xenpwn
play

Xenpwn Breaking Paravirtualized Devices Felix Wilhelm www.ernw.de - PowerPoint PPT Presentation

Feb 02, 2024 •375 likes •908 views

Xenpwn Breaking Paravirtualized Devices Felix Wilhelm www.ernw.de #wh whoami Security Researcher @ ERNW Research Application and Virtualization Security Recent Research Security Appliances (Fireeye, Palo Alto) Hypervisors

  1. Xenpwn Breaking Paravirtualized Devices Felix Wilhelm www.ernw.de

  2. #wh whoami ¬ Security Researcher @ ERNW Research ¬ Application and Virtualization Security ¬ Recent Research ¬ Security Appliances (Fireeye, Palo Alto) ¬ Hypervisors (Xen) ¬ @_fel1x on Twitter #2 www.ernw.de 16.03.16

  3. Agenda ¬ Device Virtualization & Paravirtualized Devices ¬ Double Fetch Vulnerabilities ¬ Xenpwn: Architecture and Design ¬ Results ¬ Case Study: Exploiting xen-pciback #3 www.ernw.de 4/14/16

  4. De Device Virtualization ¬ Virtualized systems need access to virtual devices − Disk, Network, Serial, ... ¬ Traditionally: Device emulation − Emulate old and well supported hardware devices − Guest OS does not need special drivers − Installation with standard installation sources supported #4 www.ernw.de 4/14/16

  5. Paravirtualized Devices ¬ Most important downsides of emulated devices: − Hard to implement securely and correctly − Slow performance − No support for advanced features ¬ Solution: Paravirtualized Devices − Specialized device drivers for use in virtualized systems − Idea: Emulated devices are only used as fallback mechanism − Used by all major hypervisors #5 www.ernw.de 4/14/16

  6. Pa Paravirtualized ed Dev evices es ¬ Split Driver Model − Frontend runs in Guest system − Backend in Host/Management domain ¬ Terminology differs between hypervisors − VSC / VSP in Hyper-V − Virtio devices and drivers ¬ Implementations are quite similar #6 www.ernw.de 4/14/16

  7. Paravirtualized Pa ed Dev evices es ¬ PV devices are implemented on top of shared memory − Great Performance − Easy to implement − Zero copy algorithms possible ¬ Message protocols implemented on top − Xen, Hyper-V and KVM all use ring buffers ¬ Shared memory mappings can be constant or created on demand #7 www.ernw.de 4/14/16

  8. Security of PV Devices ¬ Backend runs in privileged context è Communication between frontend and backend is trust boundary ¬ Low level code + Protocol parsing è Bugs ¬ Examples − Heap based buffer overflow in KVM disk backend (CVE-2011-1750) − Unspecified BO in Hyper-V storage backend (CVE-2015- 2361) ¬ Not as scrutinized as emulated devices − Device and hypervisor specific protocols − Harder to fuzz #8 www.ernw.de 4/14/16

  9. Very interesting target on often done in user space ßà PV backend ¬ Device em emulation often in kernel for higher performance Compromise of kernel backend is instant win J − Co ¬ PV devices are becoming more important − More device types (USB, PCI pass-through, touch screens, 3D acceleration) − More features, optimizations ¬ Future development: Removal of emulated devices − see Hyper-V Gen2 VMs #9 www.ernw.de 4/14/16

  10. Research goal ¬ ”Efficient vulnerability discovery in Paravirtualized Devices” ¬ Core Idea: No published research on the use of sh shared me memo mory ry in the context of PV devices ¬ Bug class that only affect shared memory? è Double fetches! #10 www.ernw.de 4/14/16

  11. Double Fetch vulnerabilities ¬ Special type of TOCTTOU bug affecting shared memory. ¬ Simple definition: Same memory address is accessed multiple times with validation of the accessed data missing on at least one access ¬ Can introduce all kinds of vulnerabilities − Arbitrary Write/Read − Buffer overflows − Direct RIP control J #11 www.ernw.de 4/14/16

  12. Do Double Fetch vu vuln lnerabili lities ¬ Term “double fetch” was coined by Fermin J. Serna in 2008 But bug class was well known before that − ¬ Some interesting research published in 2007/2008 Usenix 2007 “Exploiting Concurrency − Vulnerabilities in System Call Wrappers” - Robert N. M. Watson CCC 2007: “From RING 0 to UID 0” and Phrack − #64 file 6 – twiz, sgrakkyu ¬ First example I could find is sendmsg() linux bug reported in 2005 Happy to hear about more J − #12 www.ernw.de 4/14/16

