byWilson Leung leung_wilson@bah.com

Nima Khamooshikhamooshi_nima@bah.com

Theodore Winogradwinograd_theodore@bah.com

IT Security Risk Mitigation ReportVirtualization Security

AbstractVirtualization is the act of emulating individual computer systems within a single physical host system. Organizations have typically relied on the physical separation of servers (e.g., a separate machine for e-mail, one for Web Services, and another for the Domain Name Server [DNS]) to prevent a single server’s compromise that then directly contributes to the subsequent compromise of other systems or network services within the enterprise. Although this practice has proven security benefits, it also adds a number of costs and obstacles to the information technology (IT) infrastructure. With the introduction of virtualization, organizations can now leverage processing power that would otherwise sit idle by deploying a separate virtual machine (VM) for each network service on one physical host while maintaining a level of separation between distinct servers. Although VM deployment has its own security risks (e.g., increased availability risks as result of a single point of failure), organizations have achieved practical benefits from virtualization. Cloud Computing takes virtualization to the next step. It allows multiple organizations to deploy all of their individual VMs on the same virtualization platform (e.g., one or more physical hosts) and leverage their hardware in previously impossible ways.

Today’s organizations are increasingly taking advantage of various forms of virtualization to leverage new capabilities, ranging from server consolidation and enhanced recovery to increased secure computing operations through support of virtual networks and “sandboxing.” Because of its ability to enable a single physical platform to host multiple isolated and unique computing environments, virtualization has emerged as a key technology for supporting Cloud Computing delivery models, such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

Although virtualization has many benefits, it introduces a number of risks into the enterprise—caused in part by the increased complexity brought by the virtualized environment management (the “hypervisor”) and other

new computing paradigms. For example, the hypervisor, which is the software that mediates all interaction between the VMs and the physical host, serves as the only separation between different VMs on a single host while maintaining communication channels to the individual VMs (see Figure 1). Any successful attack on these communication channels will successfully hijack the VM itself. Similarly, virtualization’s support for server imaging increases the likelihood that a malicious agent can copy and send an image of an organizational system to a remote site for testing and analysis; it also enables the introduction of potentially malicious VM modifications while the VMs are at rest.

This paper identifies the most prevalent risks of virtualization and describes selected countermeasures that are available to mitigate these risks.

IntroductionVirtualization decouples the operating system (OS) from the physical hardware platform and the applications that run on it. As a result, organizations can achieve greater information technology (IT) resource utilization and flexibility. Virtualization allows multiple virtual machines (VM), often with heterogeneous OSs, to run in isolation side by side on the same physical machine. Each VM has its own set of virtual hardware upon which the OS and applications are loaded.

IT Security Risk Mitigation ReportVirtualization Security

Figure 1| Virtualization Overview

Host OS

GuestOS

GuestOS

GuestOS

Exhibit 1 | Virtualization Overview

1

2

Virtualization has been gaining immense popularity with both IT professionals and executives because it represents an approach to data center consolidation, improved asset utilization, and improved control over systems and other IT assets. However, virtualization has actually been around for more than three decades in one form or another, maturing this past decade. Once only accessible by the large enterprise, virtualization technologies are now available for virtually every aspect of computing, including hardware, software, and communications.

Although organizations can realize many benefits as they adopt and implement virtualization solutions, threats and risks are associated with these solutions. In the following sections, we address virtualization security benefits, threats to virtualized environments, attack vectors and security considerations, and attacker VM detection methods.

Virtualization Security BenefitsVirtualization is not just a compelling solution for server consolidation. It is becoming the most important security infrastructure element for security managers. Virtualization provides a wide range of security benefits spanning key items, such as environment “sandboxing,” data recovery, malware/forensic analysis, virtual machine introspection (VMI), and virtual machine live migration (VMLM). 1

Environment SandboxingA sandbox is a security mechanism for separating running programs. It is often used to execute and validate the operation of new or untested code or untrusted programs from unverified third parties, suppliers, and untrusted users. It offers a monitored and controlled environment so the unknown software cannot harm the real hosting computer system. Sandboxing is achievable simply by blocking some critical operations or implementing a complete virtual environment, wherein the processor, memory, and file system are simulated and the real system is inaccessible by the tested application. Virtualization is effective at providing a tightly controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system, and the ability to read from input devices are often disallowed or heavily restricted.

