SlideShare uma empresa Scribd logo

Gal Diskin - Virtually Impossible

DefconRussia
DefconRussia
Tecnologia
1 de 43
Baixar para ler offline
-CONFIDENTIAL- Virtually Impossible The Reality of Virtualization Security Gal Diskin / Chief Research Officer / Cyvera LTD.
-CONFIDENTIAL- /WhoAmI ? • Chief Research Officer @ Cvyera LTD • Formerly Security Evaluation Architect of the Software & Services Group @ Intel® • Before that – Entrepreneur, Consultant, IDF • Always a security “enthusiast”  – Personal focus areas: • • • • DBI, Fuzzing & Automated exploitation Exploitation techniques & Mitigations Vehicles & Traffic systems Embedded systems
-CONFIDENTIAL- ThankZ & GreetZ • My wife – For tolerating me doing security research • Everyone at Cyvera, special thanks to: – Harel Baris for help with the presentation design – Gal Badishi and Ariel Cohen for reviewing • All Intel security people – Especially my old team
-CONFIDENTIAL- What I will talk about today Beyond why virtualization is virtually impossible to secure… • Hardware assisted virtualization • SW stacks and different virtualization approaches and related weaknesses • The complexity in memory management and related weaknesses • Computer platforms internals and related weaknesses • Finally, I will present a small taxonomy of attacks against virtualization • Special bonus – potential VM escape ;-)
-CONFIDENTIAL- What is Virtualization? • In the context of this talk replacing the CPU and computer platform with a virtual environment • A bit of history: – Turing’s universal computing machine – Popek and Goldberg virtualization requirements
-CONFIDENTIAL- Terminology • A Virtual Machine Manager (VMM) is the software virtualizing privileged instructions and hardware • A Virtual Machine (VM) is a software stack running under a VMM • A Guest OS is the operating system of a VM • A Host OS is the operating system controlling the VMM • Root operation is when you execute inside a VMM
-CONFIDENTIAL- What is “secure” virtualization? Security Goals: – Prevent modification of VMM and host OS by guests – Prevent guest OS from modifying another guest – Prevent guest from subverting hardware or firmware* – Prevent guest from stealing data from other guest OS / host OS / VMM* – Prevent DOS by guest OS* or getting unfair share of resources relative to other guests* – Keep guest OS secure – don’t harm normal OS defenses* * Depending on the hypervisor design, might be a non-goal
-CONFIDENTIAL- SOFTWARE STACKS Piling different pieces of software
-CONFIDENTIAL- Software Stack Type 1 Hypervisor Process 1 Process 2 Process 3 Process 1 Process 2 Process 3 System Calls VM EXIT Guest Operating System 2 Guest Operating System 1 VM Exits / Entries VM Entry Virtual Machine Manager (Hypervisor / VMM) Instruction Set Hardware
-CONFIDENTIAL- Software Stack Type 2 Hypervisor Process 1 Process 2 Process 3 Virtualized System Calls Guest Operating System VM Exits / Entries Process 1 Process 2 Process 3 VMM System Calls Host Operating System Instruction Set Hardware
-CONFIDENTIAL- ISA emulation challenges • A VMM needs to emulate every instruction or event it registers on • A VMM must register to a certain set of instructions and x86 events known as the “fixed-1 exits” – e.g: CPUID, GETSEC, INVD, XSETBV and various VT ISA • ISA emulation challenges – Specification – Corner cases – Deciding if the guest has the right privilege from root operation is hard • Confused deputy situation…
-CONFIDENTIAL- Software Stack SMM with VMM RSM #SMI Process 1 SMM Process 2 Process 3 Process 1 Process 2 Process 3 System Calls Guest OS 2 Guest OS 1 VM Exits / Entries Virtual Machine Manager (Hypervisor / VMM) Instruction Set Hardware
-CONFIDENTIAL- Software Stack SMM Transfer Monitor (STM) Process 1 Process 2 Process 3 Process 1 Process 2 Process 3 SMM System Calls Guest OS 2 Guest OS 1 VM Exits / Entries STM Virtual Machine Manager (Hypervisor / VMM) Instruction Set Hardware
-CONFIDENTIAL- Micro-VMMs Process 1 Process 2 Process 3 System Calls Guest Operating System VM Exits / Entries Micro VMM Instruction Set Hardware
-CONFIDENTIAL- Section summary • There are many ways to use hardware virtualization technology: – Type I, Type II, Micro-VMMs, … • Each approach has its own unique challenges: – Full HW virtualization: Secure a big implementation of SW emulation for all HW – Para-virtualization: Secure the guest OS interface with the host OS – All implementations: Emulate ISA correctly and securely – Micro-VMMs: Defend from HW subversion • SMM is too privileged and where are the STMs?
-CONFIDENTIAL- MEMORY Where did I put that instruction?
-CONFIDENTIAL- Memory is simple, right? 0xFF…...FF 0x12345678 0xABABABAB 0x00……00
Memory – Intel manual -CONFIDENTIAL-
-CONFIDENTIAL- Memory – Address Translations Linear addressing DRAM System view Guest physical 0xFF…...FF 0x12345678 0xABABABAB Paging translation EPT translation MCH mappings 0x00……00 * MCH = Memory Control Hub (MMU) ** Segmentation adds another translation and the cache adds a whole new translation path
