This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
Hypervisor (Type 1, Bare Metal)

Partition layout: the “Host OS” runs in the Root Partition; VM 1 … VM N run in Partition 1 … Partition n.

The hypervisor:
• Manages the physical address space of partitions (via EPT)
• Manages virtualization-specific hardware configuration
• Handles intercepts (i.e. HyperCall, in/out instructions, CPUID instruction, EPT page fault, etc.)
• Delivers interrupts to guests

Most Hyper-V attack surface is not in the hypervisor. The hypervisor’s EPT enforces physical memory isolation between partitions.
Root Partition (“Host OS”)

• Manages other VM’s (create/destroy/etc.)
• Access to the physical memory of other partitions
• Access to all hardware
• Provides services such as device emulation, para-virtualized networking/storage, etc.

Most Hyper-V attack surface is in the root partition: the root partition can access other partitions’ physical memory.
Guest Partitions (VM 1 … VM N)

• No access to other partitions’ physical memory
• No access to hardware
• Access to a limited set of HyperCalls (example: faster TLB flush)
• No ability to communicate with partitions other than the root

There is no direct guest-to-guest attack surface: a guest communicates with the root partition and the hypervisor only through well-defined interfaces.
Hyper-V Architecture: Root Partition Services
Hyper-V Architecture: Root Partition

User mode:
• VM Worker Process – VMWP.exe, hosting:
  • Virtual Devices (Emulators, Non-emulated devices)
  • vSMB Server (containers)
  • Plan9FS (containers)
  • Integration Components
• VM Mgmt Service – VMMS.exe: responsible for managing the state of all the VM’s. No direct guest attack surface.
• VM Compute – VMCompute.exe: responsible for VM management and container management.
• VM Mem – vmmem.exe: a minimal process, used as a separate virtual address space to make certain mappings.

Kernel mode:
• Virtualization Infrastructure Driver – VID.sys
• Para-virtualized Networking – VMSwitch.sys
• Para-virtualized Storage – StorVSP.sys
• Para-virtualized PCI – vPCI.sys
• VMBUS – VMBusR.sys
• Kernel-Hypervisor Interface – WinHV.sys / WinHVr.sys
Hypercalls
• “System calls” of the hypervisor
• Guest accessible hypercalls are documented as part of the Hyper-V TLFS
• Some hypercalls pass arguments via registers, others use physical pages (GPA in register)

Overlay Pages
• A way for the hypervisor to forcibly map a physical page into a partition
• Example: hypercall code page
• Primarily used to communicate data to a guest partition

Faults
• Triple fault, EPT page faults (i.e. permission faults, GPA not mapped, etc.)
• This is how MMIO can be virtualized by VDEV’s (fault on access to a virtual MMIO range)

Instruction Emulation
• Attempt to execute instructions such as CPUID, RDTSC, RDPMC, INVLPG, IN, OUT, etc.

Register Access
• Attempt to read/write control registers, MSR’s
Extended Hypercalls
• Hypercalls that the hypervisor forwards directly to the VID
• Very few

VMBUS
• High-speed communication channel accessed via the Kernel Mode Client Library (KMCL) abstraction layer

Aperture
• Host can map guest physical memory and interact with it
• Rarely used by kernel

Intercept Handling
• Hypervisor forwards some intercepts it receives to the host for processing
• IO port read/write (does it need emulation?)
• EPT faults: is the memory paged out? Is that memory a virtual MMIO page?
• Etc.
IO Ports
• User-mode components can register for notifications when particular IO ports are written/read
• Used to emulate hardware

MMIO
• Components can register GPA ranges as MMIO ranges and receive notifications when the ranges are written/read
• Used to emulate hardware

VMBUS
• High-speed communication channel accessed through named pipes or sockets

Aperture
• Map guest physical addresses into the virtual address space of VMWP
• Need to be careful to avoid shared-memory issues such as double-fetch

Read/Write Notifications
• Triggered when a specified GPA is read/written; EIP is not advanced (no emulation)
• Used to track when pages are dirtied while live migrating (as an example)
KMCL channel callbacks:
• Called to process each packet received from the guest
• Calls to this function are serialized per-channel
• Buffer contains guest-controlled data, NOT in shared memory
• Called after a group of packets has been delivered, if there will be a pause in future packet delivery
Handler parameters:
• MMIO read notification: RangeBase, RangeOffset, NumberOfBytes, ReadBuffer[]
• MMIO write notification: RangeBase, RangeOffset, NumberOfBytes, WriteBuffer[]
• IO port read: IoAddress, AccessSize, ReadData
• IO port write: IoAddress, AccessSize, WriteData
https://blogs.technet.microsoft.com/virtualization/2018/04/25/hyper-v-symbols-for-debugging/
• Intercepted I/O vulnerabilities
CVE-2017-0051 – VMSwitch VmsMpCommonPvtSetNetworkAddress Out-of-Bounds Read Vulnerability
CVE-2018-0964 – vPCI VpciMsgCreateInterruptMessage Uninitialized Stack Object
CVE-2017-8706 – VideoSynthDevice::SynthVidSendSupportedResolutionsResponse Uninitialized Object Field
CVE-2018-0959 – Out-of-Bounds Read/Write in VmEmulatedStorage
CVE-2018-0888 – Information disclosure during MMIO emulation
CVE-2017-0051 – VMSwitch VmsMpCommonPvtSetNetworkAddress Out-of-Bounds Read Vulnerability

Trigger path shown on the slide: patch the Linux drivers in rndis_filter.c → run ifconfig → RNDIS packet sent to the VMBUS → VmsMpCommonPvtSetNetworkAddress called with a long unterminated string → cause an error to log the long string.
Other VMSwitch issues
https://bugs.chromium.org/p/project-zero/issues/detail?id=688
https://bugs.chromium.org/p/project-zero/issues/detail?id=689
https://bugs.chromium.org/p/project-zero/issues/detail?id=690
CVE-2018-0964 – vPCI VpciMsgCreateInterruptMessage Uninitialized Stack Object

vPCI message identifiers shown on the slide: VpciMsgCreateInterruptMessage = 0x42490014; VpciMsgQueryProtocolVersion
CVE-2017-8706 – VideoSynthDevice::SynthVidSendSupportedResolutionsResponse Uninitialized Object Field

• Leak 0x86 bytes of heap memory to the guest
• Of sizeof(SYNTHVID_SUPPORTED_RES), only 9 bytes were initialized
• Variant for a stack object in VideoSynthDevice::SendNextMessageInternal
• Change the type, size, content and start fuzzing!

Hyper-V Bug Bounty Today: $15,000. Double your gain with another $15,000 for the variant.
CVE-2018-0888 – Information disclosure during MMIO emulation

The vulnerable handler as shown on the slide: on any access size other than 4 it returns before writing anything into ReadBuffer, so whatever the caller’s buffer already held is completed back to the guest.

```cpp
void BatteryEmulator::NotifyMmioRead(_In_ UINT64 RangeBase,
                                     _In_ UINT64 RangeOffset,
                                     _In_ UINT64 NumberOfBytes,
                                     _Out_writes_bytes_(NumberOfBytes) BYTE ReadBuffer[]) noexcept
{
    if (NumberOfBytes != 4)
        return;        // early return: ReadBuffer is never written
    ...                // rest of the handler elided on the slide
}
```

Hyper-V Bug Bounty Today: $15,000
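The two bug shapes above (the early return in NotifyMmioRead behind CVE-2018-0888, and the partly initialized SYNTHVID_SUPPORTED_RES object behind CVE-2017-8706) as an added, constructed example that is not Microsoft’s code: each vulnerable shape beside a hardened one, plus a harness that counts how many stale host bytes a handler would hand to the guest. The type aliases, register value, GPA values and the response layout are stand-ins chosen for the test, not the real vmwp/vmchipset definitions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Constructed stand-ins for the Windows types on the slide (not the real headers).
using UINT64 = std::uint64_t;
using BYTE   = std::uint8_t;

// Pattern standing in for whatever host heap/stack data was in the buffer before the
// handler ran (constructed for the test; on a live host this would be real data).
constexpr BYTE kStaleByte = 0xCC;

// ---- Pattern 1: MMIO read callback with an early return (shape of CVE-2018-0888) ----

// Vulnerable shape from the slide: the size check returns before ReadBuffer is written,
// so the caller's buffer, still holding whatever was there, is completed to the guest.
void NotifyMmioReadVulnerable(UINT64 /*RangeBase*/, UINT64 RangeOffset,
                              UINT64 NumberOfBytes, BYTE ReadBuffer[]) noexcept {
    if (NumberOfBytes != 4)
        return;
    const std::uint32_t reg = 0x1000u + static_cast<std::uint32_t>(RangeOffset); // constructed register value
    std::memcpy(ReadBuffer, &reg, sizeof reg);
}

// Hardened shape: define every output byte first, then apply the size policy. Unsupported
// access widths read as all-ones here (an assumption; use whatever the emulated device should return).
void NotifyMmioReadHardened(UINT64 /*RangeBase*/, UINT64 RangeOffset,
                            UINT64 NumberOfBytes, BYTE ReadBuffer[]) noexcept {
    std::memset(ReadBuffer, 0xFF, static_cast<std::size_t>(NumberOfBytes));
    if (NumberOfBytes != 4)
        return;
    const std::uint32_t reg = 0x1000u + static_cast<std::uint32_t>(RangeOffset);
    std::memcpy(ReadBuffer, &reg, sizeof reg);
}

using MmioReadHandler = void (*)(UINT64, UINT64, UINT64, BYTE[]);

// Stand-in for the VMWP dispatch path: pre-fill the buffer with the stale pattern, run the
// handler, and count bytes that still carry the pattern, i.e. bytes of host memory exposed.
std::size_t MmioLeakedBytes(MmioReadHandler handler, UINT64 accessSize) {
    std::vector<BYTE> buffer(static_cast<std::size_t>(accessSize), kStaleByte);
    handler(0xFED00000ull, 0x10ull, accessSize, buffer.data());   // constructed GPA range/offset
    std::size_t leaked = 0;
    for (BYTE b : buffer)
        if (b == kStaleByte) ++leaked;
    return leaked;
}

// ---- Pattern 2: partially initialized response object (shape of CVE-2017-8706) ----

// Constructed layout, not the real SYNTHVID_SUPPORTED_RES: 9 header bytes get set, and the
// tail is sized so the unset remainder matches the 0x86 bytes the slide reports leaked.
struct SupportedResponse {
    BYTE Header[9];
    BYTE Tail[0x86];
};

// Vulnerable shape: only the header bytes are assigned before the whole object is sent.
void BuildResponseVulnerable(SupportedResponse* msg) noexcept {
    for (std::size_t i = 0; i < sizeof msg->Header; ++i)
        msg->Header[i] = static_cast<BYTE>(i);                    // constructed field values
}

// Hardened shape: zero the entire object before filling in the fields that carry data.
void BuildResponseHardened(SupportedResponse* msg) noexcept {
    std::memset(msg, 0, sizeof *msg);
    for (std::size_t i = 0; i < sizeof msg->Header; ++i)
        msg->Header[i] = static_cast<BYTE>(i);
}

using ResponseBuilder = void (*)(SupportedResponse*);

// Same measurement for an object: start from stale memory, build it, count untouched bytes.
std::size_t ResponseLeakedBytes(ResponseBuilder build) {
    SupportedResponse msg;
    std::memset(&msg, kStaleByte, sizeof msg);
    build(&msg);
    BYTE raw[sizeof msg];
    std::memcpy(raw, &msg, sizeof msg);
    std::size_t leaked = 0;
    for (BYTE b : raw)
        if (b == kStaleByte) ++leaked;
    return leaked;
}

int main() {
    for (UINT64 size : {1ull, 2ull, 4ull, 8ull})
        std::printf("MMIO read of %llu byte(s): vulnerable leaks %zu, hardened leaks %zu\n",
                    static_cast<unsigned long long>(size),
                    MmioLeakedBytes(&NotifyMmioReadVulnerable, size),
                    MmioLeakedBytes(&NotifyMmioReadHardened, size));
    std::printf("Response object: vulnerable leaks %zu, hardened leaks %zu\n",
                ResponseLeakedBytes(&BuildResponseVulnerable),
                ResponseLeakedBytes(&BuildResponseHardened));
    return 0;
}
```

The same stale-fill-then-count check is a cheap unit test to keep beside any emulator callback that takes an `_Out_writes_bytes_` buffer or sends a whole object to the guest.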
CVE-2018-0959 – Out-of-Bounds Read/Write in VmEmulatedStorage

DriveStateBufferOffset was not properly set.

Hyper-V Bug Bounty: $150,000
HARDENING HYPER-V THROUGH OFFENSIVE SECURITY RESEARCH
http://www.alex-ionescu.com/syscan2015.pdf
www.andrea-allievi.com/files/Recon_2017_Montreal_HyperV_public.pptx
https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs

Linux kernel driver locations:

| Component | Location |
| --- | --- |
| VMBUS | drivers/hv/vmbus_drv.c |
| Synthetic IDE/SCSI | drivers/scsi/storvsc_drv.c |
| Synthetic NIC | drivers/net/hyperv |
| PCI | drivers/pci/host/pci-hyperv.c |
| Dynamic Memory | drivers/hv/hv_balloon.c |
| Synthetic Video | drivers/video/fbdev/hyperv_fb.c |
| HID | drivers/hid/hid-hyperv.c |
| Misc. (IC’s, etc.) | drivers/hv |

https://github.com/LIS
https://docs.microsoft.com/en-us/virtualization/api/hypervisor-platform/hypervisor-platform
IO port handler registration interface:

```idl
HRESULT RegisterIoPortHandler(
    [in] VID_IO_PORT_ADDRESS PortRangeBegin,
    [in] VID_IO_PORT_ADDRESS PortRangeEnd,
    [in] IO_PORT_HANDLER_FLAGS Flags,
    [in] IVndIoPortHandler* Handler,
    [in] BOOL IsEmulationHelpful,
    [in, unique] IVndHandlerCallbackBatch* CallbackBatch,
    [out] IVndRegisteredNotifier** Notifier
);
```
CVE-2017-0051 – VMSwitch VmsMpCommonPvtSetNetworkAddress Out-of-Bounds Read Vulnerability
CVE-2017-8706 – VideoSynthDevice::SynthVidSendSupportedResolutionsResponse Uninitialized Stack Object
CVE-2018-0959 – Out-of-Bounds Read/Write in VmEmulatedStorage
CVE-2018-0888 – Information disclosure during MMIO emulation: call stack at the vulnerable handler (WinDbg `kc`)

```text
0:001> kc
Call Site
vmchipset!BatteryEmulator::NotifyMmioRead
vmwp!VmbComMmioHandlerAdapter::ReadCallback
vmwp!VmbCallback::NotifyMmioRead
vmwp!VND_HANDLER_CONTEXT::NotifyMmioRead
vmwp!EmulatorVp::DispatchMmioOperation
vmwp!EmulatorVp::FinishReadMemoryOperation
vmwp!EmulatorVp::FinishReadModRmOperation
vmwp!EmulatorVp::ExecuteGEInstruction
vmwp!EmulatorVp::ExecuteInstructions
vmwp!EmulatorVp::ActuallyAttemptEmulation
vmwp!EmulatorVp::TryEmulation
vmwp!VndIce::HandleExecutionRequest
vmwp!VndCompletionHandler::HandleVndCallback
vmwp!VndCompletionThread::RunSelf
vmwp!<lambda_0d2132334fa52e9e02abe1e6c85d8104>::operator()
vmwp!Vml::VmThread::Run
vmwp!Vml::VmThread::OnRunThread
ucrtbase!invoke_thread_procedure
ucrtbase!thread_start<unsigned int (__cdecl*)(void * __ptr64)>
KERNEL32!BaseThreadInitThunk
ntdll!RtlUserThreadStart
```