2. Why should I care?
Server virtualization is now a given in the majority of
enterprise datacenters – source IDC
The virtual server and virtual server management
software market is forecast to reach a market opportunity
of approximately $4.1 billion by 2014. This represents a
CAGR of 13.1%. – source IDC
Over 40% of production virtual machines will be less
secure than their physical counterparts through 2014 –
source Gartner
3. Virtualization powers the cloud
Private Cloud Public Cloud
• Mimics public cloud • Available to anyone
• Benefits enterprise with a network
users connection
• Highly virtualized • Pay-as-you-go
• Strings together IT • Multi-tenant and
infrastructure into virtualized
resources pools • Self-service portals
5. Some Common VM Security Myths
“I only have to patch my host OS / Kernel”
“If I protect my Host machine, it will protect my
VMs.”
“Virtual Hard Disk files are secure by default.”
“If you expose the virtual machine, you have to
expose all virtual machines and the host.”
“All virtual machines can see each other.”
“I don’t need Anti-Virus with Virtualization”
7. Virtualization Architecture- Hypervisor
Primary Partition Child Partitions
Virtualization Stack
WMI Provider
Applications
VM VM Worker
Service Processes
Ring 3
MinWin Virtualization Virtualization
Service Service
Providers Clients
Windows (VSPs) (VSCs) Guest OS
Kernel IHV Kernel
Drivers VMBus VMBus Enlightenments
Ring 0
Windows hypervisor Ring “-1”
Server Hardware
8. Hypervisor Security Assumptions
Guests are untrusted
Trust relationships
Parent must be trusted by hypervisor
Parent must be trusted by children
Hypercall interface will be well documented and widely
available to attackers
All hypercalls can be attempted by guests
Can detect you are running on a hypervisor + version
The internal design of the hypervisor will be well understood
9. Hypervisor Security Goals
Strong isolation between partitions
Protect confidentiality and integrity of guest data
Separation
Unique hypervisor resource pools per guest
Separate worker processes per guest
Guest-to-parent communications over unique channels
Non-interference
Guests cannot affect the contents of other guests, parent, hypervisor
Guest computations protected from other guests
Guest-to-guest communications not allowed through VM interfaces
10. Hyper-V Isolation
No sharing of virtualized devices
Separate VMBus per VM to the parent
No sharing of memory
Each has its own address space
VMs cannot communicate with each other, except through
traditional networking
Guests can’t perform DMA attacks because they’re never
mapped to physical devices
Guests cannot write to the hypervisor
Parent partition cannot write to the hypervisor
11. Hyper-V Security Hardening
Hypervisor has separate address space
Guest addresses != Hypervisor addresses
No 3rd party code in the Hypervisor
Limited number of channels from guests to
hypervisor
No “IOCTL”-like things
Guest to guest communication through hypervisor is
prohibited
No shared memory mapped between guests
Guests never touch real hardware I/O
12. Hyper-V Security Model
Uses Authorization Manager
(AzMan)
Fine grained authorization and access
control
Department and role based
Segregate who can manage groups of
VMs
Define specific functions for
individuals or roles
Start, stop, create, add
hardware, change drive image
VM administrators don’t have to be
Server 2008 administrators
Guest resources are controlled by
per VM configuration files
Shared resources are protected
Read-only (CD ISO file)
Copy on write (differencing disks)
13. Virtualization Attack Vectors
Host Hardware
Virtual Machine Host OS
Virtual Machine Hard Disk Files
Virtual Machine Configuration Files
Remote Management/Control interfaces
Guest Operating System
Virtual Networks
14. Common Attacks: Host
Host Compromise for
Deployment, Duplication and Deletion
Control of Virtual Machines
Direct Code / File injection to Virtualization File
Structure
Virtual Hard Disks
Virtual Configuration Files
Time Sync
Hardware
Rootkits / Malware
Drivers (Attack Surface / Stability)
16. Use Remote Management
All Virtualization Solutions include some form of remote
control.
Access to these tools should be limited.
