security challenges in virtualized environments · 2019-07-14 · • targets desktop/laptop...
TRANSCRIPT
![Page 1: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/1.jpg)
Security Challenges in Virtualized Environments
Joanna Rutkowska,Invisible Things Lab
RSA Conference, San Francisco, April 8th 2008
![Page 2: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/2.jpg)
Virtualization-based MALWARE
Using Virtual Machines for ISOLATION
NESTED virtualization
1
2
3
![Page 3: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/3.jpg)
Virtualization-based MALWARE
![Page 4: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/4.jpg)
Hardware
OS
Hardware
OS
Blue Pill
Hardware
AMD-VIntel VTx
![Page 5: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/5.jpg)
Blue Pill Characteristics
NO HOOKS! Cannot be detected using any integrity scanner
On the fly installation No boot/BIOS/etc modifications necessary
No I/O virtualizationNegligible performance impact (your brand new 3D card will still work!)
![Page 6: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/6.jpg)
Blue Pill detection
![Page 7: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/7.jpg)
Blue Pill detection
Detecting a VMM Detecting virtualization based
malware
![Page 8: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/8.jpg)
VMM detection
Direct timing analysis
Blue Chicken
CPU specific behavior
TLB profiling
Guest time virtualizationHPET timers
![Page 9: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/9.jpg)
VMM detection?
• Everything is going to be virtualized!
• Thus the information that “there is a hypervisor in the system”...
• ...would be pretty much useless...
![Page 10: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/10.jpg)
Detecting virtualized malware?
![Page 11: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/11.jpg)
No Hooks!
Search for code Detect activity(e.g. network packets)
• Stealth by Design concept• Covert channels
Won’t workNested Page Tables (hardware SPT)
By PatternHeuristics
Simple Obfuscation
0day malware“Massive” malware
![Page 12: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/12.jpg)
But why we can’t use obfuscation for “classic” malware?Because it leaves hooks anyways!
And we can always find those hooks, no matter how obfuscated the classic malware is!
![Page 13: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/13.jpg)
The whole big deal about Blue Pill is:
NO HOOKS in the system!
![Page 14: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/14.jpg)
Blue Pill prevention
![Page 15: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/15.jpg)
Disable virtualization?
![Page 16: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/16.jpg)
How about also disabling your network card so you never got
infected from the Internet?
![Page 17: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/17.jpg)
Install a trusted hypervisor first?
![Page 18: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/18.jpg)
Installing trusted hypervisor
Static Root of Trust Measurement
Dynamic Root of Trust Measurement
BIOS > MBR > VMMe.g. MS Bitlocker
SENTER (Intel TXT)SKINIT (AMD SVM)
![Page 19: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/19.jpg)
Trusted vs. Secure?
• SRTM and DRTM only assures that what we load is trusted...
• ...at the moment of loading!
• 3 sec later... it could be exploited and get compromised!
![Page 20: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/20.jpg)
Trusted != Secure (e.g. flawless)
![Page 21: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/21.jpg)
E.g. #1: The famous DMA problem
![Page 22: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/22.jpg)
(Trusted) Hypervisor
OS
Hardware
Some driver
Some device
I/O: asks the device to setup a DMA transfer
Read/Write memory access!
![Page 23: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/23.jpg)
IOMMU
• Solution to the problem of “DMA attacks”
• Intel calls it: VT-d
• Not much PC hardware supports it yet
• Expected to change soon
• No THIN HYPERVISORS without IOMMU!
![Page 24: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/24.jpg)
Other problems with VMMs?Stay tuned...
![Page 25: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/25.jpg)
All in all: it’s not trivial to have a trusted & secure hypervisor installed...
... but for sure this is the proper way to go...
![Page 26: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/26.jpg)
Virtualization-based MALWARE
Using Virtual Machines for ISOLATION
NESTED virtualization
1
2
3
![Page 27: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/27.jpg)
Using Virtual Machines for ISOLATION
![Page 28: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/28.jpg)
Originally ISOLATION was supposed to be provided by Operating Systems...
