
Do You Want the Red Pill or the Blue One?

Virtualization is a hot topic by any measure, and the security world has not escaped the healthy debates and new discoveries of researchers who are just beginning to plumb the issues. They're looking not only at the impact of virtualization on security, but also at what security can do with virtualization. Here's a brief summary of some of the different issues that are keeping things interesting.

Several years ago Joanna Rutkowska released the "Red Pill" tool. The goal was to easily detect when a program was running under virtualization. Since then (really since before then -- Red Pill wasn't even the first generic VM detection), the ability to detect virtualization and behave differently based on that has been creeping into malware, in an attempt to make security companies' jobs harder when they analyze samples in virtual machines. Ironically, this trend might actually go away. After all, as virtualized environments become more common, many legitimate endpoints will be running in virtualized environments indistinguishable from a malware analyst's environment, and distinguishing virtualization from native hardware will be of no use to the bad guys: malware that refuses to run in a VM also refuses to run on the virtualized servers and desktops it was meant to infect.
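To make the detection concrete, here is an added example (not Red Pill's own source, and not part of the original post) of the Red Pill heuristic next to the CPUID hypervisor-present check that largely replaced it. Red Pill's trick is that SIDT stores the IDT register to memory without a privilege check, so a user-mode program can read where the OS put its interrupt descriptor table; the software hypervisors of the time relocated the guest's IDT to a high address, and Red Pill flagged a VM when the top byte of the base exceeded 0xd0. The 0xd0000000 cut-off, the `redpill_says_vm` and `hv_vendor_from_regs` helper names, and the assumption of a gcc/clang build on x86 are this example's own (non-x86 targets compile to a stub that reports nothing). Its comments also spell out why the heuristic is a 2004 artifact rather than a modern detector: 64-bit kernels map the IDT in the high half whether or not they are virtualized, hardware-assisted hypervisors (VT-x/SVM) let the guest keep its real IDT, and CPUs with UMIP make SIDT fault in user mode, after which Linux hands back a dummy base.

```c
/* Added example: Red Pill's SIDT heuristic and the CPUID hypervisor-present check.
 * Not Rutkowska's code; threshold and helper names are this example's assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REDPILL_THRESHOLD 0xd0000000ULL   /* Red Pill's 32-bit cut-off (assumed here as an exact value) */

/* Pure classification rule, kept separate so it can be exercised with constructed values.
 * Caveat: on a 64-bit kernel the IDT base is always in the high half, so this
 * always says "VM" there whether or not a hypervisor is present. */
int redpill_says_vm(uint64_t idt_base)
{
    return idt_base > REDPILL_THRESHOLD;
}

/* Unpack the 12-byte vendor string a hypervisor returns in CPUID leaf 0x40000000 (EBX, ECX, EDX). */
const char *hv_vendor_from_regs(uint32_t ebx, uint32_t ecx, uint32_t edx)
{
    static char vendor[13];
    memcpy(vendor, &ebx, 4);
    memcpy(vendor + 4, &ecx, 4);
    memcpy(vendor + 8, &edx, 4);
    vendor[12] = '\0';
    return vendor;
}

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>

/* SIDT writes 6 bytes on 32-bit and 10 bytes on 64-bit: 16-bit limit followed by the base. */
struct __attribute__((packed)) idtr { uint16_t limit; uint64_t base; };

/* The Red Pill instruction. On CPUs with UMIP this faults in user mode and the
 * kernel (Linux, at least) emulates it with a dummy base, another reason the
 * heuristic no longer means much. */
uint64_t read_idt_base(void)
{
    struct idtr r = {0, 0};
    __asm__ volatile("sidt %0" : "=m"(r));
    return r.base;                       /* upper bytes stay zero on 32-bit */
}

/* CPUID leaf 1, ECX bit 31 is reserved as 0 on bare metal and set by hypervisors
 * that choose to announce themselves; only then is leaf 0x40000000 meaningful. */
int cpuid_hypervisor_present(const char **vendor)
{
    unsigned int a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d) || !((c >> 31) & 1)) {
        *vendor = "";
        return 0;
    }
    __cpuid(0x40000000, a, b, c, d);
    *vendor = hv_vendor_from_regs(b, c, d);
    return 1;
}
#else
/* Non-x86 stub: neither probe applies. */
uint64_t read_idt_base(void) { return 0; }
int cpuid_hypervisor_present(const char **vendor) { *vendor = ""; return 0; }
#endif

int main(void)
{
    const char *vendor;
    uint64_t base = read_idt_base();
    printf("IDT base: 0x%llx, Red Pill heuristic says: %s\n",
           (unsigned long long)base, redpill_says_vm(base) ? "VM" : "native");
#if defined(__x86_64__)
    printf("(64-bit host: the IDT always lives above the threshold, ignore the line above)\n");
#endif
    printf("CPUID hypervisor bit: %s%s%s\n",
           cpuid_hypervisor_present(&vendor) ? "set" : "clear",
           *vendor ? ", vendor " : "", vendor);
    return 0;
}
```

Run it once on bare metal and once inside VMware, VirtualBox or KVM and compare the two lines: the CPUID bit and vendor string are the reliable signal on hardware-virtualized guests, but only because those hypervisors opt in to being visible, which is exactly the knob a malware analyst's sandbox can turn off.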

Not done with the topic of virtualization, at Black Hat in 2006 Rutkowska demonstrated but didn't release her "Blue Pill" tool (get the Matrix references yet?), essentially a rootkit able to subvert a running operating system by slipping a thin hypervisor underneath it, built on AMD's SVM hardware virtualization (at the same conference, Dino Dai Zovi demoed a similar tool called Vitriol for Intel's VT-x). Finally, this year's Black Hat featured some back and forth between Rutkowska and other security researchers on whether hypervisor rootkits are a real threat. The bottom line, though, is that the bad guys haven't moved to the hypervisor because they don't need to: there are plenty of reasons to stay in the operating system. While I'm sure some proof-of-concept tools will be released with hypervisor rootkit abilities (especially since Joanna released Blue Pill's source), I don't expect this to become a large threat anytime remotely soon.

While paranoid security folks have always required that virtual machines hosted on the same hardware share the same security posture and classification (i.e., your public-facing web server isn't hosted on the same hardware that also handles sensitive internal payroll applications), not everybody got that memo. Some folks are blindly mixing VMs without regard for the security implications. There are a couple of problems there. First, most security monitoring appliances are built to monitor traffic from span ports, taps, etc., but may not yet have been adjusted to operate on virtual networks: traffic between two VMs on the same host's virtual switch never touches a physical port, so a network IDS hanging off a span port simply never sees it. Look for security vendors to start pushing technologies that do this. See Art's post for more on that.

However, an even bigger threat exists in the form of breakout attacks. When vulnerabilities exist within the virtualization technologies themselves, it's possible to "escape" from a guest VM into the host operating system or hypervisor, and from there into every other guest on that hardware. While using an environment like VMware ESX that is specifically designed for virtualization might help mitigate these risks, it certainly doesn't eliminate them. Not only has Xen patched vulnerabilities in the past that allowed this, but Microsoft's last batch of Black Tuesday patches included MS07-049, a security bulletin describing a vulnerability of this kind reported by McAfee. Additionally, at the recent SANSFIRE conference, Ed Skoudis and Tom Liston of Intelguardians reportedly demonstrated a live breakout of VMware (details are a bit light; see Ed's comment on the Cutaway Security blog for more info).
