Joanna Rutkowska- Security Challenges in Virtualized Environments
Transcript of Joanna Rutkowska- Security Challenges in Virtualized Environments
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
1/97
Security Challenges in
Virtualized Environments
Joanna Rutkowska,Invisible Things Lab
RSA Conference,San Francisco, April 8th 2008
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
2/97
Virtualization-based MALWARE
Using Virtual Machines for ISOLATION
NESTED virtualization
1
2
3
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
3/97
Virtualization-basedMALWARE
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
4/97
AMD-V
Intel VTx
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
5/97
NO HOOKS!Cannot be detected usingany integrity scanner
On the fly installationNo boot/BIOS/etcmodifications necessary
No I/O virtualizationNegligible performanceimpact (your brand new 3Dcard will still work!)
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
6/97
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
7/97
Blue Pill detection
Detecting a VMM Detecting
virtualization based
malware
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
8/97
VMM detection
Directtimingana
lysis
BlueC
hicke
n
CPUspecificbehavior
TLBprofiling
Guesttimevirtualization
HPETtimers
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
9/97
VMM detection?
Everything is going to be virtualized! Thus the information that there is ahypervisor in the system...
...would be pretty much useless...
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
10/97
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
11/97
No Hooks!
Search for code Detect activity
(e.g. network packets)
Stealth by Design concept Covert channels
Wont workNested Page Tables(hardware SPT)
By PatternHeuristics
SimpleObfuscation
0day malwareMassive malware
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
12/97
But why we cant use obfuscation for classic malware?
Because it leaves hooks anyways!And we can always find those hooks, no matter how
obfuscated the classic malware is!
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
13/97
The whole big deal about Blue Pill is:NO HOOKS in the system!
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
14/97
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
15/97
Disable virtualization?
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
16/97
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
17/97
Install a trustedhypervisor first?
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
18/97
Installing trusted
hypervisor
Static Root of Trust
Measurement
Dynamic Root of Trust
Measurement
BIOS > MBR > VMM
e.g. MS Bitlocker
SENTER (Intel TXT)
SKINIT (AMD SVM)
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
19/97
SRTM and DRTM only assures that whatwe load is trusted...
...at the moment ofloading!
3 sec later... it could be exploited and get
compromised!
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
20/97
Trusted != Secure (e.g. flawless)
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
21/97
E.g. #1: The famous DMA problem
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
22/97
Some
driver
Some
deviceI/O: asks the
device to
setup a DMA
transfer
Read/Write
memory access!
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
23/97
IOMMU
Solution to the problem of DMA attacks
Intel calls it: VT-d Not much PC hardware supports it yet
Expected to change soon
No THIN HYPERVISORS without IOMMU!
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
24/97
Other problems with VMMs?Stay tuned...
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
25/97
All in all: its not trivial to have a trusted & secure
hypervisor installed...
... but for sure this is the proper way to go...
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
26/97
Using Virtual Machines for ISOLATION
NESTED virtualization
2
3
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
27/97
Using Virtual Machinesfor ISOLATION
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
28/97
Originally ISOLATION was supposed to be provided byOperating Systems...
Separate processes/address spaces, User accounts & ACLs...
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
29/97
But in practice current OSes simplyfail at providing isolation!
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
30/97
Kernel bugs!
Kernel bugs!! Kernel bugs!!!
Bad design, e.g.:
XP and all runs as admin assumption
Vistas UAC assumes admin rights shouldbe granted to every installer program!
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
31/97
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
32/97
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
33/97
Challenges
Performance
Why is VMM/hypervisor going to be moresecure then OSs kernel?
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
34/97
VMM bugs?
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
35/97
VMM Bugs
Bugs in hypervisors Bugs in additional
infrastructure
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
36/97
E.g. #1: CVE-2007-4496
VMWare ESX 3.0.1 http://www.vmware.com/support/vi3/doc/esx-8258730-patch.html
Found by Rafal Wojtczuk (McAfee)
September 2007
Guest OS can cause memory corruptionon the host and potentiallyallow for
arbitrary code execution on the host
http://www.vmware.com/support/vi3/doc/esx-8258730-patch.htmlhttp://www.vmware.com/support/vi3/doc/esx-8258730-patch.htmlhttp://www.vmware.com/support/vi3/doc/esx-8258730-patch.htmlhttp://www.vmware.com/support/vi3/doc/esx-8258730-patch.htmlhttp://www.vmware.com/support/vi3/doc/esx-8258730-patch.html -
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
37/97
E.g. #2: CVE-2007-0948
Microsoft Virtual Server 2005 R2
http://www.microsoft.com/technet/security/bulletin/ms07-049.mspx
Found by Rafal Wojtczuk (McAfee)
August 2007
Heap-based buffer overflow allows guest OSto execute arbitrary code on the host OS
http://www.vmware.com/support/vi3/doc/esx-8258730-patch.htmlhttp://www.vmware.com/support/vi3/doc/esx-8258730-patch.htmlhttp://www.vmware.com/support/vi3/doc/esx-8258730-patch.html -
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
38/97
E.g. #3: CVE-2007-4993
Xen 3.0.3 http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1068
Found by Joris van Rantwijk
September 2007
By crafting a grub.conf file, the root user ina guest domain can trigger execution of
arbitrary Python code in domain 0.
http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1068http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1068http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1068 -
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
39/97
E.g. #4: Various Bugs
Paper by Tavis Ormandy (Google) http://taviso.decsystem.org/virtsec.pdf
April 2007 Disclosed bugs in VMWare, XEN, Bochs,
Virtual PC, Prallels
A simple fuzzers for: Instruction parsing by VMMs
I/O device emulation by VMMs
http://taviso.decsystem.org/virtsec.pdfhttp://taviso.decsystem.org/virtsec.pdf -
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
40/97
As you see current VMMs are far from being flawless...
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
41/97
To make VMMs more secure we need to keep them
ultra-thin and small!
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
42/97
Phoenix HyperSpace
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
43/97
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
44/97
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
45/97
HyperCore:the type I hypervisor used for HyperSpace
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
46/97
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
47/97
The HyperCore
Targets desktop/laptop systems
Guest OS execute at near-nativeperformance (including fancy graphics)
Support for full ACPI (Power Management)
Integrity: loaded via SecureCore BIOS
(Static Root of Trust Measurement)
Very thin - easy to audit!
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
48/97
Speeding things up
Pass through for most devices SPT: 1-1 mapping for most pages for the
Primary OS
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
49/97
Power Management
ACPI tables exposed to the Primary OS, so
that the overall power performance isoptimized
Efficient intercepts for power managementcontrol
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
50/97
Integrity
Static RTM via Phoenixs SecureCore BIOS Dynamic RTM via Intels TXT/AMDs SKINIT
SMM-based watchdog for HyperCore code
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
51/97
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
52/97
NESTED virtualization3
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
53/97
NESTED virtualization
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
54/97
What if auser wantsto run e.g.
Virtual PChere?
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
55/97
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
56/97
Idea of how to handle this situation...
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
57/97
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
58/97
Now, lets look at the actual details :)
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
59/97
Lets start with AMD-V...
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
60/97
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
61/97
?
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
62/97
?
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
63/97
RAX
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
64/97
Looks convincing but wont work with more complexhypervisors...
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
65/97
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
66/97
Nested Hypervisor
Nested Guest
Hypervisor
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
67/97
Hypervisors expect to have GIF=1 whenVMEXIT occurs...
They might not be prepared to handle
interrupts just after VMEXIT from guests!
... but when we resume the nestedhypervisor CPU sets GIF=1, because we do
this via VMRUN, not VMEXIT...
Gettin aro nd the
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
68/97
Getting around the
GIF Problem We need to emulate that GIF is 0 for the
nested hypervisor
We stop this emulation when: The nested hypervisor executes STGI
The nested hypervisor executes VMRUN
How do we emulate it?
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
69/97
GIF0 emulation
VMCB1.V_INTR_MASKING = 1 Hosts RFLAGS.IF = 0 Intercept NMI, SMI, INIT, #DB and held (i.e. record
and reinject) or discard until we stop theemulation
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
70/97
Additional details
Need to also intercept VMLOAD/VMSAVE
Need to virtualize VM_HSAVE_PA
ASID conflicts
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
71/97
Conflicting ASIDs!
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
72/97
But we can always reassign the ASID in the VMCB primthat we use to run the nested guest.
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
73/97
Performance Impact
One additional #VMEXIT on every#VMEXIT that would occur in a non-
nested scenario
One additional #VMEXIT when the nestedhypervisor executes: STGI, CLGI,
VMLOAD, VMSAVE
Lots of space for optimization though
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
74/97
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
75/97
http://bluepillproject.org
http://bluepillproject.org/http://bluepillproject.org/ -
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
76/97
How AMD could help?
AMD could add an additional field to VMCB:EmulateGif0ForGuest
Additionally: virtualize STGI and CLGI whenthe above field is set to improve
performance Seems simple to do: just a few additional
lines in the microcode... :)
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
77/97
Further thinking...
Virtualizing DEV for the nested hypervisorthat makes use of DEV?
Virtualizing IOMMU for the IOMMU-awarenested hypervisor?
Virtualizing Nested Paging mechanism forthe NP-aware nested hypervisor?
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
78/97
How about Intel VT-x?
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
79/97
Nested virtualization on VT-x
No GIF bit - no need to emulate GIF0 forthe nested hypervisor :)
No Tagged TLB - No ASID conflicts :) However:
VMX instructions can take memory operands -need to use complex operand parser
No tagged TLB - potentially bigger performanceimpact
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
80/97
Nested VT-x: Status
We pretty much have that working already Code is messy and should be rewritten
e.g. the operand parser
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
81/97
What Intel could do?
Extend info provided by:VMCS.VMX_INSTRUCTION_INFO
So that we dont need to parse memory
operand manually
Tagged TLB for better performance Other optimization?
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
82/97
Who else does Nested (hardware-based) Virtualization?
IBM z/VM hypervisor on
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
83/97
IBM z/VM hypervisor on
IBM System z mainframeRunning z/VM in a virtual
machine (that is, z/VM as a
guest of z/VM, also known
as second-level z/VM) isfunctionally supported but
is intended only for testing
purposes for the second-
level z/VM system and its
guests (called third-level
guests).
-- http://www.vm.ibm.com/pubs/
hcsf8b22.pdfIBM System z10, source: ibm.com
http://www.vm.ibm.com/pubs/hcsf8b22.pdfhttp://www.vm.ibm.com/pubs/hcsf8b22.pdfhttp://www.vm.ibm.com/pubs/hcsf8b22.pdfhttp://www.vm.ibm.com/pubs/hcsf8b22.pdfhttp://www.vm.ibm.com/pubs/hcsf8b22.pdf -
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
84/97
Confusion
AMD Nested Page Tables != Nested Virtualization!
NPT is a hardware alternative to Shadow PageTables (a good thing, BTW)
NPT is also called: Rapid Virtualization Indexing
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
85/97
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
86/97
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
87/97
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
88/97
Solution: ensure hypervisor integrity via SRTM or DRTM
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
89/97
SRTM/
DRTM
SRTM/DRTM do not protect the already loadedhypervisor, from being exploited if it is buggy!
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
90/97
Keep hypervisors very slim!Do not put drivers there!
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
91/97
Nested Virtualization:Useful Applications
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
92/97
What if auser wantsto run e.g.
Virtual PChere?
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
93/97
Phoenix Technologies has supported the research onnested hypervisors since Fall 2007
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
94/97
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
95/97
Summary
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
96/97
Virtualization technology could be used toimprove security on desktop systems
However there are non-trivial challenges inmaking this all working well...
... and not to introduce security problemsinstead...
Virtualization is cool ;)
-
8/3/2019 Joanna Rutkowska- Security Challenges in Virtualized Environments
97/97
Invisible Things Labhttp://invisiblethingslab.com
http://invisiblethingslab.com/http://invisiblethingslab.com/