I regularly scour the Net for the latest security updates, and a few attack vectors of late have stuck in my mind. One could argue that bleeding-edge proof-of-concepts will probably never turn into actual attacks. Then again, there was a time when rootkits and completely self-propagating viruses (what we now know as worms) were nothing more than concepts.
In a virtual-machine-based attack, the running operating system is moved underneath a thin, hostile hypervisor and carries on as a guest, oblivious to the compromise. Because that hypervisor sits between the operating system and the hardware, it can intercept and alter anything the guest does, and the stage is set for a perfect man-in-the-middle attack. Any authentication with remote systems that is not based on two-factor authentication is then completely compromised, since the credentials themselves can be captured on their way out; and even a second factor only protects the credential, not the session that follows it.
As far as I am aware, there haven’t been any ready-made hacking kits that leverage virtual machine technology so far. Still, as hypervisors go mainstream, their increasing sophistication and availability might just change the situation. Indeed, VMware recently announced that its ESXi hypervisor will be made available for free, in direct response to Microsoft releasing Hyper-V for a nominal fee. The possibility of attackers reusing existing hypervisor code to build their own “blue pill” malware cannot be denied.
Thankfully, work has been done on detecting the presence of a virtual environment from inside it. Of course, the appearance of a new rootkit for Cisco’s IOS complicates the situation further by extending the same kind of threat to network appliances, not just general-purpose computing platforms.
It must also be pointed out that it is trivial for a disgruntled employee with physical access to a machine to image a production system using the free physical-to-virtual migration tools that VM vendors give away, and then examine the copy elsewhere at leisure. While this has always been possible, the technical barrier to doing so has never been so low.
Certainly, this is an area to keep an eye on.
Cold boot attacks
Earlier this year, a Princeton University team demonstrated what it termed a “cold boot” attack on encryption keys. The principle of this attack vector is that data stored in random access memory (RAM) is not lost the instant a system is powered down. Rather, the contents fade gradually over a period of seconds or even minutes, and they persist even if the memory module is physically removed from the motherboard; cooling the module slows the decay further.
The team showed that the contents of a DIMM holding 128-bit AES keys could be copied and the key recovered even after some bits had decayed, without any custom-made hardware. The trick is the redundancy of the AES key schedule: every round key is derived from the one before it, so a decayed bit in one round key can be corrected from the bits that depend on it in the others.
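To make that key-schedule redundancy concrete, here is an added example (my own code, not the Princeton team’s) that expands an AES-128 key, simulates unidirectional decay of the memory image, and recovers the key by backtracking over the 16 key bytes while checking every round-key byte that becomes computable against the image. It assumes the attacker has already located the 176-byte expanded key in the image and that decay runs toward a ground state of 0, so a bit that still reads 1 was 1 before power-off; the key, the 5% decay rate and the random seed are constructed inputs.

```python
"""Repairing a decayed AES-128 key schedule (constructed demo, not the
Princeton team's code).  Assumptions: the 176-byte expanded key has been
located in the image, and decay is unidirectional toward 0."""
import random


def _build_sbox():
    """Standard AES S-box from the GF(2^8) inverse and affine map,
    so no 256-entry table has to be pasted in."""
    sbox = [0] * 256
    p = q = 1                       # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= (q << 1) & 0xFF                                     # q /= 3
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)       # rotations
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF                  # affine map
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def idx(r, c, b):
    """Offset of byte b of column c of round key r in the schedule."""
    return 16 * r + 4 * c + b


# Every derived byte in dependency order: (target, in_a, in_b, sbox?, rcon).
# Column 0 of round r = column 0 of round r-1 XOR S(rotated column 3 of
# round r-1) XOR rcon; column c>0 = column c-1 of round r XOR column c of
# round r-1.  A single pass over DEPS derives everything derivable.
DEPS = []
for _r in range(1, 11):
    for _b in range(4):
        DEPS.append((idx(_r, 0, _b), idx(_r - 1, 0, _b),
                     idx(_r - 1, 3, (_b + 1) % 4), True,
                     RCON[_r - 1] if _b == 0 else 0))
    for _c in range(1, 4):
        for _b in range(4):
            DEPS.append((idx(_r, _c, _b), idx(_r, _c - 1, _b),
                         idx(_r - 1, _c, _b), False, 0))


def expand_key(key):
    """AES-128 key expansion: 16 key bytes -> 176 schedule bytes."""
    sched = list(key) + [None] * 160
    for t, a, b, sub, rc in DEPS:
        sched[t] = sched[a] ^ (SBOX[sched[b]] if sub else sched[b]) ^ rc
    return sched


def decay(sched, rate, rng):
    """Simulate cold-boot decay: each set bit fades to 0 with prob `rate`."""
    out = []
    for byte in sched:
        for bit in range(8):
            if byte >> bit & 1 and rng.random() < rate:
                byte ^= 1 << bit
        out.append(byte)
    return out


def consistent(value, observed):
    """A candidate byte must still contain every bit that survived decay."""
    return (value & observed) == observed


# Guess order for the key bytes: each new byte completes at least one
# round-1 byte that can be checked, so wrong guesses die early.
ORDER = [(0, 0), (3, 1), (1, 0), (2, 0), (3, 0), (0, 1), (3, 2), (1, 1),
         (2, 1), (0, 2), (3, 3), (1, 2), (2, 2), (0, 3), (1, 3), (2, 3)]


def recover_key(image):
    """Return the 16-byte key whose schedule is consistent with `image`,
    or None if no key fits."""
    cands = {(c, b): [v for v in range(256)
                      if consistent(v, image[idx(0, c, b)])]
             for c in range(4) for b in range(4)}
    sched = [None] * 176

    def propagate():        # derive what we can; reject on any mismatch
        for t, a, b, sub, rc in DEPS:
            if sched[t] is None and sched[a] is not None and sched[b] is not None:
                v = sched[a] ^ (SBOX[sched[b]] if sub else sched[b]) ^ rc
                if not consistent(v, image[t]):
                    return False
                sched[t] = v
        return True

    def search(depth):
        if depth == len(ORDER):
            return bytes(sched[:16])
        target = idx(0, *ORDER[depth])
        for v in cands[ORDER[depth]]:
            saved = sched[:]
            sched[target] = v
            if propagate():
                found = search(depth + 1)
                if found is not None:
                    return found
            sched[:] = saved
        return None

    return search(0)


def demo(seed=1, rate=0.05):
    """Random key, decayed schedule (constructed input), recovered key."""
    rng = random.Random(seed)
    key = bytes(rng.randrange(256) for _ in range(16))
    image = decay(expand_key(key), rate, rng)
    return key, recover_key(image)


if __name__ == "__main__":
    key, recovered = demo()
    print("original :", key.hex())
    print("recovered:", recovered.hex() if recovered else None)
```

With 5% of the set bits decayed the backtracking finishes in seconds, because each guessed key byte is immediately tested against the round keys that depend on it and ten rounds of such checks leave only the real key standing. A naive search like this slows sharply as decay grows, which is where the paper’s slice-by-slice decoder earns its keep; the lesson for defenders is the same either way: a partially decayed image is not a safe image.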
What is the relevance of a cold boot attack in the grand scheme of things? Consider how it defeats current disk encryption schemes such as BitLocker, FileVault, and TrueCrypt: a running disk-encryption system has to keep its key in RAM to service I/O, and the attack simply reads the key out of memory. Indeed, the researchers were able to recover the key and mount a BitLocker-encrypted volume, with tools booted from an external USB drive, in about 25 minutes.
One might argue that stealing a “live” system is no simple affair. However, a great many laptop users rely on sleep or hibernation to get started quicker, which raises the question of whether such systems are susceptible. Sleep (suspend to RAM) keeps memory powered, key included, so a sleeping laptop is as exposed as a running one; hibernation writes memory to disk and powers the machine off, so the key is only safe if the encryption software scrubs it from RAM before the machine goes down. The research paper, an explanatory video and the source code are available from the Princeton team.
Scheduled to take place at the Hack In The Box (HITB) Security Conference in Kuala Lumpur in October, the demonstration will target fully patched operating systems. The systems will range from the various Windows variants to Linux, BSD, and possibly even a Mac.
What do you think of the potential of these new-wave security threats? Which new attack vectors are you most concerned about?