I have a CentOS-based product I'm looking to distribute as a virtual machine (VMware, Xen and KVM), and I have lately been assessing the steps needed to protect the VM. The VM's data shouldn't be accessible to anyone other than authorized people, as it contains sensitive data; by this I mean a root password should always be requested or access denied.

Using Xen it was possible to get access to the machine in the following ways:

  • By editing the bootloader using the Dom0, therefore defeating any bootloader protections: xe-edit-bootloader -u -p 1
  • By adding init=/bin/sh to the VM startup options

Using VMware you can mount the image on another system and access the files.

Possibly there are other ways of accessing the machine. My question here is: what are these other ways I should take into consideration, and how can I prevent them, including the ones I listed above?

Skyhawk
Laoneo
  • If you mean you're distributing a disk image and you want to protect the information on the disk from your end customers seeing it, how can you prevent them from just modifying and mounting the raw disk image, bypassing anything you put in place? – Bart Silverstrim Apr 18 '12 at 13:59
  • Falling into the same mistake as Blu-ray/DVD. You can't protect something and give access to it at the same time. – JamesRyan Apr 18 '12 at 14:24

2 Answers

Well, as long as people have 'physical' access (which in this case means they have the VM), there's always some way around it - single user mode, or some tool like Kon-Boot.

The only practical way I can see to handle this is to encrypt the entire hard disk - you'll have some performance issues, but since you'd need a password to access the data at all, single user mode would do no good, nor would mounting the image.

This should handle most attack vectors, except exotic ones - for example a compromised host that could dump the contents of memory (should such a thing exist).

Journeyman Geek
I don't really see a way of preventing end users from seeing the data on the disk without encryption, and even then there would be ways around it (or else they'd not be able to actually use the VM).

The solution I see is to automate a way to customize the product for each user who uses it, or generalize the VM in a way that the end user has to set proper credentials and administer the machine themselves. You're not getting into what your product is, but really you can't completely prevent them from being able to mount a disk image and bypass protection, and anything you put in place will most likely become more burdensome for the legitimate end users to deal with.

Basically you need to engineer the solution with the idea that the end customer can and will see this information, so you can't put secret information into your product that you're distributing. Customize the solution to that user's site, or force them to administer it by setting passwords and credentials at setup.

Bart Silverstrim
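As an added example (not from the question or either answer), here is a Python pre-release check that takes the second answer's advice literally: treat the unpacked root filesystem of the appliance as something the customer will read by mounting the image, and flag baked-in secrets before it ships. The file paths, patterns and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Files that betray a baked-in secret (constructed list for this example):
# (path relative to the image root, pattern meaning "problem", explanation)
FILE_CHECKS = [
    ("etc/shadow", re.compile(r"^root:\$"), "root ships with a fixed password hash"),
    ("root/.bash_history", re.compile(r"\S"), "shell history left in the image"),
]
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")

def scan_rootfs(root):
    """Return sorted (relative_path, reason) pairs for secrets readable by
    anyone who mounts the raw image, whatever the root password is."""
    findings = []
    for rel, pattern, why in FILE_CHECKS:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                if any(pattern.search(line) for line in fh):
                    findings.append((rel, why))
    # Sweep the whole tree for key material (SSH host keys, TLS keys, ...).
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, errors="replace") as fh:
                    head = fh.read(4096)
            except OSError:
                continue
            if PRIVATE_KEY_RE.search(head):
                findings.append((os.path.relpath(path, root), "private key material in image"))
    return sorted(findings)

def build_sample_rootfs():
    """Constructed sample tree reproducing the mistakes the answers warn about."""
    root = tempfile.mkdtemp(prefix="vmroot-")
    files = {
        "etc/shadow": "root:$6$constructed$notarealhash:19000:0:99999:7:::\n",
        "etc/ssh/ssh_host_rsa_key": "-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n-----END RSA PRIVATE KEY-----\n",
        "root/.bash_history": "mysql -u root -pConstructedPass\n",
        "etc/hostname": "appliance\n",  # harmless, must not be flagged
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, why in scan_rootfs(build_sample_rootfs()):
        print(f"{rel}: {why}")
```

A clean image locks root (`root:!:` or `root:*:` in shadow), carries no host keys or history, and forces credentials and key generation at first boot, so the scan returns an empty list.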