by CSIS: Center for Strategic & International Studies

OVERVIEW

A number of security research projects have been undertaken into gaining an insight into the security vulnerabilities associated with platform specific virtualisation technologies and / or the hosting of one operating system environment on another. There has arguably been less focused research into resource specific virtualisation issues, and the allocation of specific system resources (e.g. storage and memory areas, name spaces etc.). The race for the discovery of undisclosed security vulnerabilities and software bugs with popular platform virtualisation environments (most notably those produced by VMWare Inc.) has led to a situation whereby physical virtualised resources have been largely stricken from the collective consideration of the security research community.

In this series of six independent technical articles from Orthus we will present an overview of much of the platform focused research that has already been undertaken, what differentiates this from resource specific issues and considerations.  As increased numbers of enterprises move towards adoption of virtualised resource technologies, and infrastructure associated with critical national security and industrial control systems also adopt these technologies, the risk exposures increase, and it is of vital significance that security research efforts are focused upon these technologies.

VIRTUAL REALITY

Many modern computing environments are sufficiently powerful to support the use of platform virtualisation technologies to facilitate the deployment of virtual machine instances which utilise a separate Operating System. Depending upon deployment requirements (and indeed the hardware and software vendors selected to facilitate such deployments) a platform specific virtualised environment may consist of some (or all) of the following components: virtual machine instances, guest and host Operating Systems, virtual machine monitors (VMMs), the virtual machine environment (VME) itself, in addition to hardware.

A variety of protection mechanisms may also be employed which range from hypervisors to appliances.  As discussed in the abstract, a considerable amount of focused security research has been undertaken concerning platform virtualisation technologies however as of the time of writing, little attention has been directed towards virtualised resource platforms. This is not to imply that these technologies are not receiving the attentions of researcher owing to the rarity of their deployment.

The use of virtualised resources is a growing trend, and they can be found operating in many computing environments, including the financial, governmental, health care, and military sectors.  Additionally, popular vendors of SCADA based systems and software, PROCSYS and Wonderware allow for their technologies to be scaled and deployed within virtual resources.

A number of specific business drivers may be utilised when making the decision to deploy virtualised resources, however there is a common misconception that the deployment of such assets will lead to increased productivity and reduced costs. Regardless of deployment drivers, the use of virtualised resources and a move away from the notion of network based computing models (e.g. the computer is the network, and the network is at its best, when distributed) is a growing trend that has arguably received little attention from security researchers to date.  

Most technical and business staff in enterprise environments understand the difficulties inherent in securing distributed environments, however the ugly kernel remains that in relation to virtualised resources the scope and impacts of security threats are rarely fully understand and addressed.

SECURITY IN VIRTUALISED ENVIRONMENTS

Prior to discussing the security threats and vulnerabilities that face virtualised technologies (be they platform or resource specific) the elements that constitute a secure environment should first be considered. Virtualised technologies arguably have a number of distinct elements that need to exist for them to be classified as secure. A number of researchers have focused their attentions towards defining these, most notably, Reiner Sailer et al of IBM, in the paper ‘sHype: Secure Hypervisor Approach to Trusted Virtualized Systems’[i].

A number of constituent security goals are defined by Sailer at al, as forming secure virtualised environments, namely:

Strong isolation guarantees between multiple partitions Controlled sharing (communication and co-operation) among partitions Platform and partition integrity guarantees Platform and partition content attestation Resource accounting and control Secure services (e.g. auditing)

These elements are an excellent starting point however they disregard a number of key requirements from a security perspective. Although Sailer et al recognise the need for isolation and separation between virtual machine partitions this should arguably also be applied to processes and users.  From a security perspective it is also imperative to ensure that not only is controlled sharing enforced for partitions but also those resources they may access (such as memory).

Additionally, although the necessity of auditing is recognised, the value of virtualisation lies in its inherent flexibility and, and this too should be considered especially with regards secure and scaleable deployments. Regardless of the theory of what constitutes a secure virtual machine environment, the reality remains that at present many environments are anything but.

A number of security research groups and individuals are conducting research into bypassing the security restrictions in place within virtual machine environments, and as highlighted in the abstract for this paper this has proved a fertile area. A number of security vulnerabilities have been highlighted in products issued by VMware Inc over recent years, and this is a trend that doubtless will continue. The VMware product suite (i.e. VMware Server, VMware Player, VMware Workstation etc.) or elements thereof, is widely deployed in many environments, and importantly comparatively inexpensive to obtain. Regardless of the individual vendor however, virtualised platform specific vulnerabilities can loosely be classed into three major groupings, namely:

Virtual machine / environment detection Virtual machine / environment protection bypasses Virtual machine /environment destruction

NEXT TIME…

In our next and second article of six we will explore how the first of these j

Notes

[i] sHype: Secure Hypervisor Approach to Trusted Virtualized Systems; Reiner Sailer, Enriquillo Valdez, Trent Jaeger, Roland Perez, Leendert van Doorn, John Linwood Griffin, Stefan Berger. IBM Research Division. February 2005.

 http://domino.watson.ibm.com/library/cyberdig.nsf/papers/265C8E3A6F95CA8D85256FA1005CBF0F/$ File/rc23511.pdf