SLIDE 1
Hyper-Cube
High-Dimensional Hypervisor Fuzzing
Sergej Schumilo, Cornelius Aschermann, Ali Abbasi, Simon Wörner and Thorsten Holz
Chair for Systems Security Ruhr-Universität Bochum
Hypervisor
Motivation
Hyper-Cube High-Dimensional Hypervisor Fuzzing Sergej Schumilo, - - PowerPoint PPT Presentation
Hyper-Cube High-Dimensional Hypervisor Fuzzing Sergej Schumilo, - - PowerPoint PPT Presentation
Hyper-Cube High-Dimensional Hypervisor Fuzzing Sergej Schumilo, Cornelius Aschermann, Ali Abbasi, Simon Wrner and Thorsten Holz Chair for Systems Security Ruhr-Universitt Bochum Motivation Hypervisor Motivation Hypervisor VM 1 VM 2
SLIDE 2
SLIDE 3
VM 1 VM 2 Hypervisor
Motivation
SLIDE 4
VM 1 VM 2 Hypervisor
Motivation
Malicious Guest
(Privileged; Running in Ring-0)
SLIDE 5
VM 1 VM 2 Hypervisor
Motivation
Local VM DoS
(Crash or Deadlock)
SLIDE 6
VM 1 VM 2 Hypervisor
Motivation
SLIDE 7
VM 1 VM 2 Hypervisor
Motivation
Virtual Machine DoS
(Crash or Deadlock)
SLIDE 8
VM 1 VM 2 Hypervisor
Motivation
Virtual Machine Escape
(Other Guest)
SLIDE 9
VM 1 VM 2 Hypervisor
Motivation
SLIDE 10
VM 1 VM 2 Hypervisor
Motivation
Host DoS
(Kernel Panic or Deadlock)
SLIDE 11
VM 1 VM 2 Hypervisor
Motivation
Virtual Machine Escape
(Host)
SLIDE 12
VM 1 VM 2 Hypervisor
Motivation
SLIDE 13
Challenge
SLIDE 14
Challenge
Fuzzer of your Choice
SLIDE 15
Challenge
Fuzzer of your Choice Target Software
SLIDE 16
Challenge
Fuzzer of your Choice Target Software
SLIDE 17
Challenge
User Space Fuzzing
SLIDE 18
Challenge
Hypervisor Fuzzing
SLIDE 19
Attack Surface
SLIDE 20
Hypervisor Attack Surface
Guest Hypervisor
① ② SLIDE 21
Hypervisor Attack Surface
Guest Hypervisor
① ② SLIDE 22
Hypervisor Attack Surface
Guest Hypervisor Code
... mov cr4, 0xAF ...Hypervisor Core
Privileged Instructions
① Emulation Request ② Return to Guest SLIDE 23
Hypervisor Attack Surface
① ② SLIDE 24
Implementation
SLIDE 25
Design Goals
- Blackbox Fuzzing with High Througput
- High-Dimensional in Terms of
➤ Interfaces ➤ Operations
- x86 Hypervisor Agnostic
SLIDE 26
➤ ➤
Our Approach
Hypervisor
SLIDE 27
➤ ➤
Our Approach
Hypervisor VM
SLIDE 28
➤ ➤
Our Approach
Hypervisor VM
Hyper-Cube OS
SLIDE 29
➤ ➤
Our Approach
Hypervisor VM
Hyper-Cube OS
Interface
Enumeration
SLIDE 30
➤ ➤
Our Approach
Hypervisor VM
Hyper-Cube OS
Interface
Enumeration
PCI Devices ISA Devices HPET PIC APIC Chipset MSR Hypercalls
SLIDE 31
➤ ➤
Our Approach
Hypervisor VM
Hyper-Cube OS PCI Devices ISA Devices HPET PIC APIC Chipset MSR Hypercalls
Tesseract
Interpreter
SLIDE 32
Tesseract Handlers
write_mmio read_mmio vmport xor_mmio bruteforce_mmio memset_mmio writes_mmio reads_mmio mmio_write_scratch_ptr write_io read_io xor_io bruteforce_io memset_io writes_io reads_io io_write_scratch_ptr write_msr kvm_hypercall
SLIDE 33
Tesseract Interpreter
2fff 1c27 ab47 5700 adf2 3d60 092f 5488 ec2d 9d1a 029d 56fd e0d1 a275 1f56 1d28 ea78 a2fa db07 d60d 1288 3a5a 91f9 1756 1cae 31ad 9b9c 938e 2a33 f597 6615 e267 0117 1f16 b440 8a86 9154 5b55 e4ca 9e3d 9d19 ae79 efac e500 8cdf 8c00 9a83 df76 91fe d779 026c 2e2b 9137 1ef8 eea3 d29c 1789 5938 a36f 718a 81e4 678c 20f5 fa0b 774d 07f1 cee3 62bc d845 bc86 7631 6eac 0120: 0128: 0130: 0138: 0140: 0148: 0150: 0158: 0160: 0168: 0170: 0178: 0180: 0188: 0190: 0198: 01a0: 01a8:
... ...
