We think of a virtual machine as a way to isolate one system from another and, in general, it works well. But not always.
Pwn2Own is a hacking contest that is part of the CanSecWest security conference in Vancouver, BC, Canada.
This year, researchers from Qihoo 360's security team exploited a heap overflow bug in the Microsoft Edge browser. With code running inside the browser, they then exploited a Windows 10 bug to escape the Edge sandbox.
But they weren’t done yet.
Finally, they exploited a bug in VMware's virtual hardware emulation to break out of the guest entirely and run code on the host.
All of this started with visiting a website.
Obviously, the affected vendors will be issuing patches for all these bugs, but it points to the fact – and it is a fact – that nothing is bulletproof, only bullet resistant.
That means that you need to be smart about segmenting workloads on VM hosts, whatever the hypervisor (VMware, Hyper-V, VirtualBox, etc.).
To the degree that you can implement micro-segmentation, that should be your goal. Micro-segmentation lets you define many small network segments, each with explicit rules about which other segments it may talk to, rather than one or two flat networks.
Then you need to make sure that you only place workloads of comparable sensitivity on the same host. The reason is that a VM escape hands the attacker the host, and with it every guest running on that host, no matter how those guests are separated on the virtual network. If you combine micro-segmentation with deliberate workload placement, you limit the blast radius of a virtual machine escape as far as it can be limited.
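To make the blast-radius point concrete, here is an added example written for this post (it is not code from Pwn2Own, Qihoo 360 or any hypervisor vendor). It models a small constructed inventory in which every VM has a trust zone, a host and a network micro-segment, plus an allow-list of segment-to-segment flows. `network_reach` is what micro-segmentation bounds; `escape_reach` is what an attacker holds after escaping to the host, since owning the host means owning every guest on it. All VM names, zones, hosts and flows are hypothetical.

```python
from collections import defaultdict

# Constructed inventory (hypothetical names, not from the post).
# zone    = trust level of the workload
# host    = hypervisor the VM runs on
# segment = network micro-segment the VM's vNIC sits in
VMS = {
    "web-01":   {"zone": "dmz",        "host": "esx-a", "segment": "seg-web"},
    "web-02":   {"zone": "dmz",        "host": "esx-b", "segment": "seg-web"},
    "app-01":   {"zone": "internal",   "host": "esx-a", "segment": "seg-app"},
    "batch-01": {"zone": "internal",   "host": "esx-b", "segment": "seg-app"},
    "db-01":    {"zone": "internal",   "host": "esx-c", "segment": "seg-db"},
    "hr-01":    {"zone": "restricted", "host": "esx-a", "segment": "seg-hr"},
}

# Allowed segment-to-segment flows (directed); everything else is denied.
FLOWS = {("seg-web", "seg-app"), ("seg-app", "seg-db")}


def mixed_hosts(vms):
    """Hosts that carry VMs from more than one trust zone.

    These are the placement violations: an escape from any guest on such
    a host exposes guests of a different (possibly higher) trust level.
    """
    zones = defaultdict(set)
    for vm in vms.values():
        zones[vm["host"]].add(vm["zone"])
    return {host: sorted(z) for host, z in zones.items() if len(z) > 1}


def network_reach(vms, flows, start):
    """VMs reachable from `start` using only the allowed flows.

    Follows flows transitively (an attacker who owns a VM in a reachable
    segment can pivot onward); this is the set micro-segmentation bounds.
    """
    seen = {vms[start]["segment"]}
    frontier = [vms[start]["segment"]]
    while frontier:
        seg = frontier.pop()
        for src, dst in flows:
            if src == seg and dst not in seen:
                seen.add(dst)
                frontier.append(dst)
    return {name for name, vm in vms.items() if vm["segment"] in seen}


def escape_reach(vms, flows, start):
    """VMs exposed once the attacker escapes from `start` to its host.

    Host compromise hands over every guest on that host regardless of
    segment, and each of those guests is then a new network pivot point.
    """
    host = vms[start]["host"]
    on_host = {name for name, vm in vms.items() if vm["host"] == host}
    exposed = set(on_host)
    for vm in on_host:
        exposed |= network_reach(vms, flows, vm)
    return exposed


if __name__ == "__main__":
    print("hosts mixing trust zones:", mixed_hosts(VMS))
    for start in ("web-01", "db-01"):
        print(f"{start}: network reach = {sorted(network_reach(VMS, FLOWS, start))}")
        print(f"{start}: after escape  = {sorted(escape_reach(VMS, FLOWS, start))}")
```

On the constructed data, `web-01` can reach the app and database tiers over the network but never `hr-01`; after an escape on `esx-a`, `hr-01` is exposed as well, purely because it shares a host with the internet-facing VM. `mixed_hosts` flags `esx-a` and `esx-b` as the placements to fix, while `db-01`, alone on `esx-c` with no outbound flows, exposes nothing but itself.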
The folks that engineered this attack won a prize of $105,000. Before you think that they got all that money for a few hours of work, many times the researchers work on these attacks for a year (starting right after the last Pwn2Own) and then release them at the next hack-fest.
This year Pwn2Own distributed more than a half million dollars of prize money. That is a lot of motivation for researchers.
The only question is whether I.T. security engineers are smart enough to use the results of Pwn2Own to reconsider how they are engineering their workloads. That re-engineering is a lot of work, but modern-day hypervisors let companies migrate workloads between hosts easily, sometimes with no downtime at all.
Information for this post came from Ars Technica.