virtualization-aravind_1234567891011.ppt

UNIT-III
Virtualization System Security
• Virtualization System-Specific Attacks:
• Guest hopping,
• Attacks on the VM (delete the VM, attack on the control
of the VM, Code or file injection into the virtualized file
structure),
• VM migration attack, hyper jacking.

Introduction : Virtual Threats
© 2010 IBM Corporation
•
• Some threats to virtualized systems are general in nature, as they are
inherent threats to all computerized systems (such as denial-of-service, or
DoS, attacks).
Many VM vulnerabilities stem from the fact that a vulnerability in one VM
system can be exploited to attack other VM systems or the host systems,
as multiple virtual machines share the same physical hardware, as shown
in Figure

Introduction : Virtual Threats-
Some of the vulnerabilities exposed
VMware VMotion brochure
Shared clipboard — Shared clipboard technology allows data to be transferred
between VMs and the host, providing a means of moving data between malicious programs
in VMs of different security realms.
Keystroke logging — Some VM technologies enable the logging of keystrokes and screen
updates to be passed across virtual terminals in the virtual machine, writing to host fi les and
permitting the monitoring of encrypted terminal connections inside the VM
VM monitoring from the host — Because all network packets coming from or going to a VM
pass through the host, the host may be able to affect the VM by the following:
Starting, stopping, pausing, and restart VMs
Monitoring and configuring resources available to the VMs, including CPU, memory, disk,
and network usage of VMs
Adjusting the number of CPUs, amount of memory, amount and number of virtual disks,
and number of virtual network interfaces available to a VM
Monitoring the applications running inside the VM
Viewing, copying, and modifying data stored on the VM’s virtual disks

Some of the vulnerabilities exposed
Virtual machine monitoring from another VM — Usually,
VMs should not be able to directly access one another’s
virtual disks on the host.
However, if the VM platform uses a virtual hub or switch to
connect the VMs to the host, then intruders may be able to
use a hacker technique known as “ARP poisoning” to redirect
packets going to or from the other VM for sniffing.
Virtual machine backdoors — A backdoor, covert
communications channel between the guest and host could
allow intruders to perform potentially dangerous operations.

ESX Server Application Vulnerability Severity Code Definitions

Introduction : Virtual Threats- VM THREAT LEVELS
When categorizing the threat posed to virtualized environments, often the
vulnerability/threat matrix is classified into three levels of compromise:
•Abnormally terminated — Availability to the virtual machine is
compromised, as the VM is placed into an infinite loop that prevents the
VM administrator from accessing the VM’s monitor.
• Partially compromised — The virtual machine allows a hostile
process to interfere with the virtualization manager, contaminating
state checkpoints or over-allocating resources.
• Totally compromised — The virtual machine is completely overtaken
and directed to execute unauthorized commands on its host with
elevated privileges.

New Virtualization System-Specific Attacks
Hypervisor Risks
• The hypervisor is the part of a virtual machine that allows host resource
sharing and enables VM/host isolation.
•Therefore, the ability of the hypervisor to provide the necessary isolation
during intentional attack greatly determines how well the virtual machine can
survive risk.
•One reason why the hypervisor is susceptible to risk is because it’s a software
program; risk increases as the volume and complexity of application code
increases.
• Ideally, software code operating within a defined VM would not be able
to communicate or affect code running either on the physical host itself or within
a different VM; but several issues, such as bugs in the software, or limitations to
the virtualization implementation, may put this isolation at risk.
•Major vulnerabilities inherent in the hypervisor consist of rogue hypervisor
rootkits, external modification to the hypervisor, and VM escape.

Rogue Hypervisors Rootkits or Hyper jacking:
In a normal virtualization scenario, the guest operating system (the operating
system that is booted inside of a virtualized environment) runs like a traditional OS
managing I/O to hardware and network traffic, even though it’s controlled by the
hypervisor.
VM-based rootkits can hide from normal malware detection systems by initiating a
“rogue” hypervisor and creating a cover channel to dump unauthorized code into the
system.
Proof-of-concept (PoC) exploits have demonstrated that a hypervisor rootkit can
insert itself into RAM, downgrade the host OS to a VM, and make itself invisible.
A properly designed rootkit could then stay “undetectable” to the host OS, resisting
attempts by malware detectors to discover and remove it.

