Compromise-as-a-Service

Similar documents
Virtualization. Pradipta De

Full and Para Virtualization

Attacking Hypervisors via Firmware and Hardware

Virtualization. Types of Interfaces

Securing your Virtual Datacenter. Part 1: Preventing, Mitigating Privilege Escalation

Enabling Technologies for Distributed and Cloud Computing

Cloud Computing #6 - Virtualization

Enabling Technologies for Distributed Computing

Uses for Virtual Machines. Virtual Machines. There are several uses for virtual machines:

Distributed Systems. Virtualization. Paul Krzyzanowski

CPET 581 Cloud Computing: Technologies and Enterprise IT Strategies. Virtualization of Clusters and Data Centers

Virtualization Technology. Zhiming Shen

Cloud^H^H^H^H^H Virtualization Technology. Andrew Jones May 2011

Basics in Energy Information (& Communication) Systems Virtualization / Virtual Machines

Virtualization System Security

FRONT FLYLEAF PAGE. This page has been intentionally left blank

Hypervisors and Virtual Machines

COS 318: Operating Systems. Virtual Machine Monitors

Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor?

Virtualization. Jukka K. Nurminen

IOS110. Virtualization 5/27/2014 1

Virtualization Technologies (ENCS 691K Chapter 3)

The Art of Virtualization with Free Software

Virtualization. Dr. Yingwu Zhu

Virtualization Technologies

Hypervisors. Introduction. Introduction. Introduction. Introduction. Introduction. Credits:

Virtualization and the U2 Databases

Windows Server Virtualization & The Windows Hypervisor

Chapter 5 Cloud Resource Virtualization

Nested Virtualization

Enterprise-Class Virtualization with Open Source Technologies

Virtualization. Michael Tsai 2015/06/08

VIRTUALIZATION 101. Brainstorm Conference 2013 PRESENTER INTRODUCTIONS

Virtualization with Windows

Knut Omang Ifi/Oracle 19 Oct, 2015

Chapter 2 Addendum (More on Virtualization)

Cloud Computing CS

Basics of Virtualisation

Comparing Free Virtualization Products

Cloud Computing. Dipl.-Wirt.-Inform. Robert Neumann

Building Docker Cloud Services with Virtuozzo

Intel Virtualization Technology Overview Yu Ke

From Hypervisors to Clouds

COM 444 Cloud Computing

Intro to Virtualization

Lecture 2 Cloud Computing & Virtualization. Cloud Application Development (SE808, School of Software, Sun Yat-Sen University) Yabo (Arber) Xu

Virtualization. Jia Rao Assistant Professor in CS

9/26/2011. What is Virtualization? What are the different types of virtualization.

Chapter 14 Virtual Machines

Virtual Machine Security

GUEST OPERATING SYSTEM BASED PERFORMANCE COMPARISON OF VMWARE AND XEN HYPERVISOR

Stephen Coty Director, Threat Research

Survey On Hypervisors

Data Centers and Cloud Computing

Virtual Machines. COMP 3361: Operating Systems I Winter

Virtual machines and operating systems

VMware and CPU Virtualization Technology. Jack Lo Sr. Director, R&D

Introduction to Virtual Machines

A quantitative comparison between xen and kvm

IBM Tivoli Composite Application Manager for Microsoft Applications: Microsoft Hyper-V Server Agent Version Fix Pack 2.

Jukka Ylitalo Tik TKK, April 24, 2006

CS 695 Topics in Virtualization and Cloud Computing. More Introduction + Processor Virtualization

Hypervisor Software and Virtual Machines. Professor Howard Burpee SMCC Computer Technology Dept.

Virtualization. ! Physical Hardware. ! Software. ! Isolation. ! Software Abstraction. ! Encapsulation. ! Virtualization Layer. !

Intel Virtualization Technology (VT) in Converged Application Platforms

Virtualization. P. A. Wilsey. The text highlighted in green in these slides contain external hyperlinks. 1 / 16

Thomas Fahrig Senior Developer Hypervisor Team. Hypervisor Architecture Terminology Goals Basics Details

Introduction to Virtualization & KVM

Virtualization for Cloud Computing

Attacking Hypervisors via Firmware and Hardware

Virtualization and Other Tricks.

Virtualization System Vulnerability Discovery Framework. Speaker: Qinghao Tang Title:360 Marvel Team Leader

A cure for Virtual Insanity: A vendor-neutral introduction to virtualization without the hype

Distributed System Monitoring and Failure Diagnosis using Cooperative Virtual Backdoors

Understanding Full Virtualization, Paravirtualization, and Hardware Assist. Introduction...1 Overview of x86 Virtualization...2 CPU Virtualization...

