Someone figured out how to step up in VMware

by Alex Handy 04/11/2009 02:33 AM EST

No one seems to know who, where or how. But this security update from VMware sure makes it sound like what we've all feared is true: Hypervisors can be compromised from the code they run in their bellies. Joanna Rutkowska gave a talk back in 2006 at Black Hat about her Red Pill and Blue Pill. I'm not covering super-duper cutting-edge security much, outside of the development side, these days. But this patch from VMware did catch my eye because I hadn't yet heard of any host compromising exploits for hypervisors in the wild. I could easily not be "with it," but right now, it looks like the cool kids in the know are out there. Beware!

As if it's a surprise that these virtualization exploits were still being researched by the bad guys. I think the frightening thing here is that, somewhere, someone had code, and now VMware is aware of it. That's scary. I'd rather know that VMware figured it out themselves. Or that Rutkowska or her cohorts had contributed some new information. Either way, watch your VMs. They may be watching you!

Clarification: The security hole here works like this: I run Windows in a VM on my Linux desktop. I run some horribly trojan-ridden Windows program with the exploit in question inside of it. This exploit, when run inside of a virtual machine, leaps up and compromises the hypervisor, likely through an overflow of some known type. The compromised hypervisor is then a slave to run what-have-you. Local priv escalations could be fired up to the Linux OS. As I understand it, the Red Pill is this type of attack. Beware of pulling apart malware in non-updated copies of Fusion, researchers.

The Blue Pill, on the other hand, is a hypervisor-as-trojan. You run something, it installs virtualization software. Upon reboot, your desktop OS is launched seamlessly as a guest operating system inside of a trojan (invisible to the user) hypervisor. This patch has little to do with the blue pill. The question with the blue pill becomes, "How do I tell if I am running inside a hypervisor?" How do you know when the nightmare is over?

Hope I got the colors right. I wouldn't want to wake up inside the rabbit hole.

Currently rated 3.7 by 3 people

Currently 3.666667/5 Stars.
1
2
3
4
5

Share this link: http://www.sdtimes.com/blog/1399

Tags: security, vmware, blue pill, red pill, virtualization, virtual machines, operating systems, compsec, security, information security, technology, exploits, 31337, hacking, hackers, hack, code, coding, vmware

security

Are you at risk for burnout?
Burnout is a severe problem and it can strike at any time. Here's how to tell if you are nearing the edge.
02/09/2012 02:16 PM EST

Agility, mom, and apple pie
If we're to evaluate the state-of-the-art in software development, we should start with the values espoused in the Agile Manifesto.
02/07/2012 11:57 AM EST

RIM woos developers with free tablet
How do you get more apps ported to the BlackBerry PlayBook? By giving every developer a free tablet, of course!
02/04/2012 01:57 PM EST

GitHire: Use Headhunters to Find Your Perfect Programmer
Are you a hiring manager tired of scouring the job boards? Check out this new service that will find 5 people interested in your jobs.
02/03/2012 12:17 PM EST

Facebook claims hacker cred
Facebook's SEC S-1 filing form includes a short essay on the Hacker Way by Mark Zuckerberg himself.
02/02/2012 08:26 AM EST

Ryan Dahl steps down
Ryan Dahl, creator of Node.js, steps back from his position as gatekeeper for the project.
02/01/2012 04:58 PM EST

Cloud Connect

2/13/2012 to 2/16/2012
Santa Clara
TechWeb

SPTechCon: The SharePoint Technology Conf.

2/26/2012 to 2/29/2012
San Francisco
BZ Media

RSA Conf.

2/27/2012 to 3/2/2012
San Francisco
RSA

IBM Pulse Conf.

3/4/2012 to 3/7/2012
Las Vegas
IBM Tivoli

Game Developer Conf.

3/5/2012 to 3/9/2012
San Francisco
TechWeb

4/11/2009 6:42:33 AM #

Dude, your posting is "sentence fragment city".

Where the frack the Hypervisor's "belly" is at?

Are you saying a GUEST can compromise a HOST/HYPERVISOR or a HOST/HYPERVISOR can compromise a GUEST or just that the boot sector can be infected with a compromised HOST/HYPERVISOR or none of the above?

Am I the only one who thinks "San Diego" when I see "sdtimes"?

My Head Hurts

4/11/2009 9:01:47 AM #

Google "cloudburst immunity" to see who and where. There's even a movie of it!

dave aitel

4/12/2009 1:38:36 AM #

Quite interesting...I know numerous businesses who utilize VMWare for production server virtualization. This should cause a major disruption to their process. I'm not sure the patching of virtualization software has been a very high priority at many places. I think this SHOULD be much bigger news than it currently is.

AbeFroman

Someone figured out how to step up in VMware

Related posts

Comments

Add comment