Virtualised servers have one big downside, according to a security researcher. Jon Oberheide, a graduate student at the University of Michigan, said that one of the most attractive features of virtualisation - the ability to replicate virtual servers on the fly to meet demand - leaves the servers extremely vulnerable to attack.
Oberheide, who's currently studying for his PhD, is set to give a talk at next week's Black Hat security conference in which he is expected to set out a range of problems that might be encountered.
When a virtual machine migrates from one physical server to another, it can be subject to a range of attacks primarily because authentication between machines is weak and the virtual-machine traffic between physical machines is unencrypted, said Oberheide. In the short term, the cure is installing hardware-based encryption on all the physical servers that might send or receive virtual machines, Oberheide says, but long term, virtual-machine software should incorporate strong authentication that minimises the risk.
During his talk, he will describe a proof-of-concept tool he used in a lab to execute man-in-the-middle attacks against virtual machines as they migrated from one physical server to another. His research targeted open source Xen and VMware virtualisation platforms.
Citrix, which sells a commercial version of Xen, gets around the problem by having its management server act as a third party to authenticate origination and destination servers to each other, says Simon Crosby, CTO of the virtualisation and management division at Citrix. "We avoid that man-in-the-middle attack by being the man in the middle," he said.
For its part, VMware recommends encryption of virtual machine migration, which it calls VMotion. "VMotion network activity is not encrypted, so as a best practice this traffic should occur on a dedicated VLAN or connection and kept secure from network sniffing, as the running memory state of a virtual machine traverses the VMotion network and will likely contain privileged information," said the company. "Hardware based SSL encryption is an option for securing VMotion networks in high security deployments."
Oberheide says he will not demonstrate his attacks, but he plans to show screenshots of how an attack would occur, and what his tool does to enable the attacks.
"It's not very difficult at all as long as the [attacker and servers] are on the same network," he says. "The prerequisite is man-in-the-middle capabilities, which can be achieved through a number of different methods, such as IP hijacking or ARP spoofing, which makes them send their migration traffic to you first and you can forward it on to the destination."
He says that action would involve an attacker with access to the network where the virtual-machine migration is taking place, but after that the skills needed are well known.
"It doesn't require anything very special," Oberheide says.
If an attacker can become a man in the middle while a server is migrating, the attacker can perpetrate a number of exploits. A virtual machine could be migrated to the attacker's machine, turning over full access to the attacker, he says.
By initiating multiple outgoing migrations of virtual servers, the attacker could overload the receiving server hardware, he says.
Calling Oberheide's work fascinating, one analyst says virtual servers face much more basic security challenges. "Our entire security infrastructure has been built around a static model, and as we're virtualising everything else, the virtualisation of security is lagging by a tremendous amount," says Andreas Antonopoulos, an analyst with Nemertes Research. "That's causing real problems in architecture decisions today. It's forcing companies to make decisions they'd rather not make."
He cited an enterprise client of his who is forced to confine groups of applications to their own exclusive groups of physical servers as a way to isolate them from these migration attacks. So if one application needs more processing power than its dedicated group hardware can provide, it cannot tap the other servers. This defeats one benefit of virtualisation, the ability to pool the processing power among all corporate machines, said Antonopoulos.