exploiting live virtual machine migration
play

Exploiting Live Virtual Machine Migration Jon Oberheide University - PowerPoint PPT Presentation

Jul 17, 2023 •122 likes •441 views

Exploiting Live Virtual Machine Migration Jon Oberheide University of Michigan February 21, 2008 Black Hat DC - Game Plan Introduction to VM migration Live migration security Exploiting live migration Future attacks and

  1. Exploiting Live Virtual Machine Migration Jon Oberheide University of Michigan February 21, 2008 Black Hat DC -

  2. Game Plan • Introduction to VM migration • Live migration security • Exploiting live migration • Future attacks and wrap-up Slide #2 Exploiting Live Virtual Machine Migration – Black Hat DC 2008

  3. Live VM Migration • Transfer of a VM from one physical machine to another with little or no service downtime High Availability Enhanced Mobility Dynamic Load Balancing Slide #3 Exploiting Live Virtual Machine Migration – Black Hat DC 2008

  4. Live Migration Methodology • Minimize service downtime • Minimize migration duration • Migration Types: • Stop-and-copy (S-C) • Demand-migration (D-M) • Iterative precopy (I-P) I-P D-M S-C High Downtime Hybrid Low Downtime Low Duration High Duration Slide #4 Exploiting Live Virtual Machine Migration – Black Hat DC 2008

  5. Stop and Copy • Stop source VM • Copy all pages over the network • Start destination VM Stop and Copy Longest Service Downtime Shortest Migration Duration Slide #5 Exploiting Live Virtual Machine Migration – Black Hat DC 2008

  6. Demand Migration • Copy over critical OS structures • Start destination VM • Page faults trigger network copy Demand Migration Shortest Service Downtime Longest Migration Duration Slide #6 Exploiting Live Virtual Machine Migration – Black Hat DC 2008

  7. Iterative Precopy • Iteratively copy pages over network • Keep copying dirtied pages until threshold • At threshold, stop source VM, copy remaining pages, start destination VM Iterative Precopy Balances Service Downtime and Migration Duration • Method used by VMware/Xen Slide #7 Exploiting Live Virtual Machine Migration – Black Hat DC 2008

  8. Game Plan • Introduction to VM migration • Live migration security • Exploiting live migration • Future attacks and wrap-up Slide #8 Exploiting Live Virtual Machine Migration – Black Hat DC 2008

  9. A Trip Down Memory Lane • Physical machines • Machine state protected by MMU/hardware • Physical attacks (firewire device DMA) • Virtual Machines • VM state protected by VMM/hypervisor • Software attacks (weak VMM isolation) Can we break any more isolation boundaries? Slide #9 Exploiting Live Virtual Machine Migration – Black Hat DC 2008

  10. A Trip Down Memory Lane Of course! Functionality always usurps security! • Migration-enabled VMs • Full VM state exposed to network • Trades off security for management capabilities • Authentication, confidentiality, isolation concerns Slide #10 Exploiting Live Virtual Machine Migration – Black Hat DC 2008

  11. VM Migration Security • Migration data plane • Network transit path over which migration occurs • Security of data plane • Unauthenticated, insecure migration data plane • Full access granted to VM state • OS/kernel memory • Application state • Sensitive data, passwords, keys, etc • VMware and Xen migrations vulnerable Slide #11 Exploiting Live Virtual Machine Migration – Black Hat DC 2008

  12. Breaching the Data Plane • Breach of data plane means game over • Entire virtual machine may be compromised • Kernel, userspace applications, data • Requirement for breach • Manipulate traffic along migration path between source and destination VMM • Need to perform MITM attack • ARP/DHCP spoofing • DNS spoofing/poisoning • IP/route hijacking Slide #12 Exploiting Live Virtual Machine Migration – Black Hat DC 2008

  13. Breaching the Data Plane • Passive Attacks • Snarf sensitive data, passwords, keys in memory • Active Attacks • Manipulate authentication services • sshd, /bin/login, pam, etc • Manipulate kernel structures • slip rootkits into memory Slide #13 Exploiting Live Virtual Machine Migration – Black Hat DC 2008

