Download - 2014.08.30 Virtual Machine Threat 세미나
system utilization
management costconsolidation
isolationtrusted environment resource aggregation
GRID system
MPP (Massively Parallel Processing)resource access control
mobility
emulation
1960 1970 1999 2006 현재
CP-40, IBM, Cambridge Scientific Cen-terfull virtualization
System/370, IBM
x86 virtualization, VMWare
application virtualization (application streaming)
x86,x64, ARM, …Storage,Network…VMWare, Virtual Box, Xen……OpenStack, CloudStack,……Amazon, Google…
Shared Device
Memory and I/OVirtualization
VMM
CPU CPU MEMORY
Physical H/W Control
Guest OS Guest OS
physical h/w
virtualized h/w
VMM must …- support same hardware interface- can control guest OS when accessing H/W resources.
mov eaxmov ebx…
Types of operation…
Direct Execution
eflagscontrol registersMSRprivileged instructions
????
Full Virtualization- No OS modification- Emulating, Binary translation, Trace
cache,…- VMware ESX server- QEMU
Para Virtualization- Need OS modification- Hypercall- Xen- Bochs
Hardware Assisted Virtualization
Virtualize…
CPU - AMD-V , VT-xIOMMU- AMD-Vi, VT-dNetwork- VT-c
VMX operation
VMX root operation
VMX non-root operation
Hardware Assisted Virtualization
Trap based development for Virtual-Machine- handle_cupid_instruction()- handle_mov_crX()- handle_read_msr()- handle_write_msr()- …
HW based Hypervisor programming = VMEXIT handler programming
VMX (Intel Virtual Machine Extension)
VMXON
VMCLEAR
VMPTRLD
VMWRITE
VMLAUNCH
GUEST Exit
VMREAD
VMRESUME
VMXOFF
VMX – new instructions, new data structureVMXON Region- created per logical processor- used by VMX instructions
VMCS Region- created per virtual CPU for guest OS- used by CPU and VMM
- 4Kb aligned- PHYSICAL_ADDRESS == typedef
LARGE_INTEGER- …
VMM (Virtual Machine Monitor) programming summary
check VMX support allocate VMXON region execute VMXON
allocate VMCS regionexecute VMCLEARexecute VMPTRLD
initialize VMCS data
host-state area fields
VM-exit control fields
VM-entry control fields
VM-execution control fields
guest-state area fields
execute VMLAUNCH handling various VM-exits
VMCS data organization
#1 Guest state fields- saved on VM exits, loaded on VM en-
tries
#2 Host state fields- loaded on VM exits
#3 Execution control fields- control VMX-non root operations
#4 Exit control fields- control VM exits
#5 Entry control fields- control VM entries
#6 VM Exit info- saved VM exits information on VM ex-
its
pin-based controls
processor-based controls
exception-bitmap address
I/O bitmap address
Timestamp counter offset
CR0/CR4 guest/host masks
CR3 targets
MSR bitmaps
Accessing VMCS data
VMWRITE
VMREADvirtual address / physical address
READ
virtual address / physical addressWRITE
Accessing VMCS data
Initialize VMM and Run VMM
Handling VM exits
#6 VM Exit info
Handling VM exits
Virtual Machine Threat
Attacks on Binary TranslatorCVE-2009-1542 - VirtualPC instruction decoding
• wbinvd (write back and invalidate cache), clts (clear task-switched flag in cr0)CVE-2008-4915 - VMware, Trap Flag Set by IRET Not Cleared for CCh InstructionCVE-2009-2267 - VMware Mishandled Exception on Page Faults…
Attacks on Para-virtualizationCVE-2008-4279 - VMware, Interrupt Can Occur at NonCanonical RIP After Indirect JumpCVE-2012-0217 - Advanced Exploitation of Xen Hypervisor Sysret VM Escape Vulnerability ( http://www.vupen.com/blog/20120904.Advanced_Exploitation_of_Xen_Sysret_VM_Escape_CVE-2012-0217.php )
…
Attacks on Device Emulation / AccelerationCVE-2012-0217 ( http://www.vupen.com/blog/20120904.Advanced_Exploitation_of_Xen_Sysret_VM_Escape_CVE-2012-0217.php )
CVE-2009-3827 - Virtual PC VMExit Event Confusion• exit reason MOV_CR, MOV_DR• MOV_CR : check guest cpl == 0• MOV_DR : !!• ring3 에서 DR 레지스터를 조작가능 !? DoS ?!
CVE-2009-3722 - KVM VMExit Event Confusion• CVE-2009-3827 와 동일한 버그
Attacks on HVM
더 자세한 내용은 http://www.cr0.org/paper/jt-to-virtualisation_security.pdf 를 참고하세요 .
VM Detection
너무 많다 !
HVM base rootkit
최초의 가상머신 기반 루트킷 ( http://www.invisiblethingslab.com/resources/bh07/IsGameOver.pdf )
HVM base rootkit – keylogger
PS/2Keyboard Con-
troller
KeyboardMouse
CPU
Port 0x64
Port 0x60
CPU 가상화
HVM rootkit• CPU 의 특권 명령을 가로챔 (e.g. IN, OUT)• PORT I/O 를 OS 보다 먼저 하드웨어 레벨에서 처리
CPU CPU bugs ? Micro code update ?
Chipset
BIOS
Hypervisor
OS / Device Drivers
rootkit code in SMM / ACPI / UEFI / PCI
HVM rootkit
OS Level
Attack Hypervisor ?! or Another Attack Surface
http://leaksource.files.wordpress.com/2013/12/nsa-ant-souf-fletrough.jpg