-CONFIDENTIAL- Memory – point of view CPU MCH DRAM Devices CPU CPU CPU
Memory – MMIO -CONFIDENTIAL-
-CONFIDENTIAL- Special address ranges
-CONFIDENTIAL- Cache! Sorry, out of scope for today– there is no end to it once you start discussing cache and security Suffice to say that it adds another translation layer and that it is complex and performance oriented performance Security
-CONFIDENTIAL- Section summary • Memory is complex! • Attackers with access to MMIO or physical memory addresses can compromise anything on the system • Access to special address ranges is also dangerous • EPT can help mitigate some of the problems – If you can configure it correctly, if it is available
-CONFIDENTIAL- COMPUTER PLATFORMS The insides
-CONFIDENTIAL- What is a computer? • A very complex device internally • The logical software architecture can be complex • Every modern computer system is also a complex high speed network of interconnecting hardware components using many communication protocols
-CONFIDENTIAL- Computer Platform (1) CPU HT HT HT Core Shared HT Core Shared UnCore Integrated Devices PEG DMI BUS MMU RAM PCIe Device PCIe Device PCIe Device
-CONFIDENTIAL- Computer platform (2) PCH
-CONFIDENTIAL- Device virtualization • XEN and KVM use a modified QEMU – No vulnerabilities there, right?
-CONFIDENTIAL- VT-d (IOMMU) • Used for virtualizing chipset components • DMA remapping – Paging for devices – Nested translations • Interrupt remapping – Allows directing interrupts coming from hardware There is a good paper that explains the need for it by Rafal Wojtczuk and Joanna Rutkowska: • Following the White Rabbit: Software attacks against Intel® VT-d technology • What about older systems where you don’t have VT-d?
-CONFIDENTIAL- Section summary • Computer hardware is complex! • Emulating necessary components is hard: – Multiple CVEs already found in ACPI and APIC virtualization as well as QEMU • VT-d helps virtualizing DMA and hardware interrupts – If used correctly
-CONFIDENTIAL- ATTACK VECTORS TAXONOMY Potential and practical ones
-CONFIDENTIAL- Basic Vectors • ISA Implementation – Emulating x86 isn’t easy… • Performance monitoring – Classic side channels – Real Time Instruction Tracing – new feature coming up • Old systems – New defenses were introduced with the latest HW • New features – Approach to new features (CPU/PCH) • Whitelist or Blacklist?
-CONFIDENTIAL- Address Space Attacks • IO Address Space – How many IO ports are there in x86? – What happens if we configure port overlaps? • MMIO Overlaps – As discussed during the presentation • Special memory ranges access and overlaps – What happens when a guest can access special ranges? • MSR address space – MSRs define system configuration and behavior
-CONFIDENTIAL- Privileged Software • Corrupted ACMs – ACMs run in a very high privilege, if you can compromise one… • CPU/PCH Firmware(s) – Compromise of the CPU or PCH firmware naturally allows an attacker to control any VM • BIOS & SMM – The BIOS is a common component of the platform and controls both configuration and SMM code
-CONFIDENTIAL- Other Interesting Vectors • Intentional misconfiguration – It is possible to misconfigure PCIe config space, MSRs or MMIO constants in order to create unexpected situations for the VMM • Server platforms (are fun!) – Platforms and CPUs for the server market have special features, all of those usually run in very high privilege • Errata – What if there is an Errata in the CPU/PCH behavior we rely on to emulate something - sucks, right? 
-CONFIDENTIAL- Bonus: Interesting Errata • The below Errata appears in the June 2013 revision for 2nd generation core CPUs • Sounds like an exploitable issue IF you can prevent reload of CR3 with 32bit value
-CONFIDENTIAL- Summary • Computer platforms are complex • There are several approaches to virtualizing HW, each with its own inherent weaknesses – Full hardware virtualization: slower and uses SW emulation, therefore prone to SW vulnerabilities – Direct hardware access: prone to malicious HW manipulations (micro-VMMs) • Better defenses are available only with new and sometimes also high end HW
-CONFIDENTIAL- THE END Contact me at: http://www.cyvera.com/contact
-CONFIDENTIAL- BACKUP
-CONFIDENTIAL- Useful tools and info for people interested in virtualization research • LOLA by Jeff Forristal (free) – Because a Python interface to the HW rocks! • 8 series PCH manuals • 2nd generation core Errata • Intel software developer manuals – Volume 3 contains most information about VT – Other volumes are also useful to understand what is emulated • Patience! – Hardware debugging, reading long technical manuals
-CONFIDENTIAL- How different virtualization SW works • VMware Player – Emulates 440BX motherboard (15 years old) – Monitors PCIe configuration, at least IO ports, to some degree but because of Win95 and Win3.1 compatibility, not security!
-CONFIDENTIAL- Disclaimer • All product logos and names used in this presentation are the property of their respective owners. I make no claim for ownership on those. I am merely using them as examples of such products