Continuity of Operations and Data RecoveryBusiness continuity of operations (COOP) and disaster recovery (DR) initiatives have gained recognition over the past few years. Customer demand and federal regulations, including civil and Department of Defense (DoD) regulations, have helped accelerate these efforts and give them the attention they have needed for some time. Virtualization is an ideal platform for most cases of data recovery because it eliminates the need to purchase an excessive amount of equipment. Most software vendors of backup/recovery products support the restoration of operational systems and applications of physical servers to virtual servers.

Traditional recovery plans are often difficult to test and keep up to date, and they depend on exact execution of complex and often manual processes. They also require duplicating either the entire production infrastructure or the major or key portions of that infrastructure—which, for reasons of surety, often equates to the total system. Although many organizations deploy total failover sites, smaller organizations may benefit from using a virtualized environment because more compact virtualized systems can be used for failover/backup and recovery purposes. Recovery testing is simpler because it allows for the execution of potentially disruptive tests using existing resources. Larger organizations may also benefit from virtualization by increasing the number of tests without straining the organization with a full system-wide test of recovery procedures. Hardware independence eliminates the complexity of recovery site maintenance by eliminating failures caused by hardware differences.

Another area that increases costs and complexity in any organization is the deployment of standby and failover servers to maintain system availability during times of planned or unplanned outages. Although capable of hosting the targeted workloads, such equipment remains idle between those outages and in some cases is never used at all. Thus, the expense provides primarily psychological, emergency, and obligatory compliance value but little to no operational value to the organization. Virtualization helps solve this problem by allowing just-in-time or on-demand provisioning of additional VMs as needed. A VM that has been built and configured can be put into an inactive state, ready to be activated when a failure occurs. When needed, the VM becomes active without hardware procurement, installation, or configuration. In addition, modern virtualization solutions provide

1In the following discussions, references are made to commercial products as examples of current tools. No endorsement is intended.

3

mechanisms for ensuring trans-system synchronization, or VMLM, when performing hot-swapping or failover across multiple VMs. Unlike a physical system, hypervisors can communicate the state of VMs’ internal memory across the network—ensuring two VMs are running in the identical configuration at the time of failover and thereby simplifying previously complex and sometimes unwieldy system synchronization for failover or hot-spare activation.

Malware Analysis and Defeat As computers became more sophisticated, so did the malware problem. Workgroup networks were affected by viruses that could infect not only local (server, node, or workstation) files but also the files of other users in the network. Malware researchers need a way to truly see what malware does to a server or a host in the workgroup network to have any hope of finding a way to prevent and recover from malware infections. Virtualization can be used to quarantine malware in a controlled environment where it can be studied, observed, tested, and eventually defeated and eradicated, and future instances can be prevented. Figure 2 illustrates that traditional malware infection cycle. Using virtualization, the user’s machine in Step 5 can be controlled and monitored to understand the malware itself while simultaneously preventing the compromised system from launching further attacks.

“Trusted” Application Test and DeploymentMost organizations do not have spare IT assets or the time to provision an application that is not associated with an approved project. As a result, most of the “proof of concept” applications and systems are either set up on inadequate equipment, such as desktops, or not established at all. This situation presents a significant risk if and when applications go to “production” status without appropriate testing. Virtualization helps resolve such problems.

