RE: More on VMWare poor guest isolation design

["M. Burnett" <mb () xato net>]

I should probably have already ended this discussion, but it reminds me of a
discussion I had on this same list almost ten years ago trying to explain to
Microsoft why a vulnerability that discloses physical paths is a big enough
deal to bother patching. Their argument was that they couldn't see the risk
of disclosing a physical path, and if someone could do something with that
path then they could probably discover the path in the first place. My
argument was that it really doesn't matter what the current risks might be,
that's really not the point, let's just fix it anyway. It turns out later
there were a number of IIS issues where people could execute or access
files, but they needed to know the physical path first.

I think some of you are overanalyzing this issue. I am well aware that there
are other ways to accomplish the same thing in many instances, I am not
saying I have introduced a spectacular new attack vector. I would categorize
this threat standing on its own as medium to low, depending on your
environment. But the fact is that this thing bypasses normal OS security
mechanisms and we simply cannot imagine how that might be used by an
attacker in the future. Some of you keep trying to point out that owning the
host always means owning the guests, but that isn't always the case,
especially if you are not a full administrator on the host machine. 

I know that for a lot of years people have been saying that once someone can
access the physical box, there's nothing more you can do. Well, that's just
not true anymore. You very well can protect a physical machine and you
should be able to protect a virtual guest from its host. There's no way a
non-admin user is going to be able to modify the RAM of a vm. And in Windows
Vista, if not already blocked, even as an administrator I would have to
explicitly allow a worm to access the RAM or disk of a virtual machine. No
worm is going to access a vm's resources without a UAC prompt coming up. 

The argument that owning a physical machine automatically means game over
just isn't true. We should be able to say the same thing about a VM.


Mark




> -----Original Message-----
> From: Tim Newsham [mailto:newsham () lava net]
> Sent: Saturday, August 25, 2007 1:05 PM
> To: M. Burnett
> Cc: 'Arthur Corliss'; 'Jonathan Yu'; bugtraq () securityfocus com
> Subject: Re: More on VMWare poor guest isolation design
>
> > 2. This issue is not about a user on the host compromising a virtual
> guest.
> > It is about a *non-privileged* user on the host being logged in to
> guest
> > machines as an administrator, and a worm--running in the context of
> that
> > non-privileged user on the host--being able to access the admin-level
> > context of the guest machines without knowing those administrator
> > credentials. Also remember that since I am talking about a non-
> privileged
> > user on the host, there will be limits on what this user could do to
> > accomplish some of the other attacks mentioned.
>
> Your position seems to be that an easy automated scripting interface is
> a
> lot more dangerous than a slightly harder indirect attack method. The
> truth is that they are both scriptable and reliable.  Techniques for
> attacking virtual machines from the host are certainly no harder to
> code
> than the average remote exploit that worms used to propogate.  Do you
> really think a worm writer who wants to compromise VMWare guests would
> take advantage of a scripting interface but shy away from the task if
> he
> had to write custom code to break into the guest?
>
> > 4. This is also not so much about this specific issue at hand--we can
> easily
> > block this--but also looking at the bigger picture of establishing
> best
> > practices for dealing with the guest/host relationship.
>
> Here's a best practice:  Don't assume that guests are protected from
> software running on the host system.
>
> > As a side note, I specialize in hardening Windows so all of these
> systems
> > have been hardened with my own hardening script that is quite
> extreme. These
> > are by no means weak targets.
>
> A (virtual) machine where attackers can arbitrarily read and write
> the memory, the disk and even alter devices is going to be a soft
> target.
>
> The physical analogy that someone brought up earlier works well here.
> Would you consider your machine locked down if someone could open
> your computer case, yank the hard drive and attach new devices to the
> system at will?  Well, with a virtual machine they can do that while
> the machine is running.
>
> > Mark Burnett
> > http://xato.net
>
> Tim Newsham
> http://www.thenewsh.com/~newsham/

Attachment: smime.p7s
Description: