Virtualization is a hot topic by any measure, and the security world has not escaped healthy debates and new discoveries from researchers just beginning to plumb the issues. They're looking at not only the impact of virtualization on security, but also the impact security can have with virtualization. Here's a brief summary of some of the different issues that are keeping things interesting.
Several years ago Joanna Rutkowska released the "Red Pill" tool. Its goal was to make it easy to detect when a program was running under
virtualization. Since then (really since before then -- Red Pill wasn't even the first generic VM detection), the ability to detect
virtualization and behave differently based on that has been creeping into malware in an attempt to make security companies' jobs
harder when analyzing samples. Ironically, this trend might actually go away. After all, as virtualized environments become more common,
many legitimate endpoints will be running in virtualized environments indistinguishable from a malware analyst's environment, and
distinguishing between virtualization and native hardware will be unnecessary for the bad guys.
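Red Pill and the generic VM checks that followed it all lean on a handful of descriptor-table instructions, which gives an analyst a cheap static triage signal. The scanner below is an added example, not code from the original post or from Red Pill itself; it decodes just enough of the x86 encoding to flag those instructions in a byte buffer, and the sample bytes are constructed for the demo rather than taken from real malware.

```python
"""Static triage heuristic for Red Pill-style VM-detection instructions.

Added example: scans raw x86 code bytes for SIDT/SGDT/SLDT/STR, the
descriptor-table reads that Red Pill and similar checks rely on, and
reports each hit with its offset. Useful as a pre-sandbox triage flag
for VM-aware samples; it is a heuristic, not a disassembler.
"""
from typing import Dict, List, Tuple

# Two-byte opcodes share 0F 00 / 0F 01 with other instructions; the ModRM
# "reg" field selects the mnemonic. Only these four are of interest here.
_MNEMONICS = {
    (0x01, 0): "sgdt",  # memory operand only (mod != 3)
    (0x01, 1): "sidt",  # memory operand only (mod != 3)
    (0x00, 0): "sldt",  # register or memory form
    (0x00, 1): "str",   # register or memory form
}


def find_vm_detection_instructions(code: bytes) -> List[Tuple[int, str]]:
    """Return (offset, mnemonic) for each candidate instruction in `code`."""
    hits: List[Tuple[int, str]] = []
    for i in range(len(code) - 2):
        if code[i] != 0x0F or code[i + 1] not in (0x00, 0x01):
            continue
        modrm = code[i + 2]
        mod, reg = modrm >> 6, (modrm >> 3) & 7
        name = _MNEMONICS.get((code[i + 1], reg))
        # 0F 01 with mod == 3 is a different instruction (e.g. VMCALL), not
        # SGDT/SIDT, so it must not be reported.
        if name is None or (code[i + 1] == 0x01 and mod == 3):
            continue
        hits.append((i, name))
    return hits


def summarize(code: bytes) -> Dict[str, int]:
    """Count hits per mnemonic, a compact score for an analyst's report."""
    counts: Dict[str, int] = {}
    for _, name in find_vm_detection_instructions(code):
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample: push ebp / mov ebp,esp; sidt [esp-2]; sldt eax;
# vmcall (0F 01 C1, must NOT be flagged); ret.
SAMPLE = bytes.fromhex("558bec" "0f014c24fe" "0f00c0" "0f01c1" "c3")

if __name__ == "__main__":
    for offset, name in find_vm_detection_instructions(SAMPLE):
        print(f"offset {offset:#06x}: {name}")
    print(summarize(SAMPLE))
```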
Not done with the topic of virtualization, at BlackHat in 2006 Rutkowska demonstrated but didn't release her "Blue Pill" tool (get
the Matrix references yet?), essentially a rootkit able to subvert a running operating system using hardware virtualization, built on
AMD's SVM (at the same conference, Dino Dai Zovi demoed a similar tool called Vitriol for Intel's VT-x). Finally, this year's BlackHat
featured some back and forth between Rutkowska and other security researchers on whether hypervisor rootkits are really a genuine threat.
The bottom line, though, is that the bad guys don't need to move to the hypervisor: there are plenty of reasons
to stay in the operating system. While I'm sure some proof-of-concept tools will be released with hypervisor rootkit abilities
(especially since Joanna released Blue Pill's source), I don't expect this to become a large threat anytime remotely soon.
While paranoid security folks have always been sure to require that virtual machines hosted on the same hardware are of the same security
posture and classification (i.e., your public-facing webserver isn't hosted on the same hardware that also handles sensitive internal
payroll applications), not everybody got that memo. Some folks are blindly mixing VMs without regard for the security implications.
There are a couple of problems there. First, most security monitoring appliances are built to monitor traffic from span ports, taps, etc.,
but may not yet be adjusted to operate on virtual networks. Look for security vendors to start pushing technologies that do this. See Art's post for more on that.
However, an even bigger threat exists in the form of breakout attacks. When vulnerabilities exist within the virtualization
technologies themselves, it's theoretically possible to "escape" from a guest VM into the host operating system. While using an
environment like VMware's ESX that is specifically designed for virtualization might help mitigate these risks, it certainly doesn't
eliminate them. Not only has Xen patched vulnerabilities in the past that allowed this, but Microsoft's last batch of Black Tuesday
patches included MS07-049, a security bulletin describing a vulnerability of this kind reported by McAfee. Additionally, at the recent
SANSFire conference, Ed Skoudis and Tom Liston of Intelguardians reportedly demonstrated a live breakout of VMware (while details are
a bit light, see Ed's comment on the Cutaway Security blog for more info).