Limit scope of access / control
Protect the remote control mechanisms!
Use limited use accounts for control
Make sure the connections are encrypted / authenticated (SSL, RDP
over SSL)
Use logging
VM
VM VM
VM
VM VMVM VM
VM VM VMVM VM
VM VM
VM VM
V VMVM VM
VM VM VM
M
17. File Types and Locations
.vhd disk file
– In folder you specify
in settings
.vhdd disk file
– In folder you specify
in settings
.vud disk file
– In vmc-file folder
.vsv disk file
– In vmc-file folder
18. Common Attacks: Guest
Unpatched Virtual Machines
Older Operating Systems
Test or Development machines (these often are not
managed in the same way as production machines)
Un-managed or user deployed virtual machines
Backups and archives
19. Guest Attacks
The Virtualization File Structure
Virtual Hard Disks
File / Code Injection
Can be Directly Mounted / accessed
Virtual Configuration Files
Base Configuration changes
Redirection / addition of Virtual drives / Resoures
BIOS
<hardware>
<memory>
<ram_size type="integer">256</ram_size>
</memory>
...
<pci_bus>
<ethernet_adapter>
<controller_count type="integer">2</controller_count>
</ethernet_adapter>
</pci_bus>
</hardware>
21. Threat Landscape: Virtualized Attackers?
Is this is one of the next big attack vectors on the horizon?
The VM industry is focused on securing the VMs from attack.
Very little thought of VMs being used as the attacker.
Cases are starting to appear where people use VMs to
attack, then shutdown the VM to remove any trace of
evidence.
22. Threat Landscape: Virtualized Attackers?
But we do write all events to the SysLog
Things that go into drive slack are recoverable using
forensics tools
We still have network traces…
…and audit logs
…and firewall and router logs
…not to mention video cameras in the server room.
24. Host Attacks: Potential Solutions
Harden the Host Servers
Where a Hypervisor or Specialist Kernel is used, the Host attack surface is
smaller, however updating and patching is still required.
Use single role servers and remove unwanted and un-necessary services /
attack vectors
Use a local firewall and only allow limited host control / management ports
over encrypted and authenticated channels.
Use limited scope admin accounts with strong passwords
Protect the Virtual Machine files
Access Control Lists (limited to the security context for the users who manage
them and the services that control them.
Encryption
Disk / Volume / Folder / File
Auditing
file access, creation, deletion …
Don’t forget the backup files / archives
25. Guest Attacks: Potential Solutions
Harden the Guest Operating Systems
Treat the guest OS as if it was a physical machine
Isolate the machine with Virtual Networks / VLANs
Local Only Access
NAT
Segmented networks
IPSec Isolation
Physical Isolation (Separate NICs)
26. Use Access Control Lists
Deny Read-only Read/Write
• Cannot modify VMC file • See the VM in web • See the VM in web
• Will not appear in web console and VRMC console and VMRC
console or VMRC • Can interact with VM • Can interact with the VM
• Cannot start, stop, pause • Can
or resume VMs start, stop, pause, resume
VMs
27. Deployment Considerations
Minimize risk to the Parent Partition
Use Server Core
Don’t run arbitrary apps, no web surfing
Run your apps and services in guests
Moving VMs from Virtual Server to Hyper-V
FIRST: Uninstall the VM Additions
Two physical network adapters at minimum
One for management (use a VLAN too)
One (or more) for vm networking
Dedicated iSCSI
Connect to back-end management network
Only expose guests to internet traffic
28. Anti-Virus & BitLocker…
Parent partition
Run AV software and exclude .vhd
Child partitions
Run AV software within each VM
BitLocker
Great for branch office
Can be used within a VM
http://blogs.technet.com/virtualworld/archive/2008/02/16/using-
bitlocker-under-virtual-pc-virtual-server.aspx
29. Conclusions
Reduce the attack surface on the Host
Use least privilege access
Audit the deployment, maintenance, control and access to
virtual machines
Leverage backups, snapshots and redundancy to reduce
impact of Host / Guest maintenance
Secure your Virtual Machine Hard Disk and configuration
files, including backups and archives
Use Virtual Networks / VLANs / IPSec to Isolate
machines, especially before they are exposed to the network.
