1 Bluepilling the Xen Hypervisor. Joanna Rutkowska & Alexander Tereshkin, Invisible Things Lab. Black Hat USA 2008, August 7th, Las Vegas, NV
2 Xen 0wning Trilogy Part Three
3 Previously on Xen 0wning Trilogy...
4 Part I: Subverting the Xen Hypervisor, by Rafal Wojtczuk (Invisible Things Lab): Hypervisor attacks via DMA; TG3 network card manual attack; Generic attack using disk controller; Xen Loadable Modules framework :); Hypervisor backdooring; DR backdoor; Foreign backdoor
5 Part II: Detecting and Preventing the Xen Hypervisor Subversions, by Rafal Wojtczuk & Joanna Rutkowska: Latest Xen security features; How they fail: Q35 exploit; How they fail: FLASK exploit; The need for hypervisor integrity checks! Introducing HyperGuard!
6 Now, in this part...
7 1. Nested virtualization ("Matrix inside Matrix") 2. BluePillBoot 3. XenBP: Bluepilling the Xen hypervisor on the fly! 4. Bluepilled Xen detection
21 Hypervisors expect to have GIF=1 when VMEXIT occurs... They might not be prepared to handle interrupts just after VMEXIT from guests! ... but when we resume the nested hypervisor, the CPU sets GIF=1, because we do this via VMRUN, not VMEXIT...
22 Getting around the GIF Problem: We need to emulate that GIF is 0 for the nested hypervisor. We stop this emulation when: the nested hypervisor executes STGI; the nested hypervisor executes VMRUN. How do we emulate it?
23 GIF0 emulation: VMCB1.V_INTR_MASKING = 1; Host's RFLAGS.IF = 0; Intercept NMI, SMI, INIT, #DB and hold (i.e. record and reinject) or discard them until we stop the emulation
24 Additional details: Need to also intercept VMLOAD/VMSAVE; Need to virtualize VM_HSAVE_PA; ASID conflicts
25 Conflicting ASIDs! Hypervisor: ASID = 0; Nested Hypervisor: ASID = 1 (but thinks that it has ASID = 0); Nested Guest: ASID = 1 (assigned by the nested hypervisor)
26 But we can always reassign the ASID in the VMCB prim that we use to run the nested guest.
27 Performance Impact: One additional #VMEXIT on every #VMEXIT that would occur in a non-nested scenario; One additional #VMEXIT when the nested hypervisor executes: STGI, CLGI, VMLOAD, VMSAVE; Lots of space for optimization though
28 Intel VT-x
29 Nested virtualization on VT-x: No GIF bit - no need to emulate GIF0 for the nested hypervisor :) No Tagged TLB - No ASID conflicts :) However: VMX instructions can take memory operands - need to use complex operand parser; No tagged TLB - potentially bigger performance impact
30 Nested VT-x: Status: We have that working! The VT-x nesting code cannot be published though :(
31 Who else does Nested (hardware-based) Virtualization?
32 IBM z/VM hypervisor on IBM System z mainframe: "Running z/VM in a virtual machine (that is, z/VM as a guest of z/VM, also known as second-level z/VM) is functionally supported but is intended only for testing purposes for the second-level z/VM system and its guests (called third-level guests)" (hcsf8b22.pdf). [Image: IBM System z10, source: ibm.com]
51 We allocate a block of memory for XBP inside Xen hypervisor -- this memory is used for both the XBP's code and data and heap
52 Demo: Bluepilling the Xen on the fly...
54 On Xen 3.3 we need to use Q35 exploit instead of direct hdd (see the talk #2)
55 Bluepilled Xen: Detection
56 Detecting a VMM is now not enough...
57 ... as we know there is already one VMM in the system (i.e. the Xen)...
58 We can only try direct timing analysis to see if #VMEXITs take longer to execute... (than on non-bluepilled Xen)
59 Impact on PV domains
60 [Diagram: BluePill hypervisor; ring 3 PV domains and Dom0; VMRUN gives #GP, not #VMEXIT!] We don't need to intercept anything besides VMRUN (and optionally VMLOAD, VMSAVE, STGI, CLGI) -- all those instructions cause #GP when executed in PV guests (including Dom0)
61 On AMD! 0 On Intel we have obligatory intercepts (CPUID, INVD, MOV CR3).
62 Impact on HVM domains
63 HVM domains: impact on #vmexit time (RDMSR intercept on AMD). [Chart, axis in kcycles; series: Full Nested Virtualization; - VMCB rewriting; - CLGI/STGI interception; - VMLOAD/VMSAVE interception; Native Xen (baseline)]
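The direct timing analysis from slide 58, as an added example that is not part of the original slides: it compares per-operation #VMEXIT timings from the system under test against timings recorded on a known-good Xen host. All sample values and both thresholds are constructed assumptions; collecting the samples (for instance by timing an intercepted RDMSR in an HVM guest) is outside the sketch.

```python
from statistics import median

# Constructed samples, in kcycles per intercepted operation (not from the slides).
# Each series contains one large outlier, as an interrupt landing inside the
# measurement window would produce.
BASELINE = [2.10, 2.08, 2.12, 2.09, 2.11, 2.10, 9.70, 2.07, 2.13, 2.10]
CLEAN    = [2.11, 2.09, 2.10, 2.14, 2.08, 2.12, 2.10, 2.09, 8.90, 2.11]
NESTED   = [4.35, 4.40, 4.31, 4.38, 4.42, 4.36, 12.5, 4.33, 4.39, 4.37]


def robust_stats(samples):
    """Return (median, MAD); both resist the occasional interrupted sample."""
    m = median(samples)
    mad = median(abs(s - m) for s in samples)
    return m, mad


def trim_outliers(samples, k=5.0):
    """Drop samples further than k * MAD from the median."""
    m, mad = robust_stats(samples)
    limit = k * max(mad, 1e-9)
    return [s for s in samples if abs(s - m) <= limit]


def assess(baseline, observed, min_ratio=1.5, min_z=6.0):
    """Compare observed #VMEXIT timings with a known-good baseline.

    min_ratio and min_z are assumed thresholds. Slide 27 states that nesting
    adds one #VMEXIT for every #VMEXIT of the non-nested case, so a ratio
    near or above 2 is the pattern of interest.
    """
    base = trim_outliers(baseline)
    obs = trim_outliers(observed)
    base_med, base_mad = robust_stats(base)
    obs_med, _ = robust_stats(obs)
    ratio = obs_med / base_med
    # 1.4826 * MAD estimates the standard deviation for normal-like noise.
    z = (obs_med - base_med) / (1.4826 * max(base_mad, 1e-9))
    return {
        "baseline_median": base_med,
        "observed_median": obs_med,
        "ratio": ratio,
        "z": z,
        "suspicious": ratio >= min_ratio and z >= min_z,
    }


if __name__ == "__main__":
    for name, series in (("clean", CLEAN), ("nested", NESTED)):
        r = assess(BASELINE, series)
        print(f"{name}: median={r['observed_median']:.2f} kcycles "
              f"ratio={r['ratio']:.2f} z={r['z']:.1f} "
              f"suspicious={r['suspicious']}")
```

The baseline has to come from the same hardware, Xen build and guest configuration, since the comparison is only as good as the reference it is measured against.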