(1)

Virtualization System Security

Bryan Williams, IBM X-Force Advanced Research

Tom Cross, Manager, IBM X-Force Security Strategy

(2)

Overview

Vulnerability disclosure analysis

Vulnerability classes

Vulnerability examples

Virtualization-system specific attacks

Known virtualization system attacks

Public virtualization system exploits

Summary of virtualization system security concerns

Technologies for virtualization-based security enhancement

Configuration recommendations

(3)

The Importance of Virtualization System Security

Businesses are increasingly relying on virtualization technology

In Q4 2009, 18.2% of servers shipped were virtualized – a 20% increase over the 15.2% shipped in Q4 2008

Growing interest in cloud computing will fuel further demand

Vulnerability disclosures have grown as interest has grown – Source: IBM X-Force 2010 Midyear Trend Report

(4)

The Risk Imposed by Virtualization System Vulnerabilities

Disclosed vulnerabilities pose a significant security risk

40% of all reported vulnerabilities have high severity

– Tend to be easy to exploit, provide full control over attacked system

Exploits have been publicly disclosed for 14% of vulnerabilities

(5)

The Risk To Production Systems

Most reported vulnerabilities affect production virtualization systems

– Production systems run “on the bare metal” – hypervisor acts as operating system

– Contrast with workstation systems, which run on top of a host OS

(6)

Vendor Disclosures by Vendor

Low percentages for Oracle, IBM, and Microsoft

VMware: 80.9% RedHat: 6.9% Citrix: 5.8%

Oracle: 1.8% IBM: 1.1% Microsoft: 0.9%

(7)

Virtualization System Vulnerability Classes

Vulnerabilities can be classified by what they affect

[Figure: components of a virtualization system – system administrators, guest VM users, admin VM, guest VMs, hypervisor, hardware, virtualization server]

(8)

Virtualization System Vulnerability Classes

Management console vulnerabilities

–Affect the management console host

–Can provide platform or information allowing attack of management server

–Can occur in custom consoles or web applications

Management server vulnerabilities

–Potential to compromise virtualization system configuration

–Can provide platform from which to attack administrative VM

Administrative VM vulnerabilities

–Compromises system configuration

–In some systems (like Xen), equivalent to a hypervisor vulnerability in that all guest VMs may be compromised

–Can provide platform from which to attack hypervisor and guest VMs

(9)

Virtualization System Vulnerability Classes

Guest VM vulnerabilities

–Affect a single VM

–Can provide platform from which to attack administrative VM, hypervisor, and other guest VMs

Hypervisor vulnerabilities

–Compromise all guest VMs

–Cannot be exploited from guest VMs

Hypervisor escape vulnerabilities

–A type of hypervisor vulnerability

–Classified separately because of their importance

–Allow a guest VM user to “escape” from own VM to attack other VMs or hypervisor

–Violate assumption of isolation of guest VMs

(10)

Production Virtualization System Vulnerabilities By Class

[Chart: share of production virtualization system vulnerabilities by class]

Hypervisor escape (37.5%)

Admin VM (17.5%)

Mgmt console (16.3%)

Guest VM (15.0%)

Mgmt server (6.3%)

Indeterminate (6.3%)

Hypervisor (1.3%)

(11)

Virtualization System Vulnerability Examples

Management console

–CVE-2009-2277: A cross-site scripting vulnerability in a VMware web console allows remote attackers to steal cookie-based authentication credentials

Management server

–CVE-2008-4281: VMware VirtualCenter management server can allow a local attacker to use directory traversal sequences to gain elevated privileges

Administrative VM

–CVE-2008-2097: A buffer overflow in a VMware management service running in the administrative VM could allow remote authenticated users to gain root privileges

(12)

Virtualization System Vulnerability Examples

Guest VM

–CVE-2009-2267: A bug in the handling of page fault exceptions in VMware ESX Server could allow a guest VM user to gain kernel mode execution privileges in the guest VM

Hypervisor

–CVE-2010-2070: By modifying the processor status register, a local attacker can cause the Xen kernel to crash

Hypervisor escape

–CVE-2009-1244: An error in the virtual machine display function on VMware ESX Server allows an attacker in a guest VM to execute arbitrary code in the hypervisor

(13)

New Virtualization System-Specific Attacks

VM jumping/guest hopping

–Attackers take advantage of hypervisor escape vulnerabilities to “jump” from one VM to another

VM attacks

–Attacks during deployment and duplication

–Deletion of virtual images

–Attacks on control of virtual machines

–Code/file injection into virtualization file structure

(14)

New Virtualization System-Specific Attacks

VM migration

– VM migration is transfer of guest OS from one physical server to another with little or no downtime

– Implemented by several virtualization products

– Provides high availability and dynamic load balancing

(15)

New Virtualization System-Specific Attacks

VM migration attack

– If migration protocol is unencrypted, susceptible to man-in-the-middle attack

– Allows arbitrary state in VM to be modified

– In default configuration, XenMotion is susceptible (no encryption)

– VMware’s VMotion system supports encryption

– Proof-of-concept developed by Jon Oberheide at the Univ. of Michigan

(16)

Known Virtualization System Attacks

Management server attacks

–Exploit management console vulnerabilities that divulge password information

–Exploit management console vulnerabilities to gain access to management server

–Exploit vulnerabilities that allow local management server users to gain elevated privileges

Administrative VM attacks – exploit vulnerabilities to:

–Cause a denial of service by halting the system

–Cause a denial of service by crashing the administrative VM

–Obtain passwords that are stored in cleartext

–Exploit buffer overflows in exposed services to execute arbitrary code

–Exploit vulnerable services to gain elevated privileges

–Bypass authentication

(17)

Known Virtualization System Attacks

Guest VM attacks – exploit vulnerabilities to:

–Gain elevated privileges

–Crash the virtual machine

–Truncate arbitrary files on the system

–Execute arbitrary code with elevated privileges

Hypervisor attacks – exploit vulnerabilities to:

–Cause the hypervisor to crash

–Escape from one guest VM to another

(18)

Example Configuration Issues

Virtual machine configuration

–Resource reservations and limits (for example, on CPU usage) can be established for individual VMs

• Allows assignment of more system resources to specific VMs

• Improper configuration can allow a DoS against one virtual host to affect other hosts on the same server

–Failure to enable log file rotation can fill disk and DoS the ESX Server

–Failure to disable unused devices can introduce unnecessary risk
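
A defender-side audit for the two virtual machine configuration failures listed above (log rotation not enabled, unused devices left present), added here as an example that is not part of the original slides. It assumes the VM's settings are `key = "value"` lines in a .vmx file and uses the VMware setting names `log.rotateSize`, `log.keepOld` and `<device>.present`; the sample file and the choice of which device classes count as unused are constructed for illustration.

```python
import re

# Constructed sample .vmx contents (not taken from the slides).
SAMPLE_VMX = '''\
displayName = "web01"
memsize = "2048"
floppy0.present = "TRUE"
serial0.present = "TRUE"
usb.present = "FALSE"
ethernet0.present = "TRUE"
log.keepOld = "10"
'''

# Device classes this example treats as unused on a server VM (an assumption;
# adjust to what the workload really needs).
UNUSED_DEVICE_PREFIXES = ("floppy", "serial", "parallel", "usb")

LINE_RE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return {key: value} for every key = "value" line; other lines are skipped."""
    settings = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def audit_vmx(text):
    """Return a sorted list of findings for log rotation and unused devices."""
    cfg = parse_vmx(text)
    findings = []
    # Log rotation needs both a size trigger and a bounded count of old logs;
    # a missing, non-numeric or zero value is reported (zero is treated as unset here).
    for key in ("log.rotateSize", "log.keepOld"):
        value = cfg.get(key, "")
        if not value.isdigit() or int(value) == 0:
            findings.append(f"log rotation: {key} missing or zero")
    # Unused devices: any listed device class that is still marked present.
    for key, value in cfg.items():
        if key.endswith(".present") and value.upper() == "TRUE":
            if key.startswith(UNUSED_DEVICE_PREFIXES):
                findings.append(f"unused device enabled: {key}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_vmx(SAMPLE_VMX):
        print(finding)
```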

(19)

Example Configuration Issues

Virtual network configuration

–Virtual switches are used to define the topology of virtual networks

(20)

Example Configuration Issues

–Improper configuration can allow unintended communication among guest VMs

–Network services are enabled to connect virtual machines and kernel services to the physical network

• Kernel services include features such as virtual machine migration

• Failure to disable unused services can introduce unnecessary risk

–VLANs can be used to aggregate multiple virtual switch ports under a common configuration

• Incorrect aggregation can result in misconfiguration of ports

(21)

New Virtualization System-Specific Attacks

Hyperjacking

–Consists of installing a rogue hypervisor

• One method for doing this is overwriting pagefiles on disk that contain paged-out kernel code

• Force kernel to be paged out by allocating large amounts of memory

• Find unused driver in page file and replace its dispatch function with shellcode

• Take action to cause driver to be executed

• Shellcode downloads the rest of the malware

• Host OS is migrated to run in a virtual machine

–Has been demonstrated for taking control of Host OS

–Hyperjacking of hypervisors may be possible, but not yet demonstrated

• Hypervisors will come under intense scrutiny because they are such

(22)

Virtualization System Public Exploits

36 public exploits against production virtualization systems have been released

Most of these are attacks against third-party components of these systems

CVE-2009-2267

–Guest OS user can gain elevated privileges on guest OS by exploiting a bug in handling of page faults

–Affects ESX server 4 and other VMware products

–Exploit binary posted at lists.grok.org.uk

(23)

Virtualization System Public Exploits

CVE-2009-3760

–Remote attacker can write PHP code to Web server configuration script to execute arbitrary PHP code with privileges of server

–Affects XenCenterWeb

–Exploit URLs are provided in a Neohapsis post:

(24)

Virtualization System Public Exploits

CVE-2007-5135

–OpenSSL buffer overflow vulnerability allows remote attacker to execute arbitrary code on the system

–Affects VMware ESXi server 3.5, presumably the administrative VM (the “service console”)

–Neohapsis post describes the exploit

• Involves sending multiple ciphers to take advantage of an off-by-one error in OpenSSL’s cipher processing code

(25)

Summary of Virtualization System Security Concerns

Virtualization systems have added new vulnerabilities to infrastructure

–259 new vulnerabilities over the last 5 years (XFDB)

Use of virtualization systems doesn’t add inherent security – same connectivity to servers is still needed

Addition of new operating system (hypervisor) increases attack surface

–Doesn’t replace existing OSes

Potential for new types of attacks

Migration of VMs for load balancing can make them more difficult to secure

Ease of addition of new VMs can increase likelihood that insecure

(26)

Technologies for Virtualization-Based Security Enhancement

Some technologies can take advantage of virtualization to improve security

IBM Security Virtual Server Protection for VMware®

–Takes advantage of virtualization to provide IPS protection for all communication between VMs on a virtualization server

–Traditional IPS provides protection only where appliances are installed

Future may see virtualization-based sandboxing

–Sandbox environment is a locked-down OS that restricts what programs can do – for example, disallow network access

–Sandboxes could run in separate VMs and be used for opening untrusted files and running untrusted applications

(27)

Virtualization System Configuration Recommendations

Don’t connect virtualization system hosts to operational networks until fully configured

Management server configuration

–Management servers should be segregated from operational networks via an appropriately configured firewall or router

–Restrict access of management system databases to the management server, a database administrator, and backup software

–Limit access to remote management tools

–Use limited accounts

–Connections to virtualization systems should be encrypted and authenticated

–Use logging

(28)

Virtualization System Configuration Recommendations

Administrative VM configuration

–Avoid installing third-party software

–Disable or restrict access to unused network services

–Synchronize clocks on virtualization servers and management servers to aid log analysis

–Manage log size to avoid filling partitions

–Implement file system integrity checking and password policies

–Only allow server administrators to manage administrative VMs

–Disable root console logins

(29)

Virtualization System Configuration Recommendations

Guest VM configuration

– Harden servers

• Update and patch OS

• Use single role servers – disable unnecessary services

• Use local firewall to ensure limited host control

• Use limited scope admin accounts with strong passwords

– Protect virtual machine files

• Use access control lists

• Use encryption

• Use auditing of file operations (access, creation, deletion, …)

– Disable unnecessary or unused virtual devices

– Use hardened VM images as basis for new VMs

• VMware supports templates for creation of new VM images

(30)

Virtualization System Configuration Recommendations

Virtualization environment configuration

– Install hypervisor updates and patches

– If possible, install VMs with different security profiles on different physical machines

• The existence of hypervisor escape vulnerabilities makes this prudent

• Otherwise, use virtual firewalls between groups of machines with different security postures

– Isolate VM traffic by defining VLAN port groups in virtual switches and associating each VM virtual adapter with the appropriate port group

– If supported, configure port groups to:

• Restrict virtual adapters from entering promiscuous mode

• Avoid changing virtual NICs’ own MAC addresses

(31)

Summary

Virtualization system interest and vulnerabilities have both increased

Virtualization system vulnerabilities can be characterized by what they affect

Known attacks exist against all virtualization system components

Public exploits have been released for some virtualization system vulnerabilities

Virtualization systems have introduced new types of attacks

Currently, virtualization systems make networks less secure

Some technologies can offer virtualization-based security enhancement

(32)

References

X-Force 2010 Midyear Trend Report

– http://www-935.ibm.com/services/us/iss/xforce/trendreports/

X-Force database

– http://xforce.iss.net/

VMware ESX Server 3 Configuration Guide

– http://www.vmware.com/pdf/vi3_35/esx_3/r35/vi3_35_25_3_server_config.pdf

NSA ESX 3 Server Configuration Guide

– http://www.nsa.gov/ia/_files/support/I733-009R-2008.pdf

Virtualization Security (Microsoft presentation)

– http://download.microsoft.com/download/8/c/6/8c62bac5-af9b-4815-be7f-3165c61ddd81/Day2Session-VirtualizationSecurity-RickClaus.pdf

Subverting Vista Kernel for Fun and Profit (BlackHat presentation by Joanna Rutkowska)

– http://web.archive.org/web/20070928060104/blackhat.com/presentations/bh-usa-06/BH-US-06-Rutkowska.pdf

SubVirt: Implementing malware with virtual machines (U. of Michigan and Microsoft)

(33)

References

From Virtualization vs. Security to Virtualization Based Security (Steve Orrin, Intel presentation)

– http://event.isacantx.org/_event_files/346_Lunch_Orrin_VirtSec_Part2_v1.pdf

VMware Security Hardening Guide

– http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf

Wikipedia article on sandboxing

– http://en.wikipedia.org/wiki/Sandbox_(computer_security)

What you need to know about Security Your Virtual Network (Daniel Petri)

– http://www.petri.co.il/what-you-need-to-know-about-vmware-virtualization-security.htm