Rapid provisioning or minimal additional hardware investment, safety, security, and reliability are the computing environment qualities needed to quickly build a proof-of-concept environment. If proof of concept is successful, the VM application can be efficiently and effectively migrated from the test infrastructure to the production virtual infrastructure without additional cost. In addition, virtualization enables companies to streamline their software and/or system life-cycle development model. From development and testing through integration, staging, deployment, and management, virtualization offers a comprehensive framework for virtual software life-cycle automation that streamlines these adjacent yet sometimes disconnected processes and simultaneously closes the loops between them. By pushing a staged configuration into production after successful testing, virtualization can minimize errors associated with incorrect deployment and configuration of the production environment.

Figure 2 | A sample of malware infection

Hacker insertsmalicious URL

User is redirectedto Bad Web site

Badsite sends obfuscatedexploit for vulnerabilityon end user’s system

Malware installedwithout User noticing

Malware sendsprivate datato hacker

1 2 3

4

56

Web User visitsGood Web site

Exhibit 2 | Sample Malware Infection

4

Virtual Machine Introspection The recent development of virtualization products has led to the evolution of VMI techniques and tools to monitor VM operations and behavior. VMI tools inspect a VM from the outside to assess what is happening on the inside, making it possible for security tools, such as virus scanners and intrusion detection and prevention systems (IDPS), to observe and respond to VM events from a “safe” location outside the monitored machine. A major advantage of VMI is knowledge capture of context and environment, which is critical to proper event interpretation. VMI allows event replay, which can determine whether analysis must be performed in real time as the target system executes or at a later time under the analyst’s control.

Threats to the Virtualized Network EnvironmentVirtualization in a network environment complicates the enterprise’s security needs. The standard threats and attacks to the enterprise infrastructure remain, and the introduction of the virtualization software simultaneously increases the surface area of attack. This situation creates a significant need to harden and secure the virtualization system and protect against the standard attack channels.

The virtualization software itself is of particular concern. If an attacker can gain access to a virtualized environment, the attacker can potentially escape the VM and move up the chain to the virtualization host. Because this host runs, monitors, and administers the guest OSs contained under its purview, the host can be a jumping off point for additional system access by an attacker. In an environment where a single host can have numerous guest OSs running mission-critical network services, the problem is clear. If an attacker can gain access to the host, then it is an easy task for the attacker to gain access to the virtual guests controlled by that host.

As mentioned earlier, the standard computing attacks are still present in the virtual environment. A system administrator must apply security patches, updates, service packs, hotfixes, etc., to secure and protect the OS against malicious attacks. The administrator must also ensure that any software installed on the VM (e.g., web server software or other client-side software) is up to date. Likewise, the system developers must use high-quality coding practices to ensure the system is not vulnerable to other forms of attacks, such as Structured Query Language (SQL) injection attacks

wherein a hacker submits malicious SQL code into an online web application.

The need to update the software installed on the host itself a result of the increasing trend in client-side software attacks. Administrators should also address direct attacks against services, such as Domain Name Server (DNS), Dynamic Host Configuration Protocol (DHCP), Active Directory, etc. As with any system, system administrators must ensure they have fully secured the system and all of its applications to provide the best protection profile.

Although many of the standard attacks apply to any system—virtual or physical—virtualization-specific considerations also exist. Many of these virtualization-specific attacks take advantage of the specific nature of the virtual environment and are not exploitable in non-virtualized systems. These attacks are known in the IT community as VMEscape, VMchat, VMcat, VMdrag-n-hack, VMdrag-n-sploit, and VMftp.2

VMEscapeOne of the most critical attacks on the virtualization environment is the potential for a VM “escape.” In this attack, a malicious actor gains access to a VM guest OS using one of the standard threats mentioned earlier. Once the hacker has access, he or she will escape the VM guest OS to gain access to the host OS. As previously mentioned, the host has direct access to all guest OSs. By taking over the host, a hacker has increased potential to negatively affect all VMs managed under that host. Figure 3 illustrates a successful VMEscape attack.3

Exhibit 3 | VMEscape

Host OS

GuestOS

GuestOS

GuestOS

Figure 3 | VMEscape

2These names are based on the presentation from IntelGuardians at SANSFire 2007, which is referenced in the following web pages: http://www.cutawaysecurity.com/blog/archives/170 and http://www.foolmoon.net/cgibin/blog/index.cgi?mode=viewone&blog=1185593255/, accessed June 15, 2009.3Joab Jackson, Government Computer News, “VMware vulnerability allows users to escape virtual environment,” http://gcn.com/articles/2008/02/28/vmware-vulnerability-allows-users-to-escape-virtual-environment.aspx, accessed June 15, 2009.

5

VMchatOne of the benefits of utilizing virtualization in a network is the ability to separate machines logically, thereby placing each OS into its own separate sandbox free from external inputs. However, utilities like VMchat raise certain issues. VMchat is an administration utility in which the system administrator is able to send instant messages (IM) between VMs. This function gives system administrators the ability to communicate service interruptions or other administrative issues to pertinent staff. The problem, however, lies in the potential for a malicious actor to take advantage of this shared memory space and inject a malicious Dynamic-Link Library (DLL) into memory. When a hacker does this, he or she has effectively bridged the sandboxed memory space of each VM.

VMcatVMcat is a netcat equivalent software for the virtualized environment. Netcat is popularly known as the hacker’s “Swiss Army Knife.”4 It allows a plethora of capabilities, including port scanning, file transfer, IM/chat, and command shell sending. Netcat is a hacker’s tool of choice because of its numerous capabilities and small file size. The problems with VMcat are apparent. A system with VMcat installed can facilitate the exfiltration of files and data in the same way hackers use netcat. VMcat also supports secondary attacks and OS fingerprinting, thereby increasing its threat capabilities once installed.

VMdrag-n-hackVMdrag-n-hack is an exploit where an attacker attempts to take advantage of an unsuspecting system administrator’s ability to drag and drop files between VMs. As the administrator drags a file between the two systems, he or she is unknowingly executing malicious code. An attacker can determine the area of memory that is read and written to as the administrator moves the file between systems (see Figure 4). Because of this, the attacker can inject malicious code into memory that the secondary system will read, thereby allowing a hidden communication channel between the two systems.

VMdrag-n-sploitVMdrag-n-sploit works very similarly to the VMdrag-n-hack attack. In this attack, the malicious actor takes advantage of a user with system access who drags and drops a file between two VMs. When the innocent party performs this task, he or she unknowingly executes the

VMdrag-n-sploit file in memory, which in turn executes on both of the VMs. The VMdrag-n-sploit file provides functionality to exploit VMchat or VMcat attacks.

VMftpAs seen with the other utilities, VMftp opens up yet another channel for communication between VMs. VMftp provides the ability to send files between VMs quickly and easily. It operates in much the same way as a traditional File Transfer Protocol (FTP) system. It presents problems because it can potentially allow a malicious actor to exfiltrate any file, as well as take advantage of the shared memory space issues described above.

Security ConsiderationsAlthough virtualization offers a number of benefits to organizations, like any new technology, virtualization increases the attack surface of systems within an organization. In many cases, the risks associated with virtualization can be mitigated in an effective manner; however, it is important to fully understand these risks before introducing virtualization into an organization’s infrastructure. This section provides a full description of these risks, along with discussions of the countermeasures organizations may put in place to mitigate each of these risks.

In general, the mitigation strategies for virtualization-related risks are very similar to the defense-in-depth strategies employed in any IT environment. Specifically, organizations should expand their security patching programs to include the hypervisor, the host system, and all VMs used in the organization. In the past, this wide coverage may have been difficult, but modern hypervisors provide capabilities for patching VMs even when they are

4More information about Netcat is available at http://netcat.sourceforge.net.

Host OS Guest

OS

SharedMemory

Figure 4 | Memory in a virtual environmentExhibit 4 | Memory in a Virtual Environment

offline, removing the need for organizations to launch all VMs to deploy security patches.

Organizations should also ensure their hypervisors are configured and deployed using least privilege: the administrators and permissions on the hypervisor should have privileges no higher than necessary to complete their functions. In some instances, least privilege may extend to hosting different categories of VMs on separate physical hypervisors to prevent attacks against a single hypervisor from affecting the entire virtual infrastructure. In addition, organizations may take advantage of guidance for hardening hypervisors provided by virtualization vendors and other organizations (e.g., Center for Internet Security, Defense Information Systems Agency).

VMEscapeOne of the most discussed attack vectors in virtualization security is the concept of VMEscape. VMEscape entails breaking out of the VM and directly interacting with the hypervisor. There are only a few instances of successful VMEscape occurrences. One of the most detailed writeups on this topic was published in 2007 by Google’s Tavis Ormandy.5 In his paper, Ormandy developed tools to perform fuzzing attacks (e.g., sending random data to the hypervisor to assess its security). He identified several vulnerabilities that could potentially lead to a successful VMEscape.

VMEscape has been highlighted as one of the most dangerous attacks an organization deploying virtualization can face. To address this risk, virtualization vendors have begun developing “thin” hypervisors, with the goal of reducing the size of the code base and reducing the likelihood of exploitable defects.

VMDetectionWith the advent of security researchers using virtualization to monitor malware, malware authors and attackers have begun performing detection routines to determine whether or not they are running in a virtualization sandbox. Although most organizations may not explicitly deploy virtualization in this manner, intrusion detection systems are increasingly offering sandboxing as an effective tool for detecting zero-day exploits in an organization.

In their presentation On the Cutting Edge: Thwarting Virtual Machine Detection,6 Tom Liston and Ed Skoudis identify a number of techniques malware uses to determine whether it is running in a virtual sandbox:

Artifacts in processes, the file system, or registry•

Artifacts in memory•

Hardware that describes itself as provided by a •virtualization vendor

Artifacts in the instruction set architecture (ISA) •that are accepted only by hypervisors.

In light of these techniques, some virtualization vendors aim to reduce the number of “fingerprints” provided by their virtualization software. Using the virtualization extensions to the x86-64 instruction set, it is becoming increasingly difficult for malware to determine whether or not it is running in a VM. Although malware’s ability to determine whether or not it is running in a virtual environment is becoming less of a concern (especially with the rise of Cloud services leveraging virtualization), the difficulty of determining which specific hypervisor is controlling a VM makes deploying effective malicious attacks against the hypervisor even harder—adding to an organization’s defense-in-depth posture.

Communication ChannelsVirtualization increases the number of communication channels in a computing environment. These channels can range from virtual switches, networks, and firewalls to communication paths between VMs and the hypervisor. This section discusses these communication paths and mitigation strategies for securing them.

Virtual Switches and NetworksVirtual networking allows organizations to logically deploy their VMs in a manner consistent with the organization’s physical network. Organizations may configure virtual local area networks (VLAN), take advantage of switched port analyzer (SPAN) ports, and integrate with any existing network management infrastructure. Important key points to consider when deploying virtual networks include—

Ensuring VMs in promiscuous mode (i.e., utilizing •a network card configuration that makes the card pass all traffic it receives to the central processing unit rather than only packets addressed to it—a feature normally used for packet sniffing) may access the necessary network traffic; this is necessary when deploying an IDPS within a VM

6

5Tavis Ormandy, An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments, http://taviso.decsystem.org/virtsec.pdf, accessed on June 15, 2009. 6Tom Liston and Ed Skoudis, On the Cutting Edge: Thwarting Virtual Machine Detection, http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf, accessed June 15, 2009.

7

Ensuring the virtual network complies with •appropriate policies and regulations regarding network security devices; some organizations may require an IDPS logically in front of the VM—an IDPS alone in front of the virtual network may be insufficient

Ensuring appropriate COOP procedures are in •place; if an organization relies on the virtual network for its mission, a failure of the physical host may compromise the entire virtual network

Ensuring malicious activity within the network •cannot leave the virtual network and affect external systems.

