Virtualization System Security

Transcription

1 Virtualization System Security Bryan Williams, IBM X-Force Advanced Research Tom Cross, Manager, IBM X-Force Security Strategy 2009 IBM Corporation

2 Overview Vulnerability disclosure analysis Vulnerability classes Vulnerability examples Virtualization-system specific attacks Known virtualization system attacks Public virtualization system exploits Summary of virtualization system security concerns Technologies for virtualization-based security enhancement Configuration recommendations

3 The Importance of Virtualization System Security Businesses are increasingly relying on virtualization technology In Q4 2009, 18.2% of servers shipped were virtualized 1 20% increase over 15.2% shipped in Q Growing interest in cloud computing will fuel further demand Vulnerability disclosures have grown as interest has grown Source: IBM X-Force 2010 Midyear Trend Report 1 Source: IDC

4 The Risk Imposed by Virtualization System Vulnerabilities Disclosed vulnerabilities pose a significant security risk 40% of all reported vulnerabilities have high severity Tend to be easy to exploit, provide full control over attacked system Exploits have been publically disclosed for 14% of vulnerabilities

5 The Risk To Production Systems Most reported vulnerabilities affect production virtualization systems Production systems run on the bare metal hypervisor acts as operating system Contrast with workstation systems, which run on top of a host OS

6 Vendor Disclosures by Vendor Low percentages for Oracle, IBM, and Microsoft VMware: 80.9% RedHat: 6.9% Citrix: 5.8% Oracle: 1.8% IBM: 1.1% Microsoft: 0.9%

7 Virtualization System Vulnerability Classes Vulnerabilities can be classified by what they affect Virtualization Server Guest VM Users 5 System Administrators Virtualization System 1 Admin VM Guest VM Hypervisor Hardware Guest VM Management Console Management Server

8 Virtualization System Vulnerability Classes Management console vulnerabilities Affect the management console host Can provide platform or information allowing attack of management server Can occur in custom consoles or web applications Management server vulnerabilities Potential to compromise virtualization system configuration Can provide platform from which to attack administrative VM Administrative VM vulnerabilities Compromises system configuration In some systems (like Xen), equivalent to a hypervisor vulnerability in that all guest VMs may be compromised Can provide platform from which to attack hypervisor and guest VMs

9 Virtualization System Vulnerability Classes Guest VM vulnerabilities Affect a single VM Can provide platform from which to attack administrative VM, hypervisor, and other guest VMs Hypervisor vulnerabilities Compromise all guest VMs Cannot be exploited from guest VMs Hypervisor escape vulnerabilities A type of hypervisor vulnerability Classified separately because of their importance Allow a guest VM user to escape from own VM to attack other VMs or hypervisor Violate assumption of isolation of guest VMs

10 Production Virtualization System Vulnerabilities By Class Mgmt Server (6.3%) Guest VM (15.0%) Hypervisor (1.3%) Indeterminate (6.3%) Hypervisor escape (37.5%) Mgmt console (16.3%) Admin VM (17.5%)

11 Virtualization System Vulnerability Examples Management console CVE : A cross-site scripting vulnerability in a VMware web console allows remote attackers to steal cookie-based authentication credentials Management server CVE : VMware VirtualCenter management server can allow a local attacker to use directory traversal sequences to gain elevated privileges Administrative VM CVE : A buffer overflow in a VMWare management service running in the administrative VM could allow remote authenticated users to gain root privileges

12 Virtualization System Vulnerability Examples Guest VM CVE : A bug in the handling of page fault exceptions in VMware ESX Server could allow a guest VM user to gain kernel mode execution privileges in the guest VM Hypervisor CVE : By modifying the processor status register, a local attacker can cause the Xen kernel to crash Hypervisor escape CVE : An error in the virtual machine display function on VMware ESX Server allows an attacker in a guest VM to execute arbitrary code in the hypervisor

