Hardening Hyper-V through offensive security research
Jordan Rabet, Microsoft OSR
2018-08-08
Note: all vulnerabilities mentioned in this talk have been addressed
Hyper-V 101
[Figure, slides 3-5: Hyper-V architecture: layout. Hardware (CPUs, physical memory, storage, network card, …) sits below the Hypervisor (hypercalls, address manager, MSRs, …); above it run the Host OS and the Guest OS, each with a kernel mode and a user mode, connected to each other by vmbus.]
[Figure, slides 6-11: Hyper-V architecture: accessing hardware resources from Guest OS. foo.exe in guest user mode issues a request into the guest kernel I/O stack; storVSC (the guest-side virtualization service client) carries it over vmbus to storVSP (the host-side virtualization service provider), which passes it through the host kernel I/O stack to the physical storage.]
[Figure, slide 12: Hyper-V architecture: virtualization providers can be in user-mode. The same path as before, but the provider is VSMB inside VMWP.exe (the VM worker process) in host user mode rather than a kernel-mode VSP.]
[Figure, slides 13-15: vmbus internals: small packet. Address spaces shown: Guest Virtual Addresses (GVA), Guest Physical Addresses (GPA), System Virtual Addresses (SVA), System Physical Addresses (SPA) and physical addresses (PA). Guest physical memory and host physical memory both map a shared virtual ring buffer; the VSC writes packets into it through vmbus on the guest side and the VSP reads them through vmbusr on the host side.]
[Figure, slide 16: vmbus internals: small packet passing a direct mapping (GPADL). Same address spaces as above; the packet in the ring buffer carries a GPADL that describes guest pages mapped directly into the host.]
What about security? Host OS mitigations

Host OS kernel:
• Full KASLR
• Kernel Control Flow Guard (optional)
• Hypervisor-enforced code integrity (HVCI) (optional)
• No sandbox

VM Worker Process:
• ASLR
• Control Flow Guard (CFG)
• Arbitrary Code Guard (ACG)
• Code Integrity Guard (CIG)
• Win32k lockdown
VSP case study: vmswitch
vmswitch: virtualized network provider
vmswitch is a VSP, lives in host kernel
netVSC tunnels traffic over to vmswitch
vmswitch emulates a network card through the RNDIS protocol
[Figure, slide 19: the architecture layout from before, with foo.exe in guest user mode, the guest I/O stack and netVSC on the guest side, vmbus in between, and vmswitch plus the host I/O stack on the host side in front of the network card.]
[Figure, slides 20-24: vmswitch: initialization sequence. Guest and host kernels exchange vmbus messages; the guest provides a Receive Buffer and a Send Buffer in guest physical memory, which vmswitch maps into host physical memory.]
[Figure, slides 25-36: vmswitch: sending RNDIS packets. netVSC writes an RNDIS QUERY into the send buffer and notifies vmswitch with a vmbus message; vmswitch processes it and writes the RNDIS CMPLT (completion) reply into the receive buffer, again signalled over vmbus.]
[Figure, slides 37-50: vmswitch: how are RNDIS messages handled? Inside the host kernel, the vmbus channel is drained by a channel thread. A SEND_RNDIS_PKT vmbus message names a sub-allocation of the send buffer (SUBALLOC 0, SUBALLOC 2, …) holding an RNDIS message such as RNDIS QUERY or RNDIS SET; the channel thread places it on the RNDIS MSG queue, from which RNDIS worker thread 1 and RNDIS worker thread 2 pick messages up in parallel and post RNDIS CMPLT replies into the receive buffer.]
Initialization sequence vulnerability
[Figure, slides 52-57: Messing with the initialization sequence. The guest sends the receive-buffer setup message repeatedly, each time with a different direct mapping (GPADL 0, then GPADL 1, then GPADL 2); vmswitch's Receive Buffer Pointer in the host kernel is re-pointed at each new GPADL in turn.]
vmswitch receive buffer update

Receive buffer update isn’t atomic:
1. Updates the pointer to the buffer
2. Generates and updates sub-allocations

No locking on the receive buffer
• It could be used in parallel

[Figure, slide 58: the update as three steps: 1 Update pointer to receive buffer; 2 Generate bounds of sub-allocations; 3 Update bounds of sub-allocations.]
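The three-step update described on this slide, as an added example that is not the vmswitch code and not from the talk: a small deterministic C model in which the buffer pointer is published (step 1) before the sub-allocation bounds are recomputed and stored (steps 2-3), next to a layout that builds a complete descriptor first and makes it visible with a single pointer store. A reader modelling one of the RNDIS worker threads checks a sub-allocation index against whatever it currently sees. All sizes (512- and 128-byte buffers, 64-byte sub-allocations), struct names and function names are constructed for illustration.

```c
/* Added example, not code from the talk: a deterministic model of the
 * non-atomic receive-buffer update the slide describes (pointer first,
 * sub-allocation bounds later, no lock), next to a variant that publishes
 * pointer and bounds together. Buffer sizes and names are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define SUBALLOC_SIZE 64u   /* constructed sub-allocation size */
#define MAX_SUBALLOCS 8u

struct recv_buffer { const char *name; size_t size; };   /* one GPADL mapping */
struct suballoc    { size_t offset; size_t length; };    /* bounds within it */

/* Fill out sub-allocation bounds for a buffer of the given size. */
static size_t generate_bounds(size_t buf_size, struct suballoc *out) {
    size_t n = buf_size / SUBALLOC_SIZE;
    if (n > MAX_SUBALLOCS) n = MAX_SUBALLOCS;
    for (size_t i = 0; i < n; i++) {
        out[i].offset = i * SUBALLOC_SIZE;
        out[i].length = SUBALLOC_SIZE;
    }
    return n;
}

/* Racy layout: pointer and bounds are separate fields, written in separate
 * steps, and readers may run concurrently with the writer. */
struct channel_racy {
    struct recv_buffer *buf;                 /* step 1 writes this */
    struct suballoc bounds[MAX_SUBALLOCS];   /* steps 2-3 write these */
    size_t nsuballoc;
};

static void racy_step1_publish_pointer(struct channel_racy *ch, struct recv_buffer *nb) {
    ch->buf = nb;
}

static void racy_step23_update_bounds(struct channel_racy *ch) {
    ch->nsuballoc = generate_bounds(ch->buf->size, ch->bounds);
}

/* A concurrent reader that trusts bounds[idx] relative to ch->buf. Returns
 * true when the sub-allocation it would use extends past the buffer the
 * pointer currently refers to, i.e. when the stale window is observable. */
static bool racy_reader_sees_overflow(const struct channel_racy *ch, size_t idx) {
    if (idx >= ch->nsuballoc) return false;   /* index rejected, no access */
    const struct suballoc *s = &ch->bounds[idx];
    return s->offset + s->length > ch->buf->size;
}

/* Hardened layout: buffer pointer and bounds live in one descriptor that is
 * fully built before a single pointer store makes it visible. */
struct recv_state {
    struct recv_buffer *buf;
    struct suballoc bounds[MAX_SUBALLOCS];
    size_t nsuballoc;
};
struct channel_safe { struct recv_state *state; };

static void safe_update(struct channel_safe *ch, struct recv_state *fresh, struct recv_buffer *nb) {
    fresh->buf = nb;
    fresh->nsuballoc = generate_bounds(nb->size, fresh->bounds);
    ch->state = fresh;   /* the only step a reader can observe */
}

static bool safe_reader_sees_overflow(const struct channel_safe *ch, size_t idx) {
    const struct recv_state *st = ch->state;
    if (idx >= st->nsuballoc) return false;
    return st->bounds[idx].offset + st->bounds[idx].length > st->buf->size;
}

/* Walk the interleaving from the slides: GPADL 0 (512 bytes, 8 sub-allocations)
 * is replaced by a smaller GPADL 1 (128 bytes) while a reader uses index 7.
 * Returns true if the reader can observe stale bounds against the new buffer. */
bool racy_update_has_window(void) {
    struct recv_buffer g0 = { "GPADL 0", 512 }, g1 = { "GPADL 1", 128 };
    struct channel_racy ch = { 0 };
    racy_step1_publish_pointer(&ch, &g0);
    racy_step23_update_bounds(&ch);                  /* steady state: in bounds */
    bool before = racy_reader_sees_overflow(&ch, 7);
    racy_step1_publish_pointer(&ch, &g1);            /* pointer swapped ... */
    bool during = racy_reader_sees_overflow(&ch, 7); /* ... bounds still GPADL 0's */
    racy_step23_update_bounds(&ch);
    bool after = racy_reader_sees_overflow(&ch, 7);  /* index 7 now rejected */
    return !before && during && !after;
}

/* Same sequence with the hardened layout: no intermediate state exists. */
bool safe_update_has_window(void) {
    struct recv_buffer g0 = { "GPADL 0", 512 }, g1 = { "GPADL 1", 128 };
    struct recv_state s0, s1;
    struct channel_safe ch = { 0 };
    safe_update(&ch, &s0, &g0);
    bool before = safe_reader_sees_overflow(&ch, 7);
    safe_update(&ch, &s1, &g1);
    bool after = safe_reader_sees_overflow(&ch, 7);
    return before || after;
}

int main(void) {
    printf("racy layout exposes stale bounds: %s\n", racy_update_has_window() ? "yes" : "no");
    printf("hardened layout exposes stale bounds: %s\n", safe_update_has_window() ? "yes" : "no");
    return 0;
}
```

The model only shows the ordering problem: between step 1 and step 3 the pointer refers to the smaller buffer while the stored bounds still describe the larger one. In a real driver the single-store publish would additionally need release/acquire ordering or a lock, and the old descriptor would have to be kept alive until every reader that may hold it has finished.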
[Figure, slides 59-69: vmswitch receive buffer update, step by step. The vmswitch vmbus channel in the host kernel holds a Receive Buffer Pointer that initially refers to GPADL 0; when GPADL 1 arrives, step 1 updates the pointer to the new buffer, step 2 generates the bounds of the sub-allocations, and step 3 updates the stored bounds, with the pointer already live between steps 1 and 3.]
![Page 70: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/70.jpg)
vmswitch receive buffer update
• During this short window, we can have out-of-bounds sub-allocations
• This results in a useful out-of-bounds write if:
  1. We can control the data being written
  2. We can win the race
  3. We can place a corruption target adjacent to the receive buffer
Diagram: receive buffer race condition on GPADL 1, between the three update steps:
1. Update pointer to receive buffer
2. Generate bounds of sub-allocations
3. Update bounds of sub-allocations
19
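The window the slides describe is an ordering problem: the receive buffer pointer is switched to the new GPADL before the sub-allocation bounds derived from it are published, so for a moment the live state pairs a new base and size with the old bounds. The C model below is an added example, not vmswitch code or code from the talk; the descriptor layout, the constructed sizes and every name in it are assumptions. It interleaves a completion writer after each of the three steps and reports the first step after which a write to the last advertised sub-allocation leaves the mapping, then shows the ordering that closes the window: build the complete replacement descriptor first and publish it with a single pointer swap, with readers using only the descriptor they read.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a receive-buffer descriptor: the mapped GPADL plus the
 * bounds that carve it into fixed-size sub-allocations. Field names and sizes
 * are assumptions for this example, not vmswitch's real structures; addresses
 * are plain offsets rather than kernel virtual addresses. */
typedef struct {
    uint64_t base;       /* start of the mapped GPADL */
    uint64_t size;       /* bytes mapped for this GPADL */
    uint64_t sub_size;   /* bytes per sub-allocation */
    uint64_t sub_count;  /* sub-allocations carved out of the buffer */
} recv_buf_t;

/* GPADL 0: the buffer in use; GPADL 1: a smaller replacement (constructed values). */
static const recv_buf_t GPADL0 = { 0x100000, 0x100000, 0x1000, 0x100 };
static const recv_buf_t GPADL1 = { 0x300000, 0x040000, 0x1000, 0x040 };

/* Returns 1 when a write of len bytes into sub-allocation idx stays inside the
 * descriptor's mapping. Both checks matter: idx must be a valid sub-allocation
 * and the resulting byte range must fit the mapping it is applied to. */
int sub_alloc_write_in_bounds(const recv_buf_t *d, uint64_t idx, uint64_t len)
{
    if (idx >= d->sub_count || len > d->sub_size) return 0;
    return idx * d->sub_size + len <= d->size;  /* small constructed values: no overflow */
}

/* The ordering from the slides, applied in place to the live descriptor:
 * (1) pointer/size updated, (2) bounds generated privately, (3) bounds published.
 * upto = how many steps have completed when a concurrent writer looks. */
static void racy_update(recv_buf_t *live, const recv_buf_t *incoming, int upto)
{
    if (upto >= 1) { live->base = incoming->base; live->size = incoming->size; }
    /* step 2 changes nothing that another thread can observe */
    if (upto >= 3) { live->sub_size = incoming->sub_size; live->sub_count = incoming->sub_count; }
}

/* A completion writer that targets the last sub-allocation the live descriptor
 * advertises, interleaved after each step. Returns the first step after which
 * that write is out of bounds, or 0 if no interleaving is unsafe. */
int racy_update_first_bad_step(void)
{
    for (int step = 1; step <= 3; step++) {
        recv_buf_t live = GPADL0;
        racy_update(&live, &GPADL1, step);
        if (!sub_alloc_write_in_bounds(&live, live.sub_count - 1, live.sub_size))
            return step;   /* new base/size paired with old bounds */
    }
    return 0;
}

/* Hardened ordering: descriptors are immutable once published; the replacement is
 * fully built first and then made current with a single pointer swap (in a driver,
 * an interlocked exchange under the channel lock). A writer reads the pointer once
 * and uses only that descriptor's fields, so old bounds never meet a new base. */
typedef struct { const recv_buf_t *current; } channel_t;

int safe_update_first_bad_step(void)
{
    for (int step = 0; step <= 1; step++) {
        channel_t ch = { &GPADL0 };
        if (step == 1) ch.current = &GPADL1;          /* the only visible step */
        const recv_buf_t *seen = ch.current;          /* single read; use only seen->... below */
        if (!sub_alloc_write_in_bounds(seen, seen->sub_count - 1, seen->sub_size))
            return step + 1;
    }
    return 0;
}

int main(void)
{
    printf("in-place update: first unsafe interleaving after step %d (0 = none)\n",
           racy_update_first_bad_step());
    printf("build-then-publish update: first unsafe interleaving after step %d (0 = none)\n",
           safe_update_first_bad_step());
    return 0;
}
```

The model deliberately checks the writer's index against the same descriptor it reads the base from; the in-place variant fails at step 1 because the bounds check is still evaluated against GPADL 0's count while the base and size already belong to GPADL 1.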
![Page 71: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/71.jpg)
Exploiting the vulnerability
• Controlling what’s written out-of-bounds: ?
• Winning the race: ?
• Finding a reliable corruption target: ?
![Page 73: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/73.jpg)
Controlling the OOB write contents
• OOB write contents: RNDIS control message responses
• RNDIS_QUERY_MSG messages can return large buffers of data
RNDIS query response header layout:

| Offset | Size | Field |
|---|---|---|
| 0 | 4 | MessageType |
| 4 | 4 | MessageLength |
| 8 | 4 | RequestId |
| 12 | 4 | Status |
| 16 | 4 | InformationBufferLength |
| 20 | 4 | InformationBufferOffset |

22
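The reason query responses are useful OOB contents is that InformationBufferLength and InformationBufferOffset are carried in the message itself, so whatever copies the information buffer into a fixed-size slot has to validate both against the bytes it actually holds and against the slot's capacity. The C parser below is an added example, not vmswitch code or code from the talk. It follows the table above and the public RNDIS layout for REMOTE_NDIS_QUERY_CMPLT (message type 0x80000004, InformationBufferOffset counted from the RequestId field); the error codes, function names and the sample messages are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* REMOTE_NDIS_QUERY_CMPLT message type, from the public RNDIS specification. */
#define RNDIS_QUERY_CMPLT_TYPE   0x80000004u
#define RNDIS_QUERY_CMPLT_HDRLEN 24u   /* six 4-byte fields, as in the slide's table */
#define RNDIS_REQUEST_ID_OFFSET  8u    /* InformationBufferOffset is relative to RequestId */

enum { RNDIS_OK = 0, RNDIS_E_SHORT = -1, RNDIS_E_TYPE = -2, RNDIS_E_MSGLEN = -3,
       RNDIS_E_RANGE = -4, RNDIS_E_DST = -5 };

typedef struct {
    uint32_t message_type, message_length, request_id, status;
    uint32_t info_length, info_offset;
} rndis_query_cmplt_t;

/* RNDIS fields are little-endian on the wire. */
static uint32_t rd32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Validates a QUERY_CMPLT header against the bytes actually received (buf_len) and
 * against the capacity of the fixed-size slot the information buffer will land in.
 * On success *info points at the information buffer (NULL when its length is 0). */
int parse_rndis_query_cmplt(const uint8_t *buf, size_t buf_len, size_t dst_capacity,
                            rndis_query_cmplt_t *hdr, const uint8_t **info)
{
    if (buf_len < RNDIS_QUERY_CMPLT_HDRLEN) return RNDIS_E_SHORT;
    hdr->message_type   = rd32(buf + 0);
    hdr->message_length = rd32(buf + 4);
    hdr->request_id     = rd32(buf + 8);
    hdr->status         = rd32(buf + 12);
    hdr->info_length    = rd32(buf + 16);
    hdr->info_offset    = rd32(buf + 20);
    if (hdr->message_type != RNDIS_QUERY_CMPLT_TYPE) return RNDIS_E_TYPE;
    /* MessageLength must cover the header and must not exceed what was received. */
    if (hdr->message_length < RNDIS_QUERY_CMPLT_HDRLEN || hdr->message_length > buf_len)
        return RNDIS_E_MSGLEN;
    /* 64-bit arithmetic so a huge offset or length cannot wrap the range check. */
    uint64_t start = (uint64_t)RNDIS_REQUEST_ID_OFFSET + hdr->info_offset;
    uint64_t end   = start + hdr->info_length;
    if (hdr->info_length != 0 && (start < RNDIS_QUERY_CMPLT_HDRLEN || end > hdr->message_length))
        return RNDIS_E_RANGE;
    /* The destination slot is fixed-size: refuse anything that would not fit it. */
    if (hdr->info_length > dst_capacity) return RNDIS_E_DST;
    *info = hdr->info_length ? buf + start : NULL;
    return RNDIS_OK;
}

/* Copies the information buffer into a fixed-size slot only after validation.
 * Returns the number of bytes copied or a negative RNDIS_E_* code. */
long copy_rndis_query_info(const uint8_t *msg, size_t msg_len, uint8_t *dst, size_t dst_capacity)
{
    rndis_query_cmplt_t hdr; const uint8_t *info;
    int rc = parse_rndis_query_cmplt(msg, msg_len, dst_capacity, &hdr, &info);
    if (rc != RNDIS_OK) return rc;
    if (hdr.info_length) memcpy(dst, info, hdr.info_length);
    return (long)hdr.info_length;
}

/* Builds a constructed, well-formed QUERY_CMPLT carrying info and returns its length. */
size_t build_rndis_query_cmplt(uint8_t *out, size_t cap, uint32_t req_id,
                               const uint8_t *info, uint32_t info_len)
{
    size_t total = RNDIS_QUERY_CMPLT_HDRLEN + info_len;
    if (total > cap) return 0;
    wr32(out + 0, RNDIS_QUERY_CMPLT_TYPE);
    wr32(out + 4, (uint32_t)total);
    wr32(out + 8, req_id);
    wr32(out + 12, 0);                                              /* RNDIS_STATUS_SUCCESS */
    wr32(out + 16, info_len);
    wr32(out + 20, RNDIS_QUERY_CMPLT_HDRLEN - RNDIS_REQUEST_ID_OFFSET); /* payload follows header */
    memcpy(out + RNDIS_QUERY_CMPLT_HDRLEN, info, info_len);
    return total;
}

/* Scenarios on constructed messages; each returns copy_rndis_query_info's result.
 * 0: valid 16-byte payload into a 32-byte slot       -> 16
 * 1: same message, but the slot holds only 8 bytes   -> RNDIS_E_DST
 * 2: message truncated in transit to 30 bytes        -> RNDIS_E_MSGLEN
 * 3: InformationBufferOffset patched to 0xFFFFFFF0   -> RNDIS_E_RANGE */
long rndis_scenario(int which)
{
    uint8_t info[16], msg[64], slot[32];
    for (int i = 0; i < 16; i++) info[i] = (uint8_t)i;
    size_t n = build_rndis_query_cmplt(msg, sizeof msg, 7, info, (uint32_t)sizeof info);
    switch (which) {
    case 0: return copy_rndis_query_info(msg, n, slot, sizeof slot);
    case 1: return copy_rndis_query_info(msg, n, slot, 8);
    case 2: return copy_rndis_query_info(msg, 30, slot, sizeof slot);
    case 3: wr32(msg + 20, 0xFFFFFFF0u); return copy_rndis_query_info(msg, n, slot, sizeof slot);
    default: return -100;
    }
}

int main(void)
{
    for (int i = 0; i < 4; i++) printf("scenario %d -> %ld\n", i, rndis_scenario(i));
    return 0;
}
```

Scenario 3 is the one a 32-bit check would get wrong: 8 + 0xFFFFFFF0 wraps to 0xFFFFFFF8 in 32 bits but still exceeds MessageLength, whereas an unchecked add of the length on top can wrap past zero; doing the range arithmetic in 64 bits removes the question entirely.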
![Page 75: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/75.jpg)
Exploiting the vulnerability
• Controlling what’s written out-of-bounds
• Winning the race: ?
• Finding a reliable corruption target: ?
![Page 76: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/76.jpg)
vmswitch: handling RNDIS messages is asynchronous, but not really
Diagram (host OS, kernel mode): the channel thread of the vmbus channel feeds an RNDIS MSG queue (RNDIS MSG 0, RNDIS MSG 1, RNDIS MSG 2) that vmswitch drains with RNDIS worker thread 1 and RNDIS worker thread 2. The animation runs as follows:
• Worker thread 1 takes RNDIS MSG 0 and worker thread 2 takes RNDIS MSG 1; RNDIS MSG 2 stays queued
• Both workers produce their completions (RNDIS MSG 0 CMPLT, RNDIS MSG 1 CMPLT)
• Both workers then sit in “Waiting on MSG 0 ack from guest” and “Waiting on MSG 1 ack from guest”
• After the MSG 0 ack, only “Waiting on MSG 1 ack from guest” remains, and RNDIS MSG 2 is still queued
24
![Page 83: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/83.jpg)
Winning the race: delaying one RNDIS message?
• Can’t have RNDIS messages continuously write to the receive buffer
  • But we don’t need continuous RNDIS messages – we just need one
• Can we send an RNDIS message and have it be processed in a delayed way?
• No by-design way of delaying RNDIS messages…
• …but not all messages require an ack from the guest
  • Example: malformed RNDIS_KEEPALIVE_MSG message
• Idea: “cascade of failure”
  • Block off all RNDIS worker threads
  • Chain N malformed RNDIS_KEEPALIVE_MSG messages
  • Append a single valid RNDIS message
25
![Page 84: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/84.jpg)
The Cascade Of Failure: making the host race itself
Diagram (host OS, kernel mode): the channel thread of the vmbus channel, an RNDIS MSG queue holding RNDIS MSG 0, 1, 3, 4, 5, 6, 7 and 8 (labels as extracted), and vmswitch with RNDIS worker thread 1 and RNDIS worker thread 2. The animation runs as follows:
• RNDIS MSG 0 and RNDIS MSG 1 go to the two worker threads and are completed (RNDIS MSG 0 CMPLT, RNDIS MSG 1 CMPLT)
• Both workers then sit in “Waiting on MSG 0 ack from guest” and “Waiting on MSG 1 ack from guest” while RNDIS MSG 3 through 8 remain queued
• Later only “Waiting on MSG 1 ack from guest” remains and RNDIS MSG 8 is completed (RNDIS MSG 8 CMPLT)
• RNDIS MSG 8 CMPLT: written to the receive buffer after a controlled delay
26
![Page 90: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/90.jpg)
Winning the race: configuring the delay
• We can delay the event by N time units, but what’s N’s value?
  • We have a limited number of tries: need to be smart
• Can we distinguish between race attempt outcomes?
  • If so we could search for the right N
27
![Page 91: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/91.jpg)
Diagram: race attempt outcomes. A timeline shows GPADL 0 being replaced by GPADL 1, with step 1 (update pointer to receive buffer) and step 3 (update bounds of sub-allocations) marked; successive frames place an RNDIS CMPLT at three points, labelled “Too early” (before step 1), “Just right” (inside the window between steps 1 and 3) and “Too late” (after step 3)
28
![Page 95: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/95.jpg)
Winning the race: configuring the delay
• We can delay the event by N time units, but what’s N’s value?
  • We have a limited number of tries: need to be smart
• Can we distinguish between race attempt outcomes?
  • Yes
  • If we’re too early, increase N
  • If we’re too late, decrease N
  • If we’re just right… celebrate ☺
• In practice we usually converge to the right N in <10 attempts
  • N can vary from machine to machine and session to session
29
![Page 96: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/96.jpg)
Exploiting the vulnerability
• Controlling what’s written out-of-bounds
• Winning the race
• Finding a reliable corruption target: ?
![Page 97: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/97.jpg)
Finding a target: where’s our buffer?
• GPADL mapping
  • GPADL PAs mapped into an MDL using VmbChannelMapGpadl
  • MDL then mapped to VA space using MmGetSystemAddressForMdlSafe
• Where are MDLs mapped to? The SystemPTE region
• What’s mapped adjacent to our MDL?
  • ...other MDLs
0: kd> !address @@c++(ReceiveBuffer)
Usage:
Base Address: ffffdd80`273d5000
End Address: ffffdd80`27606000
Region Size: 00000000`00231000
VA Type: SystemRange
31
![Page 98: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/98.jpg)
Finding a target: other MDLs and… stacks???
0: kd> !address
...
ffffdd80`273bb000 ffffdd80`273c1000 0`00006000 SystemRange Stack Thread: ffffc903f188b080
ffffdd80`273c1000 ffffdd80`273c6000 0`00005000 SystemRange
ffffdd80`273c6000 ffffdd80`273cc000 0`00006000 SystemRange Stack Thread: ffffc903eed10800
ffffdd80`273cc000 ffffdd80`273cf000 0`00003000 SystemRange
ffffdd80`273cf000 ffffdd80`273d5000 0`00006000 SystemRange Stack Thread: ffffc903f182b080
ffffdd80`273d5000 ffffdd80`27606000 0`00231000 SystemRange
ffffdd80`27606000 ffffdd80`2760c000 0`00006000 SystemRange Stack Thread: ffffc903f181f080
ffffdd80`2760c000 ffffdd80`2760d000 0`00001000 SystemRange
ffffdd80`2760d000 ffffdd80`27613000 0`00006000 SystemRange Stack Thread: ffffc903ee878080
ffffdd80`27613000 ffffdd80`27625000 0`00012000 SystemRange
ffffdd80`27625000 ffffdd80`2762b000 0`00006000 SystemRange Stack Thread: ffffc903ee981080
ffffdd80`2762b000 ffffdd80`2762c000 0`00001000 SystemRange
ffffdd80`2762c000 ffffdd80`27632000 0`00006000 SystemRange Stack Thread: ffffc903f1bc64c0
...
32
![Page 99: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/99.jpg)
Finding a target: kernel stacks
• Windows kernel stacks
  • Fixed 7 page allocation size
  • 6 pages of stack space
  • 1 guard page at the bottom
  • Allocated in the SystemPTE region
• Great corruption target if within range – gives instant ROP
• Problems
  • How does the SystemPTE region allocator work?
  • Can we reliably place a stack at a known offset from our receive buffer?
  • Can we even “place” a stack? How do we spawn threads?
33
![Page 100: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/100.jpg)
SystemPTE allocator
• Bitmap based
  • Each bit represents a page
  • Bit 0 means free page, 1 means allocated
• Uses a “hint” for allocation
  • Scans bitmap starting from hint
  • Wraps around bitmap if needed
  • Places hint at tail of successful allocations
• Bitmap is expanded if no space is found
• Example 1: allocating 5 pages
• Example 2: allocating 5 pages again
• Example 3: allocating 17 pages
Diagram: allocation bitmap (legend: free page, allocated page, bitmap hint), animated through the three examples on pages 100 to 111
34
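To make the hint behaviour concrete, the C model below replays the slide's three examples (5 pages, 5 pages again, 17 pages) on a small constructed bitmap. It is an added example, not Windows' SystemPTE allocator code or code from the talk: the initial 32-page size, the pre-allocated pages and the function names are assumptions, and the only value taken from the deck is the 2MB expansion step (512 pages of 4KB). A final free-then-allocate round shows why a hole left behind the hint is not reused until the scan wraps.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a hint-driven page bitmap: one entry per page, 0 = free,
 * 1 = allocated (a byte per page here for readability; a real bitmap packs 8 per
 * byte). EXPAND_PAGES is the 2MB / 4KB growth step from the slides. */
#define EXPAND_PAGES 512

typedef struct {
    unsigned char *bits;   /* per-page allocation flags */
    size_t size;           /* pages tracked */
    size_t hint;           /* where the next scan starts */
} pte_bitmap_t;

int pte_init(pte_bitmap_t *bm, size_t pages)
{
    bm->bits = calloc(pages, 1); bm->size = pages; bm->hint = 0;
    return bm->bits != NULL;
}

void pte_destroy(pte_bitmap_t *bm) { free(bm->bits); bm->bits = NULL; bm->size = 0; }

/* Finds n consecutive free pages in [from, to); returns the first page or -1. */
static long find_run(const pte_bitmap_t *bm, size_t from, size_t to, size_t n)
{
    size_t run = 0;
    for (size_t i = from; i < to; i++) {
        run = bm->bits[i] ? 0 : run + 1;
        if (run == n) return (long)(i + 1 - n);
    }
    return -1;
}

/* Grows the bitmap by one expansion step; new pages start out free. */
static int expand(pte_bitmap_t *bm)
{
    unsigned char *grown = realloc(bm->bits, bm->size + EXPAND_PAGES);
    if (!grown) return 0;
    memset(grown + bm->size, 0, EXPAND_PAGES);
    bm->bits = grown; bm->size += EXPAND_PAGES;
    return 1;
}

/* Allocates n pages: scan from the hint, wrap to the start if nothing fits, expand
 * and retry if still nothing fits. The hint moves to the tail of a successful
 * allocation, so holes behind it are ignored until a scan wraps. Returns the first
 * page of the allocation or -1. */
long pte_alloc(pte_bitmap_t *bm, size_t n)
{
    if (n == 0) return -1;
    long start = find_run(bm, bm->hint, bm->size, n);
    if (start < 0) start = find_run(bm, 0, bm->size, n);                        /* wrap around */
    if (start < 0 && expand(bm)) start = find_run(bm, bm->hint, bm->size, n);    /* grow, retry */
    if (start < 0) return -1;
    memset(bm->bits + start, 1, n);
    bm->hint = (size_t)start + n;
    return start;
}

/* Freeing clears the pages but does not move the hint. */
void pte_free(pte_bitmap_t *bm, size_t start, size_t n) { memset(bm->bits + start, 0, n); }

/* Replays the slide's examples on a constructed 32-page bitmap whose pages 0-3 and
 * 10-11 are already taken, with the hint at page 4. Returns the first page of the
 * allocation made in the requested step (0-3) or, for step 4, the final bitmap size.
 *   step 0: 5 pages  -> 4   (pages 4-8, hint moves to 9)
 *   step 1: 5 pages  -> 12  (page 9 is free but the run breaks on 10-11)
 *   step 2: 17 pages -> 17  (only 15 free pages remain before the end, the wrapped
 *                            scan finds nothing, the bitmap grows to 544 pages)
 *   step 3: free pages 4-8, then 5 pages -> 34 (the hole sits behind the hint) */
long pte_scenario_step(int step)
{
    pte_bitmap_t bm;
    if (!pte_init(&bm, 32)) return -1;
    memset(bm.bits, 1, 4); bm.bits[10] = bm.bits[11] = 1; bm.hint = 4;
    long r[5];
    r[0] = pte_alloc(&bm, 5);
    r[1] = pte_alloc(&bm, 5);
    r[2] = pte_alloc(&bm, 17);
    pte_free(&bm, (size_t)r[0], 5);
    r[3] = pte_alloc(&bm, 5);
    r[4] = (long)bm.size;
    pte_destroy(&bm);
    return (step >= 0 && step <= 4) ? r[step] : -1;
}

int main(void)
{
    for (int s = 0; s <= 4; s++) printf("step %d -> %ld\n", s, pte_scenario_step(s));
    return 0;
}
```

The model is what makes the allocator predictable from the outside: consecutive allocations of equal size land back to back after the hint, and a freed region is only revisited once the scan has wrapped or the bitmap has grown past it.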
![Page 112: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/112.jpg)
Finding a target: allocation primitives
• Receive/send buffers: we can map an arbitrary number of arbitrarily sized MDLs
  • (“arbitrary”: still have size/number limits, but they’re pretty high)
• Receive/send buffers: can be revoked
  • NVSP_MSG1_TYPE_REVOKE_RECV_BUF and NVSP_MSG1_TYPE_REVOKE_SEND_BUF
  • Since replacing buffers is a bug, we can only revoke the last one sent for each
• We have pretty good allocation and freeing primitives for manipulating the region
• But we need a way to allocate new stacks if we want to target them…
  • Can we spray host-side threads?
38
![Page 113: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/113.jpg)
Finding a target: stack allocation primitives
• vmswitch relies on System Worker Threads to perform asynchronous tasks
  • NT-maintained thread pool
  • Additional threads are added to the pool when all others are busy
• Basic idea: trigger an asynchronous task many times in rapid succession
  • If enough tasks are queued quickly enough, threads will be spawned
• Several vmswitch messages rely on System Worker Threads
  • In this exploit we use NVSP_MSG2_TYPE_SEND_NDIS_CONFIG
• Problem
  • This method usually lets us create about 5 threads
  • What if there are already a lot of threads in the system worker pool?
  • Would be nice to be able to terminate them…
39
![Page 114: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/114.jpg)
Finding a target: stack allocation primitives
• There’s no by-design way to terminate worker threads from a guest
• But there are bugs we can use! ☺
• NVSP_MSG1_TYPE_REVOKE_SEND/RECV_BUF
  • Revocation done on system worker threads
  • Deadlock bug: when multiple revocation messages are handled, all but the last system worker thread would be deadlocked forever
• We can use this to lock out an “arbitrary” number of system worker threads
• We now have a limited thread stack spray!
40
![Page 115: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/115.jpg)
Allocation bitmap
1. Spray 1MB buffers
2. Allocate a 2MB - 1 page buffer• (SystemPTE expansions are done in 2MB steps)
3. Allocate a 1MB buffer
4. Allocate a 1MB - 7 pages buffer
5. Spray stacks
Two possible outcomes, both manageable
SystemPTE massaging strategy
Free page
Allocated page
Bitmap hint
41
![Page 136: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/136.jpg)
SystemPTE massaging strategy: Outcome #1
Allocation bitmap (legend: free page, allocated page, bitmap hint, replaceable receive buffer, thread stack)
1. Spray 1MB buffers
2. Allocate a 2MB - 1 page buffer (SystemPTE expansions are done in 2MB steps)
3. Allocate a 1MB buffer
4. Allocate a 1MB - 7 pages buffer
5. Spray stacks
![Page 137: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/137.jpg)
Exploiting the vulnerability
Controlling what’s written out-of-bounds
Winning the race
Finding a reliable corruption target
Bypassing KASLR?
![Page 138: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/138.jpg)
Bypassing KASLR
![Page 139: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/139.jpg)
nvsp_message struct
• Represents messages sent to/from vmswitch over vmbus

```c
struct nvsp_message {
    struct nvsp_message_header hdr;
    union nvsp_all_messages msg;
} __packed;
```
![Page 144: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/144.jpg)
Two message layouts over the same nvsp_message struct

msg.send_ndis_ver (NVSP_MSG1_TYPE_SEND_NDIS_VER):
  UINT32 hdr.msg_type
  UINT32 ndis_major_ver
  UINT32 ndis_minor_ver

msg.send_rndis_pkt_complete (NVSP_MSG1_TYPE_SEND_RNDIS_PKT_COMPLETE):
  UINT32 hdr.msg_type
  UINT32 status

sizeof(nvsp_message) spans the full union, not just the fields a given message type uses
![Page 145: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/145.jpg)
Infoleak
nvsp_message on the stack: UINT32 hdr.msg_type (message type), UINT32 status, then 32 uninitialized stack bytes
• nvsp_message is allocated on the stack
• Only the first 8 bytes are initialized
• sizeof(nvsp_message) is returned
• 32 bytes of uninitialized stack memory are sent back to guest
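As an added example (not code from the talk or from vmswitch), the pattern on the two preceding slides written out in C beside a fixed version: a stack-allocated reply whose msg_type and status are set but whose full sizeof is reported as the reply length. The struct layout, the message type value and the helper names are assumptions chosen so that the sizes match the slide (40-byte message, 8 initialized bytes).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout assumed for this example so the sizes match the slide:
 * 4-byte header + 36-byte union = 40-byte message. */
struct nvsp_message_header {
    uint32_t msg_type;
};

struct nvsp_1_message_send_rndis_pkt_complete {
    uint32_t status;
};

union nvsp_all_messages {
    struct nvsp_1_message_send_rndis_pkt_complete send_rndis_pkt_complete;
    uint8_t raw[36];   /* other message types omitted; keeps the union at 36 bytes */
};

struct nvsp_message {
    struct nvsp_message_header hdr;
    union nvsp_all_messages msg;
} __attribute__((packed));

_Static_assert(sizeof(struct nvsp_message) == 40, "message size must match the slide");

/* Placeholder value for the message type; the real enum value is not on the slide. */
#define NVSP_MSG1_TYPE_SEND_RNDIS_PKT_COMPLETE 0x7Fu

/* Vulnerable pattern as described on the slide: the reply lives on the
 * caller's stack, only msg_type and status are written, and the length
 * handed back to the transport is sizeof(nvsp_message), so the remaining
 * 32 bytes of whatever was on the stack are sent to the guest. */
size_t build_complete_vulnerable(struct nvsp_message *reply, uint32_t status)
{
    reply->hdr.msg_type = NVSP_MSG1_TYPE_SEND_RNDIS_PKT_COMPLETE;
    reply->msg.send_rndis_pkt_complete.status = status;
    return sizeof(*reply);
}

/* Fixed pattern: clear the whole message before filling it, and report only
 * the bytes this message type actually carries. Either change alone closes
 * the leak; doing both is defence in depth. */
size_t build_complete_fixed(struct nvsp_message *reply, uint32_t status)
{
    memset(reply, 0, sizeof(*reply));
    reply->hdr.msg_type = NVSP_MSG1_TYPE_SEND_RNDIS_PKT_COMPLETE;
    reply->msg.send_rndis_pkt_complete.status = status;
    return sizeof(reply->hdr) + sizeof(reply->msg.send_rndis_pkt_complete);
}

typedef size_t (*builder_fn)(struct nvsp_message *, uint32_t);

/* Measure the leak: pre-fill the stack slot with a canary standing in for
 * stale stack data, build the reply, then count canary bytes that fall
 * inside the reported length. Those are the bytes a guest would receive. */
size_t leaked_bytes(builder_fn build)
{
    struct nvsp_message reply;
    const unsigned char *bytes = (const unsigned char *)&reply;
    memset(&reply, 0xA5, sizeof(reply));
    size_t len = build(&reply, 0);
    size_t leaked = 0;
    for (size_t i = 0; i < len && i < sizeof(reply); i++)
        if (bytes[i] == 0xA5)
            leaked++;
    return leaked;
}

/* Length the builder reports to the transport. */
size_t reply_len(builder_fn build)
{
    struct nvsp_message reply;
    return build(&reply, 0);
}

int main(void)
{
    printf("vulnerable: %zu bytes reported, %zu leaked\n",
           reply_len(build_complete_vulnerable), leaked_bytes(build_complete_vulnerable));
    printf("fixed:      %zu bytes reported, %zu leaked\n",
           reply_len(build_complete_fixed), leaked_bytes(build_complete_fixed));
    return 0;
}
```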
![Page 147: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/147.jpg)
Putting it all together
• We can leak 32 bytes of host stack memory
• We can leak a vmswitch return address
• With a return address we can build a ROP chain ☺
• Final exploit:
  • Use infoleak to locate vmswitch
  • Use information to build a ROP chain
  • We don’t know for sure which stack we’re corrupting, so we prepend a ROP NOP-sled (that just means a bunch of pointers to RET instructions in a row)
  • Perform host SystemPTE massaging
  • Use race condition to overwrite host kernel thread stack with ROP chain
![Page 148: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/148.jpg)
Bypassing KASLR without an infoleak
• Our infoleak applied to Windows Server 2012 R2, but not Windows 10
  • Oops
• How do we deal with KASLR without an infoleak?
  • KASLR only aligns most modules up to a 0x10000 byte boundary
  • As a result, partial overwrites are an option
• Example:
  • Return address is: 0xfffff808e059f3be (RndisDevHostDeviceCompleteSetEx+0x10a)
  • Corrupt it to: 0xfffff808e04b8705 (ROP gadget: pop r15; ret;)
• Can only do a single partial overwrite though… is that useful?
  • Only one partial overwrite because our OOB write is contiguous
![Page 150: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/150.jpg)
SystemPTE massaging
Allocation bitmap (legend: free page, allocated page, replaceable receive buffer, thread stack)
Send buffer immediately after target stack
![Page 154: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/154.jpg)
Partial overwrite
• What if we use it to get RSP into our send buffer?
  • Target return address: 0xFFFFF808E059F3BE
  • We corrupt it to: 0xFFFFF808E059DA32
  • We end up doing RSP += 0xE78
• This moves RSP into our send buffer… which is shared with the guest

Code at the corrupted return address:

```asm
lea r11, [rsp+0E50h]
mov rbx, [r11+38h]
mov rbp, [r11+40h]
mov rsp, r11
...
retn
```

Stack layout (RSP ends up inside the send buffer):
FFFFC500F5FFF700  Target kernel thread stack
FFFFC500F5FFF800  0xFFFFF808E059DA32 (corrupted return address)
FFFFC500F5FFF900  …
FFFFC500F5FFFA00  …
FFFFC500F5FFFB00  …
FFFFC500F5FFFC00  …
FFFFC500F5FFFD00  …
FFFFC500F5FFFE00  …
FFFFC500F5FFFF00  …
FFFFC500F6000000  Send buffer
FFFFC500F6000100  00 00 00 00 00 00 00 00
FFFFC500F6000200  00 00 00 00 00 00 00 00
FFFFC500F6000300  00 00 00 00 00 00 00 00
FFFFC500F6000400  00 00 00 00 00 00 00 00
FFFFC500F6000500  00 00 00 00 00 00 00 00
FFFFC500F6000600  00 00 00 00 00 00 00 00
FFFFC500F6000700  00 00 00 00 00 00 00 00
FFFFC500F6000800  00 00 00 00 00 00 00 00
FFFFC500F6000900  00 00 00 00 00 00 00 00 …
![Page 155: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/155.jpg)
Host kernel stack in shared memory: what now?
1. The host CPU core throws a General Protection Fault (GPF)
   • No KASLR bypass means the RET instruction will necessarily cause a fault
2. The address where the GPF happened is dumped to the stack
   • In shared memory! We can read it, and that’s our KASLR bypass
3. Windows executes its GPF handler, still with the stack in shared memory
4. As attackers, we can:
   1. Locate valid ROP gadgets thanks to addresses being dumped to the stack
   2. Manipulate the stack as the exception handler is being executed
      • Includes exception records and of course other return addresses
5. As a result, we get ROP execution in host ☺
![Page 156: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/156.jpg)
Demo time
![Page 157: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/157.jpg)
Hardening Hyper-V
![Page 158: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/158.jpg)
Breaking the chain
1. Vulnerability discovery: targeted, continuous internal code review effort
2. Exploitation: break exploit techniques
3. Post-exploitation: make components less attractive targets, invest in detection
![Page 159: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/159.jpg)
Hardening: kernel stack isolation
To prevent overflowing into kernel stacks, we’ve moved them to their own region

```text
0: kd> !address
...
ffffae8f`050a8000 ffffae8f`050a9000 0`00001000 SystemRange
ffffae8f`050a9000 ffffae8f`050b0000 0`00007000 SystemRange Stack Thread: ffffbc8934d51700
ffffae8f`050b0000 ffffae8f`050b1000 0`00001000 SystemRange
ffffae8f`050b1000 ffffae8f`050b8000 0`00007000 SystemRange Stack Thread: ffffbc8934d55700
ffffae8f`050b8000 ffffae8f`050b9000 0`00001000 SystemRange
ffffae8f`050b9000 ffffae8f`050c0000 0`00007000 SystemRange Stack Thread: ffffbc8934d59700
ffffae8f`050c0000 ffffae8f`050c1000 0`00001000 SystemRange
ffffae8f`050c1000 ffffae8f`050c8000 0`00007000 SystemRange Stack Thread: ffffbc8934d5d700
...
```

In the output above, each 7-page thread stack is preceded by a separate 1-page SystemRange entry, so consecutive stacks are not directly adjacent.
![Page 160: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/160.jpg)
Hardening: other kernel mitigations
• Hypervisor-enforced Code Integrity (HVCI)
  • Attackers can’t inject arbitrary code into host kernel
• Kernel-mode Control Flow Guard (KCFG)
  • Attackers can’t achieve kernel ROP by hijacking function pointers
• Work is being done to enable these features by default
• Future hardware security features: CET
  • Hardware shadow stacks to protect return addresses and prevent ROP
![Page 161: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/161.jpg)
Hardening: VM Worker Process
• Improved sandbox
  • Removed SeImpersonatePrivilege
• Improved RCE mitigations
  • Enabled CFG export suppression
    • Large reduction in number of valid CFG targets
  • Enabled “Force CFG”
    • Only CFG-enabled modules can be loaded into VMWP
• Several Hyper-V components being put in VMWP rather than kernel
![Page 162: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/162.jpg)
The Hyper-V bounty program
• Up to $250,000 payout
  • Looking for code execution, infoleaks and denial of service issues
  • https://technet.microsoft.com/en-us/mt784431.aspx
• Getting started
  • Joe Bialek and Nicolas Joly’s talk: “A Dive in to Hyper-V Architecture & Vulnerabilities”
  • Hyper-V Linux integration services
    • Open source, well-commented code available on Github
    • Good way to understand VSP interfaces and experiment!
  • Public symbols for some Hyper-V components
![Page 163: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/163.jpg)
Thank you for your time
Special thanks to Matt Miller, David Weston, the Hyper-V team, the vmswitch team, the MSRC team and all my OSR buddies
![Page 164: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/164.jpg)
Appendix
![Page 165: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/165.jpg)
Hyper-V architecture: VMWP compromise
[Figure: the architecture layout diagram (hardware, hypervisor, host OS and guest OS in kernel and user mode, vmbus, VMWP.exe, VSMB, hypercalls, address manager, MSRs) with a malicious guest]
Malicious guest: host technically compromised, but limited to VMWP user-mode
![Page 166: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/166.jpg)
Hyper-V architecture: VMWP to host kernel compromise
[Figure: the same architecture layout diagram with a malicious guest]
Malicious guest: attacker escapes user-mode through local kernel, driver exploit… (NT)
![Page 167: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/167.jpg)
Hyper-V architecture: VMWP to host kernel compromise
[Figure: the same architecture layout diagram with a malicious guest]
Malicious guest: attacker goes for host kernel directly through VSP surface (storVSP)
![Page 168: Hardening Hyper-V through offensive security research · 2018-08-08 · Jordan Rabet, Microsoft OSR Note: all vulnerabilities mentioned in this talk have been addressed. Hyper-V 101](https://reader034.vdocuments.net/reader034/viewer/2022050413/5f8a3f5632aaf37ff50d5ba4/html5/thumbnails/168.jpg)
Hyper-V architecture: hypervisor compromise
[Figure: the same architecture layout diagram with a malicious guest]
Malicious guest: attacker compromises hypervisor, either directly from guest or through the host
Slide 70: vmswitch initialization (animated diagram: guest OS and host OS, both in kernel mode; guest physical memory and host physical memory; vmbus messages between them). Frames, in order:
• NVSP_MSG_TYPE_INIT
• NVSP_MSG1_TYPE_SEND_NDIS_VER
• NVSP_MSG1_TYPE_SEND_RECV_BUF (a receive buffer now appears in both guest and host physical memory)
• NVSP_MSG1_TYPE_SEND_SEND_BUF (a send buffer now appears alongside it on both sides)
• NVSP_MSG5_TYPE_SUBCHANNEL (subchannel 1, 2 and 3 vmbus buffers are added on both sides, next to the send and receive buffers)
Slide 71: vmswitch: how are RNDIS messages handled? (animated diagram of the host OS kernel mode side of vmswitch: vmbus channel, receive buffer and send buffer, channel thread, RNDIS MSG queue, RNDIS worker thread 1 and RNDIS worker thread 2). Frames, in order:
• A channel message batch arrives on the vmbus channel carrying SEND_RNDIS_PKT SUBALLOC 0 and SEND_RNDIS_PKT SUBALLOC 2
• The channel thread reads the referenced RNDIS SET and RNDIS QUERY messages out of the send buffer and places them on the RNDIS MSG queue
• The RNDIS worker threads pick the messages off the queue and process them
• Each worker produces an RNDIS CMPLT, which is written into the receive buffer for the guest
Slide 72: vmswitch messages / vmswitch state machine (diagram and table).
States: 0 None, 1 Initializing, 2 Operational, 3 Halted.
Transition labels on the diagram: NVSP_MSG_TYPE_INIT (once), RNDIS_INITIALIZE_MSG (on two edges), RNDIS_HALT_MSG (on two edges).
Table: NVSP Message Type against State # 0, 1, 2, 3, with one row per message type:
• NVSP_MSG_TYPE_INIT
• NVSP_MSG1_TYPE_SEND_NDIS_VER
• NVSP_MSG1_TYPE_SEND_RECV_BUF
• NVSP_MSG1_TYPE_REVOKE_RECV_BUF
• NVSP_MSG1_TYPE_SEND_SEND_BUF
• NVSP_MSG1_TYPE_REVOKE_SEND_BUF
• NVSP_MSG1_TYPE_SEND_RNDIS_PKT
• NVSP_MSG5_TYPE_SUBCHANNEL
Slide 73: vmswitch takeaways
• Send/receive buffers are used to transfer many messages at a time
• Opposite end needs to be prompted over vmbus to read from them
• vmswitch relies on different threads for different tasks
  • vmbus dispatch threads
    • Set up send/receive buffers, subchannels…
    • Read RNDIS messages from send buffer
  • The system worker threads
    • Process RNDIS messages
    • Write responses to receive buffer
• Subchannels only increase bandwidth in that they allow us to alert the opposite end more often
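The initialization sequence on slide 70, the state machine on slide 72 and the takeaways above describe a host-side dispatcher that accepts guest messages only in certain states and reads RNDIS messages out of a guest-supplied send buffer by suballocation index. The Python model below is an added example, not code from the talk or from vmswitch itself: it shows state-gated dispatch together with a bounds-checked suballocation lookup, the two checks a defender would expect such a dispatcher to make on guest-controlled input. The state names and numbers and the NVSP/RNDIS message names are taken from the slides; the ALLOWED table (which states accept which message), the payload shapes, the completion format and the NetVsp class are assumptions made for this model.

```python
# Added example (not from the slides or from vmswitch): a model of state-gated
# NVSP/RNDIS dispatch. State names/numbers and message names follow the
# "vmswitch state machine" slide; the ALLOWED table and payload shapes are
# assumptions constructed for the model.
from enum import Enum
from typing import Dict, List, Optional, Set


class State(Enum):
    NONE = 0
    INITIALIZING = 1
    OPERATIONAL = 2
    HALTED = 3


# Which states accept each NVSP message type. ASSUMED for illustration: the real
# vmswitch table is not reproduced here.
ALLOWED: Dict[str, Set[State]] = {
    "NVSP_MSG_TYPE_INIT":             {State.NONE},
    "NVSP_MSG1_TYPE_SEND_NDIS_VER":   {State.INITIALIZING},
    "NVSP_MSG1_TYPE_SEND_RECV_BUF":   {State.INITIALIZING},
    "NVSP_MSG1_TYPE_REVOKE_RECV_BUF": {State.INITIALIZING, State.HALTED},
    "NVSP_MSG1_TYPE_SEND_SEND_BUF":   {State.INITIALIZING},
    "NVSP_MSG1_TYPE_REVOKE_SEND_BUF": {State.INITIALIZING, State.HALTED},
    "NVSP_MSG1_TYPE_SEND_RNDIS_PKT":  {State.INITIALIZING, State.OPERATIONAL, State.HALTED},
    "NVSP_MSG5_TYPE_SUBCHANNEL":      {State.OPERATIONAL},
}


class NetVsp:
    """Host-side model of one vmbus channel with its send/receive buffers."""

    def __init__(self) -> None:
        self.state = State.NONE
        self.send_buf: Optional[List[bytes]] = None  # guest-provided suballocations
        self.recv_buf: Optional[List[bytes]] = None  # host writes completions here
        self.subchannels = 0
        self.log: List[str] = []

    def handle_nvsp(self, msg_type: str, payload: object = None) -> bool:
        """Dispatch one NVSP message; return False if it was refused."""
        # Gate on state first: an unknown type or a type not valid in the
        # current state is dropped before any handler runs.
        if self.state not in ALLOWED.get(msg_type, set()):
            self.log.append(f"refused {msg_type} in state {self.state.name}")
            return False
        if msg_type == "NVSP_MSG_TYPE_INIT":
            self.state = State.INITIALIZING
        elif msg_type == "NVSP_MSG1_TYPE_SEND_RECV_BUF":
            self.recv_buf = []
        elif msg_type == "NVSP_MSG1_TYPE_REVOKE_RECV_BUF":
            self.recv_buf = None
        elif msg_type == "NVSP_MSG1_TYPE_SEND_SEND_BUF":
            self.send_buf = list(payload)  # type: ignore[arg-type]
        elif msg_type == "NVSP_MSG1_TYPE_REVOKE_SEND_BUF":
            self.send_buf = None
        elif msg_type == "NVSP_MSG5_TYPE_SUBCHANNEL":
            self.subchannels = int(payload)  # type: ignore[arg-type]
        elif msg_type == "NVSP_MSG1_TYPE_SEND_RNDIS_PKT":
            return self._handle_rndis_pkt(int(payload))  # type: ignore[arg-type]
        self.log.append(f"handled {msg_type} -> {self.state.name}")
        return True

    def _handle_rndis_pkt(self, suballoc: int) -> bool:
        # The suballocation index is guest-controlled: bounds-check it against
        # the send buffer before dereferencing.
        if self.send_buf is None or not 0 <= suballoc < len(self.send_buf):
            self.log.append(f"refused SEND_RNDIS_PKT: bad suballoc {suballoc}")
            return False
        return self._handle_rndis(self.send_buf[suballoc])

    def _handle_rndis(self, msg: bytes) -> bool:
        # Constructed encoding: each suballocation holds the RNDIS message name.
        name = msg.decode("ascii")
        if self.recv_buf is None:
            self.log.append(f"refused {name}: no receive buffer for the completion")
            return False
        if name == "RNDIS_INITIALIZE_MSG" and self.state in (State.INITIALIZING, State.HALTED):
            self.state = State.OPERATIONAL
        elif name == "RNDIS_HALT_MSG" and self.state == State.OPERATIONAL:
            self.state = State.HALTED
        elif name in ("RNDIS_SET", "RNDIS_QUERY") and self.state == State.OPERATIONAL:
            pass  # in vmswitch this would be queued to an RNDIS worker thread
        else:
            self.log.append(f"refused {name} in state {self.state.name}")
            return False
        self.recv_buf.append(b"RNDIS_CMPLT:" + msg)  # completion back to the guest
        self.log.append(f"handled {name} -> {self.state.name}")
        return True


def demo() -> NetVsp:
    """Walk the slide's initialization sequence, then exercise three refusals."""
    vsp = NetVsp()
    vsp.handle_nvsp("NVSP_MSG5_TYPE_SUBCHANNEL", 3)      # refused: still in NONE
    vsp.handle_nvsp("NVSP_MSG_TYPE_INIT")
    vsp.handle_nvsp("NVSP_MSG1_TYPE_SEND_NDIS_VER")
    vsp.handle_nvsp("NVSP_MSG1_TYPE_SEND_RECV_BUF")
    vsp.handle_nvsp("NVSP_MSG1_TYPE_SEND_SEND_BUF",
                    [b"RNDIS_INITIALIZE_MSG", b"RNDIS_QUERY", b"RNDIS_SET"])
    vsp.handle_nvsp("NVSP_MSG1_TYPE_SEND_RNDIS_PKT", 0)  # RNDIS_INITIALIZE -> OPERATIONAL
    vsp.handle_nvsp("NVSP_MSG5_TYPE_SUBCHANNEL", 3)      # accepted now
    vsp.handle_nvsp("NVSP_MSG1_TYPE_SEND_RNDIS_PKT", 2)  # RNDIS_SET, completion written
    vsp.handle_nvsp("NVSP_MSG1_TYPE_SEND_RNDIS_PKT", 7)  # refused: suballoc out of range
    vsp.handle_nvsp("NVSP_MSG1_TYPE_REVOKE_RECV_BUF")    # refused: not valid while operational
    return vsp


if __name__ == "__main__":
    for line in demo().log:
        print(line)
```

The design point is the order of checks: the state gate runs before any per-message handler, and the suballocation index is validated against the current send buffer before it is used. In this model the same gate is what keeps the receive buffer from being revoked while subchannels exist, which is the effect the deck attributes to the state machine on slide 75.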
Slide 74: vmswitch state machine (the state diagram and the NVSP Message Type / State # table from slide 72, shown again on two consecutive frames).
Slide 75: Winning the race: continuous writing?
• Easy way to win the race: queue up RNDIS messages and keep having them write to receive buffer continuously
  • Doesn’t work: RNDIS threads blocked until ack from guest
• Ack and buffer replacement happen on same channel: can’t happen simultaneously…
• …unless we use subchannels!
  • Multiple channels = simultaneity
• …but we can’t because of the state machine
(The second frame re-shows the NVSP Message Type / State # table from slide 72, with the state columns 0 1, 2 and 3 called out.)
Slides 76 to 80: SystemPTE massaging strategy (animated allocation bitmap; legend: free page, allocated page, bitmap hint)
1. Spray 1MB buffers
2. Allocate a 2MB - 1 page buffer
   • (SystemPTE expansions are done in 2MB steps)
3. Allocate a 1MB buffer
4. Allocate a 1MB - 7 pages buffer
5. Spray stacks
Outcome #2: the final bitmap frame labels a replaceable receive buffer and a thread stack.
Slide 81: Finding a target: SystemPTE massaging
• After massaging, we know a stack is at one of two offsets from the receive buffer
  • Either 3MB - 6 pages away or 4MB - 6 pages away
• Since we can perform the race reliably, we can just try both possible offsets
  • Note: doing the race requires revoking and re-mapping the receive buffer
  • We can do this because the SystemPTE bitmap will free our 2MB block and reuse it for the next 2MB block allocation
  • As a result, we’re almost guaranteed to fall back into the same slot if we’re fast enough
• We can overwrite a stack, but what do we write?
  • Overwriting return addresses requires a host KASLR bypass
  • Easiest way to do this: find an infoleak vulnerability