Security's Everyman

Security's Everyman

Tuesday, July 31, 2007

Virtual Machine = Virtual Vulnerability?

Paul and Cutaway both write about the latest research in VM escaping and it's not pretty. The research that is not their writing.

It seems that Ed Skoudis and team have come up with a way to really escape a VM and run an exploit on the host system. This is still "shaky" in terms of it's not perfect and it's not complete but the potential consequences of this is pretty severe. VM's are used quiet heavily today for many different things. One of the biggest being malware testing. The bad guys have already figured out a way to make that more difficult but this makes it even worse. A VM is used because it can be blown away and reloaded in a matter of minutes so if it get hosed it's no big deal. If the bad guys can cause the VM to crash and then exploit the host machine then that puts AV research in a bit of a bind. VM's are also used by companies to save space, hardware and time. Lots of security software runs on VM's and this has the potential to put all of that at risk.

Read the articles by Cutaway and Paul and do some research yourself and let me know your thoughts. After you have become informed check back on my site and take the new poll. "Are Virtual Machines days numbered?"


LonerVamp said...

While I think this is possible, I fully expect any issues to be minor things in code for things like vmware, and not something unfixable. Patch issued and installed and these issues are gone, imo. I expect it will eventually prove easier to own the management software and thus own every guest as opposed to boring up through the guest.

But that's just my gut feeling. :) Kinda like pandemic planning, I am not buying that this is a big deal to me yet (big deal for research, yes).

Rob Lewis said...

Would you say that rather than jump ship now we might consider a trusted OS foundation and trusted guest operating system as defenses in virtual machines?

Andy, ITGuy said...

I'm not suggesting that we jump ship. I just want to ensure that the ship stays afloat. I think a trusted OS is great. I'm just not fully convinced that we're there yet. Maybe Trustifier is the answer. We'll have to wait and see.

Rob Lewis said...

I would venture that Trustifier will be determined to be one possible solution. They are doing work along these lines with SELinux, but Trustifier's functionality and ease of use makes it a better bet for non-Linux users.

In a parallel issue, a trusted environment is the only real defense against anti-forensic tools as well, so I believe the case for trusted systems is slowing building.

cdman83 said...

This is not a big deal. From a security stand point virtual machines are excellent both because (a) most attacks and attackers are not expecting it and are not equipped to circumvent it (a little security by obscurity - nothing wrong with that) and (b) they have a much smaller codebase than any OS, meaning that the possibility of problems is much smaller.

In that sense they are even better than OS level solutions, because they have to deal with less complexity (when you are using a HIPS, are you sure that it hooked all of the system calls it had to?). Of course it must be coupled with layered security, like running the VM - just like any other application - under an account that has access only to the files it has to.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.