At Black Hat CD, a researcher demonstrated how VMware and Xen virtualization software could be hacked when a virtual machine is moved from one physical machine to another. The concern for virtualization security has risen in priority. This article addresses the challenges of virtual machine security.
Virtualization is a boon for data centers and other scenarios in which concentrated computer resources are necessary.
Significant questions about the security of the technology persist, however. Indeed, it seems that the questions are proliferating. At Black Hat DC last week, a researcher demonstrated how to hack into VMware and Xen products during the movement of the virtual machine from one physical machine to another.
Dark Reading reports that the University of Michigan's Jon Oberheide introduced Xensploit, a tool that can take over the virtual machine’s hypervisor and applications and, ultimately, gain access to data. Oberheide said that the data is moved in the clear, which can leave the process open for the type of man-in-the-middle attacks generally associated with public Wi-Fi schemes.
In still another piece of bad news for VMware, ZDNet reports that Core Security Technologies has released proof-of-concept software that demonstrates the ability of a hacker to create or modify executable files on the host operating system. The story goes into good detail on the exploit, the damage it can do and how it came to light.
Apparently, the issue of security and virtualization is coming to a head. On one hand, the story says, VMware is nearing an announcement on a security initiative with other companies. On the other, Core is pushing the issue by timing release of the news of the exploit during the VMworld event in Cannes. The hope was to pressure the company into taking action. Core, according to the story, says that VMware had known about the flaw for four months.
Security is only a small part of this Tech Republic piece, which relates 10 important facts about virtualization. The overall piece is a worthwhile read, however. Especially important is the first item, which makes the important point that virtualization actually covers five operations: desktop virtualization; virtual testing environments; presentation virtualization; application virtualization and storage virtualization.
The security element of the piece actually offers a rare positive spin. The writer says that isolating servers on discreet virtual machines can be more secure than running several servers on the same operating system. She also points to the ability to isolate applications in "sandboxes." In an item related to security, the writer says that disaster recovery can be done much more quickly in a virtual environment than one in which the operating system, application and data all must be reinstalled.
Fortunately, this paper - presented by a Google researcher at CanSec West - is summarized in this Smart Security blog posting, since its level of complexity is great. The blogger sums up the security status of virtualization smartly enough that it is worth quoting:
Virtual machines are sometimes thought of as impenetrable barriers between the guest and host, but in reality they're (usually) just another layer of software between you and the attacker. As with any complex application, it would be naive to think such a large codebase could be written without some serious bugs creeping in.
The paper, the blogger says, mostly identifies flaws such as buffer overflows. At this point, even the blogger’s explanation became a bit obtuse. It is clear, however, that the paper backs up the growing belief that virtualization is vulnerable.
This Data Storage Today piece takes a high-level look at virtulized security. Specifically, it looks at four major concerns that have been expressed about the platform. Potential users are concerned about "virtual machine escapes," which are the movement of an attack from a hypervisor to the virtual machines resident on the same physical host. The second worry is that virtual machines increase patching burdens. The third concern is the challenge of whether or not to run virtual machines in the DMZ. Finally, the fact that hypervisors are new and untested is thought likely to attract hackers.
United, Internet Users Stand; Divided, We End up at Phony Sites
Last week, news hit of a vulnerability in the Domain Name System that, if exploited by hackers, could lead surfers to phony Web sites. The flaw was found by Dan Kaminsky, the director of penetration testing for IOActive. Kaminsky tells IT Business Edge’s Carl Weinschenk that the potential severity of the problem led vendors and researchers to work together to create the patches that now are available.Defining Virtualization's Role in Regulatory Compliance
Greg Shields, an independent IT author, speaker, consultant, and columnist for Virtualization Review Magazine discusses how compliance and virtualization are related. He shares insight on how virtualization managment tools can play a part in compliance and how that works.Virtualization Thrives, Security Struggles to Keep Up
VMware has acknowledged a "critical" vulnerability in shared-folder configurations on Windows-hosted VMware software. The bugs lets users of a guest system access host system folders. VMware has not yet released a patch. Virtualization is definitely the server technology of choice, yet security is still a priority.