osseu17: how open source project xen puts security software vendors ahead of emerging threats -...
TRANSCRIPT
How Open Source Project Xen Puts Security Ahead of Emerging Threats
Mihai Donțu, Bitdefender
Andrei Florescu, Bitdefender
In An Ideal World…
• OSes would be designed differently
• Humans would not code

… In The Real World
• OSes are flawed by design
• Humans (still) code
Perfect St[w]orms
• Vulnerability in widely-used services or protocols
• Vulnerable service exposed to the outside world
• Vulnerability remotely exploitable
• Both servers and workstations vulnerable
• Vulnerability affects the OS kernel
• “Wormable”
Some Examples?

MS08-067 – MS NetAPI32 Vulnerability
1 AD…        Vulnerability present and exploitable
09/25/2008   MS caught wind of the 0-day through WER*
10/23/2008   Out-of-band patch released
11/2008      Conficker/Downadup worm released in the wild
1/2009       Infected >9 million systems, including defense, government and commercial networks
* https://blogs.technet.microsoft.com/johnla/2015/09/26/the-inside-story-behind-ms08-067/
… 9 years later

MS17-010 – MS SMB v1 Vulnerability (EternalBlue)*
1 AD…        Vulnerability present and exploitable
3/14/2017    MS released the patch (on a Tuesday)
4/14/2017    Some bad people released a public exploit: EternalBlue
5/12/2017    WannaCry released in the wild; over 300k systems infected in 3 days
6/27/2017    NotPetya (or something) released
* https://businessinsights.bitdefender.com/hypervisor-introspection-defeated-enternalblue-a-priori
So What Really Changed?
• Vulns & Exploit Branding!
• OS-based Exploit Mitigation: ASLR, DEP, SafeSEH, SEHOP
• In-Guest Security Tools: Next-Gen Stuff, Endpoint Detection and Response (EDR), Threat-hunting, Incident Response, Sandboxing
• ?

In Reality…
• Vulns & Exploit Branding!
• OS-based Exploit Mitigation
• In-Guest Security Tools
• ?
Back To The Ideal World…
• Generic Exploit Prevention
• No Prior Knowledge Required
• Real-Time Alerts
• Forensics Details Provided
• Isolated From Attackable Surface
HVI Demo: Defeating EternalBlue
Open Source Collaboration

Project History
2003   First notable academic research (by Garfinkel & Rosenblum)
2008   First proof of concept on Xen (Ether)
2010   Started working on a VMI-based security technology using a custom hypervisor
2012   First proof of concept with Xen
2014   Started working with the Xen Project community on improving and extending Xen’s VMI features
2014   Intel announced the first CPU features aimed at speeding up VMI
2016   First beta for Bitdefender’s HVI technology
2017   First commercial release with Citrix XenServer 7.0 (Xen 4.6)
How HVI Works
• Uses the VMI capabilities of Xen (xen-access, vm-events)
• Builds a "shadow" state of the OS
• Enforces certain access restrictions on:
  • Code (kernel or user application)
  • Stack
  • Heap
  • Data
  • Driver Objects (Windows)
  • IDT/GDT etc.
  • Sensitive MSRs (e.g. MSR_LSTAR)
Architecture Overview (diagram)
• Several guests run on the XenServer hypervisor (compute, networking, storage)
• Control Domain (dom0): XenServer
• Security Appliance (domU): Memory Introspection Engine
• Each guest’s critical memory accesses are reported to the engine through the Direct Inspect APIs
A Closer Look: EternalBlue

MS17-010: The Vulnerability
• Integer overflow: a DWORD-sized subtraction result is stored into a WORD (the high word of the client-supplied length survives)
• Buffer overflow: memmove operation in srv!SrvOs2FeaToNt
• Arbitrary write-what-where primitive (classic heap spraying & grooming to gain RCE)
• RIP is hijacked in srvnet!SrvNetWskReceiveComplete
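A simplified C model of the length bug above, added here as an illustration (it is not srv.sys code and not part of the talk). The server recomputes the real byte length of the FEA list it received, but the vulnerable build writes only the low 16 bits of that DWORD back into the 32-bit length field (SizeOfListInBytes in the SMB_FEA_LIST of the protocol spec), so the high word the client supplied survives. The copy loop then trusts a length larger than the destination, which was sized from the correct value. The entry size, buffer size and client-claimed length are assumptions chosen for the example, and the loop counts out-of-bounds bytes instead of writing them.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the MS17-010 length bug.  Not srv.sys code and not
 * Bitdefender's: it only reproduces the arithmetic the talk describes.
 *
 * SMB_FEA_LIST starts with a 32-bit SizeOfListInBytes supplied by the client.
 * The server walks the entries, recomputes the real length as a DWORD, and
 * writes it back into that field.
 */

/* Vulnerable build: a 16-bit store.  Only the low word is replaced, so the
 * high word of the client-supplied length is kept (little-endian x86). */
uint32_t store_size_vulnerable(uint32_t client_size, uint32_t recomputed)
{
    return (client_size & 0xFFFF0000u) | (recomputed & 0x0000FFFFu);
}

/* Patched build: the whole DWORD is written. */
uint32_t store_size_fixed(uint32_t client_size, uint32_t recomputed)
{
    (void)client_size;
    return recomputed;
}

/*
 * Model of the SrvOs2FeaToNt copy loop.  The destination was sized from the
 * recomputed (correct) length, but the loop keeps converting entries until
 * the trusted list length is consumed.  Out-of-bounds bytes are counted
 * rather than written, so this is safe to run.
 */
uint32_t simulate_copy(uint32_t trusted_size, uint32_t entry_bytes, uint32_t dst_size)
{
    uint32_t consumed = 0, written = 0, overrun = 0;
    while (consumed < trusted_size) {
        if (written + entry_bytes <= dst_size)
            written += entry_bytes;        /* in bounds: a legitimate memmove */
        else
            overrun += entry_bytes;        /* past the end of the pool allocation */
        consumed += entry_bytes;
    }
    return overrun;
}

/* Assumed example input: the client claims 0x1F000 bytes, but the entries
 * that actually parse add up to 0x1000 bytes (16 entries of 0x100 each). */
#define CLIENT_SIZE   0x1F000u
#define REAL_SIZE     0x01000u
#define ENTRY_BYTES   0x00100u

uint32_t overrun_vulnerable(void)
{
    uint32_t trusted = store_size_vulnerable(CLIENT_SIZE, REAL_SIZE);  /* 0x11000 */
    return simulate_copy(trusted, ENTRY_BYTES, REAL_SIZE);
}

uint32_t overrun_fixed(void)
{
    uint32_t trusted = store_size_fixed(CLIENT_SIZE, REAL_SIZE);       /* 0x1000 */
    return simulate_copy(trusted, ENTRY_BYTES, REAL_SIZE);
}

int main(void)
{
    printf("trusted length (vulnerable):               0x%x\n",
           store_size_vulnerable(CLIENT_SIZE, REAL_SIZE));
    printf("bytes written past the buffer (vulnerable): 0x%x\n", overrun_vulnerable());
    printf("bytes written past the buffer (fixed):      0x%x\n", overrun_fixed());
    return 0;
}
```

The 0x10000-byte overrun is exactly the stale high word of the client's length: everything the loop copies beyond the real entries comes from attacker-controlled bytes that follow the list in the same request, which is what makes the corruption deterministic enough to groom.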
MS17-010: Exploiting The Vulnerability
• The exploit uses MDLs (Memory Descriptor Lists) to control the source & destination of arbitrary writes
• ASLR is bypassed by using hard-coded memory regions
  o The HalHeap is located at 0xffffffffffd00000
  o Fixed in Windows 10 Creators Update / Redstone 2 (April 2017)
• Page-table addresses are also “hard-coded”
  o Self-mapped at PML4 entry 0x1ed
  o Fixed in Windows 10 Anniversary Update (August 2016)
• DEP is disabled on the HalHeap region by directly editing the page tables
• The payload is placed inside the HalHeap
• The handler for the connection close is overwritten and offers RCE
• The shellcode is executed when the connection is closed
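The two hard-coded facts above are connected, and the following C helper (added for this page, not the exploit's or Bitdefender's code) shows how. On x64 Windows before the Anniversary Update, PML4 entry 0x1ed mapped the page-table hierarchy onto itself, so the virtual address of the PTE, PDE, PDPTE or PML4E covering any address followed from a fixed formula with no information leak needed. Given the PTE address of the HalHeap, "disabling DEP" is clearing the NX bit (bit 63) of that entry. Once the self-map index is chosen at boot, the same formula needs the index as an input the remote attacker does not have. The constants below follow from the index alone; the sample PTE value and the "randomized" index are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example: x64 recursive page-table self-map arithmetic.  Not code from
 * EternalBlue or from Bitdefender; it reproduces the address computation the
 * exploit hard-coded for the pre-Anniversary-Update self-map index 0x1ed.
 */

/* Canonical 48-bit virtual address: sign-extend from bit 47. */
static uint64_t sext48(uint64_t va)
{
    return (va & (1ULL << 47)) ? (va | 0xFFFF000000000000ULL)
                               : (va & 0x0000FFFFFFFFFFFFULL);
}

/*
 * Virtual address of the paging-structure entry that maps `va`, `level` steps
 * up the hierarchy: 1 = PTE, 2 = PDE, 3 = PDPTE, 4 = PML4E.  Each step drops
 * the 12 offset bits, keeps the 36 page-number bits as 8-byte entry indices
 * (bits 3..38) and puts the self-map index into the PML4 slot (bits 39..47).
 */
uint64_t pt_entry_va(unsigned self_idx, uint64_t va, int level)
{
    for (int i = 0; i < level; i++)
        va = sext48(((uint64_t)self_idx << 39) | ((va >> 9) & 0x7FFFFFFFF8ULL));
    return va;
}

/* x64 PTE bit 63 is NX (execute-disable).  Clearing it is how the exploit
 * makes the HalHeap pages it filled with shellcode executable. */
uint64_t pte_make_executable(uint64_t pte)
{
    return pte & ~(1ULL << 63);
}

#define OLD_SELF_MAP_IDX 0x1edu
#define HALHEAP_VA       0xffffffffffd00000ULL

int main(void)
{
    /* With a fixed index every one of these is a compile-time constant,
     * which is exactly what a blind remote exploit needs. */
    printf("PTE_BASE      = 0x%016llx\n", (unsigned long long)pt_entry_va(OLD_SELF_MAP_IDX, 0, 1));
    printf("PXE_BASE      = 0x%016llx\n", (unsigned long long)pt_entry_va(OLD_SELF_MAP_IDX, 0, 4));
    printf("PTE(HalHeap)  = 0x%016llx\n", (unsigned long long)pt_entry_va(OLD_SELF_MAP_IDX, HALHEAP_VA, 1));
    printf("PDE(HalHeap)  = 0x%016llx\n", (unsigned long long)pt_entry_va(OLD_SELF_MAP_IDX, HALHEAP_VA, 2));

    /* Constructed PTE value: present, writable, NX set, frame 0x12345. */
    uint64_t pte = 0x8000000012345063ULL;
    printf("PTE, NX clear = 0x%016llx\n", (unsigned long long)pte_make_executable(pte));

    /* After the Anniversary Update the index is picked at boot; the attacker
     * no longer knows what to pass here (0x1a3 is an assumed value). */
    unsigned randomized_idx = 0x1a3;
    printf("PTE_BASE with randomized index = 0x%016llx\n",
           (unsigned long long)pt_entry_va(randomized_idx, 0, 1));
    return 0;
}
```

Calling the same function with the page-table base as input climbs one level each time, so the PDE, PDPTE and PML4 bases are just repeated applications of the PTE formula; this is why one leaked or hard-coded index is enough to rewrite any entry in the hierarchy.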
MS17-010: The Payload – Stage 1
1. Trick to determine if the OS is 32 or 64 bit: if 32 bit then bail out, else continue execution (in this example)
2. Read Model Specific Register (MSR) 0xC0000082 – IA32_LSTAR – and save it
   • This MSR contains the kernel address of the SYSCALL handling routine
   • Any SYSCALL made by a user-mode app will end up running the code pointed to by IA32_LSTAR
3. Modify the IA32_LSTAR MSR so that it points to the main payload inside the HalHeap
MS17-010: The Payload – Stage 2
4. As soon as an application initiates a SYSCALL, the main payload gains code execution
   • It restores the original SYSCALL handler
   • It does whatever the payload was programmed to do
This is the main functionality of the exploit
MS17-010: The Payload – Stage 3
The (stage 2/3) payload:
• Iterates all the loaded drivers, searching for the SMB server drivers (srv.sys)
• Overwrites the SrvTransactionNotImplemented entry inside the SrvTransaction2DispatchTable => backdoor
• Next time someone wants to see if a system has been compromised, it can simply “knock” and see if DoublePulsar responds
… and HVI Defeats EternalBlue

MS17-010: Preventing Exploitation
Stage 1 runs as before:
1. Trick to determine if the OS is 32 or 64 bit: if 32 bit then bail out, else continue execution (in this example)
2. Read Model Specific Register (MSR) 0xC0000082 – IA32_LSTAR – and save it
   • This MSR contains the kernel address of the SYSCALL handling routine
   • Any SYSCALL made by a user-mode app will end up running the code pointed to by IA32_LSTAR
3. The IA32_LSTAR MSR is protected against modifications
   • Although the stage 1 payload may get code execution, it cannot ensure the execution of the main payload; the main payload will never run

The SMB server drivers are protected against modifications, and the SrvTransaction2DispatchTable is located inside such a driver (srv.sys)
• The backdoor cannot be installed on the system
• … although it never gets to this, because we already blocked it at stage 1
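A small C model of payload stages 1 and 2 above and of the MSR protection that stops them, added for this page (it is neither Bitdefender's engine nor Xen code). The hypervisor traps the guest's WRMSR to IA32_LSTAR and hands an out-of-guest policy an event carrying the MSR number, the old value and the requested new value; the policy answers allow or deny, and a denied write is dropped, so the guest kernel keeps its original SYSCALL entry. In Xen the mov-to-msr monitor event and the deny response flag provide this (the vm-events the talk refers to); the event layout, the policy table, the guest state and the kernel and payload addresses here are assumptions for the model. The point is that stage 1 running with kernel privileges changes nothing: the check lives outside the guest, so the next SYSCALL still lands in the real handler and stage 2 never executes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model: a guest vCPU, a hypervisor WRMSR trap and an out-of-guest
 * introspection policy.  Not Bitdefender's engine and not Xen's API.
 */

#define IA32_STAR  0xC0000081u
#define IA32_LSTAR 0xC0000082u

/* Guest state the model needs: the SYSCALL entry the CPU would use. */
typedef struct {
    uint64_t msr_lstar;
    uint64_t msr_star;
} vcpu_t;

/* What the hypervisor delivers to the introspection engine on a trapped
 * write.  Nothing inside the guest can reach or alter this path. */
typedef struct {
    uint32_t msr;
    uint64_t old_value;
    uint64_t new_value;
} msr_event_t;

typedef enum { VERDICT_ALLOW = 0, VERDICT_DENY = 1 } verdict_t;

/* Assumed policy table: MSRs whose value must never change after boot. */
static const uint32_t protected_msrs[] = { IA32_LSTAR };

/* Introspection engine: deny any change to a protected MSR; everything else
 * passes, so the protection is selective rather than a blanket trap. */
verdict_t hvi_on_msr_write(const msr_event_t *ev)
{
    for (size_t i = 0; i < sizeof protected_msrs / sizeof protected_msrs[0]; i++)
        if (ev->msr == protected_msrs[i] && ev->new_value != ev->old_value)
            return VERDICT_DENY;
    return VERDICT_ALLOW;
}

/* Hypervisor side of WRMSR.  With introspection enabled the write is only
 * committed if the engine allows it; the guest sees no fault either way. */
bool guest_wrmsr(vcpu_t *v, uint32_t msr, uint64_t value, bool hvi_enabled)
{
    uint64_t *slot = (msr == IA32_LSTAR) ? &v->msr_lstar :
                     (msr == IA32_STAR)  ? &v->msr_star  : NULL;
    if (slot == NULL)
        return false;

    if (hvi_enabled) {
        msr_event_t ev = { msr, *slot, value };
        if (hvi_on_msr_write(&ev) == VERDICT_DENY)
            return false;                 /* write dropped, old value kept */
    }
    *slot = value;
    return true;
}

uint64_t guest_rdmsr(const vcpu_t *v, uint32_t msr)
{
    return msr == IA32_LSTAR ? v->msr_lstar :
           msr == IA32_STAR  ? v->msr_star  : 0;
}

/* Stage 1 as the talk describes it: save IA32_LSTAR, then point it at the
 * main payload staged in the HalHeap. */
uint64_t stage1_hijack(vcpu_t *v, uint64_t payload_va, bool hvi_enabled)
{
    uint64_t saved = guest_rdmsr(v, IA32_LSTAR);
    guest_wrmsr(v, IA32_LSTAR, payload_va, hvi_enabled);
    return saved;
}

/* Where the CPU transfers control on the next SYSCALL from user mode. */
uint64_t next_syscall_target(const vcpu_t *v)
{
    return v->msr_lstar;
}

/* Assumed addresses: the real kernel SYSCALL handler and the staged payload. */
#define KERNEL_SYSCALL_HANDLER 0xfffff80000123450ULL
#define HALHEAP_PAYLOAD        0xffffffffffd01000ULL

/* Run stage 1 against a fresh guest and report where SYSCALL goes next. */
uint64_t syscall_target_after_stage1(bool hvi_enabled)
{
    vcpu_t v = { KERNEL_SYSCALL_HANDLER, 0x0023001000000000ULL };
    stage1_hijack(&v, HALHEAP_PAYLOAD, hvi_enabled);
    return next_syscall_target(&v);
}

int main(void)
{
    printf("no HVI:  SYSCALL -> 0x%016llx (stage 2 runs)\n",
           (unsigned long long)syscall_target_after_stage1(false));
    printf("HVI on:  SYSCALL -> 0x%016llx (stage 2 never runs)\n",
           (unsigned long long)syscall_target_after_stage1(true));
    return 0;
}
```

Because the verdict is computed from the trapped event rather than from anything the guest kernel stores, an in-guest rootkit cannot disable the check the way it could unhook an in-guest security driver; that is the "isolated from attackable surface" property from the earlier slide.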
Future Work
• Expand the protection over more OS areas (e.g. the HAL’s heap)
• Prevent credential theft from Windows LSASS
• Integrate more hardware features to accelerate VMI (e.g. Intel’s #VE)
• Extract more context out of the guest to improve attack analysis (opened connections, accessed files etc.)
• Help create an ecosystem for VMI-based security tools to which more organizations can contribute
Conclusions
1. Open-source collaboration is key
2. VMI is changing the security industry
3. Commercial implementations are available
Time For Questions!