Hypervisor Memory Forensics



Similar documents
Under the Hood: How Actaeon Unveils Your Hypervisor

Y R O. Memory Forensics: A Volatility Primer M E M. Mariano Graziano. Security Day - Lille1 University January Lille, France

Hypervisor Memory Forensics

Nested Virtualization

Virtualization in Linux KVM + QEMU

Nested Virtualization

Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor?

Uses for Virtual Machines. Virtual Machines. There are several uses for virtual machines:

IOS110. Virtualization 5/27/2014 1

Compromise-as-a-Service

Hypervisor Software and Virtual Machines. Professor Howard Burpee SMCC Computer Technology Dept.

kvm: Kernel-based Virtual Machine for Linux

Nested Virtualization

Virtualization. ! Physical Hardware. ! Software. ! Isolation. ! Software Abstraction. ! Encapsulation. ! Virtualization Layer. !

Taming Hosted Hypervisors with (Mostly) Deprivileged Execution

Full and Para Virtualization

Intel Virtualization Technology Overview Yu Ke

Cloud^H^H^H^H^H Virtualization Technology. Andrew Jones May 2011

A Hypervisor IPS based on Hardware assisted Virtualization Technology

Virtualization Technology. Zhiming Shen

Installing & Using KVM with Virtual Machine Manager COSC 495

RPM Brotherhood: KVM VIRTUALIZATION TECHNOLOGY

Virtualization for Cloud Computing

How To Create A Cloud Based System For Aaas (Networking)

A cure for Virtual Insanity: A vendor-neutral introduction to virtualization without the hype

Virtual machines and operating systems

OPEN SOURCE VIRTUALIZATION TRENDS. SYAMSUL ANUAR ABD NASIR Warix Technologies / Fedora Community Malaysia

Virtualization with Windows

CSE 501 Monday, September 09, 2013 Kevin Cleary

CS5460: Operating Systems. Lecture: Virtualization 2. Anton Burtsev March, 2013

9/26/2011. What is Virtualization? What are the different types of virtualization.

Virtualization Technologies

Attacking Hypervisors via Firmware and Hardware

Virtualization Forensics: Acquisition and analysis of a clustered VMware ESXi servers

Comparing Free Virtualization Products

Virtualization VMware Inc. All rights reserved

Definitions. Hardware Full virtualization Para virtualization Hosted hypervisor Type I hypervisor. Native (bare metal) hypervisor Type II hypervisor

Virtualization. Types of Interfaces

VMware Server 2.0 Essentials. Virtualization Deployment and Management

Enabling Technologies for Distributed and Cloud Computing

Virtualization. Pradipta De

Hypervisors and Virtual Machines

Detection of virtual machine monitor corruptions

Enabling Technologies for Distributed Computing

Virtualization. Jukka K. Nurminen

CPET 581 Cloud Computing: Technologies and Enterprise IT Strategies. Virtualization of Clusters and Data Centers

matasano Hardware Virtualization Rootkits Dino A. Dai Zovi

Knut Omang Ifi/Oracle 19 Oct, 2015

Attacking Hypervisors via Firmware and Hardware

Clouds, Virtualization and Security or Look Out Below

Cloud Architecture and Virtualisation. Lecture 4 Virtualisation

Hyper-V R2: What's New?

Machine Virtualization: Efficient Hypervisors, Stealthy Malware

RED HAT ENTERPRISE VIRTUALIZATION & CLOUD COMPUTING

Introduction to Virtual Machines

AMD 64 Virtualization

Comparing Virtualization Technologies

Performance Comparison of VMware and Xen Hypervisor on Guest OS

Brian Walters VMware Virtual Platform. Linux J. 1999, 63es, Article 6 (July 1999).

RUNNING vtvax FOR WINDOWS

13.1 Backup virtual machines running on VMware ESXi / ESX Server

CLOUD COMPUTING & SECURITY -A PRACTICAL APPROACH

Virtualization Technology (or how my Windows computer gave birth to a bunch of Linux computers)

Virtualization. P. A. Wilsey. The text highlighted in green in these slides contain external hyperlinks. 1 / 16

Cloud Computing CS

2010 Virtualization and Cloud Computing Survey

Virtual Machines. Virtual Machine (VM) Examples of Virtual Systems. Types of Virtual Machine

Virtual Machines. Virtualization

Beyond the Hypervisor

Kernel Virtual Machine

KVM KERNEL BASED VIRTUAL MACHINE

Anh Quach, Matthew Rajman, Bienvenido Rodriguez, Brian Rodriguez, Michael Roefs, Ahmed Shaikh

