Virtually Impossible

Similar documents
Intel Virtualization Technology Roadmap and VT-d Support in Xen

Micro VMMs and Nested Virtualization

Hardware Involved Software Attacks


An Introduction to Platform Security

Intel Graphics Virtualization on KVM. Aug KVM Forum 2011 Rev. 3

Virtualization. Pradipta De


Virtualization. Adam Belay

Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor?

Virtualization Device Emulator Testing Technology. Speaker: Qinghao Tang Title 360 Marvel Team Leader

DOUG GOLDSTEIN STAR LAB XEN SUMMIT AUG 2016 ATTACK SURFACE REDUCTION

Hypervisor security. Evgeny Yakovlev, DEFCON NN, 2017

Virtualization. Starting Point: A Physical Machine. What is a Virtual Machine? Virtualization Properties. Types of Virtualization

Virtualization. ! Physical Hardware Processors, memory, chipset, I/O devices, etc. Resources often grossly underutilized

I/O virtualization. Jiang, Yunhong Yang, Xiaowei Software and Service Group 2009 虚拟化技术全国高校师资研讨班

Nested Virtualization and Server Consolidation

Virtualization. Operating Systems, 2016, Meni Adler, Danny Hendler & Amnon Meisels

CrashOS: Hypervisor testing tool

Knut Omang Ifi/Oracle 20 Oct, Introduction to virtualization (Virtual machines) Aspects of network virtualization:

STM/PE & XHIM. Eugene D. Myers Trust Mechanisms Information Assurance Research NSA/CSS Research Directorate May 24, 2018

Nested Virtualization Update From Intel. Xiantao Zhang, Eddie Dong Intel Corporation

Knut Omang Ifi/Oracle 6 Nov, 2017

AMD SEV Update Linux Security Summit David Kaplan, Security Architect

CSE 120 Principles of Operating Systems

Introduction to Virtual Machines. Carl Waldspurger (SB SM 89 PhD 95) VMware R&D

Spring 2017 :: CSE 506. Introduction to. Virtual Machines. Nima Honarmand

Scotch: Combining Software Guard Extensions and System Management Mode to Monitor Cloud Resource Usage

The Challenges of X86 Hardware Virtualization. GCC- Virtualization: Rajeev Wankar 36

Secure Containers with EPT Isolation

I Don't Want to Sleep Tonight:

The Architecture of Virtual Machines Lecture for the Embedded Systems Course CSD, University of Crete (April 29, 2014)

Past, Present, and Future Justin Johnson Senior Principal Firmware Engineer

24-vm.txt Mon Nov 21 22:13: Notes on Virtual Machines , Fall 2011 Carnegie Mellon University Randal E. Bryant.

Speculative Execution Side Channel Mitigations

Making Nested Virtualization Real by Using Hardware Virtualization Features

Virtual Machine Monitors (VMMs) are a hot topic in

AMD Pacifica Virtualization Technology

CS 550 Operating Systems Spring Introduction to Virtual Machines

COSC6376 Cloud Computing Lecture 14: CPU and I/O Virtualization

Programmed I/O accesses: a threat to Virtual Machine Monitors?

SR-IOV support in Xen. Yaozu (Eddie) Dong Yunhong Jiang Kun (Kevin) Tian

KVM CPU MODEL IN SYSCALL EMULATION MODE ALEXANDRU DUTU, JOHN SLICE JUNE 14, 2015

Introduction to SGX (Software Guard Extensions) and SGX Virtualization. Kai Huang, Jun Nakajima (Speaker) July 12, 2017

Operating system hardening

On the DMA Mapping Problem in Direct Device Assignment

Chapter 5 C. Virtual machines

SecVisor: A Tiny Hypervisor for Lifetime Kernel Code Integrity

Optimizing and Enhancing VM for the Cloud Computing Era. 20 November 2009 Jun Nakajima, Sheng Yang, and Eddie Dong

Virtual Virtual Memory

Pacifica Next Generation Architecture for Efficient Virtual Machines

CprE Virtualization. Dr. Yong Guan. Department of Electrical and Computer Engineering & Information Assurance Center Iowa State University

Lecture 5. KVM for ARM. Christoffer Dall and Jason Nieh. 5 November, Operating Systems Practical. OSP Lecture 5, KVM for ARM 1/42

Virtual Machines. Part 2: starting 19 years ago. Operating Systems In Depth IX 1 Copyright 2018 Thomas W. Doeppner. All rights reserved.

Virtualization. Dr. Yingwu Zhu

What is KVM? KVM patch. Modern hypervisors must do many things that are already done by OSs Scheduler, Memory management, I/O stacks

Runtime VM Protection By Intel Multi-Key Total Memory Encryption (MKTME)

Virtualization History and Future Trends

MultiNyx: A Multi-Level Abstraction Framework for Systematic Analysis of Hypervisors. Pedro Fonseca, Xi Wang, Arvind Krishnamurthy

COMPUTER ARCHITECTURE. Virtualization and Memory Hierarchy

CS370: Operating Systems [Spring 2017] Dept. Of Computer Science, Colorado State University

OS Virtualization. Why Virtualize? Introduction. Virtualization Basics 12/10/2012. Motivation. Types of Virtualization.

Attacking and Defending the Platform

Virtualization. Application Application Application. MCSN - N. Tonellotto - Distributed Enabling Platforms OPERATING SYSTEM OPERATING SYSTEM

Live Demo: A New Hardware- Based Approach to Secure the Internet of Things

VT-d Posted Interrupts. Feng Wu, Jun Nakajima <Speaker> Intel Corporation

Introduction Construction State of the Art. Virtualization. Bernhard Kauer OS Group TU Dresden Dresden,

CHAPTER 16 - VIRTUAL MACHINES

[537] Virtual Machines. Tyler Harter

HW isolation for automotive environment BoF

Virtualization (II) SPD Course 17/03/2010 Massimo Coppola

Module 1: Virtualization. Types of Interfaces

CIT 480: Securing Computer Systems. Operating System Concepts

CSE543 - Computer and Network Security Module: Virtualization

CSE543 - Computer and Network Security Module: Virtualization

1 Virtualization Recap

Introduction to Cloud Computing and Virtualization. Mayank Mishra Sujesha Sudevalayam PhD Students CSE, IIT Bombay

Intel SGX Virtualization

PROTECTING VM REGISTER STATE WITH AMD SEV-ES DAVID KAPLAN LSS 2017

Overview of System Virtualization: The most powerful platform for program analysis and system security. Zhiqiang Lin

Performance Aspects of x86 Virtualization

Virtualization and memory hierarchy

ECE 331 Hardware Organization and Design. UMass ECE Discussion 11 4/12/2018

Introduction to Qubes OS

Virtual Machine Security

Development of I/O Pass-through: Current Status & the Future. Nov 21, 2008 Yuji Shimada NEC System Technologies, Ltd.

Virtualization. Virtualization

Intel Virtualization Technology for Directed I/O

W11 Hyper-V security. Jesper Krogh.

Testing System Virtual Machines

CS-580K/480K Advanced Topics in Cloud Computing. VM Virtualization II

Virtual Machines. To do. q VM over time q Implementation methods q Hardware features supporting VM q Next time: Midterm?

64-bit ARM Unikernels on ukvm

Hardware assisted Virtualization in Embedded

Intel Virtualization Technology for Directed I/O

Spring 2017 :: CSE 506. Device Programming. Nima Honarmand

COLORADO, USA; 2 Usov Aleksey Yevgenyevich - Technical Architect, RUSSIAN GOVT INSURANCE, MOSCOW; 3 Kropachev Artemii Vasilyevich Manager,

W H I T E P A P E R. Virtual Machine Monitor Execution Modes in VMware vsphere 4.0

A Hardware-Assisted Virtualization Based Approach on How to Protect the Kernel Space from Malicious Actions

System Simulator for x86

Transcription:

Virtually Impossible The Reality of Virtualization Security Gal Diskin / Chief Research Officer / Cyvera LTD.

/WhoAmI? Chief Research Officer @ Cvyera LTD Formerly Security Evaluation Architect of the Software & Services Group @ Intel Before that Entrepreneur, Consultant, IDF Always a security enthusiast Personal focus areas: DBI, Fuzzing & Automated exploitation Exploitation techniques & Mitigations Vehicles & Traffic systems Embedded systems

ThankZ & GreetZ My wife For tolerating me doing security research Everyone at Cyvera, special thanks to: Harel Baris for help with the presentation design Gal Badishi and Ariel Cohen for reviewing All Intel security people Especially my old team

What I will talk about today Beyond why virtualization is virtually impossible to secure Hardware assisted virtualization SW stacks and different virtualization approaches and related weaknesses The complexity in memory management and related weaknesses Computer platforms internals and related weaknesses Finally, I will present a small taxonomy of attacks against virtualization Special bonus potential VM escape ;-)

What is Virtualization? In the context of this talk replacing the CPU and computer platform with a virtual environment A bit of history: Turing s universal computing machine Popek and Goldberg virtualization requirements

Terminology A Virtual Machine Manager (VMM) is the software virtualizing privileged instructions and hardware A Virtual Machine (VM) is a software stack running under a VMM A Guest OS is the operating system of a VM A Host OS is the operating system controlling the VMM Root operation is when you execute inside a VMM

What is secure virtualization? Security Goals: Prevent modification of VMM and host OS by guests Prevent guest OS from modifying another guest Prevent guest from subverting hardware or firmware* Prevent guest from stealing data from other guest OS / host OS / VMM* Prevent DOS by guest OS* or getting unfair share of resources relative to other guests* Keep guest OS secure don t harm normal OS defenses* * Depending on the hypervisor design, might be a non-goal

SOFTWARE STACKS Piling different pieces of software

Software Stack Type 1 Hypervisor - C O N F I D E N T I A L - Process 1 Process 2 Process 3 Process 1 Process 2 Process 3 VM EXIT VM Entry Guest Operating System 2 Guest Operating System 1 Virtual Machine Manager (Hypervisor / VMM) Hardware System Calls VM Exits / Entries Instruction Set

Software Stack Type 2 Hypervisor - C O N F I D E N T I A L - Process 1 Process 2 Process 3 Process 1 Process 2 Process 3 Host Operating System Guest Operating System VMM Virtualized System Calls VM Exits / Entries System Calls Instruction Set Hardware

ISA emulation challenges A VMM needs to emulate every instruction or event it registers on A VMM must register to a certain set of instructions and x86 events known as the fixed-1 exits e.g: CPUID, GETSEC, INVD, XSETBV and various VT ISA ISA emulation challenges Specification Corner cases Deciding if the guest has the right privilege from root operation is hard Confused deputy situation

Software Stack SMM with VMM RSM #SMI Process 1 Process 2 Process 3 Process 1 Process 2 Process 3 SMM Guest OS 2 Guest OS 1 Virtual Machine Manager (Hypervisor / VMM) Hardware System Calls VM Exits / Entries Instruction Set

Software Stack - C O N F I D E N T I A L - SMM Transfer Monitor (STM) SMM STM Process 1 Process 2 Guest OS 2 Process 3 Hardware Process 1 Process 2 Guest OS 1 Process 3 Virtual Machine Manager (Hypervisor / VMM) System Calls VM Exits / Entries Instruction Set

Micro-VMMs Process 1 Process 2 Process 3 Guest Operating System Micro VMM System Calls VM Exits / Entries Instruction Set Hardware

Section summary There are many ways to use hardware virtualization technology: Type I, Type II, Micro-VMMs, Each approach has its own unique challenges: Full HW virtualization: Secure a big implementation of SW emulation for all HW Para-virtualization: Secure the guest OS interface with the host OS All implementations: Emulate ISA correctly and securely Micro-VMMs: Defend from HW subversion SMM is too privileged and where are the STMs?

MEMORY Where did I put that instruction?