• Separate processes/address spaces,• User accounts & ACLs...
![Page 29: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/29.jpg)
But in practice current OSes simply
fail at providing isolation!
![Page 30: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/30.jpg)
Why OSes fail?
• Kernel bugs!
• Kernel bugs!!
• Kernel bugs!!!
• Bad design, e.g.:
• XP and “all runs as admin” assumption
• Vista’s UAC assumes admin rights should be granted to every installer program!
![Page 31: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/31.jpg)
VMMs for the rescue!
![Page 32: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/32.jpg)
Vista(work projects)
Linux + Firefox(“random”
surfing)
Linux + Firefox(online banking)
MacOSX(“home”, e.g.
pics, music, etc)
trusted & secure hypervisor
![Page 33: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/33.jpg)
Challenges
• Performance
• Why is VMM/hypervisor going to be more secure then OS’s kernel?
![Page 34: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/34.jpg)
VMM bugs?
![Page 35: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/35.jpg)
VMM Bugs
Bugs in hypervisors Bugs in additional infrastructure
![Page 36: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/36.jpg)
E.g. #1: CVE-2007-4496
• VMWare ESX 3.0.1• http://www.vmware.com/support/vi3/doc/esx-8258730-patch.html
• Found by Rafal Wojtczuk (McAfee)
• September 2007
• Guest OS can cause memory corruption on the host and potentially allow for arbitrary code execution on the host
![Page 37: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/37.jpg)
E.g. #2: CVE-2007-0948
• Microsoft Virtual Server 2005 R2• http://www.microsoft.com/technet/security/bulletin/ms07-049.mspx
• Found by Rafal Wojtczuk (McAfee)
• August 2007
• Heap-based buffer overflow allows guest OS to execute arbitrary code on the host OS
![Page 38: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/38.jpg)
E.g. #3: CVE-2007-4993
• Xen 3.0.3• http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1068
• Found by Joris van Rantwijk
• September 2007
• By crafting a grub.conf file, the root user in a guest domain can trigger execution of arbitrary Python code in domain 0.
![Page 39: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/39.jpg)
E.g. #4: Various Bugs
• Paper by Tavis Ormandy (Google)• http://taviso.decsystem.org/virtsec.pdf
• April 2007
• Disclosed bugs in VMWare, XEN, Bochs, Virtual PC, Prallels
• A simple fuzzers for:
• Instruction parsing by VMMs
• I/O device emulation by VMMs
![Page 40: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/40.jpg)
As you see current VMMs are far from being flawless...
![Page 41: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/41.jpg)
To make VMMs more secure we need to keep them
ultra-thin and small!
![Page 42: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/42.jpg)
Phoenix HyperSpace
![Page 43: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/43.jpg)
![Page 44: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/44.jpg)
![Page 45: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/45.jpg)
HyperCore:the type I hypervisor used for HyperSpace
![Page 46: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/46.jpg)
HyperCore
Vista (HVM) AppSpace #1 (DomU PV)
ManageSpace (Dom0 PV)
Device Model
Virtualizer/Drivers(DomU)
Hardware
AppSpace #2(DomU PV)
![Page 47: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/47.jpg)
The HyperCore
• Targets desktop/laptop systems
• Guest OS execute at near-native performance (including fancy graphics)
• Support for full ACPI (Power Management)
• Integrity: loaded via SecureCore BIOS (Static Root of Trust Measurement)
• Very thin - easy to audit!
