Cloud // Cloud Storage
Commentary
7/20/2012
06:16 PM
Jasmine  McTigue
Jasmine McTigue
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Virtualization And The Apple Effect

Banking on black hats not targeting hypervisors was always a questionable idea. Now, it's downright dangerous.

Remember when attackers ignored Apple products? Back when the platform was limited to industry-specific niches? Mac viruses are still rare, but the explosive popularity of iThings and Apple's growing market presence (now around 14% of total U.S. personal computing share) mean they're a growing concern. Hypervisors are also popping up everywhere, and not just in data centers. Even Microsoft's Xbox console sports an elementary hypervisor (not Hyper-V) to separate the system software from underlying hardware. And more popularity inevitably equals more attacks.

Some IT pros saw this coming. Back when vSphere was still called ESX server, I remember sitting with a group of network professionals and discussing how the hypervisor changed the security landscape by interjecting a new layer into the stack, thereby creating a new attack surface. The more senior members of our little group pointed out that because hypervisors were written by humans and consisted of code, they were inherently vulnerable. Most of my team scoffed--after all, in 2002, only a small percentage of IT shops had virtualized infrastructures. With hardware and implementation costs acting as a barrier to adoption and major vendors like Microsoft refusing to support widely used products like Exchange and SQL Server running on virtualized platforms, confidence in virtualized infrastructures and their ability to show a compelling ROI was not exactly high. But I remember thinking it was only a matter of time before attacks on the hypervisor went mainstream.

That time is now, and evidence of hypervisor vulnerabilities in 64-bit paravirtualized Xen hosts (CVE-2012-0217) has brought home exactly how right those old-timers were. When it comes to market share, the hypervisor is king. Our InformationWeek 2012 State of the Data Center Survey, fielded in April, shows just 14% of respondents (all involved with management or decision-making at data centers that are 1,000 square feet or larger) don't have a virtualization management or private cloud software stack in place; the top pick by far, with 53%, is VMware vCenter. At No. 2, with just 10%, is Microsoft System Center VMM.

With widespread adoption in every vertical and in industries of every size, the incentive to write exploit code for common hypervisor platforms is very compelling indeed.

The Xen vulnerability brings the matter of hypervisor security to our front door. An attacker who compromises an unpatched guest machine can now root the host itself on unpatched Xen implementations. The fact that CVE-2012-0217 exists means we can no longer ignore security at the hypervisor and rest easy at night secure in the knowledge that exploits simply don't exist.

Still, while the landscape just became a whole lot scarier, it's not all gloom and doom. VMware in particular has been proactively preparing for this moment since February 2008, when it launched the VMsafe initiative. The idea behind VMsafe was to get a small number of highly trusted security providers deep into VMware's hypervisor and collaboratively develop APIs and intercept code to mitigate and prevent hypervisor exploits. While VMsafe has been discontinued, its successor product line, vShield, is alive and well and has been the subject of considerable enhancement in vSphere 5.

VMware has also espoused the fact that a small, compact, and robustly tested hypervisor like vSphere is intrinsically difficult to write exploit code for, a statement with which most security professionals will agree. While Hyper-V continues to gain in market share, largely because of aggressive pricing, VMware's full-featured ESXi sports a 70-MB installed footprint versus around 3.5 GB for a corresponding Server 2008 R2 Core Hyper-V installation. This means that VMware is fully functional at one-fiftieth the amount of code, a significant attack surface advantage for the seated virtualization giant.

Even so, VMware has taken a few lumps. In 2008, a vulnerability dubbed CVE-2008-4916, which took advantage of faulty display code to enable execution of code on the host machine, was demonstrated; however, the vulnerability was only ever proved on VMware workstation, and VMware patched the bug before releasing vSphere 4.0. This year, a new vulnerability in VMware display drivers, CVE-2012-1510, enables local privilege elevation on a guest machine running the unpatched driver but does not threaten the host itself. Also this year, CVE-2012-1517 can crash the host VMX process and is listed as having the potential to execute privileged code on the host, even though a proof of concept has not been demonstrated.

Despite the lack of a corresponding case of guest-to-host escape like CVE-2012-0217, the virtualization giant has come close to a serious vulnerability more than once.

So what does it all mean? Simply put, despite VMware's best efforts to mitigate vulnerabilities and its visionary leadership in the area of hypervisor security, vulnerabilities are still becoming a fact of life in virtualized infrastructures.

And with the hypervisor being a critical component of everyday business strategy from enterprises both small and large, it's only a matter of time before the more enterprising members of the black-hat community start finding exploits for major hypervisor platforms with increasing frequency.

Network and security professionals would be wise to pull their heads out of the sand and start addressing virtual security before it's too late.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Jake McTigue
50%
50%
Jake McTigue,
User Rank: Apprentice
7/23/2012 | 4:18:24 PM
re: Virtualization And The Apple Effect
Lars,

Our intention is definitely not to minimize Xen, but merely to point out that vulnerabilities like this are coming main stream. And while the public cloud has had to worry about security pretty much from the word go, security awareness in the private cloud is a different story altogether because of complacency in the face of few if any demonstrated viable exploits. When we survey IT professionals, we see a large majority building private clouds to avoid the perceived trust, privacy and reliability issues associated with public cloud services.

The Xen community response to CVE-2012-0217 has been amazing, but it's still a call to arms for technology warriors. Thank you for the informative comment!
LarsKurth
50%
50%
LarsKurth,
User Rank: Apprentice
7/23/2012 | 2:03:19 PM
re: Virtualization And The Apple Effect
People who want to read up on CVE-2012-0217, should have a look at http://blog.xen.org/index.php/... ...

There are a number of points to make:
a) The vulnerability has not only affected Xen, but also operating systems such as NetBSD, FreeBSD and some versions of Microsoft Windows (including Windows 7)
b) The Xen community does have a security vulnerability response process which has allowed the majority of service providers to patch their installations before the CVE was published
c) Security of Hypervisors is taken very seriously (and has been taken seriously for years) in particular by cloud providers and hosting services which have built their services on top of hypervisors such as Xen

Google in the Enterprise Survey
Google in the Enterprise Survey
There's no doubt Google has made headway into businesses: Just 28 percent discourage or ban use of its productivity ­products, and 69 percent cite Google Apps' good or excellent ­mobility. But progress could still stall: 59 percent of nonusers ­distrust the security of Google's cloud. Its data privacy is an open question, and 37 percent worry about integration.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - September 10, 2014
A high-scale relational database? NoSQL database? Hadoop? Event-processing technology? When it comes to big data, one size doesn't fit all. Here's how to decide.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.