A methodology for testing virtualisation security

Scott Donaldson; Natalie Coull; David McLuskie

doi:10.1109/CyberSA.2017.8073397

A methodology for testing virtualisation security

Scott Donaldson, Natalie Coull, David McLuskie

SDI - Cyber Security

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

3 Citations (Scopus)

324 Downloads (Pure)

Abstract

There is a growing interest in virtualisation due to its central role in cloud computing, virtual desktop environments and Green IT. Data centres and cloud computing utilise this technology to run multiple operating systems on one physical server, thus reducing hardware costs. However, vulnerabilities in the hypervisor layer have an impact on any virtual machines running on top, making security an important part of virtualisation. In this paper, we evaluate the security of virtualisation, including detection and escaping the environment. We present a methodology to investigate if a virtual machine can be detected and further compromised, based upon previous research. Finally, this methodology is used to evaluate the security of virtual machines. The methods used to evaluate the security include analysis of known vulnerabilities and fuzzing to test the virtual device drivers on three different platforms: VirtualBox, Hyper-V and VMware ESXI. Our results demonstrate that the attack surface of virtualisation is more prone to vulnerabilities than the hypervisor. Comparing our results with previous studies, each platform withstood IOCTL and random fuzzing, demonstrating that the platforms are more robust and secure than previously found. By building on existing research, the results show that security in the hypervisor has been improved. However, using the proposed methodology in this paper it has been shown that an attacker can easily determine that the machine is a virtual machine, which could be used for further exploitation. Finally, our proposed methodology can be utilised to effectively test the security of a virtualised environment.

Original language	English
Title of host publication	Proceedings of the International Conference On Cyber Situational Awareness, Data Analytics And Assessment (CyberSA)
Publisher	IEEE
Number of pages	8
ISBN (Electronic)	9781509050604
ISBN (Print)	9781509050611
DOIs	https://doi.org/10.1109/CyberSA.2017.8073397
Publication status	Published - 19 Oct 2017
Event	2017 International Conference on Cyber Situational Awareness, Data Analytics and Assessment: Cyber Situation Awareness as a Prism to Understanding Situations in a fast-paced CyberWorld - London, United Kingdom Duration: 19 Jun 2017 → 20 Jun 2017

Conference

Conference	2017 International Conference on Cyber Situational Awareness, Data Analytics and Assessment
Abbreviated title	CyberSA 2017
Country	United Kingdom
City	London
Period	19/06/17 → 20/06/17

Access to Document

10.1109/CyberSA.2017.8073397

McLuskie_MethodologyForTesting_Author_2017Accepted author manuscript, 319 KB

Fingerprint Dive into the research topics of 'A methodology for testing virtualisation security'. Together they form a unique fingerprint.

Cite this

@inproceedings{11f3456c864247f986e1eeff9718b29f,

title = "A methodology for testing virtualisation security",

abstract = "There is a growing interest in virtualisation due to its central role in cloud computing, virtual desktop environments and Green IT. Data centres and cloud computing utilise this technology to run multiple operating systems on one physical server, thus reducing hardware costs. However, vulnerabilities in the hypervisor layer have an impact on any virtual machines running on top, making security an important part of virtualisation. In this paper, we evaluate the security of virtualisation, including detection and escaping the environment. We present a methodology to investigate if a virtual machine can be detected and further compromised, based upon previous research. Finally, this methodology is used to evaluate the security of virtual machines. The methods used to evaluate the security include analysis of known vulnerabilities and fuzzing to test the virtual device drivers on three different platforms: VirtualBox, Hyper-V and VMware ESXI. Our results demonstrate that the attack surface of virtualisation is more prone to vulnerabilities than the hypervisor. Comparing our results with previous studies, each platform withstood IOCTL and random fuzzing, demonstrating that the platforms are more robust and secure than previously found. By building on existing research, the results show that security in the hypervisor has been improved. However, using the proposed methodology in this paper it has been shown that an attacker can easily determine that the machine is a virtual machine, which could be used for further exploitation. Finally, our proposed methodology can be utilised to effectively test the security of a virtualised environment.",

author = "Scott Donaldson and Natalie Coull and David McLuskie",

year = "2017",

month = oct,

day = "19",

doi = "10.1109/CyberSA.2017.8073397",

language = "English",

isbn = "9781509050611",

booktitle = "Proceedings of the International Conference On Cyber Situational Awareness, Data Analytics And Assessment (CyberSA)",

publisher = "IEEE ",

note = "2017 International Conference on Cyber Situational Awareness, Data Analytics and Assessment : Cyber Situation Awareness as a Prism to Understanding Situations in a fast-paced CyberWorld, CyberSA 2017 ; Conference date: 19-06-2017 Through 20-06-2017",

