If I am running a Windows 7 virtual machine on a Windows 7 host using VMware or VirtualBox (or anything else) and the virtual machine is completely overloaded with viruses and other malicious software, should I worry about my host machine?
If I have an anti-virus program on the host machine, will it detect any problems?
Answer
What every answer has missed so far is that there are more attack vectors than just network connections and file sharing, but with all the other parts of a virtual machine - especially in regards to virtualizing hardware. A good example of this is shown below (ref. 2) where a guest OS can break out of the VMware container using the emulated virtual COM port.
Another attack vector, commonly included and sometimes enabled by default, on almost all modern processors, is x86 virtualization. While you can argue that having networking enabled on a VM is the biggest security risk (and indeed, it is a risk that must be considered), this only stops viruses from being transmitted how they are transmitted on every other computer - over a network. This is what your anti-virus and firewall software is used for. That being said...
There have been outbreaks of viruses which can actually "break out" of virtual machines, which has been documented in the past (see references 1 and 2 below for details/examples). While an arguable solution is to disable x86 virtualization (and take the performance hit running the virtual machine), any modern (decent) anti-virus software should be able to protect you from these viruses within limited reason. Even DEP will provide protection to a certain extent, but nothing more than when the virus would be executed on your actual OS (and not in a VM). Again, noting the references below, there are many other ways malware can break out of a virtual machine aside from network adapters or instruction virtualization/translation (e.g. virtual COM ports, or other emulated hardware drivers).
Even more recent is the addition of I/O MMU Virtualization to most new processors, which allows DMA. It does not take a computer scientist to see the risk of allowing a virtual machine with a virus direct memory and hardware access, in addition to being able to run code directly on the CPU.
I present this answer simply because all of the other ones lead you to believe that you just need to protect yourself from files, but allowing virus code to directly run on your processor is a much bigger risk in my opinion. Some motherboards disable these features by default, but some don't. The best way to mitigate these risks is to disable virtualization unless you actually need it. If you aren't sure if you need it or not, disable it.
While it is true that some viruses can target vulnerabilities in your virtual machine software, the severity of these threats is drastically increased when you take into account processor or hardware virtualization, especially those that require additional host-side emulation.
1. How to recover virtualized x86 instructions by Themida (Zhenxiang Jim Wang, Microsoft)
2. Escaping VMware Workstation through COM1 (Kostya Kortchinsky, Google Security Team)
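
As an added example (not part of the original answer and not vendor tooling), one way to act on the point about emulated hardware is to audit a VMware `.vmx` configuration for enabled virtual devices before running untrusted software in the guest. The device selection, function names and sample configuration are assumptions made for this illustration.

```python
import re

# Device/feature prefixes in a VMware .vmx file that add guest-reachable host
# code. The selection is an assumption for this example, not a complete list.
DEVICE_PREFIXES = {
    "serial": "virtual COM port",
    "parallel": "virtual parallel port",
    "sound": "virtual sound card",
    "usb": "virtual USB controller",
    "sharedFolder": "host shared folder",
    "ethernet": "virtual network adapter",
}
LINE_RE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return {key: value} from .vmx text; comments and blank lines never match."""
    settings = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings

def audit_vmx(text):
    """List enabled emulated devices, sorted by configuration key."""
    findings = []
    for key, value in sorted(parse_vmx(text).items()):
        name, _, attr = key.partition(".")       # "serial0.present" -> "serial0", "present"
        prefix = name.rstrip("0123456789")       # "serial0" -> "serial"
        if attr == "present" and value.upper() == "TRUE" and prefix in DEVICE_PREFIXES:
            findings.append(f"{name}: {DEVICE_PREFIXES[prefix]} enabled")
    return findings

# Constructed sample configuration, not taken from a real machine.
SAMPLE_VMX = '''
# analysis VM
displayName = "win7-analysis"
serial0.present = "TRUE"
serial0.fileType = "pipe"
ethernet0.present = "TRUE"
sharedFolder0.present = "true"
sound.present = "FALSE"
usb.present = "TRUE"
'''

if __name__ == "__main__":
    for finding in audit_vmx(SAMPLE_VMX):
        print(finding)
```

Each finding is a device the guest can talk to through host-side emulation code; removing the ones the guest does not need shrinks that surface.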