Memory is simple, right? 0xFF...FF 0x12345678 0xABABABAB 0x00 00

Memory Intel manual

Memory Address Translations Linear addressing Guest physical System view DRAM 0xFF...FF 0x12345678 0xABABABAB Paging translation EPT translation MCH mappings * MCH = Memory Control Hub (MMU) ** Segmentation adds another translation and the cache adds a whole new translation path 0x00 00

Memory point of view CPU MCH DRAM Devices CPU CPU CPU

Memory MMIO - C O N F I D E N T I A L -

Special address ranges

Cache! Sorry, out of scope for today there is no end to it once you start discussing cache and security Suffice to say that it adds another translation layer and that it is complex and performance oriented performance Security

Section summary Memory is complex! Attackers with access to MMIO or physical memory addresses can compromise anything on the system Access to special address ranges is also dangerous EPT can help mitigate some of the problems If you can configure it correctly, if it is available

COMPUTER PLATFORMS The insides

What is a computer? A very complex device internally The logical software architecture can be complex Every modern computer system is also a complex high speed network of interconnecting hardware components using many communication protocols

Computer Platform (1) CPU HT HT Core Shared HT HT Core Shared PEG UnCore Integrated Devices DMI BUS MMU PCIe Device PCIe Device PCIe Device RAM

Computer platform (2) PCH

Device virtualization XEN and KVM use a modified QEMU No vulnerabilities there, right?

VT-d (IOMMU) Used for virtualizing chipset components DMA remapping Paging for devices Nested translations Interrupt remapping Allows directing interrupts coming from hardware There is a good paper that explains the need for it by Rafal Wojtczuk and Joanna Rutkowska: Following the White Rabbit: Software attacks against Intel VT-d technology What about older systems where you don t have VT-d?

Section summary Computer hardware is complex! Emulating necessary components is hard: Multiple CVEs already found in ACPI and APIC virtualization as well as QEMU VT-d helps virtualizing DMA and hardware interrupts If used correctly

ATTACK VECTORS TAXONOMY Potential and practical ones

Basic Vectors ISA Implementation Emulating x86 isn t easy Performance monitoring Classic side channels Real Time Instruction Tracing new feature coming up Old systems New defenses were introduced with the latest HW New features Approach to new features (CPU/PCH) Whitelist or Blacklist?

Address Space Attacks IO Address Space How many IO ports are there in x86? What happens if we configure port overlaps? MMIO Overlaps As discussed during the presentation Special memory ranges access and overlaps What happens when a guest can access special ranges? MSR address space MSRs define system configuration and behavior

Privileged Software Corrupted ACMs ACMs run in a very high privilege, if you can compromise one CPU/PCH Firmware(s) Compromise of the CPU or PCH firmware naturally allows an attacker to control any VM BIOS & SMM The BIOS is a common component of the platform and controls both configuration and SMM code

Other Interesting Vectors Intentional misconfiguration It is possible to misconfigure PCIe config space, MSRs or MMIO constants in order to create unexpected situations for the VMM Server platforms (are fun!) Platforms and CPUs for the server market have special features, all of those usually run in very high privilege Errata What if there is an Errata in the CPU/PCH behavior we rely on to emulate something - sucks, right?

Bonus: Interesting Errata The below Errata appears in the June 2013 revision for 2 nd generation core CPUs Sounds like an exploitable issue IF you can prevent reload of CR3 with 32bit value

Summary Computer platforms are complex There are several approaches to virtualizing HW, each with its own inherent weaknesses Full hardware virtualization: slower and uses SW emulation, therefore prone to SW vulnerabilities Direct hardware access: prone to malicious HW manipulations (micro-vmms) Better defenses are available only with new and sometimes also high end HW

THE END Contact me at: http://www.cyvera.com/contact

BACKUP

Useful tools and info for people interested in virtualization research LOLA by Jeff Forristal (free) Because a Python interface to the HW rocks! 8 series PCH manuals 2 nd generation core Errata Intel software developer manuals Volume 3 contains most information about VT Other volumes are also useful to understand what is emulated Patience! Hardware debugging, reading long technical manuals

How different virtualization SW works VMware Player Emulates 440BX motherboard (15 years old) Monitors PCIe configuration, at least IO ports, to some degree but because of Win95 and Win3.1 compatibility, not security!

Disclaimer All product logos and names used in this presentation are the property of their respective owners. I make no claim for ownership on those. I am merely using them as examples of such products

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback