Virtual Insanity

In today’s environment, operating systems flit between physical CPU cores like ghosts between rooms
In today’s environment, operating systems flit between physical CPU cores like ghosts between rooms
One of the security advantages of virtualization is that machines become easily disposable, and machines that are compromised by malware can be easily killed
One of the security advantages of virtualization is that machines become easily disposable, and machines that are compromised by malware can be easily killed
Joanna Rutkowska, security researcher
Joanna Rutkowska, security researcher

From the view of technology experts, we now live in a world where the physical and the shadowy logical one are moving further apart.

There was a time when an operating system and its data were tied to a physical box. These days, operating systems flit between physical CPU cores like ghosts between rooms. Thanks to products like VMware’s vSphere hypervisor and Microsoft’s HyperV, hundreds of virtual operating systems can haunt a single block of memory.

Similar to the spirit world, however, the logical one is boundless. Just as ghosts are not constrained by walls, network packets are not constrained by physical space. With virtual data and operating systems no longer tied to individual machines, how can we stop attackers from drifting, ghost-like, between them, leaving malware and taking data as they go?

Headaches in the Cloud

Such considerations are particularly important given the rise of cloud-based services as an operating concept. Vendors, such as HP, preach the benefits of cloud computing to customers, in which logical systems can be manipulated and reconfigured independently of their physical ones. On the other hand, customers have to get over the security implications.

"You can’t afford to have a million different instances of an operating system"
John Manley, HP

The benefits of cloud-based computing are immense. A company can provision new virtual machines and storage capacity to users immediately, rather than waiting weeks to requisition physical equipment. It enables companies to squeeze many applications with many users into a single machine, rather than having them spread across many machines with lots of wasted space.

However, John Manley, director of the automated infrastructure laboratory at HP’s Bristol research labs, warns that it can give administrators and programmers alike a headache.

“If you have a million users, you probably have a bit of a problem. You can’t afford to have a million different instances of an operating system. At that point you have to be multi-tenanted in your deployment”, he says. Multi-tenanted systems force many users into a single instance of a system. “So how do you then ensure that potentially competitive users are protected from each other? That affects the way in which the code is written”, Manley continues.

These technical considerations are made all the more problematic by cloud computing’s central proposition: that customers should concentrate on the service, and leave the infrastructural issues to the experts. Clients are supposed to worry only about the service provided, while letting the cloud computing provider deal with the back-end details. Companies concerned with managing risk, and perhaps with placating regulators, must be sure that their data is being handled correctly – whether by an internal IT department with its own virtualized infrastructure, or by a third-party provider.

“SLAs [service level agreements] will become a lot more interesting and more binding. Security will be mentioned in the SLA, and if you break it, there will be penalties”, Manley says. “As a service level, you don’t want to know what box it’s running on, the number of boxes, and so on. But if you’re going to have statements in an SLA and they are going to have any force, then they have to have metrics associated with them.”

Moreover, Manley expects a level of disaggregation that will further compound the problem. Any service provider that a company contracts may end up relying on two or three other service providers to fulfill a component of their service by hosting elements of their clients’ data, or processing it in some way. “So the whole issue of SLAs becomes more complex, because you have to get into federated management of SLAs”, he warns.

You Can’t Have it All

Virtualization is both a blessing and a curse from a security perspective. On one hand, it can stop malware infections and other compromises effectively. On the other, the mechanisms that make virtualization possible are – at least in theory – subject to attack themselves, which experts say would be next-to-impossible to detect.

In traditional computing, the operating system would run directly atop the computer’s processor, talking directly to it and giving it instructions. In turn, the applications run by the user operate directly on top of the operating system, talking to it and making use of its services.

"Intel TXT can only provide ‘launch-time’ integrity – assuring that the hypervisor we load is indeed the one we trust, but only in the very moment of loading"
Joanna Rutkowska, security researcher

Virtualization changes that by putting a layer of code in between the processor and the operating system. That code, known as a hypervisor, acts as a relay between the operating system and the processor, while making the operating system think that it’s still talking directly to the processor. Administrators can then run multiple operating systems (virtual machines) atop the hypervisor, without any of them conflicting with each other.