MODULE 3 VIRTUALIZED DATA CENTER COMPUTE

Distributed and Cloud Computing

matasano Hardware Virtualization Rootkits Dino A. Dai Zovi

CSE 501 Monday, September 09, 2013 Kevin Cleary

RPM Brotherhood: KVM VIRTUALIZATION TECHNOLOGY

Virtualization in Linux KVM + QEMU

Hybrid Virtualization The Next Generation of XenLinux

A Survey on Virtual Machine Security

VMware Security Briefing. Rob Randell, CISSP Senior Security Specialist SE

Brian Walters VMware Virtual Platform. Linux J. 1999, 63es, Article 6 (July 1999).

Installing & Using KVM with Virtual Machine Manager COSC 495

NoHype: Virtualized Cloud Infrastructure without the Virtualization

Anh Quach, Matthew Rajman, Bienvenido Rodriguez, Brian Rodriguez, Michael Roefs, Ahmed Shaikh

The Microsoft Windows Hypervisor High Level Architecture

Virtual Machine Monitors. Dr. Marc E. Fiuczynski Research Scholar Princeton University

Cloud Architecture and Virtualisation. Lecture 4 Virtualisation

KVM: A Hypervisor for All Seasons. Avi Kivity avi@qumranet.com

Hardware Based Virtualization Technologies. Elsie Wahlig Platform Software Architect

Development of Type-2 Hypervisor for MIPS64 Based Systems

Virtual Machines. Virtualization

RUNNING vtvax FOR WINDOWS

Best Practices for Virtualised SharePoint

Networking for Caribbean Development

Transcription:

ERNW GmbH Carl-Bosch-Str. 4 D-69115 Heidelberg 3/31/14 Compromise-as-a-Service Our PleAZURE Felix Wilhelm & Matthias Luft {fwilhelm, mluft}@ernw.de

ERNW GmbH Carl-Bosch-Str. 4 D-69115 Heidelberg Agenda Azure & Hyper-V: The research project Clouds & Hypervisors: A taxonomy of attack vectors Hyper-V: Architecture & research

Azure & Hyper-V

#4 Background Government research project - together with http:/www.thinktecture.com/ - Thanks, guys! Scope: Overall security posture of the Azure Cloud - Network security - VM Isolation - - Management interfaces

#5 Security Objectives Technical objectives, ignoring privacy here Availability Isolation! - Or, in a more classical way, safeguarding the confidentiality and integrity of clients against each other.

#6 Taxonomy of Technical Cloud Attack Vectors Runtime Breakout Cloud infrastructure!= hosted environments - Covering CPU, memory, devices. See later. Storage breakout - Think: Directory traversal/weak ACLs on backend storage. Network isolation failure - Think: Eavesdropping on traffic of other VMs. Management interfaces - Think: BO/SQLi in web service, weak passwords. Scope of this talk: Runtime breakouts ;)

#7 Fabric Utility Fabric Controller [ ] Datacenter Routers

#8 Cluster Fabric Controller Rack 1 Rack x Aggregation Router & Load Balancer 3826-6045- 3133-9860- 9051 Rack 20

#9 Rack Node 1 Node x Node 50

#10 Compute Node Compute Node root OS Fabric Agent Guest VM Host Agent Virtual Hard Drive [...] Guest VM Host Agent Virtual Hard Drive Azure Hypervisor Hardware CPU (cores), RAM, local hard drive,...

#11 the Cloud?

Hypervisor > * Or: Runtime Breakouts

Type 1 vs. Type 2 Source: Wikipedia 3/31/14 #13

#14 Full vs. Para vs. HW Full Virtualization - A.k.a. Binary Translation Trap privileged call Translate (VMM) Execute Para-Virtualization Direct call to VMM from Guest OS VMM hands over to Host OS ExecuLon Hardware-assisted Virtualization Hardware Trap privileged call Handover to VMM Execute

#15 Parts of an Hypervisor Device virtualization Memory management & isolation CPU scheduling & isolation Management interfaces Additional APIs

ERNW GmbH Carl-Bosch-Str. 4 D- 69115 Heidelberg #16 Vulnerability History Hypervisor Breakout 2007: VMftp 2009: VMware Cloudburst 2011: Virtunoid KVM Breakout 2012: VMSA-12-009 2012: VMDK Has Left The Building 2012: Xen SYSRET 2013: MS13-092 2014: VirtualBox HGCM 2014: VirtualBox Chromium Breakout

Virtual Air Gap VMware isn't an additional security layer: It's just another layer to find bugs in Kostya Kortchinsky/Immunity/Cloudburst, 2009 3/31/14 #17

#18 SCNR ;-)

#19 Taxonomy As for Hypervisors Instruction set - Full support of x86 necessary which is difficult! - What about processor errata? Management & additional channels - Look at the previous examples Monitoring & Caches - Lots of side channels Memory management & devices - Ever looked at the QEMU CVE history? ;-)

Hyper-V Seriously, there is just no Hyper-V Logo available.

#21 Why Hyper-V? Supposedly, very little research so far - Only one DoS bug in 2009, reverse engineered from a patch. Used in a variety of corporate environments. - Including Azure!