  14. Game Plan • Introduction to VM migration • Live migration security • Exploiting live migration • Future attacks and wrap-up Slide #14 Exploiting Live Virtual Machine Migration – Black Hat DC 2008

  15. Exploiting VM Migration • Xensploit • Non-weapons-grade proof-of-concept tool • Works against Xen and VMware migrations • Attack classes • VM application/userland exploits • OS/kernel exploits • VMM subversion Slide #15 Exploiting Live Virtual Machine Migration – Black Hat DC 2008

  16. VM Application Exploits • sshd authentication bypass • Identify pubkey authentication routines • Manipulate to allow unrestricted root access • Access wide-open after migration completes • Cron daemon shellcode injection • Privileged, inconspicuous daemon • Inject HTTP GET + execve shellcode • Payload fetch/exec on next find_jobs invocation Slide #16 Exploiting Live Virtual Machine Migration – Black Hat DC 2008

  17. Exploitation Example sshd authentication bypass • Before migration: • attacker denied access to VM • During migration • Xensploit manipulates the in-memory object code of sshd as it crosses the wire • After migration • attacker achieves unrestricted root access to VM Slide #17 Exploiting Live Virtual Machine Migration – Black Hat DC 2008

  18. Before Migration • Attacker attempts to gain root access to the target virtual machine via ssh • Attacker is denied access to the VM Slide #18 Exploiting Live Virtual Machine Migration – Black Hat DC 2008

  19. sshd Authentication Code • Source code from OpenSSH's auth2-pubkey.c: Slide #19 Exploiting Live Virtual Machine Migration – Black Hat DC 2008

  20. During Migration • Xensploit manipulates the object code of sshd's authentication routines as it crosses the wire • Xensploit injects a mov $0x1,%eax instruction into user_key_allowed2, returning 1 (true) Slide #20 Exploiting Live Virtual Machine Migration – Black Hat DC 2008

  21. After Migration • Attacker again attempts to gain root access via ssh on the target virtual machine • No authentication is necessary as sshd's routines have been manipulated by Xensploit • Root access is granted to the attacker Slide #21 Exploiting Live Virtual Machine Migration – Black Hat DC 2008

  22. VM Kernel Exploits • Kernel manipulation • Direct access to in-memory kernel image • More complexity but more power • Leverage all your DMA attack payloads • Stealthy backdoor drop • network/syscall/ioctl trigger • Full-blown VMBR hoisting Slide #22 Exploiting Live Virtual Machine Migration – Black Hat DC 2008

  23. VMBR Hoisting • Virtual Machine-Based Rootkits • Slip in extra virt layer a la SubVirt/Blue Pill/Vitriol Slide #23 Exploiting Live Virtual Machine Migration – Black Hat DC 2008

  24. Subverting the VMM • Mangle migration payload • Exploit a vulnerability and subvert VMM • Leverage Xen dom0 vulns • Present in Xen daemon migration routines • <= 3.1.0 release vulnerable • Undoubtedly more... • Instantly own all hosted VMs • And all future migrated VMs! Slide #24 Exploiting Live Virtual Machine Migration – Black Hat DC 2008

  25. Subverting the VMM • Xen's libxc/xc_domain_restore.c: • No check for signed integer j < 0 • Stack overflow of region_pfn_type in Xen VMM Slide #25 Exploiting Live Virtual Machine Migration – Black Hat DC 2008

  26. Game Plan • Introduction to VM migration • Live migration security • Exploiting live migration • Future attacks and wrap-up Slide #26 Exploiting Live Virtual Machine Migration – Black Hat DC 2008

  27. Additional Attacks Lots more juice in the migration orange! • Fraudulent migration requests • Owned VMMs snarfing up VMs • False resource advertising • Migration-enabled load balancing • Future attacks inevitable • Increased functionality • Increased complexity • Increased security risk Slide #27 Exploiting Live Virtual Machine Migration – Black Hat DC 2008

  28. Just Encrypt It, Stupid! • Encryption goes a long way! • Fingerprinting migrations • Reconnaissance / targeting • Enabled by iterative-precopy method • Similar to VBR attacks • Increased complexity • Full PKI adds considerable deployment complexity • Not currently implemented! Slide #28 Exploiting Live Virtual Machine Migration – Black Hat DC 2008

