On 12/27/10 05:34, Orvar Korvar wrote:
> Ok, so virtual machines for x86 (VirtualBox, VMware, etc) do not
> necessarily give you additional security. "Security by virtualization is a
> failure":
> http://www.serverwatch.com/tutorials/article.php/3905096/Use-Virtual-8086-Mode-to-Secure-Virtual-Servers.htm
>
> I wonder, how does the Solaris Zone VM model compare to these? Can you use
> the same type of exploit on Zones? Are Zones vulnerable to what he talks of,
> are Zones more secure? Or, are all VMs insecure, no matter what model?
It's a completely different model. It doesn't actually run an OS instance on top of another instance, and "Virtual 8086 Mode" has nothing to do with it at all. Instead, you can think of zones as being like an extended UID plus chroot and networking features. In the same way that UIDs and PIDs keep processes separate, zone IDs keep the per-zone processes and data separate. It's still a single instance of a kernel. Again, it's not multiple OSes run one atop another (as you see with VirtualBox, VMware, Xen, et cetera). All of the processes still run on the same system. (And that's why you can't have your zones at different kernel patch levels.)

It's at least as secure as allowing multiple users in chroot jails on the same system, and actually more so, because of the way Least Privilege is used to prevent escalation. Even if a user gets hold of a setuid binary, he can only make himself UID 0 inside the same zone, and he still can't touch the kernel.

As for that article, I'm sure Oracle will have some sort of answer, but I'd just say this: all systems have bugs. Whether those bugs allow exploits or not -- and if so, what sorts of exploits -- is extremely difficult to determine. So, you have to keep the software up to date and make sure you're running on a platform that's actively maintained.

If you're looking for a magic bullet, the answers are simple. For a single system, turn it off. For a network, you can always run with scissors.

> BTW, My original plan does not work. I have SunRay clients, which means I can
> not shutdown the global zone's NIC - because then the SunRay will stop
> functioning. I must somehow separate local zones traffic, from the global zone's
> traffic.

I have no clue about SunRay (and I dunno who might), but I think the simplest configuration by far is to set up the shared IP stack model for your zones and assign each zone an address in the same subnet as the global zone. Implement any security you need at a higher level -- using IPsec, SSL, or other such protocols.

Don't forget that with security, simple is usually better. Complex answers tend to be the ones that are hard to configure properly and thus are often done wrong.

But good luck.

-- 
James Carlson 42.703N 71.076W <[email protected]>
_______________________________________________
zones-discuss mailing list
[email protected]
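The shared-IP configuration suggested above, written out as an added example (this is not James Carlson's code, nor anything from the thread or from Oracle's documentation). The zone name web1, the zonepath /zones/web1, the NIC e1000g0 and the address 192.168.1.50/24 are assumptions for illustration; substitute the global zone's actual NIC (dladm show-link) and a free address in its subnet. With ip-type=shared the zone gets a logical interface on the global zone's NIC, so the global zone's own address, and the SunRay traffic on it, are left alone.

```shell
#!/bin/sh
# Added example of a shared-IP zone living in the global zone's subnet.
# All names below are assumptions, not values from the mailing-list thread:
#   web1             hypothetical zone name
#   /zones/web1      hypothetical zonepath
#   e1000g0          the global zone's NIC (check with `dladm show-link`)
#   192.168.1.50/24  a free address in the global zone's subnet
ZONE=web1
ZONEPATH=/zones/web1
NIC=e1000g0
ADDR=192.168.1.50/24

# Emit the zonecfg(1M) command file for a shared-IP zone.  Setting
# ip-type=shared makes the zone borrow the global zone's IP stack; the
# "add net" resource gives it its own address on the same physical NIC.
zonecfg_script() {
    cat <<EOF
create
set zonepath=$ZONEPATH
set ip-type=shared
add net
set address=$ADDR
set physical=$NIC
end
verify
commit
EOF
}

# Feed the command file to zonecfg, then verify and install the zone.
# Must be run as root in the global zone.
configure_zone() {
    tmp=$(mktemp) || return 1
    zonecfg_script > "$tmp"
    zonecfg -z "$ZONE" -f "$tmp"
    rm -f "$tmp"
    zoneadm -z "$ZONE" verify
    zoneadm -z "$ZONE" install
}

# Checks to run after `zoneadm -z web1 boot` and `zlogin web1`:
#   zonename       prints the zone name rather than "global"
#   ppriv -S $$    prints the shell's privilege sets; inside a non-global
#                  zone the limit set omits kernel-affecting privileges such
#                  as sys_config, which is what keeps an in-zone UID 0 away
#                  from the kernel
in_zone_checks() {
    zonename
    ppriv -S $$
}

# Print the generated command file when asked; never runs zonecfg by itself.
case "${1:-}" in
    --print) zonecfg_script ;;
esac
```

Run `sh shared-ip-zone.sh --print` to review the generated zonecfg command file before calling configure_zone on the global zone; because zonecfg reads it with -f, the same file can be kept under version control alongside the rest of the host configuration.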
