Hypervisor security. Evgeny Yakovlev, DEFCON NN, 2017

Similar documents
Virtualization. ...or how adding another layer of abstraction is changing the world. CIS 399: Unix Skills University of Pennsylvania.

Module 1: Virtualization. Types of Interfaces

The Challenges of X86 Hardware Virtualization. GCC- Virtualization: Rajeev Wankar 36

Course Review. Hui Lu

Spring 2017 :: CSE 506. Introduction to. Virtual Machines. Nima Honarmand

CrashOS: Hypervisor testing tool

CSC 5930/9010 Cloud S & P: Virtualization

Virtualization. Pradipta De

Lecture 5: February 3

DOUG GOLDSTEIN STAR LAB XEN SUMMIT AUG 2016 ATTACK SURFACE REDUCTION

COMPUTER ARCHITECTURE. Virtualization and Memory Hierarchy

Virtual Machines. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

Virtualization. Starting Point: A Physical Machine. What is a Virtual Machine? Virtualization Properties. Types of Virtualization

Virtualization. ! Physical Hardware Processors, memory, chipset, I/O devices, etc. Resources often grossly underutilized

Chapter 5 C. Virtual machines

Virtual Machines. Part 2: starting 19 years ago. Operating Systems In Depth IX 1 Copyright 2018 Thomas W. Doeppner. All rights reserved.

Virtualization. Operating Systems, 2016, Meni Adler, Danny Hendler & Amnon Meisels

What is KVM? KVM patch. Modern hypervisors must do many things that are already done by OSs Scheduler, Memory management, I/O stacks

Nested Virtualization and Server Consolidation

Virtualization (II) SPD Course 17/03/2010 Massimo Coppola

Virtualization and Security

CHAPTER 16 - VIRTUAL MACHINES

Virtualization. Michael Tsai 2018/4/16

Secure Containers with EPT Isolation

CSE543 - Computer and Network Security Module: Virtualization

Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor?

Introduction Construction State of the Art. Virtualization. Bernhard Kauer OS Group TU Dresden Dresden,

Programmed I/O accesses: a threat to Virtual Machine Monitors?

CS 571 Operating Systems. Final Review. Angelos Stavrou, George Mason University

Securing your Virtualized Datacenter. Charu Chaubal Senior Architect, Technical Marketing 6 November, 2008

CS370 Operating Systems

The only open-source type-1 hypervisor

Knut Omang Ifi/Oracle 20 Oct, Introduction to virtualization (Virtual machines) Aspects of network virtualization:

CSE543 - Computer and Network Security Module: Virtualization

Virtualization and memory hierarchy

Virtualization Device Emulator Testing Technology. Speaker: Qinghao Tang Title 360 Marvel Team Leader

Virtual Machine Security

Introduction to Cloud Computing and Virtualization. Mayank Mishra Sujesha Sudevalayam PhD Students CSE, IIT Bombay

Meltdown and Spectre - understanding and mitigating the threats

Introduction to Qubes OS

Lecture 09: VMs and VCS head in the clouds

Virtualization History and Future Trends

Virtually Impossible

Micro VMMs and Nested Virtualization

Virtualization Security & Audit. John Tannahill, CA, CISM, CGEIT, CRISC

IBM Research Report. Docker and Container Security White Paper

CS 550 Operating Systems Spring Introduction to Virtual Machines

CS-580K/480K Advanced Topics in Cloud Computing. VM Virtualization II

Advanced Systems Security: Virtual Machine Systems

CSE543 - Computer and Network Security Module: Virtualization

Back To The Future: A Radical Insecure Design of KVM on ARM

Introduction to SGX (Software Guard Extensions) and SGX Virtualization. Kai Huang, Jun Nakajima (Speaker) July 12, 2017

Virtualization. Dr. Yingwu Zhu

Advanced Systems Security: Virtual Machine Systems

Qiang Li && Zhibin Hu/Qihoo 360 Gear Team Ruxcon 2016

W11 Hyper-V security. Jesper Krogh.


What is Cloud Computing? Cloud computing is the dynamic delivery of IT resources and capabilities as a Service over the Internet.

Privilege Escalation

Xen Project 4.4: Features and Futures. Russell Pavlicek Xen Project Evangelist Citrix Systems

SUSE An introduction...

Distributed Systems COMP 212. Lecture 18 Othon Michail

Multiprocessor Scheduling. Multiprocessor Scheduling

CS370: Operating Systems [Spring 2017] Dept. Of Computer Science, Colorado State University

Xen and the Art of Virtualization

Chapter 5 B. Large and Fast: Exploiting Memory Hierarchy

LINUX Virtualization. Running other code under LINUX

Cloud Computing Virtualization

Meltdown and Spectre - understanding and mitigating the threats (Part Deux)

Testing System Virtual Machines

EE 660: Computer Architecture Cloud Architecture: Virtualization

Virtual Machines Disco and Xen (Lecture 10, cs262a) Ion Stoica & Ali Ghodsi UC Berkeley February 26, 2018

An overview of virtual machine architecture

CSE 120 Principles of Operating Systems

CS 470 Spring Virtualization and Cloud Computing. Mike Lam, Professor. Content taken from the following:

Cloud and Datacenter Networking

COS 318: Operating Systems. Virtual Machine Monitors

Intel Graphics Virtualization on KVM. Aug KVM Forum 2011 Rev. 3

QEMU 2.0 and Beyond. CloudOpen Anthony Liguori

CHAPTER 16 - VIRTUAL MACHINES

Painless switch from proprietary hypervisor to QEMU/KVM. Denis V. Lunev


CIT 480: Securing Computer Systems. Operating System Concepts

CS 350 Winter 2011 Current Topics: Virtual Machines + Solid State Drives

Virtual Machines. To do. q VM over time q Implementation methods q Hardware features supporting VM q Next time: Midterm?

Virtualization Introduction

Virtualization Overview NSRC

CprE Virtualization. Dr. Yong Guan. Department of Electrical and Computer Engineering & Information Assurance Center Iowa State University

Linux and Xen. Andrea Sarro. andrea.sarro(at)quadrics.it. Linux Kernel Hacking Free Course IV Edition

Computer Architecture Background

CSE Memory Hierarchy Design Ch. 5 (Hennessy and Patterson)

Reducing CPU usage of a Toro Appliance

Virtual Machine Monitors!

OS Virtualization. Why Virtualize? Introduction. Virtualization Basics 12/10/2012. Motivation. Types of Virtualization.

Operating Systems 4/27/2015

The Architecture of Virtual Machines Lecture for the Embedded Systems Course CSD, University of Crete (April 29, 2014)

ECE 331 Hardware Organization and Design. UMass ECE Discussion 11 4/12/2018

Advanced Operating Systems (CS 202) Virtualization

Virtual Virtual Memory

Overview of System Virtualization: The most powerful platform for program analysis and system security. Zhiqiang Lin

Transcription:

Hypervisor security Evgeny Yakovlev, DEFCON NN, 2017

whoami Low-level development in C and C++ on x86 UEFI, virtualization, security Jetico, Kaspersky Lab QEMU/KVM developer at Virtuozzo 2

Agenda Why hypervisor security How hypervisors work Threat model & attack surface Virtualization bugs Questions 3

Why hypervisor security Virtualization is relied upon in many areas: Server and cloud Embedded and automotive Desktop security R&D 4

5

6

7

CVE statistics summary KVM has smallest code base Qemu is a device emulator - huge code base Both KVM and Xen rely on Qemu for device emulation 8

CVE statistics summary Microsoft HyperV has 0 reported CVEs VmWare ESXi has no reported VM escapes in 2016 9

CVE statistics summary 10

Computer system as an API CPUs (x86 ISA) Memory (segmentation, paging) I/O (MMIO, PIO) Networking protocols 11

Emulation and Virtualization Emulation Imitation of a different system, usually software Virtualization Partitioning same system into multiple virtual instances Both are implementation of a computer system API 12

Virtual memory, for example An early example of resource virtualization memory address space 13

Virtual systems Consolidation Flexibility Isolation 14

Hypervisor privileged role Drives virtualization hardware Executes in privileged CPU mode Manages VMs and platform resources. Emulates hardware requests Provide services to enlightened OS 15

