
TechTalk Abusing The Hypervisor



Presentation Transcript


  1. TechTalk Abusing The Hypervisor
  By: Piotr T. Zbiegiel

  2. Introduction

  3. What is a Hypervisor?
  • A Hypervisor is a piece of software that exists between the physical hardware and the virtual machines on a system. It mediates access from the VMs to the underlying hardware.
  • Generally two types of hypervisors exist:
    • Type 1 – The hypervisor runs directly on the hardware (aka bare metal).
    • Type 2 – The system runs a standard operating system and the hypervisor is loaded within the context of that operating system.
  • Some hypervisors don’t easily fit into one classification or the other.
  [Diagram: Type 1 Hypervisor: Hardware; Hypervisor; VM 1 (OS, App 1, App 2); VM 2 (OS, App 1, App 2)]

  4. Physical -> Virtual
  • VMs possess virtual components and associated drivers that mirror physical counterparts:
    • Displays
    • Memory
    • Disk
    • Network
  • These all present potential attack surfaces for exploiting the hypervisor or host operating system.

  5. New *AND* Improved 0days?
  • Before we dive into theoretical (and not so theoretical) hypervisor attacks it pays to talk about Duqu.
  • Duqu exploited the font parsing engine in Windows to elevate privileges and execute code.
  • Microsoft’s temporary workaround entailed disabling access to the TrueType font DLL.
  • But how did the bad guys know to try this vector? Could it be that the font parsing engine had been patched before by Microsoft?

  6. New *AND* Improved 0days? Cont’d
  • Once a vulnerability is discovered in a given piece of software you can bet many more researchers will be looking for similar vulnerabilities elsewhere in the code.
  • Depending on how (in)effective a vendor may be at patching, this could lead to numerous related vulnerabilities and attacks being discovered. Variations on a theme, if you will.

  7. New *AND* Improved 0days? Cont’d
  So what does this discussion of Duqu and zero-days have to do with hypervisor security? It demonstrates two key points we should remember about securing kernels/hypervisors.
  • The less a kernel does the less target area there is to attack. (Why was the Windows kernel parsing fonts?)
  • Previously discovered vulnerabilities may be a good indication of future vulnerabilities. It may be prudent to limit access to modules compromised in the past if at all possible.

  8. Low-level Intercept
  • An attack theory where the malware would shim itself below an operating system in between the system software and hardware.
  • A malware hypervisor?
  • The operating system would have no way to detect the infection since it wouldn’t exist within the universe of the operating system. Consider that similar malware already exists.
  • Kernel-level rootkits can hide from the operating system but are more akin to mind-control parasites that take over the host’s brain.
  [Image caption: Ophiocordyceps unilateralis]

  9. Virtual CPU & Memory

  10. KVM breakout? Or Xen vulnerability

  11. Blue Pill
  • In 2006 Joanna Rutkowska debuted new malware that slipped below the target OS and virtualized it.
  • Because the malware controlled all access to the underlying hardware it could “lie” to the operating system.
  • Kernel-level rootkits previously relied on modifying the kernel in an attempt to hide.
  • Blue Pill did not need to modify the operating system and could infect a running system.
  • Joanna insisted that this new class of malware was undetectable.

  12. A Hard Pill to Swallow
  • Other security researchers had a problem with Joanna’s claim that the malware was undetectable.
  • They claimed detection would be trivial using a timing attack.
  • Debate on the subject raged on until the next year when a group of researchers challenged Joanna to a showdown at Black Hat 2007.

  13. Red vs. Blue (Pills)
  • Joanna would secretly install her rootkit on one of two laptops.
  • The researchers would then install their detection software and attempt to detect the malware.
  • After some wrangling, including Joanna demanding up-front payment for her work on Blue Pill (to the tune of ~$400k)…the challenge never happened.
  Today blue-pill type malware has never been detected in the wild.
  • Because it doesn’t exist…
  • Or because it is so undetectable? (The mystery continues…)
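An added example, not part of the talk, of the timing check slide 12 refers to: it times the CPUID instruction with RDTSC (CPUID unconditionally traps to a hypervisor under VT-x/AMD-V, so it costs far more cycles than on bare metal) and flags a suspiciously high median. The sample count and the 800-cycle threshold are assumptions to be calibrated on known-good hardware.

```c
/* Added example: CPUID timing probe for a hidden hypervisor (x86 only). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define SAMPLES 201  /* odd count so the median is a real sample (assumption) */

/* Cycles consumed by one CPUID, bracketed by RDTSC reads. */
static uint64_t time_cpuid_once(void) {
#if defined(__x86_64__) || defined(__i386__)
    uint32_t lo1, hi1, lo2, hi2, a = 0, b, c, d;
    __asm__ volatile("rdtsc" : "=a"(lo1), "=d"(hi1));
    /* CPUID leaf 0: always causes a VM exit when a hypervisor is present. */
    __asm__ volatile("cpuid" : "+a"(a), "=b"(b), "=c"(c), "=d"(d));
    __asm__ volatile("rdtsc" : "=a"(lo2), "=d"(hi2));
    return (((uint64_t)hi2 << 32) | lo2) - (((uint64_t)hi1 << 32) | lo1);
#else
    return 0;  /* no RDTSC/CPUID on this architecture */
#endif
}

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median of n samples: sorting discards interrupt-induced outliers. */
uint64_t median_u64(uint64_t *v, size_t n) {
    qsort(v, n, sizeof *v, cmp_u64);
    return v[n / 2];
}

/* Bare-metal CPUID is typically a few hundred cycles; a VM exit plus
 * re-entry is well over a thousand. The threshold is a constructed value. */
int hypervisor_suspected(uint64_t median_cycles, uint64_t threshold) {
    return median_cycles > threshold;
}

uint64_t probe_cpuid_median(void) {
    uint64_t s[SAMPLES];
    for (size_t i = 0; i < SAMPLES; i++) s[i] = time_cpuid_once();
    return median_u64(s, SAMPLES);
}

int main(void) {
    uint64_t m = probe_cpuid_median();
    printf("median CPUID cost: %llu cycles -> %s\n", (unsigned long long)m,
           hypervisor_suspected(m, 800) ? "hypervisor suspected" : "looks like bare metal");
    return 0;
}
```

A hypervisor that controls the guest's TSC offset can skew what RDTSC reports, which is one reason the debate described above was not settled by this check alone.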

  14. New Tech?

  15. Old Attack Surfaces are New

  16. Network Topology

  17. Jails, Sandboxes, ???

  18. Conclusion
