Local Zone Security

[neuralnode]

Hi All,

A friend of mine has suggested recently that since the Solaris zone feature relies on software-level isolation (as opposed to hardware-level isolation, as with AIX LPARs), then it is theoretically possible to break out of the local zone to the global zone.

My question is: has anything like that been ever reported?
Has anyone ever managed to hack themselves out of the local zone?
Is it even realistically possible?

Thanx in advance for the enlightenment.

--

 

[blarneyme]

Q1) Has it ever been reported?
A1) I have never heard of a Solaris Zone being escaped from.

Q2) Has anyone managed to hack out of a local zone?
A2) See A1.

Q3) Is it possible?
A3) Possibly. Developers still can't write secure software (look at US-CERT vulnerabilities), so you think they can begin writing secure virtualization software?

If you are concerned then use Logical Domains (similar to AIX DLPAR's). As a side note, Solaris Zones are similar to AIX WPAR's.

Or find yourself and old Sun Fire e2900 and use fault-isolated hard partitions which are secure.

BTW, I think your friend reads to much Internet fluff.

 

[neuralnode]

Thanx blarneyme for your comments.

I must clear out one thing: I am very far from being paranoid about Solaris zones security, and in fact I'm very skeptical as to my friend's claims. Yet I wanted to ask the Forum if there has ever been any confirmed example of zone break (which I doubted from the very beginning).

--