The advantage from a security standpoint is that each virtual machine becomes disposable. A snapshot of a clean operating system, with the relevant applications already installed, can be instantiated at a moment’s notice. It becomes easy, in that case, to kill machines that are compromised by malware. Security researchers now use virtual machines to analyze malware, knowing that they can kill the machine and load a fresh copy when necessary. These days, it is also possible to conduct malware scans on dormant virtual machines, updating them while they are not running.

There are other advantages, too. VMware has introduced a security platform called VMSafe, which uses a set of technologies it calls Introspection. This gives administrators and development partners a way to monitor what is happening in and between virtual machines, at the hypervisor level. VMSafe enables companies developing code that runs on virtualized operating systems to better understand the context in which that code is running. They can inspect memory access and CPU states before executing any code inside the virtual machine, for example.

Products such as vShield allow administrators to set hypervisor-level firewalls that protect applications and operating systems running at different levels of trust. They can also use vCenter, the management product supporting the hypervisor, to handle things like patch management, which is an important part of any security process.

Concept? Or Controversy?

Virtualization sounds like an ideal concept to make systems more secure, but experts have found holes in the system. One worrisome security problem arises in the event that a malicious hypervisor is used to virtualize an operating system and control it.

Polish security researcher Joanna Rutkowska used this technique with Blue Pill, a very thin proof-of-concept hypervisor that installed itself below Windows and pretended to be the processor. This attack could also be used to compromise an existing hypervisor. Because it sits below the operating system and has more operating privileges, a malicious hypervisor effectively compromises any operating system on which it runs, in a way that the operating system couldn’t detect.

"We actually do the measuring and attestation of the files that boot using the hardware"
Dean Coza, VMware

“It’s just a concept”, says Dean Coza, director of product management at VMware. He argues that the company uses trusted platform technologies built into the Intel processor to stop anything inserting itself in between the processor and the operating system. “We actually do the measuring and attestation of the files that boot using the hardware. You can compare that known good operating system image by booting it from the system that runs using the trusted platform.”

He’s talking about TXT, an extension to Intel’s processors that relies heavily on a technology developed in the early 2000s, called the Trusted Platform Module (TPM). The TPM is a heavily protected physical chip containing a secret key that is used to check the integrity of the system gradually as it boots. The secret can be used to check everything from the BIOS upwards, including the hypervisor, and then the operating system, to ensure that the code hasn’t been tampered with.

However, the attack is far more than a concept, retorts Rutkowska. For one thing, it relies on these trusted hardware technologies performing as they should. She says that she has demonstrated two attacks, one exploiting a flaw in the System Memory Management Module (SMM) that is used to load the trusted code. Another used a flaw in the Authenticated Code Module.

These attacks managed to sneak in malicious code through loopholes in the Intel TXT system. The company has worked to patch these flaws, but it raises the question: How can anyone be certain that more flaws don’t exist?

Smaller is Better

In any case, there are other more fundamental vulnerabilities in Intel’s processors, says Rutkowska. “Intel TXT can only provide ‘launch-time’ integrity – assuring that the hypervisor we load is indeed the one we trust, but only in the very moment of loading”, she says. “Five seconds later, it can be compromised via some attack exploiting a potential buffer overflow in the hypervisor code, and Intel TXT can do nothing about it (by definition).”

The key, she says, lies in making the hypervisor as small as possible, and offloading functionality to other modules that might load atop the hypervisor. Sadly, she argues, VMware has fleshed out its hypervisor with lots of functionality, thereby increasing the amount of code, and therefore the attack surface of the hypervisor, giving malware writers a bigger target to aim at.

Rutkowska is developing her own Linux-based operating system called Qubes, which is based on the Xen hypervisor. The system is based on what she calls the ‘security by isolation’ approach, in which she isolates both applications and also system components at a granular level. The networking and storage subsystems are protected from each other in their own virtual machines, for example. Rutkowska’s research into TXT vulnerabilities will make her product better, as she plans to include support for the technology in the future.

The advantages offered by virtualization are too big to ignore, and it is a trend that is already sweeping the IT world. However, as companies embrace the concept more, and begin taking advantage of virtualized cloud-based systems both internally and externally, an element of caution is required. Hopefully, approaches to security will mature along with the concept of virtualization itself, and we will avoid as many Halloween-style nightmares as possible.

What’s Hot on Infosecurity Magazine?