![Page 48: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/48.jpg)
Speeding things up
• Pass through for most devices
• SPT: 1-1 mapping for most pages for the Primary OS
![Page 49: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/49.jpg)
Power Management
• ACPI tables exposed to the Primary OS, so that the overall power performance is optimized
• Efficient intercepts for power management control
![Page 50: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/50.jpg)
Integrity
• Static RTM via Phoenix’s SecureCore BIOS
• Dynamic RTM via Intel’s TXT/AMD’s SKINIT
• SMM-based watchdog for HyperCore code
![Page 51: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/51.jpg)
![Page 52: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/52.jpg)
Virtualization-based MALWARE
Using Virtual Machines for ISOLATION
NESTED virtualization
1
2
3
![Page 53: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/53.jpg)
NESTED virtualization
![Page 54: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/54.jpg)
What if a user wants to run e.g. Virtual PC
here?
![Page 55: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/55.jpg)
VM1VM2 (Nested Hypervisor)
Hypervisor (Primary)
VM21
VM3
VM22
VM4
VM221 VM222
![Page 56: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/56.jpg)
Idea of how to handle this situation...
![Page 57: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/57.jpg)
Hypervisor
VM1 VM2 VM3
VM21 VM22
VM221 VM222
Hypervisor
VM1 VM2 VM3VM21 VM22 VM221 VM222
![Page 58: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/58.jpg)
Now, lets look at the actual details :)
![Page 59: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/59.jpg)
Let’s start with AMD-V...
![Page 60: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/60.jpg)
VMRUN
VMCB0
VMRUN
RDMSR
VMCB0VMCB0
![Page 61: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/61.jpg)
VMRUN
VMCB0
VMRUN ?VMCB1
![Page 62: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/62.jpg)
VMRUN
VMCB0
VMRUN
VMCB1
VMRUN
VMCB1’
RDMSR ?
VMCB0
![Page 63: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/63.jpg)
VMRUN
VMCB1
VMRUN
RDMSR
VMRUN
VMCB1’ VMCB0
VMCB1
RAX
VMCB1’
![Page 64: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/64.jpg)
Looks convincing but won’t work with more complex hypervisors...
![Page 65: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/65.jpg)
VMRUN
VMCB0
VMRUN
RDMSR
VMCB0VMCB0
GIF=0
GIF=1 GIF=1
![Page 66: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/66.jpg)
RDMSR
VMRUN
Nested Hypervisor
Nested Guest
Hypervisor
GIF=1
GIF=0
![Page 67: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/67.jpg)
• Hypervisors expect to have GIF=1 when VMEXIT occurs...
• They might not be prepared to handle interrupts just after VMEXIT from guests!
• ... but when we resume the nested hypervisor CPU sets GIF=1, because we do this via VMRUN, not VMEXIT...
![Page 68: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/68.jpg)
Getting around the “GIF Problem”
• We need to “emulate” that GIF is 0 for the nested hypervisor
• We stop this emulation when:
• The nested hypervisor executes STGI
• The nested hypervisor executes VMRUN
• How do we emulate it?
![Page 69: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/69.jpg)
GIF0 emulation
• VMCB1’.V_INTR_MASKING = 1
• Host’s RFLAGS.IF = 0
• Intercept NMI, SMI, INIT, #DB and held (i.e. record and reinject) or discard until we stop the emulation
![Page 70: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/70.jpg)
Additional details
• Need to also intercept VMLOAD/VMSAVE
• Need to virtualize VM_HSAVE_PA
• ASID conflicts
![Page 71: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/71.jpg)
Hypervisor: ASID = 0
Nested Hypervisor: ASID = 1(but thinks that has ASID = 0)
Nested Guest: ASID = 1(assigned by the nested hypervisor)
Conflicting ASIDs!
![Page 72: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/72.jpg)
But we can always reassign the ASID in the VMCB “prim” that we use to run the nested guest.
![Page 73: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/73.jpg)
Performance Impact
• One additional #VMEXIT on every #VMEXIT that would occur in a non-nested scenario
• One additional #VMEXIT when the nested hypervisor executes: STGI, CLGI, VMLOAD, VMSAVE
• Lots of space for optimization though
![Page 74: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/74.jpg)
![Page 76: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/76.jpg)
How AMD could help?
