Hypervisors are the pillars of the Cloud, not the Achilles Heel

Summary: Bromium's Simon Crosby strongly advises us not to succumb to Cloudophobia.

Simon Crosby is CTO of Bromium

The following story was written by guest contributor Simon Crosby.

In a recent piece, Steven J. Vaughan-Nichols writes that hypervisors may be the Achilles Heel of the cloud. The piece draws on a discussion with Linux kernel developer Matthew Garrett, who raises the spectre of targeted attacks on cloud hypervisors: "Once someone gets to the hypervisor then it's game over, everyone can be compromised."

Garrett is technically correct: vulnerabilities in all major hypervisors and their support code have been documented (e.g., Xen, VirtualBox, VMware ESX and Workstation, Hyper-V). Research published by my colleagues Rafal Wojtczuk and Rahul Kashyap at Black Hat highlights the potential for devastating “guest to hypervisor” attacks.

But my emphasis on the word potential is deliberate: I’m not convinced that hypervisor attacks ought to be viewed as a significant concern for cloud security, for many reasons:

  • Better code: Hypervisors are small codebases developed by some of the world’s best engineers, and are subject to more rigorous scrutiny than other software precisely because of their critical role in system security. They surely have vulnerabilities, but I’d be prepared to bet that they have far fewer than comparably sized applications. Public cloud vendors that build on Open Source Software – like AWS and Google – do not disclose what version of what code base they use, and they are passionately dedicated to the security of their infrastructure.

  • Extreme difficulty: To succeed in practice, this class of attack requires multiple successful compromises, each of which is extremely difficult to achieve. For a malicious VM to compromise a fellow tenant VM on the same server via the hypervisor probably requires (a) a privilege escalation in the attacking VM, (b) a precisely targeted hypervisor attack that allows the attacker to achieve guest-to-host privilege escalation, which (c) does not crash the hypervisor before (d) gathering in-memory data or snooping on the network activity of other guests, and (e) somehow exporting this information (over the network) to the attacker. Possible? Yes. Probable? No.

  • Attackers are rational: Attacking another guest via the hypervisor is like paying to try to break into the back of a building through a set of tiny windows just to see if there’s something interesting inside. It is far more rewarding to pick a valuable target and enter by the front door, using publicized application or OS vulnerabilities.

In my view, Vaughan-Nichols is losing sight of the big picture: what is the overall risk faced by a customer adopting the cloud, versus running the application on their own infrastructure? The title of his piece is belied by the fact that to date there have been no reports of real-world attacks, and it merely adds fuel to the fire of cloudophobia.

The future of secure infrastructure looks brighter too. Both hardware and software technologies are becoming available that will greatly diminish the threat from attacks via low-level systems infrastructure.

For example, the PrivateCore extensions to KVM encrypt VM memory and storage at run-time. The platform validates server integrity, counters persistent attacks such as rootkits or bootkits, and secures both the hypervisor and the cloud user against malicious server hardware.

Expect to see such features in hardware soon. For example, “trusted enclaves” made possible by Intel SGX technology will ensure that the data in an enclave (VM) is protected even in the event that the hypervisor itself is compromised.

Finally, there is a rich vein of academic research on techniques to protect hypervisors and guests. I only wish that the press would do more to promote tools and techniques to educate careless application developers to build more secure cloud applications.

Simon Crosby is CTO of Bromium and was previously CTO of Citrix, Inc.

Jason Perlow, Sr. Technology Editor at ZDNet, is a technologist with over two decades of experience integrating large heterogeneous multi-vendor computing environments in Fortune 500 companies. Jason is currently a Partner Technology Strategist with Microsoft Corp. His expressed views do not necessarily represent those of his employer.

  • Cloudphobia

    Whoever the IDIOT was that decided to call a SERVER FARM a CLOUD should be NCIS head smacked.

    The CLOUD is vulnerable just as it has always been. And the fact that the NSA has backdoors into every version of the CLOUD that exists is not only troublesome, but annoying as hell.

