A discussion on another board brought a question to my attention

You are currently reading a thread in /g/ - Technology

Thread replies: 14
Thread images: 1
A discussion on another board brought a question to my attention that I found pretty interesting, and I wanted to ask some more experienced security folks about it, since I'm a novice when it comes to this.

Obviously it's pretty common to do experiments with viruses on a virtual machine, but is there a possibility of this virus "jumping" to the host machine?

Again obviously, if the VM were connected to the internet, it could probably infect anything else on the same network as it, but would there somehow be some way of using the internet to bring the virus from the VM and back to the host machine, and if so how would that even be possible? Even though the virus should not be able to detect the host at all, I've read that new viruses are starting to be able to tell that they're on a VM, but that may be bullshit scaremongering and I don't know how it could possibly infect the host machine from the VM that way.

tl;dr What methods, if any, can viruses use to "escape" from the host machine, short of getting a stupid user to execute some code outside of it? It seems impossible to me but I don't know anything about how viruses affect a computer on a hardware level or through a kernel. As far as I know the virtual hardware is completely separate from the host machine.

Picture unrelated.
>>
>>54710522
Here ya go,
https://en.wikipedia.org/wiki/Virtual_machine_escape

Most VMs don't actually simulate the hardware exactly; they provide a layer of abstraction above whatever they are running upon which software can execute, i.e. they provide the necessary APIs, ABIs, functions etc. but don't actually simulate it if they don't have to; they translate the calls and pass them up. The running environment of the VM could be disrupted from inside the VM if there was an undocumented "feature" which could be exploited.

From what I hear virtualisation is pretty hard to get right.
>>
>>54710696
So from what I understand, most of the methods are using exploits in the software itself rather than inherent flaws of virtualization?
>>
>>54710916
I don't quite understand what you are asking?
>>
>>54711015
Like, for the most part, if a virus was able to get out of the VM, it'd be because of a flaw, bug or exploit in the VMware program itself, right? And wouldn't have anything to do with utilizing the physical hardware or network to infect the host machine?
>>
>>54711091
I'm still not quite sure what you are asking but I'll try to answer anyway.

A virtual machine provides the resources for software run within itself, either through emulation or by requesting those resources from its host machine (I had a professor who would argue that an OS was a virtual machine). Ideally whatever is running within the VM would be oblivious to its "prison"; it would make a request for a resource (say some memory address) and the VM would oblige by requesting the real resource from the host or from a suitable emulation. The process is obviously not perfect however and it is seemingly possible for software running within a VM to ascertain that it's living in the matrix so to speak.

I think you might be confusing terminology. Say we had an OS running on real hardware (things you can touch with grimy fingers), big, expensive, powerful hardware. We want to run a web server on this OS, actually we want to run a bunch of them and some don't play well together, so we run VMs each with their own OS running their own server. This has the added advantage that if one of our OSes running on a virtual machine is attacked and compromised the others are still safe, unless some chosen software could break out of the compromised VM and do stuff within the host OS.
>>
>>54711597
I *think* OP is asking if a VM escape could be done because the virus in said VM has access to hardware that the host does. Like my kid is sick, and he and I use the same door handle to get into the house. Can his virus infect me?

In that case of course, but this one is in question.

Beyond that, it is kinda possible for a VM virus to burst out of the VM over the network afaik. Not into the main network in one jump, but VM to host to network, as the VM and host usually share some network access.
>>
>>54710522
Do you just want to be able to be on the internet without concern of getting a virus? Forget Virtual Machines and run Linux in a Live CD/USB.
>>
>>54711597
The OSes running inside the VMs would (hopefully) run just like they were running on "real" hardware, even though some of that might just be an emulation (can't touch it with your filthy hands). Emulation is complicated and that usually means somebody will make a mistake at some point. Mistakes are generally called "bugs" or "undocumented features" and can be used in creative ways to do things that the software designers were explicitly trying to prevent.

I would imagine even calls to real hardware could be exploited from within the vm.
>>
>>54711749
No, it's more for the purpose of studying viruses in a VM. I just want to make sure there's not much risk of my PC getting somehow infected by a virus that's infected the VM.

I'm sorry for making the question kind of confusing, but put simply this is what I mean.
>>
>>54710522

It is simple to detect that you are in a vm in most cases.

Many vm clients use shared ram for things like networking.

Any network worm could jump from one system to another.

There are probably unpublished 0 days specific to vm architectures. NSA probably spends millions to develop and cultivate them and they will not waste that investment to make us more secure because they are bastards.
>>
>>54711711
>>54711091

Oh I think I understand, OP was asking if some link other than the host-VM-virtualised could be used to infect the host machine from whatever was running within the VM? Like over a shared network or such?

Of course? To the virtualised OS its host just looks like another OS over a network; it has no idea that that is what's running it. That's not really escaping a virtual machine though.
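An added example, not part of any post in this thread: a small audit of a VMware `.vmx` file that reports which virtual network adapters are enabled and what each one lets the guest reach, since the network path to the host is the non-escape route discussed above. The sample config is constructed, and treating a missing `connectionType` as bridged is an assumption about VMware's default.

```python
import re

# Constructed sample .vmx contents for an analysis guest (not from the thread).
SAMPLE_VMX = '''
displayName = "malware-lab"
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
ethernet1.present = "TRUE"
ethernet2.present = "FALSE"
ethernet2.connectionType = "bridged"
ethernet3.present = "TRUE"
ethernet3.connectionType = "hostonly"
'''

# What each VMware connection type lets the guest talk to.
REACH = {
    "bridged": "host and every machine on the physical LAN",
    "nat": "host NAT service, and the LAN/internet through it",
    "hostonly": "host only, over the virtual host-only network",
    "custom": "depends on the virtual network (vmnet) it is attached to",
}

LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Parse key = "value" lines; keys are lowercased for lookup."""
    settings = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def network_exposure(text):
    """Return {adapter: (mode, reach)} for every enabled adapter."""
    settings = parse_vmx(text)
    findings = {}
    for key, value in settings.items():
        m = re.fullmatch(r"ethernet(\d+)\.present", key)
        if not m or value.upper() != "TRUE":
            continue  # disabled adapters give the guest no network path
        nic = "ethernet" + m.group(1)
        # Assumption: a missing connectionType is treated as bridged.
        mode = settings.get(nic + ".connectiontype", "bridged").lower()
        findings[nic] = (mode, REACH.get(mode, "unknown mode, review manually"))
    return findings

def is_network_isolated(text):
    """True only when no virtual adapter is enabled at all."""
    return not network_exposure(text)
```

Every enabled mode, including host-only, leaves the host reachable from the guest as an ordinary network peer; only a guest with no enabled adapter has no network path to it.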
>>
>>54711781
Oh, ok. Yeah, very unlikely, but possible. Use a different machine for testing or at the very least back up frequently to separate media. Have fun.
>>
>>54711781

Buy a testing machine, get a $50 thinkpad or something.

You can't do that sort of work and keep your data on the same machine; it's just ridiculously stupid to risk it. Back up your shit, keep it on separate external drives and then do all the testing you want on a separate machine.