#22 5386-1314- 9433-4777- 3077 Azure Hypervisor A.k.a. Hyper-V?

#23 Versions Azure Hypervisor Hyper-V

#24 Hyper-V Type 1 hypervisor - Bare metal VMs are called partitions - Root Partition performs management duties. - Creation, Configuration, Destruction - Logging Uses Intel VT instruction set for hardware based virtualization Support for unenlightened + englightened systems - Enlightened = Explicit support for Hyper-V. Requires guest modification.

Source: hnp://msdn.microsor.com/de- de/library/cc768520(en- us).aspx 3/31/14 #25!

#26 Attack Surface

#27 Attack Surface Concentrated on mapping the attack surface Three interesting attack vectors: - VM Exits - Hypercalls - VMBus

Hyper V Hardwareassisted Virtualization Intel version is based on Intel VMX (virtual-machine extensions) Adds an additional privilege ring - VMX root vs. VMX non root Transitions between hypervisor and guest system - VM exits - VM entries 3/31/14 #28

#29 VM Exits Can be triggered on purpose - VMCALL Or as effect of executing privileged instructions - Which instructions are considered privileged depends on the hypervisor - Access to system registers - VMX instructions - RDRAND And much more.. - Interrupts - APIC

#30 VM Exits VM Exits need to be transparent to guest - Requires emulation of privileged instructions Enlightenment requires way to query Hyper-V version and features - Implemented using cpuid instruction - Return values contain Hyper-V version + guest permissions

#31 Hypercalls 1747-8640- 2533-9505- 2870 Like system calls but for communication between VM kernel and hypervisor Documented interface - And known security boundary Used by enlightened partitions to improve performance Root partition manages other partition using hypercalls

#32 VMBus Message bus for communication between partitions Default configuration: - Only communication to and from root partition allowed Memory pages that are mapped for multiple partitions - Heavily used for performance critical tasks in enlightened partitions - Think network devices Large attack surfaces

#33 Attack Surface VMBus as a very promising target - But, possibly large differences between Azure and Normal implementation VM Exit handling - Especially special cases and error conditions - Requires high insight into processor internals - We are not Gal Diskin J Hypercalls - Documented API - Isolated functions - Low hanging fruits J

#34 Expectations Minimal feature set inside Hypervisor itself - Small code base (2MB) - Around 60k lines of C + assembly code - Compared to 50M LOC in Windows Server Only 1 serious (public) vulnerability until 2013 - VMBus Denial-of-Service

#35 Formal verification

#36 Microsoft SDL

#37 à Low Expectations

#38.. two days later J

#39 Root cause analysis Crashing was easy - Understanding the bug is the hard part Hyper-V is mainly implemented Hvix64.exe (Intel) and Hvax64.exe (AMD) Unfortunately no public debugging symbols available L However some symbols can be ported from winload.exe and hvloader.exe - Networking Code, USB Stack, Debugger implementation - Full credit to Gerhart from securitylab.ru for this idea!

Debugging Debugging via WinDBG is supported - Serial Port, Firewire, Ethernet Fortunately no dedicated hardware is needed - Vmware supports nested virtualization Hyper-V specific functionality requires hvexts.dll - Not publicly available - Have a copy? Drop us a mail J 3/31/14 #40

#41 The Bug Hypercall interface: - VM executes vmcall instruction - Arguments are passed in registers (for slowcalls): - RCX = Hypercall number - RDX = Guest Physical Address of Input Data - R8 = Guest Physical Address of Output Data Multiple checks before hypercall handler is called - Valid hypercall number - Alignment of GPA addresses - Hypercall comes from Ring0 -.

#42 The Bug Check upper boundary of Input GPA Error condition will result in execution of EPT error handler

#43 The Bug Input address is used as index into the extended page table. Classic Out-of-Boundary access The trigger? - hypercall(0xxy, input_address = 0x4141414141414141...)

#44 Fixed with MS13-092 Denial of Service of complete hypervisor Potentially privilege escalation to other virtual machines Azure affected!

#45 Privilege Escalation / Breakout? Can not be used to get memory write corruption - We tried L However, exploitation of logic errors seems to be possible - Unfortunately nothing presentable (yet)

#46 Demo

#47 Conclusions Hypervisor security & research is not hard. Hypervisor security & research is hard. Even verified code contains bugs which can easily be exploited. Still traversing the layers there is lot of fun to be explored. Virtualization is an additional layer to exploit hypervisors gain features, but not security! Make the theoretical practical.

There s never enough time THANK YOU...for yours! Felix Wilhelm fwilhelm@ernw.de @_fel1x Matthias Luft mluft@ernw.de @uchi_mata

Sources & Mentions Gal Diskin, Virtually Impossible Gerhart, http://www.securitylab.ru/contest/ 444112.php Hypervisor Functional Specification, Microsoft 3/31/14 #49

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information