hyper cube
play

Hyper-Cube High-Dimensional Hypervisor Fuzzing Sergej Schumilo, - PowerPoint PPT Presentation

Dec 30, 2022 •153 likes •688 views

Hyper-Cube High-Dimensional Hypervisor Fuzzing Sergej Schumilo, Cornelius Aschermann, Ali Abbasi, Simon Wrner and Thorsten Holz Chair for Systems Security Ruhr-Universitt Bochum Motivation Hypervisor Motivation Hypervisor VM 1 VM 2

  1. Hyper-Cube High-Dimensional Hypervisor Fuzzing Sergej Schumilo, Cornelius Aschermann, Ali Abbasi, Simon Wörner and Thorsten Holz Chair for Systems Security Ruhr-Universität Bochum

  2. Motivation Hypervisor

  3. Motivation Hypervisor VM 1 VM 2

  4. Motivation Hypervisor VM 1 VM 2 Malicious Guest (Privileged; Running in Ring-0)

  5. Motivation Hypervisor VM 1 VM 2 Local VM DoS (Crash or Deadlock)

  6. Motivation Hypervisor VM 1 VM 2

  7. Motivation Hypervisor VM 1 VM 2 Virtual Machine DoS (Crash or Deadlock)

  8. Motivation Hypervisor VM 1 VM 2 Virtual Machine Escape (Other Guest)

  9. Motivation Hypervisor VM 1 VM 2

  10. Motivation Hypervisor VM 1 VM 2 Host DoS (Kernel Panic or Deadlock)

  11. Motivation Hypervisor VM 1 VM 2 Virtual Machine Escape (Host)

  12. Motivation Hypervisor VM 1 VM 2

  13. Challenge

  14. Challenge Fuzzer of your Choice

  15. Challenge Fuzzer of your Choice Target Software

  16. Challenge Fuzzer of your Choice Target Software

  17. Challenge User Space Fuzzing

  18. Challenge Hypervisor Fuzzing

  19. Attack Surface

  20. ① ② Hypervisor Attack Surface Guest Hypervisor

  21. ① ② Hypervisor Attack Surface Guest Hypervisor

  22. Hypervisor Attack Surface Guest Hypervisor Code Privileged Instructions Hypervisor Core ... ① Emulation Request mov cr4, 0xAF ... ② Return to Guest

  23. ① ② Hypervisor Attack Surface

  24. Implementation

  25. Design Goals • x86 Hypervisor Agnostic • Blackbox Fuzzing with High Througput • High-Dimensional in Terms of ➤ Interfaces ➤ Operations

  26. ➤ ➤ Our Approach Hypervisor

  27. ➤ ➤ Our Approach Hypervisor VM

  28. ➤ ➤ Our Approach Hypervisor VM Hyper-Cube OS

  29. ➤ ➤ Our Approach Hypervisor VM Hyper-Cube OS Interface Enumeration

  30. ➤ ➤ Our Approach Hypervisor VM PCI Devices ISA Devices Hyper-Cube OS MSR Interface Enumeration Hypercalls PIC HPET APIC Chipset

  31. ➤ ➤ Our Approach Hypervisor VM PCI Devices ISA Devices Hyper-Cube OS MSR Hypercalls PIC Tesseract Interpreter HPET APIC Chipset

  32. Tesseract Handlers memset_mmio write_msr reads_io writes_io write_io kvm_hypercall memset_io read_io xor_io read_mmio write_mmio io_write_scratch_ptr reads_mmio writes_mmio xor_mmio vmport bruteforce_mmio mmio_write_scratch_ptr bruteforce_io

