TechTalk Abusing The Hypervisor
Transcript of TechTalk Abusing The Hypervisor
TechTalk Abusing The Hypervisor
By: Piotr T. Zbiegiel
Introduction
What is a Hypervisor?
• A hypervisor is a piece of software that exists between the physical hardware and the virtual machines on a system. It mediates access from the VMs to the underlying hardware.
• Generally two types of hypervisors exist:
  • Type 1 – The hypervisor runs directly on the hardware (aka bare metal).
  • Type 2 – The system runs a standard operating system and the hypervisor is loaded within the context of that operating system.
• Some hypervisors don’t easily fit into one classification or the other.
[Diagram: Type 1 Hypervisor. Hardware → Hypervisor → VM 1 (OS, App 1, App 2), VM 2 (OS, App 1, App 2)]
Physical -> Virtual
• VMs possess virtual components and associated drivers that mirror physical counterparts.
• Displays
• Memory
• Disk
• Network
• These all present potential attack surfaces for exploiting the hypervisor or host operating system.
New *AND* Improved 0days?
• Before we dive into theoretical (and not so theoretical) hypervisor attacks it pays to talk about Duqu.
• Duqu exploited the font parsing engine in Windows to elevate privileges and execute code.
• Microsoft’s temporary workaround entailed disabling access to the TrueType font DLL.
• But how did the bad guys know to try this vector? Could it be that the font parsing engine had been patched before by Microsoft?
New *AND* Improved 0days? Cont’d
• Once a vulnerability is discovered in a given piece of software you can bet many more researchers will be looking for similar vulnerabilities elsewhere in the code.
• Depending on how (in)effective a vendor may be at patching, this could lead to numerous related vulnerabilities and attacks being discovered. Variations on a theme, if you will.
New *AND* Improved 0days? Cont’d
So what does this discussion of Duqu and zero-days have to do with hypervisor security?
It demonstrates two key points we should remember about securing kernels/hypervisors.
1. The less a kernel does the less target area there is to attack. (Why was the Windows kernel parsing fonts?)
2. Previously discovered vulnerabilities may be a good indication of future vulnerabilities. It may be prudent to limit access to modules compromised in the past if at all possible.
Low-level Intercept
• An attack theory where the malware would shim itself below an operating system, in between the system software and hardware.
• A malware hypervisor?
• The operating system would have no way to detect the infection since it wouldn’t exist within the universe of the operating system.
Consider that similar malware already exists.
• Kernel-level rootkits can hide from the operating system but are more akin to mind-control parasites that take over the host’s brain.
[Image: Ophiocordyceps unilateralis]
Virtual CPU & Memory
KVM breakout? Or Xen vulnerability
Blue Pill
• In 2006 Joanna Rutkowska debuted new malware that slipped below the target OS and virtualized it.
• Because the malware controlled all access to the underlying hardware it could “lie” to the operating system.
• Kernel-level root kits previously relied on modifying the kernel in an attempt to hide.
• Blue pill did not need to modify the operating system and could infect a running system.
• Joanna insisted that this new class of malware was undetectable.
A Hard Pill to Swallow
• Other security researchers had a problem with Joanna’s claim that the malware was undetectable.
• They claimed detection would be trivial using a timing attack.
• Debate on the subject raged on until the next year when a group of researchers challenged Joanna to a showdown at Black Hat 2007.
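As an added illustration of the timing-based detection the researchers proposed (this is not code from the talk): the program below times the CPUID instruction with RDTSC and flags a median cost above a threshold as hypervisor-like, since CPUID unconditionally exits to the hypervisor under VT-x/AMD-V. The threshold value, sample count and function names are assumptions chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>      /* __cpuid macro (GCC/Clang) */
#include <x86intrin.h>  /* __rdtsc() */
#endif
#define SAMPLES 2001
#define ASSUMED_VMEXIT_THRESHOLD 500 /* assumed heuristic in TSC ticks; calibrate on known-native hardware */
/* Time one CPUID with RDTSC. CPUID always causes a VM exit under VT-x/AMD-V, so a
 * guest pays hundreds to thousands of extra ticks per call. Returns 0 on non-x86 builds. */
static uint64_t time_one_cpuid(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    uint64_t start = __rdtsc();
    __cpuid(0, a, b, c, d);
    return __rdtsc() - start;
#else
    return 0;
#endif
}
static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}
/* Median rather than mean: interrupts and scheduler preemption add a few huge
 * outliers that would otherwise dominate the verdict. Returns 0 for n == 0. */
uint64_t median_u64(const uint64_t *samples, size_t n) {
    uint64_t *copy = n ? malloc(n * sizeof *copy) : NULL;
    if (!copy) return 0;
    memcpy(copy, samples, n * sizeof *copy);
    qsort(copy, n, sizeof *copy, cmp_u64);
    uint64_t m = copy[n / 2];
    free(copy);
    return m;
}
/* 1 = cost consistent with a VM exit, 0 = looks native, -1 = no measurement available. */
int classify_cpuid_cost(uint64_t median_ticks, uint64_t threshold_ticks) {
    if (median_ticks == 0) return -1;
    return median_ticks > threshold_ticks ? 1 : 0;
}

int main(void) {
    static uint64_t samples[SAMPLES];
    for (size_t i = 0; i < SAMPLES; i++) samples[i] = time_one_cpuid();
    uint64_t med = median_u64(samples, SAMPLES);
    printf("median CPUID cost: %llu ticks, verdict %d\n", (unsigned long long)med, classify_cpuid_cost(med, ASSUMED_VMEXIT_THRESHOLD));
    return 0;
}
```

The caveat that fuelled the debate applies here: a hypervisor can trap RDTSC or offset the guest's TSC, so a heuristic like this is only trustworthy against an external clock or a known-good baseline.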
Red vs. Blue (Pills)
• Joanna would secretly install her rootkit on one of two laptops.
• The researchers would then install their detection software and attempt to detect the malware.
• After some wrangling, including Joanna demanding up-front payment for her work on Blue Pill (to the tune of ~$400k)…the challenge never happened.
Today blue-pill type malware has never been detected in the wild.
• Because it doesn’t exist…
• Or because it is so undetectable? (The mystery continues…)
New Tech?
Old Attack Surfaces are New
Network Topology
Jails, Sandboxes, ???
Conclusion