}

Donaldson, S, Coull, N & McLuskie, D 2017, A methodology for testing virtualisation security. in Proceedings of the International Conference On Cyber Situational Awareness, Data Analytics And Assessment (CyberSA). IEEE , 2017 International Conference on Cyber Situational Awareness, Data Analytics and Assessment, London, United Kingdom, 19/06/17. https://doi.org/10.1109/CyberSA.2017.8073397

TY - GEN

T1 - A methodology for testing virtualisation security

AU - Donaldson, Scott

AU - Coull, Natalie

AU - McLuskie, David

PY - 2017/10/19

Y1 - 2017/10/19

N2 - There is a growing interest in virtualisation due to its central role in cloud computing, virtual desktop environments and Green IT. Data centres and cloud computing utilise this technology to run multiple operating systems on one physical server, thus reducing hardware costs. However, vulnerabilities in the hypervisor layer have an impact on any virtual machines running on top, making security an important part of virtualisation. In this paper, we evaluate the security of virtualisation, including detection and escaping the environment. We present a methodology to investigate if a virtual machine can be detected and further compromised, based upon previous research. Finally, this methodology is used to evaluate the security of virtual machines. The methods used to evaluate the security include analysis of known vulnerabilities and fuzzing to test the virtual device drivers on three different platforms: VirtualBox, Hyper-V and VMware ESXI. Our results demonstrate that the attack surface of virtualisation is more prone to vulnerabilities than the hypervisor. Comparing our results with previous studies, each platform withstood IOCTL and random fuzzing, demonstrating that the platforms are more robust and secure than previously found. By building on existing research, the results show that security in the hypervisor has been improved. However, using the proposed methodology in this paper it has been shown that an attacker can easily determine that the machine is a virtual machine, which could be used for further exploitation. Finally, our proposed methodology can be utilised to effectively test the security of a virtualised environment.

AB - There is a growing interest in virtualisation due to its central role in cloud computing, virtual desktop environments and Green IT. Data centres and cloud computing utilise this technology to run multiple operating systems on one physical server, thus reducing hardware costs. However, vulnerabilities in the hypervisor layer have an impact on any virtual machines running on top, making security an important part of virtualisation. In this paper, we evaluate the security of virtualisation, including detection and escaping the environment. We present a methodology to investigate if a virtual machine can be detected and further compromised, based upon previous research. Finally, this methodology is used to evaluate the security of virtual machines. The methods used to evaluate the security include analysis of known vulnerabilities and fuzzing to test the virtual device drivers on three different platforms: VirtualBox, Hyper-V and VMware ESXI. Our results demonstrate that the attack surface of virtualisation is more prone to vulnerabilities than the hypervisor. Comparing our results with previous studies, each platform withstood IOCTL and random fuzzing, demonstrating that the platforms are more robust and secure than previously found. By building on existing research, the results show that security in the hypervisor has been improved. However, using the proposed methodology in this paper it has been shown that an attacker can easily determine that the machine is a virtual machine, which could be used for further exploitation. Finally, our proposed methodology can be utilised to effectively test the security of a virtualised environment.

U2 - 10.1109/CyberSA.2017.8073397

DO - 10.1109/CyberSA.2017.8073397

M3 - Conference contribution

SN - 9781509050611

BT - Proceedings of the International Conference On Cyber Situational Awareness, Data Analytics And Assessment (CyberSA)

PB - IEEE

T2 - 2017 International Conference on Cyber Situational Awareness, Data Analytics and Assessment

Y2 - 19 June 2017 through 20 June 2017

ER -