  33. Tesseract Interpreter PRNG Stream ... 0120: 2fff 1c27 ab47 5700 0128: adf2 3d60 092f 5488 0130: ec2d 9d1a 029d 56fd 0138: e0d1 a275 1f56 1d28 0140: ea78 a2fa db07 d60d 0148: 1288 3a5a 91f9 1756 0150: 1cae 31ad 9b9c 938e 0158: 2a33 f597 6615 e267 0160: 0117 1f16 b440 8a86 0168: 9154 5b55 e4ca 9e3d 0170: 9d19 ae79 efac e500 0178: 8cdf 8c00 9a83 df76 0180: 91fe d779 026c 2e2b 0188: 9137 1ef8 eea3 d29c 0190: 1789 5938 a36f 718a 0198: 81e4 678c 20f5 fa0b 01a0: 774d 07f1 cee3 62bc 01a8: ... d845 bc86 7631 6eac

  34. Tesseract Interpreter PRNG Stream Opcode Handler ... vmport (0xbd4,0x10ea) 0120: 2fff 1c27 ab47 5700 0128: memset_io (0x426,0xce0,0x9dc,0xca8) adf2 3d60 092f 5488 0130: ec2d 9d1a 029d 56fd 0138: e0d1 a275 1f56 1d28 writes_mmio (0xec8,0xad,0x10ac,0x7e9) Robust 0140: ea78 a2fa db07 d60d bruteforce_mmio (0xce4,0xdfa,0xe31,0x322) 0148: 1288 3a5a 91f9 1756 Interpretation 0150: 1cae 31ad 9b9c 938e writes_io (0x4bb,0xb8,0xeb1,0x401) 0158: 2a33 f597 6615 e267 0160: 0117 1f16 b440 8a86 0168: 9154 5b55 e4ca 9e3d memset_mmio (0x128,0xa73,0x2b3,0xa84) 0170: 9d19 ae79 efac e500 0178: 8cdf 8c00 9a83 df76 read_mmio (0xbf3,0x907) 0180: 91fe d779 026c 2e2b bruteforce_io (0x5c4,0x49a,0x94f,0xb1c) 0188: 9137 1ef8 eea3 d29c 0190: 1789 5938 a36f 718a 0198: 81e4 678c 20f5 fa0b 01a0: 774d 07f1 cee3 62bc xor_mmio (0x54b,0xa00,0xb51) 01a8: ... d845 bc86 7631 6eac

  35. ≈ Evaluation

  36. ≈ Tested Hypervisors FreeBSD bhyve (12.0-RELEASE) VirtualBox (5.1.37_Ubuntu r122592) Parallels Desktop (14.1.3) KVM/QEMU (4.0.1-rc4) Intel ACRN (29360 Build) VMware Fusion (11.0.3)

  37. ≈ Results Assert Failures 25 Null-Pointer Dereferences 13 55 Memory-Corruptions 8 Bugs 5 Div-By-Zero (FP Exceptions) 4 Deadlocks

  38. ≈ Case Study: bhyve CVE-2019-12071 FreeBSD Kernel Denial of Service via Privileged Guest

  39. ≈ Case Study: bhyve CVE-2019-12071 CVE-2019-12071 FreeBSD Kernel Denial of Service via Privileged Guest FreeBSD Kernel Denial of Service via Privileged Guest

  40. ≈ Case Study: bhyve CVE-2019-12071 CVE-2019-12071 FreeBSD Kernel Denial of Service via Privileged Guest FreeBSD Kernel Denial of Service via Privileged Guest Translates to

  41. ≈ Case Study: bhyve CVE-2019-12071 CVE-2019-12071 FreeBSD Kernel Denial of Service via Privileged Guest FreeBSD Kernel Denial of Service via Privileged Guest

  42. ≈ Case Study: bhyve CVE-2019-12071 FreeBSD Kernel Denial of Service via Privileged Guest

  51. Conclusion

  52. Conclusion • Novel Technique to Fuzz Hypervisors • Outperforms Coverage-Guided Fuzzers • Full-System Fuzzing

  53. Thank You! Q & A

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Outline Cube Release Roadmap Release Notes Cube 7 Highlights Cube 7 Beta

