9.0

Table Of Contents

VMware, Inc. 23

ThischapterprovidesbackgroundinformationaboutsecurityoftheVMCIdevice,especiallyabou tinterfaces

thatarenotpartofthepublicVMCISocketsAPI.VMCISocketsareimplementedontopoftheVMCIdevice.

 “InterfacesforVMCISettings”onpage 23

 “VMCIDeviceAlwaysEnabled”onpage 23

 “IsolationofVirtualMachines”onpage 24

Interfaces for VMCI Settings

VMCIisusedprimarilyforcommunicationbetweenvirtualmachinesandthehypervisor.Communication

betweenvirtualmachinesisnotsupported,butcanbeaccomplishedbyuseofnormalTCPorUDPsockets.

OnESXi5.1andlater,theVMCIdevice>EnableVMCIbetweenVMssetting(ifpresent)hasnoeffect.

AfterWorkstation8.x,Sett

ings>Options>GuestIsolation>EnableVMCIwillbediscontinued.

ForoldervirtualhardwareversionswithoutVMCI,thehypervisorrevertstoa“backdoor”mechanismfor

communication.HoweverVMwareservicesintroducedinnewproductsmayhavenobackdoorfallback, so

someservicesmayrequireVMCItoworkcorrectly.

VMCI Device Always Enabled

TheVMCIdeviceisalwayspresentinrecentlycreatedVMwarevirtualmachines,raisingquestionsaboutthe

securityimplicationsofhavingaVMCIdevice.

VMCI and Hardware Version

StartingwithVMwarevirtualhardwareversion7,theVMCIdeviceisenabledbydefault.Virtualmachines

upgradedfromolderhardwareversionstoversion7acquiretheVMCIdeviceevenifitwasnotpresentbefore

upgradingthevirtualhardware.TheVMCIdevicecannotberemoved.Onmostguestoperatingsystems,

VMwareT

oolsshouldbeinstalledtoprovideaVMCIdevicedriver.

Toaddresssecurityconcerns,VMwareprovidedamethodtorestrictVMCI‐basedservicesthatareavailable

toavirtualmachine.Serviceswererestrictedtoatrustedsubsetofonlythehypervisor‐relatedservicesneeded

torunavirtualmachineinisolation.Restrictedwa

sthedefault,asisnowtheonlyconfiguration.

Authentication

AllVMCIcommunicationsareauthenticated.Thesource(contextID)maynotbespoofed.TheVMCIfacility

implicitlyauthenticatesanyhypervisorserviceasbeingpartofthetrustedcodebase.VMCIdoesnotprovide

finegrainedauthenticationofcommunicationendpoints,soapplicationsmustdealwithfinegrained

authenticationasaseparateissue.Itisthere

sponsibilityofapplicationsrunningontopofVMCItoimplement

theirownauthenticationmechanismsifnecessary.VMCIensuresonlythatmalicioussoftwarecannotspoof

thesourcefieldinVMCIdatagramsidentifyingthesendingvirtualmachine.

Security of the VMCI Device