Azril Azam Abdul Rahim, GCFA, CEI, ECSP, CEH. Malaysia Open Source Conference 2010, July 1st 2010
How Does An Open Source VMM Help To Reduce The Risk Of HVM Rootkits That Can Affect Your Cloud Computing And Other VM Deployments
Agenda
• Introductions
• Cloud computing and virtualization
• Virtualization 101
• HVM Rootkits
• Demo: From subverting an OS to subverting a VMM
• Reduce The Risk Via Open Source VMM
• Conclusion
• References
Introduction
Introduction: About Azril Azam, GCFA, CEI, ECSP, CEH
Currently working as Team Leader for Malware System Development and Analysis at the Global Response Center – International Multilateral Partnership Against Cyber Threats (IMPACT)
An average computer hardware and software programmer with a huge interest in Computer Security (Penetration Testing, Trusted Computing, Computer/Network Forensics), System Kernel and Virtualization, and Open Source Software
Has written and published many research papers, patent disclosures and open source software in his research areas of interest, and has won a few awards:
- 2006 Malaysia Best Open Source Software – Computer Forensics
- 2006 ITEX Gold Award for Innovation – FIRST
- 2006 Malaysia Minister Of Science Research Appreciation Recipient Award
Participated on a global scale in virtualization research work: the XEN and KVM development groups, EMSCB and OpenTC.
Currently, he is in the midst of completing his own low-overhead x86 virtualization system, based on his 2007 Linux Ottawa Symposium Virtualization Summit extended abstract (in his spare time, of course)
Published his OSS through his own domain @ diligentcode.com
Introduction: About IMPACT
Diagram: IMPACT – Non-Profit; Upper End of Cyber Threats; International & Multilateral; Global Public-Private Partnership; International Team of Experts
Introduction: Launch of IMPACT
1. IMPACT was launched in May 2008 by the 4th Prime Minister of Malaysia, Tun Abdullah Ahmad Badawi
2. IMPACT’s Global Headquarters in Cyberjaya, Malaysia was launched on 20 March 2009
3. The event was witnessed by the Secretary General of ITU, Dr. Hamadoun Touré
Introduction: IMPACT partnership with UN/ITU
IMPACT HQ - physical home for ITU’s Global Cybersecurity Agenda (GCA)
IMPACT to operationalise UN/ITU’s global cybersecurity initiatives to all 191 countries
GCA – framework for international cooperation to enhance confidence and security in the information society
Introduction: The Global Cybersecurity Agenda
Introduction: Terminologies & Color Code Guidelines
RING -1 (Hardware Level)
RING 0 (Kernel Level)
RING 1 - 3 (Drivers, core libraries)
RING 3 (User space / Applications)
HAL: Hardware Abstraction Layer
VM: stands for virtual machine. A collection of emulated devices that work together to give the OS a fake HAL view, so that it executes without calling the actual devices
VMM: an entity that controls a VM by allocating resources and managing memory
Hypervisor: a special VMM that provides emulated devices
Host OS: an OS or kernel that can call privileged instructions and talk to the actual devices, within a virtualized or non-virtualized environment
Guest OS: an OS or kernel within a virtualized environment that has been de-privileged
Cloud Computing And Virtualization
Cloud Computing & Virtualization: What is Cloud Computing
Cloud Computing is actually an Internet-based computing service similar to hosting services, server co-location and server farming.
The differences between cloud computing and traditional Internet-based computing are:
Vendor
- Manages all services with different OS requirements on 1 server instead of many
- Reduced cost
- Easy to manage
Customer
- Isolated and scalable resources
- Cheaper solution
Cloud Computing & Virtualization: Cloud Computing Logical Diagram
Cloud Computing & Virtualization: Cloud Computing Layers
Diagram: Client → Application: Software As A Service (SAAS) → Platform: Platform As A Service (PAAS) → Infrastructure: Infrastructure As A Service (IAAS) → Server → Virtualization → Data Storage, Bandwidth, Processing Power. Example: Google Earth API, Google Map API
Virtualization 101
Virtualization 101: The Fundamental: Von Neumann Architecture
Diagram: Von Neumann Architecture – CPU (Control Unit, Arithmetic Logic Unit, Accumulator), Memory (RAM), Input Device, Output Device
The Von Neumann Architecture is the foundation of the modern computer, building on Alan Turing’s “Turing Machine” binary concept
Virtualization 101: The Fundamental: Von Neumann Architecture
Diagram: a VM (Virtual CPU, Virtual RAM, Virtual I/O) running a Guest OS and Applications, mapped onto the Von Neumann components (CPU with Control Unit, Arithmetic Logic Unit and Accumulator; Memory (RAM); Input Device; Output Device)
• To create a virtual machine, all components of the Von Neumann architecture must be emulated
• Compared to other CPU architectures, x86 is the hardest to virtualize
• Therefore, to achieve a virtualized state, all components are emulated by software code
Virtualization 101: Earlier Implementation
Diagram: the Operating System on the physical machine (CPU: Control Unit, Arithmetic Logic Unit, Accumulator; Memory (RAM); Input Device; Output Device) gives each process a 4GB virtual memory space (STACK, HEAP, BSS); the VM (Guest OS, Virtual RAM, Virtual I/O, Virtual CPU, Applications) lives in one such space alongside User Space Applications (Word, Excel)
• Early implementations of x86 virtualization ran as an application on top of the underlying OS
• This approach is inefficient because
- It shares resources with other apps
- It cannot schedule priority for emulation
The earlier VMM was simply a 32-bit protected memory space managed by the OS and programmed using the OS API, running at RING 3 with no HAL
Virtualization 101: Earlier Implementation
Diagram: same layout as the previous slide, with the Virtual CPU now marked (✔) as brought closer to the actual CPU
• More effort was made to improve CPU emulation by bringing it closer to the actual CPU
• The VMM must be part of the OS/kernel, or run by itself exactly at RING 0, for a better HAL
Virtualization 101: A new concept of VMM
Diagram: VM 1 and VM 2 (each with Guest OS, Applications, Virt CPU, Virt RAM, Virt I/O) sit on top of the Hypervisor / VMM, which traps all CPU instructions; privileged instructions are emulated (YES), non-privileged ones are passed to the ACTUAL CPU (NO)
• A new concept of virtual machine monitor (VMM), called a hypervisor, was introduced
• In the VMM/hypervisor concept, the VMM runs at the same level as the OS/kernel, RING 0. This allows the VMM to control the HW directly
• The VMM runs on its own real memory instead of the protected memory used previously
• The VMM controls the VM resources and traps CPU instruction calls. All non-privileged instructions are rerouted to and executed by the actual CPU. Privileged instructions are emulated.
• Performance increases to almost near-native speed
• There are 2 types of architecture
- Para virtualization
- Full virtualization
  - RING 0 (Software VMM)
  - RING -1 (HW VMM)
HVM Rootkits: Para virtualization
Diagram: VM Domain 0 (Modified Host OS, Host Apps, Device drivers) and VM Guest Domain (Modified Guest OS, Applications, Virtual CPU, Virtual RAM, Virtual I/O) on top of the Hypervisor / VMM, which traps all CPU instructions based on the VMM instruction set; privileged instructions (YES) are handled by the VMM, the rest (NO) go to the HW CPU
• The VMM is now running at RING 0
• The Host OS runs in a special Domain with a direct interface to the hardware
• The Guest Domain makes calls to the VMM using the VMM instruction set. Therefore no unmodified legacy OS can run in this setup.
• The VMM then decides whether each VMM API call is privileged or otherwise
• Examples
- XEN
- MICROSOFT HYPER-V
HVM Rootkits: Full Virtualization: Software VMM
Diagram: VM 1 and VM 2 (Guest OS, Applications, Virt CPU, Virt RAM, Virt I/O) on top of the Hypervisor / VMM, which runs alongside the Host OS (Host Apps, Device drivers); the VMM traps all CPU instructions, emulates privileged ones (YES) and passes the rest (NO) to the ACTUAL CPU
• The VMM is now running at RING 0
• The VMM runs as a driver of the Host OS
• This setup allows a legacy OS to run without modifications
• Examples
- VMWARE
- Qemu with KQemu
- VirtualBox*
HVM Rootkits: Full Virtualization: Hardware VMM
Diagram: the HW CPU splits into VMX Root, where the HVM VMM and the Host OS or minimalistic kernel (HAL, Device drivers) run, and VMX Non-root, where the Guest OS and Apps run on a Virtual CPU, Virtual RAM and Virtual I/O; the CPU traps all instructions, privileged ones (YES) go to the VMM, the rest (NO) execute directly
• The VMM is now running at RING -1, provided by the CPU itself
• Similar to XEN, HVM creates a special privileged domain for the host software and an unprivileged domain for the guest OS
• The Host OS provides the device drivers
• The HAL layer provides the calls into the actual machine device drivers
• This setup allows a legacy OS to run without modifications
• Examples
- KVM
- VMWARE 64bits
- XEN-CITRIX HVM extension*
HVM Rootkits
HVM Rootkits: What are HVM Rootkits
An HVM rootkit is a piece of malicious code embedded in the OS kernel as a driver that uses the AMD-V or Intel-VT HVM extension for its operation
The HVM rootkit idea was based on SubVirt, a paper by a group of researchers from the University of Michigan and Microsoft Research in which a malicious kernel module modifies the boot sequence to load the original OS inside Virtual PC.
The objective of an HVM rootkit is to subvert a host OS by putting it into a less privileged environment and reasserting itself as the host OS. By doing this, everything that happens in the original host OS can be trapped by the rootkit
When the subverted OS makes privileged calls from the less privileged domain, AMD-V and Intel-VT do not execute them directly but reroute them to the VMM (which in this case is the rootkit) for emulation.
The rootkit is not a VMM and does not have all the resources to run the emulation. When it receives the signal from AMD-V or Intel-VT for emulation, it just reroutes it back to the actual CPU
HVM Rootkits: What are HVM Rootkits
The end game of an HVM rootkit is not virtualization, but hiding itself in the privileged domain container so that its process is hidden.
It does not matter whether you are running VMWARE ESX, XEN or MICROSOFT Hyper-V: as long as the CPU supports the HVM extension, the rootkit can work
HVM Rootkits: Subverting an OS
Diagram, three states: (1) Host OS Runs Normal: Host OS (Win, Linux, Mac) and Applications on a HW CPU with AMD-V/VT; (2) the HVM ROOTKIT is loaded inside the Host OS; (3) Host OS infected by HVM Rootkit: the HVM ROOTKIT now sits in VM Root while the Host OS and Applications run in VM Non-root
Since the HVM rootkit has direct access to the HW, it can call the AMD-V or Intel-VT HVM extension to create the root and non-root domains
The HVM rootkit then carves out a bit of the host OS state and sets the OS to run in the non-root domain. The rootkit also registers itself with the HVM extension as the VMM running in the root domain
Privileged calls are rerouted to the HVM rootkit, which then relays them back to the CPU
HVM Rootkits: Where can I find HVM Rootkits
• At the current stage, HVM rootkits are available for both the AMD-V and Intel-VT HVM extensions.
• And the HVM rootkits work on major operating system kernels such as Windows, Linux and Mac
• Available HVM Rootkits
- BluePill (AMD & VT) - Developed by Joanna Rutkowska, COSEINC - Runs as a Windows 64-bit driver
- Hyperjack (VT) - Developed by Nate Lawson, Matasano Security - Runs as a Linux kernel driver
- Vitriol (VT) - Developed by Dino A. Dai Zovi, Matasano Security - Similar to Hyperjack except it is a Mac / FreeBSD kernel module
HVM Rootkits: How Does BluePill Work?
HVM Rootkits: How Do Hyperjack / Vitriol Work?
Demonstration: From Subverting An OS To Subverting A VMM
DEMO! A few notes before the conceptual demo
• The HVM rootkit’s purpose is to subvert the host OS into the non-root domain so the HVM rootkit can monitor (or intervene in, maybe) the calls made by the host OS to the hardware
• Among the HVM rootkits, BluePill shows tremendous effort on Nested VMM (an HVM rootkit running inside an HVM-rootkit-infected OS)
• By using the idea of Joanna’s BluePill nested VMM and Nested KVM, it is possible to create a powerful HVM rootkit to subvert a VMM!
• Recall: a VMM is kernel-layer code that controls VMs
• Currently, no actual code has been released, and no proven theory-to-POC has been made, to show whether it is feasible to subvert a VMM
• However, I am currently in the midst of coming up with the code of an HVM rootkit capable of being a VMM. I have not given it a name yet, but being a Malaysian, I may call it PadanMuka or something else
DEMO! How Should The PadanMuka Scenario Work?
• The demo might be a live demo by the presenter
• Or a recorded simulation. Please get a copy from the conference organizer if available
DEMO! How Should The PadanMuka End Game Work?
Diagram, before: on the HW CPU (VMCS), the VMM runs in VM Root; two Guest OSes with Apps run in VM Non-root, and PADAN MUKA runs in a third VM Non-root
Diagram, after: the PADAN MUKA VMM (downloaded via the Internet by the PADAN MUKA rootkit; could be a modified XEN vmm) now runs in VM Root, the original VMM has been pushed into VM Non-root, and the Guest OSes with Apps remain in VM Non-root
**** Malicious code can call the PADANMUKA extension to BluePill other VMs
How To Reduce The Risk Via Open Source VMM
Reduce The Risk Via OSS VMM: The best thing is to prevent HVM rootkit infections from the beginning.
• Running your OS under a VMM gives it better protection from malicious activities
• A VMM also prevents an HVM rootkit from accessing the HVM extension at all, so it cannot subvert your OS
• However, if the PadanMuka scenario does exist, can the VMM defend itself from being subverted?
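The slides argue that an HVM rootkit needs the HVM extension to be reachable from RING 0 and that a VMM should not allow runtime driver insertion. The script below is an added example, not part of the presentation, that turns those two points into a posture check for a Linux host; the function names, the constructed /proc/cpuinfo fragments and the use of the kernel.modules_disabled sysctl as the "no runtime driver insertion" control are my assumptions, not something the deck specifies.

```sh
#!/bin/sh
# Added example, not from the slides. Two posture checks for a Linux host:
#  1. hvm_posture: from /proc/cpuinfo flags, is the HVM extension exposed to
#     RING 0 code (bare-metal-hvm), already owned by a hypervisor (guest),
#     or absent (no-hvm)? The deck's mitigation is the "guest" posture.
#  2. module_loading: from `sysctl kernel.modules_disabled`, can drivers still
#     be inserted at runtime? The deck favours VMMs that forbid this.
# Caveat: the "hypervisor" flag is advertised by a cooperating hypervisor; a
# stealthy HVM rootkit does not set it, so bare-metal-hvm means exposed, not
# clean, and "guest" means a VMM is present, not that it is trustworthy.

hvm_posture() {
    # $1: full text of /proc/cpuinfo (passed in so it can be tested offline)
    flags=$(printf '%s\n' "$1" | awk -F: '/^flags/ { print $2; exit }')
    has_flag() { printf ' %s ' "$flags" | grep -q " $1 "; }
    if has_flag hypervisor; then
        echo guest
    elif has_flag vmx || has_flag svm; then   # Intel VT-x / AMD-V
        echo bare-metal-hvm
    else
        echo no-hvm
    fi
}

module_loading() {
    # $1: output line of `sysctl kernel.modules_disabled`
    case "$1" in
        *"kernel.modules_disabled = 1"*) echo locked ;;
        *) echo unlocked ;;
    esac
}

# Constructed sample inputs (not captured from any real machine)
SAMPLE_BARE='processor : 0
flags : fpu vme de pse tsc msr pae vmx smx est'
SAMPLE_GUEST='processor : 0
flags : fpu vme de pse tsc msr pae hypervisor'
SAMPLE_NOHVM='processor : 0
flags : fpu vme de pse tsc msr pae'

# Run against the live host with: sh hvm_posture.sh --live
if [ "${1:-}" = "--live" ]; then
    hvm_posture "$(cat /proc/cpuinfo)"
    module_loading "$(sysctl kernel.modules_disabled 2>/dev/null)"
fi
```

On a host that reports bare-metal-hvm and unlocked, any code that reaches RING 0 as a driver can claim the HVM extension, which is exactly the condition the following slides propose to remove by running under a static-kernel VMM.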
Reduce The Risk Via OSS VMM: Recommended VMMs with their advantages and disadvantages.
• XEN – XEN.ORG (www.xen.org)
- Advantage: the XEN VMM is a micro-kernel and does not allow driver insertion during runtime. All driver insertion is done through a special non-root VM, which is pretty much useless for an HVM rootkit
- Disadvantage: XEN requires the guest OS to be modified to accept the XEN API. It pretty much does not work with WINDOWS except in HVM mode, whose performance is more or less like qemu. Works best with XEN-LINUX
• TURAYA – EMSCB (http://www.emscb.com/content/pages/turaya.htm)
- Advantage: Similar to XEN
- Disadvantage: Only runs L4-LINUX
• MESINMAYA – DiligentCode Computing (www.diligentcode.com)
- Advantage: Similar to XEN and TURAYA in that it does not allow additional driver insertion during runtime. All changes must be recompiled before use. Supports full virtualization of almost all legacy OSes with a modified KVM extension. Supports Trusted Computing modules
- Disadvantage: the VM does not support extended HW capabilities like graphics acceleration and DMA for plug-n-play
Reduce The Risk Via OSS VMM: And why not the commercial VMMs
• VMWARE ESX - Uses a Linux kernel and allows driver insertion during run-time
• MICROSOFT HYPER-V - Windows kernel? - With Windows architecture? Go figure
• RED HAT KVM - VMM in a user-space environment. Cool idea - But still similar to VMWARE ESX: runs on top of a configurable run-time kernel
Conclusions
• An HVM rootkit uses the HVM extension to subvert an OS, not a VMM
• The PadanMuka scenario shows that a more advanced HVM rootkit can subvert a VMM and allow malicious code in non-root to manipulate the original VMM’s operations.
• The PadanMuka scenario fits the current deployment of Cloud Computing, and if it were deployed, it would seriously interrupt operations
• If you read on the Internet, HVM rootkits can be detected in various tedious ways. In fact, advanced anti-virus may be able to do that. But that is unlikely in the PadanMuka scenario. In fact no anti-virus can run at the RING 0 VMM.
• The best way to reduce the risk, whether of an HVM rootkit or of the PadanMuka scenario, is to run your OS under a static-kernel VMM such as XEN, TURAYA or MesinMaya
References
J. Rutkowska, Subverting Vista Kernel For Fun And Profit, Black Hat USA, 2006
D. A. Dai Zovi, Hardware Virtualization Rootkits, Matasano.com
N. Lawson, Don’t Tell Joanna, The Virtualized Rootkit Is Dead, Matasano.com
Yu Ke, Intel Virtualization Technology Overview, Intel System Software Division
D. Chisnall, The Definitive Guide to the XEN Hypervisor, Prentice Hall
IMPACT, Jalan IMPACT, 63000 Cyberjaya, Malaysia
T +60 (3) 8313 2020 F +60 (3) 8319 2020 E [email protected] impact-alliance.org © Copyright 2010 IMPACT. All Rights Reserved.
Thank You