Presentation is loading. Please wait.

Presentation is loading. Please wait.

Attacks on Virtual Machine Emulators Peter Ferrie, Security Architect 4 October, 2007.

Published byPenelope Mullady Modified over 9 years ago

Similar presentations

Presentation on theme: "Attacks on Virtual Machine Emulators Peter Ferrie, Security Architect 4 October, 2007."— Presentation transcript:

1 Attacks on Virtual Machine Emulators Peter Ferrie, Security Architect 4 October, 2007

2 2 Agenda Attack Types1 Types of Virtual Machine Emulators2 Detection of Hardware VMEs3 Detection of Software VMEs4 What can we do?5

3 3 Attack Types Detection Denial-of-service Escape!

4 4 Attack Types : Detection

5 5

6 6 Attack Types : Denial-of-Service

7 7 Attack Types : Escape!

8 8

9 9 Types of Virtual Machine Emulators Virtual Machine Emulators Hardware-Bound Pure Software Hardware-Assisted Reduced-Privilege Guest

10 10 Reduced-Privilege Guest VMEs Software-based virtualization of important data structures and registers Guest runs at lower privilege level than before No way to avoid notification of all CPU events

11 11 Reduced-Privilege Guest VMEs VMware Xen Parallels VirtualBox

12 12 Hardware-Assisted VMEs Uses CPU-specific instructions to place system into virtual mode Guest privileges unchanged Separate host and guest copies of important data structures and registers Guest copies have no effect on the host Host can request notification of specific CPU events

13 13 Hardware-Assisted VMEs BluePill Vitriol Xen 3.x Virtual Server 2005 Parallels

14 14 Detection of Hardware VMEs : TSC Method Physical Hardware Virtual Hardware T1……Instruction 1 T1.……..Instruction 1 T1+1...Instruction 2 T1+1…..Instruction 2 T1+2...Instruction 3 T1+2…..[VM fault] T1+N….Instruction 3 where N is a large number

15 15 Detection of Hardware VMEs : TLB Method T1………read memory 1 T1+X1…read memory 2 T1+X2…read memory 3 T1+X3…read memory 4 FT (Fill Time) = ((T1+X3)-T1)/4 T2………read memory 1 T2+Y1…read memory 2 T2+Y2…read memory 3 T2+Y3…read memory 4 CT (Cached Time) = ((T2+Y3)-T2)/4 1 2

16 16 Detection of Hardware VMEs : TLB Method Execute CPUID T3………read memory 1 T3+Z1…read memory 2 T3+Z2…read memory 3 T3+Z3…read memory 4 DT (Detect Time) = ((T3+Z3)-T3)/4 If DT ~= CT, then physical If DT ~= FT, then virtual 3 4 5

17 17 Detection of Hardware VMEs : L2 and MSRs L2 cache fill via PREFETCH Last Branch Record MSR Last Exception Record MSR Fixed-Function Performance Counter Register 0 (Core 2)

18 18 Pure Software VMEs CPU operation implemented entirely in software Emulated CPU does not have to match physical CPU Portable Can optionally support multiple CPU generations Examples –Hydra –Bochs –QEMU

19 19 Pure Software VMEs (Hybrid model) Commonly used by anti-virus software Emulates CPU and partial operating system CPU operation implemented entirely in software Examples –Atlantis –Sandbox

20 20 Malicious VMEs (SubVirt) Reduced-privilege guest Installs second operating system Runs on Windows and Linux Carries VirtualPC for Windows Carries VMware for Linux Difficult to detect compromised system

21 21 Malicious VMEs (BluePill) Hardware-assisted VME Actively tries to hide itself Not persistent, aids stealth Runs on Windows, AMD SVM only Detection of VME != detection of BluePill BluePill has bugs and unimplemented features That behaviour allows identification and even recognition! It’s a hack, but that’s okay – BluePill tech is a dead end

22 22 Malicious VMEs (Vitriol) Hardware-assisted VME No stealthing capabilities Runs on OS X, Intel VT-x only

23 23 Detecting VMware IDT/GDT at high memory address Non-zero LDT Port 5658h Windows registry Video and ROM BIOS text strings Device names MAC address ranges

24 24 Detecting VirtualPC IDT/GDT at high memory address Non-zero LDT 0F 3F opcode 0F C7 C8 opcode Overly long instruction Device names

25 25 Detecting Xen Documented hypercall (int 82) interface

26 26 Detecting Parallels IDT/GDT at high memory address Non-zero LDT Device names

27 27 Detecting VirtualBox CPUID K7 Easter Egg CMPXCHG8B memory write Double-faulting CPU

28 28 Detecting Bochs [WB] INVD flushes TLBs REP CMPS/SCAS flags CPUID processor name CPUID AMD K7 Easter Egg 32-bit ARPL register corruption 16-bit segment wraparound Device names Undocumented opcodes and opcode maps

29 29 Attacking Bochs Bochs denial-of-service –Floppy with >18 sectors per track –Floppy with >512 bytes per sector –Non-ring0 SYSENTER CS MSR

30 30 Detecting Hydra REP MOVS/SCAS integer overflow 16-bit segment wraparound

31 31 Detecting QEMU CPUID K7 Easter Egg CMPXCHG8B memory write Double-faulting CPU

32 32 Detecting Atlantis and Sandbox Unimplemented APIs Incorrectly-emulated APIs –Example: Beep() in Windows 9x vs Windows NT Incorrectly-emulated operating-system behaviour –Example: illegal instruction sequence containing value F0 –Windows returns “invalid lock” instead of “illegal instruction”

33 33 Detecting Sandbox IDT at high memory address GDT in low memory address Non-zero LDT Misaligned IDT/GDT limits Unsupported common instructions Unexpected CPUID presence and behaviour CMPXCHG memory write

34 34 Detecting CWSandbox cws_[pid]_mutex cws_[pid]_event_data cws_[pid]_event_result cws_[pid]_mapping 290 hooked APIs! 10 hooked methods

35 35 Escaping from CWSandbox Step 1. FreeLibrary(GetModuleHandleA("cwmonitor")) Step 2. …that’s it.

