- 초보 분석가의 눈물겨운 가상화 입문기

www.CodeEngn.com2014 CodeEngn Conference 10

Index

ⓒ 2014 CodeEngn hakbaby

ü Origin of the Hypervisor

ü Hardware Assisted

Virtualization

About Hypervisor Attack Hypervisor

ü HVM Rootkit

ü SMM Rootkit

ü Hypervisor in Cloud

ü Trust Execution

Technology

ü Secure Virtual Machine

Protect Hypervisor

Virtualization : 가상화

ⓒ 2014 CodeEngn hakbaby

하나의 하드웨어에서

여러 운영체제를

실행할 수 있는 기술

Virtualization – Hypervisor?!

ⓒ 2014 CodeEngn hakbaby

하나의 하드웨어에서

여러 운영체제를

실행할 수 있는 기술

가상화를 구현하기 위해 필요한

논리적인 플랫폼 : Hypervisor

Origin of the Hypervisor - Emulator

ⓒ 2014 CodeEngn hakbaby

운영체제와 하드웨어를 1 대 1로 매칭하여 명령어를 수정해주는 방식

(Binary Translation)

Hardware (Intel IA-32)

Blade Hardware

Other HardwareCPU Memory NIC Disk

Emulation Engine(ARM)

Emulation Engine(IBM Power PC)

Guest OS (MAC OS X) Guest OS (Android)

Host PC OS (Windows 8)

Application

MOV R0, R1

MOV EAX, EBX

Binary Translation

Origin of the Hypervisor – Full & Para

ü Full Virtualization

시스템 전체를 가상화하여 시스템의 BIOS, CPU, 메모리 등을 완전히 에뮬레이션 하는 방식

ⓒ 2014 CodeEngn hakbaby

Ring 3(User Application)

Ring 2

Ring 1(Guest OS)

Ring 0 (Virtual Machine Monitor)

Host ComputerSystem Hardware

Dir

ect

Execu

tio

n(U

ser

Req

uest

)

Binary Translation

Emulation vs Virtualization? : What’s different?

ⓒ 2014 CodeEngn hakbaby

Hardware (Intel IA-32)

Guest OS(Windows XP)

Host PC OS (Windows 8)

Guest OS (Ubuntu)Application

Virtual Machine Monitor

[Virtualization]

Hardware (Intel IA-32)

Emulation Engine(ARM)

Guest OS(Android)

Host PC OS (Windows 8)

Emulation Engine(IBM Power PC)

Guest OS(MAC )

Application

[Emulator]

Origin of the Hypervisor – Full & Para

ü Para Virtualization

Guest OS의 커널을 일부 수정하여 사용하며, OS 레벨 요청을 Hypercall이 처리

ⓒ 2014 CodeEngn hakbaby

Hypervisor Call(Hypercall)

Ring 3(User Application)

Ring 2

Ring 1

Ring 0 ( Modified-Guest OS)

Virtual Machine Monitor

Host ComputerSystem Hardware

Dir

ect

Execu

tio

n(U

ser

Req

uest

)

Para Virtualization – Hypercall?

ⓒ 2014 CodeEngn hakbaby

Interrupt Gate Descriptor

InterruptDescriptor Table

INT 2E SYSENTER

SYSENTER_EIP(MSR)

ISR Offset

SegmentSelector

CodeDescriptor

Code Segment Base Address

Privilege Level(DPL)

System Service Dispatcher

(KiSystemService)

System Service Table(ntoskrnl.exe)

System Service Table(win32k.sys)

GlobalDescriptor Table

ServiceDescriptor Table

Service Table

Counter Table

Service Limit

Argument Table

KeServiceDescriptorTable

Function Address

System ServiceDispatch Table

Kernel Function

EAX

[System Calls on Windows]

Hypervisor : Hardware-Assist Virtualization

ü Hardware-Assist Virtualization

가상화 방식의 가장 큰 과부화 원인인 Binary Translation이 없어지고 CPU의 지원을 받기 시작함

ⓒ 2014 CodeEngn hakbaby

Ring 3(User Application)

Ring 2

Ring 1

Ring 0 (Guest OS)

Hypervisor Layer

Host ComputerSystem Hardware

Non-Root ModePrivilege Levels

Root Mode Privilege Levels

Dir

ect

Execu

tio

n(U

ser

Req

uest

)특정 명령어 실행과H/W 제어권한이

일부 제한됨

CPU나 H/W의모든제어권을 가짐

Guest 0 Guest 1

VM MonitorVMXON VMXOFF

VM Entry VM ExitVM Exit

[INTEL Virtual Machine Monitor & Guests]

Hypervisor – Type of Hypervisor

ⓒ 2014 CodeEngn hakbaby

Hypervisor

Hypervisor

Native (Bare Metal)

호스트의 하드웨어에 위치하여, 하드웨어 제어와

Guest OS 모니터링을담당함

Hosted

호스트의 운영체제에 위치하며, 단순히

소프트웨어의역할로써 Guest OS에 관리를담당함

Attack of Hypervisor : Virtual Machine Extensions

ⓒ 2014 CodeEngn hakbaby

Ring 3

Ring 0

Root Mode

Guest OS (Windows XP)Guest OS (Ubuntu)

Application Application

VM Entry VM Exit VMM Configuration

VMM Control Structure (VMCS)

Memory and I/O Virtualization

Host PC Hardware Virtual CPU

①

②

③

④

⑤

Intel VT-x

HVM Rootkit : HVM

ⓒ 2014 CodeEngn hakbaby

ü Hardware-assisted Virtualization Machine : HVM

HVM은일반적으로 VMCS를설정해 Guest OS를 구동하고 Guest OS의코드가 실행되다가 설정된

동작을 수행하면 Exit 되도록하여 이를 VMM에서 처리

Operating System - Kernel’s Processor Control Block (KPCB)

VM Guest 0

Guest0 VMCS

VM Guest 1

Guest1 VMCS

VM Guest 2

Guest2 VMCS

VM Guest 3

Guest3 VMCS

Active VMCS

*VMCS

Active VMCS

*VMCS

Current VMCS

*VMCS

*simplicityKPRCB

*CurrentThread

*NextThread

*IdleThread

KPROCESS

EPROCESS

LIST_ENTRY {FLINKBLINK }

KPROCESS

EPROCESS

LIST_ENTRY {FLINKBLINK }

KPROCESS

EPROCESS

LIST_ENTRY {FLINKBLINK }

KTHREADETHREAD

ApcState

Hypervisor – Virtual Machine Control Data Structures (VMCS)

Hypervisor : VMCS (Intel)

VMX Non-Root 오퍼레이션과 VMX 전환을 제어하는 구조체

ⓒ 2014 CodeEngn hakbaby

ActiveNot Current

Clear

InactiveNot Current

Clear

ActiveNot CurrentLaunched

AnythingElse

ActiveCurrent

Clear

ActiveCurrent

Launched

VM

PTR

LD Y

VM

PTR

LD X

VM

PTR

LD Y

VM

PTR

LD X

VMCLEAR X

VMCLEAR XVMCLEAR X

VMLAUNCH

[States of VMCS X]

HVM Rootkit : VMRUN Instruction

ⓒ 2014 CodeEngn hakbaby

Instruction Flow(Outside Matrix)

VMCB(AMD)

VMRUN

Guest state andspecification of

what guest enventsare intercepted

Host PC(Hypervisor) Virtual

Machine

Instruction Fllow(Inside Guest)

Guest has beenIntercepted

Resume at the next

instructionAfter VMRUN

(Exit code written to

VMCB on exit)

HVM Rootkit : Blue Pill Infection

ⓒ 2014 CodeEngn hakbaby

CALL BluePill

CALL BluePill

Enable SVM

Prepare VMCB

VMRUN

Check VMCS.exitcode

RET

RIP

VMCB

NativeOperating System

Native Operating Systemcontinues to execute,

But inside Virtual Machine this time

Blue PillHypervisor

Only DuringFirst Call

RET From Blue Pill PROC,Never reached in host mode, Only executed once in guest mode

HVM Rootkit : Blue Pill

ⓒ 2014 CodeEngn hakbaby

Instdrv.exe

CPU

Ring 0

VMCB Host

Bluepill.sys

①

②③

HVM Rootkit : Blue Pill

ⓒ 2014 CodeEngn hakbaby

Instdrv.exe

CPU

Ring 0

VMCB Host

Bluepill.sys

Hypervisor Bluepill

④

Cheat Engine - DBVM

ⓒ 2014 CodeEngn hakbaby

Cheat Engine - DBVM

ⓒ 2014 CodeEngn hakbaby

Cheat Engine - DBVM

ⓒ 2014 CodeEngn hakbaby

Imagine of Story!

ⓒ 2014 CodeEngn hakbaby

üCloud Computing

인터넷상의 서버를통하여데이터 저장, 네트워크, 콘텐츠사용 등 IT 관련서비스를

한번에 사용할 수 있는컴퓨팅

Cloud Computing Services

ⓒ 2014 CodeEngn hakbaby

Software as a Service

Infra as a service

Platform as a service

Network Architects

Application Developers

End Users

Network

Storage

Server

Virtualization

Attack of Cloud System!

ⓒ 2014 CodeEngn hakbaby

Cloud Hypervisor

Cloud Physical Hardware

…

Guest 0 Guest 1 Guest 2 Guest 3 Guest X

Attack of Cloud System!

ⓒ 2014 CodeEngn hakbaby

Infected-Cloud Hypervisor

Cloud Physical Hardware

…

Guest 0 Infected-Guest 1 Guest 2 Guest 3 Guest X

①

② ③

Control Another Guest OS

So, How Detected?

ⓒ 2014 CodeEngn hakbaby

Trust Execution Technology

(TXT)

Secure Virtual Machine

(SVM)

INTEL – Trust Execution Technology

ⓒ 2014 CodeEngn hakbaby

INTEL TXT

Hardware

Hardware

Hypervisor

Hardware

Hypervisor

Hardware

Hypervisor

Hardware

Hypervisor

MATCH

NO MATCH

Trusted Platform Module : TPM

장비에암호화 키를통합하여 하드웨어를 보호하기 위해설계된전용 마이크로프로세서

ⓒ 2014 CodeEngn hakbaby

Conclusion

Reference

ü Intel, “Intel 64 and IA-32 Architectures Software Developer's Manual”

ü David Chisnall, “Xen 하이퍼바이저 완벽가이드“

ü Joanna Rutkowska, “Introducing Blue Pill”

ü Rafal Wojtczuk, Joanna Rutkowska, “Attacking Intel Trusted Execution Technology”

ü Hanbum Bak, “Virtualization Technology for Security”

ü MJ0011, “Analyzing VMware Operating System & Detecting Rootkit from Outside”

ü Farzad Sabahi, “Secure Virtualization for Cloud Environment Using Hypervisor-based Technology”

ü Rafal Wojtczuk, Joanna Rutkowska, Attacking Intel TXT via SINIT Code Execution Hijacking

ⓒ 2014 CodeEngn hakbaby

Speaker Info

순천향대학교 정보보호학과 SecurityFirst

hakbaby92@gmail.com (fb.com/hakbaby)

김학수

ⓒ 2014 CodeEngn hakbaby

www.CodeEngn.com2014 CodeEngn Conference 10