Subject: Re: /dev/random often empty
To: Greg Troxel <gdt@ir.bbn.com>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: port-xen
Date: 03/21/2007 21:26:36

This showed up on the cryptography mailing list -- we should think hard
about it for Xen environments.

Begin forwarded message:

Date: Tue, 20 Mar 2007 20:14:26 -0400
From: Dan Geer <dan@geer.org>
To: cryptography@metzdowd.com
Subject: virtualization as a threat to RNG



Quoting from a discussion of threat posed by software virtualization as
found in Symantec's ISTR:xi, released today:

> The second type of threat that Symantec believes could emerge is
> related to the impact that software-virtualized computers may have on
> random number generators that are used inside guest operating
> systems on virtual machines. This speculation is based on some
> initial work done by Symantec Advanced Threat Research in a paper
> on GS and ASLR in Windows Vista. This research showed that the
> method used to generate the random locations employed in some
> security technologies would, under certain circumstances, differ
> wildly in a software-virtualized instance of the operating
> system. If this proves to be true, it could have considerable
> implications for a number of different technologies that rely on
> good randomness, such as unique identifiers, as well as the seeds
> used in encryption.

--dan
