Can virtualized applications interact without permission?
From my understanding, if a guest OS in a virtualized system is compromised, it could theoretically go through the hypervisor layer and get to the rest of the guest operating systems and compromise those as well. In an environment with virtualized applications, would the applications be able to interact with each other without explicit permission in any way?
Let's take a few seconds and look back at the virtual machine (VM) escape techniques we have seen in the past few years. First, attacks targeted the devices that Qemu, a processor emulator, created for the virtual OS, including video and network cards. Shortly after the Qemu escapes, a VMware virtual machine escape was demonstrated by researchers Ed Skoudis and Tom Liston at the SANS Institute's 2007 SANSFIRE conference. And recently, there were virtual machine escape attacks incorporated into Core Impact, a commercial penetration testing application developed by Core Security Technologies Inc. So, virtual machine escape is no longer theoretical; there are practical attacks currently available in the wild.
All of the above attacks focus on gaining access to the host machine. Once accomplished, an attacker has the ability to access all of the guest operating systems and applications being hosted.
So now let's look at application virtualization. Application virtualization focuses on virtualizing applications and the necessary operating system components for the app to function. While I think that the technology helpfully reduces the attack surface available to an attacker, many of the same attack and escape vectors will remain.
What we must be cautious of is falling into the same trap that many security professionals were caught in with virtual machines. Just because no exploits are currently available for virtualized applications does not mean one will not surface in the near future. We need to design our architectures so that our public and sensitive data are hosted on different host machines. This arrangement would prevent a compromise on a public system or the exposure of sensitive data from a virtualized application.
This was first published in October 2008