TechTalk
Abusing The Hypervisor
By: Piotr T. Zbiegiel
Introduction
What is a Hypervisor?
• A Hypervisor is a piece of software that exists between the physical hardware and the virtual machines on a system. It mediates access from the VMs to the underlying hardware.
• Generally two types of hypervisors exist:
• Type 1 – The hypervisor runs directly on the hardware (aka bare metal).
• Type 2 – The system runs a standard operating system and the hypervisor is loaded within the context of that operating system.
• Some hypervisors don’t easily fit into one classification or the other.
[Figure: Type 1 Hypervisor. Layers: Hardware, Hypervisor, then VM 1 and VM 2, each with an OS running App 1 and App 2.]
Physical -> Virtual
• VMs possess virtual components and associated drivers that mirror physical counterparts.
• Displays
• Memory
• Disk
• Network
• These all present potential attack surfaces for exploiting the hypervisor or host operating system.
New *AND* Improved 0days?
• Before we dive into theoretical (and not so theoretical) hypervisor attacks it pays to talk about Duqu.
• Duqu exploited the font parsing engine in Windows to elevate privileges and execute code.
• Microsoft’s temporary workaround entailed disabling access to the TrueType font DLL.
• But how did the bad guys know to try this vector? Could it be that the font parsing engine had been patched before by Microsoft?
New *AND* Improved 0days? Cont’d
• Once a vulnerability is discovered in a given piece of software you can bet many more researchers will be looking for similar vulnerabilities elsewhere in the code.
• Depending on how (in)effective a vendor may be at patching, this could lead to numerous related vulnerabilities and attacks being discovered. Variations on a theme, if you will.
New *AND* Improved 0days? Cont’d
So what does this discussion of Duqu and zero-days have to do with hypervisor security?
It demonstrates two key points we should remember about securing kernels/hypervisors.
1. The less a kernel does the less target area there is to attack. (Why was the Windows kernel parsing fonts?)
2. Previously discovered vulnerabilities may be a good indication of future vulnerabilities. It may be prudent to limit access to modules compromised in the past if at all possible.
Low-level Intercept
• An attack theory where the malware would shim itself below an operating system in between the system software and hardware.
• A malware hypervisor?
• The operating system would have no way to detect the infection since it wouldn’t exist within the universe of the operating system.
Consider that similar malware already exists.
• Kernel-level rootkits can hide from the operating system but are more akin to mind-control parasites that take over the host’s brain.
[Image: Ophiocordyceps unilateralis]
Virtual CPU & Memory
KVM breakout? Or Xen vulnerability
Blue Pill
• In 2006 Joanna Rutkowska debuted new malware that slipped below the target OS and virtualized it.
• Because the malware controlled all access to the underlying hardware it could “lie” to the operating system.
• Kernel-level rootkits previously relied on modifying the kernel in an attempt to hide.
• Blue Pill did not need to modify the operating system and could infect a running system.
• Joanna insisted that this new class of malware was undetectable.
A Hard Pill to Swallow
• Other security researchers had a problem with Joanna’s claim that the malware was undetectable.
• They claimed detection would be trivial using a timing attack.
• Debate on the subject raged on until the next year when a group of researchers challenged Joanna to a showdown at Black Hat 2007.
Red vs. Blue (Pills)
• Joanna would secretly install her rootkit on one of two laptops.
• The researchers would then install their detection software and attempt to detect the malware.
• After some wrangling, including Joanna demanding up-front payment for her work on Blue Pill (to the tune of ~$400k)…the challenge never happened.
To date, blue-pill type malware has never been detected in the wild.
• Because it doesn’t exist…
• Or because it is so undetectable? (The mystery continues…)
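One form a timing-based detection can take, as an added example (not code from the talk or from either side of the Blue Pill debate): time an instruction that a hypervisor may intercept and compare its median cost with a limit measured on known-clean hardware. It assumes an x86 build and a hypervisor that intercepts CPUID (unconditional on Intel VT-x); LIMIT_CYCLES and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#endif
#define LIMIT_CYCLES 750 /* assumption: calibrate on known-clean hardware */

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}
/* Median resists interrupt outliers; sorts the buffer in place. */
uint64_t median_cycles(uint64_t *s, size_t n) {
    if (n == 0) return 0;
    qsort(s, n, sizeof *s, cmp_u64);
    return s[n / 2];
}
/* Median CPUID cost minus the cost of the two timestamp reads. */
uint64_t net_cost(uint64_t *probe, uint64_t *overhead, size_t n) {
    uint64_t p = median_cycles(probe, n), o = median_cycles(overhead, n);
    return p > o ? p - o : 0;
}
/* Fill both buffers; returns samples taken (0 when not built for x86). */
size_t sample_cpuid(uint64_t *probe, uint64_t *overhead, size_t n) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    for (size_t i = 0; i < n; i++) {
        uint64_t t0 = __rdtsc();
        overhead[i] = __rdtsc() - t0;
        t0 = __rdtsc();
        __cpuid(0, a, b, c, d); /* exits to the hypervisor if intercepted */
        probe[i] = __rdtsc() - t0;
        (void)a; (void)b; (void)c; (void)d;
    }
    return n;
#else
    (void)probe; (void)overhead; (void)n;
    return 0;
#endif
}
int main(void) {
    static uint64_t probe[1001], overhead[1001];
    size_t n = sample_cpuid(probe, overhead, 1001);
    if (n == 0) { puts("no x86 timestamp counter in this build"); return 0; }
    uint64_t net = net_cost(probe, overhead, n);
    printf("median CPUID cost %llu cycles: %s\n", (unsigned long long)net,
           net > LIMIT_CYCLES ? "consistent with a trap" : "below limit");
    return 0;
}
```

A hypervisor can offset or intercept the timestamp counter, which is one way it could “lie” to the operating system, so a low reading does not prove a clean host. Comparing against a time source outside the machine closes that gap.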
New Tech?
Old Attack Surfaces are New
Network Topology
Jails, Sandboxes, ???
Conclusion