Can hackers compromise a VM to the point that they compromise your host OS?

Question

Recently I was reading up on various security strategies and one that has been around for a while but is starting to gain traction now is working within a VM on your desired OS. If that VM ever gets compromised you can simply revert the system back to date and time you know it was in a healthy state or even delete the entire VM and start again.

This sounds simple enough and so there are OS's that build and expand on this VM idea like Qubes

While reading the info page on Qubes I came across a section that mentions the following:

VirtualBox or VMware Workstation are popular because they’re designed primarily to be easy to use and run under popular OSes like Windows (which is called the host OS, since it “hosts” the VMs). However, the fact that Type 2 hypervisors run under the host OS means that they’re really only as secure as the host OS itself. If the host OS is ever compromised, then any VMs it hosts are also effectively compromised.

From that statement I am getting the idea that if I do everything, and I mean everything on my VM and only use the host OS for running VirtualBox and nothing else; is it safe to assume that my host OS won't be able to get corrupted? Or can a hacker identify fairly easy that they're inside a VM and work their way into my host OS?

Answer 1

There are cases where a VM can escape (to one degree or another) the virtualization environment and manipulate data outside of what it should be able to. This can mean that one guest VM can get code executed on a different guest, or even within the host OS itself.

These vulnerabilities are typically referred to as 'escape bugs', wikipedia has a list for some examples: https://en.wikipedia.org/wiki/Virtual_machine_escape

Also, it is pretty easy in most cases to find out that you are on a guest VM. Virtual hardware usually identifies itself as such and you can see that in things like device manager.

Running within a VM is more secure, as a lot of virus/malware isn't going to be trying to exploit guest escape bugs (unless everyone starts running as VM, then you'll probably see an uptick), but it's not a sure thing.