1 00:00:01,485 --> 00:00:03,177 Virtual machine weaknesses now. 2 00:00:03,417 --> 00:00:04,777 Under most circumstances, 3 00:00:04,845 --> 00:00:07,851 it’s safe to assume that the virtual machines 4 00:00:08,011 --> 00:00:09,897 are isolated from each other, 5 00:00:10,400 --> 00:00:14,457 that the host is separated from the guest, and the guest is separated from the host. 6 00:00:14,845 --> 00:00:19,085 But the configuration settings and vulnerabilities 7 00:00:19,131 --> 00:00:22,342 within the hypervisor and the VM Tools 8 00:00:22,468 --> 00:00:25,942 and other locations can weaken that isolation. 9 00:00:26,400 --> 00:00:31,062 Let us talk through some of the potential weaknesses of using virtual machines, 10 00:00:31,314 --> 00:00:35,645 and virtual machines and sandboxes are kind of synonyms for each other. 11 00:00:35,885 --> 00:00:40,834 So when we say sandbox, when we say virtual machine, they are very similar devices. 12 00:00:41,154 --> 00:00:45,142 Virtual machines and sandboxes are based on the same principles. 13 00:00:46,068 --> 00:00:50,948 So if we have a host and a guest, if the host is compromised 14 00:00:51,142 --> 00:00:54,160 then it’s possible that the guest could be compromised. 15 00:00:54,422 --> 00:00:58,845 For example, a simple remote access tool running on the host 16 00:00:59,108 --> 00:01:01,451 would only need to take a screenshot 17 00:01:01,588 --> 00:01:04,777 to watch the activity of the guest virtual machine, 18 00:01:04,914 --> 00:01:08,788 or run a key logger which would effectively break 19 00:01:08,891 --> 00:01:11,222 the isolation between them completely. 20 00:01:11,897 --> 00:01:15,291 Maintaining the security of the host operating system 21 00:01:15,657 --> 00:01:17,771 is of paramount importance. 
22 00:01:18,091 --> 00:01:21,737 Highlighting the need for a separate secure laptop 23 00:01:22,057 --> 00:01:23,725 for high-stakes situations 24 00:01:23,977 --> 00:01:26,971 where you’re considering using virtualization 25 00:01:27,154 --> 00:01:30,914 as your isolation and compartmentalization security control. 26 00:01:32,125 --> 00:01:35,485 Also, vice versa to what we’ve just discussed, 27 00:01:35,622 --> 00:01:40,411 a guest VM could compromise the host operating system, 28 00:01:40,708 --> 00:01:45,657 or other VMs due to vulnerabilities and configuration settings. 29 00:01:46,560 --> 00:01:50,994 The hypervisor sandbox or the VM Tools installed 30 00:01:51,177 --> 00:01:55,782 can have security vulnerabilities that could compromise this isolation. 31 00:01:57,828 --> 00:02:02,960 One such example of a previous hypervisor vulnerability is Venom, 32 00:02:03,165 --> 00:02:06,240 which you can see a diagram here in front of you. 33 00:02:06,514 --> 00:02:08,262 For vulnerable hypervisors, 34 00:02:08,434 --> 00:02:12,411 it allows an attacker to escape from the confines 35 00:02:12,548 --> 00:02:15,268 of a vulnerable virtual machine guest, 36 00:02:15,485 --> 00:02:19,554 which we call a virtual machine escape, and potentially obtain 37 00:02:19,668 --> 00:02:22,205 code execution access to the host. 38 00:02:22,788 --> 00:02:25,474 This has been patched now by all the major vendors, 39 00:02:25,542 --> 00:02:29,394 but obviously if you’re using an old unpatched hypervisor, 40 00:02:29,630 --> 00:02:31,508 you may even still be vulnerable to this. 41 00:02:33,062 --> 00:02:37,520 Here you can see previous virtual machine hypervisor vulnerabilities 42 00:02:37,828 --> 00:02:39,474 that have occurred over the years, 43 00:02:39,874 --> 00:02:44,411 2007 through to 2014, 2015, 44 00:02:44,617 --> 00:02:45,942 I’m sure there’ll be more to come. 45 00:02:46,491 --> 00:02:48,628 So that’s vulnerabilities within the hypervisor. 
