T 5.147 Unauthorised reading or disturbance of the virtualisation network

Numerous network connections are required in order to operate a virtual infrastructure. These connections are used to access storage networks. Moreover, connections between the individual virtualisation servers are required so that the virtualisation servers and the virtual IT systems can be controlled and monitored. Network connections are also required for high-availability functions and for so-called Live Migration (migration of virtual IT systems between virtualisation servers during live operations). These network connections are referred to as the "virtualisation network" in the following.

Within a virtual infrastructure, individual virtual IT systems can be migrated between virtualisation servers (Live Migration). This is performed, for example, for load balancing, for maintenance purposes, or to compensate for a failure. Here, the processor state and the main memory content, as well as the configuration data of the virtual IT system, must be transferred from one virtualisation server to the other. This transmission is performed via the virtualisation network. The transmission protocols used by the manufacturers of virtualisation solutions often do not provide any encryption for this flow of data. As a result, persons who gain unauthorised access to the virtualisation network are able to read confidential content of the transferred guest systems, such as the main memory content. For example, confidential data held in main memory that is otherwise only transmitted over the network in encrypted form may be read and possibly even modified. If the virtualisation servers use a central storage network, the content of the connected storage network may also be compromised (see also T 5.129 Manipulation of data via the storage system, as well as T 5.7 Line tapping and T 5.8 Manipulation of lines).

Furthermore, an attacker who controls a manipulated virtualisation server may disturb the virtualisation network by accessing the information transmitted in the network and suppressing or modifying network packets. For example, changes to the main memory content of a virtual IT system transmitted during a Live Migration may not be detected by the receiving virtualisation server. In this way, the main memory content of the guest system could be modified by an attacker.

If communication in the virtualisation network is disrupted, migrations during live operations may fail. If these migrations were initiated in order to prevent resource bottlenecks in the virtual infrastructure, such bottlenecks may then occur.

Example:

A medium-sized company uses a database server for processing the personnel data of its employees. In order to protect this personnel data, the database content is only written to the hard disks of the database server in encrypted form. The client application used by the users in the Personnel Department also communicates with the database server in an encrypted manner. However, during processing the database system itself partially holds the data in unencrypted form in its main memory.

This database system was virtualised within the framework of the company's virtualisation project. The administrator of the virtualisation server now wants to access salary data in the personnel database in order to improve her position in salary negotiations, since she feels that she is underpaid compared to her colleagues. She designed the database system and therefore knows how it works. However, she is unable to use functions of the server or of the database software to access the system's data unobtrusively. Therefore, she installs a network monitoring tool in the virtualisation network, which she can use to read the network traffic in this network.

She now instructs the virtualisation servers to migrate the database server between two servers during live operations (Live Migration) and reads and records the transmission of the main memory in the network. After several recorded migrations, she is able to reconstruct a complete copy of the salary table from the recorded main memory content of the database server.

This attack on the confidentiality of the personnel administration data remains unnoticed, since Live Migration is completely transparent to the database system and the client application.
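The scenario above depends on one guest being migrated repeatedly within a short time, which is visible in the hypervisor's own event records even though the migration is transparent to the guest. The following Python script, added here as a detection example and not part of the threat catalogue, flags such migration bursts; the event line format, the field names, the window and the threshold are assumptions, and the sample log is constructed.

```python
"""Flag bursts of Live Migrations of one guest (added example; event format,
field names and thresholds are assumptions, not any vendor's format)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: db-hr-01 is shuttled between two hosts four times in
# under an hour by one account; web-02 sees two routine moves hours apart.
SAMPLE_LOG = """\
2024-03-04T09:00:12 MIGRATE vm=db-hr-01 src=hv-a dst=hv-b user=vadmin
2024-03-04T09:14:40 MIGRATE vm=db-hr-01 src=hv-b dst=hv-a user=vadmin
2024-03-04T09:31:05 MIGRATE vm=db-hr-01 src=hv-a dst=hv-b user=vadmin
2024-03-04T09:47:52 MIGRATE vm=db-hr-01 src=hv-b dst=hv-a user=vadmin
2024-03-04T10:02:19 MIGRATE vm=web-02 src=hv-c dst=hv-d user=loadbalancer
2024-03-04T15:30:00 MIGRATE vm=web-02 src=hv-d dst=hv-c user=loadbalancer
"""

# Assumed line format: "<ISO timestamp> MIGRATE vm=... src=... dst=... user=..."
LINE_RE = re.compile(r"^(?P<ts>\S+) MIGRATE vm=(?P<vm>\S+) src=(?P<src>\S+) "
                     r"dst=(?P<dst>\S+) user=(?P<user>\S+)$")

def parse_events(lines):
    """Parse migration events (non-matching lines are skipped), sorted by time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "vm": m["vm"],
                           "src": m["src"], "dst": m["dst"], "user": m["user"]})
    return sorted(events, key=lambda e: e["ts"])

def migration_bursts(events, window=timedelta(hours=1), threshold=3):
    """Return {vm: finding} for guests migrated >= threshold times within any
    sliding window of length `window`; tune both against normal site activity."""
    by_vm = defaultdict(list)
    for e in events:
        by_vm[e["vm"]].append(e)
    findings = {}
    for vm, evs in by_vm.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # drop events that fell out of the window
            count = end - start + 1
            if count >= threshold and count > findings.get(vm, {}).get("count", 0):
                burst = evs[start:end + 1]
                findings[vm] = {"count": count,
                                "first": burst[0]["ts"].isoformat(),
                                "last": burst[-1]["ts"].isoformat(),
                                "hosts": sorted({h for e in burst for h in (e["src"], e["dst"])}),
                                "users": sorted({e["user"] for e in burst})}
    return findings
```

Reviewing the `users` and `hosts` fields of a finding against change records and the load-balancing service account separates routine migrations from those an individual administrator triggered by hand.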