Network World
Replicating virtual servers vulnerable to attack

Black Hat presentation details how man-in-the-middle exploits can endanger data and the availability of resources
By Tim Greene , Network World , 02/15/2008

One of the most attractive features of virtualization -- the ability to replicate virtual servers on the fly to meet demand -- has a big security downside -- from data theft to denial of service -- according to a talk scheduled for the Black Hat DC 2008 conference next week in Washington, D.C.

When a virtual machine migrates from one physical server to another, it can be subject to a range of attacks, primarily because authentication between machines is weak and the virtual-machine traffic between physical machines is unencrypted, says Jon Oberheide, a Ph.D. candidate at the University of Michigan who will present the briefing.

Short term, the cure is installing hardware-based encryption on all the physical servers that might send or receive virtual machines, Oberheide says, but long term, virtual-machine software should incorporate strong authentication that minimizes the risk.
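To make the "strong authentication" point concrete, here is an added example (not code from Oberheide's tool, Xen or VMware) that models a migration stream as a sequence of memory pages, each carrying an HMAC over its sequence number and contents under a per-migration key derived from a pre-shared secret. The secret, nonce and page contents are constructed values; an on-path relay that alters or replays a page is rejected by the destination.

```python
import hashlib
import hmac
import struct

# Constructed, simplified model of a live-migration stream: the source host
# sends memory pages to the destination host. This is not Xen's or VMware's
# wire protocol; it only illustrates per-page authentication.

def derive_key(shared_secret: bytes, session_nonce: bytes) -> bytes:
    # Per-migration key from a pre-shared secret (assumed to be provisioned
    # out of band, e.g. by a management server) and a fresh session nonce.
    return hashlib.sha256(b"migration-auth" + shared_secret + session_nonce).digest()

def page_tag(key: bytes, seq: int, page: bytes) -> bytes:
    # The sequence number is covered by the tag, so a relay cannot reorder,
    # drop or replay pages without the destination noticing.
    return hmac.new(key, struct.pack(">Q", seq) + page, hashlib.sha256).digest()

def send_stream(key: bytes, pages: list) -> list:
    # Source side: emit (seq, page, tag) frames.
    return [(i, p, page_tag(key, i, p)) for i, p in enumerate(pages)]

def receive_stream(key: bytes, frames: list):
    # Destination side: returns the reassembled pages, or None as soon as a
    # frame arrives out of order or fails verification.
    expected = 0
    pages = []
    for seq, page, tag in frames:
        if seq != expected or not hmac.compare_digest(tag, page_tag(key, seq, page)):
            return None
        pages.append(page)
        expected += 1
    return pages

def relay_tamper(frames: list) -> list:
    # Model of an on-path relay that rewrites the second memory page in flight.
    seq, page, tag = frames[1]
    return frames[:1] + [(seq, b"\x00" * len(page), tag)] + frames[2:]

def relay_replay(frames: list) -> list:
    # Model of an on-path relay that re-injects an earlier page.
    return frames + [frames[0]]

if __name__ == "__main__":
    key = derive_key(b"constructed-shared-secret", bytes(16))
    frames = send_stream(key, [b"page0", b"page1", b"page2"])
    print("clean stream accepted:", receive_stream(key, frames) is not None)
    print("tampered stream accepted:", receive_stream(key, relay_tamper(frames)) is not None)
    print("replayed stream accepted:", receive_stream(key, relay_replay(frames)) is not None)
```

Authentication alone leaves page contents readable to anyone on the path, so it complements, rather than replaces, the encrypted or isolated migration network discussed below.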

During his talk, he will describe a proof-of-concept tool he used in a lab to execute man-in-the-middle attacks against virtual machines as they migrated from one physical server to another. His research targeted open source Xen and VMware virtualization platforms.

Citrix, which sells a commercial version of Xen, gets around the problem by having its management server act as a third party that authenticates the origin and destination servers to each other, says Simon Crosby, CTO of the virtualization and management division at Citrix. "We avoid that man-in-the-middle attack by being the man in the middle," he says.

For its part, VMware recommends encryption of virtual machine migration, which it calls VMotion. "VMotion network activity is not encrypted, so as a best practice this traffic should occur on a dedicated VLAN or connection and kept secure from network sniffing, as the running memory state of a virtual machine traverses the VMotion network and will likely contain privileged information," the company says on its Web site. "Hardware based SSL encryption is an option for securing VMotion networks in high security deployments."

Oberheide says he will not demonstrate his attacks, but he plans to show screenshots of how an attack would occur, and what his tool does to enable the attacks.

"It's not very difficult at all as long as the [attacker and servers] are on the same network," he says. "The prerequisite is man-in-the-middle capabilities, which can be achieved through a number of different methods, such as IP hijacking or ARP spoofing, which makes them send their migration traffic to you first and you can forward it on to the destination."


Comments (1)
RE: Replicating virtual servers vulnerable to attack
By Kurt on February 20, 2008, 11:10 am
How is this different from protecting any sensitive data transmitted between hosts? Use IPSec, TLS, or some other transport encryption. It seems silly to expect...