46 00:02:49,474 --> 00:02:53,737 Here’s an example of the virtual machine tools having vulnerabilities. 47 00:02:54,194 --> 00:02:58,548 In VMware, this allowed a standard user to escalate privileges 48 00:02:58,628 --> 00:03:02,101 to an admin or root user within the confines of the guest, 49 00:03:02,102 --> 00:03:05,051 no virtual machine escape in this case, 50 00:03:05,394 --> 00:03:08,765 but it’s an example of VMware Tool vulnerabilities. 51 00:03:09,474 --> 00:03:14,091 As you can see, vulnerabilities can and do exist with virtual machines. 52 00:03:15,531 --> 00:03:19,600 Virtual machines can leak information, so for example, 53 00:03:19,897 --> 00:03:24,400 traces of your virtual machine’s session could be left 54 00:03:24,537 --> 00:03:27,108 on the local hard drive of the host, 55 00:03:27,280 --> 00:03:30,434 even if it’s a live operating system. 56 00:03:30,868 --> 00:03:34,377 For example, host operating systems usually use 57 00:03:34,640 --> 00:03:37,657 virtual memory called swapping or paging 58 00:03:37,828 --> 00:03:40,217 which copies parts of the RAM to the hard drive. 59 00:03:40,788 --> 00:03:44,697 This could contain information about the guest’s session, 60 00:03:44,800 --> 00:03:47,497 and it could be left on the host’s hard drive. 61 00:03:47,780 --> 00:03:51,120 So it’s potential to get leakage from your virtual machine. 62 00:03:52,080 --> 00:03:54,674 Let's think about active attacks now and malware. 63 00:03:54,925 --> 00:03:59,897 VMs are used by security researchers to deliberately isolate malware, 64 00:04:00,114 --> 00:04:03,884 so that the malware can be forensically examined and reverse engineered 65 00:04:03,885 --> 00:04:06,948 in order to understand how the malware works. 
66 00:04:07,530 --> 00:04:10,468 Because of this, advanced malware writers 67 00:04:10,525 --> 00:04:13,131 have designed countermeasures that can detect 68 00:04:13,177 --> 00:04:16,377 when their malware is running on a virtual system, 69 00:04:16,651 --> 00:04:20,342 in an attempt to prevent that very same reverse engineering. 70 00:04:20,594 --> 00:04:23,428 The more sophisticated malware examines the memory, 71 00:04:23,565 --> 00:04:25,451 the file system, the registry, 72 00:04:25,634 --> 00:04:29,920 running processes for virtual machine environment artifacts, 73 00:04:30,080 --> 00:04:34,685 and looks for VM specific virtual hardware and processor instructions. 74 00:04:35,531 --> 00:04:39,668 It’s relatively trivial to detect, if you’re running in a virtual machine. 75 00:04:40,365 --> 00:04:43,314 In some cases, detection of a virtual environment 76 00:04:43,440 --> 00:04:47,154 causes the malware to shut down its malicious functionality, 77 00:04:47,371 --> 00:04:51,828 so that it cannot be properly analyzed in the virtual environment. 78 00:04:52,080 --> 00:04:54,605 This is a defense mechanism for the malware. 79 00:04:54,971 --> 00:04:56,400 This is great for us, 80 00:04:56,537 --> 00:05:00,377 when using VMs for isolation, and as a security control, 81 00:05:00,594 --> 00:05:03,051 as the malware effectively disables itself, 82 00:05:03,360 --> 00:05:08,182 and sometimes even deletes itself to help prevent forensic examination. 83 00:05:08,754 --> 00:05:12,262 It uses this form of defense because it is better for the malware 84 00:05:12,571 --> 00:05:14,594 to not be reverse engineered 85 00:05:14,857 --> 00:05:16,742 because it can give it a longer life. 86 00:05:17,268 --> 00:05:19,565 So it’s good that malware disables itself, 87 00:05:19,691 --> 00:05:21,611 but it’s not all good news. 
