How to recognize and prevent a hypervisor attack to protect data

A hypervisor attack can hand hackers the keys to your virtual kingdom. But, with the proper precautions and tools, you can minimize the risk.

While numerous guest OS and network security vulnerabilities exist in a virtual environment, a successful hypervisor attack could have devastating consequences. But, with the right plan in place, you can better protect data and minimize your virtualization and hypervisor security vulnerabilities.


Most security experts agree it is better to design security into a system (an operating system or a hypervisor, for example) than to add it after the fact. That was difficult early on, because the dynamic nature of server, storage and network virtualization was not fully realized when most of the popular hypervisors were designed. For example, mobility tools such as VMware vMotion were released two to three years after VMware ESX Server 1.0 debuted in 2001. In the meantime, as the software stacks have grown in size and complexity, so has the potential for security vulnerabilities.

How to attack a hypervisor
An intruder typically tries to abuse the hypervisor's own management services, such as VM create/delete, clone and migrate, to gain a foothold and then extend it. The likelihood of success grows with the size of the software stack, the number of application programming interfaces (APIs) it exposes, and any lack of security assurance in the code. Generally, a larger software stack presents a greater attack surface than a smaller one, because more code tends to contain more coding errors.

The same goes for a large number of APIs offered to third-party applications: each interface is another path an intruder can probe, and together they enlarge the attack surface. (Typical interfaces include hypervisor calls, interrupts generated by the hardware, and processor instructions that trap to the hypervisor and carry parameters it must process.)

In addition, code that vendors develop without security in mind will generally have lower security assurance and therefore a larger effective attack surface. Conversely, a large amount of code designed with a high degree of security may be more secure than a small amount of code with no security built in.

What a hypervisor attack looks like
When a hypervisor is compromised, an attacker can reach every virtual machine (VM) on that host. One possible outcome: a VM's resource usage climbs until it starves the other VMs, resulting in a denial of service across the host or even a collection of servers. The problem is worse when multiple virtual servers are involved. Monitoring tools from vendors such as SolarWinds Inc., VMware and HyTrust Inc. can detect this kind of runaway consumption, and per-VM resource limits and reservations keep one VM from starving the rest.

Some experts point to another way to subvert a virtualization layer: a rootkit that inserts its own hypervisor beneath a running operating system. It turns out that few people, if anyone, have used this method in the real world. The best-known example is Blue Pill, developed by Joanna Rutkowska in 2006. It uses the processor's hardware virtualization support to start executing as a hypervisor and move the running OS into a VM on the fly; the renegade hypervisor installs without a restart, which makes detection difficult, and it can intercept the OS's interactions with the hardware and return false responses. (Red Pill, also from Rutkowska, is often mentioned alongside it, but it is a detection technique rather than a rootkit, and it predates Blue Pill: it reads the interrupt descriptor table register with the unprivileged SIDT instruction and flags the relocated IDT base that the software hypervisors of the time exposed to their guests. That heuristic does not reliably detect a hardware-assisted hypervisor such as Blue Pill, which has no need to relocate the guest's IDT.)
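As an added illustration of the Red Pill check described above (this is example code written for this article, not Rutkowska's published source and not code from the page), here is the SIDT-based test in C. The thresholds are the original 2004 heuristic: the top byte of the 32-bit IDT base above 0xd0 meant a virtual machine, because VMware Workstation relocated the guest IDT to 0xffXXXXXX and Virtual PC to 0xe8XXXXXX. The decision logic is kept in a separate function so it can be exercised on constructed addresses; the raw read only works on x86 and is reported as unsupported elsewhere.

```c
/*
 * Added example: the "Red Pill" VM-detection check (Rutkowska, 2004).
 * Not code from the article. SIDT is an unprivileged x86 instruction that
 * stores the interrupt descriptor table register (limit + base) to memory.
 * The classification thresholds are the 2004 heuristic and nothing more:
 * they are assumptions for illustration, not a reliable VM detector.
 */
#include <stdint.h>
#include <stdio.h>

/* Descriptor-table register image: 16-bit limit plus the table's base. */
struct idtr_image {
    uint16_t limit;
    uint64_t base;   /* 32 bits wide on i386, 64 bits on x86-64 */
};

enum redpill_verdict {
    REDPILL_NATIVE = 0,    /* base in the range a native 32-bit kernel used */
    REDPILL_VM = 1,        /* base relocated the way 2004-era hypervisors did */
    REDPILL_UNKNOWN = 2    /* 64-bit base: the 2004 heuristic does not apply */
};

/* Pure decision logic, separated from the hardware read so it can be
   checked on constructed values. Red Pill looked at byte 5 of the 6-byte
   32-bit IDTR image, i.e. the most significant byte of the base, and
   treated anything above 0xd0 as a sign of a hypervisor. */
enum redpill_verdict redpill_classify(uint64_t idt_base)
{
    if (idt_base > 0xffffffffULL)
        return REDPILL_UNKNOWN;
    uint8_t top = (uint8_t)((idt_base >> 24) & 0xff);
    return top > 0xd0 ? REDPILL_VM : REDPILL_NATIVE;
}

/* Read IDTR with SIDT. Returns 0 on success, -1 on a non-x86 CPU.
   Caveat: if the CPU's UMIP feature is enabled, the OS traps user-mode SIDT
   and may emulate it with a dummy base, so the value read is not trustworthy. */
int read_idtr(struct idtr_image *out)
{
#if defined(__x86_64__)
    struct __attribute__((packed)) { uint16_t limit; uint64_t base; } raw;
    __asm__ volatile ("sidt %0" : "=m" (raw));
    out->limit = raw.limit;
    out->base = raw.base;
    return 0;
#elif defined(__i386__)
    struct __attribute__((packed)) { uint16_t limit; uint32_t base; } raw;
    __asm__ volatile ("sidt %0" : "=m" (raw));
    out->limit = raw.limit;
    out->base = raw.base;
    return 0;
#else
    (void)out;
    return -1;
#endif
}

int main(void)
{
    static const char *names[] = {
        "native (per 2004 heuristic)",
        "VM (per 2004 heuristic)",
        "64-bit base: 2004 heuristic does not apply"
    };
    struct idtr_image r;
    if (read_idtr(&r) != 0) {
        puts("not an x86 CPU: SIDT unavailable");
        return 0;
    }
    printf("IDT limit 0x%x, base 0x%llx -> %s\n",
           (unsigned)r.limit, (unsigned long long)r.base,
           names[redpill_classify(r.base)]);
    return 0;
}
```

On a 64-bit host the base is a 64-bit kernel address, so the check reports that the heuristic does not apply; that, together with the UMIP emulation caveat in the comments, is why this test is of historical interest rather than a detector for modern hardware-assisted hypervisors such as Blue Pill.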

Stopping hypervisor attacks before they start
In the rush to benefit from virtualization and cloud environments, many users do not seriously consider the security implications. Adding virtualized servers, storage and networking to a data center creates security dependencies that did not exist in the physical environments of the past.

If you are just beginning to think about virtualizing your data center, here are some tips for securing your hypervisor to better protect data from the onset:

  • Treat intrusion detection as a requirement, not an option. Nothing is more important than security.
  • The hypervisor vendor is best placed to provide intrusion-detection capabilities, because it can put detection code in the places intruders are most likely to attack. Get as much information on hypervisor security as you can from the vendor developing or supporting the virtualization platform, and include your own technical experts in that discussion. If you do not have the appropriate experts, hire a consultant.
  • Ask vendors where a hypervisor attack might occur and which types of security tools are available to prevent it.
  • When evaluating hypervisors, compare the size of the attack surface and the number of APIs each one exposes.
  • Some hypervisors are integrated into an OS kernel (KVM, for example) and others run on bare metal (ESXi and Xen, for example). Get your internal experts engaged with the hypervisor vendors to discuss why they believe their architecture offers the highest degree of security.
  • Study as many hypervisor comparisons as you can, with security in mind. Pay particular attention to who drafted each comparison and whether the report was sponsored by a vendor.

Implementing security after a deployment
If you have already deployed one or more hypervisors, there are a number of ways to enhance the protection of your virtualized environments:

  • Use security tools to monitor the virtual environment, including the virtual servers as well as the network traffic between VMs and hosts. These tools must include oversight and visibility into the virtual administration activities.
  • Integrate hypervisor monitoring into your overall system management/monitoring infrastructure.
  • Continuously validate your virtual environment to ensure the integrity and security of your virtual servers.

As more companies run mission-critical workloads and house sensitive data within virtualized infrastructures, the importance of hypervisor security will continue to grow. These precautions will not guarantee the security of your virtual environment, but they will substantially reduce the risk of a hypervisor attack.
