Readers email me frequently with virtualization questions asking for advice or how to solve problems in their virtual environments. Each week I'll share some select questions and my answers so that others can learn as well. If you have your own question, fill out this form and I'll publish it in an upcoming column.
The first several questions come from a student at Carnegie Mellon who is writing a thesis on security and virtualization. He writes:
One of the sections in my thesis is a study comparing VMware (ESX and ESXi) and Xen regarding reported common vulnerabilities and exposures. I found out that Xen has around 200,000 lines of code, but I can't find the same information for VMware. Do you know how many lines of code each product has?
I've never seen VMware officially announce this but according to a blog post I read, ESX has around 150,000 lines of code. This is probably just the VMkernel, which is the core of the hypervisor, and does not include the service console. With the vSphere release this number has probably greatly increased as many new features were added.
Are the cores of VMware ESX and VMware ESXi the same? May I assume a bug reported for ESXi is also present on ESX?
Yes, the VMkernel components of both ESX and ESXi are identical. What differs between the two is the management console. ESX uses a larger service console, which is just a privileged virtual machine (VM) running a modified version of Red Hat Linux. ESXi drops the service console and uses a much smaller POSIX-based management shell instead.
If a bug report concerns the management console it will be specific to either ESX or ESXi; bug reports for the VMkernel will apply to both ESX and ESXi. VMware's security advisories list the affected products and versions individually, so check that list for each CVE rather than assuming.
Do you think it is fair to compare VMware ESX with Xen, or should I compare Xen with ESXi?
It is a fair comparison. Both ESX and XenServer are bare-metal hypervisors, meaning an underlying operating system is not required to install them onto a server. XenServer is probably the closest competitor to ESX as far as maturity and features; Hyper-V is the new kid on the block and lags behind, but it could also be considered a competitor to ESX.
What is your opinion regarding Blue Pill? Do you think it died in 2007, as I've read in many places? Did VMware do something regarding that subject? Do you think Trusted Platform Module specifications could solve these kinds of problems?
The Blue Pill rootkit was essentially a virtual machine monitor that took advantage of the hardware virtualization extensions added to newer processors (AMD's SVM in the original 2006 demonstration) to insert itself between the hardware and the operating system, making it undetectable by the operating system it had moved into a guest. This type of theoretical attack targets a regular operating system like Microsoft Windows, not a hypervisor like ESX.
Even if a VM were compromised by this type of attack, the architecture of the bare-metal hypervisor would not allow it access to the host server, and from there to other VMs: the hypervisor, not the guest, owns the virtualization extensions, so a Blue Pill-style monitor loaded inside a guest has nothing to slip beneath except that guest. A hosted hypervisor, however, like VMware Workstation, is another matter and is more vulnerable to attacks because it runs on top of a general-purpose operating system that could itself be pilled. VMware addressed the theoretical Blue Pill attack by providing its own information challenging the Blue Pill concept and basically saying VMware was not vulnerable to it. Check out VMware's responses: I spy a Blue Pill: detecting the theoretical rootkit, Debunking Blue Pill myth, and Virtual rootkit targets OS, not virtual machines.
Eric Siebert is a 25-year IT veteran with experience in programming, networking, telecom and systems administration. He is a guru-status moderator on the VMware community VMTN forums and maintains VMware-land.com, a VI3 information site.
This was first published in September 2009