Attacks on Virtual Machine Emulators Peter Ferrie, Senior Principal Researcher 12 April, 2007.


2 Agenda
1. Attack Types
2. Types of Virtual Machine Emulators
3. Detection of Hardware VMEs
4. Detection of Software VMEs
5. What can we do?

3 Attack Types
- Detection
- Denial-of-service
- Escape!

4 Attack Types : Detection

6 Attack Types : Denial-of-Service

7 Attack Types : Escape!

9 Types of Virtual Machine Emulators
Virtual Machine Emulators
- Hardware-Bound
  - Hardware-Assisted
  - Reduced-Privilege Guest
- Pure Software

10 Reduced-Privilege Guest VMEs
- Software-based virtualization of important data structures and registers
- Guest runs at lower privilege level than before
- No way to avoid notification of all CPU events

11 Reduced-Privilege Guest VMEs
- VMware
- Xen
- Parallels
- VirtualBox

12 Hardware-Assisted VMEs
- Uses CPU-specific instructions to place system into virtual mode
- Guest privileges unchanged
- Separate host and guest copies of important data structures and registers
- Guest copies have no effect on the host
- Host can request notification of specific CPU events

13 Hardware-Assisted VMEs
- BluePill
- Vitriol
- Xen 3.x
- Virtual Server 2005
- Parallels

14 Detection of Hardware VMEs : TSC Method
Physical Hardware            Virtual Hardware
T1 ....... Instruction 1     T1 ....... Instruction 1
T1+1 ..... Instruction 2     T1+1 ..... Instruction 2
T1+2 ..... Instruction 3     T1+2 ..... [VM fault]
                             T1+N ..... Instruction 3
where N is a large number

15 Detection of Hardware VMEs : TLB Method (Intel)
1. T1 ....... read memory 1
   T1+X1 ... read memory 2
   T1+X2 ... read memory 3
   T1+X3 ... read memory 4
   FT (Fill Time) = ((T1+X3)-T1)/4
2. T2 ....... read memory 1
   T2+Y1 ... read memory 2
   T2+Y2 ... read memory 3
   T2+Y3 ... read memory 4
   CT (Cached Time) = ((T2+Y3)-T2)/4

16 Detection of Hardware VMEs : TLB Method (Intel)
3. Execute CPUID
4. T3 ....... read memory 1
   T3+Z1 ... read memory 2
   T3+Z2 ... read memory 3
   T3+Z3 ... read memory 4
   DT (Detect Time) = ((T3+Z3)-T3)/4
5. If DT ~= CT, then physical
   If DT ~= FT, then virtual
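The decision rule of slides 15 and 16 written out as a function over three passes of four timestamps each. This is an added illustration, not code from the slides: it does no measurement itself, the timestamps below are constructed, and the tie case is reported as undecided rather than guessed.

```c
#include <stdint.h>

#define READS 4   /* each pass reads four memory locations, as on the slides */

typedef enum { TLB_PHYSICAL, TLB_VIRTUAL, TLB_UNDECIDED } tlb_verdict;

/* Per-read cost of one pass from its timestamps (T, T+X1, T+X2, T+X3):
 * ((T+X3) - T) / 4, which is how the slides define FT, CT and DT. */
uint64_t pass_time(const uint64_t ts[READS])
{
    return (ts[READS - 1] - ts[0]) / READS;
}

static uint64_t absdiff(uint64_t a, uint64_t b)
{
    return a > b ? a - b : b - a;
}

/* Slide 16's rule: a detect time near the cached time means the TLB entries
 * survived CPUID (physical hardware); a detect time near the fill time means
 * they were lost, as happens when CPUID causes a VM exit (virtual hardware). */
tlb_verdict tlb_classify(const uint64_t fill[READS],
                         const uint64_t cached[READS],
                         const uint64_t detect[READS])
{
    uint64_t ft = pass_time(fill);     /* FT: reads that had to fill the TLB */
    uint64_t ct = pass_time(cached);   /* CT: same reads with the TLB warm   */
    uint64_t dt = pass_time(detect);   /* DT: same reads after CPUID         */
    uint64_t to_ct = absdiff(dt, ct);
    uint64_t to_ft = absdiff(dt, ft);
    if (to_ct == to_ft)
        return TLB_UNDECIDED;
    return to_ct < to_ft ? TLB_PHYSICAL : TLB_VIRTUAL;
}

/* Constructed timestamps (not measurements): ~200 cycles per read when the
 * TLB must be filled, ~40 when it is warm; the post-CPUID pass is either. */
static const uint64_t sample_fill[READS]   = {1000, 1200, 1400, 1800};
static const uint64_t sample_cached[READS] = {2000, 2040, 2080, 2160};
static const uint64_t sample_warm[READS]   = {3000, 3045, 3090, 3180};
static const uint64_t sample_cold[READS]   = {4000, 4190, 4380, 4760};

tlb_verdict demo_physical(void) { return tlb_classify(sample_fill, sample_cached, sample_warm); }
tlb_verdict demo_virtual(void)  { return tlb_classify(sample_fill, sample_cached, sample_cold); }
```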

17 Detection of Hardware VMEs : L2 and MSRs
- L2 cache fill via PREFETCH
- Last Branch Record MSR
- Last Exception Record MSR
- Fixed-Function Performance Counter Register 0 (Core 2)

18 Pure Software VMEs
- CPU operation implemented entirely in software
- Emulated CPU does not have to match physical CPU
- Portable
- Can optionally support multiple CPU generations
- Examples
  - Hydra
  - Bochs
  - QEMU

19 Pure Software VMEs (Hybrid model)
- Commonly used by anti-virus software
- Emulates CPU and partial operating system
- CPU operation implemented entirely in software
- Examples
  - Atlantis
  - Sandbox

20 Malicious VMEs (SubVirt)
- Reduced-privilege guest
- Installs second operating system
- Runs on Windows and Linux
- Carries VirtualPC for Windows
- Carries VMware for Linux
- Difficult to detect compromised system

21 Detecting VMware
- IDT/GDT at high memory address
- Non-zero LDT
- Port 5658h
- Windows registry
- Video and ROM BIOS text strings
- Device names
- MAC address ranges

22 Detecting VirtualPC
- IDT/GDT at high memory address
- Non-zero LDT
- 0F 3F opcode
- 0F C7 C8 opcode
- Overly long instruction
- Device names

23 Detecting Parallels
- IDT/GDT at high memory address
- Non-zero LDT
- Device names

24 Detecting VirtualBox
- CPUID K7 Easter Egg
- CMPXCHG8B memory write
- Double-faulting CPU

25 Detecting Bochs
- [WB] INVD flushes TLBs
- REP CMPS/SCAS flags
- CPUID processor name
- CPUID AMD K7 Easter Egg
- 32-bit ARPL register corruption
- 16-bit segment wraparound
- Device names
- Undocumented opcodes and opcode maps

26 Attacking Bochs
- Bochs denial-of-service
  - Floppy with >18 sectors per track
  - Floppy with >512 bytes per sector
  - Non-ring0 SYSENTER CS MSR

27 Detecting Hydra
- REP MOVS/SCAS integer overflow
- 16-bit segment wraparound

28 Detecting QEMU
- CPUID processor name
- CPUID K7 Easter Egg
- CMPXCHG8B memory write
- Double-faulting CPU

29 Detecting Atlantis and Sandbox
- Unimplemented APIs
- Incorrectly-emulated APIs
  - Example: Beep() in Windows 9x vs Windows NT
- Unfortunately correct emulation
  - Example: not crashing on corrupted WMFs

30 Detecting Sandbox
- IDT at high memory address
- GDT in low memory address
- Non-zero LDT
- Misaligned IDT/GDT limits
- Unsupported common instructions
- Unexpected CPUID presence and behaviour
- CMPXCHG memory write
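The "CMPXCHG8B memory write" item on slides 24 and 28 (and "CMPXCHG memory write" on slide 30) comes down to one semantic an emulator author has to get right: on real hardware the destination operand receives a write cycle whether or not the comparison succeeds, so a read-only operand faults even on a mismatch. The model below is an added example, not code from the slides or from any of the emulators named; the shortcut variant selected by `always_write = false` is a hypothetical simplification, and the operand values are constructed.

```c
#include <stdint.h>
#include <stdbool.h>

/* Stand-in for an 8-byte guest memory operand and the guest registers. */
typedef struct { uint64_t qword; bool read_only; int write_cycles; } guest_m64;
typedef struct { uint32_t eax, ebx, ecx, edx; bool zf; } guest_regs;

/* Emulate CMPXCHG8B m64. With always_write set, behave as hardware does:
 * the destination gets a write cycle whether or not EDX:EAX matched, so a
 * read-only page faults (#PF) even when the comparison fails. Without it,
 * take the assumed shortcut (hypothetical, not any named emulator's code)
 * of touching memory only on a match. Returns true when it faults. */
bool emulate_cmpxchg8b(guest_regs *r, guest_m64 *m, bool always_write)
{
    uint64_t expected = ((uint64_t)r->edx << 32) | r->eax;
    uint64_t old = m->qword;
    bool match = (old == expected);
    if (match || always_write) {
        m->write_cycles++;
        if (m->read_only) return true;      /* fault, no state changes */
    }
    if (match) {
        m->qword = ((uint64_t)r->ecx << 32) | r->ebx;
        r->zf = true;
    } else {
        if (always_write)
            m->qword = old;                 /* write-back of the old value */
        r->edx = (uint32_t)(old >> 32); r->eax = (uint32_t)old;
        r->zf = false;
    }
    return false;
}

/* Regression check for an emulator: a mismatching compare against a
 * read-only operand must fault, as on a real CPU. Operand is constructed. */
bool faults_on_mismatch_readonly(bool always_write)
{
    guest_m64  m = { 0x1122334455667788ULL, true, 0 };
    guest_regs r = { 0, 0, 0, 0, false };   /* EDX:EAX = 0: no match */
    return emulate_cmpxchg8b(&r, &m, always_write);
}

/* Writable operand that matches: both variants must store ECX:EBX. */
uint64_t swap_on_match(bool always_write)
{
    guest_m64  m = { 0x1122334455667788ULL, false, 0 };
    guest_regs r = { 0x55667788u, 0xddddddddu, 0xccccccccu, 0x11223344u, false };
    emulate_cmpxchg8b(&r, &m, always_write);
    return m.qword;
}
```

Only the hardware-faithful variant faults in `faults_on_mismatch_readonly`; the two variants are indistinguishable on an ordinary writable operand, which is why the edge case needs its own test.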

31 Detecting CWSandbox
- cws_[pid]_mutex
- cws_[pid]_event_data
- cws_[pid]_event_result
- cws_[pid]_mapping
- 290 hooked APIs!
- 10 hooked methods

32 Escaping from CWSandbox
- Step 1. FreeLibrary(GetModuleHandleA("cwmonitor"))
- Step 2. …that’s it.

33 What can we do?
- Reduced-privilege guests
  - Nothing
- VirtualPC
  - Intercept SIDT
  - Check for maximum instruction length
  - Remove custom CPUID processor name
- Bochs, Hydra, QEMU
  - Bug fixes
- Full stealth should be possible

34 Copyright © 2007 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Thank You! Peter Ferrie