I've been reading into virtualization security and came across Blue Pill, a malicious thin hypervisor (project website is down, archived version here: http://web.archive.org/web/20080418123748/http://www.bluepillproject.org/).
My question is: could a custom malicious hypervisor modify execution flow, inject and execute arbitrary code, look at private information in RAM of the VM or anything else?
I'm not asking whether this would be practical from a malware point of view (to implement these features, it may turn into a large and impractical backdoor). I'm interested in whether the malicious hypervisor would have complete control over every aspect of the virtualized machine.
Would there be any difference for this when it comes to a program like VirtualBox - could the Host OS execute arbitrary code inside the guest at any time it choses?
Any thoughts would be highly appreciated!
Thanks in advance,
r3mo
Yes, the hypervisor is running at a higher privilege level than the guest VM so it could easily modify the execution flow and read arbitrary parts of the VM.
The same is true for VirtualBox. The host OS can alter the guest provided that you have full access/permissions on the host OS.
Related
I'm learning about security and wondering, if I'm using a VM on any host (Windows or GNU/Linux) is it possible for someone (either in the same network or not) to gather information about my host (ip, mac address, location, etc.)
Is it possible using only a certain hypervisor (hyper-v, virtualvox,vmware,etc) or certain host?
I read that using Tails in a Virtual Machine is not that secure, because the host can compromise a guest and vice versa. How come?
Whether or not it is possible clearly depends on virtual machine monitor (VMM) and host OS settings, and security mechanisms available/used.
Ideally, on a host system that strictly adheres to Goldberg-Popek conditions for virtualization, it is possible to write a hypervisor that provides full isolation. However, this fully applies to a simple hypothetical machine used in that paper. It says nothing about multicore systems, networking, or timing issues.
In reality, both software defects and hardware bugs/errata/oddities as last but not least poor configuration lead to situations where at least some information about host can be collected from within a guest.
If both host and guest are placed in the same network segment, one can easily learn some properties of the host by, for example, using nmap network scanner and comparing against known OS signatures.
If there is no network access but some other resources are shared (files on a shared virtual folder), their careful study can reveal a lot. Like, if you see c:\program files shared with a Linux system, it gives a hint about host's OS.
Certain properties of many hypervisors can be seen simply by inspecting system resources. Examples: CPUID instruction can report "KVMKVMKVM" on KVM; disk vendor string can tell you that it is "Virtutech drive" for Wind River Simics; presence of Xen's paravirtual devices is an obvious thing to guess that maybe the host is Xen; etc. Typically, commercial hypervisors do not have a goal to mimic real hardware as closely as possible.
If a VMM is set up to hide such apparent blunders, there still are numerous differences in behavior between real hardware and virtualized one. One of the most famous is Red Pill, but similar detection techniques are many, and at least some of them are documented in academical papers available on the Net.
It is hard to account for all of difference in machine instructions behavior, because of the complexity of underlying host architecture. For example, the architecture manual for very popular Intel 64 and IA-32 systems has more than 4000 pages describing its official behavior. Not all corner cases are apparent/easy to implement/documented/well-defined/well-studied/not affected by errata. And AMD's processors that implement "the same" x86 architecture have their own manual for AMD64; and not always all things are pretty and unambiguously defined in these two books. The same applies to IBM's ARM's MIPS's processors.
Going deeper, there are timing/side channel details of computer operation which are even harder to account for when writing a hypervisor. The signal/noise ratio for analysis of timings is lower (i.e., it is easier to make a mistake and detect a real hardware as VMM, or vice versa), but it is still valid. The security community only recently started widely exploring attacks based on timings (see the Spectre/Meltdown family), and VMMs are not excluded from begin potential targets of such attacks.
I read that using Tails in a Virtual Machine is not that secure, because the host can compromise a guest and vice versa. How come?
Unless something is formally proven, it cannot be relied upon 100%. Software can rarely be proven to be formally correct. In governmental/military applications, a sense of "security" can be assured by passing certain very strict certifications. Only few specialized operating systems are certified to be free of bugs. Tails is not one of them. Besides all the reasons above, there can simply be a bug or misconfiguration in it that allows data to leak to those who look for it.
i am trying to measure code performance (basically speed-up when using threads). So far i was using cygwin via windows or linux on separate machine. Now i have the ability to set up a new system and i am not sure whether i should have dual boot (windows and ubuntu) or a virtual machine.
My concern is whether i can measure reliable speed up and possibly other stuff (performance monitors) via a linux virtual machine or if i have to go with with normal booting in linux.
anybody have an opinion?
If your "threading" relies heavily on scheduling, I won't recommend you to use VM. VM is just a normal process from the host OS's point of view, so the guest kernel and its scheduler will be affected by scheduling by the host kernel.
If your "threading" is more like parallel computation, I think it's OK to use VM.
For me, it is much safer to boot directly on the system and avoid using a VM in your case. Even when you don't use a VM, it is already hard to have twice the same results in multi-threading because the system being used for OS tasks, so having 2 OS running in the same time as for VM even increases the uncertainty on the results. For instance, running your tests 1000 times on a VM would lead to, let's say, 100 over-estimated time, while it would maybe be only 60 on a lonely OS. It is your call to know if this uncertainty is acceptable or not.
