[Dshield] The race to the bottom - Virtualizing all your servers - security measure or not?

Don Jackson djackson at secureworks.com
Thu Aug 31 14:09:41 GMT 2006


> If my host server is not using AMD CPUs, but uses Intel XEONs 
> on brand name hardware, does that mean that the nasty has 
> less of an advantage?  I may misunderstand, but if AMD SVM 
> extensions are not available, then they can't be used against 
> my hosting server, right?  Or do AMD SVM extensions provide 
> more protection?  If so does your virtualization host 
> software have to support it to gain any benefit?

For the moment, you need not worry about Blue Pill.

The point of attacking AMD's Pacifica extensions (Secure Virtual
Machine) was to show that we should not be misled about the 'S' in SVM
(available in CPU modules for Socket AM2 Rev F and later).  It simply
isn't "full virtualization" and can be subverted from inside the guest
OS.  Given that attacks against SVM are being demonstrated, I would
say that using AMD SVM makes your machines more of a target *for the time
being*.

VMware machines running under a host OS are also not "full
virtualization".  That is, there are always side-effects of running in a
VM that are visible to the guest OS or its applications.  There are
many more ways to subvert these VMware workstation-type instances being
discussed, but do I have a PoC?  No...

There will be new SubVirt and Blue Pill type attacks against other VM
technologies (hypervisors on Xeons, other CPU VM extensions), but that
is mostly still in the research phase.

So, for the time being, you need not worry about Blue Pill.  :)
However, you will need to keep watch on new rootkit and VM subversion
countermeasures.

> Do you have any better links on this subject?

Understanding how the attacks happen and what direction attackers might
take (using SVM as an example) is illustrated in Joanna's presentation
at SyScan '06 (also presented at BlackHat).  If you can't find a copy,
I'll email it to you off list.  Also, check out rootkit.com and anything
by Hoglund first, before moving into any deeper waters.  :)

Don Jackson, CISSP
Security Researcher
SecureWorks
11 Executive Park Drive NE
Atlanta, GA  30329-2232
Direct: +1 (404) 417-3730
djackson at secureworks.com

PGP Public Key ID: 0x588C5EC1
Keyserver: http://pgp.mit.edu
Fingerprint: 2002 3DBB 5A1D 2A85 3EDE 0394 662E 32D4 588C 5EC1