Red Hat SELinux hacker Dan Walsh writes about Secure Virtualization
) on his web log. The basic idea is to leverage SELinux to isolate virtual machines from each other and from the host. "After virtualization, we have multiple services running on the same host. If a virtual machine is broken into, the cracker just needs to break though the hypervisor. If a hypervisor vulnerability exists, the cracker can take over all of the virtual machines on the host. He can even write into any virtual host images that are accessible from the host machine.
This is very scary stuff. The question is not 'if', but 'when'. Hacker/cracker conventions are already examining hypervisor vulnerabilities. Crackers have already broken though the xen hypervisor, as I documented in one of my previous blogs.
to post comments)