Questions:
- if a VM is corrupted (hacked), what do I risk on others VMs running on the same physical machine?
- What kind of security issues is there between VMs running on the same physical host?
- Is there (can you make) a list of those (potential) weaknesses and/or issues?
Warning:
I know many virtualization types/solutions exist, and may have different weaknesses. However, I'm mostly looking for general security issues about the virtualization techniques, rather than a particular vendor bug.
Please provide real facts, (serious) studies, experienced issues or technical explanations. Be specific. Do not (only) give your opinion.
- Examples:
Two years ago, I've heard that there could be security issues related to the MMU (accessing other machines main memory, I think), but I don't know if that is a practical threat as of today, or just a theoretical research subject.
EDIT: I also found this "Flush+Reload" attack capable of retrieving GnuPG secret keys on the same physical machine, by exploiting the L3 CPU cache, even if GnuPG runs on another VM. GnuPG has been patched since.
Best Answer
Of course it is possible to exploit another VM running on the same hardware, given a working exploit. Additionally, one can exist. Your question cites some recent work showing one. I'm not going to share any specific exploits or PoC here, but I'll gladly say how they can be made.
The exploits that are used in this context are naturally different from ones that function when you're running on the same machine you are trying to exploit a service on, and they tend to be quite a bit harder due to the increased isolation. However, some general approaches that can be used to accomplish such an exploit include:
Specific attacks will arise and be patched as time goes on, so it isn't ever valid to classify some particular mechanism as being exploitable, exploitable only in lab conditions, or unexploitable. As you can see, the attacks tend to be involved and difficult, but which ones are feasible at a particular time is something that changes rapidly, and you need to be prepared.
That said, the vectors I've mentioned above (with the possible exception of the last one in certain cases of it) simply don't exist in bare-metal environments. So yes, given that security is about protecting against the exploits you don't know about and that aren't in the wild as well as the ones which have been publicly disclosed, you may gain a little security by running in bare metal or at least in an environment where the hypervisor doesn't host VMs for all and sundry.
In general, an effective strategy for secure application programming would be to assume that a computer has other processes running on it that might be attacker-controlled or malicious and use exploit-aware programming techniques, even if you think you are otherwise assuring no such process exists in your VM. However, particularly with the first two categories, remember that he who touches the hardware first wins.