(originally posted on Google+ 01/2018)
This week probably the biggest security problem of the modern IT age has come to light. Due to CPU design problems of Intel and other CPU vendors, it is possible to read the entire CPU memory via special faked CPU instructions. This is a major security problem because today’s operating systems (including VMware) cannot secure systems anymore. Any non-privileged application has total read access to the entire system memory. Some of the scenarios I can think about:
Virtual Server Solutions
Very often multiple servers are consolidated into a virtual machine using a hypervisor like VMware or HyperV. Now customers must assume that a single application running in one VM can read out the entire memory of each isolated VM running on the same server. Cloud VM server offerings are affected in a big way because one VM could read data from other VMs of different customers. Internal server virtualization is also affected. One solution to limit the security hole is to ensure that one physical host serves only a single customer’s VMs. Certainly the problem would still exist within that customer’s VMs, but at least other customer’s VMs cannot access your data.
Workstations (e.g. Windows, Mac, etc.)
As long as a physical workstation is dedicated to a single user and the user is allowed to see all data on this workstation, or the user has Admin access anyways, there is no direct problem. However, when software from other vendors is used or installed, it must be assumed that these additional tools/applications can read out the entire memory even when they don’t have administrative rights, which results in serious security problems. When such a workstation is connected to the Internet, suspect software can forward complete memory content to a remote site to analyze it and pull information out of it, including data, user names, passwords, keys, certificates, etc.
Servers
The same concerns as for workstations apply here. However, if only trusted software runs on a server, then there is no security problem deploying that physical server. Database, web servers, file servers, etc. can be assumed to be safe because they serve data only.
However, server sites allowing customers to install native software or to allow remote access via ssh, etc., which allows transferring and running software, must assume that these software (even with total restrictions) can read out all physical memory of the server.
Summary
I don’t see any solution until new processor generations address this design issue. In the meantime, it is only possible to separate servers and workstations depending upon the security requirements. Several vendors propose updates, however at this point it is not clear if this hardware design problem can be solved by software patches.
- Home
- Products
File Server Products
- Powerful and fail-safe
- Perfect for mixed networks (Mac, Windows, Web clients)
Cloud Products- Secure access to files anytime and anywhere
- No “Cloud” disadvantages
- For businesses and IT service providers
- For Mac, PC, iPad, iPhone, web
Automation- Server-based workflow automation via hot folders
- Automate applications on remote computers (e.g. Photoshop actions and Acrobat PDF creation)
- Launch scripts depending on file type
- No polling
Marketing & Premedia- Server-based image processing with ICC color management
- Image conversions for Internet and print
- Automation via hot folder
- Certified soft proof with annotations
- Industries
- Solutions
- SupportSupport
Offering professional support and excellent technical resources is very important to us. HELIOS partners offer first level support. Our goal is that every problem and question must be resolved.
Updates & Tech InfoKeep the installation always up to date. Install important updates, read technical information on various topics.
Developers & Advanced StuffHELIOS solutions are often integrated into custom solutions. Here you will find advanced technical information.
MediaAll documentation is available online. We provide great overview and training videos which should help you getting started.
- News
The HELIOS News contains …
Latest Press Release: > HELIOS Universal File Server G8 released … • Latest Newsletter: > HELIOS Newsletter 02/2021 …
- Company
- English
Enterprise Server
Developers / SDK
Retail / Industrial
Newspapers / Publishers
Photographer / Studios
Ad Agencies / Premedia / Printers
Video & Entertainment
Cloud Collaboration
HD Color
Image Processing
Proofing
WebShare Connectivity
Workflow Automation
File Server
Press Releases 
Videos 
Newsletters 
Events