In a previous post, I noted that many of the people I talk with about virtualization and security are skeptical that the threat to hypervisors and virtual machine monitors is real. They point to the lack of any publicly disclosed breach caused by an attack on the virtualization layer as evidence that such attacks are theoretical – interesting at Black Hat, but inconsequential in the real world.
For the skeptics out there, there has been an incident involving a hypervisor breach that was not widely publicized.
Most people don’t know that the Microsoft Xbox 360 contains an embedded hypervisor (no, it’s not Hyper-V!). The hypervisor is an abstraction layer that isolates the gaming environment from the hardware underneath. Since every Xbox console is sold at a loss to Microsoft, you can imagine how critical it is to protect the privileged system software and hardware from tampering. Microsoft doesn’t want people hacking in and using the Xbox 360 as a subsidized PC, and it also doesn’t want people hacking into the Xbox and tampering with the licensing system to steal games.
In 2007, a buffer overflow vulnerability was documented in Microsoft’s Xbox hypervisor which could be exploited to gain access to hypervisor mode and thus to the entire system. This was a worst-case scenario for Microsoft, and it wasted no time (6 days) in getting a patch released. Unlike on Windows machines, patches are not optional for Xbox users. Reportedly, the patch was applied the next time a user connected to Xbox Live or installed a new game. Proofs of concept exploiting the hypervisor vulnerability quickly appeared, along with online documentation of how people have used the Xbox “hypervisor exploit” to crack their systems.
Microsoft has its business model to protect. You have critical workloads and information to protect. As I said in the previous post, the virtualization layer between the OS and the hardware is extremely sensitive. This layer is software — software written by human beings, and it will have vulnerabilities. The bad guys are smart, financially motivated, and will attack this layer. In future posts, I’ll share more thoughts on how protection of this sensitive layer must evolve.
You tell me – is this the evidence you are looking for of a real-world, publicly disclosed hypervisor vulnerability and subsequent breaches with a business impact?