Virtualization Showdown at Black Hat
Can malicious attacker, working remotely, can take control of the open-source Xen virtualization software?
Next week at the Black Hat conference in Las Vegas, security researcher Joanna Rutkowska promises to demonstrate how a malicious attacker, working remotely, could take control of the open-source Xen virtualization software.
If successful, Rutkowska and her team will be the first researchers to demonstrate how to compromise a Xen hypervisor, that crucial layer of virtualization software underneath all the virtualized environments running on a machine, one that provides direct connections to the processor, memory and hardware devices.
"Many people [have] argued that having a legitimate hypervisor installed prevents installation of virtualization-based malware. We will show that this is not the case," she said in an e-mail interview.
For the conference, Rutkowska will oversee three presentations, which will be given by herself, Rafal Wojtczuk and Alex Tereshkin. In addition to showing how to install the rootkit, they also plan to show how someone could bypass the security monitoring mechanisms that would normally detect such an attack. Finally, and perhaps most importantly, they will show how users could prevent such attacks.
Citrix system chief security strategist Kurt Roemer expects Rutkowska's disclosure will generate more publicity than prove to be a serious threat to operating instances of the software. He likens it to "sensationalist attacks," that frequently are weighed against virtualization software. Citrix offers a commercially-supported version of Xen.
Roemer has not seen Rutkowska's presentation, but he does point out that the attack will probably rely upon the attacker having root access to the server running Xen. "That's not a normal model," he noted.
Rutkowska confirmed that root access is needed. Much like root access is needed to install a root kit on a server, so too will administrative access be needed to breech Xen. Rutkowska argued, however, that her work is still important.
"Years ago other vendors tried to downplay the importance of ... [Microsoft] Windows kernel rootkits, saying that one needed to already be an administrator in order to install one. As we know, over the last couple of years, kernel rootkits became a very serious security problem," she commented.
The attack requires taking control of the Xen master domain, called Domain 0.
Within Xen, each virtualized environment is given its own space in memory, called a domain. In addition to these user domains (called Dom-U's), there is also a domain, called Domain 0, which is a privileged domain used for controlling the whole Xen system. "It is automatically created when the system boots, and does a lot of the management of the system. It builds all of the other user domains, and manages all of their virtual devices," Roemer said.
"The subverting techniques we will be presenting at Black Hat indeed assume that the attacker first obtained access to Domain 0," Rutkowska said. She brushed off that this would be a serious challenge though. "Domain 0, being an administrative domain, requires certain services to be run inside it. One such service is an [Secure Shell] daemon. This makes the attack surface on Domain 0 quite large."
Increasingly over the past few years, security researchers and malicious have sought ways for users to break into the Domain 0 from a virtualized environment.
In December McAfee researcher found (PDF here) that a file system utility, called e2fsprogs, that could allow a guest user to in such a way that a malicious command could be passed from the guest machine to the host machine.
"Over the last year it has been shown that Domain 0 is far from being bulletproof. With our presentations we take the game to the new level by studying how to compromise the hypervisor and what we can do to prevent it," she said.The researchers promise to show how a user can bootstrap up from Domain 0 into the hypervisor itself.
Roemer downplayed the impact of Xen’s security vulnerabilities, noting that those found so far have been only in versions of the software under development. They were found, and fixed, in the developmental open-source versions of the software, Roemer said. "Published Xen is configured in a secure way," he said.
Moreover, recent versions of Xen have guards in place to protect the hypervisor even from actions within Domain 0, involving the use of input/output memory management unit (IOMMU) found on newer peripheral devices such as network cards.
These initiatives do not seem to intimidate the researchers though.
"We will show how to bypass those protections and subvert Xen hypervisor memory," Rutkowska promised.
This is not Rutkowska's first brush with controversy within the emerging practice of virtualization security. At the 2006 Black Hat conference, she introduced what she called a virtualization rootkit, one dubbed Blue Pill. According to Rutkowska, Blue Pill could encapsulate an entire operating environment within a virtualized container, while offering the user no clue that the environment is actually under control by another party.
"We're going to see how it is presented. She's done some really cool stuff in the past, but in this case I don't see this applying to all of Xen," Roemer said.