Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I actually use a setup that involves a bunch of VMs for pretty good separation. It's a bit of a complicated setup, so I won't elaborate here. The main thing about it, is that even if an attacker runs with root privs on the "anonymous" VM, they'll need a 0-day in the Virtualization engine itself to de-anonymize the machine. I make sure that the VMs are as isolated from the host machine as they can be, so the attack surface is indeed minimized to the VM engine itself. Some "VM busting" attacks did occur in the past, but I believe very few (if any) attacked the VM engine itself. Most used the wider attack surface provided by stuff like the "VMWare tools" API (which for "isolated" VMs should be disabled). Edit: come to think of it, I should probably write up my method and post it to HN at some point...


Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: