CrashOS: Hypervisor testing tool

Similar documents
Hypervisor security. Evgeny Yakovlev, DEFCON NN, 2017

Virtualization. Pradipta De

Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor?

The Challenges of X86 Hardware Virtualization. GCC- Virtualization: Rajeev Wankar 36

Virtually Impossible

Virtualization Device Emulator Testing Technology. Speaker: Qinghao Tang Title 360 Marvel Team Leader

Virtual Machines. Part 2: starting 19 years ago. Operating Systems In Depth IX 1 Copyright 2018 Thomas W. Doeppner. All rights reserved.

Micro VMMs and Nested Virtualization

CSC 5930/9010 Cloud S & P: Virtualization

The only open-source type-1 hypervisor

Distributed Systems COMP 212. Lecture 18 Othon Michail

Virtualization. Starting Point: A Physical Machine. What is a Virtual Machine? Virtualization Properties. Types of Virtualization

Virtualization. ! Physical Hardware Processors, memory, chipset, I/O devices, etc. Resources often grossly underutilized

DOUG GOLDSTEIN STAR LAB XEN SUMMIT AUG 2016 ATTACK SURFACE REDUCTION

CIT 480: Securing Computer Systems. Operating System Concepts

Chapter 5 C. Virtual machines

Virtualization (II) SPD Course 17/03/2010 Massimo Coppola

Virtualization. ...or how adding another layer of abstraction is changing the world. CIS 399: Unix Skills University of Pennsylvania.

1 Virtualization Recap

Virtual Machine Security

24-vm.txt Mon Nov 21 22:13: Notes on Virtual Machines , Fall 2011 Carnegie Mellon University Randal E. Bryant.

A Hardware-Assisted Virtualization Based Approach on How to Protect the Kernel Space from Malicious Actions

Module 1: Virtualization. Types of Interfaces

Lecture 5: February 3

Virtual machine architecture and KVM analysis D 陳彥霖 B 郭宗倫

Spring 2017 :: CSE 506. Introduction to. Virtual Machines. Nima Honarmand

Virtual Machines. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

Virtual Virtual Memory

Hypervisors on ARM Overview and Design choices

Virtualization. Adam Belay


CprE Virtualization. Dr. Yong Guan. Department of Electrical and Computer Engineering & Information Assurance Center Iowa State University

System Virtual Machines

Testing System Virtual Machines

Introduction to Cloud Computing and Virtualization. Mayank Mishra Sujesha Sudevalayam PhD Students CSE, IIT Bombay

CS 550 Operating Systems Spring Introduction to Virtual Machines

Virtualization. Operating Systems, 2016, Meni Adler, Danny Hendler & Amnon Meisels

Virtualization. Virtualization

Advanced Operating Systems (CS 202) Virtualization

Overview of System Virtualization: The most powerful platform for program analysis and system security. Zhiqiang Lin

Xen is not just paravirtualization

AWS EC2 Virtualization: Introducing Nitro

Background. IBM sold expensive mainframes to large organizations. Monitor sits between one or more OSes and HW

Virtualization. Michael Tsai 2018/4/16

CSCI 8530 Advanced Operating Systems. Part 19 Virtualization

Lecture 7. Xen and the Art of Virtualization. Paul Braham, Boris Dragovic, Keir Fraser et al. 16 November, Advanced Operating Systems

Virtualisation: The KVM Way. Amit Shah

CIS 21 Final Study Guide. Final covers ch. 1-20, except for 17. Need to know:

System Virtual Machines

MultiNyx: A Multi-Level Abstraction Framework for Systematic Analysis of Hypervisors. Pedro Fonseca, Xi Wang, Arvind Krishnamurthy

W4118: virtual machines

Xen Project 4.4: Features and Futures. Russell Pavlicek Xen Project Evangelist Citrix Systems

Virtualisation on Mobile Devices {Hugo Marques, Nuno Conceição, Luis Pereira}

Nested Virtualization and Server Consolidation

Virtualization Introduction

for Kerrighed? February 1 st 2008 Kerrighed Summit, Paris Erich Focht NEC

Nested Virtualization Update From Intel. Xiantao Zhang, Eddie Dong Intel Corporation

CS 350 Winter 2011 Current Topics: Virtual Machines + Solid State Drives

CSE 120 Principles of Operating Systems

Chapter 5 B. Large and Fast: Exploiting Memory Hierarchy

Porting bhyve on ARM. Mihai Carabas, Peter Grehan BSDCan 2016 University of Ottawa Ottawa, Canada June 10 11, 2016

Monitoring Hypervisor Integrity at Runtime. Student: Cuong Pham PIs: Prof. Zbigniew Kalbarczyk, Prof. Ravi K. Iyer ACC Meeting, Oct 2015

Operating Systems 4/27/2015

Making Nested Virtualization Real by Using Hardware Virtualization Features

Dan Noé University of New Hampshire / VeloBit

What is KVM? KVM patch. Modern hypervisors must do many things that are already done by OSs Scheduler, Memory management, I/O stacks

Virtual Leverage: Server Consolidation in Open Source Environments. Margaret Lewis Commercial Software Strategist AMD

CS-580K/480K Advanced Topics in Cloud Computing. VM Virtualization II

Linux and Xen. Andrea Sarro. andrea.sarro(at)quadrics.it. Linux Kernel Hacking Free Course IV Edition

Advanced Systems Security: Virtual Machine Systems

LINUX Virtualization. Running other code under LINUX

CodeTickler: Automated Software Testing as a Service. Cris%an Zamfir, Vitaly Chipounov, George Candea

COMPUTER ARCHITECTURE. Virtualization and Memory Hierarchy


An overview of virtual machine architecture

Back To The Future: A Radical Insecure Design of KVM on ARM

COLORADO, USA; 2 Usov Aleksey Yevgenyevich - Technical Architect, RUSSIAN GOVT INSURANCE, MOSCOW; 3 Kropachev Artemii Vasilyevich Manager,

Xen and the Art of Virtualization. Nikola Gvozdiev Georgian Mihaila

CHAPTER 16 - VIRTUAL MACHINES

The Future of Virtualization

CS370 Operating Systems

Transplantation of VirtualBox to the NOVA microhypervisor. Norman Feske

Cloud Computing Virtualization

Oracle-Regular Oracle-Regular

Virtual Machine Monitors!

CS370 Operating Systems

Operating System Security

Knut Omang Ifi/Oracle 20 Oct, Introduction to virtualization (Virtual machines) Aspects of network virtualization:

CS370: Operating Systems [Spring 2017] Dept. Of Computer Science, Colorado State University

VIRTUALIZATION. Dresden, 2011/12/6. Julian Stecklina

Advanced Systems Security: Virtual Machine Systems

Virtualization and memory hierarchy

Dawn Song

Using MySQL in a Virtualized Environment. Scott Seighman Systems Engineer Sun Microsystems

[537] Virtual Machines. Tyler Harter

Zdeněk Kubala Senior QA

Qemu code fault automatic discovery with symbolic search. Paul Marinescu, Cristian Cadar, Chunjie Zhu, Philippe Gabriel

Virtual Machine Monitors (VMMs) are a hot topic in

CSE543 - Computer and Network Security Module: Virtualization

Secure Containers with EPT Isolation

Transcription:

ISSRE 2017 Anaïs GANTET - Airbus Digital Security October 2017

Outline 1 Why CrashOS? 2 CrashOS presentation 3 Vulnerability research and results October 2017 2 ISSRE

Outline 1 Why CrashOS? 2 CrashOS presentation 3 Vulnerability research and results October 2017 3 ISSRE

Project context Goal Scope Test the robustness of virtualization solutions Targeted architecture: Intel x86 Initial targeted software: Ramooflax (https://github.com/airbus-seclab/ramooflax) Other targeted software: VMware, Xen, etc. October 2017 4 ISSRE

Virtualization in a nutshell Aim: allow several Operating Systems (OS) to share hardware resources October 2017 5 ISSRE

Virtualization in a nutshell Aim: allow several Operating Systems (OS) to share hardware resources October 2017 5 ISSRE

Hypervisor role To provide an equivalent environment to a physical machine Processor virtualization Let directly execute non-sensitive instructions Trap and virtualize sensitive instructions Memory access virtualization Device virtualization Hypervisors are Complex programs Operating at low level October 2017 6 ISSRE

Security issues Without virtualization: physical isolation With virtualization: software isolation (implemented by hypervisors) October 2017 7 ISSRE

Security issues Without virtualization: physical isolation With virtualization: software isolation (implemented by hypervisors) Problem Are hypervisors reliable? October 2017 7 ISSRE