30. Resources
Step-by-Step Guide to Getting Started with Hyper-V
http://technet2.microsoft.com/windowsserver2008/en/library/c513e254-
adf1-400e-8fcb-c1aec8a029311033.mspx?mfr=true
Virtualization Team Blog
http://blogs.technet.com/virtualization
Microsoft Virtualization Website
http://www.microsoft.com/virtualization
Using BitLocker under Virtual PC / Virtual Server
http://blogs.technet.com/virtualworld/archive/2008/02/16/using-bitlocker-
under-virtual-pc-virtual-server.aspx
The growth we’ve seen in virtualization over the last 5-10 years is quite amazing. Despite the economic crisis of 2008 and the down-turn in the economy, as well as IT spending, we’re still seeing growth. POINT #1In fact, virtualization has matured enough that we’re now seeing a shift to virtual clients, as well as heavy growth in virtualization management tools. Not counting client virtualization…POINT #2The key take away from this slide is that virtualization is still growing. Moreover, we see a lot of insecurity due to the introduction of new technologies and its added complexity. POINT #3We can expect to see this number decline as virtual server and configuration management tools mature.
Why do other people care? Virtualization powers the cloud. The speed at which cloud services, whether public or private, are adopted, depends, in large part, on the security, privacy and reliability of said services. Virtualization security plays a significant part in this equation. Although the focus of this presentation isn’t on cloud architecture, it’s important to mention that both the public and private iterations rely heavily on virtualization. The private cloud virtualizing resources for applications in the enterpriseThe public cloud providing multi-tenancy for user and/or company environments
When securely architected, deployed and managed, virtualization is great!It provides for service flexibility, as well as scalability of applications and services, not to mention it requires less rackspace and generally consumes less power.
In the cloud – there is a big difference between Azure (base template which is patched) or Amazon where you are responsible for your VMDon’t assume that in a cloud based scenario that your service provider has you covered by patching. It’s all different.Azure – standard image (check box – auto install base image updates)Amazon world – patch base images – do not patch deployed imagesVM needs to be treated as a stand alone machine. Firewall rules applyNo encryption built in- if someone has your
In computer science, hierarchical protection domains,[1][2] often called protection rings, are a mechanism to protect data and functionality from faults (fault tolerance) and malicious behaviour (computer security). This approach is diametrically opposite to that of capability-based security.Computer operating systems provide different levels of access to resources. A protection ring is one of two or more hierarchical levels or layers of privilege within the architecture of a computer system. This is generally hardware-enforced by some CPUarchitectures that provide different CPU modes at the hardware or microcodelevel. Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero) to least privileged (least trusted, usually with the highest ring number). On most operating systems, Ring 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory.Recent CPUs from Intel and AMD offer x86 virtualization instructions for a hypervisor to control Ring 0 hardware access. Although they are mutually incompatible, both Intel VT-x (codenamed "Vanderpool") and AMD-V (codenamed "Pacifica") create a new "Ring -1" so that a guest operating system can run Ring 0 operations natively without affecting other guests or the host OS.[10]
Imagine you’re living in a house and renting out rooms. You can’t trust your guests or boarders. You can trust in the integrity of your house and your guests need to place an inherent amount of trust in you.Now imagine you have something valuable in your house. Something a thief would want. Given the value of the dollar these days, let’s say that you have hundreds of gold bars inside your house. My like a hypervisor, you can guarantee there is publicly available information about your house. Anyone can knock on your door. Anyone can inspect your windows, doors and locks to ascertain versions. All of these things are can be well understood. The point? When it comes to your hypervisor. Don’t trust anything.
Still biggest attack vectorIf I can deploy my own virtual server, you win.Access should be limited by firewall rulesRBAC should be baked into the tool.