crashos: hypervisor testing tool...2 crashos presentation 3 vulnerability research and results...
TRANSCRIPT
CrashOS: Hypervisor testing tool
ISSRE 2017
Anaïs GANTET - Airbus Digital Security
October 2017
CrashOS: Hypervisor testing tool
Outline
1 Why CrashOS?
2 CrashOS presentation
3 Vulnerability research and results
October 2017 2 ISSRE
CrashOS: Hypervisor testing tool
Outline
1 Why CrashOS?
2 CrashOS presentation
3 Vulnerability research and results
October 2017 3 ISSRE
CrashOS: Hypervisor testing tool
Project context
GoalTest the robustness of virtualization solutions
ScopeTargeted architecture: Intel x86
Initial targeted software: Ramooflax(https://github.com/airbus-seclab/ramooflax)
Other targeted software: VMware, Xen, etc.
October 2017 4 ISSRE
CrashOS: Hypervisor testing tool
Virtualization in a nutshell
Aim: allow several Operating Systems (OS) to share hardware resources
October 2017 5 ISSRE
CrashOS: Hypervisor testing tool
Virtualization in a nutshell
Aim: allow several Operating Systems (OS) to share hardware resources
October 2017 5 ISSRE
CrashOS: Hypervisor testing tool
Hypervisor role
To provide an equivalent environment to a physical machineProcessor virtualization
Let directly execute non-sensitive instructionsTrap and virtualize sensitive instructions
Memory access virtualization
Device virtualization
Hypervisors areComplex programs
Operating at low level
October 2017 6 ISSRE
CrashOS: Hypervisor testing tool
Security issues
Without virtualization:physical isolation
With virtualization:software isolation(implemented by hypervisors)
October 2017 7 ISSRE
CrashOS: Hypervisor testing tool
Security issues
Without virtualization:physical isolation
With virtualization:software isolation(implemented by hypervisors)
ProblemAre hypervisors reliable?
October 2017 7 ISSRE
CrashOS: Hypervisor testing tool
Our approach
Behaviour analysisBuild a testing VMImagine tests involving the hypervisor
Be aware of known hypervisor weak points (CVE)Instruction disassemblySensitive instruction emulationUnusual CPU configurationDevice virtualizationetc.
Launch them and observe hypervisor behaviour
October 2017 8 ISSRE
CrashOS: Hypervisor testing tool
Outline
1 Why CrashOS?
2 CrashOS presentation
3 Vulnerability research and results
October 2017 9 ISSRE
CrashOS: Hypervisor testing tool
Our way to build a malicious VM
Potential candidates?Windows, Linux: only partial control of hardwarecommunication
Simple Operating System, OSv, etc.: not appropriatefor vulnerability research
VESPA: Only part targeting device virtualization ispublished
October 2017 10 ISSRE
CrashOS: Hypervisor testing tool
Our way to build a malicious VM
Potential candidates?Windows, Linux: only partial control of hardwarecommunication
Simple Operating System, OSv, etc.: not appropriatefor vulnerability research
VESPA: Only part targeting device virtualization ispublished
Our choice: develop our own OS dedicated to test hypervisors
October 2017 10 ISSRE
CrashOS: Hypervisor testing tool
October 2017 11 ISSRE
CrashOS: Hypervisor testing tool
How does CrashOS work?
October 2017 12 ISSRE
CrashOS: Hypervisor testing tool
CrashOS test format
Init functionSave the current machine stateDefine the desired context
Test functionExecute instructionPrint adapted logs
Restore functionReinit the saved machine state
October 2017 13 ISSRE
CrashOS: Hypervisor testing tool
CrashOS: Core and libraries
System featuresPhysical memory access
Memory protection mechanisms
Interrupt handling
Device communication
Paravirtualization support
Example:
October 2017 14 ISSRE
CrashOS: Hypervisor testing tool
CrashOS: Core and libraries
System featuresPhysical memory access
Memory protection mechanisms
Interrupt handling
Device communication
Paravirtualization support
Example:
Other interesting featuresPrinting logs on the screen
Printing logs on the serial port
October 2017 14 ISSRE
CrashOS: Hypervisor testing tool
Outline
1 Why CrashOS?
2 CrashOS presentation
3 Vulnerability research and results
October 2017 15 ISSRE
CrashOS: Hypervisor testing tool
Attack approach
PrerequisitesAdvanced understanding of Intel processormechanisms
Good knowledge of hypervisor role
Elaboration of relevant testsNot only fuzz all instructionsAlways involve a specific hypervisor handling
Sensitive instructionsMemory managementDevice emulationetc.
October 2017 16 ISSRE
CrashOS: Hypervisor testing tool
A first example: write a ’big’ buffer on serial port COM 1
October 2017 17 ISSRE
CrashOS: Hypervisor testing tool
A first example: write a ’big’ buffer on serial port COM 1
October 2017 17 ISSRE
CrashOS: Hypervisor testing tool
A first example: write a ’big’ buffer on serial port COM 1
Buffer overflow and memory corruption of Ramooflax data (including VMCS)
October 2017 18 ISSRE
CrashOS: Hypervisor testing tool
A first example: write a ’big’ buffer on serial port COM 1
Buffer overflow in Ramooflax causes a VMware crash
October 2017 19 ISSRE
CrashOS: Hypervisor testing tool
A second example: Privilege changing (FAR JMP)
Our test caseLaunch FAR JMP from high level to low level (not allowed - segmentation fault mustoccur)
What is FAR JMP instruction?Changes the current execution context to a new one
Can modify the current privilege level
Why to test this instruction?FAR JMP success: only if parameters meet about 20 conditions
Sensitive instruction, intercepted and handled by hypervisors
Test based on CVE-2014-8595 - Xen HVM
October 2017 20 ISSRE
CrashOS: Hypervisor testing tool
A second example: Privilege changing (FAR JMP)
Xen (HVM):
October 2017 21 ISSRE
CrashOS: Hypervisor testing tool
A second example: Privilege changing (FAR JMP)
VMware:
October 2017 22 ISSRE
CrashOS: Hypervisor testing tool
CrashOS: Some test cases
October 2017 23 ISSRE
CrashOS: Hypervisor testing tool
Results and discussions
Vmware:Monitor panic VERIFYMonitor panic NOT_IMPLEMENTEDMonitor panic NOT_REACHEDMonitor panic EPT Misconfiguration
Contact: VMware Security Response CenterXen
Bad emulation of far jmp and far call instructions reportedOngoing to be fixed (https://lists.xenproject.org/archives/html/xen-devel/2017-09/msg03701.html)
RamooflaxAll bugs fixed
October 2017 24 ISSRE
CrashOS: Hypervisor testing tool
Conclusion and future outlook
CrashOS todayOpensource
Configurable minimal OS
Simplified framework to write attacks on hypervisors
First results on VMware, Xen and Ramooflax
Future outlookElaborate new tests
Implement new CrashOS features (64 bit support, nested virtualization, etc.)
Test other hypervisors (Xen PV, KVM, Virtualbox, etc.)
October 2017 25 ISSRE
CrashOS: Hypervisor testing tool
Thanks for your attention
Questions?
https://github.com/airbus-seclab/crashos
French paper: https://www.sstic.org/media/SSTIC2017/SSTIC-actes/crashos/SSTIC2017-Article-crashos-gantet.pdf
October 2017 26 ISSRE