Rogue Hypervisors Rootkits or Hyper jacking:
This creates a serious vulnerability in all virtualized systems.
Detectability of malware code lies at the heart of intrusion
detection and correction, as security researchers analyze code
samples by running the code and viewing the result.
In addition, some malware tries to avoid detection by anti-virus
processes by attempting to identify whether the system it has
infected is traditional or virtual.
If found to be a VM, it remains inactivated and hidden until it can
penetrate the physical host and execute its payload through a
traditional attack vector.

■ Rogue Hypervisors Rootkits or Hyper jacking:
–Consists of installing a rogue hypervisor
• Hyperjacking is an attack in which a hacker takes malicious control
over the hypervisor that creates the virtual environment within a
virtual machine (VM) host.
• The point of the attack is to target the operating system that is
below that of the virtual machines so that the attacker's program
can run and the applications on the VMs above it will be
completely oblivious to its presence.
• Hyperjacking involves installing a malicious, fake hypervisor that
can manage the entire server system.
• In hyperjacking, the hypervisor specifically operates in stealth
mode and runs beneath the machine, it makes more difficult to
detect and more likely gain access to computer servers where it
can affect the operation of the entire institution or company.

■ Rogue Hypervisors Rootkits or Hyper jacking:
–Consists of installing a rogue hypervisor
• 1. Injecting a rogue hypervisor beneath the original hypervisor;
• 2. Directly obtaining control of the original hypervisor;
• 3. Running a rogue hypervisor on top of an existing hypervisor.
• One method for doing this is overwriting pagefiles on disk that
contain paged-out kernel code
• Force kernel to be paged out by allocating large amounts of
memory
• Find unused driver in page file and replace its dispatch function
with shellcode
• Take action to cause driver to be executed
• Shellcode downloads the rest of the malware
• Host OS is migrated to run in a virtual machine
–Has been demonstrated for taking control of Host OS
–Hyperjacking of hypervisors may be possible, but not yet demonstrated
• Hypervisors will come under intense scrutiny because they are
such attractive targets Known hyperjacking tools: BluePill,
SubVirt, Vitriol

Virtualization System Public Exploits
CVE-2015-3456: VENOM vulnerability
The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows
local guest users to cause a denial of service (out-of-bounds write and guest crash) or
possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2)
FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands
•
• VENOM refers to a security vulnerability that results from a buffer overflow in a kernel-level
driver included in many default virtualized environments.
The VENOM vulnerability has the potential to provide attackers with access to the host
operating system and, as a result, other guest operating systems on the same host.
VENOM, an acronym for Virtualized Environment Neglected Operations Manipulation, arises
from QEMU’s virtual Floppy Disk Controller (FDC), which carries a vulnerability that could
enable an attacker to run code by pairing one of two flawed commands related to the
controller with a buffer overflow.
The VENOM vulnerability affects KVM, Xen and native QEMU virtual machines.
Virtual machines running on Microsoft Hyper-V or VMware hypervisors are not affected by
VENOM.
The VENOM vulnerability works with the default configuration of the affected virtualization
platforms, so even when the FDC drive has not been added to the platform, systems are still
•
•
•
•
•
vulnerable.

External Modification of the Hypervisor:
In additional to the execution of the rootkit
payload, a poorly protected or designed
hypervisor can also create an attack vector.
Therefore, a self-protected virtual machine may
allow direct modification of its hypervisor by an
external intruder.
This can occur in virtualized systems that don’t
validate the hypervisor as a regular process.