Outline Cube Release Roadmap Release Notes Cube 7 Highlights Cube 7 Beta

Outline Cube Release Roadmap Release Notes Cube 7 Highlights Cube 7 Beta Testing CITILABS UPDATE Program Cube Roadmap Anticipated Release Schedule Cube 6.4.5 Spring 2019 Cube 6.4.6 - Summer 2019 Cube 7 Beta -

656 views • 30 slides
Hyper: Make VM Runs Like Container Xu Wang <xu@hyper.sh> Hyper HQ Agenda Lesson

Hyper: Make VM Runs Like Container Xu Wang <xu@hyper.sh> Hyper HQ Agenda Lesson

Hyper: Make VM Runs Like Container Xu Wang <xu@hyper.sh> Hyper HQ Agenda Lesson learned from docker Hyper: App-centric VM Hyper and Xen Next step Docker Seems to Beat VM Everywhere Docker announced in 2013 and release

531 views • 13 slides
S ENTENCES IN FOL Cube(a) xCube(x) a is a cube For any x, x is a cube True in a world if a

S ENTENCES IN FOL Cube(a) xCube(x) a is a cube For any x, x is a cube True in a world if a

P UZZLE A, B, and C are each either knights or knaves. A says At least one of the three of us is a knight B says At least one

461 views • 19 slides
From HyPer to Hyper Integrating an academic DBMS into a leading analytics and business

From HyPer to Hyper Integrating an academic DBMS into a leading analytics and business

From HyPer to Hyper Integrating an academic DBMS into a leading analytics and business intelligence platform Tobias Muehlbauer, tmuehlbauer@tableau.com Jan Finis, jfinis@tableau.com The Story of Hyper 2020: Hyper as a general-purpose Database

747 views • 37 slides
Determinants Every n n matrix A has an associated scalar value called the determinant of A ,

Determinants Every n n matrix A has an associated scalar value called the determinant of A ,

2.1-2.3 Determinants P. Danziger Determinants Every n n matrix A has an associated scalar value called the determinant of A , denoted by det( A ) or | A | . The determinant gives the (hyper)volume of the unit (hyper)cube after it has been

491 views • 18 slides
Recall: Indexing into Cube Map Compute R = 2( N V ) N V Object at origin V Use

Recall: Indexing into Cube Map Compute R = 2( N V ) N V Object at origin V Use

Recall: Indexing into Cube Map Compute R = 2( N V ) N V Object at origin V Use largest magnitude component R of R to determine face of cube Other 2 components give texture coordinates 1 Cube Map Layout Example R = (

833 views • 40 slides
Tra racking Hyper Bo cking Hyper Boosted sted Top Q p Qua uarks @ 100 T rks @ 100 TeV eV

Tra racking Hyper Bo cking Hyper Boosted sted Top Q p Qua uarks @ 100 T rks @ 100 TeV eV

Tra racking Hyper Bo cking Hyper Boosted sted Top Q p Qua uarks @ 100 T rks @ 100 TeV eV Michel Mi chele Sel e Selva vaggi ggi (CP3) (CP3) An Andr drew w Lar Larko koski ski (MIT), Fabi abio Mal altoni (CP CP3) Flavo vor

623 views • 31 slides
Explorations of the Rubiks Cube Group Zeb Howell May 2016 Explorations of the Rubiks Cube

Explorations of the Rubiks Cube Group Zeb Howell May 2016 Explorations of the Rubiks Cube

Explorations of the Rubiks Cube Group Zeb Howell May 2016 Explorations of the Rubiks Cube Group Whats the Deal with Rubiks Cubes? One Cube made up of twenty six subcubes called cubelets. Each cubelet has one, two, or

246 views • 10 slides
CPS Translations and Applications: The Cube and Beyond Section 2: The domain-free -cube Haye

CPS Translations and Applications: The Cube and Beyond Section 2: The domain-free -cube Haye

CPS Translations and Applications: The Cube and Beyond Section 2: The domain-free -cube Haye Bhm June 12, 2018 What weve seen so far 1 CBV/CBN reduction strategies 2 Simulating CBN in a CBV language Wrap each argument in an extra x .

