2. system utilization
consolidation
management cost
isolation
trusted environment resource aggregation
GRID system
MPP (Massively Parallel Processing)
resource access control
mobility
emulation
3. 1960 1970 1999 2006 현재
System/370, IBM
x86 virtualization, VMWare
CP-40, IBM,
Cambridge Scientific Center
full virtualization
application virtualization
(application streaming)
x86,x64, ARM, …
Storage,
Network
…
VMWare, Virtual Box, Xen…
…
OpenStack, CloudStack,…
…
Amazon, Google…
4. Guest OS Guest OS
Memory and I/O
Virtualization
Shared Device
VMM
Physical H/W
Control
CPU CPU MEMORY
virtualized h/w
physical h/w
VMM must …
- support same hardware interface
- can control guest OS when accessing H/W resources.
5. Types of operation…
mov eax
mov ebx
…
Direct Execution
eflags
control registers
MSR
privileged instructions
????
6. Full Virtualization
- No OS modification
- Emulating, Binary translation, Trace cache,…
- VMware ESX server
- QEMU
Para Virtualization
- Need OS modification
- Hypercall
- Xen
- Bochs
10. VMX – new instructions, new data structure
VMXON Region
- created per logical processor
- used by VMX instructions
VMCS Region
- created per virtual CPU for guest OS
- used by CPU and VMM
- 4Kb aligned
- PHYSICAL_ADDRESS == typedef LARGE_INTEGER
- …
11. VMM (Virtual Machine Monitor) programming summary
check VMX support allocate VMXON region execute VMXON
execute VMPTRLD execute VMCLEAR allocate VMCS region
initialize VMCS data
host-state area fields
VM-exit control fields
VM-entry control fields
VM-execution control fields
guest-state area fields
execute VMLAUNCH handling various VM-exits
12. VMCS data organization
#1 Guest state fields
- saved on VM exits, loaded on VM entries
#2 Host state fields
- loaded on VM exits
#3 Execution control fields
- control VMX-non root operations
#4 Exit control fields
- control VM exits
#5 Entry control fields
- control VM entries
#6 VM Exit info
- saved VM exits information on VM exits
pin-based controls
processor-based controls
exception-bitmap address
I/O bitmap address
Timestamp counter offset
CR0/CR4 guest/host masks
CR3 targets
MSR bitmaps
19. Attacks on Binary Translator
CVE-2009-1542 - VirtualPC instruction decoding
• wbinvd (write back and invalidate cache), clts (clear task-switched flag in cr0)
CVE-2008-4915 - VMware, Trap Flag Set by IRET Not Cleared for CCh Instruction
CVE-2009-2267 - VMware Mishandled Exception on Page Faults
…
Attacks on Para-virtualization
CVE-2008-4279 - VMware, Interrupt Can Occur at NonCanonical RIP After Indirect Jump
CVE-2012-0217 - Advanced Exploitation of Xen Hypervisor Sysret VM Escape Vulnerability
( http://www.vupen.com/blog/20120904.Advanced_Exploitation_of_Xen_Sysret_VM_Escape_CVE-2012-0217.php )
…
Attacks on Device Emulation / Acceleration
CVE-2012-0217 ( http://www.vupen.com/blog/20120904.Advanced_Exploitation_of_Xen_Sysret_VM_Escape_CVE-2012-0217.php )
20. Attacks on HVM
CVE-2009-3827 - Virtual PC VMExit Event Confusion
• exit reason MOV_CR, MOV_DR
• MOV_CR : check guest cpl == 0
• MOV_DR : !!
• ring3 에서 DR 레지스터를 조작가능 !? DoS ?!
CVE-2009-3722 - KVM VMExit Event Confusion
• CVE-2009-3827 와 동일한 버그
더 자세한 내용은 http://www.cr0.org/paper/jt-to-virtualisation_security.pdf 를 참고하세요.
22. HVM base rootkit
최초의 가상머신 기반 루트킷 ( http://www.invisiblethingslab.com/resources/bh07/IsGameOver.pdf )
23. HVM base rootkit – keylogger
PS/2
Port 0x60
Keyboard Controller
Keyboard
Mouse
CPU
Port 0x64
CPU 가상화
HVM rootkit
• CPU 의 특권 명령을 가로챔 (e.g. IN, OUT)
• PORT I/O 를 OS 보다 먼저 하드웨어 레벨에서 처리
24.
25. Attack Hypervisor ?! or Another Attack Surface
OS / Device Drivers
Hypervisor
BIOS
Chipset
OS Level
HVM rootkit
rootkit code in SMM / ACPI / UEFI / PCI
CPU CPU bugs ? Micro code update ?