  13. Ex Example: se sendmsg sg() () #13 www.ernw.de 4/14/16

  14. Bo Bochspwn ¬ “Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns” (2013) − by j00ru and Gynvael Coldwind ¬ Uses extended version of Bochs CPU emulator to trace all memory access from kernel to user space. #14 www.ernw.de 4/14/16

  15. Bochspwn ¬ Resulted in significant number of Windows bugs (and a Pwnie) − but not much published follow-up research ¬ Whitepaper contains detailed analysis on exploitability of double fetches − On multi core system even extremely short races are exploitable ¬ Main inspiration for this research. #15 www.ernw.de 4/14/16

  16. Example: Bo Ex Bochspwn nt!ApphelpCacheLooku pEntry #16 www.ernw.de 4/14/16

  17. Xenpwn ¬ Adapt memory access tracing approach used by Bochspwn for analyzing PV device communication. ¬ Why not simply use Bochspwn? − Extremely slow − Passive overhead (no targeted tracing) − Compatibility issues − Dumping traces to text files does not scale ¬ Idea: Implement memory access tracing on top of hardware assisted virtualization #17 www.ernw.de 4/14/16

  18. #18 www.ernw.de 4/14/16

  19. Xe Xenpwn Ar Architecture ¬ Nested virtualization − Target hypervisor (L1) runs on top of base hypervisor (L0) ¬ Analysis components run in user space of L1 management domain. − No modification to hypervisor required − Bugs in these components do not crash whole system ¬ L0 hypervisor is Xen #19 www.ernw.de 4/14/16

  20. Li LibVMI ¬ Great library for virtual machine introspection (VMI) − Hypervisor agnostic (Xen and KVM) − User-space wrapper around hypervisor APIs ¬ Allows access to and manipulation of guest state (memory, CPU registers) ¬ Xen version supports memory events #20 www.ernw.de 4/14/16

  21. Li LibVMI Memory Ev Events ¬ Trap on access to a guest physical address ¬ Implemented on top of Extended Page Tables (EPT) − Disallow access to GPA − Access triggers EPT violation and VM exit − VM exit is forwarded to libvmi handler #21 www.ernw.de 4/14/16

  22. Memory Access Tracing Me wi with li libVMI Find shared memory pages 1. Register memory event handlers 2. Analyze memory event, extract 3. needed information and store in trace storage. Run analysis algorithms (can 4. happen much later) #22 www.ernw.de 4/14/16

  23. Trace Collector ¬ Use libvmi to inspect memory and identify shared memory pages − Target specific code. − Identify data structures used by PV frontend/backend and addresses of shared pages ¬ Registers memory event handlers ¬ Main work is done in callback handler − Disassemble instructions using Capstone #23 www.ernw.de 4/14/16

  24. Callback handler Ca #24 www.ernw.de 4/14/16

  25. Trace Storage ¬ Storage needs to be fast and persistent − Minimize tracing overhead − Allow for offline analysis ¬ Nice to have: Efficient compression − Allows for very long traces ¬ Tool that fulfills all these requirements: Simutrace − simutrace.org #25 www.ernw.de 4/14/16

  26. Si Simutrace ¬ Open source project by the Operation System Group at the Karlsruhe Institute of Technology ¬ Designed for full system memory tracing All memory accesses including their content − ¬ C++ daemon + client library Highly efficient communication over shared − memory pages ¬ Uses specialized compression algorithm optimized for memory traces High compression rate + high speed − ¬ Highly recommended! #26 www.ernw.de 4/14/16

  27. Trace Entries For every unique instruction: For every memory access: #27 www.ernw.de 4/14/16

  28. Do Double Fetch Al Algorithm Simplified version (Ignores overlapping accesses and interweaved read/writes) #28 www.ernw.de 4/14/16

  29. Advantages & Limitations ¬ Good: − Low passive overhead − Largely target independent − only Trace collector requires adaption − Easy to extend and develop ¬ Bad − High active overhead − VM exits are expensive − Re Reliance on nested virtualization #29 www.ernw.de 4/14/16

  30. Nested Virtualization on Xen ¬ Xen Doku: Nested HVM on Intel CPUs, as of Xen 4.4, is considered "tech preview". For many common cases, it should work reliably and with low overhead ¬ Reality: − Xen on Xen works − KVM on Xen works (most of the time) − Hyper-V on Xen does not work L ¬ For this reason, all of the following results are from Xen − .. but still hopeful for Server 2016 Hyper-V #30 www.ernw.de 4/14/16

  31. Results ¬ Tracing runs for two L1 targets: ¬ Differences in supported PV devices − SCSI, USB #31 www.ernw.de 4/14/16

  32. Results ¬ Main Problem: Getting good coverage − No automated way to exercise device functionality implemented ¬ In the following: Interesting bugs found with default compiler settings − Full thesis contains more statistic about instruction types and attack surface #32 www.ernw.de 4/14/16

  33. QEM EMU xe xen_disk Normally not exploitable thanks to compiler optimizations #33 www.ernw.de 4/14/16

  34. xe xen-bl blkba back OOB Read/Write #34 www.ernw.de 4/14/16

  35. xen-pciback #35 www.ernw.de 4/14/16

  36. xen-pciback: xen_pcibk_do_op #36 www.ernw.de 4/14/16

  37. xe xen-pc pciba back ¬ switch statement is compiled into jump table ¬ op->cmd == $r13+0x4 ¬ Points into shared memory ¬ Range check and jump use two different memory accesses ¬ Valid compiler optimization − op is not marked as volatile #37 www.ernw.de 4/14/16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Docker meets Python A look on the Docker SDK for Python pip install docker Jan Wagner

Docker meets Python A look on the Docker SDK for Python pip install docker Jan Wagner

Docker meets Python A look on the Docker SDK for Python pip install docker Jan Wagner Data Science Consultant accantec group | Alstertor 17 | 20095 Hamburg | Tel.: +49 (40) 67 59 59 0 | Fax.: +49 (40) 67 59 59 29 | www.accantec.de |

664 views • 29 slides
Orthogonal labelings in de Bruijn graphs Luca Mariot L.Mariot@tudelft.nl IWOCA 2020 Open

Orthogonal labelings in de Bruijn graphs Luca Mariot L.Mariot@tudelft.nl IWOCA 2020 Open

Artificial Intelligence and Security Lab Cyber Security Research Group Delft University of Technology Orthogonal labelings in de Bruijn graphs Luca Mariot L.Mariot@tudelft.nl IWOCA 2020 Open Problems Session De Bruijn graphs and

531 views • 10 slides
Ali Al-Shabibi, Marc De Leenheer, Ma2eo Gerola, Ayaka

Ali Al-Shabibi, Marc De Leenheer, Ma2eo Gerola, Ayaka

Ali Al-Shabibi, Marc De Leenheer, Ma2eo Gerola, Ayaka Koshibe, Guru Parulkar, William Snow Network VirtualizaBon Killer App for SDN Enables

366 views • 8 slides
Unlocking the High Yield Bond Market Martin Fridson CEO FridsonVision LLC Presented to the

Unlocking the High Yield Bond Market Martin Fridson CEO FridsonVision LLC Presented to the

Unlocking the High Yield Bond Market Martin Fridson CEO FridsonVision LLC Presented to the Midwest Finance Association March 16 2013 Is There a Bubble in High Yield Bonds? 2 Exhibit 1 Yield-To-Worst : High Yield Master II Index and

458 views • 19 slides
De Dictionariis Dynamicis Pauco Spatio Utentibus ( lat. On Dynamic Dictionaries Using Little Space)

De Dictionariis Dynamicis Pauco Spatio Utentibus ( lat. On Dynamic Dictionaries Using Little Space)

De Dictionariis Dynamicis Pauco Spatio Utentibus ( lat. On Dynamic Dictionaries Using Little Space) Erik D. Demaine 1 Friedhelm Meyer auf der Heide 2 Rasmus Pagh 3 cu 1 Mihai P atras 1 MIT 2 University of Paderborn 3 IT University of

495 views • 33 slides
Random Regular Graph & Generalized De Bruijn Graph with k -shortest Path Routing Peyman

Random Regular Graph & Generalized De Bruijn Graph with k -shortest Path Routing Peyman