13 New Virtualization System-Specific Attacks VM jumping/guest hopping Attackers take advantage of hypervisor escape vulnerabilities to jump from one VM to another VM attacks Attacks during deployment and duplication Deletion of virtual images Attacks on control of virtual machines Code/file injection into virtualization file structure

14 New Virtualization System-Specific Attacks VM migration VM migration is transfer of guest OS from one physical server to another with little or no downtime Implemented by several virtualization products Provides high availability and dynamic load balancing VMware VMotion brochure

15 New Virtualization System-Specific Attacks VM migration attack If migration protocol is unencrypted, susceptible to man-in-the-middle attack Allows arbitrary state in VM to be modified In default configuration, XenMotion is susceptible (no encryption) VMware s VMotion system supports encryption Proof-of-concept developed by John Oberheide at the Univ. of Michigan John Oberheide et. al. University of Michigan

16 Known Virtualization System Attacks Management server attacks Exploit management console vulnerabilities that divulge password information Exploit management console vulnerabilities to gain access to management server Exploit vulnerabilities that allow local management server users to gain elevated privileges Administrative VM attacks exploit vulnerabilities to: Cause a denial of service by halting the system Cause a denial of service by crashing the administrative VM Obtain passwords that are stored in cleartext Exploit buffer overflows in exposed services to execute arbitrary code Exploit vulnerable services to gain elevated privileges Bypass authentication

17 Known Virtualization System Attacks Guest VM attacks exploit vulnerabilities to: Gain elevated privileges Crash the virtual machine Truncate arbitrary files on the system Execute arbitrary code with elevated privileges Hypervisor attacks exploit vulnerabilities to: Cause the hypervisor to crash Escape from one guest VM to another

18 Example Configuration Issues Virtual machine configuration Resource reservations and limits (for example, on CPU usage) can be established for individual VMs Allows assignment of more system resources to specific VMs Improper configuration can allow a DoS against one virtual host to affect other hosts on the same server Failure to enable log file rotation can fill disk and DoS the ESX Server Failure to disable unused devices can introduce unnecessary risk

19 Example Configuration Issues Virtual network configuration Virtual switches are used to define the topology of virtual networks VMware

20 Example Configuration Issues Improper configuration can allow unintended communication among guest VMs Network services are enabled to connect virtual machines and kernel services to the physical network Kernel services include features such as virtual machine migration Failure to disable unused services can introduce unnecessary risk VLANs can be used to aggregate multiple virtual switch ports under a common configuration Incorrect aggregation can result in misconfiguration of ports

21 New Virtualization System-Specific Attacks Hyperjacking Consists of installing a rogue hypervisor One method for doing this is overwriting pagefiles on disk that contain paged-out kernel code Force kernel to be paged out by allocating large amounts of memory Find unused driver in page file and replace its dispatch function with shellcode Take action to cause driver to be executed Shellcode downloads the rest of the malware Host OS is migrated to run in a virtual machine Has been demonstrated for taking control of Host OS Hyperjacking of hypervisors may be possible, but not yet demonstrated Hypervisors will come under intense scrutiny because they are such attractive targets Known hyperjacking tools: BluePill, SubVirt, Vitriol

22 Virtualization System Public Exploits 36 public exploits against production virtualization systems have been released Most of these are attacks against third-party components of these systems CVE Guest OS user can gain elevated privileges on guest OS by exploiting a bug in handling of page faults Affects ESX server 4 and other VMware products Exploit binary posted at lists.grok.org.uk

23 Virtualization System Public Exploits CVE Remote attacker can write PHP code to Web server configuration script to execute arbitrary PHP code with privileges of server Affects XenCenterWeb Exploit URLs are provided in a Neophasis post:

24 Virtualization System Public Exploits CVE OpenSSL buffer overflow vulnerability allows remote attacker to execute arbitrary code on the system Affects VMware ESXi server 3.5, presumably the administrative VM (the service console ) Neophasis post describes the exploit Involves sending multiple ciphers to take advantage of an off-by- one error in OpenSSL s cipher processing code

25 Summary of Virtualization System Security Concerns Virtualization systems have added new vulnerabilities to infrastructure 259 new vulnerabilities over the last 5 years (XFDB) Use of virtualization systems doesn t add inherent security same connectivity to servers is still needed Addition of new operating system (hypervisor) increases attack surface Doesn t replace existing OSes Potential for new types of attacks Migration of VMs for load balancing can make them more difficult to secure Ease of addition of new VMs can increase likelihood that insecure systems will go online New management systems are needed for virtualization systems - increases attack surface

26 Technologies for Virtualization-Based Security Enhancement Some technologies can take advantage of virtualization to improve security IBM Security Virtual Server Protection for VMWare Takes advantage of virtualization to provide IPS protection for all communication between VMs on a virtualization server Traditional IPS provides protection only where appliances are installed Future may see virtualization-based sandboxing Sandbox environment is a locked-down OS that restricts what programs can do for example, disallow network access Sandboxes could run in separate VMs and be used for opening untrusted files and running untrusted applications

27 Virtualization System Configuration Recommendations Don t connect virtualization system hosts to operational networks until fully configured Management server configuration Management servers should be segregated from operational networks via an appropriately configured firewall or router Restrict access of management system databases to the management server, a database administrator, and backup software Limit access to remote management tools Use limited accounts Connections to virtualization systems should be encrypted and authenticated Use logging

28 Virtualization System Configuration Recommendations Administrative VM configuration Avoid installing third-party software Disable or restrict access to unused network services Synchronize clocks on virtualization servers and management servers to aid log analysis Manage log size to avoid filling partitions Implement file system integrity checking and password policies Only allow server administrators to manage administrative VMs Disable root console logins

29 Virtualization System Configuration Recommendations Guest VM configuration Harden servers Update and patch OS Use single role servers disable unnecessary services Use local firewall to insure limited host control Use limited scope admin accounts with strong passwords Protect virtual machine files Use access control lists Use encryption Use auditing of file operations (access, creation, deletion, ) Disable unnecessary or unused virtual devices Use hardened VM images as basis for new VMs VMware supports templates for creation of new VM images

30 Virtualization System Configuration Recommendations Virtualization environment configuration Install hypervisor updates and patches If possible, install VMs with different security profiles on different physical machines The existence of hypervisor escape vulnerabilities makes this prudent Otherwise, use virtual firewalls between groups of machines with different security postures Isolate VM traffic by defining VLAN port groups in virtual switches and associating each VM virtual adapter with the appropriate port group If supported, configure port groups to: Restrict virtual adapters from entering promiscuous mode Avoid changing virtual NICs own MAC addresses

31 Summary Virtualization system interest and vulnerabilities have both increased Virtualization system vulnerabilities can be characterized by what they affect Known attacks exist against all virtualization system components Public exploits have been released for some virtualization system vulnerabilities Virtualization systems have introduced new types of attacks Currently, virtualization systems make networks less secure Some technologies can offer virtualization-based security enhancement Proper configuration can reduce virtualization system risk

32 References X-Force 2010 Midyear Trend Report X-Force database VMWare ESX Server 3 Configuration Guide NSA ESX 3 Server Configuration Guide Virtualization Security (Microsoft presentation) c61ddd81/Day2Session-VirtualizationSecurity-RickClaus.pdf Subverting Vista Kernel for Fun and Profit (BlackHat presentation by Joanna Rutkowska) US-06-Rutkowska.pdf SubVirt: Implementing malware with virtual machines (U. of Michigan and Microsoft) Empirical Exploitation of Live Virtual Machine Migration (John Oberheide et. al.)

33 References From Virtualization vs. Security to Virtualization Based Security (Steve Orrin, Intel presentation) VMware Security Hardening Guide Wikipedia article on sandboxing What you need to know about Security Your Virtual Network (Daniel Petri)