  29. Vendor Response • VMware • Use separate network for migration paths • Use hardware-based crypto cards • VMotion/Virtual Infrastructure 3 vulnerable • XenSource • Consult vendor/distribution for security fixes • Latest open-source release still at risk • Unsure of migration status in XenServer4 • Microsoft Hyper-V • Will they get it right? Slide #29 Exploiting Live Virtual Machine Migration – Black Hat DC 2008

  30. The Big Picture • VM migration paradigm • VERY useful functionality • Awareness of security risk necessary • Better isolation, access control, authentication • Until then... • Severe weaknesses exist in extensively deployed systems • Valuable weapon for pentester/attacker Slide #30 Exploiting Live Virtual Machine Migration – Black Hat DC 2008

  31. Questions? QUESTIONS? • Contact info: • Jon Oberheide <jonojono@umich.edu> • PhD student, University of Michigan • Advisor: Farnam Jahanian • Research Group: http://www.eecs.umich.edu/fjgroup/ Slide #31 Exploiting Live Virtual Machine Migration – Black Hat DC 2008

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Virtual Machine Migration Pierre Riteau University of Rennes 1, IRISA Inria Rennes - Bretagne

Virtual Machine Migration Pierre Riteau University of Rennes 1, IRISA Inria Rennes - Bretagne

Hardware Virtualization Migration Live Migration Techniques Live Migration in WANs Live Migration Optimizations Conclusion Virtual Machine Migration Pierre Riteau University of Rennes 1, IRISA Inria Rennes - Bretagne Atlantique October 21,

585 views • 42 slides
Power Consumption of Virtual Machine Live Migration in Clouds Anusha Karur Manar Alqarni

Power Consumption of Virtual Machine Live Migration in Clouds Anusha Karur Manar Alqarni

Power Consumption of Virtual Machine Live Migration in Clouds Anusha Karur Manar Alqarni Muhannad Alghamdi Content Introduction Contribution Related Work Background Experiment &amp; Result Conclusion Future Work

750 views • 30 slides
On Selecting the Right Optimizations for Virtual Machine Migration Senthil Nathan N , Umesh

On Selecting the Right Optimizations for Virtual Machine Migration Senthil Nathan N , Umesh

On Selecting the Right Optimizations for Virtual Machine Migration Senthil Nathan N , Umesh Bellur, Purushottam Kulkarni Systems and Networks Group (SynerG) Department of Computer Science and Engineering Indian Institute of Technology Bombay

682 views • 27 slides
CloudNet : Dynamic Pooling of Cloud Resources by Live WAN Migration of Virtual Machines Timothy

CloudNet : Dynamic Pooling of Cloud Resources by Live WAN Migration of Virtual Machines Timothy

CloudNet : Dynamic Pooling of Cloud Resources by Live WAN Migration of Virtual Machines Timothy Wood , Prashant Shenoy University of Massachusetts Amherst K.K. Ramakrishnan, and Jacobus Van der Merwe AT&amp;T Labs - Research VEE 2011

1.17k views • 24 slides
Multi-Agent Negotiation of Virtual Machine Migration Using the Lightweight Coordination Calculus

Multi-Agent Negotiation of Virtual Machine Migration Using the Lightweight Coordination Calculus

KES AMSTA 2012 Multi-Agent Negotiation of Virtual Machine Migration Using the Lightweight Coordination Calculus Paul Anderson &lt;dcspaul@ed.ac.uk&gt; Shahriar Bijani &lt;S.Bijani@sms.ed.ac.uk&gt; Alexandros Vichos Friday, 22 June 2012

388 views • 17 slides
Joint Virtual Machine Placement and Migration in Dynamic Policy-Driven Data Centers Hugo Flores

Joint Virtual Machine Placement and Migration in Dynamic Policy-Driven Data Centers Hugo Flores

Joint Virtual Machine Placement and Migration in Dynamic Policy-Driven Data Centers Hugo Flores J Lucas California State University Dominguez Hills Department of Computer Science 1 Presentation Overview 1. Introduction 2. Related Works

853 views • 48 slides
Virtual Machines What is a Virtual Machine? Java Virtual Machine (Application Virtualization)

Virtual Machines What is a Virtual Machine? Java Virtual Machine (Application Virtualization)

Virtual Machines What is a Virtual Machine? Java Virtual Machine (Application Virtualization) Software to simulate hardware Independent Separate Use one piece of hardware to simulate many computers Topics What are

519 views • 22 slides
KVM Live Migration Optimization Li, Liang Zhang, Yang Aug 2015 1 Agenda Background

KVM Live Migration Optimization Li, Liang Zhang, Yang Aug 2015 1 Agenda Background

KVM Live Migration Optimization Li, Liang Zhang, Yang Aug 2015 1 Agenda Background Problems Solutions Performance Work in progress 2 Background Live migration usage in cloud computing facilitate maintenance

461 views • 18 slides
Machine Placement and Migration in Cloud Datacenters Authors: Liuhua Chen, Haiying Shen and

Machine Placement and Migration in Cloud Datacenters Authors: Liuhua Chen, Haiying Shen and

Cache Contention Aware Virtual Machine Placement and Migration in Cloud Datacenters Authors: Liuhua Chen, Haiying Shen and Stephen Platt Presenter: Haiying Shen IEEE ICNP November 8-11, 2016 Singapore 2 Objective An effective VM allocation

411 views • 20 slides
An Online Virtual Machine Placement Algorithm in an Over-Committed Cloud Siqi Ji*, Ming Da Li,

An Online Virtual Machine Placement Algorithm in an Over-Committed Cloud Siqi Ji*, Ming Da Li,

IC2E18 An Online Virtual Machine Placement Algorithm in an Over-Committed Cloud Siqi Ji*, Ming Da Li, Niannian Ji, Baochun Li Virtual Machine Placement Select the most suitable physical machine (PM) to host each virtual machine (VM).

417 views • 13 slides
Virtual Machines Uses for Virtual Machines There are several uses for virtual machines:

Virtual Machines Uses for Virtual Machines There are several uses for virtual machines:

Virtual Machines Uses for Virtual Machines There are several uses for virtual machines: Virtual machine technology, often just called virtualization , makes one computer behave as several Running several operating systems simultaneously on

254 views • 10 slides
L2L L2L Live Live to e to e-Lea Learning rning Bridging physical and virtual classrooms

L2L L2L Live Live to e to e-Lea Learning rning Bridging physical and virtual classrooms

L2L L2L Live Live to e to e-Lea Learning rning Bridging physical and virtual classrooms using an integrated lecture capture and delivery service Matteo Bertazzo - CINECA InterUniversity Consortium 3 rd TF-Media Task Force meeting,

521 views • 21 slides
CSCI 2270: Advanced Topics in Database Management Zephyr : Live Migration In Shared Nothing

CSCI 2270: Advanced Topics in Database Management Zephyr : Live Migration In Shared Nothing

CSCI 2270: Advanced Topics in Database Management Zephyr : Live Migration In Shared Nothing Databases For Elastic Cloud Platforms &quot;Cut Me Some Slack&quot; : Latency-Aware Live Migration For Databases Yang Zou yang@cs.brown.edu 1

279 views • 16 slides
Transparent migration of virtual Transparent migration of virtual infrastructures in large

Transparent migration of virtual Transparent migration of virtual infrastructures in large

Transparent migration of virtual Transparent migration of virtual infrastructures in large datacenters for infrastructures in large datacenters for Cloud Computing Cloud Computing Workshop on Management of Cloud Systems ( Workshop on

489 views • 23 slides
Container Live Migration Adrian Reber FOSDEM 2020, February 01 Red Hat Blog: Container

Container Live Migration Adrian Reber FOSDEM 2020, February 01 Red Hat Blog: Container

Container Live Migration Adrian Reber FOSDEM 2020, February 01 Red Hat Blog: Container migration with Podman on RHEL https://www.redhat.com/en/blog/container-migration-podman-rhel 2 FOSDEM 2020 Definition: Container Live Migration 3

789 views • 47 slides
Migration Matters Policy Toolkit Katy MacMillan ODS Consulting We are live! } New toolkit on

