[BBLISA] noexec

Daniel Hagerty hag at linnaean.org
Fri Jan 25 17:59:51 EST 2008


Tom Metro <tmetro+bblisa at vl.com> writes:

> The other issue to raise in this thread is that it feels a bit 
> antiquated to be imposing these kinds of restrictions on users of a 
> system. If they are really that untrustworthy, then they would be better 
> served being boxed off in a virtual machine. Then you can impose disk, 
> memory, network, and other restrictions on the entire VM.

    Virtualization is a good tool for getting better utilization out
of existing resources and otherwise making one computer pretend to be
many.

    Virtualization as a security tool is currently more marketing than
fact.  "Bad guy must learn new ways of breaking the container" does
not mean "bad guy can't break the container".  Virtualization has a
long way to go, including hardware changes, before it approaches the
latter.

    For example, Xen will allow the system administrator to give a
domU direct control of PCI devices, like a network card.  Network
cards have DMA engines on them.  DMA engines have unfettered access to
all host memory.  I'll let you fill in the blanks for what capabilities
this implies for root on this domU.


    History has shown that retrofit virtualization systems have a tall
hill to climb when presented with one of the virtualizees being
hostile.  Research on the current generation of technology, both on
the attacker's side, and the defender's side, is still in its infancy.
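
An audit sketch for the PCI passthrough point above, added here as an example and not part of the original post: it lists which guests have been handed PCI devices so an administrator can review them. It assumes xl/xm-style guest configs with a `pci = [ ... ]` list; the guest names, sample configs and the operator-supplied `iommu_enabled` flag are hypothetical.

```python
import ast
import re

# PCI address at the start of a spec: "BB:DD.F" or "DDDD:BB:DD.F".
BDF = re.compile(r"(?:([0-9a-fA-F]{4}):)?([0-9a-fA-F]{2}):([0-9a-fA-F]{2})\.([0-7])")
# The pci = [ ... ] assignment, possibly spanning several lines.
PCI_OPT = re.compile(r"^[ \t]*pci[ \t]*=[ \t]*(\[.*?\])", re.S | re.M)


def passthrough_devices(config_text):
    """Return the PCI addresses a guest config hands to the guest, as DDDD:BB:DD.F."""
    text = re.sub(r"#[^\n]*", "", config_text)  # drop comments, incl. disabled pci lines
    found = []
    for m in PCI_OPT.finditer(text):
        for spec in ast.literal_eval(m.group(1)):
            bdf = BDF.match(str(spec).strip())
            if bdf:
                dom, bus, dev, fn = bdf.groups()
                found.append(f"{dom or '0000'}:{bus}:{dev}.{fn}".lower())
            else:
                found.append(f"unparsed:{spec}")  # surface it rather than hide it
    return found


def audit(configs, iommu_enabled):
    """Map guest name -> (devices, verdict) for guests that own PCI hardware.

    iommu_enabled is an assumption supplied by the operator (for example from
    the hypervisor boot log); this script does not detect it.
    """
    verdict = "DMA remapped by IOMMU" if iommu_enabled else "DMA reaches all host memory"
    report = {}
    for name, text in sorted(configs.items()):
        devs = passthrough_devices(text)
        if devs:
            report[name] = (devs, verdict)
    return report


# Constructed sample configs (hypothetical guests, not from the post).
SAMPLE = {
    "web1": "name = 'web1'\nmemory = 512\nvif = ['bridge=xenbr0']\n",
    "fw1": "name = 'fw1'\n# pci = ['02:00.0']\npci = [ '01:00.0',\n        '0000:01:00.1,permissive=1' ]\n",
}

if __name__ == "__main__":
    for guest, (devs, verdict) in audit(SAMPLE, iommu_enabled=False).items():
        print(f"{guest}: {', '.join(devs)} -> {verdict}")
```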