Comments on: Fear for the Sake Of Fear? Hyper-Jacking Myths?
http://toutvirtual.com/blogs/2008/09/10/fear-for-the-sake-of-fear-hyper-jacking-myths/
Best Practices Guide to Virtualization - From Getting Started with Virtualization to Advanced Strategic Virtualization Concepts
Tue, 14 Feb 2012 19:37:56 +0000

By: SafeTinspector
Mon, 27 Jun 2011 20:39:40 +0000
http://toutvirtual.com/blogs/2008/09/10/fear-for-the-sake-of-fear-hyper-jacking-myths/comment-page-1/#comment-48900

“Hypervisors should be designed to never allow themselves to be executed by themselves in abstracted context.”

I know the article is a few years old now, but this one is out of the bag as VMWare partners are already offering this as a cloud deliverable… intentionally.

By: Schorschi
Tue, 28 Oct 2008 07:43:25 +0000
http://toutvirtual.com/blogs/2008/09/10/fear-for-the-sake-of-fear-hyper-jacking-myths/comment-page-1/#comment-12419

Actually, you just made the point for me. You do not hype Hyper-Jacking? Of course you don’t, because it is not, as yet, reality at all. I suggest that instead of you decrying what you don’t like in my blog versus what you think is better in your blog, you consider what is really going on, do some homework. I have never tried to compare my blog to anyone’s blog, I consider that bad form. Regardless of why or what you may think about my blog, the point is, many authors have been misleading about Hyper-Jacking, especially authors in so-called major publications. They should be more careful, and more accurate, as you have stated you are, in presenting real issues and real threats to the less technically oriented in the world?

For the record, C2 and C3 ratings are not lame or weak evaluations. Try developing a product and passing C2 review, it is not trivial nor lightweight. EAL is one thing, whereas C2 is another. Again, respectfully suggest some homework on your part.

By: Christofer Hoff
Mon, 27 Oct 2008 20:10:12 +0000
http://toutvirtual.com/blogs/2008/09/10/fear-for-the-sake-of-fear-hyper-jacking-myths/comment-page-1/#comment-12382

I don’t know which one of the blog entries in the group you were talking about when you referenced the “article” in question, so I can’t respond to your point directly.

However, this set of statements is hysterical:

“Unfortunately, this article is misleading. The key virtualization platforms that dominate the industry have been certified and vetted, against known methods and techniques, something this article, among others, never explains and thus never provides a balanced view of the issue. Of course, no one is secure against new techniques and methods, but this article does not explain that point well either, it raises questions, nothing more.”

Certified and vetted? Against known methods and techniques? Buahahaha. So, you’re referencing which certifications, exactly? Common Criteria? Up to EAL 4, perhaps? That’s not exactly difficult to achieve and doesn’t require semiformal or formal design verification, and they do NOT certify or vet that hypervisors cannot be subverted or that guests cannot escape.

And as far as vetting them against “known” methods, that’s hardly the issue when referencing on-going research that has shown recently that abuse of device drivers and DMA can lead to all sorts of exploits.

Further, if you read my blog or attended my presentations, you’d discover that I don’t hype hyperjacking or virtualization malware at all — just the opposite.

I presented both sides of the argument in the cited collection of blog pieces above. How you get fog/fud out of any of them is beyond me.
