CSW2016 Tang: Virtualization Device Emulator Testing Technology
Uploaded by cansecwest
Transcript of CSW2016 Tang: Virtualization Device Emulator Testing Technology
Slide 1
Speaker: Qinghao Tang
Title: 360 Marvel Team Leader
Virtualization Device Emulator Testing Technology
Slide 2
360 Marvel Team: established in May 2015, the first professional cloud computing and virtualization security team in China.
Focusing on attack and defense techniques in virtualization systems.
● fuzzing framework
● guest machine escape technology
● hypervisor risk defense technology
Slide 3
Agenda
• Virtualization System Attack Surface
• Fuzzing framework
• Case study
Slide 4
Virtualization System Attack Surface
Slide 5
Cloud Computing
Slide 6
Hypervisor
Types: Xen, KVM, VMware
Functions: quantized distribution of resources, flexible scheduling
Slide 7
Distinctions
Normal server: OS -> Physical Devices
Virtualization server: Guest OS -> Hardware emulator (one per guest) -> Hypervisor -> Physical Devices
Slide 8
Attacking process in cloud computing
1. Enter a VM via the web or other devices
2. Exploit virtualization system vulnerabilities to escape the VM
3. Move laterally to other VMs on the host
4. Access the host network
Slide 9
Operation principles of device emulators
Slide 10
The attack surface
• Diversity of hardware virtualization components
  QEMU: 30+
  VMware: 20+
• Bridge between inside and outside
  VM OS -> device emulators -> Host OS
• Related vulnerabilities have serious consequences
• Limitation
Slide 11
Fuzzing Framework
Slide 12
Basic intro
Attack surface: hardware virtualization components
Environment: QEMU, VMware
Testing results: more than 20 vulnerabilities
Challenges: the lower layers are hard to predict
Trends
• more attack surfaces
• more kinds of virtualization systems
Slide 13
Compared to traditional targets (system kernel vs. hypervisor)
• Hardware virtualization focuses on lower layers
• Testing data is totally different
Slide 14
Methods for testing hardware virtual components
1. Analyze the data that flows into the components
2. Change the contents and timing of the in-flowing data
3. Record all tiny abnormal activities
4. Analyze the abnormal activities and optimize the fuzz framework
Slide 15
Other factors of the fuzz framework
1. Flexibility (other OS)
• VMs in Linux
• coding in C and Python
2. Deeply understand the VM system
• language for coding
• development environment
• coding style
Slide 16
Fuzz framework structure
Control Center -> Hosts -> guest OS instances (several guest OS per host)
Slide 17
Fuzz framework working flow (part 1)
1. Set up the network and hardware environment; launch server, client and monitor.
2. Load the system hook module and enumerate every machine's device emulators.
3. The client asks the server for testing data for the emulators; the server sends out the required data.
4. The client receives and loads the testing data and launches the test.
5. The monitor continually monitors the hypervisor and records logs.
Slide 18
Fuzz framework working flow (part 2)
6. Notify the server after client testing has finished.
7. The server gets the logs from the client and the monitor and saves them.
8. The server launches the log analysis module, determines whether anything went wrong, and notifies admins.
9. Analyze program exceptions and optimize the fuzz framework.
Slide 19
Functions of the controlling center
Slide 20
Get target components info
Slide 21
Testing data
• Device access ports
• Data structures the device handles
• Device data processing
Slide 22
Testing data attacks
user space -> kernel space -> device controller
• User space: generate testing data, send a request to the client kernel
• Kernel space: allocate memory, fill the memory, send the data to the ports
• Device emulator: testing data flows inside, triggers exceptions
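The guest-side half of this data path (slide 22) and the log handling the working flow on slides 17 and 18 depends on, as an added example; this is not code from the talk or from the 360 Marvel Team framework. A deterministic generator produces a sequence of register writes for one emulated device, every write is logged before it is fired, and the writes are delivered with x86 port I/O (delivery needs root inside the guest and is compiled only on Linux/x86). Because a successful case kills the hypervisor together with the guest, logging first is what lets the server-side analysis step recover the triggering write from the last log line. The port window (PORT_BASE, PORT_SPAN), the value table and the log format are assumptions for the example, not values from QEMU or VMware.

```c
/*
 * Added example (not from the talk or the 360 Marvel Team framework): a
 * minimal guest-side fuzz client.  User space generates a reproducible
 * sequence of register writes for one emulated device, logs each write
 * BEFORE sending it, and delivers it through x86 port I/O.  If the
 * hypervisor dies, the last logged line is the suspect write.
 *
 * Assumed (hypothetical) target: a 32-byte I/O port window at PORT_BASE.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PORT_BASE   0xc000u   /* assumed I/O BAR of the device under test */
#define PORT_SPAN   32u       /* assumed size of that BAR */
#define LOG_LINE    64

struct io_write {
    uint16_t port;    /* absolute port number */
    uint8_t  width;   /* 1, 2 or 4 bytes */
    uint32_t value;
};

/* xorshift32: deterministic, so a seed fully identifies a test case. */
static uint32_t xs_next(uint32_t *s) {
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Mutation strategy: boundary constants half of the time, random values
 * otherwise, always aligned to the access width and masked to it. */
static const uint32_t interesting[12] = {
    0, 1, 0x7f, 0x80, 0xff, 0x7fff, 0x8000, 0xffff,
    0x7fffffff, 0x80000000u, 0xfffffffeu, 0xffffffffu
};

void gen_write(uint32_t *seed, struct io_write *w) {
    uint32_t r = xs_next(seed);
    w->width = (uint8_t)(1u << (r % 3));                              /* 1, 2 or 4 */
    uint16_t off = (uint16_t)((xs_next(seed) % PORT_SPAN) & ~(w->width - 1u));
    w->port = (uint16_t)(PORT_BASE + off);
    uint32_t v = (r & 4u) ? interesting[xs_next(seed) % 12] : xs_next(seed);
    w->value = (w->width == 4) ? v : v & ((1u << (8 * w->width)) - 1u);
}

/* One log line per write, emitted before the write reaches the device. */
int format_log(const struct io_write *w, unsigned idx, char *buf, size_t n) {
    return snprintf(buf, n, "WRITE idx=%u port=0x%04x width=%u value=0x%08x\n",
                    idx, w->port, w->width, w->value);
}

/* Server-side helper: given the client log captured when the monitor
 * reported a hypervisor crash, return the index of the last write and
 * fill in its fields; -1 if the log holds no write at all. */
int find_culprit(const char *log, struct io_write *out) {
    const char *p = log, *last = NULL;
    while ((p = strstr(p, "WRITE idx=")) != NULL) { last = p; p++; }
    if (!last) return -1;
    unsigned idx, port, width, value;
    if (sscanf(last, "WRITE idx=%u port=0x%x width=%u value=0x%x",
               &idx, &port, &width, &value) != 4) return -1;
    out->port = (uint16_t)port; out->width = (uint8_t)width; out->value = value;
    return (int)idx;
}

#if defined(__linux__) && (defined(__x86_64__) || defined(__i386__))
#include <unistd.h>
#include <sys/syscall.h>
/* Raw port write; requires iopl(3), i.e. root inside the guest. */
static void deliver(const struct io_write *w) {
    switch (w->width) {
    case 1: __asm__ volatile("outb %b0, %w1" :: "a"(w->value), "Nd"(w->port)); break;
    case 2: __asm__ volatile("outw %w0, %w1" :: "a"(w->value), "Nd"(w->port)); break;
    default: __asm__ volatile("outl %0, %w1"  :: "a"(w->value), "Nd"(w->port)); break;
    }
}
int main(void) {
    if (syscall(SYS_iopl, 3) != 0) { perror("iopl"); return 1; }
    uint32_t seed = 0x2016u;                 /* the case id: seed == reproducer */
    for (unsigned i = 0; i < 100000; i++) {
        struct io_write w; char line[LOG_LINE];
        gen_write(&seed, &w);
        format_log(&w, i, line, sizeof line);
        fputs(line, stderr); fflush(stderr);  /* log first, then fire */
        deliver(&w);
    }
    return 0;
}
#endif
```

The client log goes to stderr, which the framework's client would redirect to the server (slide 18, step 7); the seed plus the index from find_culprit is enough to regenerate and replay the exact write sequence up to the crash.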
Slide 23
Monitor
VM management: • Snapshot • Reboot • VM device editing
Dynamic debugging: • Debugging mode on start • Load debugging plugin
VM processing log: • User space • Kernel space
Slide 24
Exceptions occurring in the device emulator
• VM OS crash
• Hypervisor crash
• Invisible results
Slide 25
Advanced monitoring skills
• Dynamic
• Static
Slide 26
Optimize the fuzz framework using log data
• Client log: decrease invalid combinations
• Monitor log: promote coverage
• Server log
Slide 27
Vulnerabilities found by us
Slide 28
Case Study
Slide 29
Principle of the e1000 network device
• Initialization: port allocation, address mapping, device status setting, resource allocation
• Data transfer: 'write command' to the device TDT register
  processing of descriptors
  3 types of descriptor: context, data, legacy
  data transfer
  set status, wait for the next instruction
• Processing details: circular memory (the descriptor ring)
  TSO: TCP segmentation / flow control
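A runnable model of the TDT-triggered descriptor walk described on this slide, added here as an example; it is not code from the talk, from QEMU or from VMware, and it describes no particular bug in either product. The descriptor layout is simplified (an explicit type byte instead of the real DEXT/DTYP bit encoding), guest memory is a constructed array, and the register names TDBA/TDLEN/TDH/TDT are used with their e1000 meaning. What the model keeps is the security-relevant shape: a guest register write makes host-side code walk a circular ring of guest-controlled descriptors, DMA guest-chosen addresses and lengths, and accumulate fragments into a fixed host buffer, so every length and address is an input the fuzzer on the earlier slides is mutating. The two checks marked in the code are generic hardening patterns for that shape.

```c
/*
 * Added example, not code from the talk, from QEMU or from VMware: a
 * simplified model of how an e1000-style emulator turns a guest's TDT
 * register write into a walk over a circular descriptor ring in guest
 * memory.  Descriptor layout simplified; guest memory is a constructed
 * array so the model runs offline.  Every descriptor field is
 * guest-controlled, hence the two bounds checks marked below.
 */
#include <stdint.h>
#include <string.h>

#define GMEM_SIZE   8192u   /* constructed "guest physical memory" */
#define DESC_SIZE   16u
#define TX_MAX      4096u   /* emulator's fixed packet assembly buffer */

enum { DESC_LEGACY = 0, DESC_CONTEXT = 1, DESC_DATA = 2 };
#define CMD_EOP  0x01u      /* end of packet */
#define STA_DD   0x01u      /* descriptor done, written back to the guest */

struct tx_desc {            /* 16 bytes, simplified layout (type byte, not DEXT/DTYP) */
    uint64_t buffer_addr;   /* guest physical address of the payload */
    uint16_t length;
    uint8_t  type;
    uint8_t  cmd;
    uint8_t  status;
    uint8_t  pad[3];        /* pad[0] doubles as header length in a context desc */
};

struct e1000_model {
    uint8_t  gmem[GMEM_SIZE];
    uint32_t tdba, tdlen, tdh, tdt;     /* TX ring registers (guest writable) */
    uint16_t mss, hdr_len;              /* TSO parameters from a context desc */
    uint8_t  tx_buf[TX_MAX];            /* packet assembly buffer */
    uint32_t tx_size;
    uint32_t packets_sent, last_pkt_len, dropped;   /* observable results */
};

/* DMA helper: the only way a guest address reaches host memory. */
static int dma_read(struct e1000_model *m, uint64_t gpa, void *dst, uint32_t len) {
    if (gpa >= GMEM_SIZE || len > GMEM_SIZE - gpa)     /* check 1: DMA window */
        return -1;
    memcpy(dst, m->gmem + gpa, len);
    return 0;
}

static void process_tx_desc(struct e1000_model *m, uint64_t desc_gpa) {
    struct tx_desc d;
    if (dma_read(m, desc_gpa, &d, sizeof d) != 0) { m->dropped++; return; }

    if (d.type == DESC_CONTEXT) {
        m->mss = d.length;                 /* model: TSO params ride in a context desc */
        m->hdr_len = d.pad[0];
    } else {                               /* legacy and data descriptors carry payload */
        /* check 2: the guest's length must fit the remaining assembly buffer;
         * without it a chain of descriptors overruns tx_buf on the host. */
        if (d.length > TX_MAX - m->tx_size ||
            dma_read(m, d.buffer_addr, m->tx_buf + m->tx_size, d.length) != 0) {
            m->dropped++;
            m->tx_size = 0;                /* abandon the partial packet */
        } else {
            m->tx_size += d.length;
            if (d.cmd & CMD_EOP) {         /* last fragment: "send" the packet */
                m->packets_sent++;
                m->last_pkt_len = m->tx_size;
                m->tx_size = 0;
            }
        }
    }
    d.status |= STA_DD;                    /* set status so the driver can reuse the slot */
    memcpy(m->gmem + desc_gpa, &d, sizeof d);   /* desc_gpa already validated above */
}

/* Called on a guest write to TDT: walk from head to tail around the ring. */
void e1000_write_tdt(struct e1000_model *m, uint32_t tail) {
    uint32_t nentries = m->tdlen / DESC_SIZE;
    m->tdt = tail;
    if (nentries == 0 || tail >= nentries || m->tdh >= nentries ||
        m->tdba >= GMEM_SIZE || m->tdlen > GMEM_SIZE - m->tdba)
        return;                            /* ring registers do not describe valid memory */
    uint32_t budget = nentries;            /* at most one full ring per write */
    while (m->tdh != m->tdt && budget--) {
        process_tx_desc(m, m->tdba + (uint64_t)m->tdh * DESC_SIZE);
        m->tdh = (m->tdh + 1) % nentries;  /* circular memory */
    }
}

/* Guest-side helper (constructed test data): place one descriptor in the ring. */
void put_desc(struct e1000_model *m, uint32_t idx, uint64_t addr,
              uint16_t len, uint8_t type, uint8_t cmd) {
    struct tx_desc d = { addr, len, type, cmd, 0, {0, 0, 0} };
    memcpy(m->gmem + m->tdba + idx * DESC_SIZE, &d, sizeof d);
}

void model_reset(struct e1000_model *m, uint32_t ring_gpa, uint32_t nentries) {
    memset(m, 0, sizeof *m);
    m->tdba = ring_gpa;
    m->tdlen = nentries * DESC_SIZE;
}
```

Fuzzing this model amounts to mutating what put_desc writes (addresses past the guest's memory, lengths larger than the assembly buffer, EOP never set, a tail that equals or exceeds the ring size) and then writing TDT; each of those inputs is stopped by exactly one of the checks, which is the kind of check the monitor's "hypervisor crash" verdict on slide 24 points at when it is missing.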
Slide 30
E1000 vulnerability analysis
• QEMU e1000 network device
• VMware e1000 network device
Slide 31
PCnet network card emulator working process
I/O port write -> Control and Status Registers (write) -> Receive / Send -> Virtual Network Interface
Slide 32
PCnet vulnerability analysis
• QEMU pcnet network device
Slide 33
Summary
Stay tuned for more achievements by 360 Marvel Team