Hardware-assisted Virtual Machine 
노용환 (a.k.a. somma) 
fixbrain@gmail.com
system utilization 
consolidation 
management cost 
isolation 
trusted environment 
resource aggregation 
GRID system 
MPP (Massively Parallel Processing) 
resource access control 
mobility 
emulation
Timeline: 1960, 1970, 1999, 2006, present 
System/370, IBM 
x86 virtualization, VMWare 
CP-40, IBM, Cambridge Scientific Center 
full virtualization 
application virtualization (application streaming) 
x86, x64, ARM, … 
Storage, Network, … 
VMWare, Virtual Box, Xen, … 
OpenStack, CloudStack, … 
Amazon, Google, …
[Diagram: two Guest OSes run on virtualized h/w (CPU, memory, shared devices) presented by the VMM; the VMM controls memory and I/O virtualization and owns the physical h/w] 
VMM must … 
- support the same hardware interface 
- be able to control the guest OS when it accesses H/W resources
Types of operation… 
- mov eax, mov ebx, … : direct execution on the CPU 
- eflags, control registers, MSRs, privileged instructions : ????
Full Virtualization 
- No OS modification 
- Emulating, Binary translation, Trace cache,… 
- VMware ESX server 
- QEMU 
Para Virtualization 
- Need OS modification 
- Hypercall 
- Xen 
- Bochs
Hardware Assisted Virtualization 
Virtualize… 
CPU 
- AMD-V, VT-x 
IOMMU 
- AMD-Vi, VT-d 
Network 
- VT-c 
VMX operation 
VMX root operation 
VMX non-root operation
Hardware Assisted Virtualization 
Trap-based development for a Virtual Machine 
- handle_cpuid_instruction() 
- handle_mov_crX() 
- handle_read_msr() 
- handle_write_msr() 
- … 
HW-based hypervisor programming = VMEXIT handler programming
VMX (Intel Virtual Machine Extension) 
VMXON → VMCLEAR → VMPTRLD → VMWRITE → VMLAUNCH → guest runs until a VM exit → VMREAD → VMRESUME → … → VMXOFF
VMX – new instructions, new data structures 
VMXON Region 
- created per logical processor 
- used by VMX instructions 
VMCS Region 
- created per virtual CPU for the guest OS 
- used by the CPU and the VMM 
- 4 KB aligned 
- PHYSICAL_ADDRESS (a typedef of LARGE_INTEGER) 
- …
VMM (Virtual Machine Monitor) programming summary 
- check VMX support 
- allocate VMXON region 
- execute VMXON 
- allocate VMCS region 
- execute VMCLEAR 
- execute VMPTRLD 
- initialize VMCS data 
  - host-state area fields 
  - VM-exit control fields 
  - VM-entry control fields 
  - VM-execution control fields 
  - guest-state area fields 
- execute VMLAUNCH 
- handle the various VM exits
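As an added example (not code from the slides), the pure-logic parts of the first steps in C: the "check VMX support" decision from CPUID.1:ECX and IA32_FEATURE_CONTROL, the CR0/CR4 fixed-bit test, and filling the VMXON region from IA32_VMX_BASIC. Reading those registers needs ring 0, so their values are passed in; the demo at the end uses a constructed IA32_VMX_BASIC value and a user-mode page whose virtual address stands in for the physical one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Bit positions below are the real ones from the Intel SDM. */
#define FEATURE_CONTROL_LOCK   (1ULL << 0)  /* IA32_FEATURE_CONTROL bit 0 */
#define FEATURE_CONTROL_VMXON  (1ULL << 2)  /* VMXON allowed outside SMX */
#define CPUID_1_ECX_VMX        (1U << 5)

enum vmx_status {
    VMX_OK = 0,
    VMX_NO_CPUID_SUPPORT,  /* CPUID.1:ECX.VMX[bit 5] is 0 */
    VMX_DISABLED_BY_BIOS,  /* IA32_FEATURE_CONTROL locked, VMXON bit clear */
    VMX_BAD_REGION         /* VMXON region not 4 KB aligned or too small */
};

/* "check VMX support": decide from CPUID.1:ECX and IA32_FEATURE_CONTROL. */
enum vmx_status vmx_check_support(uint32_t cpuid_1_ecx, uint64_t feature_control)
{
    if (!(cpuid_1_ecx & CPUID_1_ECX_VMX))
        return VMX_NO_CPUID_SUPPORT;
    /* With the lock bit set the MSR is read-only until reset, so a clear
     * VMXON bit means VMXON will #GP. With the lock bit clear the VMM may
     * set both bits itself before executing VMXON. */
    if ((feature_control & FEATURE_CONTROL_LOCK) &&
        !(feature_control & FEATURE_CONTROL_VMXON))
        return VMX_DISABLED_BY_BIOS;
    return VMX_OK;
}

/* CR0/CR4 must have every bit of IA32_VMX_CRx_FIXED0 set and no bit set
 * that is clear in IA32_VMX_CRx_FIXED1 (CR4.VMXE is among the FIXED0 bits). */
bool vmx_cr_is_valid(uint64_t cr, uint64_t fixed0, uint64_t fixed1)
{
    return (cr & fixed0) == fixed0 && (cr & ~fixed1) == 0;
}

/* IA32_VMX_BASIC: bits 30:0 = VMCS revision id, bits 44:32 = region size. */
uint32_t vmx_basic_revision_id(uint64_t vmx_basic)
{
    return (uint32_t)(vmx_basic & 0x7FFFFFFFU);
}
uint32_t vmx_basic_region_size(uint64_t vmx_basic)
{
    return (uint32_t)((vmx_basic >> 32) & 0x1FFFU);
}

/* "allocate VMXON region": a 4 KB-aligned page whose first dword is the
 * revision id (bit 31 clear) and whose remainder is zero. region_pa is the
 * physical address that will later be handed to VMXON. */
enum vmx_status vmx_init_vmxon_region(uint8_t *region, size_t region_len,
                                      uint64_t region_pa, uint64_t vmx_basic)
{
    uint32_t rev = vmx_basic_revision_id(vmx_basic);
    if ((region_pa & 0xFFFULL) != 0 || region_len < vmx_basic_region_size(vmx_basic))
        return VMX_BAD_REGION;
    memset(region, 0, region_len);
    memcpy(region, &rev, sizeof rev);  /* little-endian dword at offset 0 */
    return VMX_OK;
}

/* Constructed demo input: a made-up IA32_VMX_BASIC (revision 4, region
 * size 0x1000) and an aligned user-mode page; its virtual address stands
 * in for the physical address a real VMM would pass. */
#define DEMO_VMX_BASIC 0x00DA100000000004ULL
static uint8_t demo_vmxon_page[4096] __attribute__((aligned(4096)));

enum vmx_status demo_init_vmxon(void)
{
    return vmx_init_vmxon_region(demo_vmxon_page, sizeof demo_vmxon_page,
                                 (uint64_t)(uintptr_t)demo_vmxon_page,
                                 DEMO_VMX_BASIC);
}
```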
VMCS data organization 
#1 Guest state fields 
- saved on VM exits, loaded on VM entries 
#2 Host state fields 
- loaded on VM exits 
#3 Execution control fields 
- control VMX non-root operation 
#4 Exit control fields 
- control VM exits 
#5 Entry control fields 
- control VM entries 
#6 VM Exit info 
- VM-exit information saved on VM exits 
Execution control fields include: 
- pin-based controls 
- processor-based controls 
- exception-bitmap address 
- I/O bitmap address 
- Timestamp counter offset 
- CR0/CR4 guest/host masks 
- CR3 targets 
- MSR bitmaps
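The I/O bitmap and MSR bitmap fields above select which guest port and MSR accesses reach the VMM as VM exits. The following C is an added example, not code from the slides: it builds both bitmaps in the layout the Intel SDM defines and answers the question "will this access exit?", including the edge cases (ports above 0x7FFF live in bitmap B; MSRs outside the two 8K ranges exit regardless of the bitmap).

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Layouts from the Intel SDM. I/O bitmap A covers ports 0x0000-0x7FFF and
 * bitmap B covers 0x8000-0xFFFF; a set bit means "VM exit on access".
 * The 4 KB MSR bitmap is four 1 KB quarters: read-low (MSRs 0-0x1FFF),
 * read-high (0xC0000000-0xC0001FFF), write-low, write-high. MSRs outside
 * both ranges always exit, whatever the bitmap says. */
struct vmx_bitmaps {
    uint8_t io_a[4096];
    uint8_t io_b[4096];
    uint8_t msr[4096];
};

static void set_bit(uint8_t *map, uint32_t bit)
{
    map[bit / 8] |= (uint8_t)(1U << (bit % 8));
}
static bool test_bit(const uint8_t *map, uint32_t bit)
{
    return (map[bit / 8] >> (bit % 8)) & 1U;
}

/* All bits clear: no bitmap-driven exits until something is intercepted. */
void vmx_bitmaps_init(struct vmx_bitmaps *b) { memset(b, 0, sizeof *b); }

/* Request a VM exit on every IN/OUT to `port`. */
void vmx_io_intercept(struct vmx_bitmaps *b, uint16_t port)
{
    if (port < 0x8000) set_bit(b->io_a, port);
    else               set_bit(b->io_b, port - 0x8000);
}

bool vmx_io_exits(const struct vmx_bitmaps *b, uint16_t port)
{
    return port < 0x8000 ? test_bit(b->io_a, port)
                         : test_bit(b->io_b, port - 0x8000);
}

/* Bit offset of `msr` inside the read or write half; -1 if the bitmap
 * cannot describe this MSR. */
static int32_t msr_bit_offset(uint32_t msr, bool write)
{
    uint32_t base = write ? 2048U * 8U : 0U;  /* write halves start at byte 2048 */
    if (msr <= 0x1FFFU)
        return (int32_t)(base + msr);
    if (msr >= 0xC0000000U && msr <= 0xC0001FFFU)
        return (int32_t)(base + 1024U * 8U + (msr - 0xC0000000U));
    return -1;
}

/* Request a VM exit on RDMSR (write=false) or WRMSR (write=true) of `msr`.
 * Returns false when the MSR is outside the bitmap ranges (it exits anyway). */
bool vmx_msr_intercept(struct vmx_bitmaps *b, uint32_t msr, bool write)
{
    int32_t off = msr_bit_offset(msr, write);
    if (off < 0) return false;
    set_bit(b->msr, (uint32_t)off);
    return true;
}

bool vmx_msr_exits(const struct vmx_bitmaps *b, uint32_t msr, bool write)
{
    int32_t off = msr_bit_offset(msr, write);
    return off < 0 || test_bit(b->msr, (uint32_t)off);
}
```

The bitmaps only take effect when the "use I/O bitmaps" and "use MSR bitmaps" processor-based controls are set and the bitmap physical addresses are written into the VMCS.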
Accessing VMCS data 
- VMREAD: virtual address / physical address → READ 
- VMWRITE: virtual address / physical address → WRITE
Accessing VMCS data
Initialize VMM and Run VMM
Handling VM exits 
#6 VM Exit info
Handling VM exits
Virtual Machine Threat
Attacks on Binary Translator 
CVE-2009-1542 - VirtualPC instruction decoding 
• wbinvd (write back and invalidate cache), clts (clear task-switched flag in cr0) 
CVE-2008-4915 - VMware, Trap Flag Set by IRET Not Cleared for CCh Instruction 
CVE-2009-2267 - VMware Mishandled Exception on Page Faults 
… 
Attacks on Para-virtualization 
CVE-2008-4279 - VMware, Interrupt Can Occur at NonCanonical RIP After Indirect Jump 
CVE-2012-0217 - Advanced Exploitation of Xen Hypervisor Sysret VM Escape Vulnerability (http://www.vupen.com/blog/20120904.Advanced_Exploitation_of_Xen_Sysret_VM_Escape_CVE-2012-0217.php) 
… 
Attacks on Device Emulation / Acceleration 
CVE-2012-0217 (http://www.vupen.com/blog/20120904.Advanced_Exploitation_of_Xen_Sysret_VM_Escape_CVE-2012-0217.php)
Attacks on HVM 
CVE-2009-3827 - Virtual PC VMExit Event Confusion 
• exit reasons MOV_CR, MOV_DR 
• MOV_CR : checks guest CPL == 0 
• MOV_DR : !! (no CPL check) 
• DR registers can be manipulated from ring 3!? DoS?! 
CVE-2009-3722 - KVM VMExit Event Confusion 
• same bug as CVE-2009-3827 
For more details, see http://www.cr0.org/paper/jt-to-virtualisation_security.pdf.
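The two CVEs above share one defect: a VMEXIT handler that emulates a privileged instruction without re-checking the guest's privilege level. As an added example (not code from the slides or from either product), here is a small VMEXIT dispatcher in C with the check in place; the `exit_ctx` struct is a constructed snapshot of the VMCS fields a real handler would VMREAD, and the exit-reason numbers and exit-qualification layouts are the Intel SDM's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Basic exit reasons (bits 15:0 of the VM-exit reason field). */
enum exit_reason { EXIT_CPUID = 10, EXIT_MOV_CR = 28, EXIT_MOV_DR = 29,
                   EXIT_IO = 30, EXIT_RDMSR = 31, EXIT_WRMSR = 32 };

enum vmm_action { ACT_EMULATE, ACT_INJECT_GP, ACT_INJECT_UD, ACT_UNHANDLED };

/* Constructed snapshot of the VMCS fields a handler needs (VMREAD results). */
struct exit_ctx {
    uint32_t exit_reason;
    uint64_t exit_qualification;
    uint32_t guest_ss_access_rights;  /* DPL in bits 6:5 equals the CPL */
    uint64_t guest_cr4;
};

struct dr_access { unsigned dr; unsigned gpr; bool read; };

static unsigned guest_cpl(const struct exit_ctx *c)
{
    return (c->guest_ss_access_rights >> 5) & 3;
}

/* MOV DR exit qualification: bits 2:0 = DR number, bit 4 = direction
 * (1 = MOV from DR), bits 11:8 = general-purpose register. */
struct dr_access decode_mov_dr(uint64_t qual)
{
    struct dr_access a = { (unsigned)(qual & 7), (unsigned)((qual >> 8) & 0xF),
                           ((qual >> 4) & 1) != 0 };
    return a;
}

/* Hardened MOV DR handler. The SDM lists MOV DR exits as taking priority
 * over the CPU's own #GP (CPL > 0) and #UD (DR4/DR5 with CR4.DE), so the
 * VMM must raise those faults itself. The vulnerable pattern behind
 * CVE-2009-3827 / CVE-2009-3722 is this function without the CPL test. */
enum vmm_action handle_mov_dr(const struct exit_ctx *c, struct dr_access *out)
{
    struct dr_access a = decode_mov_dr(c->exit_qualification);
    if (guest_cpl(c) != 0)
        return ACT_INJECT_GP;
    if ((a.dr == 4 || a.dr == 5) && (c->guest_cr4 & (1ULL << 3)))  /* CR4.DE */
        return ACT_INJECT_UD;
    if (out) *out = a;
    return ACT_EMULATE;  /* a real VMM would now access the shadow DR */
}

/* MOV CR exit qualification: bits 3:0 = CR number, bits 5:4 = access type
 * (0 = MOV to CR, 1 = MOV from CR, 2 = CLTS, 3 = LMSW). All are CPL-0 only. */
enum vmm_action handle_mov_cr(const struct exit_ctx *c)
{
    return guest_cpl(c) == 0 ? ACT_EMULATE : ACT_INJECT_GP;
}

/* Top-level dispatcher: every privileged-instruction exit passes the same
 * CPL gate, so no individual handler can forget it. For RDMSR/WRMSR the
 * hardware normally raises #GP before exiting, so the gate there is defense
 * in depth rather than a correctness requirement. */
enum vmm_action dispatch_vmexit(const struct exit_ctx *c)
{
    switch (c->exit_reason & 0xFFFF) {
    case EXIT_CPUID:  return ACT_EMULATE;  /* legal at any CPL */
    case EXIT_MOV_CR: return handle_mov_cr(c);
    case EXIT_MOV_DR: return handle_mov_dr(c, NULL);
    case EXIT_RDMSR:
    case EXIT_WRMSR:  return guest_cpl(c) == 0 ? ACT_EMULATE : ACT_INJECT_GP;
    default:          return ACT_UNHANDLED;
    }
}
```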
VM Detection 
Too many to list!
HVM-based rootkit 
The first virtual-machine-based rootkit (http://www.invisiblethingslab.com/resources/bh07/IsGameOver.pdf)
HVM-based rootkit – keylogger 
[Diagram: PS/2 keyboard and mouse → keyboard controller → ports 0x60 / 0x64 → CPU, with CPU virtualization (the HVM rootkit) sitting between the controller and the OS] 
HVM rootkit 
• intercepts privileged CPU instructions (e.g. IN, OUT) 
• handles port I/O at the hardware level, before the OS sees it
Attack Hypervisor ?! or Another Attack Surface 
[Diagram: layers from top to bottom with the matching attacker position: OS / Device Drivers (OS-level rootkit), Hypervisor (HVM rootkit), BIOS and Chipset (rootkit code in SMM / ACPI / UEFI / PCI), CPU (CPU bugs? Microcode update?)] 
http://leaksource.files.wordpress.com/2013/12/nsa-ant-souffletrough.jpg
Thank you. 
Contact: fixbrain@gmail.com

2014.08.30 Virtual Machine Threat seminar
