On virtualisation

Tuesday, May 29, 2007 4:20 PM

Following Panayiotis' and Niels' post on malware, I'd like to discuss a somewhat related topic, virtualisation. Virtual machines are often used by security researchers to sandbox malware samples for analysis, or to protect a machine from a potentially hazardous activity. The theory is that any security threat or malicious behaviour will be restricted to the virtual environment which can be discarded and then restored to pristine condition after use.

Virtual machines are sometimes thought of as impenetrable barriers between the guest and host, but in reality they're (usually) just another layer of software between you and the attacker. As with any complex application, it would be naive to think such a large codebase could be written without some serious bugs creeping in. If any of those bugs are exploitable, attackers restricted to the guest could potentially break out onto the host machine. I investigated this topic earlier this year, and presented a paper at CanSecWest on a number of ways that an attacker could break out of a virtual machine.

Most of the attacks identified were flaws, such as buffer overflows, in emulated hardware devices. One example of this is missing bounds checking in bitblt routines, which are used for moving rectangular blocks of data around the display. If exploited, by specifying pathological parameters for the operation, this could lead to an attacker compromising the virtual machine process. While you would typically require root (or equivalent) privileges in the guest to interact with a device at the low level required, device drivers will often offload the parameter checking required onto the hardware, so in theory an unprivileged attacker could be able to access flaws like this by simply interacting with the regular API or system call interface provided by the guest operating system.

While researching this topic we worked with the vendors affected to make sure they were aware of our findings, and provided patches where possible. I've also suggested some precautions virtualization you can take to minimise the impact of any flaws like this discovered in future, such as:

Reduce the attack surface

By disabling emulated devices, features and services you don't need you reduce the amount of code exposed to an attacker, thus reducing the number of possible bugs that can be exploited. You should also aim to protect the integrity of the guest operating system, making it harder for an attacker to get lower level access to emulated hardware. By keeping software in the guest up to date, and hardening it by locking down the operating system and minimising what is run with root or admin privileges, you can reduce the risk of privilege escalation attacks. If an attacker cannot get low level access to the emulated hardware, it will be more difficult to exploit the bugs in them. Remember that some legacy operating systems make no attempt to restrict access to I/O ports and similar interfaces, these should be used with caution in a security sensitive context.

Treat virtual machines as services that can be compromised

Most administrators will take steps to limit the impact of a compromise of a network facing daemon, such as using chroot() or running the daemon as a low privileged user. These same tactics can be applied to your virtual machine. As always, try to minimise what has to run as root or administrator.

Keep software up to date

Keep your virtual machine software up to date, and look out for any security advisories from your vendor so that you can apply any patches promptly.
The comments you read here belong only to the person who posted them. We do, however, reserve the right to remove off-topic comments.


Plonit said...

GreenBorder / Virtualization -
Does it all go together with this article

Icarus said...

Cant really agree more there. The simple version of this article could go as follows :

"On virtualisation : There is no silver bullet, try again"

Doublt this will stop vendors from trying to sell it as such silver bullet. Ah, we will see :)

Steve said...

icarus. I dont think the vendors are selling virtual machines as a silver bullet to solve the malware problem. Security research is simply another application of VM. Many IT admins use VM technology to consolidate their IT services onto one machine, instead of having a different physical machine for each service... VM is also VERY useful for software testing too....

//Steve Jackson
Malware Researcher

Steve said...

btw. Nice to see Google having a security related blog!!


Chris said...

Security researchers use VMs because they have handy snapshot and revert features.

Some OSes have snapshot and revert features, but they are inconvenient to use.

I'd agree that VMs are just another container like processes, chroot jails, etc. which offer some security properties, but are not a magic bullet.

-chris wee

Ilya Rabinovich said...

Unfortunately, virtualization has a lot of security-related problems. It require constant revert to original state. Sandbox HIPS without virtualization (DefenseWall HIPS, GeSWall) gives much more security to their users compare to sandbox HIPS with virtualization (ex-Greenborder, SandboxIE,...).