88 00:05:21,794 --> 00:05:25,165 Some malware uses the virtual machine detection 89 00:05:25,325 --> 00:05:28,102 to then attempt to exploit security holes 90 00:05:28,320 --> 00:05:29,668 in the VM software, 91 00:05:29,782 --> 00:05:32,171 like the Venom example that we’ve just seen. 92 00:05:32,172 --> 00:05:35,485 Attempting to perform virtual machine escapes, 93 00:05:35,748 --> 00:05:37,874 this wouldn't be good, but fortunately, 94 00:05:37,942 --> 00:05:41,554 hypervisor VM tool vulnerabilities, and other vulnerabilities, 95 00:05:41,760 --> 00:05:43,725 haven't been too prevalent, 96 00:05:43,942 --> 00:05:48,148 so mostly the malware will either keep running and not be able to escape 97 00:05:48,457 --> 00:05:51,257 the isolation, or simply disable itself. 98 00:05:52,411 --> 00:05:54,948 Shared networks are also an attack vector. 99 00:05:55,165 --> 00:05:59,165 If the guests and hosts share the same network, 100 00:05:59,394 --> 00:06:01,680 if any of those machines are compromised, 101 00:06:01,828 --> 00:06:04,422 the other machines could be targets for attack. 102 00:06:04,548 --> 00:06:06,902 Not technically escaping the virtual machine, 103 00:06:07,040 --> 00:06:11,085 but just simply by performing network attacks on the other machines 104 00:06:11,165 --> 00:06:12,777 that are part of the same network. 105 00:06:13,154 --> 00:06:16,685 In most instances, if you are using VirtualBox on your laptop, 106 00:06:16,857 --> 00:06:20,880 the host and guest will share the same network. So for example, 107 00:06:21,108 --> 00:06:23,885 maybe you have a Debian host and a Windows guest, 108 00:06:24,137 --> 00:06:26,388 which have a bridged network adapter. 109 00:06:26,685 --> 00:06:32,594 Windows, the guest is compromised, the Windows VM then attempts an SSL stripping attack 110 00:06:32,800 --> 00:06:36,491 on all the other machines on the network to steal the passwords. 
111 00:06:37,028 --> 00:06:40,822 Even though you have isolation between the Windows guest and the Debian host, 112 00:06:41,154 --> 00:06:45,142 and the isolation at the operating system level isn't compromised, 113 00:06:45,417 --> 00:06:46,777 but the network level, 114 00:06:46,960 --> 00:06:51,565 there is an interface and that interface can be used as an attack vector. 115 00:06:53,680 --> 00:06:57,394 VM hosts and guests obviously share CPUs. 116 00:06:57,565 --> 00:07:03,165 This means it’s theoretically possible to perform what is called covert timing channel attacks. 117 00:07:03,497 --> 00:07:05,348 This is the passing of information 118 00:07:05,634 --> 00:07:09,177 in which one process signals information to another process 119 00:07:09,485 --> 00:07:12,948 by modulating its own use of system resources. 120 00:07:13,462 --> 00:07:17,382 For example, central processing unit time, in such a way 121 00:07:17,474 --> 00:07:19,211 that this manipulation affects 122 00:07:19,257 --> 00:07:22,754 the real response time observed by the second process. 123 00:07:22,982 --> 00:07:26,011 This means guest and host can communicate 124 00:07:26,148 --> 00:07:30,422 via timing variations based on prearranged methods. 125 00:07:30,742 --> 00:07:34,662 A timing channel is one example of a covert channel. 126 00:07:35,920 --> 00:07:39,028 Again, on CPUs, because the CPU is shared, 127 00:07:39,188 --> 00:07:43,520 it may be possible to perform side channel attacks, too. 128 00:07:43,691 --> 00:07:47,531 For example, extract decryption keys from either the guest 129 00:07:47,657 --> 00:07:48,411 or the host. 130 00:07:48,674 --> 00:07:51,017 There’s a paper here on this very same thing, 131 00:07:51,211 --> 00:07:54,331 and in a lab the researchers were able to do that 132 00:07:54,342 --> 00:07:56,925 under the right conditions using ElGamal. 