Recomendados

Virtualization Basics
Virtualization BasicsVirtualization Basics
Virtualization BasicsSrikantMishra12
 
Hypervisor Framework
Hypervisor FrameworkHypervisor Framework
Hypervisor FrameworkEdgar Barbosa
 
Hypervisors
HypervisorsHypervisors
HypervisorsSrikantMishra12
 
Hardware support for efficient virtualization
Hardware support for efficient virtualizationHardware support for efficient virtualization
Hardware support for efficient virtualizationLennox Wu
 
Hardware supports for Virtualization
Hardware supports for VirtualizationHardware supports for Virtualization
Hardware supports for VirtualizationYoonje Choi
 
Symm.63
Symm.63Symm.63
Symm.63weiguang sun
 
ACRN vMeet-Up EU 2021 - functional safety design and certification plan
ACRN vMeet-Up EU 2021 - functional safety design and certification planACRN vMeet-Up EU 2021 - functional safety design and certification plan
ACRN vMeet-Up EU 2021 - functional safety design and certification planProject ACRN
 
Bootkits step by-step-slides-final-v1-release
Bootkits step by-step-slides-final-v1-releaseBootkits step by-step-slides-final-v1-release
Bootkits step by-step-slides-final-v1-releaseEric Koeppen
 

Recomendados

Virtualization Basics
Virtualization BasicsVirtualization Basics
Virtualization BasicsSrikantMishra12
 
Hypervisor Framework
Hypervisor FrameworkHypervisor Framework
Hypervisor FrameworkEdgar Barbosa
 
Hypervisors
HypervisorsHypervisors
HypervisorsSrikantMishra12
 
Hardware support for efficient virtualization
Hardware support for efficient virtualizationHardware support for efficient virtualization
Hardware support for efficient virtualizationLennox Wu
 
Hardware supports for Virtualization
Hardware supports for VirtualizationHardware supports for Virtualization
Hardware supports for VirtualizationYoonje Choi
 
Symm.63
Symm.63Symm.63
Symm.63weiguang sun
 
ACRN vMeet-Up EU 2021 - functional safety design and certification plan
ACRN vMeet-Up EU 2021 - functional safety design and certification planACRN vMeet-Up EU 2021 - functional safety design and certification plan
ACRN vMeet-Up EU 2021 - functional safety design and certification planProject ACRN
 
Bootkits step by-step-slides-final-v1-release
Bootkits step by-step-slides-final-v1-releaseBootkits step by-step-slides-final-v1-release
Bootkits step by-step-slides-final-v1-releaseEric Koeppen
 
Project ACRN CSE Virtualization
Project ACRN CSE VirtualizationProject ACRN CSE Virtualization
Project ACRN CSE VirtualizationProject ACRN
 
Project ACRN configuration scenarios and config tool
Project ACRN configuration scenarios and config toolProject ACRN configuration scenarios and config tool
Project ACRN configuration scenarios and config toolProject ACRN
 
eMMC 5.0 Total IP Solution
eMMC 5.0 Total IP SolutioneMMC 5.0 Total IP Solution
eMMC 5.0 Total IP SolutionArasan Chip Systems
 
Remotely Attacking System Firmware
Remotely Attacking System FirmwareRemotely Attacking System Firmware
Remotely Attacking System FirmwarePriyanka Aash
 
Pico-ITX vs. Q7 & SMARC form factors
Pico-ITX vs. Q7 & SMARC form factorsPico-ITX vs. Q7 & SMARC form factors
Pico-ITX vs. Q7 & SMARC form factorsVIA Embedded
 
iWave Systems Techologies Pvt Ltd: Products-Hardware IPs
iWave Systems Techologies Pvt Ltd: Products-Hardware IPsiWave Systems Techologies Pvt Ltd: Products-Hardware IPs
iWave Systems Techologies Pvt Ltd: Products-Hardware IPsiWave Systems Technologies Pvt Ltd, Bangalore
 
Universal Flash Storage
Universal Flash StorageUniversal Flash Storage
Universal Flash StorageBhaumik Bhatt
 
Introduction to Embedded Systems
Introduction to Embedded SystemsIntroduction to Embedded Systems
Introduction to Embedded Systemsمحمد عبد الحى
 
Fast Boot Times with InsydeH2O
Fast Boot Times with InsydeH2OFast Boot Times with InsydeH2O
Fast Boot Times with InsydeH2Oinsydesoftware
 
Project ACRN hypervisor introduction
Project ACRN hypervisor introduction Project ACRN hypervisor introduction
Project ACRN hypervisor introduction Project ACRN
 
Implementing a UEFI BIOS into an Embedded System
Implementing a UEFI BIOS into an Embedded SystemImplementing a UEFI BIOS into an Embedded System
Implementing a UEFI BIOS into an Embedded Systeminsydesoftware
 
