How your data leaks from a virtual machine

Virtual machines (VMs) can help make life easier. Unfortunately, they can also be a pain point when it comes to security. To better protect your data, it is helpful to understand how your data can leak from a virtual machine.

What you need to know about a virtual machine is that it is just a normal process running on the hypervisor. Every process has its own memory space, and that memory space is what the virtual machine sees as its own memory. Every memory page can be accessed directly by the hypervisor; therefore, the hypervisor can be used to inspect all the confidential information stored in the memory of your VM.

When you use secure shell to access your VM, all the traffic is encrypted, and you also encrypt the virtual disk with a strong PGP encryption algorithm. You think everything is protected and no one can steal your data. However, if your VMs are running on a compromised hypervisor, your data is not safe at all. The key point is that all encrypted data is eventually stored in memory in plain text; otherwise, how could you read it in your editor? Consequently, everything shown in your editor and any string you type into the browser can be read directly from memory. Your data is naked.

Every process running on the Linux kernel has two files that expose all of its memory information:

  1. /proc/<the pid of the process>/maps
  2. /proc/<the pid of the process>/mem

The first file shows exactly how the process's virtual address space is laid out, and the address ranges it lists are the ones you use to access the memory.

Here is a snippet from /proc/<the pid of the process>/maps:

7f56bc021000-7f56c0000000 ---p 00000000 00:00 0
7f56c0000000-7f56c0021000 rw-p 00000000 00:00 0
7f56c0021000-7f56c4000000 ---p 00000000 00:00 0
7f56c4000000-7f56c4021000 rw-p 00000000 00:00 0
7f56c4021000-7f56c8000000 ---p 00000000 00:00 0
7f56c8000000-7f56c8021000 rw-p 00000000 00:00 0
7f56c8021000-7f56cc000000 ---p 00000000 00:00 0

Once you have the ranges, you can use them to walk through the second file, which contains the actual contents of the memory. Searching for something like a credit card number in memory is then just a matter of pattern matching.
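To make the two files concrete, here is an added example (my own code, not the author's) that parses the maps snippet above, keeps only the ranges a reader of /proc/<pid>/mem can actually use, and then shows on the current process that a secret held in memory is visible in plain text to anyone with that access. The parser runs anywhere; the live part assumes a Linux /proc filesystem and returns None elsewhere. The `---p` ranges in the snippet are reserved address space with no access permission, so they are skipped rather than read.

```python
"""Parse /proc/<pid>/maps and read the usable ranges of /proc/<pid>/mem.

Added example for this post (not the author's code). The parser is
portable; find_in_own_memory() needs a Linux /proc filesystem.
"""
import os
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# One line of /proc/<pid>/maps:  start-end perms offset dev inode [pathname]
_MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+"
    r"(?P<inode>\d+)\s*"
    r"(?P<path>.*)$"
)


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def readable(self) -> bool:
        # '---p' ranges are reserved but inaccessible (PROT_NONE); reading them
        # through /proc/<pid>/mem fails with EIO, so they are skipped.
        return self.perms[0] == "r"


def parse_maps(text: str) -> List[Mapping]:
    """Turn the text of a maps file into Mapping records (one per line)."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised maps line: {line!r}")
        out.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                           m["perms"], m["path"].strip()))
    return out


def readable_ranges(text: str) -> List[Mapping]:
    """Only the mappings whose contents can be read from /proc/<pid>/mem."""
    return [m for m in parse_maps(text) if m.readable]


def iter_readable_memory(pid, chunk: int = 1 << 20) -> Iterator[Tuple[int, bytes]]:
    """Yield (address, bytes) for every readable range of process `pid`.

    Each mapping's start address is simply the offset to seek to in mem.
    Reading another process's mem requires ptrace rights, which is exactly
    the privilege a hypervisor host holds over every VM process it runs.
    """
    with open(f"/proc/{pid}/maps") as f:
        maps = f.read()
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        for m in readable_ranges(maps):
            if m.path == "[vvar]":  # not readable through mem; skip it
                continue
            addr = m.start
            while addr < m.end:
                try:
                    mem.seek(addr)
                    data = mem.read(min(chunk, m.end - addr))
                except OSError:  # e.g. EIO on [vsyscall] or a torn-down range
                    break
                if not data:
                    break
                yield addr, data
                addr += len(data)


def find_in_own_memory(marker: bytes) -> Optional[int]:
    """Address at which `marker` appears in this process's own memory, or
    None when /proc is unavailable. Shows the post's point: a secret that
    exists in memory is plain text to whoever can read /proc/<pid>/mem."""
    if not os.path.exists("/proc/self/mem"):
        return None
    for addr, data in iter_readable_memory("self"):
        i = data.find(marker)
        if i >= 0:
            return addr + i
    return None


# Constructed input: the snippet from the post, with '---p' (PROT_NONE) ranges.
SAMPLE_MAPS = """\
7f56bc021000-7f56c0000000 ---p 00000000 00:00 0
7f56c0000000-7f56c0021000 rw-p 00000000 00:00 0
7f56c0021000-7f56c4000000 ---p 00000000 00:00 0
7f56c4000000-7f56c4021000 rw-p 00000000 00:00 0
7f56c4021000-7f56c8000000 ---p 00000000 00:00 0
7f56c8000000-7f56c8021000 rw-p 00000000 00:00 0
7f56c8021000-7f56cc000000 ---p 00000000 00:00 0
"""

if __name__ == "__main__":
    for m in readable_ranges(SAMPLE_MAPS):
        print(f"{m.start:x}-{m.end:x} {m.perms} {m.size // 1024} KiB")
    secret = b"SECRET-" + os.urandom(8).hex().encode()  # constructed marker
    print("secret found at", find_in_own_memory(secret))
```

Run on the snippet, only the three `rw-p` ranges survive (132 KiB each); the four `---p` ranges between them are address space the process reserved but cannot touch, and attempting to read them from mem only costs you an EIO. The live half finds the constructed marker in the script's own heap, which is the whole lesson of the post from the defender's side: once something is in a VM's memory it is plain text to the host, so the controls that matter are who you trust with the hypervisor and whether the guest's memory is encrypted against that host, not the encryption on the disk or the wire.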

The precondition for using this technique is root privilege on the hypervisor. The new question becomes: is it easy to get root privilege? Think about the public cloud. Public cloud providers certainly have root privilege on their hypervisors, so your data is transparent to them. You are not the only person who can access the data stored in your VM!
