems to me that security in a virtualized environment is
limited to the combination of the security of the least secure exposed
VM and the security of the host.

Exploit a vulnerable VM and then its vulnerable host and you now own
all the VMs served by that host, including the OpenBSD ones.

If OpenBSD is not in control of ring zero, you lose.

Alas, sometimes we have no choice.


1. http://taviso.decsystem.org/virtsec.pdf


Shane