Random Regular Graph & Generalized De Bruijn Graph with k -shortest Path Routing Peyman Faizian , Md Atiqul Mollah, Xin Yuan Scott Pakin, Michael Lang Florida State University Los Alamos National Laboratory Where it All Started Random

523 views • 23 slides
Folkert-Jan de Groot Research & Datamanagement Services Utrecht University Achieving

Folkert-Jan de Groot Research & Datamanagement Services Utrecht University Achieving

Folkert-Jan de Groot Research & Datamanagement Services Utrecht University Achieving organizational goals with iRods 6 years ago today Not taken serious Valued partner No impact on research process Clear contributions to UU

491 views • 12 slides
Clojure and Android Daniel Solano Gmez Sattvik Software & T echnology Resources, Ltd. Co.

Clojure and Android Daniel Solano Gmez Sattvik Software & T echnology Resources, Ltd. Co.

Clojure and Android Daniel Solano Gmez Sattvik Software & T echnology Resources, Ltd. Co. Clojure/conj 2011 Clojure in Small Places Daniel Solano Gmez Sattvik Software & T echnology Resources, Ltd. Co. Clojure/conj 2011 Clojure

906 views • 88 slides
Better offline experience Boyan Mihaylov @boyanio Internet speed worldwide SLOWEST FASTEST

Better offline experience Boyan Mihaylov @boyanio Internet speed worldwide SLOWEST FASTEST

Better offline experience Boyan Mihaylov @boyanio Internet speed worldwide SLOWEST FASTEST @boyanio https://telegraphtravelmaps.carto.com/viz/b0a43e76-40bf-11e5-bfd4-0e6e1df11cbf/public_map @boyanio @boyanio Working while travelling

511 views • 35 slides
The 2019 Heckerling Institute on Estate Planning Handout materials are available for download or

The 2019 Heckerling Institute on Estate Planning Handout materials are available for download or

2/13/2019 The 2019 Heckerling Institute on Estate Planning Handout materials are available for download or printing on the HANDOUT TAB on the gotowebinar console. If the tab is not open click on that tab to open it and view the materials. 1

715 views • 42 slides
When en Shou ould a a Trustee ee Go Go to C o Cou ourt? OCTOBER 24, 2017 DANIEL F.

When en Shou ould a a Trustee ee Go Go to C o Cou ourt? OCTOBER 24, 2017 DANIEL F.

When en Shou ould a a Trustee ee Go Go to C o Cou ourt? OCTOBER 24, 2017 DANIEL F. HAYWARD JUDGE ABIGAIL M. LEGROW SHAWN P. WILSON I. Introduction/Overview Overview of topics to be covered Modification (including in the

351 views • 16 slides
MySQL Group Replication & MySQL InnoDB Cluster Production Ready? Kenny Gryp MySQL Practice

MySQL Group Replication & MySQL InnoDB Cluster Production Ready? Kenny Gryp MySQL Practice

MySQL Group Replication & MySQL InnoDB Cluster Production Ready? Kenny Gryp MySQL Practice Manager Table of Contents Group Replication MySQL Shell (AdminAPI) MySQL Group Replication MySQL Router Best Practices Limitations Production?

993 views • 72 slides
FY2015 Financial Results 12 October 2015 Disclaimer This presentation is for information only

FY2015 Financial Results 12 October 2015 Disclaimer This presentation is for information only

FY2015 Financial Results 12 October 2015 Disclaimer This presentation is for information only and does not constitute an invitation or offer to acquire, purchase or subscribe for units in SPH REIT (Units) . The value of Units and the

433 views • 25 slides
Year End Tax Planning Conference November 29, 2018 Todays Schedule Introductions Susan F.

Year End Tax Planning Conference November 29, 2018 Todays Schedule Introductions Susan F.