133 00:07:57,474 --> 00:08:00,754 Features like shared folders, clipboard access 134 00:08:00,845 --> 00:08:02,777 and drag and drop functionality, 135 00:08:02,880 --> 00:08:06,514 all reduce the isolation and allow attack vectors. 136 00:08:06,754 --> 00:08:08,640 Anything you allow the guest to access, 137 00:08:08,765 --> 00:08:11,771 for convenience, is a trade-off with security. 138 00:08:11,897 --> 00:08:14,674 The guest can then possibly view your files 139 00:08:14,754 --> 00:08:17,760 and copy and paste the contents of the clipboard. 140 00:08:18,205 --> 00:08:22,080 If within your VM you have configured them to be accessible, 141 00:08:22,457 --> 00:08:26,948 hardware and hardware emulation could be used to breach the isolation. 142 00:08:27,200 --> 00:08:30,822 So I’m talking about hardware like the microphone, the webcam, 143 00:08:31,108 --> 00:08:32,548 3D acceleration, 144 00:08:32,834 --> 00:08:37,600 serial port, floppy drive, CD drive, USB port and so on. 145 00:08:38,034 --> 00:08:41,737 These could be manipulated and used as an attack vector. 146 00:08:43,245 --> 00:08:45,931 There’s also a possibility that a bug could be found 147 00:08:45,965 --> 00:08:49,588 in the underlying technology that is used by a hypervisor, 148 00:08:49,668 --> 00:08:52,205 such as the Intel VT-d. 149 00:08:52,320 --> 00:08:55,702 And I’m aware of one such example, which is this. 150 00:08:56,822 --> 00:09:00,902 This is a complex attack that was able to bypass Intel's 151 00:09:01,040 --> 00:09:02,811 VT-d imposed protection. 152 00:09:03,211 --> 00:09:07,485 Intel VT-d, if you’re not aware, enables hardware support 153 00:09:07,668 --> 00:09:09,702 for isolation and virtualization, 154 00:09:09,820 --> 00:09:14,102 and a vulnerability was found by these two researchers here at Invisible Labs. 
155 00:09:14,480 --> 00:09:17,497 So there were no vulnerabilities in the hypervisors themselves, 156 00:09:17,622 --> 00:09:19,885 but in the underlying technology, 157 00:09:20,182 --> 00:09:23,600 and when there are problems in the underlying hardware technology, 158 00:09:23,794 --> 00:09:24,891 you can't just patch it. 159 00:09:25,542 --> 00:09:28,560 And then when we start to think about who needs serious security, 160 00:09:28,640 --> 00:09:30,251 privacy and anonymity. 161 00:09:30,537 --> 00:09:34,377 Running a number of virtual machines requires a fast machine 162 00:09:34,457 --> 00:09:36,697 with good CPU and memory. 163 00:09:36,891 --> 00:09:40,525 Many of the people who need security, privacy and anonymity, 164 00:09:40,857 --> 00:09:42,720 are unfortunately not rich. 165 00:09:42,857 --> 00:09:45,222 They live in places where there isn't a lot of money, 166 00:09:45,348 --> 00:09:48,822 and they can't afford a machine to support virtual machines. 167 00:09:48,960 --> 00:09:51,897 This is a disadvantage, a major disadvantage 168 00:09:51,988 --> 00:09:55,268 of virtual machines for people with limited funds. 169 00:09:55,862 --> 00:09:59,314 Virtual machines shouldn't be relied upon as your sole means of protection. 170 00:09:59,462 --> 00:10:03,051 It is one layer of a defense-in-depth approach. 171 00:10:03,417 --> 00:10:07,588 All of the security controls detailed throughout the course should be applied as well, 172 00:10:07,691 --> 00:10:11,200 where appropriate, based on your threat model, your risk, 173 00:10:11,314 --> 00:10:13,691 your adversaries, and the consequences, 174 00:10:14,240 --> 00:10:18,045 including hardening the virtual machine, which we will cover next. 
175 00:10:18,754 --> 00:10:22,342 So virtual machines and sandboxes are not perfect, 176 00:10:22,571 --> 00:10:24,034 but when configured correctly, 177 00:10:24,148 --> 00:10:27,462 they are a very, very effective security control, 178 00:10:27,702 --> 00:10:30,160 that I highly recommend that you use.