321 views • 19 slides
Hyper-Resolution AUTOMATED REASONING Hyper-resolution is the strategy employed (electron) in the

Hyper-Resolution AUTOMATED REASONING Hyper-resolution is the strategy employed (electron) in the

8ai Hyper-Resolution AUTOMATED REASONING Hyper-resolution is the strategy employed (electron) in the widely used Otter family of provers. SLIDES 8: {Px,Qx,Rx} {Qa,C} Hyper-resolution generalises ``bottom- (nucleus) up reasoning

343 views • 7 slides
Outreach for Hyper-Kamiokande Jost Migenda (they/them) for the Hyper-Kamiokande

Outreach for Hyper-Kamiokande Jost Migenda (they/them) for the Hyper-Kamiokande

Outreach for Hyper-Kamiokande Jost Migenda (they/them) for the Hyper-Kamiokande Proto-Collaboration @JostMigenda TAUP 2019 2019-09-11 Disclaimer This talk is not exhaustive! Personal, subjective selection Thanks to the whole

576 views • 20 slides
1 Cube geometry (for pillars) Cube Geometry (separate Color) Cube geometry (for pillars) Cube

1 Cube geometry (for pillars) Cube Geometry (separate Color) Cube geometry (for pillars) Cube

To Do To Do Foundations of Computer Graphics Foundations of Computer Graphics Continue working on HW 2. Can be difficult (Spring 2012) (Spring 2012) Class lectures, programs primary source CS 184, Lecture 8: OpenGL 2 Can leverage

337 views • 7 slides
Quotient Cube: How to Summarize the Semantics of a Data Cube Laks V.S. Lakshmanan (Univ. of

Quotient Cube: How to Summarize the Semantics of a Data Cube Laks V.S. Lakshmanan (Univ. of

Quotient Cube: How to Summarize the Semantics of a Data Cube Laks V.S. Lakshmanan (Univ. of British Columbia) * Jian Pei (State Univ. of New York at Buffalo) * Jiawei Han (Univ. of Illinois at Urbana-Champaign) + * The work is partially supported

798 views • 44 slides
bluecube V 4 . 3 1 Blue Cube CMS V4.3 by Digitalcube TABLE OF CONTENTS Introduction Discover

bluecube V 4 . 3 1 Blue Cube CMS V4.3 by Digitalcube TABLE OF CONTENTS Introduction Discover

Content Management System bluecube V 4 . 3 1 Blue Cube CMS V4.3 by Digitalcube TABLE OF CONTENTS Introduction Discover CMS Blue Cube Modules Customers 2 BLUE CUBE CMS V4.3 by Digitalcube Blue Cube CMS V4.3 by Digitalcube CMS without bugs

316 views • 28 slides
Status of the Hyper- Kamiokande Experiment Erin OSullivan, on behalf of the Hyper-Kamiokande

Status of the Hyper- Kamiokande Experiment Erin OSullivan, on behalf of the Hyper-Kamiokande

Status of the Hyper- Kamiokande Experiment Erin OSullivan, on behalf of the Hyper-Kamiokande proto-collaboration Stockholm University NuFACT 2017 Hyper-Kamiokande collaboration Proto-collaboration formed in 2015 ~ 300 members from 14

789 views • 31 slides
THE COSO INTEGRATED CONTROL CUBE THE COSO I NTEGRATED CONTROL CUBE 1 COSO Definition of I

THE COSO INTEGRATED CONTROL CUBE THE COSO I NTEGRATED CONTROL CUBE 1 COSO Definition of I

THE COSO INTEGRATED CONTROL CUBE THE COSO I NTEGRATED CONTROL CUBE 1 COSO Definition of I nternal Control Internal control is a process, effected by an entitys Board of Directors, management and other personnel, designed to provide

