UNIT-III

Virtualization System Security

• Virtualization System-Specific Attacks:

• Guest hopping,
• Attacks on the VM (delete the VM, attack on the control of
the VM, Code or file injection into the virtualized file
structure),
• VM migration attack, hyper jacking.
Introduction : Virtual Threats

• Some threats to virtualized systems are general in nature, as they are

inherent threats to all computerized systems (such as denial-of-service, or
DoS, attacks).
• Many VM vulnerabilities stem from the fact that a vulnerability in one VM
system can be exploited to attack other VM systems or the host systems, as
multiple virtual machines share the same physical hardware, as shown in
Figure

© 2010 IBM Corporation

Introduction : Virtual Threats-
Some of the vulnerabilities exposed

Shared clipboard — Shared clipboard technology allows data to be transferred

between VMs and the host, providing a means of moving data between malicious programs
in VMs of different security realms.

Keystroke logging — Some VM technologies enable the logging of keystrokes and screen
updates to be passed across virtual terminals in the virtual machine, writing to host fi les and
permitting the monitoring of encrypted terminal connections inside the VM

VM monitoring from the host — Because all network packets coming from or going to a VM
pass through the host, the host may be able to affect the VM by the following:
 Starting, stopping, pausing, and restart VMs
 Monitoring and configuring resources available to the VMs, including CPU, memory, disk,
and network usage of VMs
 Adjusting the number of CPUs, amount of memory, amount and number of virtual disks,
and number of virtual network interfaces available to a VM
 Monitoring the applications running inside the VM
 Viewing, copying, and modifying data stored on the VM’s virtual disks

VMware VMotion brochure

© 2010 IBM Corporation
Introduction : Virtual Threats-
Some of the vulnerabilities exposed

Virtual machine monitoring from another VM — Usually,

VMs should not be able to directly access one another’s
virtual disks on the host.
However, if the VM platform uses a virtual hub or switch to
connect the VMs to the host, then intruders may be able to
use a hacker technique known as “ARP poisoning” to
redirect packets going to or from the other VM for sniffing.

Virtual machine backdoors — A backdoor, covert

communications channel between the guest and host could
allow intruders to perform potentially dangerous
operations.
Introduction : Virtual Threats-
ESX Server Application Vulnerability Severity Code Definitions
Introduction : Virtual Threats- VM THREAT LEVELS

When categorizing the threat posed to virtualized environments, often the

vulnerability/threat matrix is classified into three levels of compromise:

• Abnormally terminated — Availability to the virtual machine is

compromised, as the VM is placed into an infinite loop that prevents the
VM administrator from accessing the VM’s monitor.

• Partially compromised — The virtual machine allows a hostile process

to interfere with the virtualization manager, contaminating state
checkpoints or over-allocating resources.

• Totally compromised — The virtual machine is completely overtaken

and directed to execute unauthorized commands on its host with
elevated privileges.
New Virtualization System-Specific Attacks

Hypervisor Risks

• The hypervisor is the part of a virtual machine that allows host resource sharing
and enables VM/host isolation.

• Therefore, the ability of the hypervisor to provide the necessary isolation

during intentional attack greatly determines how well the virtual machine can
survive risk.

• One reason why the hypervisor is susceptible to risk is because it’s a software
program; risk increases as the volume and complexity of application code
increases.

• Ideally, software code operating within a defined VM would not be able to

communicate or affect code running either on the physical host itself or within
a different VM; but several issues, such as bugs in the software, or limitations to
the virtualization implementation, may put this isolation at risk.

• Major vulnerabilities inherent in the hypervisor consist of rogue hypervisor © 2010 IBM Corporation

rootkits, external modification to the hypervisor, and VM escape.

 New Virtualization System-Specific Attacks
Rogue Hypervisors Rootkits or Hyper jacking:

 In a normal virtualization scenario, the guest operating system (the operating

system that is booted inside of a virtualized environment) runs like a traditional OS
managing I/O to hardware and network traffic, even though it’s controlled by the
hypervisor.

 VM-based rootkits can hide from normal malware detection systems by initiating a
“rogue” hypervisor and creating a cover channel to dump unauthorized code into
the system.

 Proof-of-concept (PoC) exploits have demonstrated that a hypervisor rootkit can

insert itself into RAM, downgrade the host OS to a VM, and make itself invisible.

