T 5.148 Misuse of virtualisation functions

The majority of the virtualisation products contain tools for freezing virtual machines or certain conditions of the virtual machines. These functions are normally based on the hard disk containers of the virtual IT systems being copied or the conditions of the internal memory and the processor of the virtual IT system being stored to a bulk memory of the virtualisation server.

Every virtualisation server has access to all storage resources of the virtual machines it administrates. There is therefore a risk that the virtualisation server may access such resources in an unauthorised manner in order to copy or modify data without authorisation. Therefore, an attacker may easily produce a copy of a virtual machine in order to remove this copy from the computer centre and to operate it on a separate virtualisation server without authorisation. The attacker may use the created copy in order to examine the virtual machine.

Furthermore, an unmodified clone of a virtual machine may cause an IP address or other resource conflict in computer centre operations if such a clone is not adapted before booting.

For some virtualisation products, snapshots of a virtual machine may also be created during live operations. In this case, the processor condition and the main memory content are written to a hard disk of the virtualisation server. Moreover, the hard disk container of the virtual machine is also frozen and changes are written to a differential file. This data may be copied in order to create an operable clone of the virtual machine with the help of another virtualisation server. The stored content of the processor condition and the main memory of the virtual machine may furthermore be used by an attacker in order to analyse storage areas of the virtual machine. For example, keys of encryption tools stored in the main memory of the virtual machine without any encryption may be extracted at this point.

Furthermore, it is possible to reset virtual machines to an old status by using snapshots. This way, safeguards taken in order to close security gaps may be undermined, for example.

Attacks otherwise recorded in the log files of the virtual machines may also be concealed by resetting a virtual machine to a snapshot. Together with the status of the virtual machine, its log file is reset as well.

If older snapshots are activated, it is also possible to restore data that should be deleted. If the virtual IT system is reset to the snapshot, supposedly deleted data may be restored. The use of tools which overwrite the content of a file several times in order to render the restoration impossible is not efficient either if a snapshot was created before the tool is used within the virtual IT system. If a snapshot has been created for a virtual machine, the overwriting processes only affect the differential file containing the changes performed since the snapshot was created. If the snapshot is deleted and the changes in the differential file are applied to the hard disk container, the seemingly multiple overwriting processes are only written to the hard disk container once.

Example:

In the computer centre of a company operating in the field of basic research, data with a high protection requirements category regarding confidentiality are processed in a virtual IT system. Therefore, a hard disk encryption program is installed in the virtual machine. This requires the entry of a password during booting. The password was only disclosed to a few, particularly trustworthy employees of the company.

The hard disk encryption program works transparently for the operating system of the virtual machine. This means no additional password must be entered during operation of the virtual machine.

During operation of the virtual machine, the data is protected by restricted authorisations. Moreover, user accounts are blocked automatically if these are used several times to try to gain unauthorised access to the data.

By using the hard disk encryption program, the data of the virtual machine is protected in the storage network. The computer centre operator therefore assumes that copying the hard disk container of the virtual machine does not result in any data useful to an attacker. Moreover, the operator believes that a sufficient level of security has been achieved by assigning authorisations and automatically blocking accounts.

An employee of this computer centre is in a financial difficulty. A competitor of the computer centre operator now offers the employee a large amount of money if he provides the competitor with access to the data processed in the virtual machine.

As a consequence, the employee creates a snapshot of the virtual machine during live operations on the virtualisation server. The snapshot contains the internal memory content, as well as the processor condition of the virtual IT system. The employee copies the configuration file, the hard disk containers, the content of the internal memory, and the CPU condition of the virtual machine to a portable mass storage medium and leaves the organisation with this medium.

The copy of the virtual machine can now be executed on the virtualisation server of the competitor. Since the virtualisation server restores the runtime environment of the virtual machine from the stored data, the hard disk encryption program does not prompt the user to enter a password. The operating system in the virtual machine does not "notice" this interruption of operations.

The attacker tries to determine the passwords of the authorised users with the help of brute-force attacks. In order to accelerate the procedure, the attacker creates several copies of the virtual machine. If an account is blocked due to the number of failed attempts, the attacker resets the virtual machine to the condition before the account was blocked and continues the brute-force attack.