Virtualisation Security – The How To Guide – Part 3
OVERVIEW
This is the third technical article from Orthus summarising the platform-focused industry research into the security of virtualisation platforms. It outlines the second of three categories of vulnerability specific to virtualised platforms, namely virtual machine environment protection bypasses.
CONCERNS OVER ISOLATIONISM…
The detection of virtual machine environments (see previous article) is merely one weapon in the attackers’ armoury, and there exist a number of mechanisms for bypassing the supposed isolation between guest and host operating systems and processes. In the same presentation in which Ed Skoudis and Tom Liston discussed potential remote virtual machine environment detection, a number of utilities were highlighted that can bypass the isolation supposedly inherent in platform virtualisation technologies, particularly VMware. The utilities discussed were operable in VMware Workstation 4 and 5 (and may well be applicable to VMware Workstation 6).
VMware Workstation has an inbuilt communications channel that allows host and guest operating system instances to communicate (commonly referred to as a backdoor). By exploiting this functionality, as well as DLL injection, it was possible to generate a suite of tools designed to circumvent the isolation of partitions and platforms. As highlighted, these tools have not been publicly disclosed as of the time of writing (this may be in no small part due to the fact that much of the research conducted by Ed Skoudis and Tom Liston is formerly sponsored by the United States Department of Homeland Security). However, publicly released tools are available for both attackers and legitimate researchers to utilise. Most notable amongst these is the VM Back suite of tools developed by Ken Kato[i] and other contributors.
The VM Back suite of utilities exploits the Backdoor / IO functionality that forms part of many VMware binary distributions. This backdoor is used by the binary distribution to configure deployments of VMware during application runtime (interestingly, the official VMware Tools utilise this backdoor). At the time of writing there are twenty known commands that can be issued via this backdoor functionality and that impact upon VMware products for both Windows and Linux hosts, namely:
Command Number    Description
01h               Get Processor Speed
02h               Invoke APM function on virtual machine
04h               Get mouse pointer position
05h               Set mouse pointer position
06h               Get text length from clipboard
07h               Get text from clipboard
08h               Set text length to clipboard
09h               Set text to clipboard
0Ah               Get VMware version information
0Bh               Get device information
0Ch               Connect / Disconnect a device
0Dh               Get GUI options setting
0Eh               Set GUI options setting
0Fh               Get Host screen size
11h               Get virtual hardware version
12h               Popup “OS Not Found” dialog
13h               Get BIOS UUID
14h               Get Memory size
17h               Get Host system time
1Eh               Enhanced RPC
TOOLING & EXPLOITATION
By exploiting the functionality of Backdoor/IO operations, Ken Kato (and others) have been able to create a number of utilities that can be used to bypass the supposed isolation between guest and host operating systems running in a virtual machine environment. Indeed, in February 2008 the security research group Core Labs utilised one such application, VMFTP, to help exploit a vulnerability within VMware shared folders functionality (which was enabled by default) that allowed users of a guest OS to obtain read and write access to the host OS.
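From the defender's side, the guest-to-host channels described above (clipboard, device connect/disconnect, GUI options, shared folders) can be restricted per virtual machine in its .vmx file. The following is an added example, not part of the original article or of any Orthus or VMware tooling: a small audit of a .vmx file for those restrictions. The setting names follow VMware's published hardening guidance rather than this article, and their pairing with command numbers, the sample file and the function names are assumptions of the example.

```python
import re

# Setting names follow VMware's published hardening guidance (not this article);
# pairing them with backdoor command numbers is this example's assumption.
HARDENED = [
    ("isolation.tools.copy.disable", "TRUE", "06h-09h clipboard get/set"),
    ("isolation.tools.paste.disable", "TRUE", "06h-09h clipboard get/set"),
    ("isolation.device.connectable.disable", "TRUE", "0Ch connect/disconnect device"),
    ("isolation.tools.setGUIOptions.enable", "FALSE", "0Eh set GUI options"),
    ("isolation.tools.hgfs.disable", "TRUE", "shared folders (HGFS)"),
]
LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return {lowercased key: value}; the last occurrence of a key wins."""
    settings = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue  # comment line
        m = LINE.match(raw)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings

def audit(text):
    """Return (key, status, channel) per hardening key: ok, weak or missing."""
    settings = parse_vmx(text)
    findings = []
    for key, wanted, channel in HARDENED:
        value = settings.get(key.lower())
        # missing: never set explicitly; weak: set, but not to the hardened value
        status = ("missing" if value is None
                  else "ok" if value.upper() == wanted else "weak")
        findings.append((key, status, channel))
    return findings

# Constructed sample .vmx content, not taken from a real deployment.
SAMPLE_VMX = """\
displayName = "build-agent-01"
# clipboard partially locked down
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "false"
Isolation.Tools.HGFS.Disable = "TRUE"
isolation.tools.setGUIOptions.enable = "FALSE"
"""

if __name__ == "__main__":
    for key, status, channel in audit(SAMPLE_VMX):
        print(f"{status:8} {key}  ({channel})")
```

A key reported as missing relies on the product default, which differs between VMware products and versions, so it is worth setting explicitly.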
NEXT TIME…
In our next article we will discuss the final category of virtualised platform specific vulnerability, namely that of virtual machine environment destruction.
Sean Bennett is Commercial Director at Orthus, a leading professional services firm focused on helping organisations globally to secure their technical environments and manage risk. For advice or support in securing your virtualization deployment or virtualized environment contact Orthus (EMEA) on +44 (0)203 170 8955 or visit www.orthus.com
Article Source: http://www.articlesbase.com/security-articles/virtualisation-security-the-how-to-guide-part-3-1117239.html