Defanging Venom hypervisor attacks 'easy': researcher

Source: The Xen Project.

Single configuration change required.

The recently discovered critical vulnerability in Xen and other hypervisors using the open source Quick Emulator (QEMU) code can be mitigated with a simple configuration change, a security researcher claimed.

Tamas Lengyel, a security researcher at the Technische Universität München, Germany, said in a blog post on the Xen Project site that the Venom bug is one of a known class of threats brought on by complex and error-prone programming when emulating hardware devices in software.

It is, however, relatively easy to deploy countermeasures against attacks that use the emulation layer to escape virtual machine security contexts, Lengyel noted.

Lengyel said that to protect against Venom and any other attacks via hardware emulation, administrators need to add just one line to the Xen domain configuration:

device_model_stubdomain_override = 1

This enables the so-called stubdomains feature, which means the QEMU code is restricted to just the virtual machine it provides emulation for, and not the top-level domain 0.

Attackers attempting to use QEMU will not make it further than the stubdomain in question, Lengyel said. Since QEMU in stubdomains runs on Mini-OS, Xen's small operating system kernel, attackers would only have a very limited environment to execute code in, further enhancing the security of the system.

The drawback to using stubdomains in Xen for Dom0 Disaggregation is increased memory usage.

Lengyel told iTnews that the amount of memory depends on how intensive the emulation process is, but enabling stubdomains normally uses around eight megabytes more RAM.

This in turn may limit the number of virtual machines a cloud provider can sell, Lengyel said, reducing the incentive to deploy the stubdomains feature.

He pointed out that using stubdomains to protect against QEMU-borne attacks works best if all virtual machines on a server have the feature enabled. Otherwise, attacks could take place from VMs that do not run with stubdomains.
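
Because the protection depends on every guest having the setting, a host's domain configuration files can be audited for guests that lack it. The following is an added example, not code from Lengyel's post or the Xen Project. It assumes configs are simple `key = value` xl files in `/etc/xen/*.cfg`, that only guests declared as HVM (`type` or `builder` set to `"hvm"`) use QEMU device emulation, and that the last assignment of a key wins; the sample configs are constructed.

```python
import re
from pathlib import Path

OPTION = "device_model_stubdomain_override"  # the setting named in the article
# Simple scalar assignments; multi-line list values are not interpreted.
ASSIGN = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

def parse_cfg(text):
    """Return {key: value} from a domain config; '#' starts a comment."""
    settings = {}
    for line in text.splitlines():
        match = ASSIGN.match(line.split("#", 1)[0])
        if match:
            # Assumption of this sketch: a later assignment replaces an earlier one.
            settings[match.group(1)] = match.group(2).strip("\"'")
    return settings

def is_hvm(settings):
    """HVM guests are declared with type = "hvm" or the older builder = "hvm"."""
    return settings.get("type", settings.get("builder", "")).lower() == "hvm"

def audit(configs):
    """configs maps name -> config text. Return HVM guests without the override."""
    missing = []
    for name, text in configs.items():
        settings = parse_cfg(text)
        if is_hvm(settings) and settings.get(OPTION) != "1":
            missing.append(name)
    return sorted(missing)

def audit_dir(path="/etc/xen"):
    """Audit every *.cfg file in a directory (the path is an assumption)."""
    return audit({p.name: p.read_text() for p in Path(path).glob("*.cfg")})

# Constructed sample configurations, not taken from a real host.
SAMPLES = {
    "web01.cfg": 'type = "hvm"\nmemory = 2048\ndevice_model_stubdomain_override = 1\n',
    "web02.cfg": 'builder = "hvm"\n# device_model_stubdomain_override = 1\n',
    "legacy.cfg": "builder = 'hvm'\nmemory = 1024\n",
    "pv01.cfg": 'type = "pv"\nmemory = 512\n',
}

if __name__ == "__main__":
    for name in audit(SAMPLES):
        print(f"{name}: HVM guest without {OPTION} = 1")
```

The commented-out setting in `web02.cfg` is reported as missing, which is the case a plain text search for the option name would overlook.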

Venom has seen many reevaluate risks when using cloud infrastructure, which is a good thing, Lengyel said.

"Virtualisation and the cloud have been erroneously considered by many to be a silver bullet against intrusions and malware. The fact is the cloud is anything but a safe place. There are inherent risks in the cloud and it’s very important to put those risks in their proper context," he wrote.
