Security Risks Posed by Shared Images in Cloud Services
Shared images, like Amazon Machine Images (AMIs), are pre-configured templates used to create virtual machines (VMs) in cloud services. These images contain the operating system, software, and configurations necessary to run applications. While these shared images make it easy to deploy VMs quickly, they can introduce serious security risks if not managed carefully.
1. Leftover Credentials
- Creators of shared images may forget to remove sensitive information, such as passwords, API keys, or SSH keys, before sharing the image. These leftover credentials can be exploited by attackers.
- Example: If an SSH key is left in the shared image, an attacker can use it to log in to your virtual machine and gain unauthorized access.
2. Malware in Images
- Shared images may contain hidden malware or viruses intentionally embedded by attackers.
- Using such images can compromise the system and steal sensitive data.
- Example: A script in the image sends your system data to the attacker without your knowledge.
3. Hidden Connections
- Some images include hidden programs or scripts that establish unauthorized connections to an attacker’s server.
- These connections provide backdoor access and can be used to extract confidential information.
- Example: Logs or credentials are secretly sent to an external server.
4. Old and Vulnerable Software
- Shared images may use outdated software versions with known security vulnerabilities.
- Hackers exploit these weaknesses to attack systems.
- Example: An image with an old operating system is vulnerable to a publicly known attack.
Precautions to Stay Safe
- For Image Creators:
  - Remove sensitive data like credentials and keys before sharing.
  - Use tools to clean up residual data.
- For Image Users:
  - Only use images from trusted sources.
  - Scan images for malware and vulnerabilities before deploying them.
Security Risks Posed by a Management Operating System (OS)
Virtualization is often considered secure because hypervisors, such as the Xen Virtual Machine Monitor (VMM), are smaller and simpler than traditional operating systems.
However, the security of the virtualization environment also depends heavily on the management OS, which plays a crucial role in controlling the hypervisor and virtual machines (VMs).
The management OS (e.g., Dom0 in Xen) introduces vulnerabilities:
- Trusted Computing Base (TCB): The TCB refers to the components of the system that must be trusted for the system’s overall security. In a Xen-based virtualized system, the TCB includes the hardware, hypervisor, and management OS (Dom0). If any of these components are vulnerable or compromised, the entire system’s security can be compromised.
- Reported Vulnerabilities in Xen:
  - Out of 23 attacks analysed, 21 attacks were against service components of the control VM (Dom0).
  - 11 were buffer overflow attacks, and 8 were denial-of-service (DoS) attacks.
Risks During VM Creation (DomU by Dom0)
- Steps in VM Creation:
  - Allocate memory in Dom0 (the management OS).
  - Load the guest OS kernel into the new VM.
  - Transfer the kernel to the new VM using foreign mapping.
  - Set up page tables and virtual CPU registers for the VM.
- Possible Malicious Activities by Dom0:
  - Refuse to start a new VM (DoS attack).
  - Modify the guest OS kernel for unauthorized monitoring.
  - Manipulate page tables or virtual CPU registers.
  - Refuse to release the foreign mapping and retain access to the VM’s memory during runtime.
Risks During VM Runtime: Once VMs are running, there are several ways the management OS (Dom0) can interact with the VMs:
- Interaction via Split Drivers: Split drivers allow communication between Dom0 and DomU (the guest VM), and they often rely on shared memory. This shared memory creates opportunities for Dom0 to extract sensitive data (such as cryptographic keys) from DomU without the VM’s knowledge.
- System State Vulnerabilities: XenStore, which maintains the system state, can be exploited by malicious VMs to deny access or compromise other VMs.
Security Enhancements
VM Creation Safeguards:
- Restrict Dom0’s “foreign mapping” use unless explicitly initiated by DomU.
- Encrypt memory pages and CPU registers during operations.
Runtime Protections:
- Encrypt and hash VM memory pages and CPU states.
- Use version numbers in hashes to ensure data freshness.
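The freshness check in the last bullet, as an added example that is not part of the original notes: a keyed hash (HMAC-SHA256, swapped in here for the plain hash) covers the page number, a version counter and the page contents, so a stale page replayed by Dom0 is rejected even though its hash is valid. `PageSealer` and its methods are hypothetical names, the key and version table are assumed to live only in the hypervisor, and page encryption is left out.

```python
import hashlib
import hmac
import os

PAGE_SIZE = 4096


class PageSealer:
    """Hypothetical hypervisor-side helper: tags pages handed to Dom0, tracks versions."""

    def __init__(self, key=None):
        self._key = key or os.urandom(32)  # assumption: never visible to Dom0
        self._versions = {}                # page number -> latest version issued

    def _tag(self, page_no, version, data):
        # Bind the tag to the page's identity and version, not only its contents.
        msg = page_no.to_bytes(8, "big") + version.to_bytes(8, "big") + data
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def seal(self, page_no, data):
        """Bump the page's version; return (version, tag) stored beside the page."""
        version = self._versions.get(page_no, 0) + 1
        self._versions[page_no] = version
        return version, self._tag(page_no, version, data)

    def verify(self, page_no, data, version, tag):
        """Classify a page handed back by Dom0 as 'ok', 'tampered' or 'stale'."""
        if not hmac.compare_digest(tag, self._tag(page_no, version, data)):
            return "tampered"
        if version != self._versions.get(page_no):
            return "stale"  # authentic once, but an older snapshot was replayed
        return "ok"


def demo():
    """Constructed sample pages: seal page 7 twice, then check four hand-backs."""
    sealer = PageSealer()
    old_page, new_page = b"A" * PAGE_SIZE, b"B" * PAGE_SIZE
    old = sealer.seal(7, old_page)
    new = sealer.seal(7, new_page)
    return {
        "current": sealer.verify(7, new_page, *new),
        "modified": sealer.verify(7, b"C" + new_page[1:], *new),
        "replayed": sealer.verify(7, old_page, *old),
        "moved": sealer.verify(8, new_page, *new),
    }


if __name__ == "__main__":
    print(demo())
```

Without the version in the tagged message, the replayed page would verify as authentic, which is the rollback the version number is there to catch.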
Trade-offs: Enhanced security measures increase system overhead:
- Domain build time: 1.7x to 2.3x longer.
- Domain save time: 1.3x to 1.5x longer.
- Domain restore time: 1.7x to 1.9x longer.

Figure: The trusted computing base of a Xen-based environment