The Laws of Virtualization Security



By Baselinemag


Burton Group’s Pete Lindstrom lays down the law for protecting virtual infrastructures.


Attacking Virtualization

Of course, a virtual system is not without its attack vectors. Rogue hypervisors and virtual machine escape are two threats that should be fully evaluated.

In the past few years, much attention has been given to the use of virtualization in support of rootkits. Rootkits gain their effectiveness when they are hidden, and hypervisor rootkits (sometimes paradoxically called virtual machine-based rootkits) hide by launching a rogue hypervisor and porting the existing operating system into a virtual machine. The guest operating system within the virtual machine believes it is running as a traditional operating system, with the corresponding control over local hardware and networking resources, even though it isn’t. The hypervisor actually has control and can manipulate the activities on the system in any number of ways.

In 2006, security researcher Joanna Rutkowska introduced what she called the “blue pill,” a hypervisor rootkit that inserts itself into memory, subordinates the real operating system to virtual machine status, and gains a level of invisibility by extension. To date, the rogue hypervisor is of greater concern to security researchers than to the enterprise. In fact, using virtual systems becomes a sort of protection itself, since malware installed in a virtual machine would not execute its payload.

Another security concern involves what is known as “escaping” the virtual machine. This ability to move malware outside the virtual machine and execute arbitrary code on the physical host is considered the Holy Grail of virtualization security. Given that the intent of virtualization is to be transparent to existing functionality, the hypervisor is the only new component that need be assessed.

So, the ability of the hypervisor to withstand attack and provide some level of isolation among virtual machines is at the root of how risk will fare in these environments. Since the hypervisor is, after all, a software program, it stands to reason that additional software initially increases the risk in any environment, simply because there is more code implemented with more complexity than with traditional IT environments.

Several researchers have demonstrated rudimentary virtual machine escape exploits, and as the popularity of virtual systems increases and the platform becomes a more lucrative attack target, the threat will continue to increase.

The Impact of Virtual Environments on Risk

Although the benefits of a virtual environment are clear, they are not always realized in every architected environment. The reality is that these various characteristics will be mixed and matched with other IT resources. Given that probable outcome, it is useful to review risk principles and apply them to a virtual environment. Burton Group defines risk as a function of threats, vulnerabilities and consequences such that an increase in any of these three elements increases overall risk.

At this stage of virtualization maturation, the likelihood that malicious attackers will target virtual environments is relatively low. That said, as more people get trained for and learn about virtualization, attackers are bound to follow. Given the adoption rate of virtualization technology, it is reasonable to assume this threat is accelerating quickly.

The vulnerability of a system is a measure of its attack surface—the nature and extent of resources on a system that are exposed. Of course, if isolation mechanisms like firewalls or operating system access controls fail, the attack surface balloons to comprise the entire machine. The pertinent question, then, is whether the attack surface of a system, or of an enterprise IT environment as a whole, increases or decreases through virtualization.

Attack surface increases with the availability of services on any IT resource. This means that the addition of a system to an enterprise environment increases attack surface, and at a more granular level, the starting of services, opening of TCP/UDP ports, and registering of remote procedure call (RPC) endpoints increase the attack surface as well. If more resources are consumed, more risk is incurred.

Most virtual environments aim to make the virtualization transparent throughout the environment. However, something new is “behind the scenes” of the systems in place—the hypervisor and virtual machine monitor. The addition of the hypervisor resource increases risk just like any other additional service does.

If everything else remains constant, the vulnerability component of risk is increased in virtual environments. Everything else does not need to remain constant, however. To whatever extent other resources can be reduced, eliminated, or isolated so that they are no longer part of the attack surface, these actions will offset the increased attack surface and reduce overall vulnerability.

The final component of risk is the impact or consequences of a successful attack. In most IT environments, the value of information assets is increasing as organizations work to squeeze out more benefits from systems. As these functions take on more mission-critical capabilities, associated losses are increased as well.

But consequences are not necessarily correlated with an increased attack surface. Given the increased flexibility of virtual systems, one of the benefits is the ability to create purpose-built appliances to support various functions. If functions that were previously combined are separated, then it is clear that the consequences may be reduced using virtual machines, which also reduces risk.

Path to Virtualization Security

Security teams should take a number of steps to ensure improved protection of virtual environments, including:

  • Use all existing security mechanisms: Since one of the primary goals of virtualization is transparency, all current host-based solutions should operate in exactly the same way with limited need for modifications. Existing solutions may not be optimal, but they’ll provide reasonable security.
  • Get your administrative act together: The dynamic nature of the virtual machine lifecycle and the potential for virtual machine sprawl hint at an even more difficult asset-management environment in the virtual world. It is prudent to ensure that administrative procedures are ready for identifying and tracking virtual machines throughout the environment.
  • Look for ways to move security out of the virtual machine: Enterprises can reduce or eradicate agents from virtual machines and create separate process spaces for user activities and security functions.
  • Manage virtual machines like files and systems: The portability of virtual machines makes them vulnerable to file-style attacks, and therefore they must be protected in a similar fashion. The goal of file-oriented management is recognizing the file objects and providing cryptographic and access control protection for them.
  • Encrypt network traffic where possible: Encrypted communications provide some protection against local sniffing threats that may come from other virtual machines or the hypervisor.
  • Practice segregation of functions: Since multiple virtual machines can be run on the same machine, it may be possible to create separate compartments for security components. Strong candidates for segregation include logging events externally, maintaining separate keys for encryption, and separating policy and configuration from the image.
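
The asset-tracking and file-style protection steps in the list above can be combined into one check, shown here as an added example that is not part of the original article. The extension list, the function names and the baseline format (relative path mapped to SHA-256) are assumptions made for illustration, and the sample files are constructed.

```python
import hashlib
import os
import stat
import tempfile

# Assumption: these extensions identify VM disk/appliance files on the host.
IMAGE_EXTS = {".vmdk", ".qcow2", ".vhd", ".vhdx", ".vdi", ".ova"}

def sha256_file(path, chunk=1 << 20):
    """Hash a (potentially very large) image file in fixed-size chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def audit_images(root, baseline):
    """Compare VM image files under root with baseline {relpath: sha256}."""
    findings, seen = [], set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in IMAGE_EXTS:
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            seen.add(rel)
            # Access control: any group/other permission bit is a finding.
            if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((rel, "permissions wider than owner-only"))
            if rel not in baseline:
                findings.append((rel, "untracked image"))  # possible VM sprawl
            elif sha256_file(path) != baseline[rel]:
                findings.append((rel, "hash differs from baseline"))
    for rel in set(baseline) - seen:
        findings.append((rel, "tracked image missing"))  # moved or copied off?
    return sorted(findings)

def demo():
    """Audit a constructed image store (sample data, not real images)."""
    digest = lambda b: hashlib.sha256(b).hexdigest()
    baseline = {"web01.qcow2": digest(b"disk-a"), "db01.vmdk": digest(b"disk-b"),
                "old01.vhd": digest(b"disk-d")}
    with tempfile.TemporaryDirectory() as root:
        for name, data, mode in [("web01.qcow2", b"disk-a", 0o600),
                                 ("db01.vmdk", b"tampered", 0o600),
                                 ("scratch.vdi", b"disk-c", 0o644)]:
            path = os.path.join(root, name)
            with open(path, "wb") as f:
                f.write(data)
            os.chmod(path, mode)
        return audit_images(root, baseline)
```

In practice the baseline would be produced when an image is approved and stored apart from the image store itself, in line with the segregation step in the list.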

Virtualized environments are poised to provide significant operational benefits to enterprises, but they are not without their risks. The introduction of a new layer of software—in the form of the hypervisor—and the new architectures that provide the benefits must be evaluated from a security perspective to understand the risk and the security impact.

Pete Lindstrom is a senior analyst at Burton Group specializing in security metrics, risk management, Web 2.0/SOA/Web services security, and securing new technologies.

 

 



 
 