On 12/27/10 05:34, Orvar Korvar wrote:
> Ok, so virtual machines for x86 (VirtualBox, VMware, etc) do not 
> necessarily give you additional security. "Security by virtualization is a 
> failure":
> http://www.serverwatch.com/tutorials/article.php/3905096/Use-Virtual-8086-Mode-to-Secure-Virtual-Servers.htm
> I wonder, how does the Solaris Zone VM model compare to these? Can you use 
> the same type of exploit on Zones? Are Zones vulnerable to what he talks of, 
> are Zones more secure? Or, are all VMs insecure, no matter what model?

It's a completely different model.  It doesn't actually run an OS
instance on top of another instance, and "Virtual 8086 Mode" has nothing
to do with it at all.

Instead, you can think of zones as being like an extended UID plus
chroot and networking features.  In the same way that UIDs and PIDs keep
processes separate, zone IDs keep the per zone processes and data separate.

It's still a single instance of a kernel.  Again, it's not multiple OSes
run one atop another (as you see with VirtualBox, VMware, Xen, et
cetera).  All of the processes still run on the same system.  (And
that's why you can't have your zones at different kernel patch levels.)

It's at least as secure as allowing multiple users in chroot jails on
the same system, and actually more so, because of the way Least
Privilege is used to prevent escalation.  Even if a user gets ahold of a
setuid binary, he can only make himself UID 0 inside the same zone, and
he still can't touch the kernel.

As for that article, I'm sure Oracle will have some sort of answer, but
I'd just say this: all systems have bugs.  Whether those bugs allow
exploits or not -- and if so, what sorts of exploits -- is extremely
difficult to determine.  So, you have to keep the software up to date
and make sure you're running on a platform that's actively maintained.

If you're looking for a magic bullet, the answers are simple.  For a
single system, turn it off.  For a network, you can always run with

> BTW, my original plan does not work. I have SunRay clients, which means I 
> cannot shut down the global zone's NIC - because then the SunRay will stop 
> functioning. I must somehow separate the local zones' traffic from the global 
> zone's traffic. 

I have no clue about SunRay (and I dunno who might), but I think the
simplest configuration by far is to set up the shared IP stack model for
your zones and assign each zone an address in the same subnet as the
global zone.  Implement any security you need at a higher level -- using
IPsec, SSL, or other such protocols.

Don't forget that with security, simple is usually better.  Complex
answers tend to be the ones that are hard to configure properly and thus
are often done wrong.

But good luck.

James Carlson         42.703N 71.076W         <carls...@workingcode.com>
zones-discuss mailing list
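The shared-IP configuration James recommends above (each zone on the global zone's NIC, with an address in the global zone's subnet), written out as zonecfg(1M) commands. This is an added example, not code from the thread: the zone name, zonepath, addresses and NIC name are constructed placeholders, and the subnet check assumes a /24.

```shell
#!/bin/sh
# Added example: generate a zonecfg(1M) command script for a zone on the
# shared IP stack, reusing the global zone's NIC and subnet.  Every value
# below (zone name, zonepath, addresses, NIC) is a constructed placeholder.

# Emit zonecfg commands for a shared-IP zone.
# $1 zone name, $2 zonepath, $3 zone address (CIDR), $4 global zone's NIC
gen_shared_ip_zonecfg() {
    printf 'create\n'
    printf 'set zonepath=%s\n' "$2"
    printf 'set ip-type=shared\n'      # shared stack, not exclusive-IP
    printf 'add net\n'
    printf 'set address=%s\n' "$3"     # address the zone will own
    printf 'set physical=%s\n' "$4"    # same datalink the global zone uses
    printf 'end\n'
    printf 'commit\n'
}

# Return 0 when two CIDR addresses fall in the same /24, else 1.
# Assumes a /24 subnet, the size used by this constructed example.
same_v24_subnet() {
    a=$(printf '%s' "$1" | cut -d/ -f1 | cut -d. -f1-3)
    b=$(printf '%s' "$2" | cut -d/ -f1 | cut -d. -f1-3)
    [ "$a" = "$b" ]
}

# Constructed values: global zone at 192.0.2.1/24 on e1000g0.
GLOBAL_ADDR=192.0.2.1/24
ZONE_ADDR=192.0.2.11/24

# Only emit the script when the zone address really is in the global
# zone's subnet; otherwise the "same subnet" advice is not being followed.
if same_v24_subnet "$GLOBAL_ADDR" "$ZONE_ADDR"; then
    gen_shared_ip_zonecfg web1 /zones/web1 "$ZONE_ADDR" e1000g0
    # Save the output to a file and apply it on the host with:
    #   zonecfg -z web1 -f <file>
fi
```

Traffic between the zone and the outside world then shares the global zone's link, so any isolation beyond what the kernel's zone boundary gives you has to come from IPsec or TLS, as the message says.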
