Security Adviser | Roger A. Grimes

January 18, 2007

Excellent VM detection and breakout presentation

Breaking out of virtual machine software programs.

Since I wrote my column on Virtual Machine (VM) security vulnerabilities, I've received many emails asking how I can break out of VMware, Xen, or any of the other VM technologies.

Essentially, the majority of VMs "hook" interrupts and APIs on the host operating system. It's the way they work. Malware can walk the interrupt vector table or VM interface subroutines, find the VM hooks, and insert itself one call above or replace a subroutine. So far, I haven't found the VM that protects against this, although various host OSs are doing more and more to prevent interrupt vector table manipulation on their own.

If you are an assembly language programmer (like I am), it is fairly easy to write a short demonstration program. I have written two, but I'm under NDA with the vendor that paid me to do the work. But what I did wasn't rocket science, and with just a little digging, you too can find the weaknesses (if you're a threat modeler).

Read this summary on other detection and break-out techniques:

http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf

This excellent SANS presentation covers some other techniques and discusses some of the items that are relevant to break-out attacks.

Posted by Roger Grimes on January 18, 2007 12:56 AM