ACRN vMeet-Up EU 2021 - debug ACRN hypervisor
ACRN vMeet-Up EU 2021 - debug ACRN hypervisorACRN vMeet-Up EU 2021 - debug ACRN hypervisor
ACRN vMeet-Up EU 2021 - debug ACRN hypervisorProject ACRN
 
Useful USB Gadgets on Linux
Useful USB Gadgets on LinuxUseful USB Gadgets on Linux
Useful USB Gadgets on LinuxGary Bisson
 
LAS16-200: Firmware Summit - UEFI secure boot
LAS16-200: Firmware Summit - UEFI secure bootLAS16-200: Firmware Summit - UEFI secure boot
LAS16-200: Firmware Summit - UEFI secure bootLinaro
 
Routerfundaments gurwinder
Routerfundaments gurwinderRouterfundaments gurwinder
Routerfundaments gurwinderCYBERINTELLIGENTS
 
System configuration
System configurationSystem configuration
System configurationAyubu Churi
 
I2C Drivers
I2C DriversI2C Drivers
I2C DriversSysPlay eLearning Academy for You
 
Spi drivers
Spi driversSpi drivers
Spi driverspradeep_tewani
 
USB: Undermining Security Barriers
USB: Undermining Security BarriersUSB: Undermining Security Barriers
USB: Undermining Security BarriersNCC Group
 
System Client Details
System Client DetailsSystem Client Details
System Client DetailsSyAM Software
 
Virtualization in cloud
Virtualization in cloudVirtualization in cloud
Virtualization in cloudAshok Kumar
 
Xen revisited
Xen revisitedXen revisited
Xen revisitedShahbaz Sidhu
 

Mais conteúdo relacionado

Mais procurados

Project ACRN CSE Virtualization
Project ACRN CSE VirtualizationProject ACRN CSE Virtualization
Project ACRN CSE VirtualizationProject ACRN
 
Project ACRN configuration scenarios and config tool
Project ACRN configuration scenarios and config toolProject ACRN configuration scenarios and config tool
Project ACRN configuration scenarios and config toolProject ACRN
 
Remotely Attacking System Firmware
Remotely Attacking System FirmwareRemotely Attacking System Firmware
Remotely Attacking System FirmwarePriyanka Aash
 
Pico-ITX vs. Q7 & SMARC form factors
Pico-ITX vs. Q7 & SMARC form factorsPico-ITX vs. Q7 & SMARC form factors
Pico-ITX vs. Q7 & SMARC form factorsVIA Embedded
 
Universal Flash Storage
Universal Flash StorageUniversal Flash Storage
Universal Flash StorageBhaumik Bhatt
 
Fast Boot Times with InsydeH2O
Fast Boot Times with InsydeH2OFast Boot Times with InsydeH2O
Fast Boot Times with InsydeH2Oinsydesoftware
 
Project ACRN hypervisor introduction
Project ACRN hypervisor introduction Project ACRN hypervisor introduction
Project ACRN hypervisor introduction Project ACRN
 
Implementing a UEFI BIOS into an Embedded System
Implementing a UEFI BIOS into an Embedded SystemImplementing a UEFI BIOS into an Embedded System
Implementing a UEFI BIOS into an Embedded Systeminsydesoftware
 
ACRN vMeet-Up EU 2021 - debug ACRN hypervisor
ACRN vMeet-Up EU 2021 - debug ACRN hypervisorACRN vMeet-Up EU 2021 - debug ACRN hypervisor
ACRN vMeet-Up EU 2021 - debug ACRN hypervisorProject ACRN
 
Useful USB Gadgets on Linux
Useful USB Gadgets on LinuxUseful USB Gadgets on Linux
Useful USB Gadgets on LinuxGary Bisson
 
LAS16-200: Firmware Summit - UEFI secure boot
LAS16-200: Firmware Summit - UEFI secure bootLAS16-200: Firmware Summit - UEFI secure boot
LAS16-200: Firmware Summit - UEFI secure bootLinaro
 
System configuration
System configurationSystem configuration
System configurationAyubu Churi
 
USB: Undermining Security Barriers
USB: Undermining Security BarriersUSB: Undermining Security Barriers
USB: Undermining Security BarriersNCC Group
 
System Client Details
System Client DetailsSystem Client Details
System Client DetailsSyAM Software
 

Mais procurados (20)

Project ACRN CSE Virtualization
Project ACRN CSE VirtualizationProject ACRN CSE Virtualization
Project ACRN CSE Virtualization
 
Project ACRN configuration scenarios and config tool
Project ACRN configuration scenarios and config toolProject ACRN configuration scenarios and config tool
Project ACRN configuration scenarios and config tool
 
eMMC 5.0 Total IP Solution
eMMC 5.0 Total IP SolutioneMMC 5.0 Total IP Solution
eMMC 5.0 Total IP Solution
 
Remotely Attacking System Firmware
Remotely Attacking System FirmwareRemotely Attacking System Firmware
Remotely Attacking System Firmware
 
