
Virtual Machine Security Challenges: Case Studies

This document summarizes research on security challenges related to virtual machines. It discusses how virtual machines are increasingly used but also face threats due to predictability of the host system and exposure of host memory and processes. The paper analyzes different types of virtualization techniques and security issues. It then presents two case studies that demonstrate how installed virtual machines can impact the host system, including allowing unauthorized access or preventing authorized use.


Int. J. Mach. Learn. & Cyber. (2014) 5:729–742
DOI 10.1007/s13042-013-0166-4

ORIGINAL ARTICLE

Virtual machine security challenges: case studies

Amjad Rehman · Sultan Alqahtani · Ayman Altameem · Tanzila Saba

Received: 25 February 2012 / Accepted: 21 March 2013 / Published online: 9 April 2013
© Springer-Verlag Berlin Heidelberg 2013

Abstract Currently Virtual Machines (VMs) have many applications, and their use is growing constantly as the hardware gets more powerful and usage more regulated, allowing for scaling, monitoring, portability, security applications and many other uses. There are many types of virtualization techniques that can be employed on many levels, from a simple sandbox to full-fledged streamlined managed access. While scaling, software lifecycles and diversity are just some of the security challenges faced by VM developers, the failure to properly implement those mechanisms may lead to VM escape, host access, denial of service and more. Many exploits were found in the last couple of years which were fixed in the latest versions, but some systems are still running the old ones and are vulnerable, as presented, mostly to host-based attacks, and some have dramatic consequences.

Keywords Virtual machines · Virtual machine security · Virtualization · Threats

A. Rehman
Faculty of Computing, Universiti Teknologi Malaysia, Skudai, Malaysia

S. Alqahtani
College of Computer and Information Science, Al-Imam M.Saud Islamic University, Riyadh, Kingdom of Saudi Arabia

A. Altameem
College of Applied Studies and Community Services, King Saud University, Riyadh, Kingdom of Saudi Arabia

T. Saba (&)
College of Engineering and Computer Sciences, Salman Abdul Aziz University, Alkharj, Kingdom of Saudi Arabia
e-mail: [email protected]

1 Introduction

The tremendous speed in the field of information technology, as well as the many systems and applications in use, has increased the number of devices and servers, creating difficulty in their management and adding to the cost of purchase and operation. One of the solutions presented in this area is the Virtual Machine. Virtual machines (VMs) have recently become very popular and have been adopted rapidly in many computing environments. These virtual machines provide users and administrators with great flexibility, allowing for the copying, saving, reading and modifying, sharing and migrating of machines, and great easiness in manipulating files. This often leads to physical server consolidation, which reduces operating costs and helps in the daily administration. Furthermore, amongst the previously mentioned reasons, VMs operate within the same interface as existing hardware, and therefore users are able to benefit from their previous operating systems, management tools, and applications. Servers and desktops are therefore being shifted to virtual environments that will be able to take advantage of all the previously mentioned benefits. However, considering the other side of the story, it can be seen that this shift will be very hard to adopt. This shift can lead to the rise of essential and active models that are unavailable in conventional computing situations, thus undermining the security of many organizations and exposing them to different threats. These threats are evident because of the predictability of the hosts, host configuration, host location, amongst other things.

There are plenty of commercial and open source virtual machines available on the market, and we went ahead to demonstrate what consequences having them installed on your computer can have on your host system. There are various hacks, with the most difficult ones being from guest


to host OS; although not impossible, they seem to be the hardest to exploit, but there seems to be a lack of attention to exploits that involve manipulating data on the host OS, as plenty expose their sacred memory and process management functionalities without enough guard, and a regular user can gain administrator privileges this way. We also found some that altered the workings of the virtual machine in a malicious manner or prevented authorized users from using the machine.

The paper is further organized such that Sect. 3 is devoted to virtual machine (VM) usage. Section 4 surveys the virtual machine environment. Section 5 covers virtualization benefits, Sect. 6 exhibits the architecture of virtualization, the impact of virtualization is surveyed in Sect. 7, Sect. 8 presents security issues, Sect. 9 surveys threats to virtualization, Sect. 10 is devoted to two case studies and finally Sect. 11 explains the implementation of some known attacks on virtualization; the conclusion is drawn in Sect. 12 along with the conclusion of the case studies.

2 Virtual machines

The technology that works by adding a layer of abstraction on top of physical system resources (hardware), so that they appear as a pool of virtual resources, and allows multiple operating systems (OS) to run on the same physical hardware simultaneously is called Virtual Machines (VM) [1].

2.1 Resource sharing

From the definition of Virtual Machines, to the operating systems and programs running within these guests it appears that they are running on their own physical computer. In actuality, they may share the physical hardware of the machine, which may include processor(s), memory, disks, and networking hardware, which can be allocated on demand [2].

2.2 Data isolation

The data isolation benefit is one of the key issues that distinguish virtual computing from physical computing [2]. Hence, in some typical cases, it is always beneficial to run certain activities on isolated systems. This is mainly because if one application is infected with a virus, it might affect other applications running in parallel in the virtual machines, while running an application on an isolated system confirms its stability [3]. Moreover, isolation ensures that even if an intruder has completely subverted the monitored host, he still cannot tamper with the IDS [4].

3 Virtual machine environment

In this section, the main trends in the development of virtual machine systems are explained.

3.1 Full virtualization

This type of virtualization allows running unmodified guest operating systems on top of the existing native (host) operating system [1]. It is a technique through which the target hardware is emulated in full by directly executing some instructions on the hardware and some through the VMM [5]. The advantage of this technique is that the guest operating system (that runs on the VMM) or the applications that are executed on the guest operating system need not be modified [5]. On the other side, the disadvantage of full virtualization is that it requires one to provide the guest operating systems with the illusion of a complete virtual platform, seen within a virtual machine, behaving the same as a standard PC/server platform [7].

3.2 Para-virtualization

This type of virtualization requires modifications to guest operating systems to avoid binary translation. In this case, para-virtualization limits the enterprise organization in using this form of virtualization, whereas a native Windows operating system environment can't use this form of virtualization because Microsoft usually does not allow modifying the operating system [1]. Device interaction in a para-virtualized environment is very similar to the device interaction in a fully virtualized environment; the virtual devices in a para-virtualized environment also rely on the physical device drivers of the underlying host [6].

3.3 Hardware supported virtualization

This type of virtualization is offered by big hardware companies such as Intel and AMD. From an architecture point of view we can say that the virtualization layer below the operating system is termed the Virtual Machine Monitor (VMM), which provides the flexibility to run multiple operating systems [7].

3.4 Resource virtualization

There are various approaches to perform resource virtualization; some of them are [6]:

• Computer cluster (Grid Computer), which is used for high availability systems; this technique is well known especially in an enterprise environment, specifically in the financial environment, where multiple discrete


computers are combined to form large supercomputers with enormous resources.
• Make a large resource pool consisting of many individual components.
• The third one is the opposite of the previous one: partitioning a single resource into a number of smaller resources that can be accessed separately, at the same time, by others.

4 Benefits of virtualization

The above virtualization formats in the end help enterprises to benefit through virtualization. The benefits of virtualization found during this course of research are [8]:

• Lower TCO with multi-tenancy: when you combine multiple servers into a pool of virtualized resources, this is called "Server Consolidation"; the resulting capacity can be used to host multiple applications.
• Real estate savings: server consolidation reduces the number of physical servers required in the datacenter and thus increases the throughput per sqft of the datacenter.
• Greener IT: the energy required to power up the servers ("power consumption") and cool the datacenter will go down.
• Ease of maintenance: the effort required to maintain enterprise infrastructure will be greatly reduced due to the smaller number of servers.
• Mobility: this benefit gives the environment more availability, because you can move the virtual image to any server in your organization.
• Disaster recovery: with virtualization it is easy to do a backup based on some backup software, which makes life easy in case of disaster recovery.

5 Virtual machine architecture

The basic concepts or requirements for a VMM are Equivalence, Control, Isolation, Performance, and Encapsulation [9]. However, several virtualization approaches could be categorized into Full Virtualization, OS-Layer Virtualization and Hardware-Layer Virtualization from an architectural point of view [9].

5.1 Full virtualization

This approach is also known as virtual machine manager; the VMM operates on top of the host operating system. This architecture can be observed in Fig. 1. The products using this approach are VMware Workstation, Parallels and Virtual PC [9].

Fig. 1 Full virtualization (source: [9])

Fig. 2 OS-layer virtualization (source: [9])

5.2 OS-layer virtualization

This approach is known as Single Kernel Image (SKI) or container-based virtualization; the concept of this approach is to implement virtualization by running more instances of the same OS in parallel. In this approach the OS is the one being virtualized, which is called the virtualization layer. This architecture can be observed in Fig. 2. The products using this approach are Virtuozzo and its open source variant OpenVZ, Solaris Containers, BSD Jails and Linux VServer [9].

5.3 Hardware-layer virtualization

The concept of this approach is that the VMM runs directly on the hardware, controlling and synchronizing the access of the guest OSs to the hardware resources. The advantage of the VMM in this approach is that it is commonly used for high isolation and performance [9]. Figure 3 exhibits the architecture of hardware-layer virtualization.


Fig. 3 Hardware-layer virtualization (source: [9])

6 Overall impact of virtualization

The effects of virtualization technology depend on the environment being used, in addition to the technology itself. These impacts could be classified into the following three groups [10]:

• Extraction and selection of suitable features for practical applications
• Technical capabilities of features and their interrelationship
• Management of these features being operated

The security impact of virtualization is considered in terms of the five security properties:

• Confidentiality
• Integrity
• Availability
• Authenticity
• Non-repudiation

7 Security problems in virtual environments

Below mentioned are the serious security problems of virtual environments [11].

7.1 Scaling

The rapid scaling in virtual environments can tax the security systems of an organization. Rarely are all administrative tasks completely automated. Therefore, rapid and erratic growth might occur that can worsen the management of virtual machines and multiply the impact of disasters such as virus attacks.

7.2 Software lifecycle

"In a virtual environment machine state is more akin to a tree: at any point the execution can fork off into N different branches, where multiple instances of a VM can exist at any point in this tree at a given time. For example, in case of any crash to the virtual OS rolling back a machine can re-expose patched vulnerabilities, reactivate vulnerable services, re-enable previously disabled accounts or passwords, use previously retired encryption keys, and change firewalls to expose vulnerabilities. It might introduce worms, viruses and other malicious code that had previously been removed" [11].

7.3 Diversity

"If the virtual machines in the environment does not have the same level of security patches update then this will creates a range of problems as one must try and maintain patches or other protection for a wide range of OS, and deal with the risk posed by having many un-patched machines on the network" [11].

8 Case studies

This section incorporates the elements that are associated with virtual machines, and two papers, one implementing malware with virtual machines and one on attacks on virtual machine emulators, are analyzed.

8.1 Case 1 "implementing malware with virtual machines"

The entire research described in [16] revolves around the scenario that there are different attackers and defenders of the computer system, and their core objective is to gain control over the system so that they can either destroy it or fetch important information from it. Different strategies are used by different programmers in order to get control of the system, and the research depicts that they are using low-level operating system techniques and programming code in doing that. There are certain scenarios in which the attacker of the system uses malicious code in order to get control over different systems, and through this malicious code the detection of these attackers becomes very difficult. Because of this the defenders against this attack are unable and helpless, because they cannot do anything to avoid it. Through these attacks they suffer huge losses in both the short and the long run. This perspective of using malicious code should be kept in mind by the defenders. The attackers are actually using a new class of rootkits to pose an attack on the computer system, and that is the reason why in the initial stages it becomes quite difficult to predict and gauge the intensity of an attack. The new type of malware is known as a virtual-machine based rootkit (VMBR), and this code is actually installed in a virtual


machine monitor (VMM) that operates under the operating system of a computer [12, 16, 17].

This malware affects the original operating system and raises the operating system into a virtual machine (see Fig. 4). These virtual-machine based rootkits are basically difficult to detect, and they possess the characteristic that they cannot be removed easily; that is the reason the actual state of this rootkit might not be accessible by software that is running in the target computer system. Another important characteristic is that these VMBRs support general-purpose malicious services, and their strategy is that these services should be operated in a separate operating system that is sheltered from the target system. The new threat is actually evaluated by two proof-of-concept VMBRs. This strategy was used to subvert the target systems of Windows XP and Linux [16]. Furthermore, this research paper incorporates four examples of malicious services which are actually using the VMBR platform. However, it should be kept in mind that these concepts must be learned to explore new and modernized ways against the threat. That is the reason why a proper defense strategy is needed to minimize and reduce the threat [16]. If the policies and procedures that are discussed in [16] are implemented, then it can be said that organizations who implement these policies would benefit in both the short and the long run.

Fig. 4 This figure shows the way how a VMBR raises the host OS to be a guest machine

8.2 Case 2 "attacks on virtual machine emulators"

Ferrie [15] revolves around the scenario of virtual machine emulators. Research and analysis actually depict that these virtual machine emulators have become quite a common practice when it comes to the analysis of malicious code. However, this paper focuses on the scenario of virtual and known attacks against VMware and Virtual PC. In a similar manner this paper also discusses the scenario that there are certain newly discovered attacks on the virtual machine emulators Hydra, Xen, QEMU and Bochs, and it also describes how to defend against them [13, 14]. Ferrie [15] discusses that there are different uses of a virtual machine emulator, and the most common use is to place unknown code in an environment that possesses a virtual nature and then observe its behavior. One of the simplest attacks on virtual machine emulators is to detect the system. This paper involves examples of how virtual machine emulators are detected and what the effects of these emulators are. The emulators come in two forms: (1) hardware bound and (2) pure software. These two categories are also known as para-virtualization and CPU emulation. Because of the advent of virtual machines, different malicious codes are designed for these systems which can affect the virtual machine systems and the host computer. There are different aspects involved in a hardware-assisted emulator, and they have the capability to virtualize the operating system that is running in the computer system. In a similar manner the software machine emulator works on the basis of performance-equivalent operations for any instructions given by the CPU [15]. Furthermore, it can be said that there are different emulators that are located in a virtual system. However, emphasis must be laid on the scenario of how software detects a virtual machine emulator. In a similar manner it can be said that the entire scenario is based on the detection and security of a virtual machine emulator. The recommendations given in [15] for reducing this ability of software are for VMware and different other emulators. Hiding the presence is an important aspect of Virtual PC, and this is implemented to check the maximum instruction length. It can be said that virtual machines are very important in today's world, and it can be said that if the majority of machines run a virtual


machine emulator, then the malicious code will eventually not run in its presence [15]. Thus, it can be said that organizations stress a lot on this approach and on the analysis of malicious code in virtual machine emulators. However, it should be kept in mind that the known attacks on virtual machines would negatively affect the growth of these machines in both the short and the long run.

9 Implementation part

In this section we chose a few exploits from existing software and attempted to demonstrate the impact that they have on the host and guest operating systems. We attempted to exploit several different commercial and open source virtual machines and find remote and local vulnerabilities, as well as ones that affect the host and the guest. We also attempted to find exploits that would cause a wide range of effects, from denial of service and privilege escalation to manipulation of virtual machine data.

9.1 Vulnerability 1: Sun xVM VirtualBox privilege escalation vulnerability

Exploit reference: CVE-2008-3431
Exploitability: Local only
Reported date: 2008-08-04
Exploit type: Host to Host privilege escalation
Virtual machines: Sun xVM VirtualBox 1.6.0 and 1.6.2
Affected hosts: Windows XP SP3, Windows Vista SP1 and other flavours of Windows

9.1.1 Description

This exploit is based on a bug in the "VBoxDrv.sys" kernel driver, which controls the virtualization of guest operating systems when VirtualBox is installed on a Windows host operating system. The vulnerability is based on bad input validation in the driver that allows an attacker to access and modify any memory location on the host, execute arbitrary code within the kernel of the Windows operating system and gain complete control over the host.

9.1.2 Implementation

What really happens is that this driver allows an unprivileged user to open the '\\.\VBoxDrv' device and use IOCTLs (I/O Controls) tied to the buffering mode METHOD_NEITHER, which skips validation. The result is user code giving arbitrary memory addresses to the kernel. With a skillfully crafted exploit the user can execute arbitrary code on the machine within the kernel.

The logic behind the exploit works because of the communication between the driver module and the user application: the method of communication determines how the I/O Manager manipulates the memory buffers used in that communication. What happens when METHOD_NEITHER is chosen is that the buffer pointers passed to 'DeviceIoControl' are sent along with the input and output buffers directly to the driver, and therefore the checks should be done by the driver and not by the method, and they obviously are not.

As a result of running this code, what happens is that we try to write to an unpaged area of memory at address "0x80808080" and cause a system crash. Here is the crash report (Fig. 5):


Fig. 5 Windows crash due to page fault
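What a correct METHOD_NEITHER handler has to do with the pointers it receives, as an added illustration that is not VirtualBox's driver code: the function below models the user-range check that Windows drivers perform with ProbeForRead/ProbeForWrite before touching a caller-supplied buffer. The 32-bit boundary MmUserProbeAddress (0x7FFF0000) is the real value; the handler shape, the 32-bit wraparound model and the sample addresses (among them the 0x80808080 from the crash above) are assumptions of the example.

```python
"""Model of the buffer validation a METHOD_NEITHER IOCTL handler must perform.

Added example, not VirtualBox code.  With METHOD_NEITHER the I/O manager
passes the caller's raw input/output pointers straight to the driver, so the
driver itself must confirm that [ptr, ptr + length) lies entirely in user
space and does not wrap around.  Windows drivers do this with
ProbeForRead/ProbeForWrite; the arithmetic is reproduced here in Python.
"""

MM_USER_PROBE_ADDRESS = 0x7FFF0000   # user/kernel boundary on 32-bit Windows
ADDRESS_MASK = 0xFFFFFFFF            # assumption: model 32-bit pointer arithmetic


class ProbeError(Exception):
    """Raised when a caller-supplied buffer fails validation."""


def probe_user_range(address: int, length: int) -> None:
    """Reject a buffer unless every byte of it lies below the user probe address.

    Mirrors the conditions ProbeForRead/ProbeForWrite enforce:
    - a zero-length buffer is accepted without inspecting the pointer;
    - address + length must not wrap around the address space;
    - the end of the buffer must not reach kernel space.
    """
    if length == 0:
        return
    end = (address + length) & ADDRESS_MASK   # what a 32-bit driver would compute
    if end < address:                         # integer overflow: the range wrapped
        raise ProbeError("buffer length overflows the address space")
    if end > MM_USER_PROBE_ADDRESS:           # 0x80808080 and friends end up here
        raise ProbeError("buffer reaches kernel address space")


def handle_ioctl(in_ptr: int, in_len: int, out_ptr: int, out_len: int) -> str:
    """Dispatch shape of a hardened handler: probe both caller buffers before
    any access.  Returns "ok" or a message naming the rejected buffer."""
    try:
        probe_user_range(in_ptr, in_len)
    except ProbeError as exc:
        return f"rejected input buffer: {exc}"
    try:
        probe_user_range(out_ptr, out_len)
    except ProbeError as exc:
        return f"rejected output buffer: {exc}"
    # Only now may the driver copy from in_ptr or write to out_ptr.
    return "ok"


if __name__ == "__main__":
    # Constructed sample requests: a normal user-mode buffer, the kernel address
    # from the crash above, and a length that wraps past the end of memory.
    for args in [(0x00401000, 0x100, 0x00402000, 0x10),
                 (0x80808080, 4, 0x00402000, 0x10),
                 (0x00401000, 4, 0xFFFFFFF0, 0x20)]:
        print(args, "->", handle_ioctl(*args))
```

The wraparound test is the part that is easy to forget: a length chosen so that address + length wraps to a small value would pass a plain "end below the boundary" comparison, which is the same integer-overflow shape that Vulnerability 4 below describes for the vmx86 kernel extension.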

9.2 Vulnerability 2: VMware Inc version 6.0.0 CreateProcess & CreateProcessEx remote code execution exploit

Exploit reference: CVE-2007-4155
Exploitability: Remote only
Reported date: 2007-07-30
Exploit type: Remote code execution exploit
Virtual machines: VMware Workstation 6.0, VMware Workstation 5.5.4, VMware Workstation 5.5, VMware Server 1.0.3, VMware Player 2.0, VMware Player 1.0.4, VMware ACE 2.0, VMware ACE 1.0.3
Affected hosts: Windows XP SP1/SP2 French/English with IE 6.0/7.0 and possibly other Windows versions

9.2.1 Description

This exploit is based on the Vielib.dll library, which is prone to multiple remote code execution vulnerabilities via an ActiveX control. These controls are normally used in the Internet Explorer browser, and a successful attack will allow remote execution of code on the host machine.

9.2.2 Implementation

The implementation is done by creating a JavaScript object in the webpage that contains the ActiveX element. When this element gets created it refers to the faulty DLL object. The faulty library does not check who is calling the CreateProcess and CreateProcessEx functions, so any ActiveX control using this will be able to exploit this bug and execute its own commands on the user's computer. The way this relates to the virtual machine is that the DLL is supposed to allow only for controlled creation of processes, but it seems that this can be bypassed and


anyone is able to create their own processes on the host (Fig. 6).

Fig. 6 Exploit demo—launching calc.exe app from IE

9.3 Vulnerability 3: empirical exploitation of live virtual machine migration

Exploit reference: http://jon.oberheide.org/files/blackhat08-migration.pdf
Exploitability: attack on live migration across the network
Reported date: 2008-02-21
Exploit type: guest memory manipulation and guest sshd authentication manipulation
Virtual machines: latest versions of the popular Xen and VMware virtual machine monitors
Affected hosts: Linux and Windows (VMware ESX Server 3.0.1 and VMware Virtual Infrastructure Client/Server 2.0.1)

9.3.1 Description

This paper describes and shows three classes of attacks on virtual machine migration: control plane, data plane, and migration module attacks [18]. It then shows how the man-in-the-middle attack concept, using these attack strategies, can exploit the latest versions of the popular Xen and VMware virtual machine monitors, and presents a tool (Xensploit) to automate the manipulation of a guest operating system's memory during a live virtual machine migration. Finally, it discusses strategies to address the deficiencies in virtualization software and secure the live migration process (Fig. 7) [19].

9.3.2 Implementation

For the implementation part of this vulnerability, we tried to get the source code of the developed tool from the development team, to run it and see how the manipulation of guest operating system memory goes on, but unfortunately we could not receive any response from them. After that we decided to summarize the paper's idea and show how the vulnerabilities work.

1. Simple memory manipulation [19]: In Xen terminology, a host VMM is known as a dom0 domain while guest VMs are known as domU. This pilot phase consists of three peripherals (three computers): the first part, called the source dom0, the receiver part, called the destination dom0, and the malicious party running Xensploit. The source dom0 starts running a guest domU, and inside domU there was a simple program printing the string "Hello World" on the terminal.

1180795919.260261: Hello World!
1180795920.270992: Hello World!
1180795921.281870: Hello World!

Now live migration is triggered to run and to move domU from the source dom0 to the destination dom0. When the memory pages of the running guest OS are transmitted over the network and pass through the malicious party running Xensploit, the "Hello World" string is replaced with "Xensploited".

1180795921.920290: Xensploited!
1180795922.932574: Xensploited!
1180795923.942636: Xensploited!
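The substitution shown above succeeds because the migration stream carries guest pages with nothing binding them to the sender. As an added example (not Xensploit, Xen or VMware code), the script below frames every page with an HMAC under a key shared by the source and destination hosts and has the receiver verify it, so an in-flight rewrite of "Hello World!" to "Xensploited!" is detected and the page refused rather than resumed. The page size, key and sample page contents are constructed for the example.

```python
"""Authenticated page framing for a live-migration stream (added example).

The sender tags each page with HMAC-SHA256 over (page number || page bytes)
under a key shared with the destination; the receiver recomputes the tag and
refuses any page whose tag fails.  This detects the in-flight rewrite, it
does not hide the page contents; in practice the whole stream would also be
encrypted.  Key, page size and contents below are constructed sample data.
"""
import hashlib
import hmac
import struct

PAGE_SIZE = 4096               # assumption: 4 KiB guest pages
TAG_SIZE = 32                  # HMAC-SHA256 digest length
HEADER = struct.Struct(">Q")   # 64-bit page number, big-endian


def frame_page(key: bytes, page_no: int, data: bytes) -> bytes:
    """Sender side: header || data || tag."""
    if len(data) != PAGE_SIZE:
        raise ValueError("page must be exactly PAGE_SIZE bytes")
    header = HEADER.pack(page_no)
    tag = hmac.new(key, header + data, hashlib.sha256).digest()
    return header + data + tag


def verify_frame(key: bytes, frame: bytes):
    """Receiver side: return (page_no, data), or None if the frame is rejected.

    compare_digest runs in constant time, so the check does not leak how many
    tag bytes matched."""
    if len(frame) != HEADER.size + PAGE_SIZE + TAG_SIZE:
        return None
    header = frame[:HEADER.size]
    data = frame[HEADER.size:HEADER.size + PAGE_SIZE]
    tag = frame[HEADER.size + PAGE_SIZE:]
    expected = hmac.new(key, header + data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return HEADER.unpack(header)[0], data


def mitm_rewrite(frame: bytes, old: bytes, new: bytes) -> bytes:
    """Model of the in-flight substitution: a same-length string replacement,
    which keeps the frame well-formed but no longer matches the tag."""
    return frame.replace(old, new, 1)


def migrate(key: bytes, pages, tamper=None):
    """Push pages through the channel; returns (accepted frames, rejected count).
    `tamper`, if given, is applied to each frame between sender and receiver."""
    accepted, rejected = [], 0
    for page_no, data in enumerate(pages):
        frame = frame_page(key, page_no, data)
        if tamper is not None:
            frame = tamper(frame)
        result = verify_frame(key, frame)
        if result is None:
            rejected += 1
        else:
            accepted.append(result)
    return accepted, rejected


def demo():
    """Constructed run: one page holding the guest program's string, sent once
    untouched and once through the rewriting middlebox."""
    key = b"constructed-shared-migration-key"
    page = b"Hello World!".ljust(PAGE_SIZE, b"\0")
    clean, _ = migrate(key, [page])
    rewrite = lambda f: mitm_rewrite(f, b"Hello World!", b"Xensploited!")
    _, rejected = migrate(key, [page], tamper=rewrite)
    return clean[0][1][:12], rejected      # (b"Hello World!", 1)


if __name__ == "__main__":
    print(demo())
```

The same check blocks the second scenario in this section, manipulation of the guest's sshd authentication state, since any altered page fails verification regardless of what it holds. What the tag does not cover is key distribution and the control plane (who may start a migration, and to where); in practice the stream should ride an authenticated, encrypted transport such as an SSH tunnel or TLS on a dedicated migration network.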


Fig. 7 Man-in-the-middle attack against live migration

After some seconds of transmitting, the guest OS had been migrated to the destination dom0, the man-in-the-middle attack was successful, and the memory of the test process had been manipulated.

2. Authentication manipulation [19]: This hack has been tested over four machines. The source and destination VMMs were running VMware ESX Server 3.0.1; there was a node running VMware Virtual Infrastructure Client/Server 2.0.1 to control the VM monitors and start the migration, and the malicious party was running Xensploit. Before running the hack on the network they tried to ssh to the guest OS running on the source VMM, but the login was refused as follows:

jonojono@apollo ~ $ ssh root@testvm1
Permission denied (publickey, keyboard-interactive)

After initiating the live migration from the VIC (Virtual Infrastructure Client) and employing the man-in-the-middle attack, the result was as follows:

jonojono@apollo ~ $ ssh root@testvm1
Last login: Tue Jun 5 19:25:19 2007 from localhost
testvm1 ~ #

9.4 Vulnerability 4: VMware Fusion 2.0.5 vmx86 kext local kernel root exploit

Exploit reference: CVE-2009-3281, CVE-2009-3282
Exploitability: Local only
Reported date: 2009-06-22
Exploit type: Host to Host privilege escalation
Virtual machines: [Put here the virtual machines and versions on which this exploit works and the affected versions]
Affected hosts: VMware Fusion 2, VMware Fusion 2.0.2 build 147997, VMware Fusion 2.0.4 and VMware Fusion 2.0.5

9.4.1 Description

VMware Fusion is virtualization software that allows users to run various guest Windows applications on any Mac OS. The application is prone to a buffer-overflow vulnerability caused by an unspecified integer-overflow issue in the vmx86 kernel extension. The integer overflow vulnerability in the vmx86 kernel extension allows a guest user on the host to become root by running the root shell code. A file permission problem in the vmx86 kernel extension allows executing arbitrary code in the host system kernel context by a guest user on the host system. An attacker can exploit this issue to crash the affected system, resulting in denial-of-service conditions. Given the nature of this issue, the attacker may also be able to run arbitrary code, but this has not been confirmed [20].

9.4.2 Implementation

For the implementation part of this vulnerability, we use Mac OS (10.5.x). We install VMware Fusion 2.0.4. First of all we create a user account on the host and give this account regular privileges as usual. After that we brought the source code from [20]. The code is written in the C language, and the main target of the code is achieving denial of service of the host by an unprivileged user on the host system.

9.4.3 Steps of running

1. Install or upload the source code [20] into the user account created before.
2. Use the ls command to make sure the target file is in the compilation directory.
3. We chose an arbitrary name for the .c file (in this process we call the file 12.c).
4. We check our status in this account by using the command "whoami" (Fig. 8).
5. After this step we run the "whoami" command again and we found the following (Fig. 9):


Fig. 8 At run time the program changing privileges

9.4.4 Solution

VMware Fusion 2.0.6 (for Intel-based Macs): download including VMware Fusion and a 12 months complimentary subscription to McAfee VirusScan Plus 2009. This solution is based on the suggestion from vmware.com. That means a regular user now can act as root.

9.5 Vulnerability 5: "sysenter" exploitation on VirtualBox

Exploit reference: CVE-2009-2715
Exploitability: Local only
Reported date: 2009-08-01
Exploit type: Denial of Service (DoS)
Virtual machines: VirtualBox (2.0.4, 2.2 and 3.0.2 r49928)
Affected hosts: Linux only (tested on Ubuntu 8.10)

9.5.1 Description

This vulnerability is based on a misinterpretation of the instruction "sysenter" by VirtualBox [21]. When a guest system executes this instruction, the host system reboots without any notice. This instruction is usually used by user code running at privilege level 3 to fast-call a procedure at level 0 [22]. According to the change set of the source code tree at the same period [23], this was apparently due to an insufficient amount of checking before the effective call of the instruction. The main advantage of this vulnerability is the size of the source code, since it only requires a call to a single instruction. See the implementation subsection for a full listing.

9.5.2 Implementation

For the implementation part of this vulnerability, we use Ubuntu Linux 8.10. All the old versions of VirtualBox are still available on the website; we used 3.0.2. After installing VirtualBox on Ubuntu, we install another Ubuntu as a guest. Since this vulnerability only requires gcc (C compiler/linker) and nasm (ASM compiler), we did not have to install extra software.

Here is the full listing of this vulnerability, extracted from [21]:

BITS 32
SECTION .text
GLOBAL main
main:
    sysenter
    ret

Then, we compile the exploit:

nasm -f elf vmhostreboot.asm
gcc vmhostreboot.o -o vmhostreboot

And when we run it (./vmhostreboot), the host rebooted instantly.


Fig. 9 whoami command shows the result of the attack

9.6 Vulnerability 6: BIOS infection on VMware

Exploit reference: Phrack #66-7
Exploitability: Local only
Reported date: 2009-06-01
Exploit type: Host to guest VM control
Virtual machines: VMware all versions (Tested on VMware Fusion 2.0.5)
Affected hosts: All supported platforms (Tested on MacOSX 10.5)

9.6.1 Description

This infection is a part of the article [24], which describes the infection of the BIOS on both virtual machines and real hardware. One particularity of VMware over the other virtual machine managers is that, when we analyze its executable, the BIOS for the guest is defined in a special section. Therefore it is possible to extract it and inject some malicious code into it. Finally, the developers of VMware offer the possibility to declare the BIOS path in the guest configuration and therefore to use a hacked BIOS.

9.6.2 Implementation

This implementation can be divided into four parts:

1. Seek and extract the software BIOS from vmware-vmx
2. Uncompress the BIOS
3. Modify it, possibly injecting malicious code
4. Reinject the BIOS or modify the VM configuration to boot on it

For the first part, and since this vulnerability was tested on a Mac, we used the gobjdump command, which prints the sections of an executable (this tool is available through MacPorts). Here is a part of the output of this command on VMware:

    $ gobjdump -h "/Library/Application Support/VMware Fusion/vmware-vmx"
    16 __VMWARE..vmibios 00001800 0086be00 0086be00 005d2e00 2**0
       CONTENTS, ALLOC, LOAD, DATA
    17 __VMWARE..lsibios 00001e00 0086d600 0086d600 005d4600 2**0
       CONTENTS, ALLOC, LOAD, DATA
    18 __VMWARE..bios440 00080000 0086f400 0086f400 005d6400 2**0
       CONTENTS, ALLOC, LOAD, DATA
    19 __VMWARE..nbios 00008800 008ef400 008ef400 00656400 2**0
       CONTENTS, ALLOC, LOAD, DATA
    20 __VMWARE..nvram 000021d8 008f7c00 008f7c00 0065ec00 2**0
       CONTENTS, ALLOC, LOAD, DATA

As described in the article, there is a bios440 section which contains the software BIOS. We can now extract it with:


    $ gobjcopy -j __VMWARE..bios440 -O binary --set-section-flags .bios440=a vmware-vmx ~/Desktop/bios1.rom

The BIOS is now ready to be decompressed. This operation can be performed by using Phoenix BIOS Editor on Windows (Fig. 10). We can change some parameters of the BIOS to see their impact. Here, we choose ``System Manufacturer Name'' and ``System Product Name''. We reassemble the BIOS using the same software.

Fig. 10 Editing the BIOS

We are now ready for the last part, i.e. booting on the new BIOS. Currently, we have a clean version of OpenBSD (4.5) and its configuration file is OpenBSD.vmx. We add the following line to it (Fig. 11):

    bios440.filename = "~/bios440-hacked.rom"

We can now start the virtual machine and see in the log that the new BIOS has been used. Unfortunately, we were not able to go any further (i.e. install a rootkit or, as suggested in the article, change the root password at boot) because of the lack of precision in the article (e.g. the shellcode memory location).
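As an added example (this is not code from the paper, from VMware or from the Phrack article), the following Python script turns the two observations of this case study into defensive checks. It parses the gobjdump -h section table reproduced above to locate the __VMWARE.. sections of vmware-vmx and hash the embedded bios440 bytes against a known-good digest, so a modified built-in BIOS is noticed, and it scans a guest's .vmx for the bios440.filename key so that, as Sect. 10.2 suggests, the user can be warned before a guest boots an external BIOS image. It assumes the standard objdump -h column layout and `key = "value"` .vmx lines like the one shown above; the OpenBSD-style .vmx sample, the tiny image used in the self-check and the analyst's path are constructed, and the function and constant names are the example's own.

```python
"""Audit the provenance of a VMware guest's firmware.

Added example; not code from the paper, from VMware or from the Phrack
article. Two defensive checks that follow from the case study:
  1. locate the __VMWARE..* sections in `objdump -h` output (gobjdump
     on macOS) and hash the BIOS bytes embedded in vmware-vmx against a
     known-good digest, so a modified built-in BIOS is noticed;
  2. scan a guest's .vmx for the bios440.filename key, which points the
     guest at an external BIOS image, so the user can be told at launch.
"""
import hashlib
import re
from dataclasses import dataclass

# One `objdump -h` row: Idx Name Size VMA LMA File-off Algn
SECTION_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<name>\S+)\s+(?P<size>[0-9a-f]{8})\s+"
    r"(?P<vma>[0-9a-f]{8})\s+(?P<lma>[0-9a-f]{8})\s+(?P<off>[0-9a-f]{8})",
    re.IGNORECASE,
)

# The part of the gobjdump -h output that the paper prints for vmware-vmx
# (VMware Fusion 2.0.5); the attribute line below each row is a continuation.
PAPER_OBJDUMP = """\
16 __VMWARE..vmibios 00001800 0086be00 0086be00 005d2e00 2**0
   CONTENTS, ALLOC, LOAD, DATA
17 __VMWARE..lsibios 00001e00 0086d600 0086d600 005d4600 2**0
   CONTENTS, ALLOC, LOAD, DATA
18 __VMWARE..bios440 00080000 0086f400 0086f400 005d6400 2**0
   CONTENTS, ALLOC, LOAD, DATA
19 __VMWARE..nbios 00008800 008ef400 008ef400 00656400 2**0
   CONTENTS, ALLOC, LOAD, DATA
20 __VMWARE..nvram 000021d8 008f7c00 008f7c00 0065ec00 2**0
   CONTENTS, ALLOC, LOAD, DATA
"""


@dataclass(frozen=True)
class Section:
    index: int
    name: str
    size: int
    file_offset: int


def parse_sections(objdump_text, prefix="__VMWARE.."):
    """Return the sections whose name starts with `prefix`, in table order."""
    found = []
    for line in objdump_text.splitlines():
        m = SECTION_RE.match(line)
        if m and m.group("name").startswith(prefix):
            found.append(Section(int(m.group("idx")), m.group("name"),
                                 int(m.group("size"), 16),
                                 int(m.group("off"), 16)))
    return found


def section_sha256(image, section):
    """SHA-256 of the bytes `section` occupies inside the executable image.

    A section that runs past the end of the image means the section table
    and the image do not belong together, which is reported as an error.
    """
    end = section.file_offset + section.size
    if end > len(image):
        raise ValueError(f"{section.name} ends at {end:#x} but the image "
                         f"is only {len(image):#x} bytes long")
    return hashlib.sha256(image[section.file_offset:end]).hexdigest()


def builtin_bios_is_intact(objdump_text, image, expected_sha256,
                           name="__VMWARE..bios440"):
    """Compare the BIOS embedded in vmware-vmx with a known-good digest."""
    for sec in parse_sections(objdump_text):
        if sec.name == name:
            return section_sha256(image, sec) == expected_sha256
    raise LookupError(f"{name} is not in the section table")


# A .vmx line has the shape   key = "value"   (as the paper's
# bios440.filename line does); keys are matched case-insensitively.
VMX_LINE_RE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')
BIOS_OVERRIDE_KEY = "bios440.filename"


def bios_override(vmx_text):
    """Return the external BIOS path a .vmx file points at, or None."""
    for line in vmx_text.splitlines():
        m = VMX_LINE_RE.match(line)
        if m and m.group(1).lower() == BIOS_OVERRIDE_KEY:
            return m.group(2)
    return None


def launch_warning(vmx_text):
    """Notice a launcher could show before boot (the paper's suggestion); None if clean."""
    path = bios_override(vmx_text)
    if path is None:
        return None
    return f"this guest will boot the external BIOS image {path!r} instead of the built-in one"


# Constructed guest configuration in the style of the paper's OpenBSD.vmx,
# with the override line the case study adds (constructed sample data).
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "OpenBSD"
bios440.filename = "/Users/analyst/bios440-hacked.rom"
"""

if __name__ == "__main__":
    for sec in parse_sections(PAPER_OBJDUMP):
        print(f"{sec.index:>2} {sec.name:<20} size={sec.size:#x} off={sec.file_offset:#x}")
    print(launch_warning(SAMPLE_VMX))
```

In practice the section table comes from `gobjdump -h vmware-vmx`, the image from reading vmware-vmx itself, and the expected digest from a pristine installation of the same build; the .vmx check is cheap enough to run every time a guest is started, which is the point of the suggestion in Sect. 10.2.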

Fig. 11 The hacked BIOS

10 Conclusion

Virtual machines are the need of the day to reduce the cost factor in computing environments; however, they are a big threat if handled incorrectly. The paper has presented a brief description of the security errors in the virtual machine environment. Nonetheless, a few of the threats already discussed in detail in this paper might be taken as benefits in certain conditions; however, the purpose here is to make users fully aware, so that they take appropriate care while designing and implementing the virtual machine environment. In this regard, two major issues are discussed. First, virtual machines are actually logical instances of an original system and hence most of the conventional computer security flaws are equally applicable to these virtual machines.


Second, there are enormous types of virtualization technologies, each with its own pros and cons, which makes understanding and selecting them really hard.

We can also conclude that no single virtualization technology is enough to protect against all security flaws. Hence, to come out with a good virtualization environment, careful selection of the virtualization environment is mandatory while keeping in view the requirements and aims of the enterprise. At the same time, all the potential security concerns that put the virtual machines under threat should not be overlooked.

To secure a computing environment, this paper has presented two case studies to handle virtual machine security challenges.

10.1 Case 1 Conclusion

Only 3 days after the discovery of this vulnerability, Sun released version 3.0.4, which is not affected. This attack may still be used on some computers that have not been updated. However, the main point of this attack is to show how complex virtual machines are to design and how much forethought the developers need when they implement them.

10.2 Case 2 Conclusion

This vulnerability is very powerful and enables any user that has access to either the configuration file of a guest or the VMware executable to use a specific BIOS. Moreover, if the vmware-vmx has been infected, any future virtual machine will also use the modified BIOS. Currently, this vulnerability is known to the VMware developers [25] and nothing has been implemented to prevent it. One optimum option could be to inform the user if a specific BIOS is going to be used whenever the virtual machine is launched [26].

Acknowledgments My thanks and appreciation to the Deanship for Scientific Research at King Saud University Riyadh Saudi Arabia for funding this research.

References

1. Shroff A, Donthireddy VR—itlinfosys.com. Virtualization imperatives and performance. http://www.infosys.com/IT-services/application-services/white-papers/Documents/virtualization-imperatives-performance.pdf. Accessed 10 Feb 2013
2. Reuben JS (2007) A survey on virtual machine security, TKK T-110.5290 seminar on network. http://www.tml.tkk.fi/Publications/C/25/papers/Reuben_final.pdf. Accessed 10 Feb 2013
3. Rose R (2004) Survey of system virtualization techniques. http://citeseer.ist.psu.edu/720518.html. Accessed 10 Feb 2013
4. Garfinkel T, Rosenblum M (2003) A virtual machine introspection based architecture for intrusion detection. In: Proc. Net. and Distributed Sys. Sec. Symp., Feb 2003
5. Nellitheertha H—InfoSys.com (2006) Virtualization technologies, white paper. http://216.52.49.31/IT-services/infrastructure-services/white-papers/virtualization-technologies.pdf. Accessed 10 Feb 2013
6. Reuben JS (2007) A survey on virtual machine security. Helsinki University of Technology. http://www.tml.tkk.fi/Publications/C/25/papers/Reuben_final.pdf. Accessed 10 Feb 2013
7. Nakajima J, Mallick AK (2007) Hybrid-virtualization—enhanced virtualization for Linux. In: Proc. of the 2007 Linux Symposium, 2007. http://kernel.org/doc/ols/2007/ols2007v2-pages-87-96.pdf. Accessed 10 Feb 2013
8. Menascé DA (2005) Virtualization: concepts, applications, and performance modeling. Int. CMG Conference, Orlando, Florida, USA, pp 407–414
9. Marinescu D, Kröger R. State of the art in autonomic computing and virtualization. Technical report, Distributed Systems Lab, Wiesbaden University of Applied Sciences. http://wwwvs.cs.hs-rm.de/downloads/extern/pubs/techreports/STAR.pdf. Accessed 10 Feb 2013
10. Cleeff AV, Pieters W, Wieringa R. Security implications of virtualization: a literature study. University of Twente. http://doc.utwente.nl/67484/1/Security_Implications_of_Virtualization.pdf. Accessed 10 Feb 2013
11. Garfinkel T, Rosenblum M (2005) When Virtual is Harder than Real: Security Challenges in Virtual Machine Based Computing Environments. Tenth Workshop on Hot Topics in Operating Systems (HotOS), June 2005
12. Rehman A, Saba T (2012) Evaluation of artificial intelligent techniques to secure information in enterprises. Artif Intell Rev. doi:10.1007/s10462-012-9372-9
13. Higgins KJ (2007) Vm's create potential risks. Technical report, dark READING. http://www.darkreading.com/document.asp?doc_id=117908. Accessed 10 Feb 2013
14. Sailer R, Valdez E, Jaeger T, Perez R, van Doorn L, Griffin JL, Berger S (2005) sHype: secure hypervisor approach to trusted virtualized systems. IBM, Yorktown Heights NY, RC23511
15. Ferrie P (2007) Attacks on virtual machine emulators. Symantec Advanced Threat Research
16. King ST, Chen PM (2006) SubVirt: implementing malware with virtual machines. University of Michigan, Ann Arbor
17. GOODFELLAS Security Research TEAM (2007) [http://goodfellas.shellcode.com.ar]. VmWare Inc version 6.0.0 CreateProcess & CreateProcessEx Remote code execution exploit. http://www.milw0rm.com/exploits/4245. Accessed 10 Feb 2013
18. Core Security Technologies—CoreLabs Advisory (2008) [http://www.coresecurity.com/corelabs/]. Sun xVM VirtualBox privilege escalation vulnerability. http://www.milw0rm.com/exploits/6218. Accessed 10 Feb 2013
19. Oberheide J, Cooke E, Jahanian F (2008) Empirical exploitation of live virtual machine migration. http://www.eecs.umich.edu/techreports/cse/2007/CSE-TR-539-07.pdf. Accessed 10 Feb 2013
20. Mann A (2007) The pros and cons of virtualization. BTQ. http://btquarterly.com/?mc=pros-consvirtualization&page=virt-view%research. Accessed 10 Feb 2013
21. Vilkeliskis T (2009) Sun's VirtualBox host reboot PoC. http://www.milw0rm.com/exploits/9323. Accessed 10 Feb 2013
22. Huston B (2007) Security tip: 3 steps towards securing virtual machines. Security. http://security.itworld.com/4367/nlssecurity071009/page_1.html. Accessed 10 Feb 2013
23. Kirch J (2007) Virtual machine security guidelines. The center for internet security. http://www.cisecurity.org/tools2/vm/CIS_VM_Benchmark_v1.0.pdf. Accessed 10 Feb 2013
24. Alfredo. Persistent BIOS Infection. Phrack. [Online]. 13(66). http://phrack.org/issues.html?issue=66&id=7. Accessed 10 Feb 2013


25. Ferrie P (2013) Attacks on virtual machine emulators. Symantec Advanced Threat Research. http://www.symantec.com/avcenter/reference/Virtual_Machine_Threats.pdf. Accessed 10 Feb 2013
26. Saba T, Rehman A (2012) Effects of artificially intelligent tools on pattern recognition. Int J Mach Learn Cybern. doi:10.1007/s13042-012-0082-z
