How Open Source Project Xen Puts Security Ahead of Emerging Threats


1 How Open Source Project Xen Puts Security Ahead of Emerging Threats
Mihai Donțu, Bitdefender Andrei Florescu, Bitdefender

2 In An Ideal World…

3 OSes would be designed differently
Humans would not code

4 … In The Real World

5 OSes are flawed by design
Humans (still) code

6 Perfect St[w]orms
Vulnerability in widely-used services or protocols
Vulnerability remotely exploitable
Vulnerable service exposed to the outside world
Both servers and workstations vulnerable
Vulnerability affects the OS kernel
All of the above together: “Wormable”

7 Some Examples?

8 MS08-067 – MS NetAPI32 Vulnerability
1 AD… Vulnerability present and exploitable
09/25/2008 MS caught wind of the 0-day through WER (Windows Error Reporting)
10/23/2008 Out-of-band patch released
11/2008 Conficker/Downadup worm released in the wild
1/2009 Infected >9 million systems, including defense, government and commercial networks

9 … 9 years later

10 MS17-010 – MS SMB v1 Vulnerability (EternalBlue)
1 AD… Vulnerability present and exploitable
3/14/2017 MS released the patch (on a Tuesday)
4/14/2017 Some bad people released a public exploit: EternalBlue
5/12/2017 WannaCry released in the wild; over 300k systems infected in 3 days
6/27/2017 NotPetya released

11 So What Really Changed?

12 In Reality…
Vulns & Exploit Branding!
Next-Gen Stuff
OS-based Exploit Mitigation: DEP, ASLR, SafeSEH, SEHOP
In-Guest Security Tools: Endpoint Detection and Response (EDR), Threat-hunting, Sandboxing, Incident Response

13 Back To The Ideal World…
Generic Exploit Prevention
Isolated From Attackable Surface
No Prior Knowledge Required
Real-Time Alerts
Forensics Details Provided

14 HVI Demo: Defeating EternalBlue

15 Open Source Collaboration


17 Project History
2003 First notable academic research (by Garfinkel & Rosenblum)
2008 First proof of concept on Xen (Ether)
2010 Started working on a VMI-based security technology using a custom hypervisor
2012 First proof of concept with Xen
2014 Started working with the Xen Project community on improving and extending Xen’s VMI features
2014 Intel announced the first CPU features aimed at speeding up VMI
2016 First beta for Bitdefender’s HVI technology
2017 First commercial release with Citrix XenServer 7.0 (Xen 4.6)

18 How HVI Works
Uses the VMI capabilities of Xen (xen-access, vm_event)
Builds a "shadow" state of the OS
Enforces certain access restrictions on:
  Code (kernel or user application)
  Stack
  Heap
  Data
  Driver objects (Windows)
  IDT/GDT etc.
  Sensitive MSRs (e.g. MSR_LSTAR)

19 Architecture Overview
XenServer Hypervisor (Networking, Storage, Compute), exposing the Direct Inspect APIs
Control Domain (dom0)
Security Appliance (domU) running the Memory Introspection Engine
Guest Critical Memory Access events are delivered by the hypervisor to the Memory Introspection Engine

20 A Closer Look: EternalBlue

21 MS17-010: The Vulnerability
Integer truncation: the list size, computed as a DWORD by subtraction, is stored into a WORD
Buffer overflow: memmove operation in srv!SrvOs2FeaToNt
Arbitrary write-what-where primitive (classic heap spraying & grooming to gain RCE)
RIP is hijacked in srvnet!SrvNetWskReceiveComplete
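The two srv.sys steps behind the truncation, as an added example that is not part of the presentation and not the Windows code: a simplified model of SrvOs2FeaListSizeToNt (sizes the NT buffer and writes the consumed length back into cbList) and of the walk in SrvOs2FeaToNt (trusts that cbList when copying). The FEA list is constructed here, not the EternalBlue packet; the only difference between the vulnerable and patched variant is whether the write-back is a WORD or a DWORD store.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* OS/2 FEA list as srv.sys receives it in an SMB transaction: a 4-byte cbList
 * followed by packed records fEA(1) cbName(1) cbValue(2) name[cbName+1] value[cbValue]. */
#define FEA_LIST_HDR 4u
#define FEA_REC_HDR  5u   /* fixed part of a record, including the name's NUL */
#define NT_FEA_HDR   8u   /* fixed part of FILE_FULL_EA_INFORMATION */

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void     wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static void     wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
static uint32_t align4(uint32_t n) { return (n + 3u) & ~3u; }

static uint32_t os2_rec_len(const uint8_t *rec) { return FEA_REC_HDR + rec[1] + rd16(rec + 2); }
static uint32_t nt_rec_len(const uint8_t *rec)  { return align4(NT_FEA_HDR + rec[1] + 1u + rd16(rec + 2)); }

/* Models SrvOs2FeaListSizeToNt: counts the records that fit inside cbList,
 * returns the NT buffer size to allocate and writes the consumed length back
 * into cbList. MS17-010 is the width of that write-back: a WORD store leaves
 * the high 16 bits of cbList untouched, so cbList can grow instead of shrink. */
static uint32_t os2_fea_list_size_to_nt(uint8_t *list, bool patched) {
    uint32_t cb_list = rd32(list), off = FEA_LIST_HDR, nt_size = 0;
    while (off < cb_list) {
        if (off + FEA_REC_HDR > cb_list || off + os2_rec_len(list + off) > cb_list) break;
        nt_size += nt_rec_len(list + off);
        off += os2_rec_len(list + off);
    }
    if (patched) wr32(list, off);            /* full DWORD */
    else         wr16(list, (uint16_t)off);  /* vulnerable: low WORD only */
    return nt_size;
}

/* Models the walk in SrvOs2FeaToNt, which trusts the updated cbList as the end
 * of input; returns how many bytes its memmove calls would write into the NT
 * buffer. buf_len only keeps this simulation inside our own allocation. */
static uint32_t os2_fea_to_nt_bytes(const uint8_t *list, size_t buf_len) {
    uint32_t cb_list = rd32(list), off = FEA_LIST_HDR, written = 0;
    while (off < cb_list && off + FEA_REC_HDR <= buf_len) {
        uint32_t len = os2_rec_len(list + off);
        if (off + len > cb_list || off + len > buf_len) break;
        written += nt_rec_len(list + off);
        off += len;
    }
    return written;
}

/* Constructed input (not the real packet): cbList claims 0x10000 bytes, but the
 * transaction buffer behind the list is attacker data as well, so 0x20000 bytes
 * are filled with identical 261-byte records (cbName = 0, cbValue = 0x100). */
#define BUF_LEN   0x20000u
#define VALUE_LEN 0x100u

static uint8_t *build_fea_list(void) {
    uint8_t *buf = calloc(BUF_LEN, 1);
    if (buf == NULL) abort();
    wr32(buf, 0x10000u);
    for (uint32_t off = FEA_LIST_HDR; off + FEA_REC_HDR + VALUE_LEN <= BUF_LEN; off += FEA_REC_HDR + VALUE_LEN) {
        buf[off] = 0; buf[off + 1] = 0;          /* fEA, cbName */
        wr16(buf + off + 2, VALUE_LEN);          /* cbValue */
        buf[off + 4] = '\0';                     /* empty name */
        memset(buf + off + FEA_REC_HDR, 'A', VALUE_LEN);
    }
    return buf;
}

/* Runs both steps and reports the allocation, the bytes the copy would write,
 * and the cbList value after the write-back. */
static void fea_demo(bool patched, uint32_t *alloc, uint32_t *written, uint32_t *cb_after) {
    uint8_t *list = build_fea_list();
    *alloc = os2_fea_list_size_to_nt(list, patched);
    *cb_after = rd32(list);
    *written = os2_fea_to_nt_bytes(list, BUF_LEN);
    free(list);
}

int main(void) {
    uint32_t a, w, c;
    fea_demo(false, &a, &w, &c);
    printf("vulnerable: cbList 0x%x, alloc %u, would write %u (overflow %u bytes)\n", c, a, w, w - a);
    fea_demo(true, &a, &w, &c);
    printf("patched:    cbList 0x%x, alloc %u, would write %u\n", c, a, w);
    return 0;
}
```

With the WORD store, cbList goes from 0x10000 to 0x1FFEB (the high word survives), so the copy walks far past the records that were sized and overflows the pool allocation; with the DWORD store, cbList becomes 0xFFEB and the copy writes exactly the allocated size.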

22 MS17-010: Exploiting The Vulnerability
The exploit uses MDLs (Memory Descriptor Lists) to control the source and destination of the arbitrary writes
ASLR is bypassed by using hard-coded memory regions:
  HalHeap is located at 0xffffffffffd00000 (fixed in Windows 10 Creators Update, Redstone 2, April 2017)
  Page-table addresses are also “hard-coded”: self-mapped at PML4 entry 0x1ed (fixed in Windows 10 Anniversary Update, Redstone 1, August 2016)
DEP is disabled on the HalHeap region by directly editing the page tables
The payload is placed inside the HalHeap
The handler for the connection close is overwritten and offers RCE
The shellcode is executed when the connection is closed
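How a hard-coded self-map index turns into page-table addresses, as an added example (not the presenters' code and not the exploit): the general form of the PTE/PDE/PDPTE/PML4E address computation for any self-map index and any level, with the DEP bypass applied to a constructed page table rather than a live one. The HalHeap address is the one from the slide; the PTE contents are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define PT_NX (1ULL << 63)   /* execute-disable bit of every x64 paging entry */

/* Base of the linear page-table window for a self-map at PML4 index idx.
 * Level 1 = PTEs, 2 = PDEs, 3 = PDPTEs, 4 = PML4Es: each extra level folds the
 * self-map index in once more. idx 0x1ed gives the pre-1607 constants
 * 0xFFFFF68000000000 / 0xFFFFF6FB40000000 / 0xFFFFF6FB7DA00000 / 0xFFFFF6FB7DBED000. */
static uint64_t self_map_base(unsigned idx, unsigned level) {
    uint64_t base = 0xFFFF000000000000ULL | ((uint64_t)idx << 39);
    if (level >= 2) base |= (uint64_t)idx << 30;
    if (level >= 3) base |= (uint64_t)idx << 21;
    if (level >= 4) base |= (uint64_t)idx << 12;
    return base;
}

/* Virtual address of the paging entry that maps va at the given level.
 * Level 1 is the familiar MiGetPteAddress: base + ((va >> 9) & 0x7FFFFFFFF8). */
static uint64_t pt_entry_va(unsigned idx, unsigned level, uint64_t va) {
    unsigned shift = 9u * level;                                    /* 9, 18, 27, 36 */
    uint64_t mask  = (0x8000000000ULL >> (9u * (level - 1))) - 8;   /* 0x7FFFFFFFF8 ... 0xFF8 */
    return self_map_base(idx, level) + ((va >> shift) & mask);
}

/* Index of va's PTE inside its page table: low 12 bits of the PTE address
 * divided by the 8-byte entry size (equivalently (va >> 12) & 0x1FF). */
static unsigned pte_index(unsigned idx, uint64_t va) {
    return (unsigned)((pt_entry_va(idx, 1, va) & 0xFFF) / 8);
}

/* The exploit's DEP bypass, on a simulated 512-entry page table: clear NX on
 * the PTE that maps va. Returns the index that was modified. */
static unsigned make_page_executable(uint64_t *page_table, unsigned idx, uint64_t va) {
    unsigned i = pte_index(idx, va);
    page_table[i] &= ~PT_NX;
    return i;
}

int main(void) {
    const uint64_t hal_heap = 0xFFFFFFFFFFD00000ULL;   /* HalHeap base from the slide */
    for (unsigned level = 1; level <= 4; level++)
        printf("level %u entry for 0x%016llx at 0x%016llx\n", level,
               (unsigned long long)hal_heap, (unsigned long long)pt_entry_va(0x1ed, level, hal_heap));
    uint64_t pt[512] = {0};
    pt[pte_index(0x1ed, hal_heap)] = PT_NX | 0x0000000002C00063ULL;  /* constructed: present, writable, NX */
    unsigned i = make_page_executable(pt, 0x1ed, hal_heap);
    printf("PTE[%u] after: 0x%016llx (NX %s)\n", i, (unsigned long long)pt[i],
           (pt[i] & PT_NX) ? "set" : "cleared");
    return 0;
}
```

Every address the exploit needs follows from the single index 0x1ed, which is why randomizing that index (Anniversary Update) breaks the page-table write and randomizing the HalHeap base (Creators Update) breaks the payload placement.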

23 MS17-010: The Payload – Stage 1
1. Trick to determine if the OS is 32 or 64 bit; if 32 bit then bail out, else continue execution (in this example)
2. Read Model Specific Register (MSR) 0xC0000082 (IA32_LSTAR) and save it. This MSR contains the kernel address of the SYSCALL handling routine: any SYSCALL made by a user-mode app ends up running the code pointed to by IA32_LSTAR
3. Modify the IA32_LSTAR MSR so that it points to the main payload inside the HalHeap

24 MS17-010: The Payload – Stage 2
4. As soon as any application issues a SYSCALL, the main payload gains code execution
It restores the original SYSCALL handler (the saved IA32_LSTAR value)
It does whatever the payload was programmed to do; this is the main functionality of the exploit

25 MS17-010: The Payload – Stage 3
The stage 3 payload:
Iterates all the loaded drivers, searching for the SMB server driver (srv.sys)
Overwrites the SrvTransactionNotImplemented entry inside the SrvTransaction2DispatchTable => backdoor
Next time someone wants to see if a system has been compromised, they can simply “knock” and see if DoublePulsar responds

26 … and HVI Defeats EternalBlue

27 MS17-010: Preventing Exploitation
1. Trick to determine if the OS is 32 or 64 bit; if 32 bit then bail out, else continue execution (in this example)
2. Read Model Specific Register (MSR) 0xC0000082 (IA32_LSTAR) and save it. This MSR contains the kernel address of the SYSCALL handling routine: any SYSCALL made by a user-mode app ends up running the code pointed to by IA32_LSTAR
3. The IA32_LSTAR MSR is protected against modifications. Although the stage 1 payload may get code execution, it cannot ensure the execution of the main payload; the main payload will never run
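The decision the introspection engine takes on a trapped WRMSR, as an added example covering slides 18, 23 and 27; this is not Bitdefender's HVI code and not Xen's vm_event API. The event layout, the shadow-state structure, the kernel image range and all addresses are constructed for the example; the HalHeap address is the one from the slides. The three replayed writes are a benign MSR update, the stage 1 LSTAR hijack, and the restore that stage 2 would perform if it ever ran.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IA32_SYSENTER_EIP 0x00000176u
#define IA32_STAR         0xC0000081u
#define IA32_LSTAR        0xC0000082u
#define IA32_TSC_AUX      0xC0000103u

/* Fields of an MSR-write event the policy needs (constructed layout, not
 * Xen's vm_event_request_t). The write has trapped but has not happened yet. */
typedef struct {
    uint16_t vcpu;
    uint32_t msr;
    uint64_t old_value;
    uint64_t new_value;
    uint64_t rip;          /* guest RIP of the WRMSR instruction */
} msr_write_event;

typedef struct {
    bool deny;
    char reason[128];      /* goes into the real-time alert */
} verdict;

/* Shadow state: the trusted value of each sensitive MSR, captured when the
 * engine attaches, plus a trusted kernel image range (an assumption of this
 * example, used only to enrich the alert with forensic detail). */
typedef struct { uint32_t msr; uint64_t trusted; } msr_shadow;

typedef struct {
    msr_shadow shadow[8];
    unsigned count;
    uint64_t kernel_lo, kernel_hi;
} introspection_engine;

static void engine_protect(introspection_engine *e, uint32_t msr, uint64_t value) {
    if (e->count < 8) {
        e->shadow[e->count].msr = msr;
        e->shadow[e->count].trusted = value;
        e->count++;
    }
}

static const msr_shadow *engine_lookup(const introspection_engine *e, uint32_t msr) {
    for (unsigned i = 0; i < e->count; i++)
        if (e->shadow[i].msr == msr) return &e->shadow[i];
    return NULL;
}

/* Policy for one trapped WRMSR. Unprotected MSRs pass; a protected MSR may be
 * written only with its shadow value (restoring the original handler);
 * everything else is denied, with detail, before the guest state changes. */
static verdict engine_on_msr_write(const introspection_engine *e, const msr_write_event *ev) {
    verdict v = { false, "" };
    const msr_shadow *s = engine_lookup(e, ev->msr);
    if (s == NULL) {
        snprintf(v.reason, sizeof v.reason, "msr 0x%x not protected, allowed", ev->msr);
        return v;
    }
    if (ev->new_value == s->trusted) {
        snprintf(v.reason, sizeof v.reason, "msr 0x%x restored to trusted value, allowed", ev->msr);
        return v;
    }
    bool outside_kernel = ev->new_value < e->kernel_lo || ev->new_value >= e->kernel_hi;
    v.deny = true;
    snprintf(v.reason, sizeof v.reason,
             "DENIED vcpu %u rip 0x%llx: msr 0x%x 0x%llx -> 0x%llx%s",
             ev->vcpu, (unsigned long long)ev->rip, ev->msr,
             (unsigned long long)ev->old_value, (unsigned long long)ev->new_value,
             outside_kernel ? " (target outside kernel image)" : "");
    return v;
}

/* Constructed scenario: attach to a guest whose SYSCALL handler lives in the
 * kernel image, then replay three writes. Returns how many were denied;
 * out[] receives the per-event verdicts. */
static unsigned replay_stage1_writes(verdict out[3]) {
    introspection_engine e = { .count = 0,
                               .kernel_lo = 0xFFFFF80000000000ULL,    /* constructed */
                               .kernel_hi = 0xFFFFF80000800000ULL };
    const uint64_t kernel_syscall_handler = 0xFFFFF80000172F00ULL;    /* constructed */
    const uint64_t hal_heap_payload       = 0xFFFFFFFFFFD00300ULL;    /* inside the HalHeap from the slides */
    engine_protect(&e, IA32_LSTAR, kernel_syscall_handler);
    engine_protect(&e, IA32_STAR, 0x0023001000000000ULL);
    engine_protect(&e, IA32_SYSENTER_EIP, 0);

    const msr_write_event events[3] = {
        /* benign: kernel code updating TSC_AUX */
        { 0, IA32_TSC_AUX, 0, 1, kernel_syscall_handler + 0x1000 },
        /* stage 1 payload hijacking LSTAR from the HalHeap */
        { 1, IA32_LSTAR, kernel_syscall_handler, hal_heap_payload, hal_heap_payload - 0x40 },
        /* what stage 2 would do: put the original handler back */
        { 1, IA32_LSTAR, hal_heap_payload, kernel_syscall_handler, hal_heap_payload + 0x10 },
    };
    unsigned denied = 0;
    for (int i = 0; i < 3; i++) {
        out[i] = engine_on_msr_write(&e, &events[i]);
        denied += out[i].deny ? 1u : 0u;
    }
    return denied;
}

int main(void) {
    verdict v[3];
    unsigned denied = replay_stage1_writes(v);
    for (int i = 0; i < 3; i++) printf("event %d: %s\n", i, v[i].reason);
    printf("%u of 3 writes denied\n", denied);
    return 0;
}
```

The shadow value is captured before any attacker code runs, so the engine needs no signature of the payload: it denies the LSTAR write because the new value is not the one it recorded, and the alert carries the vCPU, the RIP inside the HalHeap and both handler addresses.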

28 MS17-010: Preventing Exploitation
The SMB server drivers are protected against modifications, and the SrvTransaction2DispatchTable is located inside such a driver (srv.sys)
The backdoor cannot be installed on the system
… although it never gets to this, because the attack was already blocked at stage 1

29 Future Work
Expand the protection over more OS areas (e.g. HAL’s heap)
Prevent credential theft from Windows LSASS
Integrate more hardware features to accelerate VMI (e.g. Intel’s #VE)
Extract more context out of the guest to improve attack analysis (opened connections, accessed files etc.)
Help create an ecosystem for VMI-based security tools to which more organizations can contribute

30 Conclusions
1. VMI is Changing the Security Industry
2. Commercial Implementations Are Available
3. Open-source Collaboration is Key

31 Time For Questions!


