Page 1: AzrilAzam-MOSC2010

Azril Azam Abdul Rahim, GCFA, CEI, ECSP, CEH
Malaysia Open Source Conference 2010, July 1st 2010

How Does Open Source VMM Help To Reduce The Risk Of HVM Rootkits That Can Affect Your Cloud Computing And Other VM Deployments


Page 2: AzrilAzam-MOSC2010

Agenda

• Introductions
• Cloud computing and virtualization
• Virtualization 101
• HVM Rootkits
• Demo: From subverting an OS to subverting a VMM
• Reduce the risk via open source VMM
• Conclusion
• References

Page 3: AzrilAzam-MOSC2010

Introduction

Page 4: AzrilAzam-MOSC2010

Introduction: About Azril Azam, GCFA, CEI, ECSP, CEH

Currently working as Team Leader for Malware System Development and Analysis at the Global Response Center, International Multilateral Partnership Against Cyber Threats (IMPACT).

An average computer hardware and software programmer with a huge interest in computer security (penetration testing, trusted computing, computer/network forensics), system kernels and virtualization, and open source software.

Has written and published many research papers, patent disclosures and open source software in his research areas of interest, and has won a few awards:

- 2006 Malaysia Best Open Source Software – Computer Forensics
- 2006 ITEX Gold Award for Innovation – FIRST
- 2006 Malaysia Minister Of Science Research Appreciation Recipient Award

Participated on a global scale in virtualization research work: XEN and KVM development groups, EMSCB and OpenTC.

Currently, he is in the midst of completing his own low overhead x86 virtualization system, based on his 2007 Linux Ottawa Symposium Virtualization Summit extended abstract (in his spare time, of course).

Publishes his OSS through his own domain @ diligentcode.com

Page 5: AzrilAzam-MOSC2010

Introduction: About IMPACT

IMPACT (diagram):
- Non-Profit
- Upper End of Cyber Threats
- International & Multilateral
- Global Public-Private Partnership
- International Team of Experts

Page 6: AzrilAzam-MOSC2010

Introduction: Launch of IMPACT

1. IMPACT was launched in May 2008 by the 4th Prime Minister of Malaysia, Tun Abdullah Ahmad Badawi
2. IMPACT’s Global Headquarters in Cyberjaya, Malaysia was launched on 20 March 2009
3. The event was witnessed by the Secretary General of ITU, Dr. Hamadoun Touré

Page 7: AzrilAzam-MOSC2010

Introduction: IMPACT partnership with UN/ITU

• IMPACT HQ - physical home for ITU’s Global Cybersecurity Agenda (GCA)
• IMPACT to operationalise UN/ITU’s global cybersecurity initiatives to all 191 countries
• GCA – framework for international cooperation to enhance confidence and security in the information society

Page 8: AzrilAzam-MOSC2010

Introduction: The Global Cybersecurity Agenda

Page 9: AzrilAzam-MOSC2010

Introduction: Terminologies & Color Code Guidelines

RING -1 (Hardware Level)
RING 0 (Kernel Level)
RING 1 - 3 (Drivers, core libraries)
RING 3 (User space / Applications)

HAL: Hardware Abstraction Layer

VM: stands for virtual machine. A collection of emulated devices that work together to give a fake HAL view so that an OS can execute without calling the actual devices

VMM: an entity that controls a VM by allocating resources and managing memory

Hypervisor: a special VMM that provides emulated devices

Host OS: an OS or kernel that can call privileged instructions and talk to the actual devices within a virtualized or non-virtualized environment

Guest OS: an OS or kernel within a virtualized environment that has been de-privileged

Page 10: AzrilAzam-MOSC2010

Cloud Computing And Virtualization

Page 11: AzrilAzam-MOSC2010

Cloud Computing & Virtualization: What is Cloud Computing

Cloud Computing is actually an Internet based computing service similar to hosting services, server co-location and server farming.

The differences between cloud computing and traditional Internet based computing are, for the

Vendor
- All services with different OS requirements are managed on 1 server instead of many
- Reduced cost
- Easy to manage

Customer
- Isolated and scalable resources
- Cheaper solution

Cloud Computing Logical Diagram (figure)

Page 12: AzrilAzam-MOSC2010

Cloud Computing & Virtualization: Cloud Computing Layers (diagram)

- Client
- Application: Software As A Service (SAAS)
- Platform: Platform As A Service (PAAS)
- Infrastructure: Infrastructure As A Service (IAAS)
- Server
- Virtualization

Diagram annotations: Data Storage, Bandwidth, Processing Power; Google Earth API, Google Map API

Page 13: AzrilAzam-MOSC2010

Virtualization 101

Page 14: AzrilAzam-MOSC2010

Virtualization 101: The Fundamental: Von Neumann Architecture

Von Neumann Architecture (diagram): CPU (Control Unit, Arithmetic Logic Unit, Accumulator), Memory (RAM), Input Device, Output Device

The Von Neumann Architecture is the foundation of the modern computer, utilizing Alan Turing’s “Turing Machine” binary concept

Page 15: AzrilAzam-MOSC2010

Virtualization 101: The Fundamental: Von Neumann Architecture

VM (diagram): Guest OS, Applications, Virtual CPU, Virtual RAM and Virtual I/O, mapped onto the Von Neumann Architecture (CPU: Control Unit, Arithmetic Logic Unit, Accumulator; Memory (RAM); Input Device; Output Device)

• To create a virtual machine, all components of the Von Neumann architecture must be emulated
• Compared to other CPU architectures, x86 is the hardest to virtualize
• Therefore, to achieve a virtualized state, all components are emulated by software code

Page 16: AzrilAzam-MOSC2010

Virtualization 101: Earlier Implementation

Diagram: the VM (Guest OS, Applications, Virtual CPU, Virtual RAM, Virtual I/O) sits alongside the user space applications (Word, Excel) inside the 4GB virtual memory (STACK, HEAP, BSS) that the operating system manages on top of the physical machine (CPU: Control Unit, Arithmetic Logic Unit, Accumulator; Memory (RAM); Input Device; Output Device)

• Early implementations of x86 virtualization ran as an application on top of the underlying OS

• This approach is inefficient because it
- Shares resources with other apps
- Is unable to schedule priority for emulation

The earlier VMM was simply a 32-bit protected memory region managed by the OS and programmed using the OS API, running at RING 3 with no HAL

Page 17: AzrilAzam-MOSC2010

Virtualization 101: Earlier Implementation

Diagram: same layout as the previous slide, with the Virtual CPU now marked (✔) as the component brought closer to the actual CPU

• More effort was made to improve CPU emulation by bringing it closer to the actual CPU

• The VMM must be part of the OS/kernel, or run by itself exactly at RING 0, for a better HAL

Page 18: AzrilAzam-MOSC2010

Virtualization 101: A new concept of VMM

Diagram: VM 1 and VM 2 (each with Guest OS, Applications, Virt CPU, Virt RAM, Virt I/O) run above the Hypervisor / VMM, which traps all CPU instructions; privileged instructions (YES) are emulated, the rest (NO) go to the actual CPU

• A new concept of virtual machine monitor (VMM), called the hypervisor, was introduced

• In the VMM/hypervisor concept, the VMM runs at the same level as the OS/kernel, RING 0. This allows the VMM to control the hardware directly

• The VMM runs in its own real memory instead of the protected memory used previously

• The VMM controls the VM resources and traps CPU instruction calls. All non-privileged instructions are rerouted to and executed by the actual CPU. The privileged instructions are emulated.

• Performance increases almost to near native speed

• There are 2 types of architecture
- Para virtualization
- Full virtualization
  - RING 0 (Software VMM)
  - RING -1 (HW VMM)

Page 19: AzrilAzam-MOSC2010

HVM Rootkits: Para virtualization

Diagram: VM Domain 0 (Modified Host OS, Host Apps, Device drivers, direct access to the HW CPU) and VM Guest Domain (Modified Guest OS, Applications, Virtual CPU, Virtual RAM, Virtual I/O) run above the Hypervisor / VMM, which traps CPU instructions based on the VMM instruction set; privileged instructions (YES) are emulated, the rest (NO) go to the CPU

• The VMM is now running at RING 0

• The Host OS runs in a special domain with a direct interface to the hardware

• The Guest Domain makes calls to the VMM using the VMM instruction set. Therefore no legacy (unmodified) OS can run in this setup.

• The VMM then decides whether a VMM API call is privileged or otherwise

• Examples
- XEN
- MICROSOFT HYPER-V

Page 20: AzrilAzam-MOSC2010

HVM Rootkits: Full Virtualization: Software VMM

Diagram: VM 1 and VM 2 (Guest OS, Applications, Virt CPU, Virt RAM, Virt I/O) run above the Hypervisor / VMM, alongside the Host OS, Host Apps and Device drivers; the VMM traps all CPU instructions, emulates the privileged ones (YES) and passes the rest (NO) to the actual CPU

• The VMM is now running at RING 0

• The VMM runs as a driver of the Host OS

• This setup allows a legacy OS to run without modifications

• Examples
- VMWARE
- Qemu with KQemu
- VirtualBox*

Page 21: AzrilAzam-MOSC2010

HVM Rootkits: Full Virtualization: Hardware VMM

Diagram: the HW CPU provides VMX Root and VMX Non-root modes; the Guest OS, Apps, Virtual CPU, Virtual RAM and Virtual I/O run in VMX Non-root; the HVM VMM, together with the Host OS or a minimalistic kernel, the HAL and the Device drivers, runs in VMX Root; all CPU instructions are trapped, privileged instructions (YES) are emulated and the rest (NO) execute directly

• The VMM is now running at RING -1, provided by the CPU itself

• Similar to XEN, HVM creates a special privileged domain for the host software and an unprivileged domain for the guest OS

• The Host OS provides the device drivers

• The HAL layer provides the calls into the actual machine device drivers

• This setup allows a legacy OS to run without modifications

• Examples
- KVM
- VMWARE 64bits
- XEN-CITRIX HVM extension*

Page 22: AzrilAzam-MOSC2010

HVM Rootkits

Page 23: AzrilAzam-MOSC2010

HVM Rootkits: What is an HVM Rootkit

An HVM rootkit is a piece of malicious code embedded in the OS kernel as a driver that uses the AMD-V or Intel-VT HVM extension for its operation

The HVM rootkit idea was actually born from a paper called SubVirt (a malicious kernel module modifies the boot sequence to load the original OS inside Virtual PC) by a group of researchers from the University of Michigan and Microsoft Research.

The objective of an HVM rootkit is to subvert a host OS by putting it into a less privileged environment and reasserting itself as the host OS. By doing this, everything that happens in the original host OS can be trapped by the rootkit

When the subverted OS makes privileged calls from the less privileged domain, AMD-V or Intel-VT does not execute them directly but reroutes them to the VMM (which in this case is the rootkit) for emulation.

The rootkit is not a VMM and does not have all the resources to run the emulation. When it receives the signal from AMD-V or Intel-VT for emulation, it just reroutes it back to the actual CPU

Page 24: AzrilAzam-MOSC2010

HVM Rootkits: What is an HVM Rootkit

The end game of an HVM rootkit is not virtualization, but hiding itself in the privileged domain container to hide its process.

It does not matter whether you are running VMWARE ESX, XEN or MICROSOFT Hyper-V; as long as the CPU supports the HVM extension, the rootkit can work by itself

Page 25: AzrilAzam-MOSC2010

HVM Rootkits: Subverting an OS

Diagram, step 1 (Host OS runs normally): HW CPU with AMD-V / Intel-VT, Host OS (Win, Linux, Mac), Applications; the HVM ROOTKIT is loaded into the Host OS. Step 2 (Host OS infected by HVM Rootkit): the HVM ROOTKIT sits in VM Root on the HW CPU, while the Host OS (Win, Linux, Mac) and Applications now run in VM Non-root

1. Since the HVM rootkit has direct access to the hardware, it can call the AMD-V or Intel-VT HVM extension to create the root and non-root domains

2. The HVM rootkit then carves out a bit of the host OS state and sets the host OS to run in the non-root domain. The rootkit also registers itself with the HVM extension as the VMM running in the root domain

Privileged calls are rerouted to the HVM rootkit, which then relays them back to the CPU

Page 26: AzrilAzam-MOSC2010

HVM Rootkits: Where can I find HVM Rootkits

• At the current stage, there are HVM rootkits available for both the AMD-V and Intel-VT HVM extensions.

• And the HVM rootkits work on major operating system kernels such as Windows, Linux and Mac

• Available HVM Rootkits

- Bluepill (AMD & VT)
  - Developed by Joanna Rutkowska, COSEINC
  - Runs as a Windows 64bit driver

- Hyperjack (VT)
  - Developed by Nate Lawson, Matasano Security
  - Runs as a Linux kernel driver

- Vitriol (VT)
  - Developed by Dino A. Dai Zovi, Matasano Security
  - Similar to Hyperjack, except converted into a Mac / FreeBSD kernel module

Page 27: AzrilAzam-MOSC2010

HVM Rootkits: How Does BLUEPILL Work?

Page 28: AzrilAzam-MOSC2010

HVM Rootkits: How Do Hyperjack / Vitriol Work?

Page 29: AzrilAzam-MOSC2010

Demonstration: From Subverting An OS To Subverting A VMM

Page 30: AzrilAzam-MOSC2010

DEMO! A few notes before the conceptual demo

• The HVM rootkit’s role is to subvert the host OS into the non-root domain so the HVM rootkit can monitor (or maybe intervene in) the calls made by the host OS to the hardware

• Among the HVM rootkits, BluePill shows tremendous effort on nested VMM (an HVM rootkit running on an OS already infected by an HVM rootkit)

• By using the idea of Joanna’s BluePill nested VMM and nested KVM, it is possible to create a powerful HVM rootkit to subvert a VMM!

• Recall: a VMM is kernel layer code that controls VMs

• Currently, no actual code has been released and no theory-to-POC has been made to prove whether it is feasible to subvert a VMM

• However, I am currently in the midst of coming up with the code of an HVM rootkit capable of being a VMM. I have not given it a name yet, but being a Malaysian, I may call it PadanMuka or something else

Page 31: AzrilAzam-MOSC2010

DEMO! How Should The PADANMUKA Scenario Work?

• The demo might be a live demo by the presenter

• Or a recorded simulation. Please get a copy from the conference organizer if available

Page 32: AzrilAzam-MOSC2010

DEMO! How Should the PadanMuka End Game Work?

Diagram, before: the VMM runs in VM Root on the HW CPU (VMCS); the Guest OS + Apps VMs run in VM Non-root, and PADAN MUKA is loaded inside one of the VM Non-root guests

Diagram, after: the PADAN MUKA VMM takes VM Root on the HW CPU (VMCS); the original VMM is pushed into VM Non-Root together with the Guest OS + Apps VMs

Diagram annotations:
- Downloaded via the internet by the PADAN MUKA rootkit
- Could be a modified XEN vmm
- Malicious code can call the PADANMUKA extension to BLUE PILL other VMs

Page 33: AzrilAzam-MOSC2010

How To Reduced The Risk Via Open Source VMM

Page 34: AzrilAzam-MOSC2010

Reduced The Risk Via OSS VMM: The best thing is to prevent HVM rootkit infections at the beginning.

• Using a VMM gives your OS better security against malicious activities

• A VMM also prevents an HVM rootkit from accessing the HVM extension at all to subvert your OS

• However, if the PADANMUKA scenario does exist, can the VMM defend itself from being subverted?

Page 35: AzrilAzam-MOSC2010

Reduced The Risk Via OSS VMM: Recommended VMMs with their advantages and disadvantages.

• XEN – XEN.ORG (www.xen.org)
  • Advantage: the XEN VMM is a micro-kernel and does not allow driver insertion during runtime. All driver insertion is done through a special non-root VM, which is pretty much useless for an HVM rootkit
  • Disadvantage: XEN requires the guest OS to be modified to accept the XEN API. Pretty much does not work with WINDOWS except in HVM mode, whose performance is more or less like qemu. Works best with XEN-LINUX

• TURAYA – EMSCB (http://www.emscb.com/content/pages/turaya.htm)
  • Advantage: Similar to XEN
  • Disadvantage: Only runs L4-LINUX

• MESINMAYA – DiligentCode Computing (www.diligentcode.com)
  • Advantage: Similar to XEN and TURAYA in that it does not allow additional driver insertion during runtime. All changes must be recompiled before use. Supports full virtualization with almost all legacy OSes via a modified KVM extension. Supports Trusted Computing modules
  • Disadvantage: the VM does not support extended HW capabilities like graphics acceleration and DMA for plug-n-play
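The two conditions the deck keeps returning to are that the rootkit driver must be loadable into the running kernel and that the kernel must see the AMD-V / Intel-VT extension. The following audit script is an added example (not part of the slides or of any of the VMMs named above) that checks both on a Linux host or guest; the function names and the sample /proc/cpuinfo and modules_disabled files it builds are constructed for the example, and on a real system the paths /proc/cpuinfo and /proc/sys/kernel/modules_disabled would be passed instead.

```shell
#!/bin/sh
# Added example, not from the slides: audit a Linux kernel for the two
# conditions an HVM rootkit driver needs, as described in this deck:
#   1. the CPU exposes AMD-V (svm) or Intel VT-x (vmx) to this kernel, and
#   2. the kernel still accepts new drivers at runtime (kernel.modules_disabled=0).
# A VMM that hides the extension from its guests makes condition 1 fail.
# Function names and the sample inputs are constructed for this example.

# hvm_flags FILE: print "vmx", "svm" or "none" for a /proc/cpuinfo-style file.
hvm_flags() {
    if grep -qw vmx "$1" 2>/dev/null; then
        echo vmx
    elif grep -qw svm "$1" 2>/dev/null; then
        echo svm
    else
        echo none
    fi
}

# modules_locked FILE: succeed when the modules_disabled sysctl file reads 1.
modules_locked() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# hvm_rootkit_exposure CPUINFO SYSCTL: print a one-word verdict.
#   exposed  - HVM extension visible and drivers can still be inserted
#   reduced  - HVM extension visible, but module loading is locked
#   none     - no HVM extension visible to this kernel (e.g. hidden by the VMM)
hvm_rootkit_exposure() {
    ext=$(hvm_flags "$1")
    if [ "$ext" = none ]; then
        echo none
    elif modules_locked "$2"; then
        echo reduced
    else
        echo exposed
    fi
}

# Demonstration on constructed files. On a real host use /proc/cpuinfo and
# /proc/sys/kernel/modules_disabled instead.
demo=$(mktemp -d)
printf 'flags\t\t: fpu vme de pse tsc msr pae mce vmx smx ept\n' > "$demo/cpuinfo"
echo 0 > "$demo/modules_disabled"
echo "constructed host: $(hvm_rootkit_exposure "$demo/cpuinfo" "$demo/modules_disabled")"
# After every needed driver is loaded, an admin can lock module loading for the
# rest of the uptime with: sysctl -w kernel.modules_disabled=1
echo 1 > "$demo/modules_disabled"
echo "after the lock:   $(hvm_rootkit_exposure "$demo/cpuinfo" "$demo/modules_disabled")"
rm -rf "$demo"
```

A "none" verdict inside a guest is what the slides describe as the VMM keeping the rootkit away from the HVM extension; "reduced" corresponds to the static-kernel approach of XEN, TURAYA and MESINMAYA applied to a conventional kernel after boot.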

Page 36: AzrilAzam-MOSC2010

Reduced The Risk Via OSS VMM: And why not the commercial VMMs

• VMWARE ESX
- Uses a Linux kernel and allows driver insertion during run-time

• MICROSOFT HYPER-V
- Windows kernel? With Windows architecture? Go figure

• RED HAT KVM
- VMM in a user-space environment. Cool idea
- But still similar to VMWARE ESX: runs on top of a configurable run-time kernel

Page 37: AzrilAzam-MOSC2010

Conclusions

Page 38: AzrilAzam-MOSC2010

Conclusions

• An HVM rootkit uses the HVM extension to subvert an OS, not a VMM

• The PADANMUKA scenario shows that a more advanced HVM rootkit can subvert a VMM and allow malicious code in non-root mode to manipulate the original VMM’s operations.

• The PADANMUKA scenario fits the current deployment of Cloud Computing, and if it were deployed, it would seriously interrupt the operation

• If you read on the Internet, an HVM rootkit can be detected in various tedious ways. In fact, advanced anti-virus may be able to do that. But it is unlikely in the PADANMUKA scenario. In fact no anti-virus can run at RING 0 VMM.

• The best way to reduce the risk of either an HVM rootkit or the PADANMUKA scenario is to run your OS with a static kernel VMM such as XEN, TURAYA or MesinMaya

Page 39: AzrilAzam-MOSC2010

References

Page 40: AzrilAzam-MOSC2010

References

J. Rutkowska, Subverting Vista Kernel For Fun And Profit, Black Hat USA, 2006

Dino A. Dai Zovi, Hardware Virtualization Rootkits, Matasano.com

N. Lawson, Don’t Tell Joanna, The Virtualized Rootkit Is Dead, Matasano.com

Yu Ke, Intel Virtualization Technology Overview, Intel System Software Division

D. Chisnall, The Definitive Guide to the XEN Hypervisor, Prentice Hall

Page 41: AzrilAzam-MOSC2010

IMPACT, Jalan IMPACT, 63000 Cyberjaya, Malaysia

T +60 (3) 8313 2020  F +60 (3) 8319 2020  E [email protected]  impact-alliance.org
© Copyright 2010 IMPACT. All Rights Reserved.

Thank You