Pico-ITX vs. Q7 & SMARC form factors
Pico-ITX vs. Q7 & SMARC form factorsPico-ITX vs. Q7 & SMARC form factors
Pico-ITX vs. Q7 & SMARC form factors
 
iWave Systems Techologies Pvt Ltd: Products-Hardware IPs
iWave Systems Techologies Pvt Ltd: Products-Hardware IPsiWave Systems Techologies Pvt Ltd: Products-Hardware IPs
iWave Systems Techologies Pvt Ltd: Products-Hardware IPs
 
Universal Flash Storage
Universal Flash StorageUniversal Flash Storage
Universal Flash Storage
 
Introduction to Embedded Systems
Introduction to Embedded SystemsIntroduction to Embedded Systems
Introduction to Embedded Systems
 
Fast Boot Times with InsydeH2O
Fast Boot Times with InsydeH2OFast Boot Times with InsydeH2O
Fast Boot Times with InsydeH2O
 
Project ACRN hypervisor introduction
Project ACRN hypervisor introduction Project ACRN hypervisor introduction
Project ACRN hypervisor introduction
 
Implementing a UEFI BIOS into an Embedded System
Implementing a UEFI BIOS into an Embedded SystemImplementing a UEFI BIOS into an Embedded System
Implementing a UEFI BIOS into an Embedded System
 
ACRN vMeet-Up EU 2021 - debug ACRN hypervisor
ACRN vMeet-Up EU 2021 - debug ACRN hypervisorACRN vMeet-Up EU 2021 - debug ACRN hypervisor
ACRN vMeet-Up EU 2021 - debug ACRN hypervisor
 
Useful USB Gadgets on Linux
Useful USB Gadgets on LinuxUseful USB Gadgets on Linux
Useful USB Gadgets on Linux
 
LAS16-200: Firmware Summit - UEFI secure boot
LAS16-200: Firmware Summit - UEFI secure bootLAS16-200: Firmware Summit - UEFI secure boot
LAS16-200: Firmware Summit - UEFI secure boot
 
Routerfundaments gurwinder
Routerfundaments gurwinderRouterfundaments gurwinder
Routerfundaments gurwinder
 
System configuration
System configurationSystem configuration
System configuration
 
I2C Drivers
I2C DriversI2C Drivers
I2C Drivers
 
Spi drivers
Spi driversSpi drivers
Spi drivers
 
USB: Undermining Security Barriers
USB: Undermining Security BarriersUSB: Undermining Security Barriers
USB: Undermining Security Barriers
 
System Client Details
System Client DetailsSystem Client Details
System Client Details
 

Semelhante a Gal Diskin - Virtually Impossible

Virtualization in cloud
Virtualization in cloudVirtualization in cloud
Virtualization in cloudAshok Kumar
 
Presentation cloud computing workshop - virtualization
Presentation cloud computing workshop - virtualizationPresentation cloud computing workshop - virtualization
Presentation cloud computing workshop - virtualizationxKinAnx
 
Review of Hardware based solutions for trusted cloud computing.pptx
Review of Hardware based solutions for trusted cloud computing.pptxReview of Hardware based solutions for trusted cloud computing.pptx
Review of Hardware based solutions for trusted cloud computing.pptxssusere142fe
 
Sierraware ARM hypervisor
Sierraware ARM hypervisor Sierraware ARM hypervisor
Sierraware ARM hypervisor Sierraware
 
Breaking hardware enforced security with hypervisors
Breaking hardware enforced security with hypervisorsBreaking hardware enforced security with hypervisors
Breaking hardware enforced security with hypervisorsPriyanka Aash
 
5. IO virtualization
5. IO virtualization5. IO virtualization
5. IO virtualizationHwanju Kim
 
Introduction to Virtualization
Introduction to VirtualizationIntroduction to Virtualization
Introduction to VirtualizationMuhammadRizkyFaza
 
Secure initialization of Trusted Execution Environments: When Secure Boot fal...
Secure initialization of Trusted Execution Environments: When Secure Boot fal...Secure initialization of Trusted Execution Environments: When Secure Boot fal...
Secure initialization of Trusted Execution Environments: When Secure Boot fal...Riscure
 
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls shortEuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls shortCristofaro Mune
 
State of virtualisation -- 2012
State of virtualisation -- 2012State of virtualisation -- 2012
State of virtualisation -- 2012Jonathan Sinclair
 
CSF18 - GDPR - Sami Laiho
CSF18 - GDPR - Sami LaihoCSF18 - GDPR - Sami Laiho
CSF18 - GDPR - Sami LaihoNCCOMMS
 
PCI Pass-through - FreeBSD VM on Hyper-V (MeetBSD California 2016)
PCI Pass-through - FreeBSD VM on Hyper-V (MeetBSD California 2016)PCI Pass-through - FreeBSD VM on Hyper-V (MeetBSD California 2016)
PCI Pass-through - FreeBSD VM on Hyper-V (MeetBSD California 2016)iXsystems
 
virtualization(1).pptx
virtualization(1).pptxvirtualization(1).pptx
virtualization(1).pptxAkashRajBehera
 

