
Attacks on Virtual Machines

January 31st, 2007 Posted by D Webber

More reading on the security of virtual machines like VMware: a researcher at Symantec has released a great little paper, Attacks on Virtual Machine Emulators (hat tip to Computer Defense for pointing it out).

The paper covers some of the recent VM-specific malware, like the SubVirt rootkit (PDF), but mostly concentrates on methods of detecting the presence of virtual machines, including proof-of-concept code for detecting VMware, MS Virtual PC, Parallels, Hydra, QEMU, and even good ol’ BOCHS.

An interesting paragraph:

“A more serious vulnerability potentially exists in hardware-bound virtual machine emulators, if the guest can interact with third-party devices on the system.  For example, if a buffer-overflow vulnerability exists in a network driver in the host environment, it might be possible for an application within the guest environment to send a specially crafted network packet that reaches the host network driver intact, and thus exploit that vulnerability.”

I think that’s the most likely avenue of attack against “enterprise VMs” like VMware ESX, which run on the “bare metal” and use their own proprietary drivers for hardware. Drivers are yet another security blind spot no one has paid much attention to until recently. For example, the ongoing saga of vulnerabilities in the Intel wireless drivers allows most laptops to be compromised despite personal firewalls and other OS-level protections, because the bugs are at the driver level.

This is yet more to ponder if you’re considering relying on VMs to provide the same level of isolation as physical hardware: they don’t. I think projects that are using VMs to run software firewalls and to provide virtual DMZs are eventually going to have a very rude awakening as more methods to escape VMs are found.

Posted in Blind spots, Virtualization

One Response to “Attacks on Virtual Machines”:

  1. Virtual Machine Security - h0bbel Says:

    [...] D. Webber over at Security Viewpoints highlights some interesting aspects regarding Virtual Machines and security. If malicious packets are allowed to leak down to the “bare metal” hardware, through security issues in the drivers the collective virtualization community is bound to get burned. [...]