VIRTUMANIA Episode 19: Security Is The Dark Side Of Virtualization
The VIRTUMANIA continues with Episode 19! Rick Vanover joins Marc and me again, along with very special guest Ed Haletky, for an extremely important discussion about security in virtualization infrastructure. The following is the podcast summary:
VIRTUMANIA Podcast Episode 19 – Security is The Dark Side of Virtualization. Rich Brambley (@rbrambley) of VMETC and Marc Farley (@3parfarley) of 3Par and StorageRap.com, with show regular Rick Vanover (@rickvanover) of RickVanover.com, host Ed Haletky (@texiwill) of The Virtualization Practice Blog. This episode includes interesting discussion about security concerns that administrators unintentionally create in virtual infrastructure when they deviate from best practices in the name of convenience. The show gets into well-known attacks possible on a hypervisor, and what, if anything, can be done to stop them. Virtumania is an Infosmack Production.
All virtualization administrators should pay close attention to the Blue Pill Attack discussion. It’s definitely some scary stuff!
Before, between, and after the important stuff we also have some fun with Farley Fest, The World Cup, 4th of July Vacations, and Wisconsin. Ed reveals he is a foodie like Jason Perlow in our last episode, and he makes a recommendation for Mama Reux in Austin, TX. Look out for the bad alligator jokes too.
Rick gives Ed a hard time for being known as too serious at times, and he proudly keeps track of how many times Haletky laughs on this show.
Listen to the podcast with the embedded player or subscribe to get a weekly copy so you can listen when convenient.
Check out the VM /ETC VIRTUMANIA Page to listen to past episodes as well as episodes of Infosmack.
The following links offer more information on some of the topics mentioned in VIRTUMANIA Episode 19:
The Blue Pill Attack
The name Blue Pill is a reference to the blue pill from The Matrix where one character (Morpheus) is in a virtual reality simulation talking to another character (Neo) who is unaware that they are in a virtual reality.
Morpheus says, "This is your last chance. After this, there is no turning back. You take the blue pill, the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill, you stay in Wonderland and I show you how deep the rabbit-hole goes."
A Blue Pill computing system victim is like Neo, unaware that it has been compromised.
The Blue Pill virtualization attack: Virtual machine malware
The Blue Pill attack itself manipulates kernel mode memory paging and the VMRUN and related SVM instructions that control the interaction between the host (hypervisor) and guest (virtual machine). This permits undetected, on-the-fly placement of the host operating system in its own secure virtual machine allowing for complete control of the system including manipulation by other malware.
VI: Looking at Ms. Rutkowska’s demonstration, Austin Wilson, Director of the Windows Client Group at Microsoft, said the company will try to prevent such a scenario in the upcoming Vista operating system. What do you think can really be done at the operating system level to mitigate the risk? Is this something the Linux, BSD and Solaris communities should also look at?
AL: I wouldn’t lose a bit of sleep over this particular threat. I don’t feel there is any new risk here at all.
Researchers to cure Blue Pill virtualization attacks
Two researchers from North Carolina State University have developed software that they say can protect virtualization hypervisors from malicious "Blue Pill" rootkit threats.
"HyperSafe enables the hypervisor self-protection from code injection attempts," said Xuxian Jiang, an assistant professor of computer science at NCSU.
Security Tools for virtualization mentioned:
- Hytrust – http://www.hytrust.com/product/overview/
- Catbird – http://www2.catbird.com/our_services/vmware.php
- Reflex Systems – http://www.reflexsystems.com/Products/VMC
- Altor Firewall – http://www.altornetworks.com
- VMware’s VMSafe and vShield Zones – http://www.vmware.com/go/vmsafe and https://www.vmware.com/products/vshield-zones/
More Info about @texiwill
Blue Gears Blog
The Virtualization Practice
Virtualization Security Podcast
- VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment
- VMware ESX Server in the Enterprise: Planning and Securing Virtualization Servers
- New Book for 2010 – VMware ESX and ESXi in the Enterprise: Planning Deployment of Virtualization Servers (2nd Edition)
Posted By Texiwill on April 21, 2010
We discussed forensics from the perspective of evidence necessary for a court of law. In other words, forensically sound data acquisition prepared for forensic analysis. This is an interesting aspect of virtualization, some of which I have discussed before.
Out of this discussion came some fairly straightforward advice that many may find difficult to perform due entirely to the additional cost and requirements:
- Have a Written Incident Response Policy and Procedure
- Have a Written Data Retention Policy
- Have a Separate ESX Cluster for purely Forensics
Virtualization & Security: Real Threats to Virtual Systems.
Hakin9: Hard Core IT Security Magazine, June 2008, pp. 54-58.
The Virtualization Practice’s Edward Haletky presents
Secure Multi Tenancy Concerns
So to the hypervisor vendors, give us encrypted memory and encrypted vMotion or Live Migration. Then we can finally start to seriously implement SMT.
produced by Edward L. Haletky of The Virtualization Practice