Microsoft exec rebuts hypervisor security claims

Redmond's security strategist Steve Riley says claims that the company's hypervisor software could be maliciously replaced on PCs without administrators knowing, is "incorrect".
Written by Liam Tung, Contributing Writer

Senior Microsoft security strategist Steve Riley has used the vendor's TechEd conference in Sydney to rebut claims by a Polish researcher that Microsoft's hypervisor software could be maliciously replaced on PCs without administrators knowing.

The hypervisor is the portion of Microsoft's operating system that controls virtual operating system instances. Researcher Joanna Rutkowska has caused a debate over the several years by developing a hypervisor rootkit she claims could go undetected on a PC.

"Her insistence is that you can replace the hypervisor without anybody knowing...Our assertion is that this is incorrect," Riley told the audience. "First of all, to do these attacks you need to become administrator at the root. So that's going to be, on an appropriately configured machine, an exceedingly difficult thing to happen."

In a presentation at the Black Hat security conference last month, Rutkowska claimed her and fellow researcher Rafal Wojtchuk had developed a means of implanting the "Blue Pill" rootkit into a virtual system "on the fly". The researchers claimed Xen hypervisors could be subverted by compromising flaws in Xen software to gain access to Domain 0, Xen's privileged administrative domain. Once that administrative domain is compromised, the virtual system controlled by the hypervisor is compromised. Rutkowska also claimed attacks on the hypervisor could be launched from an unprivileged domain.

However, Microsoft's Riley asserted that modifications to the hypervisor would be detected, and that even if an attacker's malware did gain root access, therefore allowing them to replace the hypervisor, the replacement itself would be an imperfect copy, according to Riley.

"Because you [the attacker] didn't subject your own replacement hypervisor through the thorough design review that ours did, I'll bet your hypervisor is probably not going to implement 100 percent of the functionality as the original one," Riley said. "There will be a gap or two and we will be able to detect that."

Riley went on to explain that an attacker's malware would also behave differently from the original hypervisor, resulting in changes to network, processing and disk activity, which should cause alarm bells for security professionals. "I mean, the whole reason for doing this is so you can take over the machine," he said. "It is entirely possible to detect if the root operating system has been compromised and if the hypervisor has been replaced."

So where does that leave the security professional who manages these systems? According to Riley, exactly where they were before the rise of virtual machines. "You have to ask: is there malware on my system? You can be 100 percent certain there is no malware that you can detect, but less than 100 percent certain that there is no malware at all. Now, ladies and gentlemen, isn't this true of every computer we already have? There is no difference just because it's virtualization.

Riley warned the audience: "Don't let the hype machines cloud your understanding of what you need to do. Apply your knowledge to the next evolutionary step, but don't expect that everything you have learned is something you have to throw away."

ZDNet UK's Tom Espiner contributed to this report.

Editorial standards