Attacking VirtualizationBy Baselinemag | Posted 2008-01-25 Email Print
WEBINAR: On-demand webcast
Next-Generation Applications Require the Power and Performance of Next-Generation Workstations REGISTER >
Of course, a virtual system is not without its attack vectors. Rogue hypervisors and the virtual machine escape are two aspects of threats that should be fully evaluated.
In the past few years, much attention has been given to the use of virtualization in support of rootkits. Rootkits gain their effectiveness when they are hidden, and hypervisor rootkits that are sometimes paradoxically called virtual machine-based rootkits hide by launching a rogue hypervisor and porting the existing operating system into a virtual machine. The guest operating system within the virtual machinebelieves it is running as a traditional operating system with the corresponding control over local hardware and networking resources afforded to these systems, even though it isn’t. The hypervisor actually has control and can manipulate the activities on the system in any number of ways.
In 2006, security researcher Joanna Rutkowska introduced what she called the “blue pill,” a hypervisor rootkit that inserts itself into memory, subordinates the real operating system to virtual machine status, and gains a level of invisibility by extension. To date, the rogue hypervisor is of greater concern to security researchers than to the enterprise. In fact, using virtual systems becomes a sort of protection itself, since malware installed in a virtual machinewould not execute its payload.
Another security concern involves what is known as “escaping” the virtual machine. This ability to move malware outside the virtual machine and execute arbitrary code on the physical host is considered the Holy Grail of virtualization security. Given that the intent of virtualization is to be transparent to existing functionality, the hypervisor is the only new component that need be assessed.
So, the ability of the hypervisor to withstand attack and provide some level of isolation among virtual machines is at the root of how risk will fare in these environments. Since the hypervisor is, after all, a software program, it stands to reason that additional software initially increases the risk in any environment, simply because there is more code implemented with more complexity than with traditional IT environments.
Several researchers have demonstrated rudimentary virtual machine escape exploits and as the popularity of virtual systems increases, and the platform becomes more lucrative an attack target, the threat will continue to increase.