Year End Tax Planning Conference November 29, 2018 Todays Schedule Introductions Susan F. Matz, CPA TCJA Tax Reform Updates Jonathan W. Huckabay, MST, CPA Retirement Plans for Small Businesses Michael Agresti, CPA Charitable Giving

2.05k views • 145 slides
Lecture 10: FP, Performance Metrics Todays topics: IEEE 754 representations FP

Lecture 10: FP, Performance Metrics Todays topics: IEEE 754 representations FP

Lecture 10: FP, Performance Metrics Todays topics: IEEE 754 representations FP arithmetic Evaluating a system Reminder: assignment 4 due in a week start early! 1 Examples Final representation: (-1) S x (1 + Fraction) x

332 views • 20 slides
Decimal Transcendentals via Binary John Harrison, Intel Corporation ARITH-19, Portland OR June

Decimal Transcendentals via Binary John Harrison, Intel Corporation ARITH-19, Portland OR June

Decimal Transcendentals via Binary John Harrison, Intel Corporation ARITH-19, Portland OR June 10, 2009 (11:0011:30) 0 Why decimal transcendentals? Intel is distributing a portable open-source library supporting the decimal formats in the

367 views • 21 slides
CS6220: DATA MINING TECHNIQUES 2: Data Pre-Processing Instructor: Yizhou Sun yzsun@ccs.neu.edu

CS6220: DATA MINING TECHNIQUES 2: Data Pre-Processing Instructor: Yizhou Sun yzsun@ccs.neu.edu

CS6220: DATA MINING TECHNIQUES 2: Data Pre-Processing Instructor: Yizhou Sun yzsun@ccs.neu.edu September 10, 2013 2: Data Pre-Processing Getting to know your data Basic Statistical Descriptions of Data Data Visualization Data

421 views • 41 slides
CS6220: DATA MINING TECHNIQUES Chapter 3: Data Preprocessing Instructor: Yizhou Sun

CS6220: DATA MINING TECHNIQUES Chapter 3: Data Preprocessing Instructor: Yizhou Sun

CS6220: DATA MINING TECHNIQUES Chapter 3: Data Preprocessing Instructor: Yizhou Sun yzsun@ccs.neu.edu January 15, 2013 Chapter 3: Data Preprocessing Data Preprocessing: An Overview Data Quality Major Tasks in Data Preprocessing

901 views • 61 slides
7th Grade Percents 2015-11-30 www.njctl.org Slide 3 / 157 Slide 3 (Answer) / 157 Table of

7th Grade Percents 2015-11-30 www.njctl.org Slide 3 / 157 Slide 3 (Answer) / 157 Table of

Slide 1 / 157 Slide 2 / 157 7th Grade Percents 2015-11-30 www.njctl.org Slide 3 / 157 Slide 3 (Answer) / 157 Table of Contents Table of Contents Click on the topic to go to that section Click on the topic to go to that section Relating

714 views • 43 slides
Graph Algorithms Matching Algorithm Theory WS 2012/13 Fabian Kuhn Circulation: Demands and Lower

Graph Algorithms Matching Algorithm Theory WS 2012/13 Fabian Kuhn Circulation: Demands and Lower

Chapter 5 Graph Algorithms Matching Algorithm Theory WS 2012/13 Fabian Kuhn Circulation: Demands and Lower Bounds Given: Directed network , with Edge capacities 0 and lower bounds for

876 views • 33 slides
Introduction to Verilog Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . .

Introduction to Verilog Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . .

9 Introduction to Verilog Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 2. Lexical Tokens . . . . . . . . . . . .

867 views • 31 slides
Integration and Automation of Data Preparation and Data Mining Yanhui Geng Huawai Technologies

Integration and Automation of Data Preparation and Data Mining Yanhui Geng Huawai Technologies

Integration and Automation of Data Preparation and Data Mining Yanhui Geng Huawai Technologies Agenda Introduction Karma Data Modeling and Integration Prediction Task Data collection Preparing the mode of transportation

652 views • 34 slides
Efficient Programming in Stata and Mata II: Obtaining Non-Standard Distributions for a

Efficient Programming in Stata and Mata II: Obtaining Non-Standard Distributions for a

Efficient Programming in Stata and Mata II: Obtaining Non-Standard Distributions for a Cointegration Test via Simulation Sebastian Kripfganz University of Exeter Business School Daniel C. Schneide r Max Planck Institute for Demographic

484 views • 25 slides
If processes are fundamental, what does this tell us about the nature of time? Antony Galton

If processes are fundamental, what does this tell us about the nature of time? Antony Galton

If processes are fundamental, what does this tell us about the nature of time? Antony Galton Department of Computer Science University of Exeter, UK Process Biology Conference London, UK March 21st23rd 2018 I will not argue that processes

675 views • 44 slides

More recommend