
I'm new to using VMs, so I suspect this question may answer itself with experience, however, this question has been bugging me.

If a computer user has a VM set up, and plugs in a pen drive, what's stopping any potential malware from "hopping" from VM, to drive, to host?

I would expect that a secure VM would either not allow external devices, or isolate them from the host. E.g., a flash drive being used by the VM wouldn't be visible to the host.

However, this system wouldn't be practical for the user because of the various required interface devices. (Think USB keyboard or mouse. I know those can be targeted by a version of the BadUSB exploit.) If the VM isolated the keyboard, then the user would have no means of input while using the host, and no means of telling the system to switch back to the VM.

How is this security conflict resolved?

CoilKid

1 Answer


Think of a hardware based host as a fish tank. Imagine that the virtual host is a smaller fish tank that sits inside the larger fish tank. You can add fish to your fish tank: either to the larger tank or the smaller tank. Generally the VM (smaller tank) is created in such a way that software running on the VM can't break free of the VM and run on the real hardware. Metaphorically, you don't let fish swim from the smaller tank into the bigger tank.

A VM comes with a set of virtual hardware: CPU, RAM, graphics chip or board, even BIOS and chipset. These pieces of virtual hardware are software programs running on the real hardware and providing service to the VM. Real USB devices are first plugged into real hardware. From there they can either be shared with a VM or dedicated either to the real machine or the virtual machine.

You can of course isolate a VM from any USB devices, but that would not necessarily protect the VM. The VM is vulnerable to software running on the real machine, because the VM depends on the real machine for its CPU cycles, memory, and storage. If you plug a Bad USB device into your real machine, it could attack the VM by changing the contents of the VM memory or storage without accessing the VM through the virtual USB hardware interface.

There is no conflict here, because VMs are only meant to contain software running on the VM from gaining access to the resources of the real machine.

this.josh
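To make the "dedicated to the VM" versus "no USB at all" choice from the answer concrete, here is an added example (not from the question or the answer above) using libvirt domain XML for a QEMU/KVM guest; the thread does not name a hypervisor, so libvirt is an assumption, and the vendor and product ids are constructed placeholders.

```xml
<!-- Option A: the guest gets no USB controller, so no pen drive
     can be attached to it at all. The host still enumerates every
     device that is plugged in; only the guest is cut off. -->
<devices>
  <controller type='usb' model='none'/>
</devices>

<!-- Option B: one specific device is handed to the guest. The host
     kernel sees the device first (it has to, to match vendor and
     product ids), then the hypervisor detaches it from the host
     driver and exposes it to the guest's virtual USB bus. -->
<devices>
  <hostdev mode='subsystem' type='usb'>
    <source>
      <!-- constructed placeholder ids, not a real product -->
      <vendor id='0x1234'/>
      <product id='0x5678'/>
    </source>
  </hostdev>
</devices>
```

Either fragment belongs inside the guest's `<domain>` definition; note that in both cases the physical device is first handled by the real machine, which is the point the answer makes.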