
Virtualization System Security

Bryan Williams, IBM X-Force Advanced Research
Tom Cross, Manager, IBM X-Force Security Strategy

2009 IBM Corporation

Overview

- Vulnerability disclosure analysis
- Vulnerability classes
- Vulnerability examples
- Virtualization-system specific attacks
- Known virtualization system attacks
- Public virtualization system exploits
- Summary of virtualization system security concerns
- Technologies for virtualization-based security enhancement
- Configuration recommendations

2010 IBM Corporation

The Importance of Virtualization System Security


- Businesses are increasingly relying on virtualization technology
  - In Q4 2009, 18.2% of servers shipped were virtualized (1)
  - 20% increase over 15.2% shipped in Q4 2008
  - Growing interest in cloud computing will fuel further demand
- Vulnerability disclosures have grown as interest has grown
  - Source: IBM X-Force 2010 Midyear Trend Report

(1) Source: IDC


The Risk Imposed by Virtualization System Vulnerabilities


- Disclosed vulnerabilities pose a significant security risk
  - 40% of all reported vulnerabilities have high severity
  - Tend to be easy to exploit and provide full control over the attacked system
  - Exploits have been publicly disclosed for 14% of vulnerabilities


The Risk To Production Systems

- Most reported vulnerabilities affect production virtualization systems
  - Production systems run on the bare metal: the hypervisor acts as the operating system
  - Contrast with workstation systems, which run on top of a host OS


Vendor Disclosures by Vendor

- Low percentages for Oracle, IBM, and Microsoft
  - VMware: 80.9%
  - RedHat: 6.9%
  - Citrix: 5.8%
  - Oracle: 1.8%
  - IBM: 1.1%
  - Microsoft: 0.9%


Virtualization System Vulnerability Classes

Vulnerabilities can be classified by what they affect

[Diagram: a virtualization server (hardware, hypervisor, guest VMs, administrative VM) together with its management server and management console, and the guest VM users and system administrators who access them; numbers 1 to 5 mark where each vulnerability class sits]


Virtualization System Vulnerability Classes

- Management console vulnerabilities
  - Affect the management console host
  - Can provide a platform or information allowing attack of the management server
  - Can occur in custom consoles or web applications
- Management server vulnerabilities
  - Potential to compromise virtualization system configuration
  - Can provide a platform from which to attack the administrative VM
- Administrative VM vulnerabilities
  - Compromise system configuration
  - In some systems (like Xen), equivalent to a hypervisor vulnerability in that all guest VMs may be compromised
  - Can provide a platform from which to attack the hypervisor and guest VMs


Virtualization System Vulnerability Classes

- Guest VM vulnerabilities
  - Affect a single VM
  - Can provide a platform from which to attack the administrative VM, hypervisor, and other guest VMs
- Hypervisor vulnerabilities
  - Compromise all guest VMs
  - Cannot be exploited from guest VMs
- Hypervisor escape vulnerabilities
  - A type of hypervisor vulnerability
  - Classified separately because of their importance
  - Allow a guest VM user to escape from their own VM to attack other VMs or the hypervisor
  - Violate the assumption of isolation of guest VMs


Production Virtualization System Vulnerabilities By Class

[Pie chart: production virtualization system vulnerabilities by class]

- Hypervisor escape: 37.5%
- Admin VM: 17.5%
- Mgmt console: 16.3%
- Guest VM: 15.0%
- Mgmt server: 6.3%
- Indeterminate: 6.3%
- Hypervisor: 1.3%


Virtualization System Vulnerability Examples

- Management console
  - CVE-2009-2277: A cross-site scripting vulnerability in a VMware web console allows remote attackers to steal cookie-based authentication credentials
- Management server
  - CVE-2008-4281: VMware VirtualCenter management server can allow a local attacker to use directory traversal sequences to gain elevated privileges
- Administrative VM
  - CVE-2008-2097: A buffer overflow in a VMware management service running in the administrative VM could allow remote authenticated users to gain root privileges


Virtualization System Vulnerability Examples

- Guest VM
  - CVE-2009-2267: A bug in the handling of page fault exceptions in VMware ESX Server could allow a guest VM user to gain kernel mode execution privileges in the guest VM
- Hypervisor
  - CVE-2010-2070: By modifying the processor status register, a local attacker can cause the Xen kernel to crash
- Hypervisor escape
  - CVE-2009-1244: An error in the virtual machine display function on VMware ESX Server allows an attacker in a guest VM to execute arbitrary code in the hypervisor


New Virtualization System-Specific Attacks

- VM jumping/guest hopping
  - Attackers take advantage of hypervisor escape vulnerabilities to jump from one VM to another
- VM attacks
  - Attacks during deployment and duplication
  - Deletion of virtual images
  - Attacks on control of virtual machines
  - Code/file injection into the virtualization file structure


New Virtualization System-Specific Attacks

- VM migration
  - VM migration is the transfer of a guest OS from one physical server to another with little or no downtime
  - Implemented by several virtualization products
  - Provides high availability and dynamic load balancing

[Image: VMware VMotion brochure]



New Virtualization System-Specific Attacks

- VM migration attack
  - If the migration protocol is unencrypted, it is susceptible to a man-in-the-middle attack
  - Allows arbitrary state in the VM to be modified
  - In the default configuration, XenMotion is susceptible (no encryption)
  - VMware's VMotion system supports encryption
  - Proof-of-concept developed by John Oberheide at the Univ. of Michigan

[Image: John Oberheide et al., University of Michigan]
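The migration attack above comes down to a missing integrity property on the transfer. The Python script below is an added example, not part of the IBM deck and not any vendor's migration code: it models a migration stream as numbered memory-page frames, lets an on-path function rewrite one frame in transit, and compares a receiver that accepts frames as they arrive with one that verifies an HMAC-SHA256 tag under a pre-shared key. The frame format, page size, key and tamper function are all constructed for the example; a real deployment gets the same property from the product's encryption option or from running migration over an authenticated tunnel, which adds confidentiality on top of the integrity shown here.

```python
"""Added example (not from the IBM deck): why an unauthenticated migration
stream lets a man-in-the-middle rewrite guest state, and how per-frame
authentication detects it.  The frame format is a constructed stand-in, not
XenMotion's or VMotion's wire protocol."""
import hashlib
import hmac
import struct
from typing import Callable, List, Optional

PAGE_SIZE = 16                             # constructed: tiny "memory pages" keep the demo readable
TAG_SIZE = hashlib.sha256().digest_size    # 32-byte HMAC-SHA256 tag
TARGET_PAGE = 2                            # constructed: the page the man-in-the-middle rewrites


def frame_page(index: int, page: bytes, key: Optional[bytes]) -> bytes:
    """Serialise one guest memory page as header || page || [tag].

    With key=None the frame is plain, as an unencrypted migration protocol
    would send it.  With a key, an HMAC over header and page is appended, so
    the page index is covered as well as the contents (no silent reordering)."""
    body = struct.pack("!II", index, len(page)) + page
    if key is None:
        return body
    return body + hmac.new(key, body, hashlib.sha256).digest()


def parse_frame(frame: bytes, key: Optional[bytes]):
    """Reverse frame_page, verifying the tag in constant time when a key is set."""
    if key is not None:
        body, tag = frame[:-TAG_SIZE], frame[-TAG_SIZE:]
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("migration frame failed authentication")
    else:
        body = frame
    index, length = struct.unpack("!II", body[:8])
    return index, body[8:8 + length]


def tamper_frame(index: int, frame: bytes) -> bytes:
    """Constructed man-in-the-middle: overwrite the contents of TARGET_PAGE in
    transit while leaving the header (and any trailing tag) untouched."""
    if index != TARGET_PAGE:
        return frame
    replacement = b"TAMPERED".ljust(PAGE_SIZE, b".")
    return frame[:8] + replacement + frame[8 + PAGE_SIZE:]


def migrate(pages: List[bytes], key: Optional[bytes] = None,
            tamper: Optional[Callable[[int, bytes], bytes]] = None) -> List[bytes]:
    """Stream every page from source to destination and return the guest memory
    the destination reconstructs.  `tamper`, if given, models an on-path attacker."""
    wire = [frame_page(i, p, key) for i, p in enumerate(pages)]
    if tamper is not None:
        wire = [tamper(i, f) for i, f in enumerate(wire)]
    received = {}
    for frame in wire:
        index, page = parse_frame(frame, key)
        received[index] = page
    if len(received) != len(pages):        # dropped or duplicated frames
        raise ValueError("incomplete migration stream")
    return [received[i] for i in range(len(pages))]


if __name__ == "__main__":
    guest = [bytes([i]) * PAGE_SIZE for i in range(4)]   # constructed guest memory
    key = b"pre-shared migration key"                    # constructed; distributed out of band
    # Unauthenticated stream: the destination happily resumes a guest whose
    # page 2 now holds whatever the attacker wrote.
    print("plain, tampered :", migrate(guest, None, tamper_frame)[TARGET_PAGE])
    # Authenticated stream: the same tampering is rejected before any page is applied.
    try:
        migrate(guest, key, tamper_frame)
    except ValueError as err:
        print("authenticated   :", err)
```

With the key set to None the tampered page is accepted without any error, which is exactly the "arbitrary state in the VM can be modified" outcome on the slide; with the key configured the destination raises on the first bad frame and the migration fails closed. The check is per frame rather than over the whole stream so that a large migration does not have to be buffered before its integrity is known.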



Known Virtualization System Attacks

- Management server attacks
  - Exploit management console vulnerabilities that divulge password information
  - Exploit management console vulnerabilities to gain access to the management server
  - Exploit vulnerabilities that allow local management server users to gain elevated privileges
- Administrative VM attacks exploit vulnerabilities to:
  - Cause a denial of service by halting the system
  - Cause a denial of service by crashing the administrative VM
  - Obtain passwords that are stored in cleartext
  - Exploit buffer overflows in exposed services to execute arbitrary code
  - Exploit vulnerable services to gain elevated privileges
  - Bypass authentication


Known Virtualization System Attacks

- Guest VM attacks exploit vulnerabilities to:
  - Gain elevated privileges
  - Crash the virtual machine
  - Truncate arbitrary files on the system
  - Execute arbitrary code with elevated privileges
- Hypervisor attacks exploit vulnerabilities to:
  - Cause the hypervisor to crash
  - Escape from one guest VM to another


Example Configuration Issues

- Virtual machine configuration
  - Resource reservations and limits (for example, on CPU usage) can be established for individual VMs
    - Allows assignment of more system resources to specific VMs
    - Improper configuration can allow a DoS against one virtual host to affect other hosts on the same server
  - Failure to enable log file rotation can fill the disk and DoS the ESX Server
  - Failure to disable unused devices can introduce unnecessary risk


Example Configuration Issues

- Virtual network configuration
  - Virtual switches are used to define the topology of virtual networks

[Image: VMware]

Example Configuration Issues


- Improper configuration can allow unintended communication among guest VMs
- Network services are enabled to connect virtual machines and kernel services to the physical network
  - Kernel services include features such as virtual machine migration
  - Failure to disable unused services can introduce unnecessary risk
- VLANs can be used to aggregate multiple virtual switch ports under a common configuration
  - Incorrect aggregation can result in misconfiguration of ports


New Virtualization System-Specific Attacks

- Hyperjacking
  - Consists of installing a rogue hypervisor
  - One method for doing this is overwriting pagefiles on disk that contain paged-out kernel code
    - Force the kernel to be paged out by allocating large amounts of memory
    - Find an unused driver in the page file and replace its dispatch function with shellcode
    - Take action to cause the driver to be executed
    - Shellcode downloads the rest of the malware
    - Host OS is migrated to run in a virtual machine
  - Has been demonstrated for taking control of a host OS
  - Hyperjacking of hypervisors may be possible, but not yet demonstrated
  - Hypervisors will come under intense scrutiny because they are such attractive targets
  - Known hyperjacking tools: BluePill, SubVirt, Vitriol


Virtualization System Public Exploits

- 36 public exploits against production virtualization systems have been released
  - Most of these are attacks against third-party components of these systems
- CVE-2009-2267
  - A guest OS user can gain elevated privileges on the guest OS by exploiting a bug in the handling of page faults
  - Affects ESX Server 4 and other VMware products
  - Exploit binary posted at lists.grok.org.uk


Virtualization System Public Exploits

- CVE-2009-3760
  - A remote attacker can write PHP code to a Web server configuration script to execute arbitrary PHP code with the privileges of the server
  - Affects XenCenterWeb
  - Exploit URLs are provided in a Neohapsis post


Virtualization System Public Exploits

- CVE-2007-5135
  - An OpenSSL buffer overflow vulnerability allows a remote attacker to execute arbitrary code on the system
  - Affects VMware ESXi server 3.5, presumably the administrative VM (the service console)
  - A Neohapsis post describes the exploit
    - Involves sending multiple ciphers to take advantage of an off-by-one error in OpenSSL's cipher processing code


Summary of Virtualization System Security Concerns

- Virtualization systems have added new vulnerabilities to infrastructure
  - 259 new vulnerabilities over the last 5 years (XFDB)
- Use of virtualization systems doesn't add inherent security: the same connectivity to servers is still needed
- Addition of a new operating system (the hypervisor) increases the attack surface
  - Doesn't replace existing OSes
- Potential for new types of attacks
- Migration of VMs for load balancing can make them more difficult to secure
- Ease of adding new VMs can increase the likelihood that insecure systems will go online
- New management systems are needed for virtualization systems, which increases the attack surface

Technologies for Virtualization-Based Security Enhancement

- Some technologies can take advantage of virtualization to improve security
  - IBM Security Virtual Server Protection for VMware
    - Takes advantage of virtualization to provide IPS protection for all communication between VMs on a virtualization server
    - Traditional IPS provides protection only where appliances are installed
- The future may see virtualization-based sandboxing
  - A sandbox environment is a locked-down OS that restricts what programs can do, for example by disallowing network access
  - Sandboxes could run in separate VMs and be used for opening untrusted files and running untrusted applications


Virtualization System Configuration Recommendations

- Don't connect virtualization system hosts to operational networks until fully configured
- Management server configuration
  - Management servers should be segregated from operational networks via an appropriately configured firewall or router
  - Restrict access to management system databases to the management server, a database administrator, and backup software
  - Limit access to remote management tools
  - Use limited accounts
  - Connections to virtualization systems should be encrypted and authenticated
  - Use logging


Virtualization System Configuration Recommendations

- Administrative VM configuration
  - Avoid installing third-party software
  - Disable or restrict access to unused network services
  - Synchronize clocks on virtualization servers and management servers to aid log analysis
  - Manage log size to avoid filling partitions
  - Implement file system integrity checking and password policies
  - Only allow server administrators to manage administrative VMs
  - Disable root console logins


Virtualization System Configuration Recommendations

- Guest VM configuration
  - Harden servers
    - Update and patch the OS
    - Use single-role servers; disable unnecessary services
    - Use a local firewall to ensure limited host control
    - Use limited-scope admin accounts with strong passwords
  - Protect virtual machine files
    - Use access control lists
    - Use encryption
    - Use auditing of file operations (access, creation, deletion, ...)
  - Disable unnecessary or unused virtual devices
  - Use hardened VM images as the basis for new VMs
    - VMware supports templates for creation of new VM images


Virtualization System Configuration Recommendations

- Virtualization environment configuration
  - Install hypervisor updates and patches
  - If possible, install VMs with different security profiles on different physical machines
    - The existence of hypervisor escape vulnerabilities makes this prudent
    - Otherwise, use virtual firewalls between groups of machines with different security postures
  - Isolate VM traffic by defining VLAN port groups in virtual switches and associating each VM virtual adapter with the appropriate port group
  - If supported, configure port groups to:
    - Restrict virtual adapters from entering promiscuous mode
    - Avoid changing virtual NICs' own MAC addresses
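The port-group recommendations above, together with the virtual network configuration issues listed earlier (unintended communication among guests, kernel services sharing the physical network, incorrect VLAN aggregation), are the kind of settings that drift after a deployment is built. The script below is an added example written for this page, not IBM's or VMware's code: it audits a constructed virtual-switch inventory against those recommendations and reports each deviation. The inventory dictionaries, zone names, VM names and the `kernel_service` marker are all assumptions made for the example; the three boolean settings mirror the three options of a VMware port-group security policy (promiscuous mode, MAC address changes, and forged transmits, the last of which the deck does not mention but belongs to the same policy). A real audit would fill the same structures from the management server's API.

```python
"""Added example (not from the IBM deck): audit a virtual-switch inventory
against the deck's isolation recommendations.  All inventory data below is
constructed for the example."""
from collections import defaultdict

# Constructed inventory: port groups on one virtual switch.  The boolean
# fields mirror a VMware port-group security policy; "kernel_service" marks a
# port group reserved for hypervisor traffic such as migration (assumption).
PORT_GROUPS = {
    "pg-dmz":      {"vlan": 10, "allow_promiscuous": False, "mac_changes": False, "forged_transmits": False},
    "pg-internal": {"vlan": 20, "allow_promiscuous": True,  "mac_changes": True,  "forged_transmits": False},
    "pg-lab":      {"vlan": 20, "allow_promiscuous": False, "mac_changes": False, "forged_transmits": True},
    "pg-vmotion":  {"vlan": 30, "allow_promiscuous": False, "mac_changes": False, "forged_transmits": False,
                    "kernel_service": "migration"},
}

# Constructed policy: which port groups the guests of each security zone may use.
ZONE_PORT_GROUPS = {"dmz": {"pg-dmz"}, "internal": {"pg-internal"}, "lab": {"pg-lab"}}

# Constructed guest adapters: (vm name, security zone, port group it is attached to).
VM_ADAPTERS = [
    ("web01", "dmz", "pg-dmz"),
    ("db01", "internal", "pg-internal"),
    ("web02", "dmz", "pg-internal"),     # DMZ guest placed on the internal port group
    ("test01", "lab", "pg-vmotion"),     # guest attached to the kernel-service port group
]


def audit_port_group_policies(port_groups):
    """Flag port groups whose security policy lets a guest see or spoof other guests' traffic."""
    findings = []
    for name, pg in port_groups.items():
        if pg["allow_promiscuous"]:
            findings.append((name, "promiscuous mode allowed: adapters can sniff other VMs' traffic"))
        if pg["mac_changes"]:
            findings.append((name, "MAC address changes allowed: a guest can assume another VM's MAC"))
        if pg["forged_transmits"]:
            findings.append((name, "forged transmits allowed: a guest can send frames with a spoofed source MAC"))
    return findings


def audit_vlan_aggregation(port_groups, zone_port_groups):
    """Two port groups serving different zones but sharing one VLAN ID are not isolated from each other."""
    pg_zone = {pg: zone for zone, pgs in zone_port_groups.items() for pg in pgs}
    zones_by_vlan = defaultdict(set)
    for name, pg in port_groups.items():
        if name in pg_zone:
            zones_by_vlan[pg["vlan"]].add(pg_zone[name])
    return [(f"vlan {vlan}", "shared by zones " + ", ".join(sorted(zones)))
            for vlan, zones in sorted(zones_by_vlan.items()) if len(zones) > 1]


def audit_adapter_placement(adapters, port_groups, zone_port_groups):
    """Flag guest adapters on a kernel-service port group or outside their zone's port groups."""
    findings = []
    for vm, zone, pg_name in adapters:
        pg = port_groups.get(pg_name)
        if pg is None:
            findings.append((vm, f"attached to unknown port group {pg_name}"))
        elif "kernel_service" in pg:
            findings.append((vm, f"attached to kernel-service port group {pg_name} ({pg['kernel_service']})"))
        elif pg_name not in zone_port_groups.get(zone, set()):
            findings.append((vm, f"zone {zone} guest on port group {pg_name} (VLAN {pg['vlan']})"))
    return findings


def audit(port_groups=PORT_GROUPS, zone_port_groups=ZONE_PORT_GROUPS, adapters=VM_ADAPTERS):
    """Run all three checks and return the combined list of (object, finding) tuples."""
    return (audit_port_group_policies(port_groups)
            + audit_vlan_aggregation(port_groups, zone_port_groups)
            + audit_adapter_placement(adapters, port_groups, zone_port_groups))


if __name__ == "__main__":
    for subject, message in audit():
        print(f"{subject}: {message}")
```

On the constructed inventory the audit reports six findings: the two weak settings on pg-internal, the forged-transmits setting on pg-lab, VLAN 20 being shared by the internal and lab zones, the DMZ guest web02 sitting on the internal port group, and test01 attached to the migration port group. Each maps back to a line on the slides, which is what makes the check useful as a recurring control rather than a one-time review.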


Summary

- Virtualization system interest and vulnerabilities have both increased
- Virtualization system vulnerabilities can be characterized by what they affect
- Known attacks exist against all virtualization system components
- Public exploits have been released for some virtualization system vulnerabilities
- Virtualization systems have introduced new types of attacks
- Currently, virtualization systems make networks less secure
- Some technologies can offer virtualization-based security enhancement
- Proper configuration can reduce virtualization system risk


References

- X-Force 2010 Midyear Trend Report: http://www-935.ibm.com/services/us/iss/xforce/trendreports/
- X-Force database: http://xforce.iss.net/
- VMware ESX Server 3 Configuration Guide: http://www.vmware.com/pdf/vi3_35/esx_3/r35/vi3_35_25_3_server_config.pdf
- NSA ESX 3 Server Configuration Guide: http://www.nsa.gov/ia/_files/support/I733-009R-2008.pdf
- Virtualization Security (Microsoft presentation): http://download.microsoft.com/download/8/c/6/8c62bac5-af9b-4815-be7f3165c61ddd81/Day2Session-VirtualizationSecurity-RickClaus.pdf
- Subverting Vista Kernel for Fun and Profit (BlackHat presentation by Joanna Rutkowska): http://web.archive.org/web/20070928060104/blackhat.com/presentations/bh-usa-06/BHUS-06-Rutkowska.pdf
- SubVirt: Implementing malware with virtual machines (U. of Michigan and Microsoft): http://www.eecs.umich.edu/virtual/papers/king06.pdf
- Empirical Exploitation of Live Virtual Machine Migration (John Oberheide et al.): http://www.eecs.umich.edu/fjgroup/pubs/blackhat08-migration.pdf

References

- From Virtualization vs. Security to Virtualization Based Security (Steve Orrin, Intel presentation): http://event.isacantx.org/_event_files/346_Lunch_Orrin_VirtSec_Part2_v1.pdf
- VMware Security Hardening Guide: http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf
- Wikipedia article on sandboxing: http://en.wikipedia.org/wiki/Sandbox_(computer_security)
- What You Need to Know About Securing Your Virtual Network (Daniel Petri): http://www.petri.co.il/what-you-need-to-know-about-vmware-virtualization-security.htm