208 views • 16 slides
Verifying Hyperproperties of Hardware Systems Bernd Finkbeiner Markus N. Rabe Saarland

Verifying Hyperproperties of Hardware Systems Bernd Finkbeiner Markus N. Rabe Saarland

Verifying Hyperproperties of Hardware Systems Bernd Finkbeiner Markus N. Rabe Saarland University UC Berkeley based on joint work with Michael R. Clarkson, Christopher Hahn, Masoud Koleini, Kristopher K. Micinski, and Csar Snchez

1.33k views • 93 slides
Logics for Hyperproperties Martin Zimmermann Saarland University May, 19th 2017 Centre

Logics for Hyperproperties Martin Zimmermann Saarland University May, 19th 2017 Centre

Logics for Hyperproperties Martin Zimmermann Saarland University May, 19th 2017 Centre Fdr en Vrification, Brussels, Belgium Martin Zimmermann Saarland University Logics for Hyperproperties 1/40 Hyperproperties I secret O secret S

1.11k views • 110 slides
HyperPCTL: A Temporal Logic for Probabilistic Hyperproperties Erika am 1 Borzoo Bonakdarpour 2

HyperPCTL: A Temporal Logic for Probabilistic Hyperproperties Erika am 1 Borzoo Bonakdarpour 2

Motivation HyperPCTL Syntax and Semantics HyperPCTL in Action HyperPCTL Model Checking Conclusion HyperPCTL: A Temporal Logic for Probabilistic Hyperproperties Erika am 1 Borzoo Bonakdarpour 2 Abrah RWTH Aachen, Germany 1 Iowa State

721 views • 71 slides
COMPUTING WITH HYPERVECTORS Pentti Kanerva Redwood Center for Theoretical Neuroscience UC

COMPUTING WITH HYPERVECTORS Pentti Kanerva Redwood Center for Theoretical Neuroscience UC

COMPUTING WITH HYPERVECTORS Pentti Kanerva Redwood Center for Theoretical Neuroscience UC Berkeley What are Hypervectors? . High-dimensional, e.g., vectors of 10,000 - bits or - integers or - reals or - complex numbers (phase angles) .

814 views • 22 slides
Scalable Hyperparameter Transfer learning Valerio Perrone , Rodolphe Jenatton , C edric

Scalable Hyperparameter Transfer learning Valerio Perrone , Rodolphe Jenatton , C edric

Scalable Hyperparameter Transfer learning Valerio Perrone , Rodolphe Jenatton , C edric Archambeau , Matthias Seeger AWS AI /Amazon Research , Berlin Co-authors R. Jenatton C. Archambeau M. Seeger Most of the material

690 views • 51 slides
PDE-Constrained Optimization Using Hyper-Reduced Models Matthew J. Zahr and Charbel Farhat

PDE-Constrained Optimization Using Hyper-Reduced Models Matthew J. Zahr and Charbel Farhat

PDE-Constrained Optimization HROM-Constrained Optimization Numerical Experiment PDE-Constrained Optimization Using Hyper-Reduced Models Matthew J. Zahr and Charbel Farhat Institute for Computational and Mathematical Engineering Farhat

389 views • 26 slides
Hypertrees and the pure symmetric automorphism group Jon McCammond U.C. Santa Barbara 1 Big

Hypertrees and the pure symmetric automorphism group Jon McCammond U.C. Santa Barbara 1 Big

Hypertrees and the pure symmetric automorphism group Jon McCammond U.C. Santa Barbara 1 Big Picture Let X be a finite K ( G, 1), so the cohomology of X is the cohomology of G . The cohomology of X is rather dull, but H ( X ) = 2

479 views • 29 slides
Tom Spyrou

Tom Spyrou

Tom Spyrou Distinguished Architect

418 views • 25 slides

More recommend