• AMD could add an additional field to VMCB: “EmulateGif0ForGuest”
• Additionally: virtualize STGI and CLGI when the above field is set to improve performance
• Seems simple to do: just a few additional lines in the microcode... :)
![Page 77: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/77.jpg)
Further thinking...
• Virtualizing DEV for the nested hypervisor that makes use of DEV?
• Virtualizing IOMMU for the IOMMU-aware nested hypervisor?
• Virtualizing Nested Paging mechanism for the NP-aware nested hypervisor?
![Page 78: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/78.jpg)
How about Intel VT-x?
![Page 79: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/79.jpg)
Nested virtualization on VT-x
• No GIF bit - no need to emulate “GIF0” for the nested hypervisor :)
• No Tagged TLB - No ASID conflicts :)
• However:
• VMX instructions can take memory operands - need to use complex operand parser
• No tagged TLB - potentially bigger performance impact
![Page 80: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/80.jpg)
Nested VT-x: Status
• We “pretty much” have that working already
• Code is messy and should be rewritten
• e.g. the operand parser
![Page 81: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/81.jpg)
What Intel could do?
• Extend info provided by:
VMCS.VMX_INSTRUCTION_INFO
So that we don’t need to parse memory operand manually
• Tagged TLB for better performance
• Other optimization?
![Page 82: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/82.jpg)
Who else does Nested (hardware-based) Virtualization?
![Page 83: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/83.jpg)
IBM z/VM hypervisor on IBM System z™ mainframe
“Running z/VM in a virtual machine (that is, z/VM as a guest of z/VM, also known as “second-level” z/VM) is functionally supported but is intended only for testing purposes for the second-level z/VM system and its guests (called “third-level” guests).”-- http://www.vm.ibm.com/pubs/hcsf8b22.pdf
IBM System z10, source: ibm.com
![Page 84: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/84.jpg)
Confusion
• AMD Nested Page Tables != Nested Virtualization!
• NPT is a hardware alternative to Shadow Page Tables (a good thing, BTW)
• NPT is also called: Rapid Virtualization Indexing
![Page 85: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/85.jpg)
Nested Virtualization:Security Implications
![Page 86: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/86.jpg)
VM1 VM1 VM1Management
Domain
hypervisor
MBR/BIOS
![Page 87: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/87.jpg)
VM1 VM1 VM1Management
Domain
Type I hypervisor
MBR/BIOS
Blue Pill :)
![Page 88: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/88.jpg)
Solution: ensure hypervisor integrity via SRTM or DRTM
![Page 89: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/89.jpg)
VM1 VM1 VM1Management
Domain
hypervisor
MBR/BIOS
SRTM/DRTM
Blue Pill :)
SRTM/DRTM do not protect the already loaded hypervisor, from being exploited if it is buggy!
![Page 90: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/90.jpg)
Keep hypervisors very slim!Do not put drivers there!
![Page 91: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/91.jpg)
Nested Virtualization:Useful Applications
![Page 92: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/92.jpg)
What if a user wants to run e.g. Virtual PC
here?
![Page 93: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/93.jpg)
Phoenix Technologies has supported the research on nested hypervisors since Fall 2007
![Page 94: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/94.jpg)
Virtualization-based MALWARE
Using Virtual Machines for ISOLATION
NESTED virtualization
1
2
3
![Page 95: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/95.jpg)
Summary
![Page 96: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/96.jpg)
• Virtualization technology could be used to improve security on desktop systems
• However there are non-trivial challenges in making this all working well...
• ... and not to introduce security problems instead...
• Virtualization is cool ;)
![Page 97: Security Challenges in Virtualized Environments · 2019-07-14 · • Targets desktop/laptop systems • Guest OS execute at near-native performance (including fancy graphics) •](https://reader034.vdocument.in/reader034/viewer/2022042416/5f3246b42688f94a7b48e5fb/html5/thumbnails/97.jpg)
Invisible Things Labhttp://invisiblethingslab.com