In the last five years, virtualisation software has been massively adopted by companies as a means to reduce costs, achieve instant scalability and possibly improve their security through isolation. Recent numbers indicate that 78 per cent of companies have their production servers virtualised, and 20 per cent of them rely only on virtualised servers. At the same time, security auditing of such software poses unique challenges, in particular when it comes to dynamic testing. In this presentation, I describe a methodology for the security assessment of virtualisation software, based on switching the CPU mode to virtual 8086 mode in order to get access to the (possibly virtualised) hardware, that aims at being both generic (applicable to both x86 and x64 architectures) and extremely large in terms of code coverage. I have implemented this technology in the form of a dynamic testing tool, which has proved to be very efficient in finding bugs in virtualisation software.