8

Recently, I started exploring threats to virtual machines in general. The first question that popped into my head was whether a host machine can dump its entire memory onto a file, and inspect the memory to read contents of the VM's memory image.

As virtualization essentially leads to the fact that the guest and host share the same RAM, I'm guessing that this is possible.

=====================
|           |VM|    |
=====================

Suppose the memory looks like this. 1GB memory for the VM out of a total of 8GB. So if I dump the RAM, I should be able to view contents of the VM RAM.

Q1. Is this a possibility? http://www.symantec.com/business/support/index?page=content&id=HOWTO31321 shows how to obtain a memory dump.

Q2. Is this a threat? (I'm guessing no). However, if someone comes up with an idea, it would be splendid.

Q3. A more interesting scenario: could the VM somehow grab the memory of the host? I.e., are there any known attacks on VMware or other software that have documented such an attack?

Polynomial
sudhacker

3 Answers

5

Is this possible?
Yes, it's possible. The VM's memory is accessible by the host system, which allows the host to read anything inside the VM, including kernel-mode memory. Quite a few VM solutions allow guest instances to be dumped to file, or suspended (i.e. a VM version of hibernate).

Is this a threat?
Note that the VM's memory won't entirely be stored in the host's physical memory, but rather will likely be partially stored in a swapfile. This means that part of the guest OS's memory is stored on the host's disk, making slack space analysis a potential attack, even after the guest OS terminates. Images of suspended VMs may also be accessible to an attacker if he steals the disk or gets file read privileges on the host. If the attacker can compromise the host, he may also be able to issue arbitrary memory reads and writes on the VM process, allowing theft and manipulation of data.

Can the VM grab the memory of the host?
It shouldn't be able to. VMs work by creating virtualised versions of processors and memory controllers. This virtual hardware takes normal memory access interrupts and translates them into a virtual address space. For example, the guest OS's kernel might wish to access the physical memory at 7a22d6aa, but the VM actually translates that address to vm.swap+0x7a22d6aa instead, such that the VM is completely unaware of the translation.

Such an attack would require violation of the isolation mechanisms built into the VM. These isolation mechanisms are very strong, since they have to contain an entire OS and any software / drivers it might run. Isolation is often implemented at hardware level using CPU extensions such as VT-x. However, VM systems are software, and software always has bugs. There have been vulnerabilities in the past where software on a VM was able to attack the host, usually via inter-OS communication mechanisms used for sharing files and clipboard functionality.

Polynomial
  • Or the often overlooked networking vector of the VM. ;) No use having perfect sandboxing in place if the VM can communicate and transfer data to the host through a networked connection eh? http://security.stackexchange.com/questions/3056/how-secure-are-virtual-machines-really-false-sense-of-security – Sep 19 '12 at 01:32
  • @TerryChia Yeah, though it depends what services are visible on the host. Often the host will simply be a barebones system, or even a VM host OS (e.g. VMware ESX), which has little or no services. – Polynomial Sep 19 '12 at 05:46
  • True, in a cloud computing environment, sometimes even hardware virtualization is present where guests directly run on near bare bones machines. In that case, the RAM would be shared between guests. – sudhacker Sep 19 '12 at 13:35
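As an added illustration (not code from the question or from Polynomial's answer), here is a toy C model of the two points above: the guest reaches memory only through a second-stage translation with a bounds check, while the host needs no translation and can locate the guest's data by scanning its own RAM, exactly what a memory dump or snapshot hands an analyst. It generalizes the answer's single base+offset translation to a page-granular table; the page size, page counts and the mapping table are constructed values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy hypervisor memory model, constructed for this example: the host owns 8
 * small pages of "physical" RAM and lends pages 5 and 2 to a guest. Guest
 * accesses go through a second-stage table, like nested paging (EPT on VT-x). */
#define PAGE_SIZE   64
#define HOST_PAGES  8
#define GUEST_PAGES 2

static uint8_t host_ram[HOST_PAGES * PAGE_SIZE];
static const size_t guest_to_host[GUEST_PAGES] = { 5, 2 }; /* guest page -> host page */

/* Second-stage translation. -1 means the guest addressed a page it was never
 * given: the hypervisor faults instead of letting it touch host memory. */
long gpa_to_hpa(uint32_t gpa) {
    uint32_t page = gpa / PAGE_SIZE, off = gpa % PAGE_SIZE;
    if (page >= GUEST_PAGES) return -1;
    return (long)(guest_to_host[page] * PAGE_SIZE + off);
}

/* Guest-side write: validate every byte first so a faulting access leaves
 * nothing behind, then copy byte by byte so a write that straddles a guest
 * page boundary lands in two (here non-adjacent) host pages. */
int guest_write(uint32_t gpa, const void *src, size_t len) {
    const uint8_t *s = src;
    for (size_t i = 0; i < len; i++)
        if (gpa_to_hpa(gpa + (uint32_t)i) < 0) return -1;
    for (size_t i = 0; i < len; i++)
        host_ram[gpa_to_hpa(gpa + (uint32_t)i)] = s[i];
    return (int)len;
}

/* Host side: no translation at all. This is what a RAM dump or snapshot file
 * gives an analyst; the host simply scans its own memory for a pattern. */
long host_find(const void *needle, size_t len) {
    for (size_t i = 0; i + len <= sizeof host_ram; i++)
        if (memcmp(host_ram + i, needle, len) == 0) return (long)i;
    return -1;
}
uint8_t host_peek(size_t hpa) { return host_ram[hpa]; }

int main(void) {
    guest_write(0x10, "guest-secret", 12);               /* lands in host page 5 */
    printf("host sees secret at host offset %ld\n", host_find("guest-secret", 12));
    printf("guest write to host page 7 -> %d\n", guest_write(7 * PAGE_SIZE, "x", 1));
    return 0;
}
```

Note that a guest buffer straddling a page boundary is scattered across the host dump, so a naive contiguous string search over a real dump can miss data that a translation-aware tool would reassemble.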
4

The host can certainly grab a copy of the complete state of a VM, including what the VM sees as RAM. This is called a "snapshot" and it is a desirable feature.

You can imagine the host system as the kernel's kernel. A VM cannot be protected from its host, any more than an operating system can protect itself from a malicious, corrupted CPU. If your security model calls for protection of the VM from the hosting system, then your security model is doomed from the start.

(Although such a thing could exist in the context of fully homomorphic encryption, the current state of research is quite far from providing anything usable in that area, let alone efficient.)

In the other direction: the VM is supposed to be contained by the host, and not to be able to escape it, to reach either other VMs or the host itself. Now, of course, that's the theory, but in practice security holes occur.

Thomas Pornin
1

I have a slightly different thought on this than the previous answers.

Is this possible? And if possible, is it a threat?

It may or may not be possible.

Technically it should be possible, since the virtualization program is running inside the operating system you control. So, dumping the memory of a particular region of your operating system should be available. And if it is possible, then I think it is not really a security threat, since the host should have full access rights to the virtual environment running inside it.

But I think practically it is not possible directly (without using features like snapshot provided by your hypervisor). The reason for this is that your hypervisor runs on ring -1, which is more privileged than your operating system (kernel specific), which is ring 0. So, the hypervisor has permission to deny memory access rights to your operating system for a particular region of memory.

schroeder
shubham0d