36 36 What can we do? Reduced-privilege guests –Nothing VirtualPC –Intercept SIDT –Check for maximum instruction length –Remove custom CPUID processor name Bochs, Hydra, QEMU –Bug fixes Full stealth should be possible This is all short-term and not very interesting

37 37 What’s in the future? VMEs will be in hardware/OS and always present BluePill-style attacks will go away VMEs will support third-party plug-ins (AV, IDS, crypto, …) Plug-ins will have bugs, like kernel-mode drivers now Plug-ins will be exploited -> compromised VME Periodic measurement (eg PatchGuard) -> race condition Can’t measure everything anyway So, much harder to detect Now *that* is scary.

38 38 Copyright © 2007 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. Thank You! Peter Ferrie peter_ferrie@symantec.com

Download ppt "Attacks on Virtual Machine Emulators Peter Ferrie, Security Architect 4 October, 2007."

Similar presentations

EUROSEC 2011 Gábor Pék, Boldizsár Bencsáth and Levente Buttyán Laboratory of Cryptography and Systems Security Budapest University of Technology and Economics.

EUROSEC 2011 Gábor Pék, Boldizsár Bencsáth and Levente Buttyán Laboratory of Cryptography and Systems Security Budapest University of Technology and Economics.
Attacks on Virtual Machine Emulators Peter Ferrie, Senior Principal Researcher 12 April, 2007.

Attacks on Virtual Machine Emulators Peter Ferrie, Senior Principal Researcher 12 April, 2007.
Using VMX within Linux We explore the feasibility of executing ROM-BIOS code within the Linux x86_64 kernel.

Using VMX within Linux We explore the feasibility of executing ROM-BIOS code within the Linux x86_64 kernel.
E Virtual Machines Lecture 3 Memory Virtualization

E Virtual Machines Lecture 3 Memory Virtualization
Anh M. Nguyen, Nabil Schear, HeeDong Jung, Apeksha Godiyal, Samuel T.King University of Illionis at Urbana-Champaign Hai D. Nguyen Hanoi University of.

Anh M. Nguyen, Nabil Schear, HeeDong Jung, Apeksha Godiyal, Samuel T.King University of Illionis at Urbana-Champaign Hai D. Nguyen Hanoi University of.
Symantec De-Duplication Solutions Complete Protection for your Information Driven Enterprise Richard Hobkirk Sr. Pre-Sales Consultant.

Symantec De-Duplication Solutions Complete Protection for your Information Driven Enterprise Richard Hobkirk Sr. Pre-Sales Consultant.
Contiki A Lightweight and Flexible Operating System for Tiny Networked Sensors Presented by: Jeremy Schiff.

Contiki A Lightweight and Flexible Operating System for Tiny Networked Sensors Presented by: Jeremy Schiff.
Memory Management (II)

Memory Management (II)
Xen and the Art of Virtualization A paper from the University of Cambridge, presented by Charlie Schluting For CS533 at Portland State University.

Xen and the Art of Virtualization A paper from the University of Cambridge, presented by Charlie Schluting For CS533 at Portland State University.
1 When Cloud Networking meets Cloud Computing: Software-Defined Networking (SDN) Customer Application Faan DeSwardt Infrastructure Architecture Manager.

1 When Cloud Networking meets Cloud Computing: Software-Defined Networking (SDN) Customer Application Faan DeSwardt Infrastructure Architecture Manager.
Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.

Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.
Virtual Machine Monitors CSE451 Andrew Whitaker. Hardware Virtualization Running multiple operating systems on a single physical machine Examples:  VMWare,

Virtual Machine Monitors CSE451 Andrew Whitaker. Hardware Virtualization Running multiple operating systems on a single physical machine Examples:  VMWare,
LINUX Virtualization Running other code under LINUX.

LINUX Virtualization Running other code under LINUX.
Xen and the Art of Virtualization. Introduction  Challenges to build virtual machines Performance isolation  Scheduling priority  Memory demand  Network.

Xen and the Art of Virtualization. Introduction  Challenges to build virtual machines Performance isolation  Scheduling priority  Memory demand  Network.
To run the program: To run the program: You need the OS: You need the OS:

To run the program: To run the program: You need the OS: You need the OS:
What are Exception and Interrupts? MIPS terminology Exception: any unexpected change in the internal control flow – Invoking an operating system service.

What are Exception and Interrupts? MIPS terminology Exception: any unexpected change in the internal control flow – Invoking an operating system service.
CSE 451: Operating Systems Winter 2012 Module 18 Virtual Machines Mark Zbikowski and Gary Kimura.

CSE 451: Operating Systems Winter 2012 Module 18 Virtual Machines Mark Zbikowski and Gary Kimura.
Tanenbaum 8.3 See references

Tanenbaum 8.3 See references
Chapter 3.1:Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access.

Chapter 3.1:Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access.
Microkernels, virtualization, exokernels Tutorial 1 – CSC469.

Microkernels, virtualization, exokernels Tutorial 1 – CSC469.

Similar presentations

Ads by Google