qinghai tang, pacsec english-version-final
Speaker: Qinghao Tang
Title: 360 Marvel Team Leader
Vulnerability mining technology for cloud and virtualization platforms
360 Marvel Team
As the first virtualization security team in China, 360 Marvel Team focuses on attack and defence technology for virtualization and cloud platforms, aiming to lead research on vulnerability mining and defence on these platforms and providing tools and solutions for mainstream hypervisors:
● Virtualization fuzz framework
● Guest OS escape tools
- Supports Docker, Xen, KVM, VMware
● Hypervisor hardening solutions
- Block guest OS escape
- Agentless guest OS scanning
Agenda
• Brief introduction to hypervisor security
• Fuzzing framework
• Analysis of network device vulnerability
Brief introduction to hypervisor security
Hypervisor
Major: Xen, KVM, VMware
Functions: quantitative distribution, flexible scheduling
Cloud Computing
Distinction (diagram)
Normal server: OS running directly on the physical devices.
Virtualization server, top to bottom: guest OS, device emulator, hypervisor, physical devices.
Escape from Guest OS
Venom
• Typical virtualization security vulnerability
• Can cause a virtual machine escape
• Exists in the floppy device emulator code
• More Venoms? Yes!
Fuzzing Framework
Features of Virtualization Vulnerability Mining
• The target sits lower in the stack
• Test data is more specific to the target
Target depth (diagram, top to bottom): IE, Flash, server, system kernel, hypervisor
Test Process of Emulation Device
• Unconventional methods: hook driver functions; change kernel files
• Tests depend on the device context
Features
• Commonalities of hypervisors
• Features of the solution: coding language, operating system type, coding style
Architecture (diagram): a control center drives multiple hypervisors, each hosting several guest OSes.
Fuzzing - Collect device information
Test - Integrated test data
• Device IO methods
• Controller data structure
• Device state machine
Fuzzing - Attack emulation device
• User space: fuzz_client
• Kernel space: kernel_agent
Feedback
• No effect
• Blue Screen
• Implicit Result
• Crash
Feedback - VM management automation
• Snapshot
• Reboot
• Virtual Device Edit
• Debugging Mode on Start
• Load Debugging Plugin
Feedback - Monitoring technology
• Dynamic
• Static
Control Center - Process (diagram)
Labels: control center; test; feedback; analysis (Step 1, Step 2, Step 3)
Control Center - Statistics & Optimization
• Total test count
• Fuzz coverage
• Optimize test data
Achievement
• 120 days
• 2 platforms
• 10 vulnerabilities
Analysis of network device vulnerability
Principle of QEMU (diagram)
• User space: APP (send)
• Kernel space: syscall, tcp_*, ip_*, dev_*, e1000_* (the guest's network driver)
• Device emulator: network devices, hub, slirp
Principle of Network Device
• Initialization: port allocation, address mapping, device status setting, resource allocation
• Data transfer: 'write command' to the device TDT register; process the descriptors (3 descriptor types: context, data, legacy); transfer the data; set status and wait for the next instruction
• Processing details: circular memory (descriptor ring); TSO: TCP segmentation / flow control
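The transmit path described above, as an added example that is not code from the talk, QEMU or VMware: a Python model of the e1000 descriptor ring that classifies legacy, context and data descriptors (the "controller data structure" the fuzzing section collects) and walks TDH..TDT on a TDT write, applying the kind of bounds checks an emulator must make on guest-controlled fields. Descriptor layouts follow the Intel 8254x programming model; the ring size, the transmit buffer limit, the sample descriptors and the specific checks are assumptions for this example, not the bug analysed in the talk.

```python
import struct
# Added example (not from the talk, QEMU or VMware). Descriptor layouts follow the Intel 8254x
# programming model; ring size, buffer limit and the sample descriptors are constructed for it.
DEXT, TSE, EOP = 0x20, 0x04, 0x01      # cmd-byte bits: extended descriptor, TCP segmentation, end of packet
DTYP_CONTEXT, DTYP_DATA = 0, 1         # type field of extended descriptors
RING_ENTRIES, MAX_PKT = 8, 16384       # assumed ring size and emulator transmit buffer size
def legacy_desc(addr, length, eop=True):
    return struct.pack("<QHBBBBH", addr, length, 0, EOP if eop else 0, 0, 0, 0)
def context_desc(paylen, hdr_len, mss):  # TSO parameters: payload length, header length, segment size
    lower = paylen | (DTYP_CONTEXT << 20) | (DEXT << 24)
    return struct.pack("<BBHBBHIBBH", 14, 24, 0, 34, 50, 0, lower, 0, hdr_len, mss)
def data_desc(addr, length, tse=False, eop=True):
    cmd = DEXT | (TSE if tse else 0) | (EOP if eop else 0)
    return struct.pack("<QII", addr, length | (DTYP_DATA << 20) | (cmd << 24), 0)

def decode_tx_descriptor(raw):
    """Classify one 16-byte descriptor (legacy / context / data) and extract its guest-controlled fields."""
    cmd = raw[11]
    if not cmd & DEXT:                   # legacy: 64-bit buffer address, 16-bit length, cmd byte
        addr, length = struct.unpack_from("<QH", raw)
        return {"type": "legacy", "addr": addr, "length": length, "tse": False, "eop": bool(cmd & EOP)}
    lower, upper = struct.unpack_from("<II", raw, 8)
    if (lower >> 20) & 0xF == DTYP_CONTEXT:
        return {"type": "context", "paylen": lower & 0xFFFFF, "hdr_len": (upper >> 8) & 0xFF, "mss": upper >> 16}
    return {"type": "data", "addr": struct.unpack_from("<Q", raw)[0], "length": lower & 0xFFFFF,
            "tse": bool(cmd & TSE), "eop": bool(cmd & EOP)}

def walk_tx_ring(ring, tdh, tdt):
    """Handle a TDT write as the emulator would: walk TDH..TDT round the ring, bounding guest-chosen fields."""
    packets, cur, ctx, i = [], 0, None, tdh
    while i != tdt:
        d = decode_tx_descriptor(ring[i * 16:(i + 1) * 16])
        i = (i + 1) % RING_ENTRIES
        if d["type"] == "context":
            if d["mss"] == 0 or d["hdr_len"] >= d["paylen"]:
                return "reject", "inconsistent TSO context"
            ctx = d
            continue
        if d["tse"] and ctx is None:     # state machine: a TSO frame needs a preceding context
            return "reject", "TSO data descriptor without a context descriptor"
        cur += d["length"]
        if cur > MAX_PKT:                # bound the total before any buffer copy
            return "reject", "packet exceeds transmit buffer"
        if d["eop"]:
            packets.append(cur)
            cur = 0
    return "ok", packets
# Constructed guest ring: one legacy frame, then a TSO context followed by two data descriptors.
SAMPLE_RING = (legacy_desc(0x1000, 60) + context_desc(3000, 54, 1460) + data_desc(0x2000, 1500, True, False)
               + data_desc(0x3000, 1500, True) + bytes(16) * (RING_ENTRIES - 4))
```

`walk_tx_ring` returns `("ok", [packet lengths])` or `("reject", reason)`; `walk_tx_ring(SAMPLE_RING, 0, 4)` accepts the ring as `("ok", [60, 3000])`, while a legacy descriptor claiming 0xFFFF bytes or a TSO data descriptor with no context is rejected before any buffer is touched.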
E1000 vulnerability analysis
• QEMU e1000 network device
• VMware e1000 network device
Summary
Pay continuous attention to virtualization security and follow Marvel Team