Semelhante a Gal Diskin - Virtually Impossible (20)

Virtualization in cloud
Virtualization in cloudVirtualization in cloud
Virtualization in cloud
 
Xen revisited
Xen revisitedXen revisited
Xen revisited
 
Presentation cloud computing workshop - virtualization
Presentation cloud computing workshop - virtualizationPresentation cloud computing workshop - virtualization
Presentation cloud computing workshop - virtualization
 
virtual machine.ppt
virtual machine.pptvirtual machine.ppt
virtual machine.ppt
 
Review of Hardware based solutions for trusted cloud computing.pptx
Review of Hardware based solutions for trusted cloud computing.pptxReview of Hardware based solutions for trusted cloud computing.pptx
Review of Hardware based solutions for trusted cloud computing.pptx
 
Sierraware ARM hypervisor
Sierraware ARM hypervisor Sierraware ARM hypervisor
Sierraware ARM hypervisor
 
Breaking hardware enforced security with hypervisors
Breaking hardware enforced security with hypervisorsBreaking hardware enforced security with hypervisors
Breaking hardware enforced security with hypervisors
 
5. IO virtualization
5. IO virtualization5. IO virtualization
5. IO virtualization
 
Introduction to Virtualization
Introduction to VirtualizationIntroduction to Virtualization
Introduction to Virtualization
 
Secure initialization of Trusted Execution Environments: When Secure Boot fal...
Secure initialization of Trusted Execution Environments: When Secure Boot fal...Secure initialization of Trusted Execution Environments: When Secure Boot fal...
Secure initialization of Trusted Execution Environments: When Secure Boot fal...
 
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls shortEuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
 
Usenix Invited Talk
Usenix Invited TalkUsenix Invited Talk
Usenix Invited Talk
 
State of virtualisation -- 2012
State of virtualisation -- 2012State of virtualisation -- 2012
State of virtualisation -- 2012
 
Server virtualization
Server virtualizationServer virtualization
Server virtualization
 
CSF18 - GDPR - Sami Laiho
CSF18 - GDPR - Sami LaihoCSF18 - GDPR - Sami Laiho
CSF18 - GDPR - Sami Laiho
 
PCI Pass-through - FreeBSD VM on Hyper-V (MeetBSD California 2016)
PCI Pass-through - FreeBSD VM on Hyper-V (MeetBSD California 2016)PCI Pass-through - FreeBSD VM on Hyper-V (MeetBSD California 2016)
PCI Pass-through - FreeBSD VM on Hyper-V (MeetBSD California 2016)
 
virtualization(1).pptx
virtualization(1).pptxvirtualization(1).pptx
virtualization(1).pptx
 
virtualization.pptx
virtualization.pptxvirtualization.pptx
virtualization.pptx
 
Virtualization
VirtualizationVirtualization
Virtualization
 
BMCArmor: A Hardware Protection Scheme for Bare-metal Clouds
BMCArmor: A Hardware Protection Scheme for Bare-metal CloudsBMCArmor: A Hardware Protection Scheme for Bare-metal Clouds
BMCArmor: A Hardware Protection Scheme for Bare-metal Clouds
 

Mais de DefconRussia

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...DefconRussia
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...DefconRussia
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobindingDefconRussia
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/LinuxDefconRussia
 
Георгий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangГеоргий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangDefconRussia
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC DefconRussia
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneDefconRussia
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...DefconRussia
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринDefconRussia
 
Weakpass - defcon russia 23
Weakpass - defcon russia 23Weakpass - defcon russia 23
Weakpass - defcon russia 23DefconRussia
 
nosymbols - defcon russia 20
nosymbols - defcon russia 20nosymbols - defcon russia 20
nosymbols - defcon russia 20DefconRussia
 
static - defcon russia 20
static - defcon russia 20static - defcon russia 20
static - defcon russia 20DefconRussia
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20DefconRussia
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20DefconRussia
 
Nedospasov defcon russia 23
Nedospasov defcon russia 23Nedospasov defcon russia 23
Nedospasov defcon russia 23DefconRussia
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23DefconRussia
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23DefconRussia
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...DefconRussia
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхDefconRussia
 

Mais de DefconRussia (20)

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
 
Георгий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangГеоргий Зайцев - Reversing golang
Георгий Зайцев - Reversing golang
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacks
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей Тюрин
 
Weakpass - defcon russia 23
Weakpass - defcon russia 23Weakpass - defcon russia 23
Weakpass - defcon russia 23
 
nosymbols - defcon russia 20
nosymbols - defcon russia 20nosymbols - defcon russia 20
nosymbols - defcon russia 20
 
static - defcon russia 20
static - defcon russia 20static - defcon russia 20
static - defcon russia 20
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20
 
Nedospasov defcon russia 23
Nedospasov defcon russia 23Nedospasov defcon russia 23
Nedospasov defcon russia 23
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
 

Último

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 

Último (20)