Migration Matters Policy Toolkit Katy MacMillan ODS Consulting We are live! } New toolkit on

Migration Matters Policy Toolkit Katy MacMillan ODS Consulting We are live! } New toolkit on migration available at: } www.migrationscotland.org.uk } Leaflets with direct web address Today } Celebrate the launch of the toolkit }

339 views • 12 slides
Networks: Detection and Countermeasure Issa Khalil, Saurabh Bagchi IEEE Transactions on Mobile

Networks: Detection and Countermeasure Issa Khalil, Saurabh Bagchi IEEE Transactions on Mobile

Stealthy Attacks in Wireless Ad Hoc Networks: Detection and Countermeasure Issa Khalil, Saurabh Bagchi IEEE Transactions on Mobile Computing, 2011 Presented by Yang Chen 1 CS6204 Mobile Computing Khalil-TMC11 Outline Background and

1k views • 43 slides
2018 Investor Presentation Thursday, 17 May 2018 Link Group Investor Presentation 17 May 2018

2018 Investor Presentation Thursday, 17 May 2018 Link Group Investor Presentation 17 May 2018

2018 Investor Presentation Thursday, 17 May 2018 Link Group Investor Presentation 17 May 2018 Link Group 1 Important notice This presentation has been prepared by Link Administration Holdings Limited ( Company ) together with its related

1.08k views • 74 slides
RWEPAC January 9, 2018 WELCOME Introductions Name Organization New Years

RWEPAC January 9, 2018 WELCOME Introductions Name Organization New Years

RWEPAC January 9, 2018 WELCOME Introductions Name Organization New Years Resolution BeWaterSmart.info BE WATER SMART Agenda Welcome and Introductions November 2017 Meeting Notes Program Updates QWEL

704 views • 36 slides
Trees Lenny Wells UGA Horticulture Keys to Young Tree Growth In order to get optimal tree

Trees Lenny Wells UGA Horticulture Keys to Young Tree Growth In order to get optimal tree

Management of Young Pecan Trees Lenny Wells UGA Horticulture Keys to Young Tree Growth In order to get optimal tree growth of newly established orchards: Nutritional Management How much? What method? What to apply?

565 views • 24 slides
Techniques for detecting compromised IoT devices Ivo van der Elzen, Jeroen van Heugten RP1

Techniques for detecting compromised IoT devices Ivo van der Elzen, Jeroen van Heugten RP1

Introduction Research questions Research Results Conclusion Questions Techniques for detecting compromised IoT devices Ivo van der Elzen, Jeroen van Heugten RP1 Presentation February 6, 2017 RIoT Van der Elzen, Van Heugten Introduction

456 views • 22 slides
OpenFlow DDoS Mitigation C. Dillon, M. Berkelaar February 9, 2014 University of Amsterdam

OpenFlow DDoS Mitigation C. Dillon, M. Berkelaar February 9, 2014 University of Amsterdam

OpenFlow DDoS Mitigation C. Dillon, M. Berkelaar February 9, 2014 University of Amsterdam Quanza Engineering C. Dillon, M. Berkelaar OpenFlow DDoS Mitigation Introduction Distributed Denial of Service attacks Types of attacks Application

358 views • 18 slides
Formal Security Analysis of Smart Embedded Systems Farid Farid Molazem

Formal Security Analysis of Smart Embedded Systems Farid Farid Molazem

Formal Security Analysis of Smart Embedded Systems Farid Farid Molazem Molazem Tabrizi Tabrizi Karthik Pattabiraman Karthik Pattabiraman http://blogs.ubc.ca/karthik/ 1 IoT Systems 2 Security Attacks

224 views • 20 slides
Adversarial Attacks and Defenses in Deep Learning Hang Su suhangss@tsinghua.edu.cn Institute for

Adversarial Attacks and Defenses in Deep Learning Hang Su suhangss@tsinghua.edu.cn Institute for

Adversarial Attacks and Defenses in Deep Learning Hang Su suhangss@tsinghua.edu.cn Institute for Artificial Intelligence Dept. of Computer Science &amp; Technology Tsinghua University 1 Background Artificial intelligence (AI) is a

917 views • 63 slides

More recommend