VM Security Risks: Phantom or Menace?

VMs carry potential security threats, as evidenced by vulnerabilities patched by VMware, Microsoft and XenSource.

NEW YORK—Virtual machines are threatening to crack the walls of data centers with a host of potential security threats—nothing that's been publicly exploited yet, but a fact that's borne out by a slew of vulnerabilities patched over the past seven months by major virtualization vendors VMware, Microsoft and XenSource.

David Lynch, vice president of marketing at Embotics, a VM life-cycle management vendor, said during a presentation here at Interop Oct. 23 that a fundamental issue with VMs is that they've come into enterprises via the back door, thereby slipping past standard security hardening. Meanwhile, VM sprawl has virtualization instances popping up with nobody keeping track of them. Simply stated, organizations won't be able to secure these things, given that nobody knows how many have been created, Lynch said.

"Even if you just replace [unsecure virtualization instances] completely, how do I make sure I replace all instances of [a] virtual appliance?" Lynch told eWEEK following his presentation. "I asked the audience how many people knew how many virtual machines [they were running]. Three people put their hands up, out of about 50. That's a fundamental issue. People don't know how many machines they have out there. How can you manage them? How can you make sure configurations are maintained, that they're where they're supposed to be?"

Sprawl needs to be dealt with today, Lynch said, but other and worse security issues are on the horizon. The ability to break out of a guest operating system and into the host operating system that a VM is running on is one such issue that Intelguardians Network Intelligence, a security consultancy based in Washington, first demonstrated on a VMware workstation in a July presentation.

The demonstration came a few months after VMware fixed the relevant vulnerability—detailed in CVE-2007-1744. The issue was in VMware Workstation, a simpler product than the company's vaunted ESX Server, with its purportedly staunch security profile. But Intelguardians co-founder Ed Skoudis told eWEEK that, regardless, the point has been proved that an attacker can escape past a VM to wreak havoc on a host system's operating system, and, beyond that, his company thinks ESX Server might not be bulletproof.

"Our issue was in Workstation, but the point was, it demonstrated the possibility of VMware escape," Skoudis said. "ESX hasn't been escaped, but there are possibilities of escape there. We focused on a simpler product and did find an escape vulnerability that could allow an attacker to get access to the host file system and perhaps execute code on the host."

Breaking out of a VM and onto the host operating system means an attacker can potentially install a rootkit, among other things, Embotics' Lynch told eWEEK. But the real issue, he said, is that this is beyond the scope of most security technologies, which don't look at the hypervisor. Instead, they work at the operating-system level. That's why security researcher Joanna Rutkowska has claimed that her famed Blue Pill virtual rootkit is "undetectable"—it installs on the hypervisor, and that's where most security technologies just aren't looking.

But like Blue Pill, these VM breakouts are still constrained to the lab—they're merely theoretical at this point.

A more immediate potential threat is virtual appliances: As software delivery mechanisms move to delivering VMs in this manner, they're bringing a black box of unknowns into the data center, Lynch said. Virtual appliances run who knows what kind of operating system, with heaven knows what level of hardening and with the potential to introduce backdoors. As data centers start to bring them in, Lynch said, administrators should question the processes for patching the relevant operating system and application set, as well as learning who will do security maintenance work.

It's easy to see how VMs snuck into the data center. Virtualization is an extremely valuable, useful technology in terms of service levels, cost reduction and business continuity. But it's plain to see, Lynch said, that the technology has been adopted in terms of utility and not in a structured manner.

Lynch pointed to surveys showing that 55 percent of respondents believe VMs are as secure as or more secure than physical servers—a belief that "unfortunately is not the case," he said. Even more telling, 24 percent think they're less secure, and 21 percent don't know if VMs are more or less secure than physical servers.

That's shocking, given that virtualization is being deployed in all Fortune 100 companies and 80 percent of Fortune 1000 companies, Lynch said. Normally, in the security world, there is some level of consensus around whether a problem exists and a focus on what to do about it. With virtualization, however, adoption has been broad but shallow. Market researcher IDC notes that only 7 percent of physical servers have been virtualized around the world. Everybody's doing it, but nobody's doing it thoroughly or methodically.

"Normally, technology in the data center is planned, thought about, managed and implemented in a very structured way. This is an operational tool that came through the back door," Lynch said.

He recommended tracking where VMs are deployed, where they came from, their lineage, and their updates and patches, including both host and guest operating systems.

In addition, securing a virtualized environment requires segmenting—avoiding mixing VMs with different security postures and requirements on one host system. Lynch also recommended segmenting a virtual environment for defense by isolating privileged VMs on their own network segment.

Other best practices include applying and enforcing—preferably automatically—consistent security policy across all VMs and virtualization platforms, allowing only approved VMs to operate, controlling what kind of VMs can be installed in specific environments, enforcing minimum permissions for users and staff, and limiting the ability to load arbitrary software onto the host operating system.

In addition, Lynch recommended monitoring access to virtualization resources and all administrative activity, triggering notification on significant events, and protecting audit logs. Finally, he said, data centers should keep host operating systems thin and hardened and should keep up-to-date on all hypervisor patches and threats.
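The recommendations above (track every VM and its lineage, allow only approved VMs to run, keep VMs of different security postures off the same host, isolate privileged VMs on their own segment, and stay current on patches) can be turned into an automated audit over an inventory export. The following Python is an added illustration written for this article, not code from Embotics or any virtualization vendor; the inventory rows, hostnames, VM names, network names, dates and the 30-day patch threshold are all constructed, and the record layout is a hypothetical one rather than any product's real export format.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass
class VM:
    """One row of a VM inventory (constructed fields, not a real product's schema)."""
    name: str
    host: str           # physical host the VM runs on
    origin: str         # lineage: template, appliance vendor, or "unknown"
    zone: str           # security posture: "dmz", "internal" or "privileged"
    network: str        # network segment the VM is attached to
    last_patched: date  # last guest OS patch date


# Constructed sample inventory; hostnames, VM names and dates are hypothetical.
INVENTORY = [
    VM("web-01",  "esx-a", "template:base-2007-09", "dmz",        "dmz-net", date(2007, 10, 1)),
    VM("db-01",   "esx-a", "template:base-2007-09", "internal",   "int-net", date(2007, 10, 1)),
    VM("mgmt-01", "esx-b", "template:base-2007-09", "privileged", "int-net", date(2007, 9, 15)),
    VM("appl-99", "esx-b", "unknown",               "internal",   "int-net", date(2007, 3, 1)),
]

# Change-controlled register of VMs allowed to run (constructed).
APPROVED = {"web-01", "db-01", "mgmt-01"}
PRIVILEGED_SEGMENT = "mgmt-net"   # isolated segment privileged VMs must live on
MAX_PATCH_AGE_DAYS = 30           # constructed policy threshold


def audit(inventory, approved, today, privileged_segment=PRIVILEGED_SEGMENT,
          max_patch_age=MAX_PATCH_AGE_DAYS):
    """Return a list of findings, each {"check": ..., "subject": ..., "detail": ...}."""
    findings = []

    def flag(check, subject, detail):
        findings.append({"check": check, "subject": subject, "detail": detail})

    zones_per_host = {}
    for vm in inventory:
        # Sprawl: a VM nobody registered is running.
        if vm.name not in approved:
            flag("unapproved", vm.name, f"not in approved register (host {vm.host})")
        # Black-box appliance: lineage unknown, so patch ownership is unknown too.
        if vm.origin == "unknown":
            flag("unknown-origin", vm.name, "image lineage not recorded")
        # Privileged VMs belong on their own isolated segment.
        if vm.zone == "privileged" and vm.network != privileged_segment:
            flag("privileged-segment", vm.name,
                 f"attached to {vm.network}, expected {privileged_segment}")
        # Guest patch level drifting past the policy threshold.
        age = (today - vm.last_patched).days
        if age > max_patch_age:
            flag("stale-patch", vm.name, f"last patched {age} days ago")
        zones_per_host.setdefault(vm.host, set()).add(vm.zone)

    # Co-residency: VMs of different security postures sharing one host.
    for host, zones in sorted(zones_per_host.items()):
        if len(zones) > 1:
            flag("mixed-zones", host, "hosts " + ", ".join(sorted(zones)))

    return findings


def summarize(findings):
    """Count findings per check, e.g. {"unapproved": 1, ...}."""
    return dict(Counter(f["check"] for f in findings))


def run_sample(today=date(2007, 10, 23)):
    """Audit the constructed inventory as of a constructed audit date."""
    return summarize(audit(INVENTORY, APPROVED, today))


if __name__ == "__main__":
    for f in audit(INVENTORY, APPROVED, date(2007, 10, 23)):
        print(f"[{f['check']}] {f['subject']}: {f['detail']}")
```

On the sample data the audit surfaces all five problems the article warns about at once: an unregistered VM of unknown lineage (appl-99), both hosts mixing security zones, a privileged VM sitting on the general internal segment, and two guests past the patch threshold. In practice the `INVENTORY` list would be fed from a real inventory export and the approved register from change control; the checks themselves stay the same.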