搜索
SecurityChallengesinVirtualizedEnvironmentsJoannaRutkowska,InvisibleThingsLabRSAConference,SanFrancisco,April8th2008Virtualization-basedMALWAREUsingVirtualMachinesforISOLATIONNESTEDvirtualization123Virtualization-basedMALWAREHardwareOSHardwareOSBluePillHardwareAMD-VIntelVTxBluePillCharacteristicsNOHOOKS!CannotbedetectedusinganyintegrityscannerOntheflyinstallationNoboot/BIOS/etcmodificationsnecessaryNoI/OvirtualizationNegligibleperformanceimpact(yourbrandnew3Dcardwillstillwork!)BluePilldetectionBluePilldetectionDetectingaVMMDetectingvirtualizationbasedmalwareVMMdetectionDirecttiminganalysisBlueChickenCPUspecificbehaviorTLBprofilingGuesttimevirtualizationHPETtimersVMMdetection?•Everythingisgoingtobevirtualized!•Thustheinformationthat“thereisahypervisorinthesystem”...•...wouldbeprettymuchuseless...Detectingvirtualizedmalware?NoHooks!SearchforcodeDetectactivity(e.g.networkpackets)•StealthbyDesignconcept•CovertchannelsWon’tworkNestedPageTables(hardwareSPT)ByPatternHeuristicsSimpleObfuscation0daymalware“Massive”malwareButwhywecan’tuseobfuscationfor“classic”malware?Becauseitleaveshooksanyways!Andwecanalwaysfindthosehooks,nomatterhowobfuscatedtheclassicmalwareis!ThewholebigdealaboutBluePillis:NOHOOKSinthesystem!BluePillpreventionDisablevirtualization?HowaboutalsodisablingyournetworkcardsoyounevergotinfectedfromtheInternet?Installatrustedhypervisorfirst?InstallingtrustedhypervisorStaticRootofTrustMeasurementDynamicRootofTrustMeasurementBIOSMBRVMMe.g.MSBitlockerSENTER(IntelTXT)SKINIT(AMDSVM)Trustedvs.Secure?•SRTMandDRTMonlyassuresthatwhatweloadistrusted...•...atthemomentofloading!•3seclater...itcouldbeexploitedandgetcompromised!Trusted!=Secure(e.g.flawless)E.g.#1:ThefamousDMAproblem(Trusted)HypervisorOSHardwareSomedriverSomedeviceI/O:asksthedevicetosetupaDMAtransferRead/Writememoryaccess!IOMMU•Solutiontotheproblemof“DMAattacks”•Intelcallsit:VT-d•NotmuchPChardwaresupportsityet•Expectedtochangesoon•NoTHINHYPERVISORSwithoutIOMMU!OtherproblemswithVMMs?Staytuned...Allinall:it’snottrivialtohaveatrusted&securehypervisorinstalled......butforsurethisistheproperwaytogo...Virtualization-basedMALWAREUsingVirtualMachinesforISOLATIONNESTEDvirtualization123UsingVirtualMachinesforISOLATIONOriginallyISOLATIONwassupposedtobeprovidedbyOperatingSystems...•Separateprocesses/addressspaces,•Useraccounts&ACLs...ButinpracticecurrentOSessimplyfailatprovidingisolation!WhyOSesfail?•Kernelbugs!•Kernelbugs!!•Kernelbugs!!!•Baddesign,e.g.:•XPand“allrunsasadmin”assumption•Vista’sUACassumesadminrightsshouldbegrantedtoeveryinstallerprogram!VMMsfortherescue!Vista(workprojects)Linux+Firefox(“random”surfing)Linux+Firefox(onlinebanking)MacOSX(“home”,e.g.pics,music,etc)trusted&securehypervisorChallenges•Performance•WhyisVMM/hypervisorgoingtobemoresecurethenOS’skernel?VMMbugs?VMMBugsBugsinhypervisorsBugsinadditionalinfrastructureE.g.#1:CVE-2007-4496•VMWareESX3.0.1••FoundbyRafalWojtczuk(McAfee)•September2007•GuestOScancausememorycorruptiononthehostandpotentiallyallowforarbitrarycodeexecutiononthehostE.g.#2:CVE-2007-0948•MicrosoftVirtualServer2005R2••FoundbyRafalWojtczuk(McAfee)•August2007•Heap-basedbufferoverflowallowsguestOStoexecutearbitrarycodeonthehostOSE.g.#3:CVE-2007-4993•Xen3.0.3•=1068•FoundbyJorisvanRantwijk•September2007•Bycraftingagrub.conffile,therootuserinaguestdomaincantriggerexecutionofarbitraryPythoncodeindomain0.E.g.#4:VariousBugs•PaperbyTavisOrmandy(Google)••April2007•DisclosedbugsinVMWare,XEN,Bochs,VirtualPC,Prallels•Asimplefuzzersfor:•InstructionparsingbyVMMs•I/OdeviceemulationbyVMMsAsyouseecurrentVMMsarefarfrombeingflawless...TomakeVMMsmoresecureweneedtokeepthemultra-thinandsmall!PhoenixHyperSpaceHyperCore:thetypeIhypervisorusedforHyperSpaceHyperCoreVista(HVM)AppSpace#1(DomUPV)ManageSpace(Dom0PV)DeviceModelVirtualizer/Drivers(DomU)HardwareAppSpace#2(DomUPV)TheHyperCore•Targetsdesktop/laptopsystems•GuestOSexecuteatnear-nativeperformance(includingfancygraphics)•SupportforfullACPI(PowerManagement)•Integrity:loadedviaSecureCoreBIOS(StaticRootofTrustMeasurement)•Verythin-easytoaudit!Speedingthingsup•Passthroughformostdevices•SPT:1-1mappingformostpagesforthePrimaryOSPowerManagement•ACPItablesexposedtothePrimaryOS,sothattheoverallpowerperformanceisoptimized•EfficientinterceptsforpowermanagementcontrolIntegrity•StaticRTMviaPhoenix’sSecureCoreBIOS•DynamicRTMviaIntel’sTXT/AMD’sSKINIT•SMM-basedwatchdogforHyperCorecodeVirtualization-basedMALWAREUsingVirtualMachinesforISOLATIONNESTEDvirtualization123NESTEDvirtualizationWhatifauserwantstorune.g.VirtualPChere?VM1VM2(NestedHypervisor)Hypervisor(Primary)VM21VM3VM22VM4VM221VM222Ideaofhowtohandlethissituation...HypervisorVM1VM2VM3VM21VM22VM221VM222HypervisorVM1VM2VM3VM21VM22VM221VM222Now,letslookattheactualdetails:)Let’sstartwithAMD-V...VMRUNVMCB0VMRUNRDMSRVMCB0VMCB0VMRUNVMCB0VMRUN?VMCB1VMRUNVMCB0VMRUNVM