Google's "Shielded VMs" protect cloud servers from tampering

David Matthews

Google is unveiling a new feature of the Google Cloud Platform that looks to protect virtual machines (VMs) from rootkit installations or any kind of persistent malware. This new feature is called "Shielded VMs" and is rolling out in beta now.

The way it works is that a cryptographically protected baseline of the original VM image is created. The encryption keys are stored using a combination of Secure Boot and vTPM (virtual Trusted Platform Module). These ensure that the VM only runs software that has been verified, and they compare new instances of the VM to previous baselines to confirm the VM hasn't been tampered with. This also prevents "snapshot" attacks that try to duplicate VMs in order to steal the data.
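To make the baseline comparison concrete, here is an added sketch (not Google's code and not part of the original article) of the TPM-style "extend" hash chain that measured boot relies on. It shows why a modified or reordered boot component no longer matches a stored baseline. The stage names, byte strings and function names are constructed for illustration.

```python
import hashlib
import hmac

PCR_SIZE = 32  # bytes in a SHA-256 PCR


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new_pcr = SHA256(old_pcr || SHA256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def pcr_trace(chain):
    """Replay an ordered boot chain, recording the PCR value after each stage."""
    pcr, trace = bytes(PCR_SIZE), []
    for name, blob in chain:
        pcr = extend(pcr, blob)
        trace.append((name, pcr))
    return trace


def measure_boot(chain) -> bytes:
    """Final PCR value for a boot chain (all zeros if nothing was measured)."""
    trace = pcr_trace(chain)
    return trace[-1][1] if trace else bytes(PCR_SIZE)


def matches_baseline(baseline: bytes, chain) -> bool:
    """Constant-time comparison of the observed measurement with the baseline."""
    return hmac.compare_digest(baseline, measure_boot(chain))


def first_divergence(golden, observed):
    """Name of the first observed stage whose running PCR differs, else None.
    Assumes both chains have the same number of stages."""
    for (_, want), (name, got) in zip(pcr_trace(golden), pcr_trace(observed)):
        if not hmac.compare_digest(want, got):
            return name
    return None


# Constructed sample boot chains (placeholder bytes, not real images).
GOLDEN = [("firmware", b"uefi-fw-v1"), ("bootloader", b"grub-2.02"),
          ("kernel", b"vmlinuz-4.15")]
TAMPERED = GOLDEN[:2] + [("kernel", b"vmlinuz-4.15+rootkit")]
REORDERED = [GOLDEN[1], GOLDEN[0], GOLDEN[2]]
BASELINE = measure_boot(GOLDEN)

if __name__ == "__main__":
    for label, chain in (("golden", GOLDEN), ("tampered", TAMPERED),
                         ("reordered", REORDERED)):
        print(label, matches_baseline(BASELINE, chain),
              first_divergence(GOLDEN, chain))
```

Because each value folds in the previous one, a change at any stage alters every later value, so only the final measurement needs to be compared against the baseline.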

Chris Vickery, the director of cyber risk research at security firm Upguard, spoke with Ars Technica about how human errors and misconfiguration can leave systems vulnerable:

"A more common situation would be that someone left AWS credentials in a Github repo that was exposed to the public and forgot to limit the permissions on the credentials in the first place." Once an attacker gains those credentials, they could snapshot the virtual machines "and then migrate the snapshots over to an account owned by [the attacker] for pilfering".

Apparently, Russian hackers were able to penetrate the DNC cloud servers by spear phishing administrative credentials to a virtual machine, gaining access to it, and saving snapshots to clone elsewhere. From there, they could extract the analytics data from the virtual machine.

In addition to Shielded VMs, Google is also rolling out a feature called Binary Authorization, which protects the integrity of the container environment itself. It forces signature verification of images before they're deployed. This is combined with Google's container registry vulnerability scanning, which adds more security validation before environments are deployed.