Hypervisor privileged role 16

Hypervisor privileged role 17

Type-1 hypervisor Hypervisor runs on bare-metal Can be a very small code base.... but has to solve driver problem All OS kernels run in isolated environment and don t touch hardware Xen, Hyperv, VMWare ESX 18

Type-2 hypervisor Hypervisor is an OS component Host OS provides all drivers Huge trusted computing base. KVM, VirtualBox, VMWare workstation 19

Threat model Hypervisor is a privileged code base Hardware and firmware are usually trusted VMs should never be trusted by hypervisor VM may not trust hypervisor or other VMs 20

Type-1 vs Type-2 trust boundary 21

Type-1 root domain trust Type-1 often runs a special guest, a root domain More trusted than normal guest Runs OS kernel to drive host hardware Runs device (para-)virtualization stack Xen Dom0 22

Security threats Denial of service Privilege escalation (VM-local or VM-host) Information leak 23

Attack surface Hypercalls MMIO and device emulation Paravirtualization Side-channels 24

Hypercalls Hypercalls are services for hypervisor-aware guest: Virtual hardware and events Memory management Cross-VM communication Crash handling Security 25

Hypercalls Relatively small surface, can be fuzz-tested Usually available only in guest ring 0 Not a lot of issues, especially in HWVMs Be wary of double-fetch bugs 26

Double-fetch bugs http://tkeetch.co.uk/blog/?p=58 27

Device emulation Huge code base with bad track record Obscure CPU features and registers Complicated hardware with dodgy corner cases MMIO instruction decoding 28

Device emulation: vmexit 29

Device emulation: MMIO 30

Device emulation KVM MMIO emulation - 5k LoC, 50% KVM CVEs Most of Xen CVEs Most of qemu CVEs Google even decided to roll its own emulator 31

Device emulation: Dark Portal VGA VM escape: http://www.powerofcommunity.net/poc2016/wei.pdf Attacker controls VGA bank offset register Bank offset used as unbounded offset into array Attacker can read or write 32bit value anywhere 32

Paravirtualization Vmexit is a huge performance hit Hardware emulation using vmexits is slow Shared memory is fast Let s build virtual hardware protocol on shared memory! Virtio, VMBus, Xen 33

Paravirtualization Virtio-disk talks to guest driver through shared memory More performance But guest OS needs a specific driver Also some interesting security challenges 34

Paravirtualization Shared memory simplified device interface and implementation Ring buffers on shared memory vulnerable to double-fetch bugs Xenpwn: https://youtu.be/xob--niy_0m 35

Side-channels Not an attack on hypervisor itself Co-located VM information leaks Hardware optimizations (CPU caches, DRAM timings) Memory deduplication 36

Memory deduplication 37

Memory deduplication Turns out deduplicated memory has measurable access time delays Attacker VM can guess co-located memory contents CAIN: Silently Breaking ASLR in the Cloud https://www.usenix.org/node/191961 38

Caches and DRAM timings CPU cache optimizes memory access Evict and measure attacks Attacker VM evicts cache line Victim VM fetches it back Attacker VM measures evicted line access timing DRAM has an internal cache line too! 39

Caches and DRAM timings 40

Conclusion Hypervisors are getting more attention lately Device emulation is historically most vulnerable Paravirtualization is probably next big thing Co-localed leaks are very promising A lot of undiscovered problems in closed-source products 41

Thanks! Questions? insoreiges at gmail dot com https://github.com/warfish https://www.facebook.com/evgeny.yakovlev.5268 42

Motivations I m a developer and i build stuff I want my stuff to be secure Researchers make stuff more secure Let s share knowledge 43

44

Device emulation: XSA-190 http://xenbits.xen.org/xsa/advisory-190.html Xen 4.7.x and earlier does not properly honor CR0.TS and CR0.EM, which allows local x86 HVM guest OS users to read or modify FPU, MMX, or XMM register state information belonging to arbitrary tasks on the guest by modifying an instruction while the hypervisor is preparing to emulate it. 45

Conclusion Moving code to user space (KVM split-irq chip) Fuzzing entry points and devices Live patching 46

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback