Challenges of Virtual Machine Security are Multiplying

Virtualization is a boon for data centers and other scenarios in which concentrated computer resources are necessary.


Significant questions about the security of the technology persist, however. Indeed, it seems that the questions are proliferating. At Black Hat DC last week, a researcher demonstrated how to hack into VMware and Xen products during the movement of the virtual machine from one physical machine to another.


Dark Reading reports that the University of Michigan's Jon Oberheide introduced Xensploit, a tool that can take over the virtual machine's hypervisor and applications and, ultimately, gain access to data. Oberheide said that the data is moved in the clear, which can leave the process open for the type of man-in-the-middle attacks generally associated with public Wi-Fi schemes.


In still another piece of bad news for VMware, ZDNet reports that Core Security Technologies has released proof-of-concept software that demonstrates the ability of a hacker to create or modify executable files on the host operating system. The story goes into good detail on the exploit, the damage it can do and how it came to light.


Apparently, the issue of security and virtualization is coming to a head. On one hand, the story says, VMware is nearing an announcement on a security initiative with other companies. On the other, Core is pushing the issue by timing the release of news of the exploit to coincide with the VMworld event in Cannes. The hope was to pressure the company into taking action. Core, according to the story, says that VMware had known about the flaw for four months.


Security is only a small part of this Tech Republic piece, which relates 10 important facts about virtualization. The overall piece is a worthwhile read, however. Especially useful is the first item, which points out that virtualization actually covers five operations: desktop virtualization, virtual testing environments, presentation virtualization, application virtualization and storage virtualization.


The security element of the piece actually offers a rare positive spin. The writer says that isolating servers on discrete virtual machines can be more secure than running several servers on the same operating system. She also points to the ability to isolate applications in "sandboxes." In an item related to security, the writer says that disaster recovery can be done much more quickly in a virtual environment than in one in which the operating system, application and data all must be reinstalled.


This paper, presented by a Google researcher at CanSecWest, is highly complex; fortunately, it is summarized in this Smart Security blog posting. The blogger sums up the security status of virtualization smartly enough that it is worth quoting:

Virtual machines are sometimes thought of as impenetrable barriers between the guest and host, but in reality they're (usually) just another layer of software between you and the attacker. As with any complex application, it would be naive to think such a large codebase could be written without some serious bugs creeping in.

The paper, the blogger says, mostly identifies flaws such as buffer overflows. At this point, even the blogger's explanation becomes a bit abstruse. It is clear, however, that the paper backs up the growing belief that virtualization is vulnerable.


This Data Storage Today piece takes a high-level look at virtualized security. Specifically, it looks at four major concerns that have been expressed about the platform. Potential users are concerned about "virtual machine escapes," which are the movement of an attack from a hypervisor to the virtual machines resident on the same physical host. The second worry is that virtual machines increase patching burdens. The third concern is the challenge of whether or not to run virtual machines in the DMZ. Finally, the fact that hypervisors are new and untested is thought likely to attract hackers.