The “hype” over the Xen hypervisor flaw put the technology back in the spotlight.
Since we do not cover virtualisation or cloud in any great depth, this hasn’t been an area I have focused on, but we do cover flaws and this was of interest. I recently caught up with hypervisor vendor Bromium, whose security researcher Rafal Wojtczuk was presenting on “lessons learned from 8 years of breaking hypervisors” at the Black Hat Europe conference.
He said that he had “been fascinated by hypervisor security” since he found his first vulnerabilities in 2006 and, having recently found more, the area continued to interest him. He explained that there are two types of hypervisor: one has sole control of the platform; the other is part of the operating system and not only has privileged code on the platform and coexists with Windows, but is quite different and creates opportunities for an attacker trying to break out of the virtual machine.
He said: “To run an attack, it needs an instruction to behave properly and if the code runs, you can access memory outside of the virtual machine, but it will make no sense to do that as there would be no protection.
“Separation by hypervisor is good, but for a virtual machine to be useful you need to drill holes in the container and let the hypervisor communicate with the outside world.”
Rafal said that one of the main functionalities of the hypervisor is to provide communication channels for code running in the virtual machine and in the outside world, and hypervisor code is not very large in comparison to mainline off the shelf products.
He said: “It is management code that’s not under the control of attacker, and my virtualisation system uses a hypervisor and it is verified, but what other parts are relevant or security critical? If you verify software, it is not the end of the story.
“The hypervisor is responsible for intercepting the actions of the driver running in the virtual machine, and the network card driver does a job on behalf of the virtual machine. A lot of virtualisation vendors try to add services for functionality and ease of use, and there is some code running outside the virtual machine and security is critical, and it is a channel for the virtual machine as the code listens for requests.”
Giving an example, he pointed at a shared folder functionality that immediately creates an attack surface, as it is not perfectly written and this creates problems. He said that if the goal is functionality, then the threat vector grows as you allow development of code. “If the goal is fixtures, then don’t expect it to run malware,” he said. “You can run type of hypervisor and if you use virtualisation, it is security by isolation. You can isolate the code in a cave and then the critical part is being careful on how you choose a hypervisor and how it interacts with the surface.”
Asked if there could be such a thing as a zero-attack surface, Rafal said that, if it is so insecure, then the answer is not straightforward, as there are options for isolating malicious code, because “everyone has given up writing code with no vulnerabilities”.
He said that the current trend is to isolate and, in the case of applications, try to isolate a large portion of the code and run it in a sandbox; that is implemented by wrapping it in a sandbox which is intended to limit the attack surface.
Rafal said that normally you do not choose between security and isolation, as you wrap it all in a sandbox in the virtual machine, where the attacker would have to break out of both. “The beauty of virtualisation is you can do it at one layer, but assume the hypervisor can be attacked, and if it can be attacked within sandbox it increases the exposure layer,” he said.
He explained that isolation by virtualisation can improve security and it is possible to design a hypervisor in a way that does not sacrifice security, specifically by designing the hypervisor to be as small as possible, so that it has a small attack surface.
Rafal concluded by saying that the hypervisor does have a known attack surface, but it is useful to protect an operating system and if you have a secure OS, you don’t need a hypervisor. “If you design a hypervisor or choose one, try to find out what options the vendor made to make it possible,” he said.
I caught up with his colleague and chief security architect Rahul Kashyap, who said that hypervisor security is a “black art” for most people.
He said: “One of the core values of the hypervisor is the security aspect, and we don’t realise it but the hypervisor is very prevalent in the cloud. All critical infrastructures use a hypervisor as it is more optimised and it gives better security, and all of the multi-tenancies in the cloud are because of the hypervisor. So if you optimise the hypervisor, you can own the cloud.”
When I asked him about that point on owning the cloud, he said that there are a few hypervisors which are widely prevalent, and a lot of critical infrastructure relies on the robustness of hypervisors. “Breaking the hypervisor is not easy and even if you are a good security researcher, you may not be able to get into the technology, so you need expertise in low level technology and this sort of information is not that common,” he said.
“This is not about cloud security, this is about the hypervisor on the client side and it is not targeted to cloud security, more on mistakes that you need to consider in the hypervisor when building a hypervisor. There is always this notion that you become bigger and bigger on the hypervisor side, so how do you limit that? Some people use the virtual box for malware analysis in the hypervisor as it is open source; it has to be targeted and sophisticated malware but it is possible unless you harden the hypervisor well enough.”
Rahul said that so far, the hypervisor has been devoid from the security world and there has been more focus on virtualisation, and there are security benefits but people have not tried to integrate the two.
He said: “VMware tried with ‘Introspection’ inside the virtual machine so you have full visibility and looking below the hypervisor. There are advantages to it as it is more robust and you get insight into malware that you normally wouldn’t on the host operating system. There are a lot of possibilities and opportunities to explore.”
Rahul said that a lot of companies are catching up with the concept of combining HV with security technologies, so perhaps there is the possibility of doing something different and it being a more secure offering.
Naturally this is not a new concept, nor an unbreakable solution, but what Bromium demonstrated is that this can be a modern defence mechanism to do better analysis of malware and use virtual machines. If you haven’t got into the virtual world, then be aware that the dark art is being watched by many.