Google investigates security vulnerabilities of popular virtualization platforms

Google is one of the few big IT vendors that hasn’t embraced hardware virtualization so far. They have their good reasons.
But this doesn’t imply that the company doesn’t track the trend, doesn’t acquire an application virtualization startup, or doesn’t have insights about the technology to share.

On the corporate blog dedicated to security, Tavis Ormandy, Information Security Engineer at Google, expressed his skepticism that a virtualization platform can be bug-free:

As with any complex application, it would be naive to think such a large codebase could be written without some serious bugs creeping in. If any of those bugs are exploitable, attackers restricted to the guest could potentially break out onto the host machine…

Ormandy also published a 10-page whitepaper describing his attempts to break the security of popular virtualization platforms, including commercial and open source ones like VMware Workstation and Server, Xen, QEMU-based platforms (KVM, VirtualBox), Bochs and others.
(The analysis also includes two other commercial platforms not mentioned by name. Reading the paper, it’s easy to guess which ones they are.)