Hijacking Virtual Machine Execution for Fun and Profit presented at DeepSec 2007

by Nguyen Anh Quynh

Summary: In general, virtual machine (VM) technology guarantees strong isolation between VMs, so even if one VM is compromised, the other VMs are not affected. However, this talk demonstrates that if an attacker takes over the host VM, he can do pretty much anything he wants with the guest VMs. Several sophisticated techniques to hijack the execution of a running VM are presented, which can be used to redirect any VM's execution at will. While the proposed methods are not limited to any particular kind of virtual machine, we demonstrate them on the Xen Virtual Machine. In a demo, the attacker dynamically injects a few bytes (fewer than 10) into a running Linux VM, then captures (and later replays) all the keystrokes and screen output of the VM's consoles. The hijacking causes no negative impact on I/O performance, so it is unlikely to raise the VM owner's suspicion. Meanwhile, the same hijacking technique can also offer great benefit to the white-hat community. The second demo shows that with only a few bytes injected into a protected VM, we can build a file-system integrity tool. Compared to traditional approaches such as Tripwire, this IDS offers several advantages: real-time detection, zero deployment cost, richer intrusion evidence, and less exposure to the attacker. The presented techniques work with any kind of OS, and require absolutely no modification to the guest VMs' kernels or to the hypervisor. Furthermore, everything is done in user space, so the techniques are straightforward to implement and require no deep knowledge of OS kernel internals.