virtualization – Does a virtual machine prevent malware from doing harm?

Disclaimer: I'm going for a high-level understanding. If you want a detailed guide, that's out of scope. In addition, there are other ways (fully in software) to implement virtual machines to which this does not apply. I also focus on "breaking out" through virtualization mechanisms only, that is, not the ones that can happen from PC to PC over real networked hosts.

I like detail, so let's go into some. First of all, CodeProject has excellent assembler references on the different modes of an x86 processor (real, protected and long) and on the use of virtualization. There is an Intel VT blog (I'm not sure that Intel is writing this) and, finally, the first part of The Rootkit Arsenal is devoted to explaining x86 and is an excellent read, complete with step-by-step walkthroughs and nice diagrams. Understanding all of this takes patience, so I will give a very brief introduction to how it works.

The way we switched when we ran DOS

DOS systems and the first 16-bit real-mode systems use a segmented memory model. There is no control over the size of the segments and there is no protection switch on any of these segments. The code is loaded into a heap and executes; it can far-jump into other segments, so any code, no matter where, can alter anything, including producing a TSR (terminate and stay resident) piece of code that simply points one of the IVT (interrupt vector table) entries to an address located in its own space, before running the original. Basically, there is no protection. None. Nada.

Rising to 32-bit protected mode

Protected mode gets complicated quickly. It consists of three parts: segmentation, paging and PAE. Each requires a table of data that tells the CPU about that segment or page, or helps it extend the address space (PAE). These include the famous ring flags (they apply to segments and pages) that implement process isolation. Paging allows you to move data out of RAM onto disk and create sophisticated things like virtual memory (see the word virtual! We're getting there!)

Long mode

Long mode does away with segmentation and simply enforces the PAE/paging structures. Again, to completely trivialize implementing an operating system, paging is controlled by structures in memory that are then set up through special instructions. That's it: with the right settings we can achieve process isolation. Once again, I trivialize slightly …

Give me the virtualization!

OK. Virtualization is the same general concept. Virtual machines are set up using virtual machine control structures that dictate how their memory is mapped onto physical memory, a bit like paging. Crucially, under certain conditions, the virtual machine will have to ask the host operating system for something, a bit like process isolation, a bit like a software interrupt. These are called VM exits and they provide information to the host, such as the state of the registers at the exit. A bit like a system call.

Can malicious software come out of a virtual machine?

Thus, with regard to the VM, the host operating system has all its memory space and can be infected / damaged / destroyed as it sees fit.

As for directly affecting the host's memory, the virtual machine cannot, because it cannot see it. The host must map the required memory into the virtual machine's space. It must also, in that memory space, implement everything from the BIOS up. In order to communicate with certain host devices for certain tasks, the host machine must set up these VM exit conditions and the target virtual machine must trigger them. When that happens, control is transferred to the host.

There are therefore two possible risk areas:

  1. The actions of the host in response to a VM exit. If there are any bugs in this handling, it may be possible to persuade the host to perform something that it should not do.
  2. Any host access to the memory space of the guest machine. Remember that the host machine's ring 0 code can come in and crash the party wherever it likes. It turns out that you can set the guest's memory from the guest (surprisingly).

This leads you to your exploitation mechanism. You need a handling bug in the VM exit routine. You must then be able to persuade that code to execute some memory, ideally the code you just put in a guest VM page. Once done, say goodbye to Kansas.

As Tom Leek says, virtual machines are incredibly effective at defending against fork bombs. In the same way that the operating system can limit the amount of memory a process allocates, it can limit the amount of memory mapped to the virtual machine. Run out, and the guest operating system thinks it is out of physical memory; the host will not allocate more unless you implement a VM exit to do that, which would be a bit dangerous and I do not think that's done.

What is the probability of this?

Not very. It depends entirely on those VM exit implementations, or on the host reading guest memory with a nice bug in the reading code. It also requires that the bug let you control the crash so that you can force execution to your memory address on the host. The VM exit must be able to access this memory.

What didn't I cover?

  1. Attacks on existing software stacks such as TCP/IP. The vulnerabilities here are the same as if you had two real physical PCs.
  2. Fully software virtualization.
  3. Virtualization on any other type of chip. This applies to Intel VT compatible configurations.

Finally, I've already argued that process isolation is a form of sandbox. By reading this answer and this one, you should now be able to understand why I define them this way. There are remarkable similarities between process isolation and virtual machines in x86.


I have since dug into this subject further, especially the research on Blue Pill. What I have described is a very simplistic high-level view. I found more details. Here is an article devoted to it by Invisible Things Lab. It turns out that their talk on defense included the concept of denying execution of user-mode pages from ring 0, thus preventing direct execution of data that the virtual machine has placed in memory. It turns out that this is being implemented in Intel processors and that patches currently exist in the Linux kernel. Thus, depending on the circumstances, attacks of this nature may become much more difficult, even if exploits exist.
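
As an added illustration of the first risk area in the answer above (the host's handling of a VM exit), and not part of the original answer: a simplified C model of a host-side exit handler that treats every guest-supplied field as untrusted and only touches memory inside the guest's mapping. The structures, function names and the `EXIT_DEV_READ` reason are hypothetical and do not reproduce Intel VT's real control structures.

```c
#include <stdint.h>
#include <string.h>

/* Toy model, hypothetical names: the guest sees only the buffer the host
 * mapped for it and requests service through an exit record. */
enum exit_reason { EXIT_DEV_READ = 1 };
struct vm_exit {
    enum exit_reason reason;
    uint64_t gpa;  /* guest-physical destination, guest-controlled */
    uint64_t len;  /* byte count, guest-controlled */
};
/* mem: host memory mapped into the guest; mem_size: size of that mapping */
struct guest { uint8_t *mem; uint64_t mem_size; };

/* Map a guest-physical range to a host pointer, or NULL if any byte lies
 * outside the mapping. Comparing len with mem_size - gpa avoids the
 * wrap-around that computing gpa + len could hit. */
static uint8_t *guest_range(struct guest *g, uint64_t gpa, uint64_t len)
{
    if (len == 0 || gpa >= g->mem_size || len > g->mem_size - gpa)
        return NULL;
    return g->mem + gpa;
}

/* Host-side handler: every field of the exit record is untrusted.
 * Returns 0 on success, -1 if the request is rejected. */
int handle_vm_exit(struct guest *g, const struct vm_exit *e,
                   const uint8_t *dev, size_t dev_len)
{
    uint8_t *dst;
    switch (e->reason) {
    case EXIT_DEV_READ:
        dst = guest_range(g, e->gpa, e->len);
        if (dst == NULL || e->len > dev_len)
            return -1; /* refuse rather than copy out of bounds */
        memcpy(dst, dev, (size_t)e->len);
        return 0;
    default:
        return -1; /* unknown exit reasons are rejected */
    }
}

/* Constructed demo: 4 KiB guest mapping, 16-byte device buffer. */
int demo_request(uint64_t gpa, uint64_t len)
{
    static uint8_t ram[4096];
    static const uint8_t dev[16] = { 0x5a };
    struct guest g = { ram, sizeof ram };
    struct vm_exit e = { EXIT_DEV_READ, gpa, len };
    return handle_vm_exit(&g, &e, dev, sizeof dev);
}
```

Without the range check in `guest_range`, the copy would land wherever the guest's register values pointed in host memory, which is the kind of handling bug the answer refers to.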