Attacking Virtualization
By Baselinemag | Posted 2008-04-30
Virtualization technology can deliver cost savings and improve IT performance, but it also introduces new security concerns. In this summary of a Burton Group report, security expert Pete Lindstrom examines the security considerations unique to virtualized IT environments.
Of course, a virtual system is not without its attack vectors. Rogue hypervisors and VM escape are two threats that should be evaluated fully.
In the past few years, much attention has been given to the use of virtualization in support of rootkits. Rootkits gain their effectiveness when they are hidden, and hypervisor rootkits—sometimes paradoxically called VM-based rootkits—hide by launching a rogue hypervisor and porting the existing operating system into a VM.
The guest operating system within the VM believes it is running as a traditional operating system with the corresponding control over local hardware and networking resources afforded to these systems—but it isn’t. The hypervisor has control and can manipulate the activities on the system in any number of ways.
In 2006, a security researcher named Joanna Rutkowska introduced what she called the “blue pill,” a hypervisor rootkit that inserts itself into memory, subordinates the real operating system to VM status and gains a level of invisibility by extension. To date, the rogue hypervisor is of greater concern to security researchers than to the enterprise. In fact, using virtual systems becomes a sort of protection in itself, since malware installed in a VM would not execute its payload.
Another security concern involves what is known as “escaping” the virtual machine. This ability to move malware outside the VM and execute arbitrary code on the physical host is considered the holy grail of virtualization security research. Given that the intent of virtualization is to be transparent to existing functionality, the hypervisor is the only new component that need be assessed.
The ability of the hypervisor to withstand attack and provide some level of isolation among VMs determines how risk will fare in these environments. Since the hypervisor is, after all, a software program, it stands to reason that this additional software initially increases the risk in any environment, simply because there is more code, and more complex code, than in traditional IT environments.
Several researchers have demonstrated rudimentary VM escape exploits, and as the popularity of virtual systems increases—and the platform becomes a more lucrative attack target—the threat will continue to increase.