PRNG Stream
SLIDE 34
Tesseract Interpreter
2fff 1c27 ab47 5700 adf2 3d60 092f 5488 ec2d 9d1a 029d 56fd e0d1 a275 1f56 1d28 ea78 a2fa db07 d60d 1288 3a5a 91f9 1756 1cae 31ad 9b9c 938e 2a33 f597 6615 e267 0117 1f16 b440 8a86 9154 5b55 e4ca 9e3d 9d19 ae79 efac e500 8cdf 8c00 9a83 df76 91fe d779 026c 2e2b 9137 1ef8 eea3 d29c 1789 5938 a36f 718a 81e4 678c 20f5 fa0b 774d 07f1 cee3 62bc d845 bc86 7631 6eac 0120: 0128: 0130: 0138: 0140: 0148: 0150: 0158: 0160: 0168: 0170: 0178: 0180: 0188: 0190: 0198: 01a0: 01a8:
... ...
PRNG Stream
Robust Interpretation
vmport(0xbd4,0x10ea) memset_io(0x426,0xce0,0x9dc,0xca8) writes_mmio(0xec8,0xad,0x10ac,0x7e9) bruteforce_mmio(0xce4,0xdfa,0xe31,0x322) writes_io(0x4bb,0xb8,0xeb1,0x401) memset_mmio(0x128,0xa73,0x2b3,0xa84) read_mmio(0xbf3,0x907) bruteforce_io(0x5c4,0x49a,0x94f,0xb1c) xor_mmio(0x54b,0xa00,0xb51)
Opcode Handler
SLIDE 35
Evaluation
≈ SLIDE 36
Tested Hypervisors
KVM/QEMU Intel ACRN VMware Fusion Parallels Desktop (14.1.3) FreeBSD bhyve VirtualBox
(12.0-RELEASE) (5.1.37_Ubuntu r122592) (4.0.1-rc4) (29360 Build) (11.0.3)
≈ SLIDE 37
Results
Assert Failures 25 Null-Pointer Dereferences 13 Memory-Corruptions 8 Div-By-Zero (FP Exceptions) 5 Deadlocks 4
55
Bugs
≈ SLIDE 38
Case Study: bhyve CVE-2019-12071
FreeBSD Kernel Denial of Service via Privileged Guest
≈ SLIDE 39
Case Study: bhyve CVE-2019-12071
FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071
FreeBSD Kernel Denial of Service via Privileged Guest
≈ SLIDE 40
Case Study: bhyve CVE-2019-12071
FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071
FreeBSD Kernel Denial of Service via Privileged Guest
Translates to
≈ SLIDE 41
Case Study: bhyve CVE-2019-12071
FreeBSD Kernel Denial of Service via Privileged Guest
CVE-2019-12071
FreeBSD Kernel Denial of Service via Privileged Guest
≈ SLIDE 42
Case Study: bhyve CVE-2019-12071
FreeBSD Kernel Denial of Service via Privileged Guest
≈ SLIDE 43 ≈
SLIDE 44 ≈
SLIDE 45 ≈
SLIDE 46 ≈
SLIDE 47 ≈
SLIDE 48 ≈
SLIDE 49 ≈
SLIDE 50 ≈
SLIDE 51
Conclusion
SLIDE 52
Conclusion
- Outperforms Coverage-Guided Fuzzers
- Full-System Fuzzing
- Novel Technique to Fuzz Hypervisors
SLIDE 53
Thank You!