Hyperjack of Flickwhitery
I have been involved with virtual environments for about a decade now, supporting client consultations and implementations. Over this period I have observed growth, from what was once considered a novelty technology through to today's technological solutions supporting leading-edge operational missions.
Virtualised environments have also become key technologies supporting the delivery of cloud services to a range of clients, from the single user and the SME right up to the corporate outsourced delivery chain. However, this growth of virtualised worlds should not be taken for granted; it deserves, and indeed dictates, that the associated security box is well and truly ticked, and respected!
The first key, and obvious, fact to grasp is that whilst a virtualised system may look the same as its tin-based brother (or sister), that is where the similarity ends! First of all, it is essential to appreciate that these 'virtualised' environments are running on the host operating system under very privileged conditions, interfacing at the kernel level of the host OS. Thus any breakout from the perceived sandboxed virtual world could result in direct logical interaction at the higher end of the privilege stack, with significant implications for the underlying security model of the operational system, and potentially for the associated hypervisor.
And of course, with any new leading-edge technology the bad guys will always be there seeking out opportunities to force a compromise, and with virtualisation this same rule applies. It is here that one may encounter new-era virtualisation-aware malware in the form of Virtual Rootkits, VAM (Virtualisation Aware Malware), VMBR (Virtual Machine Based Rootkits) and HVMR (Hypervisor Virtual Machine Rootkits), all of which support potential states of exploitation against a system, or systems, and of course the compromise of the stored information assets.
Now consider the implications if a virtualised host were subject to a compromise allowing the attacker to deploy an additional VM with malicious intent, or to mount a man-in-the-middle style hyperstack/hyperjack attack, replacing the original hypervisor with a rogue counterpart; the implications of either could be very far reaching. Whilst such attacks have not as yet been seen in the wild, they have been very well documented, and like all things it may only be a matter of time before they appear in the real world in one form or another.
So by all means leverage this amazing technology and make it work for your enterprise, to support your business mission; but be sure to understand the idiosyncrasies of the virtualised offering, and deploy it with the appropriate level of security.
Posted 02/08/2011 by John Walker
Tagged under: Cloud, Hacking, Rootkits, Hyperjack