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 

Gal Diskin - Virtually Impossible

  • 1. -CONFIDENTIAL- Virtually Impossible The Reality of Virtualization Security Gal Diskin / Chief Research Officer / Cyvera LTD.
  • 2. -CONFIDENTIAL- /WhoAmI ? • Chief Research Officer @ Cvyera LTD • Formerly Security Evaluation Architect of the Software & Services Group @ Intel® • Before that – Entrepreneur, Consultant, IDF • Always a security “enthusiast”  – Personal focus areas: • • • • DBI, Fuzzing & Automated exploitation Exploitation techniques & Mitigations Vehicles & Traffic systems Embedded systems
  • 3. -CONFIDENTIAL- ThankZ & GreetZ • My wife – For tolerating me doing security research • Everyone at Cyvera, special thanks to: – Harel Baris for help with the presentation design – Gal Badishi and Ariel Cohen for reviewing • All Intel security people – Especially my old team
  • 4. -CONFIDENTIAL- What I will talk about today Beyond why virtualization is virtually impossible to secure… • Hardware assisted virtualization • SW stacks and different virtualization approaches and related weaknesses • The complexity in memory management and related weaknesses • Computer platforms internals and related weaknesses • Finally, I will present a small taxonomy of attacks against virtualization • Special bonus – potential VM escape ;-)
  • 5. -CONFIDENTIAL- What is Virtualization? • In the context of this talk replacing the CPU and computer platform with a virtual environment • A bit of history: – Turing’s universal computing machine – Popek and Goldberg virtualization requirements
  • 6. -CONFIDENTIAL- Terminology • A Virtual Machine Manager (VMM) is the software virtualizing privileged instructions and hardware • A Virtual Machine (VM) is a software stack running under a VMM • A Guest OS is the operating system of a VM • A Host OS is the operating system controlling the VMM • Root operation is when you execute inside a VMM
  • 7. -CONFIDENTIAL- What is “secure” virtualization? Security Goals: – Prevent modification of VMM and host OS by guests – Prevent guest OS from modifying another guest – Prevent guest from subverting hardware or firmware* – Prevent guest from stealing data from other guest OS / host OS / VMM* – Prevent DOS by guest OS* or getting unfair share of resources relative to other guests* – Keep guest OS secure – don’t harm normal OS defenses* * Depending on the hypervisor design, might be a non-goal
  • 9. -CONFIDENTIAL- Software Stack Type 1 Hypervisor Process 1 Process 2 Process 3 Process 1 Process 2 Process 3 System Calls VM EXIT Guest Operating System 2 Guest Operating System 1 VM Exits / Entries VM Entry Virtual Machine Manager (Hypervisor / VMM) Instruction Set Hardware
  • 10. -CONFIDENTIAL- Software Stack Type 2 Hypervisor Process 1 Process 2 Process 3 Virtualized System Calls Guest Operating System VM Exits / Entries Process 1 Process 2 Process 3 VMM System Calls Host Operating System Instruction Set Hardware
  • 11. -CONFIDENTIAL- ISA emulation challenges • A VMM needs to emulate every instruction or event it registers on • A VMM must register to a certain set of instructions and x86 events known as the “fixed-1 exits” – e.g: CPUID, GETSEC, INVD, XSETBV and various VT ISA • ISA emulation challenges – Specification – Corner cases – Deciding if the guest has the right privilege from root operation is hard • Confused deputy situation…
  • 12. -CONFIDENTIAL- Software Stack SMM with VMM RSM #SMI Process 1 SMM Process 2 Process 3 Process 1 Process 2 Process 3 System Calls Guest OS 2 Guest OS 1 VM Exits / Entries Virtual Machine Manager (Hypervisor / VMM) Instruction Set Hardware
  • 13. -CONFIDENTIAL- Software Stack SMM Transfer Monitor (STM) Process 1 Process 2 Process 3 Process 1 Process 2 Process 3 SMM System Calls Guest OS 2 Guest OS 1 VM Exits / Entries STM Virtual Machine Manager (Hypervisor / VMM) Instruction Set Hardware
  • 14. -CONFIDENTIAL- Micro-VMMs Process 1 Process 2 Process 3 System Calls Guest Operating System VM Exits / Entries Micro VMM Instruction Set Hardware
  • 15. -CONFIDENTIAL- Section summary • There are many ways to use hardware virtualization technology: – Type I, Type II, Micro-VMMs, … • Each approach has its own unique challenges: – Full HW virtualization: Secure a big implementation of SW emulation for all HW – Para-virtualization: Secure the guest OS interface with the host OS – All implementations: Emulate ISA correctly and securely – Micro-VMMs: Defend from HW subversion • SMM is too privileged and where are the STMs?
  • 16. -CONFIDENTIAL- MEMORY Where did I put that instruction?
  • 17. -CONFIDENTIAL- Memory is simple, right? 0xFF…...FF 0x12345678 0xABABABAB 0x00……00
  • 18. Memory – Intel manual -CONFIDENTIAL-
  • 19. -CONFIDENTIAL- Memory – Address Translations Linear addressing DRAM System view Guest physical 0xFF…...FF 0x12345678 0xABABABAB Paging translation EPT translation MCH mappings 0x00……00 * MCH = Memory Control Hub (MMU) ** Segmentation adds another translation and the cache adds a whole new translation path
