T 5.149 Misuse of guest tools in virtual IT systems

For many virtualisation products, so-called guest tools are installed in the virtual IT systems. On the one hand, these guest tools can be used to provide the device drivers required for operating system virtualisation for virtual or emulated devices such as network cards, graphics cards, or hard disks. On the other hand, these tools can be used to install programs for communicating with the hypervisor or the host operating system, for improving the performance of the virtual IT system, and for simplifying the provision of new virtual IT systems within the virtual IT systems. With the help of the guest tools, the virtual systems may additionally be monitored. The hypervisor or the host operating system uses guest tools to monitor the availability and performance of the guest.

The guest tools are frequently executed with high authorisations due to their quasi-system function. Frequently, they are executed in the context and therefore with the rights of the operating system core of the virtual machine.

Functions such as overbooking main memory or bulk memory space for virtual IT systems are coordinated between the hypervisor and the virtual IT system with the help of guest tools. These functions constitute a significant added value for the virtualisation technology in computer centre operations.

For some virtualisation products specialised for software development, there is additionally the option of conveniently designing complex test scenarios. This is also frequently implemented or supported with the help of the guest tools. For this, the guest tools are equipped with interfaces in order to transmit script files to virtual IT systems. These scripts can then also be executed in the virtual IT system using the guest tools. All script languages available in the virtual IT system may be used. The scripts may be started either during system start, when a user logs in, or also at any other time. The interfaces do not normally require any network connection between the guest systems, but are provided by the hypervisor or the host operating system.

These interfaces for scripts may be exploited by an attacker in order to establish an undesirable communication across several virtual systems that cannot be controlled with the help of classical means. In this, the attacker transmits the data using the interface for transporting script files.

Furthermore, when using the described virtualisation products designed for software development, an attacker may transmit proprietary script files from one virtual IT system to another virtual IT system with the help of the guest tools. These scripts can be executed with the rights needed to run the guest tools. Due to the wide-ranging authorisation of the guest tools, this is particularly critical, since any actions may be performed with the guest tools in the guest system concerned. For example, malware can be started, users can be created, group memberships can be modified, or the configuration of the operating system of the virtual IT system can be manipulated.

Denial-of-service by overbooking resources

Some virtualisation products allow overbooking of different resources such as hard disk space or RAM. For example, if two virtual IT systems compete for internal memory capacity, the host operating system or a hypervisor may order the guest tools to reserve virtual RAM in one of the virtual IT systems. The physical representation of this storage is not used by the virtual IT system as a consequence. The hypervisor may now provide this physical storage to the other virtual IT system as virtual RAM. The other way around, a virtual IT system may use the guest tools to request main memory capacity.

If an attacker controls a virtual IT system, he/she may request main memory space with the help of malware to the extent that the main memory space would become scarce for other virtual IT systems. This has adverse effects on the capability of the other virtual IT systems through to a denial-of-service attack. The same effect occurs if an attacker accesses a service of a virtual IT system from the outside in such a way that this service occupies large amounts of storage space.

If a function for overbooking hard disk space is used, there is usually also an option for releasing this storage. This is performed by consolidating unused disk space and by highlighting this disk space as free.

If an attacker triggers such a process in a virtual IT system, the storage systems are put under significant stress. This may also reduce the capability of other IT systems.

Examples:

• A computer retailer processes software development jobs for different customers. For this, the computer retailer operates a virtualisation environment specialised for development assignments, since comprehensive test scenarios must be established for the development of client/server applications. The test systems for these scenarios are provided with the help of several templates for different virtual servers and clients that are copied and adapted to the respective test scenario if required.
  
  Due to the weak order situation of the computer retailer, several developers must be dismissed. One of the dismissed developers wants to take revenge for her dismissal and develops a script which continuously resets a virtual test system to the initial condition of the template once a user logs in to the virtual system for the second time. It looks as if the user who logged in triggered the reset. In reality, this script is entered into the test system once it is started for the second time with the help of the virtualisation software. Additionally, the script transmits itself to every virtual test system running in the virtual infrastructure via a virtualisation function.
  
  The persons responsible at computer retailer assume that their systems are infested with a worm and commission an IT consulting company with a network analysis in order to determine the cause of the problem. However, the consulting company cannot identify any irregularities in the network of the computer retailer. Only by accident, one of the developers notices the attack to the test environment performed by his colleague.
  
  Troubleshooting and failure of test operations required significant personnel resources and caused the non-observance of deadlines. Thus, the computer retailer which was already in a precarious financial situation suffered additional damage.
• A service provider operates a web server farm for several customers. In order to save hardware cost, the web servers are virtualised. In doing so, the service provider provides the virtual systems of the customers with significantly more main memory than actually present in the virtual infrastructure. Since the web servers of the customers are normally only utilised insignificantly, there are no perceivable performance limitations in the virtual systems.
  
  One of the web servers of the customers then suffers a denial-of-service attack. In this, this virtual IT system consumes very large amounts of the main memory. However, this memory is not freely available in the physical virtualisation server the virtual web server is operated on, but is used by other virtual web servers. In order to be able to provide the attacked system with this memory space, this space must be released by the other virtual IT systems. The hypervisor of the virtualisation server therefore reduces the main memory for all other virtual web servers controlled by it. As a consequence, the response times of the virtual web servers increase significantly. Some of the connections are interrupted so that even the virtual web servers that were not the direct aim of the DoS attack are no longer available.