T 5.150 Compromising the hypervisor of virtual IT systems
The hypervisor is the central component of a virtualisation server and controls all virtual machines executed on that server. It assigns processor and main memory resources and distributes the available computation time among the virtual machines. Furthermore, it manages the access of the virtual IT systems to the network and to the storage resources. A successful attack on this component means the loss of control over all virtual IT systems executed in the context of this hypervisor. An attack on a hypervisor is predominantly performed in one of the following ways:
- Manipulation of the CPU registers controlling the virtualisation functions of processors with integrated virtualisation support. Such attacks may be used to determine whether the attacker is in a virtual environment. For some virtualisation products, the hypervisor itself may be virtualised, and therefore controlled by malware, by means of certain processor instructions. This is even possible from within a virtual IT system.
- Exploitation of an error in the implementation of the resources provided to the virtual IT systems by the hypervisor. These may be, for example, emulated network cards, bulk storage media, or graphics cards. For some virtualisation products, core components such as the processor and main memory are also emulated. The device emulations are used by the virtual IT systems in order to use the corresponding functions of the hypervisor and/or of the host operating system.
- As a central component, the hypervisor assumes a host of security-critical functions in a virtualisation solution. If an attacker manages to compromise the hypervisor, the secure operation of the respective virtual IT systems and virtualisation servers is particularly endangered. Attackers may attempt to manipulate or disturb virtual IT systems in this way, and confidential information could be disclosed to unauthorised persons. Weaknesses in the hypervisor product used may therefore entail significant risks for information processing.
- Some virtualisation systems furthermore include functions for communication between the hypervisor and the virtual IT systems. These are normally implemented by guest tools installed in the virtual IT system. In order to allow for communication between the guest tools and the hypervisor, every virtual IT system is equipped with a communication channel from the guest tools to the hypervisor. In virtual IT systems based on the products of the manufacturer VMware, for example, there is a specific DMA channel for this purpose which is opened when certain processor registers are loaded with certain values. This option is not exclusively available to guest tools, but also to malware. If an attacker is able to occupy this communication channel, he/she may exploit security gaps or design weaknesses of the hypervisor in order to gain control of the hypervisor or to execute his/her own code in the context of the hypervisor. In this way, the attacker may gain control of other virtual IT systems. Since the hypervisor monitors and controls all functions of a virtual IT system, the hypervisor can be used to directly manipulate processor functions or main memory content of the virtual IT system in order to introduce malware into it. This does not necessarily require a usable security gap in the virtual IT system attacked via the hypervisor.
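The attack surfaces listed above (the guest-tools channel and the emulated devices) are ones an operator can narrow per virtual machine. The following script is an added example and is not part of the BSI threat catalogue: it audits a VMware .vmx configuration for guest-to-hypervisor interaction settings that remain enabled and for emulated devices that a server VM rarely needs. The setting names follow VMware's published hardening guidance as recalled by the author of this example and should be verified against the hardening guide for the product version in use; the sample configuration is constructed.

```python
"""Audit a VMware .vmx configuration for guest-to-hypervisor attack surface.

Added example, not part of the BSI threat catalogue. The setting names are
assumed from VMware's hardening guidance; verify them for your product version.
"""
import re

# (key, hardened value, why it matters for T 5.150)
EXPECTED = [
    ("isolation.tools.copy.disable", "TRUE", "clipboard copy via guest tools"),
    ("isolation.tools.paste.disable", "TRUE", "clipboard paste via guest tools"),
    ("isolation.tools.dnd.disable", "TRUE", "drag-and-drop via guest tools"),
    ("isolation.tools.setGUIOptions.enable", "FALSE", "GUI options settable from guest"),
    ("isolation.device.connectable.disable", "TRUE", "guest may connect devices"),
    ("isolation.device.edit.disable", "TRUE", "guest may edit device settings"),
    ("svga.vgaOnly", "TRUE", "full graphics emulation exposed to guest"),
]

# Emulated devices a server VM rarely needs; each one is extra hypervisor
# code reachable from inside the guest.
OPTIONAL_DEVICES = ["floppy0", "serial0", "parallel0", "sound", "usb"]

_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"?([^"]*)"?\s*$')

# Constructed sample of a customer database VM, deliberately only partly hardened.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "db-server-customer-a"
memsize = "8192"
numvcpus = "4"
scsi0.present = "TRUE"
scsi0:0.fileName = "db-server.vmdk"
ethernet0.present = "TRUE"
floppy0.present = "TRUE"
sound.present = "TRUE"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "FALSE"
isolation.device.connectable.disable = "TRUE"
"""


def parse_vmx(text):
    """Parse key = "value" lines into a dict with lower-cased keys."""
    cfg = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # comment line
        m = _LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2).strip()
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    for key, hardened, why in EXPECTED:
        actual = cfg.get(key.lower())
        if actual is None or actual.upper() != hardened:
            findings.append(f"{key} is {actual!r}, expected {hardened}: {why}")
    for dev in OPTIONAL_DEVICES:
        if cfg.get(f"{dev}.present", "").upper() == "TRUE":
            findings.append(f"{dev} is attached: unneeded device emulation reachable from guest")
    return findings


def audit_text(text):
    return audit(parse_vmx(text))


def hardened_copy(text):
    """Append the hardened values and detach optional devices (for comparison)."""
    extra = "".join(f'{k} = "{v}"\n' for k, v, _ in EXPECTED)
    extra += "".join(f'{d}.present = "FALSE"\n' for d in OPTIONAL_DEVICES)
    return text + extra


if __name__ == "__main__":
    for f in audit_text(SAMPLE_VMX):
        print("FINDING:", f)
    print("after hardening:", audit_text(hardened_copy(SAMPLE_VMX)))
```

Because later lines in a .vmx file override earlier ones with the same key, `hardened_copy` simply appends the desired values; in practice the VM must be powered off and the configuration reloaded before such changes take effect.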
Example:
A computer centre service provider operates IT systems for several customers who compete with each other. In order to reduce the system operation costs for the customers and to stay competitive, the service provider introduces a virtualisation solution in its computer centre operations. The service provider informs its customers that their systems are now operated as virtual IT systems. Since the network of the computer centre service provider is designed in such a way that no communication connections can be established over the network between the IT systems of different customers, the service provider continues to guarantee the confidentiality of the customers' data. The service provider checks this with the help of regular audits and also provides its customers with audit possibilities.
A database administrator of one of the customers is given the option of interactively logging in to the IT systems operated by the computer centre service provider. He has administrator rights on the database system. Hoping to gain information about a competitor of his employer, he now starts malware which, due to an error in the graphics card emulation of the hypervisor, allows him to execute his own code in the context of the hypervisor. This code allows him to monitor all hypervisor functions. In this way, he is able to identify a database system of another customer of the computer centre service provider as the database system of a direct competitor. Using the bulk storage interface of the hypervisor, he manages to read data from and modify content in the database of this virtual machine. This significantly disrupts the competitor's production, and the administrator's company gains a competitive advantage.