 A properly designed rootkit could then stay “undetectable” to the host OS, resisting
attempts by malware detectors to discover and remove it.
© 2010 IBM Corporation
New Virtualization System-Specific Attacks
Rogue Hypervisors Rootkits or Hyper jacking:

 This creates a serious vulnerability in all virtualized systems.

 Detectability of malware code lies at the heart of intrusion

detection and correction, as security researchers analyze code
samples by running the code and viewing the result.

 In addition, some malware tries to avoid detection by anti-virus

processes by attempting to identify whether the system it has
infected is traditional or virtual.

 If found to be a VM, it remains inactivated and hidden until it can

penetrate the physical host and execute its payload through a
traditional attack vector. © 2010 IBM Corporation
New Virtualization System-Specific Attacks

■ Rogue Hypervisors Rootkits or Hyper jacking:

–Consists of installing a rogue hypervisor

• Hyperjacking is an attack in which a hacker takes malicious control

over the hypervisor that creates the virtual environment within a
virtual machine (VM) host.
• The point of the attack is to target the operating system that is
below that of the virtual machines so that the attacker's program
can run and the applications on the VMs above it will be
completely oblivious to its presence.
• Hyperjacking involves installing a malicious, fake hypervisor that
can manage the entire server system.

• In hyperjacking, the hypervisor specifically operates in stealth

mode and runs beneath the machine, it makes more difficult to
detect and more likely gain access to computer servers where it
can affect the operation of the entire institution or company.

© 2010 IBM Corporation

New Virtualization System-Specific Attacks
■ Rogue Hypervisors Rootkits or Hyper jacking:
–Consists of installing a rogue hypervisor
• 1. Injecting a rogue hypervisor beneath the original hypervisor;
• 2. Directly obtaining control of the original hypervisor;
• 3. Running a rogue hypervisor on top of an existing hypervisor.

• One method for doing this is overwriting pagefiles on disk that

contain paged-out kernel code
• Force kernel to be paged out by allocating large amounts
of memory
• Find unused driver in page file and replace its dispatch function
with shellcode
• Take action to cause driver to be executed
• Shellcode downloads the rest of the malware
• Host OS is migrated to run in a virtual machine
–Has been demonstrated for taking control of Host OS
–Hyperjacking of hypervisors may be possible, but not yet
demonstrated
• Hypervisors will come under intense scrutiny because they are
such attractive targets Known hyperjacking tools: BluePill, SubVirt,
© 2010 IBM Corporation

Vitriol
 Virtualization System Public Exploits

CVE-2015-3456: VENOM vulnerability

• The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows
local guest users to cause a denial of service (out-of-bounds write and guest crash) or
possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2)
FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands

• VENOM refers to a security vulnerability that results from a buffer overflow in a kernel-level
driver included in many default virtualized environments.
• The VENOM vulnerability has the potential to provide attackers with access to the host
operating system and, as a result, other guest operating systems on the same host.
• VENOM, an acronym for Virtualized Environment Neglected Operations Manipulation, arises
from QEMU’s virtual Floppy Disk Controller (FDC), which carries a vulnerability that could
enable an attacker to run code by pairing one of two flawed commands related to the
controller with a buffer overflow.
• The VENOM vulnerability affects KVM, Xen and native QEMU virtual machines.
• Virtual machines running on Microsoft Hyper-V or VMware hypervisors are not affected by
VENOM.
• The VENOM vulnerability works with the default configuration of the affected virtualization
platforms, so even when the FDC drive has not been added to the platform, systems are still
© 2010 IBM Corporation
vulnerable.
New Virtualization System-Specific Attacks
External Modification of the Hypervisor:

In additional to the execution of the rootkit

payload, a poorly protected or designed
hypervisor can also create an attack vector.
Therefore, a self-protected virtual machine may
allow direct modification of its hypervisor by an
external intruder.
This can occur in virtualized systems that don’t
validate the hypervisor as a regular process.

