Fuzzing virtual machines

April 26th, 2007 Posted by D Webber

Security researcher Tavis Ormandy has published an interesting paper, “An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments” (PDF link), in which he used an I/O-port fuzzer and a random-opcode generator to find anomalies in VMware and other virtualization products.

Tested were VMware Workstation and VMware Server, Xen, QEMU, Bochs, plus two “popular proprietary products” that were not specifically identified but sound suspiciously like MS Virtual PC and Parallels.

The approach is interesting: first a code-level review was performed on the open-source products, and then each virtual machine was hammered on using CrashMe, a testing tool that hands the machine random bytes to execute, and a tool that generates activity on random I/O ports. Run inside a guest, every random instruction and every stray port access becomes an input to the emulator on the host, so what is really being fuzzed is the VMM rather than the guest. “Fuzzing” tools like these are commonly used to look for anomalies in software that may indicate a vulnerability; for example, fuzzing input data can sometimes turn up an exploitable buffer overflow. However, this is the first time I know of that someone has performed fuzzing against a VM.

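To make the two techniques concrete, here is a small Linux/x86-64 harness in the spirit of the tools described above. It is an added example, not Ormandy's code and not CrashMe itself: each probe runs in a forked child so the parent survives whatever the probe does and can classify the result, `opcode` mode jumps into a page of random bytes, and `io` mode (which needs root or CAP_SYS_RAWIO inside the guest for `iopl(3)`) reads and writes random values on random ports. The function and constant names are my own. Run `io` mode only inside a disposable guest: on bare metal, random port writes can wedge the machine.

```c
/* vmfuzz.c: crashme-style random-opcode probes and random I/O-port probes.
 * Added example; Linux/x86-64, one forked child per probe so the parent can
 * report the outcome.  A bug in the VMM shows up as the whole guest dying,
 * not as a child signal, so watch the guest from the host (serial log, watchdog). */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>
#if defined(__x86_64__) || defined(__i386__)
#include <sys/io.h>            /* iopl, inb, outb */
#endif

enum { OUT_RETURNED = 0, OUT_ERROR = -1, OUT_NOPERM = -2 }; /* >0 = signal number */

/* xorshift64*: deterministic, so a probe that kills the VMM can be replayed from its seed. */
static uint64_t rng_next(uint64_t *s) {
    uint64_t x = *s;
    x ^= x >> 12; x ^= x << 25; x ^= x >> 27;
    *s = x;
    return x * 0x2545F4914F6CDD1DULL;
}

/* Fill buf with n random bytes derived from seed (the CrashMe-style input). */
void random_bytes(uint64_t seed, uint8_t *buf, size_t n) {
    uint64_t s = seed ? seed : 1;
    for (size_t i = 0; i < n; i++) buf[i] = (uint8_t)(rng_next(&s) >> 56);
}

/* Run fn(arg) in a child. Returns OUT_RETURNED if it exited cleanly, the
 * signal number if a signal killed it, OUT_NOPERM if it lacked privileges. */
static int run_in_child(void (*fn)(void *), void *arg) {
    pid_t pid = fork();
    if (pid < 0) return OUT_ERROR;
    if (pid == 0) { fn(arg); _exit(0); }
    int status;
    if (waitpid(pid, &status, 0) < 0) return OUT_ERROR;
    if (WIFSIGNALED(status)) return WTERMSIG(status);
    if (WIFEXITED(status)) {
        int code = WEXITSTATUS(status);
        return code == 0 ? OUT_RETURNED : code == 3 ? OUT_NOPERM : OUT_ERROR;
    }
    return OUT_ERROR;
}

struct code_probe { const uint8_t *code; size_t len; };

static void exec_probe(void *p) {
    struct code_probe *cp = p;
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *page = mmap(NULL, pg, PROT_READ | PROT_WRITE | PROT_EXEC,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED || cp->len + 1 > pg) _exit(2);
    memset(page, 0xCC, pg);              /* int3 padding: falling off the end -> SIGTRAP */
    memcpy(page, cp->code, cp->len);
    page[cp->len] = 0xC3;                /* ret: well-behaved bytes return to us */
    void (*fn)(void);
    memcpy(&fn, &page, sizeof fn);       /* object->function pointer without a UB cast */
    fn();                                /* jump into the bytes */
    _exit(0);
}

/* Execute len bytes of code in a child and classify what happened. */
int exec_bytes(const uint8_t *code, size_t len) {
    struct code_probe cp = { code, len };
    return run_in_child(exec_probe, &cp);
}

#if defined(__x86_64__) || defined(__i386__)
static void io_probe(void *p) {
    uint64_t s = *(uint64_t *)p;
    if (iopl(3) != 0) _exit(3);          /* ring-3 port access needs root in the guest */
    for (int i = 0; i < 64; i++) {
        uint64_t r = rng_next(&s);
        uint16_t port = (uint16_t)r;     /* any of the 65536 I/O ports */
        if (r & (1ULL << 16)) outb((uint8_t)(r >> 24), port);
        else (void)inb(port);
    }
    _exit(0);
}
#endif

/* One burst of random port I/O in a child; OUT_NOPERM without root. */
int fuzz_io_ports(uint64_t seed) {
#if defined(__x86_64__) || defined(__i386__)
    return run_in_child(io_probe, &seed);
#else
    (void)seed; return OUT_ERROR;
#endif
}

int main(int argc, char **argv) {
    /* Usage: ./vmfuzz opcode [iterations]   or   ./vmfuzz io [iterations] (root) */
    int io = argc > 1 && strcmp(argv[1], "io") == 0;
    long iters = argc > 2 ? atol(argv[2]) : 1000;
    uint64_t seed = (uint64_t)getpid() * 6364136223846793005ULL + 1;
    for (long i = 0; i < iters; i++, seed++) {
        int r;
        if (io) r = fuzz_io_ports(seed);
        else { uint8_t buf[64]; random_bytes(seed, buf, sizeof buf); r = exec_bytes(buf, sizeof buf); }
        if (r == OUT_NOPERM) { fputs("iopl(3) refused: run as root inside the guest\n", stderr); return 1; }
        if (r > 0 && r != SIGSEGV && r != SIGILL && r != SIGTRAP && r != SIGBUS && r != SIGFPE)
            printf("seed %llu: unexpected signal %d\n", (unsigned long long)seed, r);
    }
    puts("guest still alive after all probes");
    return 0;
}
```

SIGSEGV, SIGILL and SIGTRAP from the child are the boring outcomes: the guest kernel handled a fault that the CPU (or the VMM's instruction emulation) raised correctly. What the paper was hunting for is the case where the guest never gets to report anything because the VMM process on the host fell over, which is why the seed is printed and the loop is meant to be watched from outside the guest.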
Ormandy found that every product tested crashed when CrashMe was run inside a guest, meaning a malicious guest can mount a denial of service against the virtualization software with very little effort. Further, every product showed signs that an attacker could potentially run code on the host, at least with the privileges of the VMM process, usually through bugs in emulated hardware such as network cards. Not surprisingly, an attacker who already has superuser access within the guest OS (root or administrator) finds it easier to attack the host, since privileged guest code can drive the emulated devices and I/O ports directly.

Some of the paper’s recommendations for deploying virtual machines:

Posted in Virtualization |