Forensic analysis helps close gaps in hypervisor vulnerabilities

In June 2019, the National Institute of Standards and Technology (NIST) published its draft of NISTIR 8221, “A Methodology for Enabling Forensic Analysis Using Hypervisor Vulnerabilities Data.”

The report provides guidance on how to use forensic analysis to detect, reconstruct and prevent attacks based on hypervisor vulnerabilities as they occur. The report focuses on two open-source hypervisors — Xen (in the Linux kernel) and Kernel-based Virtual Machine (KVM) — to illustrate the methodology.

Xen vs. KVM

Xen is a type 1 hypervisor whereas KVM can be either a type 1 or type 2 hypervisor.

A type 1 hypervisor is a bare-metal hypervisor that runs directly on the host’s hardware to control the hardware and manage guest operating systems.

A type 2 hypervisor runs as a process on top of a host operating system; KVM adds type 1 hypervisor features to most Linux operating systems. For example, Red Hat Enterprise Virtualization uses KVM, and Citrix uses Xen in its commercial XenServer.

NIST collected and analyzed hypervisor vulnerabilities in 83 Xen and 20 KVM products reported in the NIST National Vulnerability Database in 2016 and 2017. They were classified by their underlying hypervisor functionality, attack type and attack source. Vulnerabilities reported after 2017 were not included in the analysis.

Forensic analysis

Two sample attacks were launched to exploit vulnerabilities in the hypervisor’s functionality. After the sample attacks concluded, NIST identified the gaps in the evidence needed to detect and reconstruct the attacks for further examination. The techniques required to gather the missing evidence were then incorporated into the forensic analysis during subsequent attack runs.

The types of attacks caused by Xen and KVM hypervisor vulnerabilities include:

  1. Denial-of-service (DoS);
  2. Privilege escalation;
  3. Information leakage;
  4. Arbitrary code execution;
  5. Unauthorized file read, modify and delete; and
  6. Other, such as data corruption or canceling of administrators’ other operations.

The most common attack type was DoS, at 44% for Xen and 63% for KVM. This result indicates that an attack on the availability of cloud services could be a serious security problem. The other top attack types were privilege escalation (30% for Xen and 11% for KVM), information leakage (14% for Xen and 19% for KVM) and arbitrary code execution (7% for both Xen and KVM).

Although each of these attack types occurs less frequently than DoS, they all carry serious potential risks, such as leaks of user information or compromise of the host or guest VMs.

The report also divided the attack sources into five categories:

  1. Administrator;
  2. Guest OS administrator;
  3. Guest OS user;
  4. Remote attacker; and
  5. Host OS user.

The most common attack source was guest OS users, at 76% for Xen and 85% for KVM. NIST suggests that cloud providers should closely monitor guest users’ activities to reduce attack risks. The second most common attack source was guest OS administrators, at 20% for Xen and 5% for KVM.

While the forensic analysis approach NIST takes to close these gaps is encouraging, enterprise users should move beyond these results for better security. Considering other factors, such as how to overcome a hypervisor’s inability to generate sufficient entropy, can tighten your data protection and reduce hypervisor vulnerabilities in your systems.