Transcript: Dig into QEMU security
Qiang Li, Zhibin Hu, Mei Wang / Qihoo 360 Gear Team, CanSecWest 2017

About us
- Qihoo 360: one of the most famous security companies in China
- Gear Team: mainly focused on cloud security
- Xen, QEMU, OpenSSL, NTP, Firefox, etc.
- Very young and passionate team
- 100+ CVEs last year, especially 70+ CVEs from QEMU

Agenda
- QEMU introduction
- QEMU attack surfaces
- Attack from internal
- Attack from external
- Thoughts in QEMU security study

QEMU introduction
- QEMU is a widely used emulator; it can do full-system or user-mode emulation
- Implemented in software
- Accelerated by KVM/Xen

QEMU introduction
- QEMU is a normal user-mode process
- QEMU's virtual address space is used as the guest's RAM
- QEMU's threads act as the guest's vCPUs

QEMU introduction
- QEMU communicates with KVM through the kvm char device
- Generally, guest code can run directly on the native CPU
- When running sensitive instructions, the guest traps into KVM by a VM-exit instruction; code control transfers from QEMU to KVM
- If the exit event is an IO event, it is then dispatched to QEMU

QEMU attack surfaces
- Most security issues are caused by handling untrusted data incorrectly
- The important thing is the data flow and what data we can control
- Data from internal: mainly from the guests, mostly from the guest's device emulators
- Data from external: VNC/SPICE/QMP, etc.

QEMU attack surfaces - from internal
- Device emulation in QEMU has lots of vulnerabilities, including some critical ones
- Full emulation is discussed a lot, but virtio is not; virtio is very useful for improving performance, and we will talk about virtio later
- For convenience, most virtualization products install an agent in the guest; QEMU has its own guest agent (qga), which is not as powerful as VMware Tools and less vulnerable

QEMU attack surfaces - from external
- VNC is used for remote desktop access, not only in VMs
- SPICE is like VNC, but usually used for remote access to VMs; it contains four parts: protocol, client, server, guest
- QEMU Machine Protocol (QMP): a lightweight, text-based protocol that allows applications to interact with QEMU
- Malicious images

Attack from internal

Attack from internal - device emulation
- QEMU device emulators are the biggest source of vulnerabilities
- Full virtualization / paravirtualization
- Third-party library drivers, like virglrenderer

Attack from internal - device emulation
- Most of the devices are based on software emulation
- The guest is unaware of the underlying virtualization environment, so QEMU does a lot of work to implement it
- Many devices must be emulated, such as different kinds of disks, network cards, etc.

Attack from internal - device emulation
- PCI devices expose BARs (Base Address Registers) to the OS so that the OS can interact with the devices; QEMU must provide this layer in its device emulation as well
- The guest OS interacts with the device by reading and writing the BARs registered by the device; these operations trap into KVM and are dispatched back to QEMU callback handlers, which are registered while the device initializes

Attack from internal - device emulation
- If we don't consider KVM, we can regard it as a simple proxy
- Guest data is untrusted and can be malicious; it can cause vulnerabilities in QEMU
- The data flow is then simplified to: Guest -> QEMU

Attack from internal - device emulation
- Two types of BARs: IO port & MMIO
- Reading/writing IO ports/MMIO can trigger flaws in QEMU
- A malicious kernel module can act as a device driver by reading or writing its BARs

Attack from internal - example
- We found a flaw in the Cirrus VGA driver
- It is triggered when the VGA copies data by bitblt in backward mode
- It can be used to do OOB read/write

Attack from internal - example
The slide shows the patch for this bug: when calculating the min variable, the code forgot to subtract s->cirrus_blt_width, which causes the OOB read/write.
The slide also shows the execution flow: when the guest writes to the VGA IO port, KVM dispatches the IO event to QEMU's Cirrus VGA driver.

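As an added example (not code from the talk or from QEMU), the following C program models the check the patch on the slide corrects: a backward-mode blit region check that forgets to subtract cirrus_blt_width, beside the corrected check, and an IO-port handler that only blits once the corrected check passes. The struct blt_state, the function names and the VRAM size are assumptions made for this example; only cirrus_blt_width is named on the slide.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the blit state a Cirrus-style VGA emulator keeps.
 * cirrus_blt_width is the field named on the slide; the other fields and
 * all function names are assumptions made for this example. */
struct blt_state {
    int64_t vram_size;          /* size of emulated video RAM in bytes */
    int32_t cirrus_blt_width;   /* bytes copied per line, guest controlled */
    int32_t cirrus_blt_height;  /* number of lines, guest controlled */
};

/* Ground truth: the lowest VRAM offset a backward blit (pitch < 0) touches.
 * Each line is copied downward from its start address, so a line covers
 * [start - width + 1, start]. */
static int64_t lowest_byte_touched(const struct blt_state *s, int32_t pitch, int32_t addr)
{
    return (int64_t)addr + ((int64_t)s->cirrus_blt_height - 1) * pitch
           - s->cirrus_blt_width + 1;
}

/* The check as the slide describes the bug: min is computed from the line
 * start addresses only, so the width of the last line is never subtracted. */
static bool region_is_unsafe_buggy(const struct blt_state *s, int32_t pitch, int32_t addr)
{
    if (pitch == 0) return true;
    if (pitch < 0) {
        int64_t min = (int64_t)addr + ((int64_t)s->cirrus_blt_height - 1) * pitch;
        return min < 0 || addr >= s->vram_size;   /* misses up to width-1 bytes below 0 */
    }
    int64_t max = (int64_t)addr + ((int64_t)s->cirrus_blt_height - 1) * pitch
                  + s->cirrus_blt_width;
    return max > s->vram_size;
}

/* Corrected check: the lowest byte of the last line must still be inside VRAM. */
static bool region_is_unsafe_fixed(const struct blt_state *s, int32_t pitch, int32_t addr)
{
    if (pitch == 0) return true;
    if (pitch < 0) {
        return lowest_byte_touched(s, pitch, addr) < 0 || addr >= s->vram_size;
    }
    int64_t max = (int64_t)addr + ((int64_t)s->cirrus_blt_height - 1) * pitch
                  + s->cirrus_blt_width;
    return max > s->vram_size;
}

/* Dispatch model for the flow on the slide: the IO-port write lands in the
 * emulator's handler, which validates the guest-chosen region before blitting.
 * Returns 1 when the blit is accepted, 0 when it is rejected. */
static int handle_blt_start(const struct blt_state *s, int32_t pitch, int32_t addr, uint8_t *vram)
{
    if (region_is_unsafe_fixed(s, pitch, addr)) {
        return 0;
    }
    for (int32_t line = 0; line < s->cirrus_blt_height; line++) {
        int64_t start = (int64_t)addr + (int64_t)line * pitch;
        for (int32_t x = 0; x < s->cirrus_blt_width; x++) {
            int64_t off = pitch < 0 ? start - x : start + x;
            vram[off] = 0;   /* stand-in for the copy; every off is now inside [0, vram_size) */
        }
    }
    return 1;
}

int main(void)
{
    struct blt_state s = { .vram_size = 4096, .cirrus_blt_width = 32, .cirrus_blt_height = 2 };
    uint8_t vram[4096] = {0};
    /* constructed guest request: start 16 bytes into VRAM and copy backwards */
    printf("buggy check unsafe: %d, fixed check unsafe: %d, lowest byte touched: %lld\n",
           region_is_unsafe_buggy(&s, -8, 16), region_is_unsafe_fixed(&s, -8, 16),
           (long long)lowest_byte_touched(&s, -8, 16));
    printf("blit accepted: %d\n", handle_blt_start(&s, -8, 16, vram));
    return 0;
}
```

With the constructed request the buggy check computes min = 16 - 8 = 8 and accepts, while the last line actually reaches offset -23; the corrected check rejects it, and a request starting at offset 100 passes both.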
Attack from internal - virtio
- virtio is for IO paravirtualization
- It has a front-end in the guest and a back-end in QEMU
- They exchange data by the vring mechanism

Attack from internal - virtio
- The guest adds data to the vring's in buffer; when the data is ready, it triggers a kick to notify QEMU
- QEMU receives the notification, pulls the data from the guest and processes it
- After QEMU has completely handled the request, it pushes the result to the vring's out buffer
- A malicious guest can write corrupt data to QEMU through the vring

Attack from internal - virtio
- Every virtio device has one or more vqueues, and every vqueue has a handler to process data
- During device creation, the device registers the handler with the vqueue
- In the callback, it pops the request from the guest and then processes it
- Every virtio device has the same data processing model

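The pop step of the vqueue handler described above, as an added example that is not the talk's or QEMU's code: a walk over a split-ring descriptor chain in which every field the guest controls (index, address, length, next pointer) is validated before the back-end touches the buffer. The descriptor layout and VRING_DESC_F_NEXT follow the virtio specification; walk_chain, ram_size and the sample ring are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

#define VRING_DESC_F_NEXT 1   /* descriptor continues in desc[next] (virtio split ring) */

/* Split-ring descriptor layout as defined by the virtio specification */
struct vring_desc {
    uint64_t addr;    /* guest-physical address of the buffer */
    uint32_t len;     /* buffer length in bytes */
    uint16_t flags;
    uint16_t next;    /* index of the next descriptor in the chain */
};

/* Walks the chain starting at head, as a back-end does when it pops a request.
 * Every field is guest-controlled, so each step is validated:
 *   - the index must be inside the ring
 *   - the buffer must lie inside guest RAM without address wrap-around
 *   - the chain cannot be longer than the ring (which catches loops)
 * Returns the number of descriptors in the chain, or -1 on a malformed chain.
 * The function and ram_size are assumptions for this example. */
static int walk_chain(const struct vring_desc *desc, uint16_t num, uint16_t head,
                      uint64_t ram_size, uint64_t *total_len)
{
    uint16_t i = head;
    int count = 0;
    *total_len = 0;
    for (;;) {
        if (i >= num) {
            return -1;                   /* index outside the ring */
        }
        if (desc[i].addr > ram_size || desc[i].len > ram_size - desc[i].addr) {
            return -1;                   /* buffer outside guest RAM, checked without overflow */
        }
        *total_len += desc[i].len;
        if (++count > num) {
            return -1;                   /* longer than the ring itself: a looped chain */
        }
        if (!(desc[i].flags & VRING_DESC_F_NEXT)) {
            return count;
        }
        i = desc[i].next;
    }
}

/* Constructed sample ring: chain 0->1 is valid, chain 2->3->2 loops,
 * descriptor 4 wraps past the end of the address space, and descriptor 5
 * points at an index outside the ring. */
#define SAMPLE_NUM 6
#define SAMPLE_RAM_SIZE 0x10000u
static const struct vring_desc sample_ring[SAMPLE_NUM] = {
    { 0x1000, 0x100, VRING_DESC_F_NEXT, 1 },
    { 0x2000, 0x200, 0,                 0 },
    { 0x3000, 0x10,  VRING_DESC_F_NEXT, 3 },
    { 0x3100, 0x10,  VRING_DESC_F_NEXT, 2 },
    { 0xFFFFFFFFFFFFFF00ull, 0x200, 0,  0 },
    { 0x4000, 0x10,  VRING_DESC_F_NEXT, 9 },
};

int main(void)
{
    for (uint16_t head = 0; head < SAMPLE_NUM; head += 1) {
        uint64_t total = 0;
        int n = walk_chain(sample_ring, SAMPLE_NUM, head, SAMPLE_RAM_SIZE, &total);
        printf("head %u: %d descriptors, %llu bytes\n", head, n, (unsigned long long)total);
    }
    return 0;
}
```

A real back-end would additionally distinguish device-readable from device-writable descriptors and bound the total length, but the three checks above are the ones that stop a guest from steering the handler outside the ring or outside guest memory.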
Attack from internal - example
- VirtFS is a paravirtualized filesystem, used to share files between host and guest
- It uses the virtio model: there is a v9fs client in the guest and a v9fs server in QEMU, and they exchange data through the vring

Attack from internal - example
- v9fs has a vqueue handler for every request, like the v9fs_read function
- It unmarshals the arguments from the guest, and the most important thing is that the arguments are totally controlled by the guest
- A vulnerability occurs if the handler fails to do the sanity checking carefully

Attack from internal - example
We found a flaw in the v9fs driver. It is an integer overflow bug: write_count is a signed integer, but off and count are unsigned; when they do the subtraction, it causes an integer overflow, which then triggers a buffer overflow via memcpy.

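An added C example (not the talk's or QEMU's code) of the signed/unsigned clamp the slide describes: off and count are unsigned, write_count is signed, and the comparison against count silently converts the negative write_count to a huge unsigned value, so the buggy clamp returns the guest's count instead of zero. The fixed form validates the offset before subtracting. Function names and the 16-byte sample attribute are assumptions; only write_count, off and count are named on the slide.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Clamp logic in the shape the slide describes: off and count are unsigned,
 * write_count is signed. Function names are assumptions for this example. */
static ssize_t clamp_write_count_buggy(size_t xattr_len, size_t off, size_t count)
{
    /* size_t minus size_t wraps when off > xattr_len; storing the result in a
     * signed variable reinterprets it as a negative number */
    ssize_t write_count = xattr_len - off;
    /* Usual arithmetic conversions turn write_count into size_t for this
     * comparison, so a negative value compares as a huge positive one and the
     * clamp below picks the guest's count instead of zero. */
    if (write_count > count) {
        write_count = count;
    } else if (write_count < 0) {
        write_count = 0;                 /* never reached for a negative write_count */
    }
    return write_count;
}

/* Fixed form: reject the out-of-range offset before subtracting, so the
 * subtraction can neither wrap nor go negative. */
static ssize_t clamp_write_count_fixed(size_t xattr_len, size_t off, size_t count)
{
    if (off >= xattr_len) {
        return 0;
    }
    size_t remaining = xattr_len - off;
    return (ssize_t)(remaining < count ? remaining : count);
}

/* Copies the selected slice into dst. Returns the number of bytes copied, or -1
 * when the computed slice would read past the end of the attribute value, which
 * is what the memcpy in the vulnerable handler would have done. */
static ssize_t copy_xattr_slice(uint8_t *dst, size_t dst_len,
                                const uint8_t *xattr, size_t xattr_len,
                                size_t off, size_t count,
                                ssize_t (*clamp)(size_t, size_t, size_t))
{
    ssize_t write_count = clamp(xattr_len, off, count);
    if (write_count <= 0) {
        return write_count;              /* zero copies nothing */
    }
    if (off > xattr_len || (size_t)write_count > xattr_len - off
        || (size_t)write_count > dst_len) {
        return -1;                       /* refuse instead of reproducing the over-read */
    }
    memcpy(dst, xattr + off, (size_t)write_count);
    return write_count;
}

int main(void)
{
    /* constructed 16-byte attribute value and a guest request with off beyond it */
    uint8_t xattr[16];
    uint8_t dst[64];
    for (int i = 0; i < 16; i++) xattr[i] = (uint8_t)i;
    printf("buggy clamp: %zd, fixed clamp: %zd\n",
           clamp_write_count_buggy(16, 32, 64), clamp_write_count_fixed(16, 32, 64));
    printf("copy with buggy clamp: %zd, with fixed clamp: %zd\n",
           copy_xattr_slice(dst, sizeof dst, xattr, 16, 32, 64, clamp_write_count_buggy),
           copy_xattr_slice(dst, sizeof dst, xattr, 16, 32, 64, clamp_write_count_fixed));
    return 0;
}
```

For a 16-byte value, off = 32 and count = 64, the buggy clamp yields 64 (the copy would read 64 bytes starting 16 bytes past the end), while the fixed clamp yields 0.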
Attack from internal - third party library
- QEMU uses some third-party libraries, for example for the GPU virtio device
- virglrenderer is a third-party library, and the QEMU GPU device uses it to accelerate 3D rendering
- We found a lot of vulnerabilities in this library: CVE-2017-6386, CVE-2017-6355, CVE-2017-6317, CVE-2017-6210, CVE-2017-6209, CVE-2017-5994, CVE-2017-5993, CVE-2017-5957, CVE-2017-5956, CVE-2016-10214, CVE-2017-5937, CVE-2016-10163, CVE-2017-5580

Attack from internal - third party library
Vulnerabilities have been found in the functions in the red box on the slide, because they failed to check data carefully.
Let us recall the framework of virtio in the picture on the left.

Attack from external

Attack from external - vnc
- VNC is a desktop sharing system based on the RFB protocol
- QEMU has a built-in VNC server
- Several vulnerabilities have been found in this module

Attack from external - example
We found a DoS bug in the VNC module. When we set red_max to zero, it crashes QEMU via a divide by zero.

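As an added example rather than code from the talk or from QEMU, the C program below parses the RFB SetPixelFormat message (its layout comes from the RFB specification) and rejects a true-colour format whose red_max, green_max or blue_max is zero, so that a later scaling division by the client's max can no longer hit a zero divisor. parse_set_pixel_format, client_to_server_component and the two constructed messages are assumptions made for this example; red_max is the field named on the slide.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* PIXEL_FORMAT as carried in the RFB SetPixelFormat message: message type 0,
 * 3 bytes of padding, then this 16-byte structure (layout per the RFB spec). */
struct pixel_format {
    uint8_t bits_per_pixel, depth, big_endian, true_colour;
    uint16_t red_max, green_max, blue_max;
    uint8_t red_shift, green_shift, blue_shift;
};

#define SET_PIXEL_FORMAT_LEN 20   /* 1 type + 3 pad + 16 pixel format */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parses a SetPixelFormat message from a client. Returns 0 on success, -1 when
 * the message is short or of the wrong type, -2 when a max field is zero.
 * Rejecting zero here is the hardening: no conversion that divides by the
 * client's max can then be reached with a zero divisor.
 * The function and the error codes are assumptions for this example. */
static int parse_set_pixel_format(const uint8_t *msg, size_t len, struct pixel_format *pf)
{
    if (len < SET_PIXEL_FORMAT_LEN || msg[0] != 0) {
        return -1;
    }
    const uint8_t *p = msg + 4;
    pf->bits_per_pixel = p[0];
    pf->depth = p[1];
    pf->big_endian = p[2];
    pf->true_colour = p[3];
    pf->red_max = be16(p + 4);
    pf->green_max = be16(p + 6);
    pf->blue_max = be16(p + 8);
    pf->red_shift = p[10];
    pf->green_shift = p[11];
    pf->blue_shift = p[12];
    if (pf->true_colour && (pf->red_max == 0 || pf->green_max == 0 || pf->blue_max == 0)) {
        return -2;   /* a zero max would make every later division by it crash the server */
    }
    return 0;
}

/* Hypothetical conversion that scales a client component value back to the
 * server's 8-bit range. With client_max == 0 this is the kind of division that
 * would crash, so it is only called after parsing succeeded. */
static uint8_t client_to_server_component(uint16_t value, uint16_t client_max)
{
    return (uint8_t)(((uint32_t)value * 255u) / client_max);
}

/* Constructed messages: a normal 32bpp true-colour format and one with red_max = 0 */
static const uint8_t msg_ok[SET_PIXEL_FORMAT_LEN] = {
    0, 0, 0, 0,  32, 24, 0, 1,  0x00, 0xff,  0x00, 0xff,  0x00, 0xff,  16, 8, 0,  0, 0, 0 };
static const uint8_t msg_zero_red_max[SET_PIXEL_FORMAT_LEN] = {
    0, 0, 0, 0,  32, 24, 0, 1,  0x00, 0x00,  0x00, 0xff,  0x00, 0xff,  16, 8, 0,  0, 0, 0 };

int main(void)
{
    struct pixel_format pf;
    printf("normal message: %d\n", parse_set_pixel_format(msg_ok, sizeof msg_ok, &pf));
    printf("red_max = 0 message: %d\n",
           parse_set_pixel_format(msg_zero_red_max, sizeof msg_zero_red_max, &pf));
    return 0;
}
```

A rejected message should terminate the client connection rather than fall back to a default format, since the peer is the untrusted party here.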
Attack from external - spice
- SPICE is another way of remote access to the guest
- It has four parts: protocol, client, server and guest
- Vulnerabilities can exist in several places:
  QXL driver in guest -> device in QEMU; SPICE client -> SPICE server in QEMU

Attack from external - example
We discovered this issue on our own, but someone had already found it. This issue can be triggered by a remote client. When a client connects to the SPICE server in QEMU, it calls the reds_handle_read_link_done function; the link_mess variable is the packet pointer, and num_channel_caps and num_common_caps are all controlled by the remote client. This can trigger an integer overflow bug and then cause memory corruption.

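An added C example (not the talk's or SPICE's code) of the length check behind the issue described above: num_common_caps and num_channel_caps are client-controlled 32-bit counts, and adding them in 32 bits lets the sum wrap so that the capability words appear to fit in the packet. The hardened form bounds each count and compares in 64 bits against the bytes remaining in the packet. The struct link_mess layout, MAX_CAPS and both functions are assumptions; the field names come from the slide.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fields of the SPICE link message that matter here. The layout is a simplified
 * stand-in for the real message; num_common_caps, num_channel_caps and
 * link_mess are the names on the slide, MAX_CAPS and the functions are
 * assumptions for this example. */
struct link_mess {
    uint32_t connection_id;
    uint8_t  channel_type;
    uint8_t  channel_id;
    uint32_t num_common_caps;
    uint32_t num_channel_caps;
    uint32_t caps_offset;     /* byte offset of the capability words from the message start */
};

#define MAX_CAPS 64   /* generous upper bound on capability words per list */

/* The unsafe shape: two client-controlled uint32 counts are added in 32 bits.
 * If the sum wraps to a small value the check passes, and the server later
 * walks num_common_caps + num_channel_caps words that are not in the packet. */
static int caps_fit_buggy(const struct link_mess *m, uint32_t size)
{
    uint32_t total = m->num_common_caps + m->num_channel_caps;   /* wraps mod 2^32 */
    return m->caps_offset + total * sizeof(uint32_t) <= size;
}

/* Hardened form: bound each count, then do the arithmetic in 64 bits and
 * compare against the bytes that remain after caps_offset. */
static int caps_fit_fixed(const struct link_mess *m, uint32_t size)
{
    if (m->num_common_caps > MAX_CAPS || m->num_channel_caps > MAX_CAPS) {
        return 0;                 /* with both counts bounded the sum cannot wrap */
    }
    uint64_t needed = ((uint64_t)m->num_common_caps + m->num_channel_caps) * sizeof(uint32_t);
    if (m->caps_offset > size || needed > size - m->caps_offset) {
        return 0;                 /* overflow-safe: subtract before comparing */
    }
    return 1;
}

int main(void)
{
    /* constructed messages: a plausible one, and one whose counts sum to 2^32 */
    struct link_mess ok   = { 1, 0, 0, 2, 3, 18 };
    struct link_mess wrap = { 1, 0, 0, 0xFFFFFFFFu, 1, 18 };
    printf("ok message:   buggy %d, fixed %d\n", caps_fit_buggy(&ok, 38), caps_fit_fixed(&ok, 38));
    printf("wrap message: buggy %d, fixed %d\n", caps_fit_buggy(&wrap, 100), caps_fit_fixed(&wrap, 100));
    return 0;
}
```

The wrapping message passes the buggy check because 0xFFFFFFFF + 1 is 0 in 32-bit arithmetic, so zero bytes appear to be needed; the fixed check rejects it at the per-count bound before any addition happens.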
Attack from external - qmp
- HMP/QMP is used to interact with QEMU
- Lightweight, text-based data format
- Very useful, for example for capabilities negotiation, device (un)hotplug, ...

Attack from external - example
We found a flaw in the HMP module. It triggers an array out-of-range access, which then causes memory corruption.

Thoughts in QEMU security study

Thoughts in QEMU security study
- Auditing code by people, i.e. code review: limited by energy, brain memory, associative ability, ...
- Fuzzing: limited by comprehension of program behavior, ...
- Both ways have shortcomings

Thoughts in QEMU security study
- Fuzzing is using a model, repeatedly trying and learning
- Sometimes we can't establish the model or implement it
- So we would say "This flaw cannot be found by fuzzing"

Thoughts in QEMU security study
- The most efficient way to find bugs is: knowledge + fuzzing
- AFL knows just a little more about how the program runs, but it is far more efficient than dumb fuzzers
- Knowledge is important, fuzzing is efficient, the combination is complex: we continue improving our methods to find bugs, and may share new studies in the future

Thank you
Qiang Li && Zhibin Hu && Mei Wang
Gear Team, Qihoo 360 Inc