Lecture 2 Cloud Computing & Virtualization. Cloud Application Development (SE808, School of Software, Sun Yat-Sen University) Yabo (Arber) Xu

ZEN LOAD BALANCER EE v3.04 DATASHEET The Load Balancing made easy

Virtualizare sub Linux: avantaje si pericole. Dragos Manac

VMware and CPU Virtualization Technology. Jack Lo Sr. Director, R&D

Data Centers and Cloud Computing

Virtualization. Jia Rao Assistant Professor in CS

Bluepilling the Xen Hypervisor

Cloud Computing #6 - Virtualization

Introduction to Virtualization & KVM

Options in Open Source Virtualization and Cloud Computing. Andrew Hadinyoto Republic Polytechnic

Virtual Machines. COMP 3361: Operating Systems I Winter

Operating Systems Virtualization mechanisms

Using Linux as Hypervisor with KVM

Security Challenges in Virtualized Environments

Virtualization. Michael Tsai 2015/06/08

Understanding Full Virtualization, Paravirtualization, and Hardware Assist. Introduction...1 Overview of x86 Virtualization...2 CPU Virtualization...

Setting up Windows Phone 8 environment in VMWare

Course Title: Virtualization Security, 1st Edition

Virtualization and the U2 Databases

JOB ORIENTED VMWARE TRAINING INSTITUTE IN CHENNAI

Transcription:

Hypervisor Memory Forensics Mariano Graziano and Davide Balzarotti SANS DFIR EU SUMMIT October 2013 - Prague

S3 GROUP

S3 GROUP

Actaeon Memory forensics of virtualization environments Locate any Intel Hardware assisted Hypervisor Detect nested Virtualization Transparent Guest Introspection

Actaeon [Use Cases] Hypervisors are everywhere: Xen, KVM, VirtualBox, Vmware, Hyper-V, bhyve Cloud (Amazon, Microsoft, Google, Apple) Domestic use (Running multiple operating systems) Security Solutions (Sandboxes, DeepDefender, Bromium etc) POC Malware (BluePill, Vitriol) The forensics community needs tools for digital investigations of virtual environments

What Actaeon is NOT Real time hypervisor detector Physical memory dumper Hypervisor-based malware detector

Actaeon framework VMCS memory layout dumper Hyperls Volatility patch for guest introspection

VMCS Dumper [Theory] Intel gives process level support for virtualization There are 2 main VMX operations: root and non root *From the Intel Manual

VMCS Dumper [VMCS] Virtual Machine Control Structure VMCS controls both VMX non root operation and VMX transitions The format to store the VMCS data is implementation specific Every field is associated with a 32 bit value (its encoding) used by VMREAD/VMWRITE instructions The VMCS data is divided in 6 groups

VMCS Dumper [Reversing] Custom Hypervisor initialization code (based on HyperDbg) : VMCS memory region allocation Fill the region with an 16 bit incremental counter Perform VMREAD operations Same approach valid for nested VMCS structures

VMCS Dumper [Demo] DEMO

Hyperls [Scanning] Memory scanner looking for VMCS structures We use selected VMCS fields: REVISION_ID VMX_ABORT_INDICATOR VMCSLINKPOINTER HOST_CR4 These fields cannot be obfuscated

Hyperls [Validation] HOST_CR3 property: The HOST_CR3 register points to the hypervisor page tables The page tables need to map the page containing the VMCS For every VMCS candidate we extract the HOST_CR3 We walk the entire page tables We obtain all the allocated physical pages The VMCS is validated if and only if it is in the set of the allocated physical pages

Hyperls [Validation]

Hyperls [DEMO] DEMO 1

Hyperls [Nested] A guest virtual machine can run an hypervisor In x86 only one hypervisor is in root mode

Hyperls [DEMO NESTED] DEMO 2

Guest Introspection [EPT] Extended Page Tables (EPT): New Intel Hardware feature Address translation from Guest Physical Addresses (GPA) to Host Physical Addresses (HPA) It has different stages (very similar to IA-32e)

Guest Introspection [Algorithm] We extract the EPT_POINTER from the VMCS We translate, when required, all the GPA to HPA through the EPT table We patched Volatility to use this pointer during the address translation

Guest Introspection [DEMO] DEMO

Limitations Actaeon supports only Intel hardware assisted hypervisors (No AMD support, no paravirtualization) Actaeon supports EPT (no shadow page tables) Dump is not our concern (VT-d disabled)

Future Works We are working to support: Hyper-V Introspection for Linux Guests VMCS Shadowing VMWare ESXi AMD

Questions? Mariano Graziano graziano at eurecom dot fr @emd3l Davide Balzarotti balzarotti at eurecom dot fr @balzarot

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information