    Corporate Data Espionage and Theft will be the next big high dollar crime to hit worldwide.
    • "Cloud"

      The term has been used in publications since 1996.

    • oh well

      this is not the first time, and won't be the last, that a vague term has become popular as a marketing spin, to sell services that would only be clearly defined once a prospective buyer has indicated interest in a prospective supplier. Or as it was put in a sales phrase, "...nothing happens until somebody buys something..." which is sort of an economic reality that most of us techno-dweebs would rather not have to admit. At least that is true if you expect to make a living somehow. Let's face it: "cloud" is just "customer A wants to outsource some infrastructure to supplier B and they don't have a dedicated WAN link between them".
  • In my view . . .

    "In my view Vaughn-Nichols is losing sight of the big picture"

    In my view, those who think the "cloud" is a magic bullet or some sort of ultimate future have also lost sight of the big picture. It's a nice thing to have around, but to be blind to its drawbacks and to suggest it as a solution to *everything* is to not be realistic about its role in our lives.
    • Three guesses as to what Perlow does

      at Microsoft.
      • There's no guesswork here

        However, this article was written by Simon Crosby. Who is Chief Technology Officer for Bromium, which develops security software.
    • You give me flashbacks

      The same theme was used by mainframe folks against the PC and networks. We know how that worked out.

      Even as an Enterprise IT person, I see how the cloud will replace much of what we do. There's already no reason to have email or collaboration in-house. The backoffice is moving out of the data center slow but sure; payroll, HR, soon the rest. The front office (web) is moving to the cloud for scale and the -ilities. What's left are things that are competitive advantages and data. For some those will go, for others that's all they'll have left.

      Resist if you want, but the IT world is changing. You can either change with or work the leftover niche.
      • naah

        I don't see "cloud" as REPLACING anything that IT does. It is just the same old story: IT management wants to outsource as long as that prospect looks attractive to the bottom line. So they do it and THEN they find out what it costs them (typically, localized political, tactical and strategic control, perhaps also some modicum of fault-tolerance but also arguably some advantages). So the trend toward "outsourcing vs. insourcing" tends to vary with sunspot cycles.
  • Just because it is a "pillar" doesn't prevent it ...

    from also being an "Achilles Heel".

    And how vulnerable they are depends on who the developers are. Those that created the most vulnerable systems in the world? Or those that invented the field (IBM)?

    And just how are those "Hypervisors are small code-bases developed by some of the world’s best engineers, and are subject to more rigorous scrutiny than other software precisely due to their critical role in system security. "

    No they aren't. Most are software implementations of what used to be hardware due to the limitations of the provided hardware.

    And many hardware platforms are NOT designed for use with VMs. Take the simple USB interfaces... Unless it has an IOMMU built in that cannot be accessed by either the guest OR the controller... the system is vulnerable.

    Attached GPUs? an even bigger attack point as most of them don't have IOMMUs and some even have user writable bus interfaces...

    Attached disk controllers? same problem.

    And a software module to provide the equivalent? bigger vulnerability magnet.

    I would trust IBMs LPARs for virtualization first, at least those are still hardware.

    Just having a virtual CPU is not a complete virtual machine. That requires the virtualization capabilities to be EVERYWHERE in the system. And right now... not a chance.
    • asi, asi

      Those of us in earthquake county know that a "pillar" is also a "crush zone" when you put too much weight on it. The smart money is on DISTRIBUTED pillars.
  • The Cloud is 2 dimensional

    The term "Cloud" is used by non-technical people to describe an abstract idea. Most of us see a bunch of unrelated VMs running on the same/similar hardware to what we've seen for years (i.e. NOT new). A "true" Cloud OS (as opposed to a Linux/UNIX/Windows OS) would span all of these VMs - pulling them all together seamlessly (along with their storage).

    What we have today are multiple tools and middleware that (try to) emulate that ideal. We are at that proprietary/hit and miss era before the true standard rises to the top (like FCAL->SAN, SoftPC->VMware, Openlook->Motif,etc.).
    Roger Ramjet