6

I was reading this post on SuperUser, and it made me wonder about security. I've read somewhere else that some viruses/malware/whatever CAN break outside of a VM... and then infect the host OS. BUT, what if the virus considers the 1st VM as the Host OS? Or what if you had a Windows box, Linux VM, then a Windows VM? Surely this cross-platforming would be extremely hard to get across / subvert. Would this be an ideal way for someone to study viruses or malware if they couldn't afford the correct tools? Surely a firewall and antivirus scanner on each "system" would be good enough to protect the real host, unless it was a pretty badass virus.

cutrightjm
  • This is interesting, but not highly practical. I wonder if anyone has created a honey pot host for the purpose of detecting said viruses. – emory Jul 08 '12 at 05:00

3 Answers

18

Firstly, there is no guarantee you'll even be able to run a VM inside a VM. It may seem obvious but it is by no means certain it will even work. This is because VMs may rely on virtualization features of your hardware which are not exposed inside the VM itself.

Secondly, why two, why not three, four, five, etc... There is such a thing as overkill security. If the virus can "escape" the inner VM, then it can just as easily escape the outer VM, and reach the host. Besides, most viruses transmit themselves via the network and not through some hole in the VM, and in that case just nesting VMs changes nothing since the host network will be equally visible on every level.

If your virus is dangerous enough for you to even consider nesting multiple virtual machines, it must be one hell of a virus, and consequently you should just grab a cheap netbook with no network/bluetooth capability and roll with that. Otherwise, a single VM ought to be enough.

Thomas
  • I tried it once, but the guest running on the actual iron didn't allow me to try to start a secondary VM. Good question though. – jippie Jul 07 '12 at 21:29
  • Nested virtualization is a thing now. Both Intel and AMD processors have supported it for a few years now, and hypervisors are (sometimes slowly) beginning to add support. – Michael Hampton Nov 23 '14 at 04:32
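
Whether the hardware virtualization features mentioned in the answer above are exposed inside a guest, and whether a KVM host passes them on to its guests as the last comment describes, can be checked on Linux. The script below is an added example, not part of the original answer or comments; it assumes a Linux system, the `vmx`/`svm` CPU flags in `/proc/cpuinfo`, and the `nested` parameter of the `kvm_intel`/`kvm_amd` modules, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread). Function names are hypothetical.

# cpu_virt_flag FILE: print vmx (Intel VT-x), svm (AMD-V) or none, from the
# "flags" line of a file in /proc/cpuinfo format.
cpu_virt_flag() {
    if grep -Eq '^flags[[:space:]]*:.*[[:space:]]vmx([[:space:]]|$)' "$1"; then
        echo vmx
    elif grep -Eq '^flags[[:space:]]*:.*[[:space:]]svm([[:space:]]|$)' "$1"; then
        echo svm
    else
        echo none
    fi
}

# nested_enabled FILE: print yes if a KVM "nested" parameter file holds Y or 1,
# otherwise no (a missing file means the module is not loaded).
nested_enabled() {
    [ -r "$1" ] || { echo no; return; }
    case "$(cat "$1")" in
        Y|y|1) echo yes ;;
        *)     echo no ;;
    esac
}

# report [CPUINFO] [SYSMODULE_DIR]: one-line summary for this system.
report() {
    cpuinfo=${1:-/proc/cpuinfo}
    sysmod=${2:-/sys/module}
    flag=$(cpu_virt_flag "$cpuinfo")
    case "$flag" in
        vmx) mod=kvm_intel ;;
        svm) mod=kvm_amd ;;
        *)   echo "no-hw-virt"; return ;;
    esac
    nested=$(nested_enabled "$sysmod/$mod/parameters/nested")
    echo "hw-virt:$flag nested-to-guests:$nested"
}

# Run against the live system when the files exist.
if [ -r /proc/cpuinfo ]; then report; fi
```

Run inside a guest, `no-hw-virt` means the outer hypervisor did not expose VT-x/AMD-V, so an inner VM would have to fall back to software virtualization if it starts at all.
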
9

The short answer is: No, this would not be an ideal or foolproof way to study a virus.

If the virus is designed to break out of the VM, there is no reason to believe it would stop at doing that once. For all you know, it might test whether it is run inside a second VM and break out of that one, too. That does not require much more sophistication than breaking out of a single VM.

If you are concerned about this threat, there are better defenses, such as running with a machine you use for no other purposes and that you securely wipe every so often to return it to a known-good state.

D.W.
0

You can run a VM inside a VM, but you probably won't be able to use hardware virtualization. It should still work though, but you will probably have to use different hypervisors (example: VirtualBox for first VM, VMware for second). I think this is unnecessary and insecure. RHEL and Fedora (and maybe others) have built-in support for running KVM and using SELinux to restrict the VM process on the host. SELinux provides ample protection, but not against paravirtualized driver vulnerabilities. For maximum security, do not use paravirtualized drivers.

http://libvirt.org/drvqemu.html#securitysvirt

Matrix
  • not in citation given - nothing I could find suggests that SELinux is ineffective when paravirtualized drivers are in use on KVM, and a quick Google search didn't turn up anything either. Do you have a source for this? – Michael Hampton Nov 23 '14 at 04:36
  • @MichaelHampton I think the last part was my own idea and there is no other source. IMO, paravirtualized drivers are not subject to SELinux security controls because SELinux controls userspace processes, files, etc. I think paravirtualized drivers work by direct communication between the guest kernel and hypervisor, which results in superior performance, but exposes a part of the hypervisor to the guest that would otherwise be unreachable. I have no evidence for this, so I could be completely wrong. – Matrix Nov 24 '14 at 08:04
  • https://security.stackexchange.com/questions/73522/are-paravirtualized-drivers-a-security-risk – Matrix Nov 24 '14 at 08:20