Which virtualization solution when security matters ?

PlatinumX · 10-14-2008, 07:37 AM

Hi all,

I know this topic is not directly linked to grsecurity.
However, it may interfere.

In the choice of KVM, Xen, Vserver, OpenVZ, QEMU, ... which virtualization solution would you choose when security matters ?

I don't know if one solution is providing more segregation between host and guest ?
Is one solution more robust when the guest has been conpromised ?

Thanks

unSpawn · 10-14-2008, 04:19 PM

Not an answer but maybe this could help you start reading:
http://www.cs.nps.navy.mil/people/fa...nix00-0611.pdf
http://www.offensivecomputing.net/files/active/0/vm.pdf
http://www.vmware.com/security/advis...2007-0006.html
http://invisiblethings.org/papers.html

salasi · 10-15-2008, 02:29 AM

There is an argument from Green Hills http://www.ghs.com/products/rtos/integritypc.html that their hypervisor solution is architecturally better from the point of view of security. My opinion is that this argument may be true but, in the abscence of a developed infrastructure of hypervisor exploits it is impossible to say how significant this architectural detail is (compared, let's say, to implementation details).

In any case, you probably need to look at it, if security is your overriding concern.

PlatinumX · 10-19-2008, 08:58 AM

At first glance, Vserver sounds good.
It is about "security context".

Moreover, in addition to release their own vserver patch for Linux kernel, they release a "combo" patch:vserver+grsecurity.

Seems security is their point.

unSpawn · 10-21-2008, 02:01 PM

Quote:

Originally Posted by PlatinumX

It is about "security context". (..) Seems security is their point.

If you say it like that the phrase caveat emptor comes to mind. As you defined "advertised" as having "more segregation" and being "more robust" (just trying only to create enough doubt necessary for discussion) just because it says so on the package, what guarantees do you have that it "works as advertised"?.. (any CVE/NVD/OSVDB entries?)

PlatinumX · 10-29-2008, 07:40 AM

You are right, I don't know about the quality of the implementation of Vserver.

But when you talk about the design itself, it seems Vserver takes the security (I mainly mean segregation of applications and network) well into account.

It is purely subjective, I agree.
But I am not able to find any contest between Vserver and OpenVZ (both are containers)clearly pointing the advantage and drawback of each other.