2014.08.30 virtual machine threat 세미나
DESCRIPTION
Threats around virtual machineTRANSCRIPT
system utilization
management costconsolidation
isolationtrusted environment resource aggregation
GRID system
MPP (Massively Parallel Processing)resource access control
mobility
emulation
1960 1970 1999 2006 현재
CP-40, IBM, Cambridge Scientific Cen-terfull virtualization
System/370, IBM
x86 virtualization, VMWare
application virtualization (application streaming)
x86,x64, ARM, …Storage,Network…VMWare, Virtual Box, Xen……OpenStack, CloudStack,……Amazon, Google…
Shared Device
Memory and I/OVirtualization
VMM
CPU CPU MEMORY
Physical H/W Control
Guest OS Guest OS
physical h/w
virtualized h/w
VMM must …- support same hardware interface- can control guest OS when accessing H/W resources.
mov eaxmov ebx…
Types of operation…
Direct Execution
eflagscontrol registersMSRprivileged instructions
????
Full Virtualization- No OS modification- Emulating, Binary translation, Trace
cache,…- VMware ESX server- QEMU
Para Virtualization- Need OS modification- Hypercall- Xen- Bochs
Hardware Assisted Virtualization
Virtualize…
CPU - AMD-V , VT-xIOMMU- AMD-Vi, VT-dNetwork- VT-c
VMX operation
VMX root operation
VMX non-root operation
Hardware Assisted Virtualization
Trap based development for Virtual-Machine- handle_cupid_instruction()- handle_mov_crX()- handle_read_msr()- handle_write_msr()- …
HW based Hypervisor programming = VMEXIT handler programming
VMX (Intel Virtual Machine Extension)
VMXON
VMCLEAR
VMPTRLD
VMWRITE
VMLAUNCH
GUEST Exit
VMREAD
VMRESUME
VMXOFF
VMX – new instructions, new data structureVMXON Region- created per logical processor- used by VMX instructions
VMCS Region- created per virtual CPU for guest OS- used by CPU and VMM
- 4Kb aligned- PHYSICAL_ADDRESS == typedef
LARGE_INTEGER- …
VMM (Virtual Machine Monitor) programming summary
check VMX support allocate VMXON region execute VMXON
allocate VMCS regionexecute VMCLEARexecute VMPTRLD
initialize VMCS data
host-state area fields
VM-exit control fields
VM-entry control fields
VM-execution control fields
guest-state area fields
execute VMLAUNCH handling various VM-exits
VMCS data organization
#1 Guest state fields- saved on VM exits, loaded on VM en-
tries
#2 Host state fields- loaded on VM exits
#3 Execution control fields- control VMX-non root operations
#4 Exit control fields- control VM exits
#5 Entry control fields- control VM entries
#6 VM Exit info- saved VM exits information on VM ex-
its
pin-based controls
processor-based controls
exception-bitmap address
I/O bitmap address
Timestamp counter offset
CR0/CR4 guest/host masks
CR3 targets
MSR bitmaps
Accessing VMCS data
VMWRITE
VMREADvirtual address / physical address
READ
virtual address / physical addressWRITE
Accessing VMCS data
Initialize VMM and Run VMM
Handling VM exits
#6 VM Exit info
Handling VM exits
Virtual Machine Threat
Attacks on Binary TranslatorCVE-2009-1542 - VirtualPC instruction decoding
• wbinvd (write back and invalidate cache), clts (clear task-switched flag in cr0)CVE-2008-4915 - VMware, Trap Flag Set by IRET Not Cleared for CCh InstructionCVE-2009-2267 - VMware Mishandled Exception on Page Faults…
Attacks on Para-virtualizationCVE-2008-4279 - VMware, Interrupt Can Occur at NonCanonical RIP After Indirect JumpCVE-2012-0217 - Advanced Exploitation of Xen Hypervisor Sysret VM Escape Vulnerability ( http://www.vupen.com/blog/20120904.Advanced_Exploitation_of_Xen_Sysret_VM_Escape_CVE-2012-0217.php )
…
Attacks on Device Emulation / AccelerationCVE-2012-0217 ( http://www.vupen.com/blog/20120904.Advanced_Exploitation_of_Xen_Sysret_VM_Escape_CVE-2012-0217.php )
CVE-2009-3827 - Virtual PC VMExit Event Confusion• exit reason MOV_CR, MOV_DR• MOV_CR : check guest cpl == 0• MOV_DR : !!• ring3 에서 DR 레지스터를 조작가능 !? DoS ?!
CVE-2009-3722 - KVM VMExit Event Confusion• CVE-2009-3827 와 동일한 버그
Attacks on HVM
더 자세한 내용은 http://www.cr0.org/paper/jt-to-virtualisation_security.pdf 를 참고하세요 .
VM Detection
너무 많다 !
HVM base rootkit
최초의 가상머신 기반 루트킷 ( http://www.invisiblethingslab.com/resources/bh07/IsGameOver.pdf )
HVM base rootkit – keylogger
PS/2Keyboard Con-
troller
KeyboardMouse
CPU
Port 0x64
Port 0x60
CPU 가상화
HVM rootkit• CPU 의 특권 명령을 가로챔 (e.g. IN, OUT)• PORT I/O 를 OS 보다 먼저 하드웨어 레벨에서 처리
CPU CPU bugs ? Micro code update ?
Chipset
BIOS
Hypervisor
OS / Device Drivers
rootkit code in SMM / ACPI / UEFI / PCI
HVM rootkit
OS Level
Attack Hypervisor ?! or Another Attack Surface
http://leaksource.files.wordpress.com/2013/12/nsa-ant-souf-fletrough.jpg