Friday, September 28, 2007

Thomas Ptacek on DMA, Virtualization, and Nate Lawson

Thomas Ptacek makes an important comparison between network security and memory/hardware resource allocation, especially in terms of virtualization. This is an excellent follow-up to Nate Lawson's posts that I mentioned earlier today. From Thomas' post:
"In 5 years, nobody will deploy new servers for applications. Every application will run on a virtual machine. Inevitably. And as we approach this end-state, more and more of our applications are virtualized, and performance becomes a bigger concern....

[There] is a hole in the X86 VMM security strategy. Today, if you want your guest VMs not to have to trust each other, and one of them needs direct access to NIC, you have to trust that the NIC can’t be coerced into copying network packets with executable code directly into the kernel memory of the other machines....

You only need to read Nate’s posts if you (a) believe virtualization will be ubiquitous within the next 5 years, (b) work in security, and (c) believe you need to sound like you know what you’re talking about. Otherwise, Nate’s posts are entirely optional."
So, now you know why you need to read Nate’s posts, right?
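The hole Thomas describes is a device with unrestricted DMA reaching the memory of a guest it should not be able to touch; the platform-level mitigation is an IOMMU (Intel VT-d, AMD-Vi) that remaps device DMA so a passthrough NIC can only write into the pages assigned to its own guest. The script below is an added example written for this page, not code from Thomas Ptacek's or Nate Lawson's posts. It assumes a Linux host where sysfs exposes `/sys/kernel/iommu_groups` when DMA remapping is active and where the kernel command line in `/proc/cmdline` carries the real `intel_iommu=on`, `amd_iommu=on` or `iommu=` parameters; the `SYSFS_ROOT` variable is an assumption of this example so the check can be run against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the quoted posts): report whether a Linux host has
# DMA remapping active, i.e. whether passthrough devices are confined by an
# IOMMU rather than free to write anywhere in physical memory.
# SYSFS_ROOT (assumed name, default "" = the live system) lets the functions
# be pointed at a constructed tree for testing.

# iommu_group_count ROOT: print the number of IOMMU groups found under
# ROOT/sys/kernel/iommu_groups; 0 when the directory is absent, which is
# what an unisolated host (no IOMMU, or IOMMU disabled) looks like.
iommu_group_count() {
    dir="$1/sys/kernel/iommu_groups"
    if [ ! -d "$dir" ]; then
        echo 0
        return 0
    fi
    n=0
    for g in "$dir"/*; do
        [ -d "$g" ] && n=$((n + 1))
    done
    echo "$n"
}

# cmdline_requests_iommu FILE: exit 0 if the kernel command line stored in
# FILE asks for the IOMMU to be turned on (intel_iommu=on, amd_iommu=on,
# or iommu=on|pt|force), exit 1 otherwise.
cmdline_requests_iommu() {
    grep -Eq '(^|[[:space:]])(intel_iommu=on|amd_iommu=on|iommu=(on|pt|force))([[:space:]]|$)' "$1"
}

# dma_isolation_status ROOT: print "isolated" when at least one IOMMU group
# exists, "unisolated" otherwise.
dma_isolation_status() {
    if [ "$(iommu_group_count "$1")" -gt 0 ]; then
        echo isolated
    else
        echo unisolated
    fi
}

# Stand-alone usage: inspect the live host.
ROOT="${SYSFS_ROOT:-}"
echo "IOMMU groups present: $(iommu_group_count "$ROOT")"
if cmdline_requests_iommu "$ROOT/proc/cmdline" 2>/dev/null; then
    echo "kernel command line requests the IOMMU"
else
    echo "kernel command line does not request the IOMMU"
fi
echo "DMA isolation for passthrough devices: $(dma_isolation_status "$ROOT")"
```

Run it as root or any user on the hypervisor host; "unisolated" together with a command line that does not request the IOMMU means any device handed directly to a guest is trusted with the whole machine's memory, which is exactly the trust Thomas says the X86 VMM strategy currently forces on you.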