I have access to a machine to which I can ssh. How to determine if my OS is running in fully-virtualized (where VMM does binary translation), para-virtualized or non-virtualized environment? I have some idea of how to go about it (some operations like accessing a memory page/disk will take longer time in a virtualized environment) but don't know how to proceed.
It does depends on the VMM you are running on top of. If it's a Xen or Microsoft VM, I believe CPUID with EAX value of 0x40000000 will give you a non-zero value in EAX. Not sure if that works on VMWare, VirtualBox or KVM. I expect that it will work there too...
Measuring access time is unlikely to ALWAYS show you the truth, since in a non-VM system those can vary quite a lot as well, and there is no REAL reason that you'd see a huge difference in an efficient implementation. And of course, you don't know if your VM is running with a REAL hard-disk controller passed through via the PCI, or if your NFS mounted disks are connected via a REAL network card passed through to the VM, or if they are accessed through a virtual network card.
A good VMM shouldn't show you much difference as long as the application is behaving itself.
On most operating systems today, the default is that when we install a program, it is given access to many resources that it may not need, and it's user may not intend to give it access to. For example, when one installs a closed source program, in principle there is nothing to stop it from reading the private keys in ~/.ssh and send them to a malicious third party over the internet, and unless the user is a security expert proficient in using tracing programs, he will likely not be able to detect such a breach.
With the proliferation of many closed sourced programs being installed on computers, what actions are different operating systems taking to solve the problem of sandboxing third party programs?
Are there any operating system designed from the grounds up with security in mind, where every program or executable has to declare in a clearly readable format by the user what resources it requires to run, so that the OS runs it in a sandbox where it has access only to those resources? For example, an executable will have to declare that it will require access to a certain directory or a file on the filesystem, that it will have to reach certain domains or IP address over the network, that it will require certain amount of memory, etc ... If the executable lies in its declaration for system resource requirements, it should be prevented from accessing them by the operating system.
This is a the beauty of Virtualization. Anyone performing testing or operating a questionable application would be wise to use a virtual machine.
Virtual Machines:
Provide advantages of a full Operating System without direct hardware access
Can crash or fail and be restarted without affecting the host machine
Are cheap to deploy and configure to a variety of environments
Great for using applications designed for other platforms
Sandboxes applications that may attempt to access other private data on your computer
With the seamless modes virtualization programs such as VirtualBox provide you can take advantage of Virtual Machine's sandboxing in a nearly seamless fashion.
You have just described MAC (Mandatory Access Control) in your last paragraph.
I was always curious about that too.
Nowadays mobile OSes like Android do have sandboxing built-in. When installing an app, it asks for permissions to access a set of resources/features. Windows too as far as I know, at least to some extend. It is more permissive though.
Ironically, linux and others seem to be far far away concerning "software based permissions" and are stuck in the past, which is a pity. ...at least, as far as I know. I would be pleased for someone to show me wrong and show me a "usable" open source system where application sandboxing/privileges is built-in. Currently, as far as I know, permissions are solely user based.
I think this awareness that not only users need rights to access documents but also executables need rights to access resources has been missing for several decades. It might have avoided a plague of viruses and security issues of our century.
We have a physical machine that runs VMware and hosts a VM we use for SharePoint deployment testing. That machine is old and dying, and my employer's network czars are heavily pushing hosted VMs as a replacement for outdated physical servers. I was curious about whether it's possible to run VMware inside VMware, and if so, whether there are severe performance implications. We don't require extreme performance from this setup, since it's just used for SharePoint testing and the associated SQL Server is on a different box. My guess is that we can't just use the primary hosted VM for our testing because we'll want to roll back occasionally and otherwise have more control over it, and getting buy-in for that from the network folks is unlikely. Does anyone have any experience with this?
edit: I know this nesting certainly isn't the preferred option, but (1) we want the flexibility of being able to use VMware snapshots at will and (2) the network folks will not allow us to arbitrarily roll back to a previous point in time because of the potential for removing mandated security updates. My guess is that a local desktop machine running VMware Workstation might just be the way to go. The hosted option seems attractive if it will work though since it's less machine maintenance for me to deal with.
The technical limitation with running VMware inside VMware is that VMware, Virtual PC, etc takes advantage of the Virtualization features present in modern CPUs.
If you have two or more hypervisors are both trying to control Ring 0 then there will be problems, this is something that I've encountered while trying to run both VMware and Virtual PC simultaneously on my desktop - one will error out/crash.
If your hypervisor can interact with the 'parent' hypervisor, then you'll be OK. Alternatively if the child hypervisor doesn't try to use the CPU virtualization features, or entirely emulates the CPU (such as QEMU) then you should also be OK.
Basically old-style hypervisors on old CPUs use Full virtualization (slow) which would be capable of nesting with a heavy, heavy performance hit. modern Hypervisors/CPUs use hardware assisted virtualization (near native performance) and you'd be hard pressed to find a hypervisor that is designed or capable of nested virtual machines.
