When a virtual machine migrates from one physical server to another, it can be subject to a range of attacks primarily because authentication between machines is weak and the virtual-machine traffic between physical machines is unencrypted, said Oberheide. In the short term, the cure is installing hardware-based encryption on all the physical servers that might send or receive virtual machines, Oberheide says, but long term, virtual-machine software should incorporate strong authentication that minimises the risk.
During his talk, he will describe a proof-of-concept tool he used in a lab to execute man-in-the-middle attacks against virtual machines as they migrated from one physical server to another. His research targeted open source Xen and VMware virtualisation platforms.
Citrix, which sells a commercial version of Xen, says it gets around the problem with its management server acting as a third party to authenticate origination and destination servers to each other, says Simon Crosby, CTO of the virtualisation and management division at Citrix. "We avoid that man-in-the-middle attack by being the man in the middle," he said.