  • 20. -CONFIDENTIAL- Memory – point of view CPU MCH DRAM Devices CPU CPU CPU
  • 23. -CONFIDENTIAL- Cache! Sorry, out of scope for today– there is no end to it once you start discussing cache and security Suffice to say that it adds another translation layer and that it is complex and performance oriented performance Security
  • 24. -CONFIDENTIAL- Section summary • Memory is complex! • Attackers with access to MMIO or physical memory addresses can compromise anything on the system • Access to special address ranges is also dangerous • EPT can help mitigate some of the problems – If you can configure it correctly, if it is available
  • 26. -CONFIDENTIAL- What is a computer? • A very complex device internally • The logical software architecture can be complex • Every modern computer system is also a complex high speed network of interconnecting hardware components using many communication protocols
  • 27. -CONFIDENTIAL- Computer Platform (1) CPU HT HT HT Core Shared HT Core Shared UnCore Integrated Devices PEG DMI BUS MMU RAM PCIe Device PCIe Device PCIe Device
  • 29. -CONFIDENTIAL- Device virtualization • XEN and KVM use a modified QEMU – No vulnerabilities there, right?
  • 30. -CONFIDENTIAL- VT-d (IOMMU) • Used for virtualizing chipset components • DMA remapping – Paging for devices – Nested translations • Interrupt remapping – Allows directing interrupts coming from hardware There is a good paper that explains the need for it by Rafal Wojtczuk and Joanna Rutkowska: • Following the White Rabbit: Software attacks against Intel® VT-d technology • What about older systems where you don’t have VT-d?
  • 31. -CONFIDENTIAL- Section summary • Computer hardware is complex! • Emulating necessary components is hard: – Multiple CVEs already found in ACPI and APIC virtualization as well as QEMU • VT-d helps virtualizing DMA and hardware interrupts – If used correctly
  • 33. -CONFIDENTIAL- Basic Vectors • ISA Implementation – Emulating x86 isn’t easy… • Performance monitoring – Classic side channels – Real Time Instruction Tracing – new feature coming up • Old systems – New defenses were introduced with the latest HW • New features – Approach to new features (CPU/PCH) • Whitelist or Blacklist?
  • 34. -CONFIDENTIAL- Address Space Attacks • IO Address Space – How many IO ports are there in x86? – What happens if we configure port overlaps? • MMIO Overlaps – As discussed during the presentation • Special memory ranges access and overlaps – What happens when a guest can access special ranges? • MSR address space – MSRs define system configuration and behavior
  • 35. -CONFIDENTIAL- Privileged Software • Corrupted ACMs – ACMs run in a very high privilege, if you can compromise one… • CPU/PCH Firmware(s) – Compromise of the CPU or PCH firmware naturally allows an attacker to control any VM • BIOS & SMM – The BIOS is a common component of the platform and controls both configuration and SMM code
  • 36. -CONFIDENTIAL- Other Interesting Vectors • Intentional misconfiguration – It is possible to misconfigure PCIe config space, MSRs or MMIO constants in order to create unexpected situations for the VMM • Server platforms (are fun!) – Platforms and CPUs for the server market have special features, all of those usually run in very high privilege • Errata – What if there is an Errata in the CPU/PCH behavior we rely on to emulate something - sucks, right? 
  • 37. -CONFIDENTIAL- Bonus: Interesting Errata • The below Errata appears in the June 2013 revision for 2nd generation core CPUs • Sounds like an exploitable issue IF you can prevent reload of CR3 with 32bit value
  • 38. -CONFIDENTIAL- Summary • Computer platforms are complex • There are several approaches to virtualizing HW, each with its own inherent weaknesses – Full hardware virtualization: slower and uses SW emulation, therefore prone to SW vulnerabilities – Direct hardware access: prone to malicious HW manipulations (micro-VMMs) • Better defenses are available only with new and sometimes also high end HW
  • 39. -CONFIDENTIAL- THE END Contact me at: http://www.cyvera.com/contact
  • 41. -CONFIDENTIAL- Useful tools and info for people interested in virtualization research • LOLA by Jeff Forristal (free) – Because a Python interface to the HW rocks! • 8 series PCH manuals • 2nd generation core Errata • Intel software developer manuals – Volume 3 contains most information about VT – Other volumes are also useful to understand what is emulated • Patience! – Hardware debugging, reading long technical manuals
  • 42. -CONFIDENTIAL- How different virtualization SW works • VMware Player – Emulates 440BX motherboard (15 years old) – Monitors PCIe configuration, at least IO ports, to some degree but because of Win95 and Win3.1 compatibility, not security!
  • 43. -CONFIDENTIAL- Disclaimer • All product logos and names used in this presentation are the property of their respective owners. I make no claim for ownership on those. I am merely using them as examples of such products