Finally, I'd really advise against running dev/test VMs on the same physical server that is running production VMs. There's just too much to go wrong and security implications - you need to manage the dev/test environment and it sounds like you shouldn't have access to production environment. Likewise you probably don't want the operations team messing about with your test environment.
UPDATE: ESXi 4 now supports virtualizing itself. See this article for more information
I've never run VMware in VMware, but I've run VirtualPC inside VirtualBox without problems, so there's no fundamental reason it shouldn't work I suppose...
It sounds to me more like you have a problem with the inflexibility of your "network czars" than any technical one. If you're a developer or QA you need a testing environment where you can fool around with outdated (and potentially insecure) versions of the OS and applications, without putting the rest of the company network at risk.
Ex-VMware employee here.
Firstly, when you say Nested VMware I will assume you mean Nested ESXi. (You could also mean Workstation, Fusion, or Player).
Nested ESXi environments are unsupported and should not be used for production. These scenarios are not tested in QA and not guaranteed to work. In short, if you experience any kind of problem, VMware will not help you with this Nested ESXi setup.
With that said, yes you can do it and yes it does work. A lot of people use nested ESXi in their labs but not in production. Previously there were special configuration file edits that were necessary for nested ESXi to work. I have seen environments with even 3 layer nested ESXi servers (ESXi vm on and ESXi vm on a physical ESXi host). More recently there is the ESXi appliance which makes this much easier.
Have a look here:
http://www.virtuallyghetto.com/2015/12/deploying-nested-esxi-is-even-easier-now-with-the-esxi-virtual-appliance.html
I ran into this same problem. I work at a large company where our entire infrastructure is virtual, so if you need a server you get a VMware VM. So I had a couple of Windows 2003 Server Standard Edition based Guest VM's that had 6GB of memory and 200 GB of disk space, but I wanted to run linux and a LAMP stack on them. So I tried to install VMware Workstation on one and I got an error message saying it couldn't be installed within a VM. I also tried Microsoft Virtual PC and got a similar error message. I installed Sun's VirtualBox and that installed fine, but I couldn't get the networking to work w/in the guest Ubuntu OS. My next step is to try QEMU although performance might become an issue.
You ought to have a look at Mainframes - they are Virtualised from the word go:
Hardware - runs Hypervisor Type 1 - Level 1
on this you have zVM - Type 2 Hypervisor - Level 2
on this you have zOS - your main big operating system - Level 3
and/or
on this you have zLinux - Level 3
and/or
on this you have zVM for testing next version - Level 3
and/
on this you have zOS for testing zVM plus zOS both at next version - Level 4
So going down to level 4 is pretty common
Mind you on a Mainframe you can have 1000's of VMs running at the same time - and most sites who start using zVM/CMS and zVM/Linux usually do.
I can see two solutions for this (three if you count a VM inside a VM which is just crazy).
New hardware, which should be robust enough to handle several VM's used specifically for testing (sharpoint, etc.). In this situation your team could be given more rights without affecting non-testing VM's.
Sharepoint test VM's are moved to the main VM pool and those who need access are given the ability to checkout/deploy/rollback testing resources. This could be direct through VMWare tools or through an internal project that works through a VMWare API.
This should be a joint decision between Network/Dev/Testing.
JFYI:
I tried installing and running VMware ESXi server host(child ESXi server) as a virtual machine(on parent ESXi server) and it runs however you can not run any VMs under child ESXi server.
I am doing practice of VMware vSphere Data center virtualization on single Physical machine. There is VMware Workstation installed on Windows 8 OS. In VM Workstation, I have installed Windows Server 2008 OS, VMware ESXi OS and created the VMware Data center LAB. There is VMs running in LAB, and its confirm that We can user VMware in VMware. But it depends on your need, and Products which is chosen.
You can install ESXi on VMware Workstation, it's usefull to learn ESXi, so there in no reason run VMware in VMware.
Yes. You can run VMWare inside VMWare. Though its not officially supported, You can deploy VMs in the child ESX. I have checked for an advanced feature like PassThrough the HBA card but which was not available in child ESX, hence I could not provide a LUN from array.
So in production its better to not use this.
But for training and practices this can be used.
You can do that.
You can install vmware esxi inside virtual machine of another vmware esxi.
But the performance will be very bad.
Totally works.. totally can't do it other then for some kinda testing or some kind of educational purpose, because you won't get support. and from my limited experience it doesn't perform that well.
Yes, you can, VMware can even detect if it's running inside of another vmware machine and warn you that VMception will cause worse performance. which it will, trust me, just try to get the version the virtual machines work best in a physical machine, as to get as much performance possible.
"whether it's possible to run VMware inside VMware" What?
I can run Windows with Sharepoint in a VMWare machine that's hosted somewhere.
Or, I can run Windows with Sharepoint in a WMWare machine that's actually a VMWare machine that's hosted somewhere.
Why on earth would I add a level of nesting? Why not just go with Windows with Sharepoint hosted somewhere?
You can have any number of VMWares running on a single host. Lots of different versions doing lots of different things.
Nesting them doesn't make sense.