Alessio L.R. Pennasilico, known online as mayhem, presented on virtualization security risks. He discussed classical threats like VM escapes and malware that is aware of virtualization. He raised questions about securing management traffic and traffic between virtual machines. Pennasilico concluded that virtualization can be used securely but only if networks divide traffic, filter what is allowed, continuously analyze for threats, and ensure all software is patched. The presentation aimed to promote awareness of virtualization security issues.

1. Alessio L.R. Pennasilico
mayhem@aipsi.org
twitter: mayhemspp
FaceBook: alessio.pennasilico
Virtualization (in)security
Thursday, 21 October, 2010

2. Virtualization (in)security mayhem@aipsi.org
$ whois mayhem
Board of Directors:
CLUSIT, Associazione Informatici Professionisti,
Associazione Italiana Professionisti Sicurezza Informatica,
Italian Linux Society, OpenBSD Italian User Group,
Hacker’s Profiling Project
2
Security Evangelist @
Thursday, 21 October, 2010

3. Virtualization (in)security mayhem@aipsi.org
Classical threats
Escape from VM
diversi esempi nel tempo,
ne vedremo altri in futuro :)
3
Thursday, 21 October, 2010

4. Virtualization (in)security mayhem@aipsi.org
altre minacce
malware vm-aware
4
Thursday, 21 October, 2010

5. Virtualization (in)security mayhem@aipsi.org
Confidenzialità
posso clonare macchine accese
e fare quello che voglio sui cloni?
5
Thursday, 21 October, 2010

6. Virtualization (in)security mayhem@aipsi.org
Management VLAN
Gli host/hypervisor si dicono
diverse cose interessanti
Dove facciamo passare il
traffico “di servizio”?
6
Thursday, 21 October, 2010

7. Virtualization (in)security mayhem@aipsi.org
Traffico di servizio
accesso all’interfaccia amministrativa
test reachability per HA
vMotion
iSCSI, NFS
7
Thursday, 21 October, 2010

8. Virtualization (in)security mayhem@aipsi.org
Soluzioni?
Dividere
Filtrare
Analizzare
8
Thursday, 21 October, 2010

9. Virtualization (in)security mayhem@aipsi.org
Logical
9
Thursday, 21 October, 2010

10. Virtualization (in)security mayhem@aipsi.org
Physical
10
Thursday, 21 October, 2010

11. Virtualization (in)security mayhem@aipsi.org
disruption
Cosa succede se rendo “irraggiungibili” gli
IP monitorati per la gestione dell’HA?
11
Thursday, 21 October, 2010

12. Virtualization (in)security mayhem@aipsi.org
Unauthorized access
Brute force?
Exploit (undocumented services)?
Exploit application layer? (SOAP)
12
Thursday, 21 October, 2010

13. Virtualization (in)security mayhem@aipsi.org
netstat
tcp
0
0
0.0.0.0:5989
0.0.0.0:*
LISTEN
tcp
0
0
0.0.0.0:902
0.0.0.0:*
LISTEN
tcp
0
0
0.0.0.0:903
0.0.0.0:*
LISTEN
tcp
0
0
0.0.0.0:427
0.0.0.0:*
LISTEN
tcp
0
0
0.0.0.0:80
0.0.0.0:*
LISTEN
tcp
0
0
0.0.0.0:22
0.0.0.0:*
LISTEN
tcp
0
0
0.0.0.0:443
0.0.0.0:*
LISTEN
13
Thursday, 21 October, 2010

14. Virtualization (in)security mayhem@aipsi.org
Perchè
intercettare / rallentare il traffico iSCSI / NFS
storage in replica per HA/DR
14
Thursday, 21 October, 2010

15. Virtualization (in)security mayhem@aipsi.org
Migration
Manipolare le VM durante la migrazione?
http://www.eecs.umich.edu/techreports/cse/2007/CSE-TR-539-07.pdf
Jon Oberheide, Evan Cooke, Farnam Jahanian: Xensploit
15
Thursday, 21 October, 2010

16. Virtualization (in)security mayhem@aipsi.org
Migration
Posso spostare VM infette
di datacenter in datacenter...
16
Thursday, 21 October, 2010

17. Virtualization (in)security mayhem@aipsi.org
Dubbi...
traffico “trusted” tra datacenter per garantire
la migration delle VM?
Traffico protetto?
Traffico Trusted / VPN come canale di
accesso amministrativo?
17
Thursday, 21 October, 2010

18. Virtualization (in)security mayhem@aipsi.org
Dormant VM
outdated policy
outdated signatures (AV, IPS)
manipolabili? >;-)
18
Thursday, 21 October, 2010

19. Virtualization (in)security mayhem@aipsi.org
Botnet e Cloud?
19
Thursday, 21 October, 2010

20. Virtualization (in)security mayhem@aipsi.org
Traffico interVM
firewall virtuali?
feature dell’hypervisor?
prodotti di terze parti?
20
Thursday, 21 October, 2010

21. Virtualization (in)security mayhem@aipsi.org
Prodotti agent based
multipiattaforma?
(comprende backup, AV, IPS...)
21
Thursday, 21 October, 2010

22. Virtualization (in)security mayhem@aipsi.org
Budget?
81% delle intrusioni avvengono su reti che non
sodisfano i requirement delle più diffuse
norme/best practice / guidelines
Gartner
22
Thursday, 21 October, 2010

23. Virtualization (in)security mayhem@aipsi.org
Conclusioni
Usare la virtualizzazione?
Si, ma…
Dividere, Filtrare, Analizzare, Patchare
23
Thursday, 21 October, 2010

24. Alessio L.R. Pennasilico
mayhem@aipsi.org
twitter: mayhemspp
FaceBook: alessio.pennasilico
Domande?
These slides are written by Alessio L.R. Pennasilico aka mayhem. They are subjected to Creative Commons Attribution-
ShareAlike 2.5 version; you can copy, modify or sell them. “Please” cite your source and use the same licence :)
Grazie per l’attenzione!
Thursday, 21 October, 2010