Hi all,

I've been reading into virtualization security and came across Blue Pill, a malicious thin hypervisor (project website is down, archived version here: http://web.archive.org/web/20080418123748/http://www.bluepillproject.org/).

My question is: could a custom malicious hypervisor modify execution flow, inject and execute arbitrary code, look at private information in RAM of the VM or anything else?

I'm not asking whether this would be practical from a malware point of view (to implement these features, it may turn into a large and impractical backdoor). I'm interested in whether the malicious hypervisor would have complete control over every aspect of the virtualized machine.

Would there be any difference for this when it comes to a program like VirtualBox - could the Host OS execute arbitrary code inside the guest at any time it chooses?

Any thoughts would be highly appreciated!

Thanks in advance,

r3mo

+1  A: 

Yes, the hypervisor is running at a higher privilege level than the guest VM so it could easily modify the execution flow and read arbitrary parts of the VM.

The same is true for VirtualBox. The host OS can alter the guest provided that you have full access/permissions on the host OS.

thesuperbigfrog