Security of virtual machines
Friday, April 20. 2007
Tavis Ormandy just gave an interesting presentation at CanSecWest'07 on the security of virtual machines (QEMU, VMware, Bochs, ...), entitled "An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments". Using fuzzing and other techniques, he found quite a few bugs in popular VMs, including:
- heap overflow in QEMU's NE2000 network device
- heap overflow in QEMU's VGA code
- vulnerability in VMware's power management code
For example, his summary for the security of QEMU is:
An attacker with access to a QEMU virtualized environment could potentially compromise the virtual machine process and execute arbitrary code with the privileges of the emulator. Malware being studied inside QEMU, even in an unprivileged state, can terminate the virtual machine safely and reliably.
For malware analysis these results mean that the sample has to be treated as hostile towards the VM itself, not just towards the guest OS: code running inside the guest can reach the emulator's device code, and a bug there lets the sample crash the analysis process or break out onto the host. The safer setup is therefore to run the analysis on a native machine and roll the disk back to a clean state after each run, for example with a hardware restore card that restores the disk image on reboot. We use such a setup within CWSandbox and the results look promising.
Tavis also released a paper describing the results in detail, including some proof-of-concept demos. His slides will soon be available on the CanSecWest website.
Abstract
As virtual machines become increasingly commonplace as a method of separating hostile or hazardous code from commodity systems, the potential security exposure from implementation flaws has increased dramatically. This paper investigates the state of popular virtual machine implementations for x86 systems, employing a combination of source code auditing and blackbox random testing to assess the security exposure to the hosts of hostile virtualized environments.
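To make the "blackbox random testing" mentioned in the abstract concrete, here is a minimal guest-side I/O port fuzzer. It is an added example written for this post, not code from Tavis's paper or from any of the projects named above. It assumes the device under test is QEMU's ISA NE2000 at its default I/O base of 0x300 with a 32-port window (both are assumptions here; adjust them for the device you target), and that it is run as root inside a Linux guest, where `iopl(3)` grants raw port access. Every write is logged before it is issued, so if the emulator dies the last line on the guest's serial console names the write that killed it, and the seed lets you replay the run.

```c
/* Guest-side I/O port fuzzer: blackbox random testing of an emulated device.
 * Added example (not from the paper or the post); device window is an assumption. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define NE2000_BASE 0x300u  /* assumption: QEMU's default ISA NE2000 I/O base */
#define NE2000_LEN  0x20u   /* assumption: 32-port window (registers, data port, reset port) */

typedef struct {
    uint16_t port;
    uint8_t  width;   /* 1, 2 or 4 bytes */
    uint32_t value;
} io_write_t;

/* A sink receives each generated write; the real one hits hardware, the test one records */
typedef void (*io_sink_t)(const io_write_t *w, void *ctx);

/* xorshift32: tiny seedable PRNG so a crashing run can be replayed from its seed */
static uint32_t fz_rand(uint32_t *state)
{
    uint32_t x = *state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *state = x;
}

/* Next write: a port inside the device window, a 1/2/4-byte width, a value masked to that width */
static io_write_t fz_next(uint32_t *state, uint16_t base, uint16_t len)
{
    static const uint8_t widths[3] = { 1, 2, 4 };
    io_write_t w;
    w.port  = (uint16_t)(base + fz_rand(state) % len);
    w.width = widths[fz_rand(state) % 3];
    w.value = fz_rand(state);
    if (w.width == 1)      w.value &= 0xffu;
    else if (w.width == 2) w.value &= 0xffffu;
    return w;
}

/* Generate n writes from seed and hand each to sink; returns the number generated */
size_t fz_run(uint32_t seed, uint16_t base, uint16_t len, size_t n, io_sink_t sink, void *ctx)
{
    uint32_t state = seed ? seed : 0x9e3779b9u; /* xorshift must not start from 0 */
    size_t i;
    for (i = 0; i < n; i++) {
        io_write_t w = fz_next(&state, base, len);
        sink(&w, ctx);
    }
    return i;
}

/* Recording sink: stores writes in an array so the generator can be checked without hardware */
typedef struct { io_write_t *buf; size_t cap, used; } fz_record_t;

static void fz_record_sink(const io_write_t *w, void *ctx)
{
    fz_record_t *r = ctx;
    if (r->used < r->cap) r->buf[r->used] = *w;
    r->used++;
}

/* Dry run: generate n writes into out (capacity cap); returns how many fall inside the window
 * with a valid width, i.e. how many the hardware sink would have been allowed to issue */
size_t fz_dry_run(uint32_t seed, uint16_t base, uint16_t len, size_t n, io_write_t *out, size_t cap)
{
    fz_record_t r = { out, cap, 0 };
    size_t in_window = 0, i;
    fz_run(seed, base, len, n, fz_record_sink, &r);
    for (i = 0; i < r.used && i < cap; i++)
        if (out[i].port >= base && out[i].port < (uint32_t)base + len &&
            (out[i].width == 1 || out[i].width == 2 || out[i].width == 4))
            in_window++;
    return in_window;
}

#if defined(__linux__) && defined(__GLIBC__) && (defined(__i386__) || defined(__x86_64__))
#include <sys/io.h>
/* Hardware sink: log first (flushed, so it reaches the serial console), then issue the write */
static void fz_port_sink(const io_write_t *w, void *ctx)
{
    (void)ctx;
    printf("port=%#x width=%u value=%#x\n", w->port, w->width, w->value);
    fflush(stdout);
    switch (w->width) {
    case 1:  outb((uint8_t)w->value, w->port);  break;
    case 2:  outw((uint16_t)w->value, w->port); break;
    default: outl(w->value, w->port);           break;
    }
}

int main(int argc, char **argv)
{
    uint32_t seed = argc > 1 ? (uint32_t)strtoul(argv[1], NULL, 0) : 1u;
    if (iopl(3) != 0) { perror("iopl (run as root inside the guest)"); return 1; }
    fz_run(seed, NE2000_BASE, NE2000_LEN, 1000000, fz_port_sink, NULL);
    return 0;
}
#else
int main(void) { puts("hardware sink needs Linux on x86; use fz_dry_run"); return 0; }
#endif
```

Run it as `./fuzz 0x1234 > /dev/ttyS0` inside the guest with the guest's serial port wired to a file on the host; when the emulator process dies, the last logged line plus the seed is enough to reproduce the sequence under a debugger attached to the emulator. The same skeleton extends to memory-mapped device regions by swapping the sink for one that writes through a pointer obtained from `/dev/mem`.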