Security in Azure WebApp Instance

Question

My web-app has a certificate with private keys and signs xml. When signing, the private keys are in memory (Protected by LSA since .Net uses NCrypt).

Question: My understanding is the azure web-app instances are individual VMs running IIS and the VMs might be running on a hyper-V host along with other VMs. Given this, is it possible for the VM-Host to access the VM-Guest's memory, and read the private keys - thus compromising signing cert?

Answer 1

You are running a server that you have no physical control over, you have no security from the people who do.

It would be a reasonably trivial matter to retrieve private keys from a running VM. Firstly you would take a memory dump, in standard hyper-v (we don't know what MS uses in Azure)

livekd -hvl
livekd -hv <VMName> -p -o C:\Memory.dmp

This will list all VMs, the second command will dump the memory of one of them. (taken from Taking a dump of a VM running on Hyper-V

Secondly you need to locate and extract the private keys, and there is even a python script that will do that for you. Read about it here

In short, you can find RSA private keys (PKCS #8) and SSL certificates (x509) by scanning for header and version constants found in the ASN.1 representations. The dumpcerts plugin for Volatility uses this scanning approach to find, extract, and parse these keys and certificates from physical memory or virtual memory

(have a read of the theory behind the script here )

Also consider that Microsoft wrote the entire stack, it is highly likely they have debug versions of the VMs, they know EXACTLY how the certificates are stored (because they wrote the code) they wouldn't need to reverse engineer like those articles did, they could talk to the engineer who wrote it.