Gartner Blog Network

Hypervisor Attacks in the Real World

by Neil MacDonald  |  February 20, 2009  |  2 Comments

In a previous post, I discussed that many people I talk with about virtualization and security are skeptical that the threat against hypervisors and virtual machine monitors is real. They point to the lack of a publicly disclosed breach that was caused by an attack on the virtualization layer as evidence that such attacks are theoretical – interesting at Black Hat, but inconsequential in the real world.

For the skeptics out there, there has been an incident involving a hypervisor breach that was not widely publicized.

Most people don’t know that the Microsoft Xbox 360 contains an embedded hypervisor (no, it’s not Hyper-V!). The hypervisor is used as a layer of abstraction to isolate the gaming environment from the hardware underneath. Since every Xbox console is sold at a loss to Microsoft, you can imagine how the protection of the privileged system software and hardware from tampering is absolutely critical. Microsoft doesn’t want people hacking in and using the Xbox 360 as a subsidized PC and they also don’t want people hacking into the Xbox and tampering with the licensing system to steal games.

In 2007, there was a documented buffer overflow vulnerability in Microsoft’s Xbox hypervisor which could be exploited to gain access to hypervisor mode and thus to the entire system. This was a worst-case scenario for Microsoft, and it wasted no time (6 days) in getting a patch released. Unlike Windows machines, patches are not optional for Xbox users. Reportedly, the patch was applied the next time a user connected to Xbox Live or installed a new game. Proofs of concept quickly appeared that exploited the hypervisor vulnerability, as well as online documentation on how people have used the Xbox “hypervisor exploit” to crack their systems.

Microsoft has its business model to protect. You have critical workloads and information to protect. As I said in the previous post, the virtualization layer between the OS and the hardware is extremely sensitive. This layer is software — software written by human beings and that will have vulnerabilities. The bad guys are smart, financially motivated and will attack this layer. In future posts, I’ll share more thoughts on how protection of this sensitive layer must evolve.

You tell me – is this the evidence of a real-world, publicly disclosed hypervisor vulnerability and subsequent breaches with a business impact that you are looking for?


Category: virtualization-security  

Tags: hypervisor-security  microsoft  

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Thoughts on Hypervisor Attacks in the Real World

  1. […] partition running in Server Core in a Hyper-V deployment is not. As I discussed previously here and here, the virtualization layer will be a target for attack, so hardening guidelines (especially on a […]

  2. […] Stuck at the airport after two consecutive JetBlue flight cancellations (and hoping the third isn’t cancelled as well), I ran across this recent article on a publicly documented and confirmed hypervisor attack – this time on the hypervisor used in the Sony PS3 (in this case using a hardware-based timing attack). A different exploit (not based on hardware timing) was publicized last year on Microsoft’s Xbox. […]