VM Escape
Due to the host machine’s fundamentally privileged
position in relationship to the VM, an improperly
configured VM could allow code to completely bypass the
virtual environment, and obtain full root or kernel access
to the physical host
This would result in a complete failure of the security
mechanisms of the system, and is called VM escape.
Virtual machine escape refers to the attacker’s ability to
execute arbitrary code on the VM’s physical host, by
“escaping” the hypervisor.
VM escapes could occur through virtual machine shared
resources called VMchat, VMftp, vCAT, and VMdrag-n-
Drop

Case Study: Virtualization System Public Exploits
■ 36 public exploits against production virtualization systems have been
released
Most of these are attacks against third-party components of these
systems
CVE-2009-2267
–Guest OS user can gain elevated privileges on guest OS by
exploiting a bug in handling of page faults
■
■
–Affects ESX server 4 and other VMware products
–Exploit binary posted at lists.grok.org.uk

VM migration
–Migration attack is an attack on the network during VM
migration from one place to another. This attack is an exploit on
the mobility of virtualization.
–Since VM images are easily moved between physical machines
through the network, enterprises constantly
move VMs to various places based on their
usage.
–For example, VMs from a canceled customer may be moved to
a backup data center, and VMs that need maintenance may be
moved to a testing data center for changes.
–Thus, when VMs are on the network between secured
perimeters, attackers can exploit the network vulnerability to
gain unauthorized access to VMs.
– Similarly, the attackers can plant malicious code in the VM
images to plant attacks on data centers that VMs travel
between.

VM MIGRATION explained-
Video Animation-Flipped
Activity

VM migration-Types and Techniques
Cold Migration
Before migration, the virtual machine must be powered off, after
doing this task. The old one should be deleted from source host.
Moreover, the virtual machine need not to be on shared storage.
Warm Migration
Whenever transfer OS and any application, there is no need to
suspend the source host. Basically it has high demand in
public cloud.
Live Migration
It is the process of moving a running virtual machine
without stopping the OS and other applications from source
host to destination host.

■VM migration-Types and Techniques
1)Pre- Copy Migration:
In this migration, the hypervisor copies all memory page from source machine to destination
machine while the virtual machine is running. It has two phases: Warm- up Phase and stop and
copy phase.
a) Warm Up Phase:
During copying all memory pages from source to destination, some memory pages changed
because of source machine CPU is active. All the changed memory pages are known as dirty
pages. All these dirty pages are required to recopy on destination machine; this phase is called as
warm up phase.
b) Stop & Copy Phase: Warm up phase is repeated until all the dirty pages recopied on destination
machine. This time CPU of source machine is deactivated till all memory pages will transfer
another machine. Ultimately at this time CPU of both source and destination is suspended, this
is known as down time phase. This is the main thing that has to explore in migration for its
optimization.

virtualization-aravind_1234567891011.ppt

■ VM migration-Types and Techniques
2) Post- Copy Migration:






 In this technique, VM at the source is suspended to start post copy VM
migration.
When VM is suspended, execution state of the VM (i.e. CPU state,
registers, non-pageable memory) is transferred to the target.
In parallel the sources actively send the remaining memory pages of the
VM to the target.
This process is known as pre-paging.
At the target, if the VM tries to access a page that has not been
transferred yet, it generates a page fault, also known as network
faults. These faults are redirect to the source, which responds with the
faulted pages.
Due to this, the performance of applications is degrading with number of
network faults.
To overcome this, pre-paging scheme is used to push pages after the last
fault by dynamically using page transmission order

■ Live VM migration steps of Google Compute Engine

■ VM migration
–VM migration is transfer of guest OS from one physical server to another with
little or no downtime
–Implemented by several virtualization products
–Provides high availability and dynamic load balancing
VMware VMotion brochure

■ VM migration attack
– If migration protocol is unencrypted, susceptible to man-in-the-middle attack
– Allows arbitrary state in VM to be modified
– In default configuration, XenMotion is susceptible (no encryption)
– VMware’s VMotion system supports encryption
– Proof-of-concept developed by John Oberheide at the Univ. of Michigan
John Oberheide et. al.
University of Michigan

Analysis of Hyper jacking Attack and Mitigation Techniques

virtualization-aravind_1234567891011.ppt

More Related Content

Similar to virtualization-aravind_1234567891011.ppt (20)

More from aravym456 (20)

Recently uploaded (20)

virtualization-aravind_1234567891011.ppt