Our approach Behaviour analysis Build a testing VM Imagine tests involving the hypervisor Be aware of known hypervisor weak points (CVE) Instruction disassembly Sensitive instruction emulation Unusual CPU configuration Device virtualization etc. Launch them and observe hypervisor behaviour October 2017 8 ISSRE

Outline 1 Why CrashOS? 2 CrashOS presentation 3 Vulnerability research and results October 2017 9 ISSRE

Our way to build a malicious VM Potential candidates? Windows, Linux: only partial control of hardware communication Simple Operating System, OSv, etc.: not appropriate for vulnerability research VESPA: Only part targeting device virtualization is published October 2017 10 ISSRE

Our way to build a malicious VM Potential candidates? Windows, Linux: only partial control of hardware communication Simple Operating System, OSv, etc.: not appropriate for vulnerability research VESPA: Only part targeting device virtualization is published Our choice: develop our own OS dedicated to test hypervisors October 2017 10 ISSRE

October 2017 11 ISSRE

How does CrashOS work? October 2017 12 ISSRE

CrashOS test format Init function Save the current machine state Define the desired context Test function Execute instruction Print adapted logs Restore function Reinit the saved machine state October 2017 13 ISSRE

CrashOS: Core and libraries System features Physical memory access Memory protection mechanisms Interrupt handling Device communication Paravirtualization support Example: October 2017 14 ISSRE

CrashOS: Core and libraries System features Physical memory access Memory protection mechanisms Interrupt handling Device communication Paravirtualization support Example: Other interesting features Printing logs on the screen Printing logs on the serial port October 2017 14 ISSRE

Outline 1 Why CrashOS? 2 CrashOS presentation 3 Vulnerability research and results October 2017 15 ISSRE

Attack approach Prerequisites Advanced understanding of Intel processor mechanisms Good knowledge of hypervisor role Elaboration of relevant tests Not only fuzz all instructions Always involve a specific hypervisor handling Sensitive instructions Memory management Device emulation etc. October 2017 16 ISSRE

A first example: write a big buffer on serial port COM 1 October 2017 17 ISSRE

A first example: write a big buffer on serial port COM 1 October 2017 17 ISSRE

A first example: write a big buffer on serial port COM 1 Buffer overflow and memory corruption of Ramooflax data (including VMCS) October 2017 18 ISSRE

A first example: write a big buffer on serial port COM 1 Buffer overflow in Ramooflax causes a VMware crash October 2017 19 ISSRE

A second example: Privilege changing (FAR JMP) Our test case Launch FAR JMP from high level to low level (not allowed - segmentation fault must occur) What is FAR JMP instruction? Changes the current execution context to a new one Can modify the current privilege level Why to test this instruction? FAR JMP success: only if parameters meet about 20 conditions Sensitive instruction, intercepted and handled by hypervisors Test based on CVE-2014-8595 - Xen HVM October 2017 20 ISSRE

A second example: Privilege changing (FAR JMP) Xen (HVM): October 2017 21 ISSRE

A second example: Privilege changing (FAR JMP) VMware: October 2017 22 ISSRE

CrashOS: Some test cases October 2017 23 ISSRE

Results and discussions Vmware: Monitor panic VERIFY Monitor panic NOT_IMPLEMENTED Monitor panic NOT_REACHED Monitor panic EPT Misconfiguration Contact: VMware Security Response Center Xen Bad emulation of far jmp and far call instructions reported Ongoing to be fixed (https: //lists.xenproject.org/archives/html/xen-devel/2017-09/msg03701.html) Ramooflax All bugs fixed October 2017 24 ISSRE

Conclusion and future outlook CrashOS today Opensource Configurable minimal OS Simplified framework to write attacks on hypervisors First results on VMware, Xen and Ramooflax Future outlook Elaborate new tests Implement new CrashOS features (64 bit support, nested virtualization, etc.) Test other hypervisors (Xen PV, KVM, Virtualbox, etc.) October 2017 25 ISSRE

Thanks for your attention Questions? https://github.com/airbus-seclab/crashos French paper: https://www.sstic.org/media/sstic2017/sstic-actes/crashos/ SSTIC2017-Article-crashos-gantet.pdf anais.gantet@airbus.com October 2017 26 ISSRE

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback