In my research on virtualization security, I am frequently asked “Aren’t attacks on the virtualization layer just theoretical?” and “Do you know of any publicly disclosed hypervisor attack that resulted in damage or the loss of information?”.
This is similar to standing on one of the levees around New Orleans prior to 2005 and asking “Isn’t a hurricane hitting New Orleans and breaching the levee system just theoretical?” and “Do you know where a levee breach has occurred that resulted in damage?”.
Even this comparison is simplistic. In the case of attacks on the sensitive hypervisor and virtual machine monitor layer between the OS and the hardware, we are not relying on the whims of nature for an attack. Historical pattern recognition tells us that it is just a matter of time before the intelligent bad guys (and, no, this isn’t an oxymoron with the increase in financially-motivated attacks) write malware specifically to target the virtualization layer. If I’m a bad guy, it’s a heck of a lot more efficient to target the layer of software underneath all of the OSs than to have to target each OS individually. Furthermore, this layer has had and will continue to have critical vulnerabilities. As long as software continues to be written by human beings, there will continue to be vulnerabilities in this layer. A breach in the layer of virtualization between multiple OSs and the hardware underneath is really a worst-case security scenario: all hosted workloads are at risk, and any of our security protection mechanisms running in the OSs above are oblivious to the breach.
The vulnerabilities are there. For VMware, search Secunia for “ESX”. For Microsoft’s Hyper-V, vulnerabilities that affect Windows Server 2008 may also affect the Windows Server 2008 “core” installation, which acts as the parent partition for Hyper-V. For example, this vulnerability last fall, Out-of-Cycle Windows Patch Requires Immediate Action, affected the Hyper-V parent partition. Surprised? Who would have reasonably anticipated that these vendors would write code with vulnerabilities? Surely, this time things will be different. Not.
The OS-to-hardware virtualization layer is extremely sensitive. This layer is software: software written by human beings, and it will have vulnerabilities. The bad guys are smart, financially motivated and will attack this layer. A breach is just a matter of “when”, not “if”.
So what do you do? Not virtualize? No way. The benefits are too compelling. However, dismissing or ignoring the risk isn’t the right answer either. At a minimum, treat this layer like you would any critical platform in the data center and make it a part of your standard vulnerability and configuration management processes. But that’s just the beginning. I’ve advised hundreds of clients on a multitude of best practices they can use to protect their virtualized computing assets.
The storm clouds are forming. Let’s not wait until a breach occurs before we take the risk seriously.