Virtualization systems are nowadays ubiquitus in enterprises of any size. Penetration testers and security auditors, however, often overlook virtualization infrastructures, simply looking at the virtual machines without any direct analysis of the underlying solution, not to mention those analyses simply marking virtual environments as "not-compliant".
A different, new approach is required to assess such systems, defining new targets and new ways to get there.
This talk will outline procedures and approaches, complete with tools and demos, to execute a penetration test or a design review on virtualization enviroments. Security experts eager to know more about these systems and sysops willing to protect their own fortress will find this talk interesting
Claudio Criscione managed to score his first hack at the age of 10, to download more contents from the local BBS bypassing ratio restrictions. After that he hacked his way to graduation at Milano TU and started his PhD while working as the principal consultant at Secure Network. He's been involved in web application security and anomaly detection, and then moved into virtualization security to find a new toy. He presented in various conferences, including BlackHat EU, CONFidence and Syscan, and he's an editor at virtualization.info.