Machines that are physically connected to the public internet are going to share physical connections with classified networks.
* grin *
If the hacker owns the hypervisor, he/she owns all data traversing the hypervisor and is in a position to sample, redirect, or spoof anything. Without some form of fail-safe, guest operating systems would have no way of knowing they are running on a compromised platform. This “hyperjacking” scenario is particularly frightening if we consider large-scale virtualization platforms that offer 10, 50, even hundreds of hosted servers running on a single piece of hardware.
Have a nice day.
Via Wired:
U.S. Central Command has 14 different, physically separated networks. To get access to the info on all of ‘em, a military type needs as many as five different computers, sitting on his desk. But new software being tested by CENTCOM would enable a single computer to connect to all those networks at once — from the open internet to the top secret stuff. “If it proves secure, could save more than $200 million for CENTCOM,” UPI’s Shaun Waterman reports. And a ton of hassle, too.
But the best part of the project might be its acronym. The demonstration is called “One Box, One Wire” — OB1, for short. Use the Force, sysadmins!
The key to OB1, retired U.S. Air Force Gen. Eugene Habiger tells Waterman, is the “separation kernel,” a piece of software “guaranteed to keep the different networks separate.”
The software… creates “what we call security domains … in essence virtual machines or virtual servers … each one of them is impregnable. Even viruses that operate at the very deepest level of the operating system cannot get around the new software,” he said.
“We sit literally on the bare metal … on the microprocessor. What we create is a secure platform, and on top of that platform you can run Windows or Linux … inside of a securely separated domain, where … your top-secret or confidential corporate data … can be protected and cannot be accessed by an intruder” from any one of the other domains.
But isn’t that a huge security risk? The NSA apparently has tested the system out, and given OB1 its blessing.