
Hypervisor Attacks and Hurricanes are Inevitable, but Breaches Don’t Have to Be.

by Neil MacDonald  |  February 17, 2009  |  2 Comments

In my research on virtualization security, I am frequently asked “Aren’t attacks on the virtualization layer just theoretical?” and “Do you know of any publicly disclosed hypervisor attack that resulted in damage or the loss of information?”.

This is similar to standing on one of the levees around New Orleans prior to 2005 and asking “Isn’t a hurricane hitting New Orleans and breaching the levee system just theoretical?” and “Do you know where a levee breach has occurred that resulted in damage?”.

Even this comparison is simplistic. In the case of attacks on the sensitive hypervisor and virtual machine monitor layer between the OS and the hardware, we are not relying on the whims of nature for an attack. Historical pattern recognition tells us that it is just a matter of time before the intelligent bad guys (and, no, this isn’t an oxymoron with the increase in financially-motivated attacks) write malware specifically to target the virtualization layer. If I’m a bad guy, it’s a heck of a lot more efficient to target the layer of software underneath all of the OSs than to have to target each OS individually. Furthermore, this layer has had and will continue to have critical vulnerabilities. As long as software continues to be written by human beings, there will continue to be vulnerabilities in this layer. A breach in the layer of virtualization between multiple OSs and the hardware underneath is really a worst-case security scenario: all hosted workloads are at risk, and any of our security protection mechanisms running in the OSs above are oblivious to the breach.

The vulnerabilities are there. For VMware, search Secunia for “ESX”. For Microsoft’s Hyper-V, vulnerabilities that affect Windows Server 2008 may also affect Windows Server 2008 “core” which acts as the parent partition for Hyper-V. For example, this vulnerability last fall: Out-of-Cycle Windows Patch Requires Immediate Action affected the Hyper-V parent partition. Surprised? Who would have reasonably anticipated that these vendors would write code with vulnerabilities? Surely, this time things will be different. Not.

The OS-to-hardware virtualization layer is extremely sensitive. This layer is software – software written by human beings and that will have vulnerabilities. The bad guys are smart, financially motivated and will attack this layer. A breach is just a matter of “when”, not “if”.

So what do you do? Not virtualize? No way. The benefits are too compelling. However, dismissing or ignoring the risk isn’t the right answer either. At a minimum, treat this layer like you would any critical platform in the data center and make it a part of your standard vulnerability and configuration management processes. But that’s just the beginning. I’ve advised hundreds of clients on a multitude of best practices they can use to protect their virtualized computing assets.
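One concrete way to act on “treat this layer like any critical platform” is to make hypervisor hosts, including the Hyper-V parent partition the post mentions, subject to the same automated checks as every other server: is the host in the vulnerability scanner’s scope, is its build at or above the approved baseline, is its patch cycle current, and has the hardening baseline been applied. The script below is an added example written for this post, not Gartner’s or any vendor’s code; the host names, build numbers, baseline values and patch dates are all constructed, and the `MAX_PATCH_AGE_DAYS` threshold is an assumed policy value, not a recommendation from the post.

```python
# Added example (not from the original post): fold hypervisor-layer hosts into
# the same vulnerability/configuration-management audit as any critical server.
# All hosts, builds, baselines and dates below are constructed for illustration.
from dataclasses import dataclass
from datetime import date


@dataclass
class Host:
    name: str
    platform: str            # "esx", "hyperv-parent", "windows", "linux", ...
    build: tuple             # version/build as a comparable tuple
    last_patched: date       # date the last patch cycle completed
    in_vuln_scan_scope: bool  # host is enrolled in the vulnerability scanner
    baseline_applied: bool   # hardening baseline confirmed by config management


# Constructed minimum approved builds per hypervisor-layer platform.
# The Hyper-V parent partition is tracked as a distinct platform because a
# Windows Server 2008 (core) vulnerability there is a hypervisor-layer exposure.
MIN_BUILD = {
    "esx": (3, 5, 0, 200),
    "hyperv-parent": (6, 0, 6001, 100),
}

# Assumed policy: a hypervisor host must have completed a patch cycle within 30 days.
MAX_PATCH_AGE_DAYS = 30


def check_host(host, today):
    """Return the list of findings for one hypervisor-layer host (empty if compliant).

    Hosts whose platform is not in MIN_BUILD are not hypervisor-layer hosts and
    are covered by the ordinary server process, so they yield no findings here.
    """
    findings = []
    if host.platform not in MIN_BUILD:
        return findings
    if host.build < MIN_BUILD[host.platform]:
        findings.append("build below baseline")
    if (today - host.last_patched).days > MAX_PATCH_AGE_DAYS:
        findings.append("patch cycle overdue")
    if not host.in_vuln_scan_scope:
        findings.append("not in vulnerability scan scope")
    if not host.baseline_applied:
        findings.append("hardening baseline not applied")
    return findings


def audit(hosts, today):
    """Map each non-compliant hypervisor-layer host name to its findings."""
    report = {}
    for host in hosts:
        findings = check_host(host, today)
        if findings:
            report[host.name] = findings
    return report


# Constructed inventory: two ESX hosts, one Hyper-V parent partition, one web server.
SAMPLE_HOSTS = [
    Host("esx-01", "esx", (3, 5, 0, 250), date(2009, 2, 1), True, True),
    Host("esx-02", "esx", (3, 5, 0, 150), date(2008, 11, 20), False, True),
    Host("hv-01", "hyperv-parent", (6, 0, 6001, 100), date(2009, 1, 30), True, False),
    Host("web-01", "windows", (6, 0, 6001, 100), date(2008, 6, 1), True, True),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_HOSTS, date(2009, 2, 17)).items():
        print(f"{name}: {', '.join(findings)}")
```

Run against the constructed inventory, `esx-02` is reported on three counts (old build, overdue patching, and absent from the scanner’s scope) and `hv-01` on one (hardening baseline not applied); `esx-01` passes and `web-01` is left to the normal server process. The point of the design is that the hypervisor platforms appear in the same baseline table and the same audit loop as everything else, rather than in a separate, easily forgotten procedure.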

The storm clouds are forming. Let’s not wait until a breach occurs before we take the risk seriously.

Category: virtualization-security  

Tags: hyper-v  hypervisor-security  vmware  

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Thoughts on Hypervisor Attacks and Hurricanes are Inevitable, but Breaches Don’t Have to Be.

  1. […] a previous post, I discussed that many people I talk with about virtualization and security are skeptical that the […]

  2. […] parent partition running in Server Core in a Hyper-V deployment is not. As I discussed previously here and here, the virtualization layer will be a target for attack, so hardening guidelines (especially […]

