The Laws of Virtualization Security - Attacking Virtualization (Page 4 of 4)
Attacking Virtualization
Of course, a virtual system is not without its attack vectors. Rogue hypervisors and virtual machine escape are two classes of threat that should be fully evaluated.
In the past few years, much attention has been given to the use of virtualization in support of rootkits. Rootkits gain their effectiveness when they are hidden, and hypervisor rootkits, sometimes paradoxically called virtual machine-based rootkits, hide by launching a rogue hypervisor and moving the existing operating system into a virtual machine. The guest operating system within the virtual machine believes it is running as a traditional operating system, with the control over local hardware and networking resources normally afforded to such systems, even though it isn’t. The hypervisor actually has control and can manipulate the activities on the system in any number of ways.
In 2006, security researcher Joanna Rutkowska introduced what she called the “blue pill,” a hypervisor rootkit that inserts itself into memory, subordinates the real operating system to virtual machine status, and by extension gains a level of invisibility. To date, the rogue hypervisor is of greater concern to security researchers than to the enterprise. In fact, running on virtual systems becomes a sort of protection in itself, since malware that detects it has been installed in a virtual machine would not execute its payload.
Another security concern involves what is known as “escaping” the virtual machine. This ability to move malware outside the virtual machine and execute arbitrary code on the physical host is considered the Holy Grail of virtualization security. Given that the intent of virtualization is to be transparent to existing functionality, the hypervisor is the only new component that needs to be assessed.
So, the ability of the hypervisor to withstand attack and provide some level of isolation among virtual machines is at the root of how risk will fare in these environments. Since the hypervisor is, after all, a software program, it stands to reason that additional software initially increases the risk in any environment, simply because there is more code implemented with more complexity than in traditional IT environments.
Several researchers have demonstrated rudimentary virtual machine escape exploits, and as the popularity of virtual systems increases and the platform becomes a more lucrative attack target, the threat will continue to grow.
The Impact of Virtual Environments on Risk
Although the benefits of a virtual environment are clear, they are not always realized in every architected environment. The reality is that these various characteristics will be mixed and matched with other IT resources. Given that probable outcome, it is useful to review risk principles and apply them to a virtual environment. Burton Group defines risk as a function of threats, vulnerabilities and consequences, such that an increase in any of these three elements increases overall risk.
At this stage of virtualization maturation, the likelihood that malicious attackers will target virtual environments is relatively low. That said, as more people get trained for and learn about virtualization, attackers are bound to follow. Given the adoption rate of virtualization technology, it is reasonable to assume this threat is accelerating quickly.
The vulnerability of a system is a measure of its attack surface: the nature and extent of resources on a system that are exposed. Of course, if isolation mechanisms like firewalls or operating system access controls fail, the attack surface balloons to comprise the entire machine. The pertinent questions, then, are whether the attack surface of a system, or of an enterprise IT environment as a whole, increases or decreases through virtualization.
Attack surface increases with the availability of services on any IT resource. This means that the addition of a system to an enterprise environment increases attack surface, and at a more granular level, the starting of services, opening of TCP/UDP ports, and registering of remote procedure call (RPC) endpoints increases the attack surface as well. If more resources are consumed, more risk is incurred.
Most virtual environments aim to make the virtualization transparent throughout the environment. However, something new is “behind the scenes” of the systems in place: the hypervisor and virtual machine monitor. The addition of the hypervisor resource increases risk just like any other additional service does.
If everything else remains constant, the vulnerability component of risk is increased in virtual environments. Everything else does not need to remain constant, however. To whatever extent other resources can be reduced, eliminated, or isolated so that they are no longer part of the attack surface, these actions will offset the increased attack surface and reduce overall vulnerability.
The final component of risk is the impact or consequences of a successful attack. In most IT environments, the value of information assets is increasing as organizations work to squeeze out more benefits from systems. As these functions take on more mission-critical capabilities, associated losses are increased as well.
But consequences are not necessarily correlated with an increased attack surface. Given the increased flexibility of virtual systems, one of the benefits is the ability to create purpose-built appliances to support various functions. If functions that were previously combined are separated, then it is clear that the consequences may be reduced using virtual machines, which also reduces risk.
Path to Virtualization Security
Security teams should take a number of steps to ensure improved protection of virtual environments, including:
- Use all existing security mechanisms: Since one of the primary
goals of virtualization is transparency, all current host-based solutions
should operate in exactly the same way with limited need for modifications.
Existing solutions may not be optimal, but they’ll provide reasonable
security.
- Get your administrative act together: The dynamic nature of the virtual
machine lifecycle and the potential for virtual machine sprawl hint at an
even more difficult asset-management environment in the virtual world. It
is prudent to ensure that administrative procedures are ready for
identifying and tracking virtual machines throughout the environment.
- Look for ways to move security out of the virtual machine: Enterprises can reduce or eradicate agents
from virtual machines and create separate process spaces for user
activities and security functions.
- Manage virtual machines like files and systems: The portability of virtual
machines makes them vulnerable to file-style attacks, and therefore they
must be protected in a similar fashion. The goal of file-oriented
management is recognizing the file objects and providing cryptographic and
access control protection for them.
- Encrypt network traffic where possible: Encrypted communications
provide some protection against local sniffing threats that may come from
other virtual machines or the hypervisor.
- Practice segregation of functions: Since multiple virtual
machines can be run on the same machine, it may be possible to create
separate compartments for security components. Strong candidates for
segregation include logging events externally, maintaining separate keys
for encryption, and separating policy and configuration from the image.
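As an added example (not from the article or from Burton Group), here is a small Python manifest tool that treats VM images as files, in the spirit of the "Get your administrative act together" and "Manage virtual machines like files" items above: it records a SHA-256 digest, size and permission bits for each registered image, then flags images that were modified, have gone missing, were never registered (sprawl), or are world-readable. The image suffixes and file names are assumptions, and the sample images are constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

IMAGE_SUFFIXES = (".vmdk", ".vhd", ".qcow2", ".ova")  # assumed image types

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # 1 MiB at a time
            h.update(chunk)
    return h.hexdigest()

def build_manifest(image_dir: Path) -> dict:
    # Inventory every VM image under image_dir: digest, size and permission bits.
    manifest = {}
    for p in sorted(image_dir.rglob("*")):
        if p.is_file() and p.suffix in IMAGE_SUFFIXES:
            st = p.stat()
            manifest[str(p.relative_to(image_dir))] = {
                "sha256": sha256_file(p), "size": st.st_size, "mode": st.st_mode & 0o777}
    return manifest

def verify_manifest(image_dir: Path, known: dict) -> dict:
    # Compare the current directory state against a previously stored manifest.
    current = build_manifest(image_dir)
    findings = {"modified": [], "missing": [], "untracked": [], "world_readable": []}
    for name, rec in known.items():
        cur = current.get(name)
        if cur is None:
            findings["missing"].append(name)          # image removed or moved
        elif cur["sha256"] != rec["sha256"]:
            findings["modified"].append(name)         # disk contents changed
    for name, rec in current.items():
        if name not in known:
            findings["untracked"].append(name)        # sprawl: nobody registered it
        if rec["mode"] & 0o004:
            findings["world_readable"].append(name)   # weak access control on image
    return findings

def demo() -> dict:
    # Constructed scenario: register two images, then alter one and drop in a clone.
    root = Path(tempfile.mkdtemp())
    for name in ("web01.vmdk", "db01.qcow2"):
        (root / name).write_bytes(b"constructed disk image " + name.encode())
        (root / name).chmod(0o600)
    known = build_manifest(root)
    (root / "web01.vmdk").write_bytes(b"constructed disk image, contents altered")
    (root / "rogue.vhd").write_bytes(b"constructed unregistered clone")
    (root / "rogue.vhd").chmod(0o644)
    return verify_manifest(root, known)
```

In practice the manifest would be stored and signed off-host, so that an attacker who can rewrite an image cannot also rewrite the record it is checked against.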
Virtualized environments are poised to provide significant operational benefits to enterprises, but they are not without their risks. The introduction of a new layer of software, in the form of the hypervisor, and the new architectures that provide the benefits must be evaluated from a security perspective to understand the risk and the security impact.
Pete Lindstrom is a senior analyst at Burton Group specializing in security metrics, risk management, Web 2.0/SOA/Web services security, and securing new technologies.