Neil MacDonald

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Hypervisor Attacks in the Real World

by Neil MacDonald  |  February 20, 2009  |  2 Comments

In a previous post, I discussed that many people I talk with about virtualization and security are skeptical that the threat against hypervisors and virtual machine monitors is real. They point to the lack of a publicly disclosed breach that was caused by an attack on the virtualization layer as evidence that such attacks are theoretical – interesting at Black Hat, but inconsequential in the real world.

For the skeptics out there, there has been an incident involving a hypervisor breach that was not widely publicized.

Most people don’t know that the Microsoft Xbox 360 contains an embedded hypervisor (no, it’s not Hyper-V!). The hypervisor is used as a layer of abstraction to isolate the gaming environment from the hardware underneath. Since every Xbox console is sold at a loss to Microsoft, you can imagine how the protection of the privileged system software and hardware from tampering is absolutely critical. Microsoft doesn’t want people hacking in and using the Xbox 360 as a subsidized PC and they also don’t want people hacking into the Xbox and tampering with the licensing system to steal games.

In 2007, there was a documented buffer overflow vulnerability in Microsoft’s Xbox hypervisor which could be exploited to gain access to hypervisor mode and thus to the entire system. This was a worst-case scenario for Microsoft, and it wasted no time in getting a patch released (6 days). Unlike Windows machines, patches are not optional for Xbox users. Reportedly, the patch was applied the next time a user connected to Xbox Live or installed a new game. Proofs of concept that exploited the hypervisor vulnerability quickly appeared, along with online documentation of how people have used the Xbox “hypervisor exploit” to crack their systems.

Microsoft has its business model to protect. You have critical workloads and information to protect. As I said in the previous post, the virtualization layer between the OS and the hardware is extremely sensitive. This layer is software — software written by human beings, and it will have vulnerabilities. The bad guys are smart, financially motivated and will attack this layer. In future posts, I’ll share more thoughts on how protection of this sensitive layer must evolve.

You tell me – is this the evidence of a real-world, publicly disclosed hypervisor vulnerability and subsequent breaches with a business impact that you are looking for?

Category: Virtualization Security

2 responses so far

  • 1 Securing Hyper-V   March 2, 2009 at 10:23 am

    [...] partition running in Server Core in a Hyper-V deployment is not. As I discussed previously here and here, the virtualization layer will be a target for attack, so hardening guidelines (especially on a [...]

  • 2 Another Hypervisor Hack   March 14, 2010 at 4:40 pm

    [...] Stuck at the airport after two consecutive JetBlue flight cancellations (and hoping the third isn’t cancelled as well), I ran across this recent article on a publicly documented and confirmed hypervisor attack – this time on the hypervisor used in the Sony PS3 (in this case using a hardware-based timing attack). A different exploit (not based on hardware timing) was publicized last year on Microsoft’s Xbox. [...]