
Attacks on Virtual Machine Emulators

Peter Ferrie, Senior Principal Researcher, Symantec Security Response. 5 December 2006.


Presentation Transcript


  1. Attacks on Virtual Machine Emulators. Peter Ferrie, Senior Principal Researcher, Symantec Security Response. 5 December 2006

  2. Agenda • 1 Attack Types • 2 Types of Virtual Machine Emulators • 3 Detection of Hardware VMEs • 4 Detection of Software VMEs • 5 What can we do? • 6 Q and A

  3. Attack Types • DETECTION • DENIAL-OF-SERVICE • ESCAPE!

  4. Attack Types : Detection

  5. Attack Types : Detection

  6. Attack Types : Denial-of-Service

  7. Attack Types : Escape!

  8. Attack Types : Escape!

  9. Types of Virtual Machine Emulators
      Virtual Machine Emulators
        • Hardware-Bound
            • Reduced-Privilege Guest
            • Hardware-Assisted
        • Pure Software

  10. Reduced-Privilege Guest VMEs • Software-based virtualization of important data structures and registers • Guest runs at lower privilege level than before • No way to avoid notification of all CPU events

  11. Examples of Reduced-Privilege Guest VMEs • VMware • Xen • Parallels • Virtuozzo (probably)

  12. Hardware-Assisted VMEs • Uses CPU-specific instructions to place system into virtual mode • Guest privileges unchanged • Separate host and guest copies of important data structures and registers • Guest copies have no effect on the host • Host can request notification of specific CPU events

  13. Examples of Hardware-Assisted VMEs • BluePill • Vitriol • Xen 3.x • Virtual Server 2005 • Parallels • Virtuozzo (probably)

  14. Detection of Hardware VMEs : TSC Method
      Physical Hardware            Virtual Hardware
      T1.......Instruction 1       T1.......Instruction 1
      T1+1.....Instruction 2       T1+1.....Instruction 2
      T1+2.....Instruction 3       T1+2.....[VM fault]
                                   T1+N.....Instruction 3
      where N is a large number

  15. Detection of Hardware VMEs : TLB Method
      Step 1:
        T1.........read memory 1
        T1+X1......read memory 2
        T1+X2......read memory 3
        T1+X3......read memory 4
        FT (Fill Time) = ((T1+X3)-T1)/4
      Step 2:
        T2.........read memory 1
        T2+Y1......read memory 2
        T2+Y2......read memory 3
        T2+Y3......read memory 4
        CT (Cached Time) = ((T2+Y3)-T2)/4

  16. Detection of Hardware VMEs : TLB Method
      Step 3: Execute CPUID
      Step 4:
        T3.........read memory 1
        T3+Z1......read memory 2
        T3+Z2......read memory 3
        T3+Z3......read memory 4
        DT (Detect Time) = ((T3+Z3)-T3)/4
      Step 5:
        If DT ~= CT, then physical
        If DT ~= FT, then virtual
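The two timing methods of slides 14 to 16, as an added example that is not part of Ferrie's slides: a user-mode C sketch that times CPUID with RDTSC (the TSC method) and measures the fill, cached and detect times of four page touches around a CPUID (the TLB method), with the slides' decision rules kept as separate pure functions so they can be exercised on constructed timings. It is the kind of self-test a sandbox operator runs inside their own analysis guest to learn whether these artifacts are exposed to the samples they detonate. Assumptions: x86 only (elsewhere the measurement functions report unsupported); a 4 KB page size; the 500-cycle TSC threshold and the "nearest reference point" tolerance rule are illustrative choices the slides do not give; and the fill measurement is only an approximation, since user mode cannot flush the TLB. One caveat a defender should know: the TLB method depends on the VM exit flushing the TLB, which held for 2006-era VT-x; processors with VPID keep guest TLB entries across exits, so on current hardware DT is expected to match CT even inside a VM.

```c
/* Added example, not from the slides: user-mode sketch of the TSC method
 * (slide 14) and the TLB method (slides 15-16). Thresholds are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__x86_64__) || defined(__i386__)
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

enum verdict { VERDICT_PHYSICAL, VERDICT_VIRTUAL, VERDICT_INCONCLUSIVE, VERDICT_UNSUPPORTED };

/* Slide 16's rule made concrete (assumption): FT and CT must be clearly
 * separable, then DT is classified by the nearer reference point. */
enum verdict classify_tlb(double ft, double ct, double dt) {
    if (ft <= ct * 1.5) return VERDICT_INCONCLUSIVE;
    double to_ct = dt > ct ? dt - ct : ct - dt;
    double to_ft = dt > ft ? dt - ft : ft - dt;
    return to_ct <= to_ft ? VERDICT_PHYSICAL : VERDICT_VIRTUAL;
}

/* Slide 14's rule: a trapped instruction costs N >> 1 cycles. */
enum verdict classify_tsc(uint64_t cycles, uint64_t threshold) {
    return cycles > threshold ? VERDICT_VIRTUAL : VERDICT_PHYSICAL;
}

#if HAVE_X86
#define PAGES 4
#define PAGE 4096

static inline uint64_t rdtsc(void) {            /* T1, T2, T3 on the slides */
    uint32_t lo, hi;
    __asm__ volatile("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}

/* CPUID exits to the hypervisor unconditionally under VT-x: the "[VM fault]". */
static inline void cpuid_leaf0(void) {
    uint32_t a = 0, b, c = 0, d;
    __asm__ volatile("cpuid" : "+a"(a), "=b"(b), "+c"(c), "=d"(d));
    (void)b; (void)d;
}

/* Average cycles per page touch: the "/4" in FT, CT and DT. */
static double time_touch(volatile unsigned char *buf) {
    unsigned sink = 0;
    uint64_t t0 = rdtsc();
    for (int i = 0; i < PAGES; i++) sink += buf[(size_t)i * PAGE];
    uint64_t t1 = rdtsc();
    (void)sink;
    return (double)(t1 - t0) / PAGES;
}
#endif

/* Slide 14: minimum of many CPUID timings (the minimum rejects interrupt noise). */
enum verdict tsc_method(uint64_t *cycles_out) {
#if HAVE_X86
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < 100; i++) {
        uint64_t t0 = rdtsc();
        cpuid_leaf0();
        uint64_t elapsed = rdtsc() - t0;
        if (elapsed < best) best = elapsed;
    }
    *cycles_out = best;
    return classify_tsc(best, 500);   /* 500 cycles: illustrative threshold */
#else
    *cycles_out = 0;
    return VERDICT_UNSUPPORTED;
#endif
}

/* Slides 15-16: fill, cached, CPUID, detect. User mode cannot flush the TLB,
 * so FT here only approximates a true cold fill. */
enum verdict tlb_method(double *ft, double *ct, double *dt) {
#if HAVE_X86
    unsigned char *raw = malloc((PAGES + 1) * PAGE);
    if (!raw) return VERDICT_INCONCLUSIVE;
    /* Page-align so each touch needs its own TLB entry. */
    volatile unsigned char *buf =
        (unsigned char *)(((uintptr_t)raw + PAGE - 1) & ~(uintptr_t)(PAGE - 1));
    *ft = time_touch(buf);   /* step 1: first touch fills the TLB entries */
    *ct = time_touch(buf);   /* step 2: entries are now cached */
    cpuid_leaf0();           /* step 3: force a VM exit if virtualised */
    *dt = time_touch(buf);   /* step 4: did the exit flush the entries? */
    free(raw);
    return classify_tlb(*ft, *ct, *dt);   /* step 5 */
#else
    *ft = *ct = *dt = 0;
    return VERDICT_UNSUPPORTED;
#endif
}

int main(void) {
    static const char *names[] = {"physical", "virtual", "inconclusive", "unsupported"};
    uint64_t cycles; double ft, ct, dt;
    enum verdict v = tsc_method(&cycles);
    printf("TSC method: CPUID costs %llu cycles -> %s\n", (unsigned long long)cycles, names[v]);
    v = tlb_method(&ft, &ct, &dt);
    printf("TLB method: FT=%.1f CT=%.1f DT=%.1f -> %s\n", ft, ct, dt, names[v]);
    return 0;
}
```

The measured numbers depend entirely on the CPU, the hypervisor and the noise of the moment, so a single run proves little; repeat it, look at the spread of FT, CT and DT, and treat the verdict as a hint about what a sample could observe rather than a certainty. Build with `cc -O2 tlb_tsc.c` and run inside the guest under test.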

  17. Pure Software VMEs • CPU operation implemented entirely in software • Emulated CPU does not have to match physical CPU • Portable • Can optionally support multiple CPU generations • Examples • Hydra • Bochs • QEMU

  18. Pure Software VMEs (Hybrid model) • Commonly used by anti-virus software • Emulates CPU and partial operating system • CPU operation implemented entirely in software • Examples • Atlantis • Sandbox

  19. Malicious VMEs (SubVirt) • Reduced-privilege guest • Installs second operating system • Runs on Windows and Linux • Carries VirtualPC for Windows • Carries VMware for Linux • Difficult to detect compromised system

  20. Detecting VMware • IDT/GDT at high memory address • Non-zero LDT • Port 5658h • Windows registry • Video and ROM BIOS text strings • Device names • MAC address ranges

  21. Detecting VirtualPC • IDT/GDT at high memory address • Non-zero LDT • 0F 3F opcode • 0F C7 C8 opcode • Overly long instruction • Device names

  22. Detecting Parallels • IDT/GDT at high memory address • Non-zero LDT • Device names

  23. Detecting Bochs • [WB] INVD flushes TLBs • REP CMPS/SCAS flags • CPUID processor name • CPUID AMD K7 Easter Egg • 32-bit ARPL register corruption • 16-bit segment wraparound • Device names

  24. Attacking Bochs • Bochs denial-of-service • Floppy with >18 sectors per track • Floppy with >512 bytes per sector • Non-ring0 SYSENTER CS MSR

  25. Detecting Hydra • REP MOVS/SCAS integer overflow • 16-bit segment wraparound

  26. Detecting QEMU • CPUID processor name • CPUID K7 Easter Egg • CMPXCHG8B memory write • Double-faulting CPU

  27. Detecting Atlantis and Sandbox • Unimplemented APIs • Incorrectly-emulated APIs • Example: Beep() in Windows 9x vs Windows NT • Unfortunately correct emulation • Example: not crashing on corrupted WMFs

  28. What can we do? • Reduced-privilege guests • Nothing • VirtualPC • Intercept SIDT • Check for maximum instruction length • Remove custom CPUID processor name • Bochs, Hydra, QEMU • Bug fixes • Full stealth should be possible

  29. Questions? Thank you. e-mail: peter_ferrie@symantec.com
