VMware vulnerabilities survey

Most software is affected by security vulnerabilities of one kind or another. Classifying vulnerabilities into types eases impact analysis by providing a common framework for reasoning about them. Virtualization products abstract away the details of the physical hardware and let users install multiple virtual machines on it. Users of virtualization often forget or ignore that this additional software layer exposes them to additional attack vectors and potential vulnerabilities. In this paper, we analyze the known vulnerabilities for VMware, a well known virtualization product.

Check the Full Paper:


Containers vs Hypervisors (Overview)

Containers seem like an interesting technology for many virtualization and cloud scenarios, especially for hosting providers looking to support more virtual machines or service instances on a single physical host.

These are the main differences between containers and hypervisors, and the advantages of containers:

  • Physical resource usage and scheduling work better than on a hypervisor because there is only one kernel copy.
    • The same kernel serves all containers
      • Slightly different kernel versions can be used in the containers
    • OS virtualization instead of physical hardware virtualization
    • Only Linux is supported
  • Better for overcommitting than hypervisors
    • More containers on a single physical host
      • Fewer OS copies running
      • More profitable for companies serving hosted applications (SaaS or PaaS)
    • Faster reclaiming of memory and CPU from machines that are consuming resources guaranteed to other machines
      • Faster and more transparent than “ballooning” in VMware
      • The physical address space is shared by all the containers and handled by a single kernel
        • On a hypervisor you get one more layer
  • https://coreos.com/
    • Minimal Linux distribution compatible with containers
    • “CoreOS is designed to give you compute capacity that is dynamically scaled and managed, similar to how infrastructure might be managed at large web companies like Google.”
  • Very large companies like Google use containers and no hypervisors.
  • Solaris & AIX also have [incompatible] container technology.
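The “one kernel copy” point above is also the main security difference between the two models: every container runs on the host's kernel, so a single kernel patch (or a single kernel bug) applies to all of them, whereas each VM on a hypervisor carries its own kernel. The following added example, which is not part of the original post, shows how to confirm that from inside a process: it reads the kernel release with `uname -r` and classifies the process's `/proc/self/cgroup` listing. The sample cgroup listings embedded in the script are constructed for illustration, and the set of cgroup path names it recognizes (docker, lxc, kubepods, containerd, machine.slice) is an assumption, not an exhaustive list.

```shell
#!/bin/sh
# Added example, not from the original post. Shows why "one kernel copy" matters:
# inside a container, uname reports the HOST kernel, so one kernel patch (or one
# kernel vulnerability) covers every container on the machine at once.

# Return 0 if a /proc/self/cgroup listing looks like a container cgroup path,
# 1 otherwise. The recognized path names are an assumption, not an exhaustive list.
cgroup_looks_containerized() {
    printf '%s\n' "$1" | grep -Eq '/(docker|lxc|kubepods|containerd|machine\.slice)'
}

# Compare two kernel release strings (for example the host's and the one seen
# from inside a guest). "shared" means one kernel serves both, i.e. a container
# boundary; "separate" means a distinct kernel, i.e. a VM/hypervisor boundary.
kernel_boundary() {
    if [ "$1" = "$2" ]; then echo shared; else echo separate; fi
}

# Constructed sample: /proc/self/cgroup as seen from a Docker container (cgroup v1 style)
SAMPLE_CONTAINER='12:memory:/docker/0123456789abcdef
1:name=systemd:/docker/0123456789abcdef'
# Constructed sample: /proc/self/cgroup from a plain host login shell (cgroup v2)
SAMPLE_HOST='0::/user.slice/user-1000.slice/session-3.scope'

main() {
    kernel=$(uname -r)
    echo "kernel release seen by this process: $kernel"
    # /proc/self/cgroup only exists on Linux; elsewhere the listing is empty
    if cgroup_looks_containerized "$(cat /proc/self/cgroup 2>/dev/null)"; then
        echo "this process appears to run inside a container; $kernel is the host's kernel"
    else
        echo "this process does not appear to be in a container cgroup"
    fi
}

main "$@"
```

Run it once on the host and once inside a container on the same machine: the kernel release is identical in both places, which is exactly the shared attack surface the list describes. On a VM the release can differ from the hypervisor host's, because the guest boots its own kernel.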

I think it has some problems, though:

  • “Overcommitting” is bad for real-time applications, as events can be delayed and accumulate.
    • “James Bottomley” was really honest about this issue: “This is the way to cheat your customers”
  • The lack of “Windows OS” support can also be a problem for some people. It seems that only Linux distributions are supported.

If you can port to Linux and don’t have too many real-time restrictions, it looks promising.