The good, the bad and the virtual

March 11, 2010 (at 1:30 p.m.) in Attack & Research

Virtualization, from an assessor perspective, is often a pure black box. Most of the time a whole penetration test can go on without the tester even noticing that the machines he assessed were virtual ones. However, virtualization poses new challenges to the tester and new threats to any data center, which should be identified and addressed. Or maybe exploited.

In this talk, we will go into the details of various kinds of attacks leveraging a new toolkit, VASTO [Virtualization ASsessment TOolkit], which will be released at TROOPERS10.

Claudio Criscione

Claudio spends his work hours as principal consultant at Secure Network, a security firm based in Milan. He used to be a pure web application security guy and graduated with a master thesis on anomaly detection on web applications. He got interested in virtualization from a practical perspective as a penetration tester since its birth and has been doing research since then.

He’s a columnist at and a member of