Hypervisors gone bad. Malware spreading from one virtual machine to another. Virtualization-based rootkits evading detection. Such threats look scary on a PowerPoint slide, but are they worth losing sleep over tonight?
Probably not, experts say. Virtualization is still in its early stages of deployment, so most security threats to virtualized environments are either too futuristic or theoretical for most enterprises to digest. Few virtualization vulnerabilities have been disclosed publicly.
But that doesn't mean you won't lose some sleep down the road, security experts say. (See VMs Create Potential Risks.)
"This [virtualization] is a major tectonic shift in how we provision, deploy, manage, and secure resources," says Christofer Hoff, chief architect for security innovation at Unisys. "There is an assumed risk with virtualization."
The relative dearth of virtual machine bugs has more to do with researchers only just starting to zero in on this technology, Hoff says, and the fact that most deployments have mostly been internal, rather than externally-facing. "But once you see them show up in production, and become external-facing... There will be exploits."
There are some real threats today as well, such as a "rogue" VM images accidentally -- or maliciously -- landing on a production machine, an "exploit" that Hoff has witnessed firsthand.
Virtualization is expected to take off within the next few years. According to Gartner, 70 percent of large organizations plan to use virtualization by 2010 to collapse some or all of their DMZs.
This is only the beginning, experts say. Microsoft last month patched a so-called "elevation of privilege" bug in its Virtual Server and Virtual PC software. This would let an attacker run code on the host operating system if he were to get malicious code running on the guest OS.
Microsoft says it's trying to catch potential threats before it puts out new virtualization-based software. "The threat is very real and something we are taking very seriously," says Brandon Baker, security development engineer for Microsoft. "For Windows Server virtualization within Windows Server 2008, weve invested in developing extensive threat models to think about ways attacks could manifest themselves, and [we] are validating our code against these hypothetical attacks."
"We want to find and fix as many of these bugs as possible before they ever ship or can be exploited in public. We have to be ahead of the curve on virtualization security," Baker says.
Virtualization bugs are typically complex and tough to find, Baker observes, and the industry needs better tools to assist researchers. "As an industry, [we need to] do more to develop new tools and adapt existing ones to find these sorts of bugs early, because ultimately, they will become more interesting to people looking to exploit systems."
And vulnerabilities aren't the only things that can make a virtual environment prone to attack: Some virtualization product features themselves can be exploited to launch an attack. A vulnerability in VMWare's scripting-automation API, for instance, lets a malicious script on the host run programs and compromise guest OSes, according to security consultant and researcher Mark Burnett.
Still, a lot comes down to how you configure a VM. "There are insecure ways to configure everything," says Thomas Ptacek, principal with Matasano Security. You have to be careful how you migrate to VMs, where you store them, and that you segment them as needed: "High sensitivity apps with customer information and credit card data should not be on the same iron as a VM to test a new application."
Microsoft's Baker says any feature or vulnerability that could compromise guest-to-guest isolation in Windows Server virtualization "gets fixed or cut."
"The last thing I ever want to hear as a security engineer is 'it's a feature, not a vulnerability,' " Baker says. "Any remaining channels we expose from the host into guests, such as VMBus in Windows Server virtualization, are treated as potentially hostile and undergo rigorous analysis and testing."
So far, there have been no reports of major exploits or attacks on hypervisors yet, says Allwyn Sequeira, senior vice president of product operations for Blue Lane Technologies. "I don't know a single case where a customer has talked to [us] about being attacked," he says. "More recently, they are asking us whether we protect the hypervisor."
For now, it's the calm before the storm, experts say. "Five years from now, every machine will be virtualized," argues Matasano's Ptacek. "It's that important, and we need to take this more seriously."
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.