In VMware can host hacker break into guest that uses full disk encryption?

Discussion in 'sandboxing & virtualization' started by Ulysses_, Mar 27, 2015.

  1. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    I know it is unlikely but let us say host has got owned, i.e. a hacker has managed to break into the host.

    How would they go about breaking into a linux VM that uses full disk encryption?

    They can't mess with the .vmdk without damaging it - it is encrypted by the guest.

    They can't use vmrun because they do not know the guest passwords.

    They can't attach to processes in the guest with debugging tools because they cannot see individual guest processes.

    What can they do? And crucially, what can I do as a countermeasure?
     
    Last edited: Mar 27, 2015
  2. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    Valid thing to think about. My main fear would be KSL on the host for when the VM is decrypted when you use it, or substituting rogue VM code. I would guess that, depending on the OS and encryption used, a rootkit could be written to the MBR code? Not sure how I feel about VM-level encryption (which VMware offers).

    Countermeasures are to harden the host generally, run an anti-keylogger utility, and avoid using the host for risky things - browsing, images, documents - but then you have VMs to do that, no? You could also run the VM from an encrypted container (e.g. Truecrypt or whatever), but that only improves the encryption at the expense of having the un-encrypted vm files open to other processes, so probably a bad idea.
     
  3. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    If an attacker has control over your host, they can break into the encrypted VM by capturing the password the next time you type it in, using any of several methods not limited to a traditional keylogger. An anti-keylogger utility as mentioned above is quite frankly bs; it's a false sense of security. They could simply RDP into your system, and that will allow them to see keystrokes after they're decrypted from the keystroke scrambler.
     
  4. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    If the keyboard is a usb one and connected directly to the VM (so it does not appear in the hardware list of the host), and furthermore the anti-keylogger utility is installed in the VM, is the keylogging attack still possible?
     
  5. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    Does it matter that the FDE passphrase is typed at boot time?
     
  6. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    Can they still do this when full disk encryption is used inside the VM so the entire disk image is encrypted?
     
  7. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    Some thoughts on your questions:

    Generally, if the host is compromised, particularly at root, it's game over. For example, the connection to the usb is via the VM software, which is executing on the host. And vulnerable. There's lots of ways to attack the process as it boots up and runs.

    If you're not sufficiently confident in your host, then use of pendrives/LiveCD is an alternative.
     
  8. quietman

    quietman Registered Member

    Joined:
    Dec 27, 2014
    Posts:
    489
    Location:
    Earth .... occasionally
    Is that still the case if you use the "on-screen keyboard"?

    And is there any real security advantage to using a virtual keyboard for online banking in a VM?
     
    Last edited: Mar 29, 2015
  9. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    Are any of these ways available as standard tools in the backtrack CD or are you talking about underground stuff?
     
  10. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    Neither criminal hackers out to steal your bank account details nor governments rely on Backtrack/Kali, that's mainly just what teenagers play around with :)
     
  11. Boblvf

    Boblvf Registered Member

    Joined:
    Aug 10, 2014
    Posts:
    103

    They use what? Governments and hackers? They have only better exploits, and they use Kali, Wireshark, Nmap, etc., like teenagers.
     
    Last edited: Mar 30, 2015
  12. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    I don't think that I'm going out on a limb when I say that criminal types are relying on keyloggers/trojans spread mainly through spam emails and flash/java exploits (old ones are indeed likely to be in Metasploit but I don't think many if any will work on a fully up to date system besides XP), whereas governments are going to be using sophisticated malware spread through a multitude of hard to defend against ways.

    Wireshark and Nmap are simply networking utilities with many very legitimate uses, hardly the essence of a hacker's toolkit besides maybe the shady guy sitting next to you in Starbucks trying to get into your Facebook account.
     
  13. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    I doubt it, it'll most likely only protect against hardware keyloggers, software keyloggers should be able to capture all text regardless of whether it's from an on-screen keyboard. Maybe it will help against some percentage of poorly designed malware.

    My position is that if part of your host is owned, assume that everything is owned- only a full format/reinstall will help, trying to defend an already compromised system with virtual keyboards and anti-keyloggers seems to be an exercise in futility.
     
  14. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    If the host is Linux and you connect a USB keyboard directly to the VM, then there is not a single process for the USB port that you can attack as it boots up and runs, is there? You'd need to intercept the entire kernel and develop special software to intercept keystrokes in the form they appear in the USB port.

    Also there is no single process for the "on-screen keyboard" from the point of view of the host; the entire hypervisor would have to be intercepted, no?
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    How do you connect a USB keyboard directly to anything but a USB port on the host?
     
  16. quietman

    quietman Registered Member

    Joined:
    Dec 27, 2014
    Posts:
    489
    Location:
    Earth .... occasionally

    Good point! :)
     
  17. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    The thing I've seen addressing this class of threat is the work being done in Qubes - you can assign PCI devices (including USB hub controllers) to a VM. I think this is relying on VT-d isolation mechanisms.
     
  18. Ulysses_

    Ulysses_ Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    207
    PCI devices definitely need VT-d to be assigned to a VM and it does not always work. But not USB devices:

    You connect the USB keyboard to the USB port and the hypervisor virtually connects it to the virtual USB port of the VM. From then on it does not appear in the hardware list of the host. In Linux the kernel module for the USB keyboard is unloaded; if you type lsmod it is not there any more.
     
  19. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    I'd like to point out the fact that the GRUB bootloader is unencrypted, and a reasonably sophisticated hacker would be able to inject a keylogger into that.

    It's too bad that you can't use hardware encryption on a VM as that would largely prevent this. Trusted Grub is something you might need to look into.
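
A detection-side check for the unencrypted boot files raised in the post above, added here as an example and not part of the original thread: hash everything under the guest's boot directory and compare it with a baseline kept on the encrypted root. The function names and the sample file names are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile


def snapshot(boot_dir):
    """Map every file under boot_dir (relative path) to its SHA-256 digest."""
    digests = {}
    for root, _dirs, files in os.walk(boot_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, boot_dir).replace(os.sep, "/")
            if os.path.islink(path):
                # Record the link target instead of following it.
                digests[rel] = "symlink:" + os.readlink(path)
                continue
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Report files added, removed or modified since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo():
    """Constructed stand-in for /boot: take a baseline, alter it, compare."""
    with tempfile.TemporaryDirectory() as boot:
        files = {"vmlinuz": b"kernel", "grub/grub.cfg": b"menu",
                 "grub/i386-pc/normal.mod": b"module-v1"}
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(boot, rel)), exist_ok=True)
            with open(os.path.join(boot, rel), "wb") as fh:
                fh.write(data)
        baseline = snapshot(boot)  # in practice: json.dump() to the encrypted root
        with open(os.path.join(boot, "grub/i386-pc/normal.mod"), "wb") as fh:
            fh.write(b"module-v2")  # simulated change made while the VM was off
        with open(os.path.join(boot, "grub/extra.mod"), "wb") as fh:
            fh.write(b"new")
        return compare(baseline, snapshot(boot))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check runs only after the disk is unlocked, so it reports tampering after the passphrase has already been typed, and it covers files in the boot directory, not boot code stored outside the filesystem such as the MBR.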
     
  20. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,147
    Location:
    UK
    The point with Qubes is that you'd assign a pci-e USB controller card - the whole hub - to the VM using VT-d. Agree that if you hook the VM usb connection up normally, then they're known to the host.
     