[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.64.0708272205400.17192@AncHm-1.nevaeh-linux.org>
Date: Mon, 27 Aug 2007 22:22:08 -0800 (AKDT)
From: Arthur Corliss <corliss@...italmages.com>
To: Ken Kousky <kkousky@...inc.com>
Cc: bugtraq@...urityfocus.com
Subject: RE: VMWare poor guest isolation design
On Sat, 25 Aug 2007, Ken Kousky wrote:
> I'm trying to understand how the vm actually prevents the buffer overflow
> from injecting code that has direct hardware control? It seems that the code
> injected into memory should be truly "arbitrary code" based on the physical
> machine.
First off, you need to understand what a buffer overflow is -- in most cases
it's not an attack on the hardware, it's an attack on the process. Which is
usually running in its own protected address space.
In short, vms don't alleviate or protect you from buffer overflows (crap
code is still crap inside of a guest), but running a service in a dedicated
vm versus on a host with other concurrent services reduces the information
leakage should the service be subverted. That's all.
--Arthur Corliss
Live Free or Die
Powered by blists - more mailing lists