[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Which virtualization is the best for Debian?

On Thursday 21 January 2010 00:47:28 Sthu Deus wrote:
> Thank You for Your time and answer, Boyd:
> >VServer and OpenVZ requires the guests to know they are running in a
> >virtualized environment, since they share a kernel with the host.  They
> > don't support unmodified guest OSes.
> In case of guest crack - will the attacker identify that he is in the
>  virtual environment?

If the attacker gets shell access, they should be able to identify that they 
are in a VServer/OpenVZ environment.  It needn't be root.

Similarly, a modified guest OS or simply one with the "guest utilities" (e.g. 
VMWare Guest Extensions for MS Windows or Novell's Virtual Machine Driver Pack 
for MS Windows etc.) installed should be recognizable to a user that looks 
hard enough.

If you are using an unmodified guest OS, it is harder, but there are some 
signs an attacker can look for.  Mainly, using root permissions to probe 
identify hardware and then matching the missing/virtualized/emulated hardware 
to the virtualization technology.

> >The KVM kernel module does that, and more, through
> >the use of the VT extensions.
> What do You think makes more overhead comparing KVM and Xen?

In particular, Qemu (and similar) present the guest with a emulated video card 
and can also emulate a number of other devices.  With Xen, the guests don't 
have a video card etc. unless you use PCI passthrough, and then the host loses 
access to that device, at least for the duration of the passthrough.

Qemu and similar started from total isolation (the guest fully emulated as a 
non-privileged processes) and have been gradually adding features that 
increase speed through virtualization/passthrough technologies while still 
keeping an eye on isolation.
Boyd Stephen Smith Jr.           	 ,= ,-_-. =.
bss@iguanasuicide.net            	((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy 	 `-'(. .)`-'
http://iguanasuicide.net/        	     \_/

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to: