Attacks on Virtual Machine Emulators Peter Ferrie Senior Principal Researcher Symantec Security Response 5 December 2006
A G E N D A Attack Types Types of Virtual Machine Emulators Detection of Hardware VMEs Detection of Software VMEs What can we do? Q and A 1 2 3 4 5 6
Attack Types DETECTION DENIAL-OF-SERVICE ESCAPE!
Attack Types : Detection
Attack Types : Detection
Attack Types : Denial-of-Service
Attack Types : Escape!
Attack Types : Escape!
Types of Virtual Machine Emulators Hardware-Bound Pure Software Hardware-Assisted Reduced-Privilege Guest
Reduced-Privilege Guest VMEs Software-based virtualization of important data structures and registers Guest runs at lower privilege level than before No way to avoid notification of all CPU events
Examples of Reduced-Privilege Guest VMEs VMware Xen Parallels Virtuozzo (probably)
Hardware-Assisted VMEs Uses CPU-specific instructions to place system into virtual mode Guest privileges unchanged Separate host and guest copies of important data structures and registers Guest copies have no effect on the host Host can request notification of specific CPU events
Examples of Hardware-Assisted VMEs BluePill Vitriol Xen 3.x Virtual Server 2005 Parallels Virtuozzo (probably)
Detection of Hardware VMEs : TSC Method Physical Hardware Virtual Hardware T1……Instruction 1 T1.……..Instruction 1 T1+1...Instruction 2 T1+1…..Instruction 2 T1+2...Instruction 3 T1+2…..[VM fault] T1+N….Instruction 3 where N is a large number
Detection of Hardware VMEs : TLB Method 1 T1………read memory 1 T1+X1…read memory 2 T1+X2…read memory 3 T1+X3…read memory 4 FT (Fill Time) = ((T1+X3)-T1)/4 T2………read memory 1 T2+Y1…read memory 2 T2+Y2…read memory 3 T2+Y3…read memory 4 CT (Cached Time) = ((T2+Y3)-T2)/4 2
Detection of Hardware VMEs : TLB Method Execute CPUID T3………read memory 1 T3+Z1…read memory 2 T3+Z2…read memory 3 T3+Z3…read memory 4 DT (Detect Time) = ((T3+Z3)-T3)/4 If DT ~= CT, then physical If DT ~= FT, then virtual 3 4 5
Pure Software VMEs CPU operation implemented entirely in software Emulated CPU does not have to match physical CPU Portable Can optionally support multiple CPU generations Examples Hydra Bochs QEMU
Pure Software VMEs (Hybrid model) Commonly used by anti-virus software Emulates CPU and partial operating system CPU operation implemented entirely in software Examples Atlantis Sandbox
Malicious VMEs (SubVirt) Reduced-privilege guest Installs second operating system Runs on Windows and Linux Carries VirtualPC for Windows Carries VMware for Linux Difficult to detect compromised system
Detecting VMware IDT/GDT at high memory address Non-zero LDT Port 5658h Windows registry Video and ROM BIOS text strings Device names MAC address ranges
Detecting VirtualPC IDT/GDT at high memory address Non-zero LDT 0F 3F opcode 0F C7 C8 opcode Overly long instruction Device names
Detecting Parallels IDT/GDT at high memory address Non-zero LDT Device names
Detecting Bochs [WB] INVD flushes TLBs REP CMPS/SCAS flags CPUID processor name CPUID AMD K7 Easter Egg 32-bit ARPL register corruption 16-bit segment wraparound Device names
Attacking Bochs Bochs denial-of-service Floppy with >18 sectors per track Floppy with >512 bytes per sector Non-ring0 SYSENTER CS MSR
Detecting Hydra REP MOVS/SCAS integer overflow 16-bit segment wraparound
Detecting QEMU CPUID processor name CPUID K7 Easter Egg CMPXCHG8B memory write Double-faulting CPU
Detecting Atlantis and Sandbox Unimplemented APIs Incorrectly-emulated APIs Example: Beep() in Windows 9x vs Windows NT Unfortunately correct emulation Example: not crashing on corrupted WMFs
What can we do? Reduced-privilege guests VirtualPC Bochs, Hydra, QEMU Nothing VirtualPC Intercept SIDT Check for maximum instruction length Remove custom CPUID processor name Bochs, Hydra, QEMU Bug fixes Full stealth should be possible
Questions? Thank you. e-mail: peter_ferrie@symantec.com