© 2010 IBM Corporation

New Virtualization System-Specific Attacks
VM Escape
Due to the host machine’s fundamentally privileged
position in relationship to the VM, an improperly
configured VM could allow code to completely bypass
the virtual environment, and obtain full root or kernel
access to the physical host
This would result in a complete failure of the security
mechanisms of the system, and is called VM escape.
Virtual machine escape refers to the attacker’s ability to
execute arbitrary code on the VM’s physical host, by
“escaping” the hypervisor.
VM escapes could occur through virtual machine shared
resources called VMchat, VMftp, vCAT, and VMdrag-n-© 2010 IBM Corporation

Drop
Case Study: Virtualization System Public Exploits
■ 36 public exploits against production virtualization systems have been
released
■ Most of these are attacks against third-party components of
these systems
■ CVE-2009-2267
–Guest OS user can gain elevated privileges on guest OS by
exploiting a bug in handling of page faults
–Affects ESX server 4 and other VMware products
–Exploit binary posted at lists.grok.org.uk

© 2010 IBM Corporation

New Virtualization System-Specific Attacks

VM migration
–Migration attack is an attack on the network during VM
migration from one place to another. This attack is an exploit
on the mobility of virtualization.
–Since VM images are easily moved between physical machines
through the network, enterprises constantly move VMs to
various places based on their usage.
–For example, VMs from a canceled customer may be moved to
a backup data center, and VMs that need maintenance may be
moved to a testing data center for changes.
–Thus, when VMs are on the network between secured
perimeters, attackers can exploit the network vulnerability to
gain unauthorized access to VMs.
– Similarly, the attackers can plant malicious code in the VM
images to plant attacks on data centers that VMs travel
between.
Migrating Virtual Machines
VM MIGRATION explained-
Video Animation-Flipped Activity
New Virtualization System-Specific Attacks

VM migration-Types and Techniques

Before migration, the virtual machine must be powered off, after

Cold Migration doing this task. The old one should be deleted from source host.
Moreover, the virtual machine need not to be on shared storage.

Whenever transfer OS and any application, there is no need to

Warm Migration suspend the source host. Basically it has high demand in public
cloud.

It is the process of moving a running virtual machine without

Live Migration stopping the OS and other applications from source host to
destination host.
 New Virtualization System-Specific Attacks

■ VM migration-Types and Techniques

1) Pre- Copy Migration:

In this migration, the hypervisor copies all memory page from source machine to destination
machine while the virtual machine is running. It has two phases: Warm- up Phase and stop and
copy phase.

a) Warm Up Phase:
During copying all memory pages from source to destination, some memory pages changed
because of source machine CPU is active. All the changed memory pages are known as dirty pages.
All these dirty pages are required to recopy on destination machine; this phase is called as warm
up phase.

b) Stop & Copy Phase: Warm up phase is repeated until all the dirty pages recopied on
destination machine. This time CPU of source machine is deactivated till all memory pages will
transfer another machine. Ultimately at this time CPU of both source and destination is suspended,
this is known as down time phase. This is the main thing that has to explore in migration for its
optimization.
 New Virtualization System-Specific Attacks
■ VM migration-Types and Techniques
2) Post- Copy Migration:
  In this technique, VM at the source is suspended to start post copy VM
migration.
 When VM is suspended, execution state of the VM (i.e. CPU state,
registers, non-pageable memory) is transferred to the target.
 In parallel the sources actively send the remaining memory pages of
the VM to the target.
 This process is known as pre-paging.
 At the target, if the VM tries to access a page that has not been
transferred yet, it generates a page fault, also known as network faults.
These faults are redirect to the source, which responds with the faulted
pages.
 Due to this, the performance of applications is degrading with number
of network faults.
 To overcome this, pre-paging scheme is used to push pages after the
last fault by dynamically using page transmission order
 New Virtualization System-Specific Attacks
■ Live VM migration steps of Google Compute Engine
New Virtualization System-Specific Attacks
■ VM migration
– VM migration is transfer of guest OS from one physical server to another with
little or no downtime
– Implemented by several virtualization products
– Provides high availability and dynamic load balancing

VMware VMotion brochure

© 2010 IBM Corporation
New Virtualization System-Specific Attacks
■ VM migration attack
– If migration protocol is unencrypted, susceptible to man-in-the-middle attack
– Allows arbitrary state in VM to be modified
– In default configuration, XenMotion is susceptible (no encryption)
– VMware’s VMotion system supports encryption
– Proof-of-concept developed by John Oberheide at the Univ. of Michigan

John Oberheide et. al.

University of Michigan © 2010 IBM Corporation
Analysis of Hyper jacking Attack and Mitigation Techniques