Two researchers from North Carolina State University have developed software that they say can protect virtualization hypervisors from malicious “Blue Pill” rootkit threats.

“HyperSafe enables the hypervisor self-protection from code injection attempts,” said Xuxian Jiang, an assistant professor of computer science at NCSU.

Jiang, along with his PhD student Zhi Wang, developed the software, called HyperSafe, with funding from the U.S. Army Research Office and the National Science Foundation.

For the rest of this article, please follow this link: blue pill.


This appeared in a VMware KB article back in August, but some of you may not have seen it. Basically, if you use a port scanner like Nmap to scan an ESX host, in particular on port 8000, subsequent VMotion events will fail.

The only way to get VMotion working again is to disable and then re-enable VMotion. It’s interesting that this service is obviously not robust enough to cope with a simple port scan, and it also highlights the fact that you should be isolating your VMotion network from general network traffic.

The original VMware article can be viewed here: KB1010672.

If you didn’t already know, the VMware Web Services SDK is a WSDL-described API that allows developers to write applications that integrate with VMware. You can also query this API using a standard web browser. The WSDL interface requires authentication, and once authenticated you have access to the entire API, as shown in the screenshot below.

[Screenshot: sdk]

Even if you are not a developer, once authenticated via the browser you can query the virtual infrastructure in much the same way as you would with the standard VI client. You can also schedule tasks, which gives you a lot of power, e.g. shutting down VMs, changing configs, etc.

Bruteforce Attack

The interesting thing to note is that the interface can be attacked using brute-force techniques, so if you do not have adequate access control mechanisms in place, you are leaving your virtual infrastructure open to compromise.

To mitigate this, I would suggest you lock down which source IPs in your network are allowed to access vCenter and each ESX host, and never expose your virtual management layer to the Internet.
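As an added example (not part of the original post), the following Python script shows the two checks this post implies for the SDK login interface: flagging a source that racks up repeated authentication failures in a short window, and flagging any login attempt from outside the management networks you have allowed. The log line format is constructed for illustration and is not VMware's actual hostd/vpxd log layout; adapt the regex to whatever your collector produces.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed generic format; this is NOT
# the real VMware log layout, only an illustration of the check.
SAMPLE_LOG = """\
2009-11-20 10:00:01 auth-failure user=root src=192.0.2.44
2009-11-20 10:00:02 auth-failure user=root src=192.0.2.44
2009-11-20 10:00:03 auth-failure user=admin src=192.0.2.44
2009-11-20 10:00:04 auth-failure user=root src=192.0.2.44
2009-11-20 10:00:05 auth-failure user=root src=192.0.2.44
2009-11-20 10:00:06 auth-success user=root src=192.0.2.44
2009-11-20 10:05:00 auth-failure user=vcadmin src=10.10.0.5
2009-11-20 10:06:00 auth-success user=vcadmin src=10.10.0.5
2009-11-20 11:00:00 auth-failure user=root src=10.10.0.9
2009-11-20 11:30:00 auth-failure user=root src=10.10.0.9
2009-11-20 12:00:00 auth-failure user=root src=10.10.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>auth-(?:failure|success)) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def analyse(log_text, allowed_nets, threshold=5, window=timedelta(minutes=1)):
    """Return (brute_force_sources, out_of_policy_sources).

    brute_force_sources: IPs with >= threshold auth failures inside any
    sliding window of the given length.
    out_of_policy_sources: IPs attempting any login from outside the allowed
    management networks (the source-IP lockdown the post recommends).
    """
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    brute_force, out_of_policy = set(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not auth events
        src = m.group("src")
        if not any(ipaddress.ip_address(src) in n for n in nets):
            out_of_policy.add(src)
        if m.group("event") != "auth-failure":
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        q = failures[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures older than the window
        if len(q) >= threshold:
            brute_force.add(src)
    return sorted(brute_force), sorted(out_of_policy)


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG, ["10.10.0.0/24"]))
```

With only the management subnet allowed, the sample flags 192.0.2.44 on both counts, while 10.10.0.9's three failures spread over two hours stay below the threshold.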


VirtSec Training

November 24th, 2009

The first UK VirtSec Training course will be offered in London from February 2010. I am just putting the finishing touches to the content and format for this two-day course. More details will follow shortly; if you would like to register your interest in attending this course, please register here.
