Thursday, March 18, 2010

Attacking the Virtual Machines

There was an interesting advisory posted by Core Security Technologies this week about a vulnerability in Microsoft Virtual PC. In actual fact no vulnerability had been discovered; instead, weaknesses in Virtual PC had been identified which made exploitation of new vulnerabilities more likely. The problem was that the virtual machine memory management allowed the OS security mechanisms Data Execution Prevention (DEP), Safe Structured Exception Handling (SafeSEH) and Address Space Layout Randomization (ASLR) to be bypassed. These mechanisms mitigate the effects of buffer overflows and other memory corruption attacks. So, although the issue presents no current risk to a system, future vulnerabilities are more likely to be exploitable in a Virtual PC environment than on stand-alone systems.

This got me thinking about the risks presented by virtualisation and in particular side channel attacks. My first attempt at investigation in this area was after a seminar at Infosec 2009 where someone suggested an attack could be made against the graphics subsystem of a virtual host. Side channel attacks against virtualisation seemed to be a very new area at the time and I didn’t make much progress. I’ve subsequently come across a recent paper from the University of California, San Diego, which looked at attacking cloud architecture including Amazon’s EC2 and Microsoft Azure.

To summarize, the paper explains how it is possible to identify the physical host of a target VM in a cloud infrastructure and then place a virtual machine on the same system. It then goes on to discuss possible side channel attacks using vectors such as the shared processor data cache. Perhaps the result that came closest to presenting a risk was the possibility of identifying keystrokes on the target VM. Several denial of service attacks were also proposed.

Assuming the paper is representative of current knowledge on side channel attacks against virtual machines, there is nothing really to worry about at the moment. The amount of effort required by a criminal hacker to gain useful information by this method is disproportionate to the expected return. It is an area of interest more or less exclusively to researchers. However, this is likely to change, possibly quite quickly, as more and more information is located in the cloud.
