Hypervisors: The cloud's potential security Achilles heel
Napa Valley, CA: When some security companies talk about potential threats they tend to, it hypes the danger. When someone who works with cloud technology, like Linux kernel developer and cloud company Nebula's senior security software engineer Matthew Garret talks about potential security problems in cloud computing, I sit up and take notice.
Best known for finding ways to get Linux to work with Windows 8's secure boot, Garret is also both a low-level security and cloud expert. At the Linux Foundation's Linux Collabration Summit, Garrett explained that his greatest worry is hypervisors.
Hypervisors, as ZDNet's own Dan Kusnetzky explained in his book, Virtualization: A Manager's Guide, "can run one or more complete virtual systems on a physical machine. Each of these systems—such as Linux's KVM, Microsoft's Hyper-V or VMware's vSphere/ESXi—process as if it has total control of its own system, even though it may only be using a portion of the capabilities of a larger physical system."
It is the virtual machines (VMs) that the hypervisors automatically generate on servers on demand that we're using when we work on the cloud. Without modern hypervisors, the cloud simply couldn't exist.
So, the real security question for the cloud starts with: "Can you trust your cloud provider's hypervisor?" Garrett's answer is "maybe."
Garrett said, "On the balance of probabilities, you have to assume that hypervisors probably do contain vulnerabilities, that they do contain flaws that can be exploited to gain access and allow guests to break out into the hypervisor."
Has anyone found such a bug yet? No. Is the potential there for such a security hole? Garrett says yes.
Can hypervisors detect such attacks? Uh… no, not really.
Say for example, "You host with Amazon. You have no idea what else is running on the same hardware, you have no way of seeing the other guests, what services they are running. It's conceivable that your main data store and credit-card processing system VMs are on the same hypervisor as someone running a bad PHP-based personal Web server VM. Say that amateur's VM is hacked. The hypervisor should protect other guest machines from a compromised guest, But, what if the hacker can then break into into the hypervisor. Then your otherwise protected, up-to-date secure VM guest can potentially be attacked from an unexpected direction."
"Is it absolutely certain that if someone compromises a guest on the same hardware as you, that that compromised guest will then not be able to break into the hypervisor, and then from the hypervisor compromise your system?" Garrett asked. The answer's no.
He continued, "Humans are bad at writing code. You should tell your kids at night that hypervisors are secure, but while we've done well, none of them are perfectly secure. There will be bugs."
AR + VR
"Once someone gets to the hypervisor then it's game over, everyone can be compromised," said Garrett. "None of this will be your fault, but you'll have been violated. You can have a perfectly secure VM, but if the hypervisor isn't secure, than your security doesn''t matter.
Therefore, Garrett said that you must ask your cloud providers hard questions. These include how are VM guests isolated? If a hypervisor security issue is found, how does the provider respond? What mechanisms are used to detect compromises? Can a cloud provider say, with certainty, that a host machine has been compromised in a fundamental way? And, if so, what tools will they use to investigate?"
These are very difficult questions," Garrett continued, "and cloud providers are extremely reluctant to answer them." The reason for this is simple, if you doubt the security of hypervisors, you doubt the very foundation of cloud computing. For instance, "The entire public statement from Amazon about guest security is that 'the hypervisor protects guests from interfering with each other.'"
Garrett's pretty much right about Amazon's cloud hypervisor security position. More troubling still, Amazon Web Services' (AWS) security statement hasn't been updated since December 5, 2008. Things have changed a wee bit since then when it comes to clouds, hypervisors, and security.
Garrett admits that "So far there has been no proof that this has ever happened, but we must assume that people are looking for hypervisor zero days. Hypervisor security is difficult. They have large attack surfaces with lots of entry points, their code is complicated, and they can be dependant on subtle CPU behavior."
Worse still, he continued, "We don't have best practices for checking on hypervisors for security violations. We're beginning a new security journey and we need to move faster. In one worst-case scenario, your entire cloud and all the VMs on it will be as vulnerable as the weakest guest."
Related Stories: