Preventing and Detecting Xen Hypervisor Subversions
Transcript of Preventing and Detecting Xen Hypervisor Subversions
![Page 1: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/1.jpg)
Preventing and Detecting Xen Hypervisor
SubversionsJoanna Rutkowska & Rafał Wojtczuk
Invisible Things Lab
Black Hat USA 2008, August 7th, Las Vegas, NV
![Page 2: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/2.jpg)
Xen 0wning Trilogy
Part Two
![Page 3: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/3.jpg)
Previously on Xen 0wning Trilogy...
![Page 4: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/4.jpg)
Part 1: “Subverting the Xen Hypervisor”by Rafal Wojtczuk (Invisible Things Lab)
Hypervisor attacks via DMA TG3 network card “manual” attack Generic attack using disk controller
“Xen Loadable Modules” framework :) Hypervisor backdooring
“DR” backdoor “Foreign” backdoor
![Page 5: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/5.jpg)
Now, in this part...
![Page 6: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/6.jpg)
Protecting the (Xen) hypervisor
... and how the protection fails
Checking (Xen) hypervisor integrity
... and challenges with integrity scanning
1
2
3
4
![Page 7: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/7.jpg)
Dealing with DMA attacks
![Page 8: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/8.jpg)
(Trusted) Hypervisor
OS
Hardware
Some driver
Some device
I/O: asks the device to setup a DMA transfer
Read/Write memory access!
![Page 9: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/9.jpg)
Xen and VT-d
![Page 10: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/10.jpg)
(Trusted) Hypervisor
OS
Hardware
IOMMU/VT-d
ring3/ring0separation
malicious DMA
ring 3 (x86_64)ring 1 (x86)
ring 0
blocked!
![Page 11: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/11.jpg)
![Page 12: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/12.jpg)
Rafal’s DMA attack (speech #1) will not work on Xen 3.3 running on Q35 chipset!
![Page 13: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/13.jpg)
Intel DQ35JO motherboard: First IOMMU for desktops!(available in shops since around October 2007)
Intel Core 2 Duo/Quad Up to 8GB RAM TPM 1.2 Q35 Express chipset VT-d (IOMMU)
![Page 14: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/14.jpg)
System hangs (VT-d prevented the attack)
![Page 15: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/15.jpg)
So, how to get around?
![Page 16: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/16.jpg)
Break ring3/ring0 separation?
Break VT-d protection?
So, how to get around?
(Trusted) Hypervisor
OS
Hardware
![Page 17: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/17.jpg)
None of them! :)
![Page 18: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/18.jpg)
The slide has been removed upon request from Intel.(it will be published after the patch is available from Intel)
![Page 19: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/19.jpg)
The slide has been removed upon request from Intel.(it will be published after the patch is available from Intel)
![Page 20: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/20.jpg)
The slide has been removed upon request from Intel.(it will be published after the patch is available from Intel)
![Page 21: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/21.jpg)
The slide has been removed upon request from Intel.(it will be published after the patch is available from Intel)
![Page 22: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/22.jpg)
The slide has been removed upon request from Intel.(it will be published after the patch is available from Intel)
![Page 23: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/23.jpg)
The slide has been removed upon request from Intel.(it will be published after the patch is available from Intel)
![Page 24: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/24.jpg)
Demo: modifying Xen 3.3 hypevisor from Dom0
![Page 25: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/25.jpg)
Demo
TODO
![Page 26: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/26.jpg)
This attack is not limited to Q35 chipsets only!
![Page 27: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/27.jpg)
This attack can also be used to modify SMM handler on the fly, without
reboot!
![Page 28: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/28.jpg)
So, whose fault it is?
![Page 29: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/29.jpg)
Xen’s fault?
• Allowing Dom0/Driver domains to access some chipset registers might be needed for some reasons... (Really?)
• But Xen cannot know everything about the chipset registers and features!
![Page 30: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/30.jpg)
Chipset’s fault?
• Maybe chipset should do some basic validation of XXX
The details have been removed upon
request from Intel.(it will be published after the patch is
available from Intel)
![Page 31: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/31.jpg)
BIOS’s fault?
• Intel told us that using a special lock mechanism is recommended in the Intel’s BIOS Specification (*)
• Obviously, we’re not talking about D_LCK!
• That lock should prevent our attack
• So, this seems to be the BIOS Writer’s fault in the end...
(*)This document is available only to Intel partners (i.e. BIOS vendors).
![Page 32: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/32.jpg)
Related attacks
• Loic Duflot (2006) - jump to SMM and then to kernel from there (against OpenBSD securelevel). Now prevented by most BIOSes (thanks to the D_LCK bit set).
• Sun Bing (2007) - exploit TOP_SWAP feature of some Intel chipsets to load malicious code before the BIOS locks the SMM and get your code into SMM. But this requires reboot. Now prevented by BIOSes setting the BILD lock.
![Page 33: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/33.jpg)
Lesson: protecting hypervisor memory is hard!
![Page 34: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/34.jpg)
“Domain 0” Disaggregation
![Page 35: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/35.jpg)
Driver domains
![Page 36: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/36.jpg)
Hypervisor
DomU DomU Dom0
Driver
BackendFrontend Frontend
![Page 37: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/37.jpg)
Hypervisor
DomU DomU Dom0
Driver
BackendFrontend
![Page 38: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/38.jpg)
IOMMU/VT-d needed for delegating drivers to other domains (otherwise we can use DMA attacks from DomU)
![Page 39: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/39.jpg)
Advantage: compromise of a driver != Dom0 access
![Page 40: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/40.jpg)
Stub domains
![Page 41: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/41.jpg)
Hypervisor
HVM(e.g. XP)
Dom0
qemuIN/OUT
Usermode process that runs as root in Dom0 (Device Virtualization Model)
![Page 42: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/42.jpg)
Hypervisor
HVM(e.g. XP)
Dom0
qemuIN/OUT
“stub” domain
Now:qemu compromises != Dom0 comrpomise
![Page 43: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/43.jpg)
PyGRUB vs. PVGRUB
![Page 44: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/44.jpg)
Hypervisor
PV domain
Dom0
PyGRUB
Runs in Dom0 with root privileges and process the PV domain image (untrusted)
PV image
![Page 45: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/45.jpg)
Hypervisor
PV domain
Dom0
PVGRUB
PV image
![Page 46: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/46.jpg)
Xen vs. competition?
![Page 47: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/47.jpg)
Xen 3.3 Hyper-V (**) ESX
IOMMU/VT-d support?
Hypervisor protected from the Admin Domain
(including DMA attacks)?
Driver domains?
I/O Emulator placement? (Device Virtualization)
Trusted Boot support? (DRTM/SRTM)
Yes No ?
Yes No ?
Yes(drivers in unprivileged
domain)
No(drivers in the root domain)
No?Drivers in the
hypervisor?! (*)
Unprivileged Domain
(“stub domains”)
Unprivileged process
(vmwp.exe running as NETWORK_SERVICE in the root
domain)
?
YesXen tboot: DRTM via Intel
TXTNo ?
(*) based on the VMWare’s presentation by Oded Horovitz at CanSecWest, March 2008 (slide #3)(**) based on the information provided by Brandon Baker (Microsoft) via email, July 2008
![Page 48: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/48.jpg)
Ok, so does it really work?
![Page 49: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/49.jpg)
Yes! No doubt it’s a way to go!
![Page 50: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/50.jpg)
Xen is well done!
![Page 51: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/51.jpg)
but...
![Page 52: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/52.jpg)
Overflows in hypervisor :o
![Page 53: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/53.jpg)
So far, not a single overflow in Xen 3 hypervisor found!
![Page 54: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/54.jpg)
... until Rafal looked at it :)
![Page 55: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/55.jpg)
The FLASK bug
![Page 56: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/56.jpg)
What is FLASK?
![Page 57: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/57.jpg)
FLASK
• One of the implementation of XSM
• XSM = Xen Security Modules
• XSM is supposed to fine grain control over security decisions
• XSM based on LSM (Linux Security Modules)
![Page 58: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/58.jpg)
XSM
sHype (IBM) FLASK (NSA)
![Page 59: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/59.jpg)
FLASK is not compiled in by default into XEN
![Page 60: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/60.jpg)
Ok, so where are the bugs?
![Page 61: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/61.jpg)
Passed as hypercall arguments
page buffer is always 4096 bytes big!
![Page 62: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/62.jpg)
Passed as hypercall arguments
Yes this is sscanf()! Welcome back 90’s!
![Page 63: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/63.jpg)
So, how do we exploit it?
![Page 64: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/64.jpg)
struct xmalloc_hdr{ size_t size; struct list_head freelist;} __cacheline_aligned;
struct list_head { struct list_head *next, *prev;};
![Page 65: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/65.jpg)
Step 1: flask_user (buf, 8192)
![Page 66: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/66.jpg)
the page buffer (4k)
xmalloc_hdr
the user buffer (8k)
8192
1638
4
xmalloc_hdr
We set: buf[8192-hdr_sz]=999Then buf overwrites page...... and user hdr’s size field gets a new value!
size = 999After freeing buf xmalloc will put it
on a list of small free chunks and use for the next allocation of a small chunk!
‘999’ is a cosmic constant that satisfies the requirement: sizeof (struct xenoprof) < 999 < 4096
“Small” chunks: chunks for buffers that are less then 4096 byteshi
gher
add
ress
es
![Page 67: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/67.jpg)
Step 2: flask_relabel (buf, 8192)
![Page 68: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/68.jpg)
the tcon buffer (8k)
xmalloc_hdr
xenoprof
xmalloc_hdr
1638
4
some pointers that are later nullified by xenoprof_reset_buf()...
... so if we write addr there, then...
we will get (long)0 written at addr :)
![Page 69: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/69.jpg)
Step 3: freeing xenoprof buffer
![Page 70: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/70.jpg)
xenoprof_enable_virq();
![Page 71: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/71.jpg)
What we got?A write-zero-to-arbitrary-address primitive
![Page 72: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/72.jpg)
What to overwrite with zero?How about the upper half of some hypercall address?
This way we will redirect it to usermode!
![Page 73: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/73.jpg)
Demo: Escape from DomU using the FLASK bug
![Page 74: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/74.jpg)
![Page 75: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/75.jpg)
The bug has been patched on July 21st, 2008:
changeset: 18096:fa66b33f975auser: Keir Fraser <[email protected]>date: Mon Jul 21 09:41:36 2008 +0100summary: [XSM][FLASK] Argument handling bugs in XSM:FLASK
BTW, note the lack of the “security” word in the patch description ;)
![Page 76: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/76.jpg)
No Planet 0wning!
![Page 77: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/77.jpg)
Can we get rid of all bugs in the hypervisor?
![Page 78: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/78.jpg)
Xen hypervisor complexity
![Page 79: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/79.jpg)
0
80,000
160,000
240,000
320,000
Xen 3.0.4 Xen 3.1.4 Xen 3.2.1 Xen 3.3-unstable(**)
Lines-of-Code in Xen 3 hypervisors in ring 0 (*)
*Calculated using: find xen/ -name "*.[chsS]" -print0 | xargs -0 cat | wc -l**Retrieved from the Xen unstable mercurial on July 24th, 2008
![Page 80: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/80.jpg)
Trend a bit disturbing...Xen hypervisor grows over time,
instead of shrinking :(
![Page 81: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/81.jpg)
0
100,000
200,000
300,000
400,000
Xen 3.3-unstable Hyper-V(*)
Lines-of-Code: Xen 3.3 vs. Hyper-V
(*) based on the information provided by Brandon Baker (Microsoft) via email, July 2008
![Page 82: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/82.jpg)
Lessons learnt
![Page 83: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/83.jpg)
• Hypervisors are not special!
• Hypervisor can be compromised too!
• Computer systems are complex!
• Prevention is not enough!
![Page 84: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/84.jpg)
Prevention not enough!
![Page 85: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/85.jpg)
Ensuring Hypervisor Integrity
![Page 86: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/86.jpg)
Integrity Scanning
![Page 87: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/87.jpg)
Integrity Scanning
Ensure the hypervisor’s code & data are intact
Ensure no untrusted code in hypervisor
![Page 88: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/88.jpg)
hypervisor code data
datadata
data
data
datahy
perv
isor
Code is easy to verify...... but data is not!
![Page 89: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/89.jpg)
hypervisor code data
datadata
data
data
datahy
perv
isor
XXX
Executable page with untrusted code
![Page 90: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/90.jpg)
Ensuring no untrusted code in the hypervisor
![Page 91: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/91.jpg)
1. Read hypervisor’s CR3
2. Parse Page Tables and find all pages that are marked as executable and supervisor in their PTEs
3. Verify the hashes of those code pages remain the same as during the initialization phase
4. Also: ensure some system wide registers were not modified (CR4, CR0, etc)
![Page 92: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/92.jpg)
To make it work...
![Page 93: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/93.jpg)
• Hypervisor must strictly apply the NX bit (only code pages do not have NX bit set)
• No self-modifying code in the hypervisor
• Hypervisor’s code not pageable
![Page 94: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/94.jpg)
Xen hypervisor can meet those requirements with just few cosmetic
workarounds
Hyper-V already meets all those requirements!
(Brandon Baker, Microsoft)
![Page 95: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/95.jpg)
... but, there are traps!
![Page 96: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/96.jpg)
Trap #1Rootkit might keep its code in the usermode pages - CPU would still
execute them from ring0...
Hypervisor
DomU DomU Dom0
XXX XXX XXX
xxx
![Page 97: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/97.jpg)
CPU should refuse to execute code from usermode pages when running in ring0
Marketing name: “NX+” or “XD+” :)
Talks with Intel in progress...
![Page 98: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/98.jpg)
Trap #2Code-less backdoors!
‘jmp rdi’ or more advanced ret-into-libc stuff(don’t think ret-into-libc not possible on x64!)
xxx
codejmp rdi
IDT
Anybody who can issue INT XX can now get their code executed
in ring0 in the hypervisor!
![Page 99: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/99.jpg)
There only few structures (function pointers) that could be used to plant such backdoor!
This is few comparing with lots of if we were to check all possible function pointers
Examples for Xen: IDT, hypercall_table, exception_table
![Page 100: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/100.jpg)
Hypervisor should provide a sanity function that would be part of the code (static path) that would check those few
structures.
HyperGuard doesn’t need to know about those few structures.
![Page 101: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/101.jpg)
Trap #3We only check integrity at the very moment...
when we check integrity...What happens in between?
When should we do the checks?
time
chec
k
chec
k
chec
k
chec
k
??? ??? ???
![Page 102: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/102.jpg)
Solution?
Oh, come on, we need to leave a few aces up in our sleeves ;)
![Page 103: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/103.jpg)
Introducing HyperGuard...
![Page 104: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/104.jpg)
HyperGuard is a project done in cooperation with Phoenix Technologies
![Page 105: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/105.jpg)
hypervisor code
data
data
data
hype
rvis
ordo
mai
ns
SMMhandler
HyperGuard
Phoenix BIOS
![Page 106: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/106.jpg)
Why in SMM?
![Page 107: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/107.jpg)
SMM handler
PCI device Chipset
tamper proof?
access to CPU state (e.g. registers)
reliable access to DRAM
should be :)(depends very
much on the BIOS -- see the Q35 bug)
yes yes
yes no no
yesno
(e.g. IOMMU, other redirecting tricks)
yes(can deal with
IOMMU)
![Page 108: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/108.jpg)
Combining chipset-based scanner (see Yuriy Bulygin’s presentation) with SMM-based scanner
seems like a good mixture...
![Page 109: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/109.jpg)
![Page 110: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/110.jpg)
dele
gate
mem
ory
hash
ing
hypervisor code
data
data
data
hype
rvis
ordo
mai
ns
SMMhandler
HyperGuard
Phoenix BIOS
Chipset
ensu
re in
tegr
ity
![Page 111: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/111.jpg)
Combining SMM + chipset integrity scanning
![Page 112: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/112.jpg)
SMM handler
PCI device
Chipset SMM + chipset
tamper proof?
access to CPU state (e.g. registers)
reliable access to DRAM
should be :) yes yes yes
yes no no yes
yes no yes yes
![Page 113: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/113.jpg)
Additionally chipset could provide fast hash calculation service to the HyperGuard
![Page 114: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/114.jpg)
But we should keep the chipset based scanner as simple as possible!
The deeper we are the simpler we are!
![Page 115: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/115.jpg)
Talks with Intel in progress...
![Page 116: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/116.jpg)
HyperGuard might also be used in the future to verify integrity of normal OS kernels (e.g. Windows or Linux)
![Page 117: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/117.jpg)
Slides available at:http://invisiblethingslab.com/bh08
Demos and code will be available from the same address after Intel releases the patch.
![Page 118: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/118.jpg)
Credits
• Brandon Baker (Microsoft), for providing lots of information about Hyper-V (that we haven’t played with ourselves yet)
![Page 119: Preventing and Detecting Xen Hypervisor Subversions](https://reader031.fdocuments.in/reader031/viewer/2022012505/617ff8f78a883f51c556d0ec/html5/thumbnails/119.jpg)
Thank you!
Xen 0wning Trilogy to be continued in:
“Bluepilling The Xen Hypervisor”
by Invisible Things Lab