Neil MacDonald

A member of the Gartner Blog Network

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…Read Full Bio

Coverage Areas:

Hypervisor Attacks and Hurricanes are Inevitable, but Breaches Don’t Have to Be.

by Neil MacDonald  |  February 17, 2009  |  2 Comments

Katrina NOLA levee break FEMA.jpgIn my research on virtualization security, I am frequently asked “Aren’t attacks on the virtualization layer just theoretical?” and “Do you know of any publicly disclosed hypervisor attack that resulted in damage or the loss of information?”.

This is similar to standing on one of the levees around New Orleans prior to 2005 and asking “Isn’t a hurricane hitting New Orleans and breaching the levee system just theoretical?” and “Do you know where a levee breach has occurred that resulted in damage?”.

Even this comparison is simplistic. In the case of attacks on the sensitive hypervisor and virtual machine monitor layer between the OS and the hardware, we are not relying on the whims of nature for an attack. Historical pattern recognition tells us that it is just a matter of time before the intelligent bad guys (and, no, this isn’t an oxymoron with the increase in financially-motivated attacks) write malware specifically to target the virtualization layer. If I’m a bad guy, it’s a heck of a lot more efficient to target the layer of software underneath all of the OSs than to have to target each OS individually. Furthermore, this layer has had and will continue to have critical vulnerabilities. As long as software continues to be written by human beings, there will continue to be vulnerabilities in this layer. A breach in the layer of virtualization between multiple OSs and the hardware underneath is really a worst-case security scenario: all hosted workloads are at risk and any of our security protection mechanisms running the OSs above are oblivious to the breach.

The vulnerabilities are there. For VMware, search Secunia for “ESX”. For Microsoft’s Hyper-V, vulnerabilities that affect Windows Server 2008 may also affect Windows Server 2008 “core” which acts as the parent partition for Hyper-V. For example, this vulnerability last fall: Out-of-Cycle Windows Patch Requires Immediate Action affected the Hyper-V parent partition. Surprised? Who would have reasonably anticipated that these vendors would write code with vulnerabilities? Surely, this time things will be different. Not.

The OS-to-hardware virtualization layer is extremely sensitive. This layer is software – software written by human beings and that will have vulnerabilities. The bad guys are smart, financially motivated and will attack this layer. A breach is just a matter of “when”, not “if”.

So what do you do? Not virtualize?  No way. The benefits are too compelling. However, dismissing or ignoring the risk isn’t the right answer either. At a minimum, treat this layer like you would any critical platform in the data center and make it a part of your standard vulnerability and configuration management processes. But that’s just the beginning. I’ve advised hundreds of clients on a multitude of best practices they can use protect their virtualized computing assets.

The storm clouds are forming. Let’s not wait until a breach occurs before we take the risk seriously.

2 Comments »

Category: Virtualization Security     Tags: , ,

2 responses so far ↓

  • 1 Hypervisor Attacks in the Real World   February 20, 2009 at 4:35 pm

    [...] a previous post, I discussed that many people I talk with about virtualization and security are skeptical that the [...]

  • 2 Securing Hyper-V   March 2, 2009 at 10:19 am

    [...] parent partition running in Server Core in a Hyper-V deployment is not. As I discussed previously here and here, the virtualization layer will be a target for attack, so hardening guidelines (especially [...]