To support these activities, organizations should employ the same strategies they would in a physical network environment: taking full advantage of VLANs, firewalls, IDPS, and—when necessary—MAC locking. In most virtual environments, the virtual switches, routers, and firewalls behave in a manner similar to their physical counterparts—possibly with additional capabilities. In addition, organizations should include their virtual networks in all network architecture documentation and security risk assessments.

VM IntrospectionVMI is a powerful tool. It allows organizations to deploy security solutions that cannot be compromised by rootkits or other malicious software within the VM. However, this functionality can introduce privacy concerns in certain organizations. Although the hypervisor traditionally has physical access to all components within a VM, VMI allows the hypervisor to actively monitor—and in some cases modify—the activities within the VM itself. This monitoring may be inconsistent with an organization’s security and privacy policies. In addition, organizations offering Cloud services may need to explicitly state that they are performing VMI to ensure customers are fully aware that some level of monitoring is occurring.7

VMI tools can be configured to meet organizational policy. For example, some instances of VMI simply offer on-demand analysis of the processes running within the guest OS or the installed software; others may perform real-time anti-malware analysis of the running system. Software deployed within VMs may improve their level of security and privacy by ensuring their data is secure at rest and in transit—minimizing the

possibility that the hypervisor may unintentionally store any sensitive information outside of the VM.8

VM StateBecause virtual machines exist as an abstraction on a hosted system, all state information is accessible to the host system. This scenario means the Basic Input/Output System (BIOS) does not reside within read-only memory (ROM) as it does on traditional computing systems. Instead, the hypervisor emulates the BIOS. In addition, most virtual machines are often represented as a file on the hard disk of the host OS, allowing any user with access to the file to view—and potentially modify—the VM, even when it is at rest. This file includes the current state of system memory for the VM, the state of the VM hard disk, and information stored in central processing unit (CPU) registers—providing a wealth of information that may benefit a potential malicious user.

Virtualization vendors offer solutions to mitigate the risks associated with VM files by limiting access to only the hypervisor and potential administrators. Organizations can also take advantage of disk encryption to ensure the VM—and any backups—cannot be viewed directly from the storage device (this is especially true for network-based storage). Organizations should also be aware that VM state information travels over the network whenever VMLM is implemented—requiring assurance that the state transfer across the network is protected in transit as well.

HypervisorWhen introducing virtualization into an organization, it is important to understand the various communication mechanisms between an individual VM and the hypervisor. Although some of these communication channels depend on the functionality deployed, the majority of these channels are in use and often required for the hypervisor to function properly. A number of these direct channels are implemented as extensions to the ISA as machine instructions, meaning they may be accessible to any application on the system. It is important to note that in most cases, applications in user mode will receive a general protection fault when attempting to access these interfaces. Some common functions include—

Clipboard sharing• —Where the hypervisor shares the contents of the OS clipboard between the guest OS and the host OS

7This would be a part of the agreement between the user and the supplier in a services contract model.8It is important to note that these privacy concerns are an inherent aspect of virtualization. Any information stored within RAM or on the VM’s hard disk may be accessible—often in plain text—through the host system’s RAM or on its hard disk as a snapshot of the running VM.

Memory management• —Where the guest OS communicates with the host OS to coordinate the amount of physical memory in use for the application

Device management• —For some devices (e.g., processor, graphics card, network interface card), the hypervisor mediates all communication between VMs and physical devices9

Others• —Depending on the vendor solution, additional communication channels exist; for example, when using paravirtualization solutions, all system calls are implemented as function calls to the hypervisor rather than as software interrupts.

Because many of these interfaces are implemented as simple commands (e.g., as machine instructions), it is possible to minimize their accessibility to only those processes and applications on the VM that must have access to these systems. In addition, organizations deploying virtualization environments that do not need specific functionality (e.g., clipboard sharing) may simply disable the communication feature, preventing malicious users or software from taking advantage of it.

ConclusionVirtualization security is a major area of concern for any organization deploying a virtual environment. As shown in this report, the introduction of VMs creates new and profound security considerations that were unheard of just a few years ago. Booz Allen is the one firm that can help clients solve their toughest IT security problems. Our experienced and proven staff works side by side with our clients, helping them achieve their missions every day. Our security experts have the experience and knowledge to help the Federal Government develop comprehensive and secure virtualization solutions. Booz Allen not only understands and implements the federal security standards that protect our homeland but also advises the policy organizations and contributes to thought leadership by helping them develop the policies on which those standards are created. Booz Allen is committed to delivering results that endure.

AcronymsBIOS Basic Input/Output System

COOP Continuity of Operations

CPU Central Processing Unit

DHCP Dynamic Host Configuration Protocol

DLL Dynamic-Link Library

DNS Domain Name Server

DoD Department of Defense

DR Disaster Recovery

FTP File Transfer Protocol

IaaS Infrastructure as a Service

IDPS Intrusion Detection and Prevention System

IM Instant Message

ISA Instruction Set Architecture

IT Information Technology

OS Operating System

PaaS Platform as a Service

ROM Read-Only Memory

SaaS Software as a Service

SPAN Switched Port Analyzer

SQL Structured Query Language

VLAN Virtual Local Area Network

VM Virtual Machine

VMI Virtual Machine Introspection

VMLM Virtual Machine Live Migration

8

9Some devices (e.g., universal serial bus interface) have a channel-based architecture. With these devices, the hypervisor needs only to assign a specific channel to the VM and the majority of the interaction need not be mediated directly.

About Booz Allen

To learn more about the firm and to download digital versions of this article and other Booz Allen Hamilton publications, visit www.boozallen.com.

Booz Allen Hamilton has been at the forefront of strategy and technology consulting for 95 years. Every day, government agencies, institutions, corporations, and not-for-profit organizations rely on the firm’s expertise and objectivity, and on the combined capabilities and dedication of our exceptional people to find solutions and seize opportunities. We combine a consultant’s unique problem-solving orientation with deep technical knowledge and strong execution to help clients achieve success in their most critical missions. Providing a broad range of services in strategy, operations, organization and change, information

technology, systems engineering, and program management, Booz Allen is committed to delivering results that endure.

With more than 22,000 people and $4.5 billion in annual revenue, Booz Allen is continually recognized for its quality work and corporate culture. In 2009, for the fifth consecutive year, Fortune magazine named Booz Allen one of “The 100 Best Companies to Work For,” and Working Mother magazine has ranked the firm among its “100 Best Companies for Working Mothers” annually since 1999.

Contact Information:

Wilson Leung Nima Khamooshi Theodore Winograd Associate Associate Associate leung_wilson@bah.com khamooshi_nima@bah.com winograd_theodore@bah.com 703/604-7557 703/984-7533 703/377-5544

www.boozallen.com

The most complete, recent list of offices and their and addresses and telephone numbers can be found on www.boozallen.com by clicking the “Offices” link under “About Booz Allen.”

Principal OfficesALABAMAHuntsville

CALIFORNIALos AngelesSan DiegoSan Francisco

COLORADOColorado SpringsDenver

FLORIDAPensacolaSarasotaTampa

GEORGIAAtlanta

HAWAIIHonolulu

ILLINOISO’Fallon

OHIODayton

PENNSYLVANIAPhiladelphia

SOUTH CAROLINACharleston

TEXASHoustonSan Antonio

VIRGINIAArlingtonChantillyFalls ChurchHerndon McLean NorfolkStafford

WASHINGTON, DC

KANSASLeavenworth

MARYLANDAberdeenAnnapolis JunctionLexington ParkLinthicum Rockville

MICHIGANTroy

NEBRASKAOmaha

NEW JERSEYEatontown

NEW YORKRome

©2009 Booz Allen Hamilton Inc.

09.134.09