David Larochelle on 9 Nov 2017 11:45:17 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] small business server virtualization?

On Wed, Nov 8, 2017 at 7:02 AM, Rich Kulawiec <rsk@gsp.org> wrote:

There's another factor to consider here as well: where do adversaries spend
their time and effort?  Probably not on lint or troff, because even if it
turns out there's a nasty bug in them, it's unlikely to yield useful results.
But a virtualization layer bug, now THAT would be worth a lot -- particularly
if it's exploitable from inside a virtual host.

If I were well-resourced $BADGUYS, I would have an entire team of people
working on this and little else: perhaps it has a low probability of success,
but it also has a very high reward.

You right that there's an incentive to find exploitable virtualization layer bugs but this cuts both ways.
At least these tools are being actively audited.  Obviously the absence of reported flaws doesn't mean that they don't exist however it does provide some baseline idea of the quality of the code.

As a thought experiment imagine that a gray hat researcher finds a zero day in a virtualization layer.  Their options are to 1.) publicize it for the reputational value, 2.) sell it on the gray market, 3.) use it to compromise systems,
1.) results in the vulnerability being fixed nearly immediately.

In case of 2 and 3, active exploitation of the zero day will eventually result in it being detected by others and publicized and fixed.  So the incentive is to conduct a high value attack or go after a high value target.  A small business probably isn't worth attacking since the attacker is risking the discovery of their zero day for comparatively small gain.

Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug