
Direct Attach Hardware/VMM Bypass Technologies Are a Security Anathema…

September 11th, 2008

I'm going to clean this post up later, but I just gave a presentation that was an extension of my Four Horsemen talk.

One of the new topics I'm speaking about is how chipset/CPU technologies that allow VMM bypass and direct VM-to-hardware attachment, as well as cramming virtual switching back down into the CPU/NIC, are the devil…from a security perspective.

If you haven't seen technology examples such as SR-IOV (single root I/O virtualization), Intel VT-d extensions, and CPU extensions in upcoming processors such as Nehalem that allow specific VMs to bypass the VMM and directly attach to/access hardware for the sake of performance, get ready for some seriously nasty security and networking implications.

Technology like SR-IOV and VMDirectPath is great for performance and scalability (if you're not already using paravirtualization) but is the architectural antithesis of mobility and security visibility. If you bypass the VMM, you lose mobility, and the virtual security appliances/security capabilities that might be present in the VMM disappear…

Further, given the recent exploration of DMA abuse as an attack vector, this is a little disturbing.
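As an added example (not code from this post), here is a small inventory check for the configurations the two paragraphs above warn about: it reads libvirt-style domain XML and flags guests whose NICs or PCI devices reach hardware without VMM mediation, so a virtual security appliance sitting in the VMM never sees their traffic. The three domain definitions are constructed samples; the element names follow libvirt's domain XML format.

```python
# Added example (not from the original post): find guests whose NICs or PCI
# devices bypass the hypervisor. Parses libvirt-style domain XML; the three
# definitions below are constructed samples, not taken from any real host.
import xml.etree.ElementTree as ET

SAMPLE_DOMAINS = {
    "web01": """<domain type='kvm'><name>web01</name><devices>
        <interface type='bridge'><source bridge='br0'/><model type='virtio'/></interface>
        </devices></domain>""",
    "db01": """<domain type='kvm'><name>db01</name><devices>
        <interface type='bridge'><source bridge='br0'/><model type='virtio'/></interface>
        <hostdev mode='subsystem' type='pci' managed='yes'><source>
          <address domain='0x0000' bus='0x03' slot='0x10' function='0x1'/>
        </source></hostdev></devices></domain>""",
    "lb01": """<domain type='kvm'><name>lb01</name><devices>
        <interface type='hostdev' managed='yes'><source>
          <address type='pci' domain='0x0000' bus='0x03' slot='0x10' function='0x2'/>
        </source></interface></devices></domain>""",
}

def _pci_addr(addr):
    # Render a libvirt <address> element as dddd:bb:ss.f ('?' if absent).
    if addr is None:
        return "?"
    d, b, s, f = (int(addr.get(k), 16) for k in ("domain", "bus", "slot", "function"))
    return f"{d:04x}:{b:02x}:{s:02x}.{f:x}"

def classify_devices(domain_xml):
    """Return (device, path, detail) tuples: 'vswitch' traffic crosses the VMM where
    security appliances can see it; 'bypass' means the guest owns the hardware."""
    root = ET.fromstring(domain_xml)
    out = []
    for iface in root.iter("interface"):
        if iface.get("type") == "hostdev":  # SR-IOV VF handed straight to the guest
            out.append(("interface", "bypass", _pci_addr(iface.find("source/address"))))
        else:
            src = iface.find("source")
            where = "?" if src is None else (src.get("bridge") or src.get("network") or "?")
            out.append(("interface", "vswitch", where))
    # Every PCI passthrough device is flagged, NIC or not: it can DMA into guest
    # memory with the IOMMU as the only boundary, and it pins the VM to this host.
    for hd in root.iter("hostdev"):
        if hd.get("type") == "pci":
            out.append(("hostdev", "bypass", _pci_addr(hd.find("source/address"))))
    return out

def bypass_report(domains):
    """Map guest name -> PCI addresses it reaches without VMM mediation."""
    return {name: addrs for name, xml in domains.items()
            if (addrs := [d for _, p, d in classify_devices(xml) if p == "bypass"])}
```

On a real host the same functions can be fed the output of `virsh dumpxml <guest>` for each domain; any guest in the report is outside the reach of VMM-resident security controls and cannot be live-migrated.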

I'll expand more later, but here's a slide that sums up the introduction to this issue:

[Slide: SR-IOV]

  1. David O'Berry
    September 11th, 2008 at 17:42

    Did the DMA attack vector also lead to any type of direct firmware capabilities as far as modification?
    I had a vendor tell me one time that when they flashed their stuff it was only vulnerable for a few seconds…so therefore it was nearly impossible to breach because something would have to be right there looking at the memory space to best it.
    I nodded politely and walked away.
    –David
