SlideShare a Scribd company logo

D1 t2 jonathan brossard - breaking virtualization by switching to virtual 8086 mode

K
kbour23
Technology
1 of 77
Download to read offline
Jonathan Brossard CTO - P1 Code Security jonathan@p1sec.com endrazine@gmail.com
Agenda Virtualization : big picture Attack surface analysis The need for new tools Introducing Virtual 8086 mode • Practical fuzzing with vm86()
Virtualization : time to care ! Market shares Definitions
Virtualization : market shares Source : Forrester Research 2009 78% of companies have production servers virtualized. 20% only have virtualized servers.
Virtualization : market shares Source : Forrester Research 2009 VMWare is present in 98% of the companies. Microsoft virtualization products are used by 17%. Citrix/Xen is used by 10%.
Bottom line... Virtualization software are so widespread that they have become more attractive targets than say web, mail or dns servers ! There is a lower variety too !
Definitions
Virtualization : Definitions Virtualization Virtualization is the name given to the simulation with higher level components, of lower level components. NOTE: Virtualization of applications (as opposed to full Oses) is out of topic.
Virtualization : Definitions Virtual Machine A virtual machine (VM) is : "an efficient, isolated duplicate of a real machine". -- Gerald J. Popek and Robert P. Goldberg (1974). "Formal Requirements for Virtualizable Third Generation Architectures", Communications of the ACM.
Paravirtualization
Virtualization : Definitions Paravirtualization Requires the modification of the guest Oses (eg: Xen, UML, Qemu with kquemu, VMWare Workstation with VMWare Tools). Opposed to « full virtualization ».
Virtualization : Definitions There are two types of virtualizations : Virtual Machine Monitors (or Hypervisors) of type I and type II.
Type I Hypervisor
Virtualization : Definitions Hypervisors of type I Run on bare metal (eg: Xen, Hyper-V, VMWare ESX).
Type II hypervisor
Virtualization : Definitions Hypervizors of type II Run as a process inside a host OS to virtualize guests Oses (eg: Qemu, Virtualbox, VMWare Workstation, Parallels).
Hardware assisted virtualization
Hardware assisted virtualization - Takes advantage of AMD-V On Intel VT-x CPU extentions for virtualization. - x64 Only. - The hypervizor is running in « ring -1 ». - Much like the NX bit : requires the motherboard to support it and activation in the BIOS.
Virtualization : Definitions Isolation Isolation of the userland part of the OS to simulate independant machines (eg: Linux- Vservers, Solaris « Zones », BSD « jails », OpenVZ under GNU/Linux).
Isolation
Attack surface analysis Depending on your perspective... What are the risks ? Where to attack ?
Privilege escalation on the host VMware Tools HGFS Local Privilege Escalation Vulnerability (http://labs.idefense.com/intelligence/ vulnerabilities/display.php?id=712)
Privilege escalation on the Guest CVE-2009-2267 « Mishandled exception on page fault in VMware » Tavis Ormandy and Julien Tinnes
Attacking other guests Vmare workstation guest isolation weaknesses (clipboard transfer) http://www.securiteam.com/securitynews/ 5GP021FKKO.html
DoS (Host + Guests) CVE-2007-4591 CVE-2007-4593 (bad ioctls crashing the Host+Guests)
Escape to host Rafal Wojtczuk (Invisible things, BHUS 2008) IDEFENSE VMware Workstation Shared Folders Directory Traversal Vulnerability (CVE-2007-1744)
Attack surface analysis : usage Hosting two companies on the same hardware is very common (shared hosting). Getting a shell on the same machine as a given target may therefor be a matter of paying a few euros a month.
Attack surface : conclusion Owning the Host OS from the Guest is practical : security through virtualization is a failure. Seemingly minor bugs (local, DoS) do matter : virtualization amplifies consequences.
The need for dedicated methodologies and tools
The need for new tools : example How to dynamically test a virtual Hard Drive ?
How to dynamically test a virtual Hard Drive ? Naive approach Standard API : ssize_t read(int fd, void *buf, size_t count); ssize_t write(int fd, const void *buf, size_t count); This would mostly fuzz the kernel, not the Virtual Machine :( We need something (much) lower level.
Standard (low level) attack vectors Ioports: outb, outw, outl, outsb, outsw, outsl, inb, inw, inl, insb, insw, insl, outb_p, outw_p, outl_p, inb_p, inw_p, inl_p Problems: sequence, multiple ports Ioctls: int ioctl(int d, int request, ...) Problems : arbitrary input size !
How did we used to do it « back in the days » ? MS Dos : direct access to the hardware (interrupts : BIOS, HD, Display, …) Can we get back to this ?
Introducing the Virtual 8086 mode
Introducing the Virtual 8086 mode Introduced with Intel 386 (1985)
Introducing the Virtual 8086 mode Intel x86 cpus support 3 modes - Protected mode - Real mode - System Management Mode (SMM)
Introducing the Virtual 8086 mode Protected mode This mode is the native state of the processor. Among the capabilities of protected mode is the ability to directly execute “real-address mode” 8086 software in a protected, multi-tasking environment. This feature is called virtual-8086 mode, although it is not actually a processor mode. Virtual-8086 mode is actually a protected mode attribute that can be enabled for any task.
Introducing the Virtual 8086 mode Real-address mode This mode implements the programming environment of the Intel 8086 processor with extensions (such as the ability to switch to protected or system management mode). The processor is placed in real-address mode following power-up or a reset.
Introducing the Virtual 8086 mode System management mode (SMM) This mode provides an operating system or executive with a transparent mechanism for implementing platform specific functions such as power management and system security. The processor enters SMM when the external SMM interrupt pin (SMI#) is activated or an SMI is received from the advanced programmable interrupt controller (APIC).
Nice things about Real mode / Virtual 8086 mode Direct access to hardware via interruptions !
example: Mov ah, 0x42 ; read sector from drive Mov ch, 0x01 ; Track Mov cl, 0x02 ; Sector Mov dh, 0x03 ; Head Mov dl, 0x80 ; Drive (here first HD) Mov bx, offset buff ; es:bx is destination Int 0x13 ; hard disk operation
Complexity ax*bx*cx*dx (per interruption) Id est: [0;65535]^4 ~ 1.8 * 10^19 => still huge => much better than ioctl()'s arbitrary input length !
Introducing the Virtual 8086 mode Problem is... is this even possible inside a virtual machine ?
Introducing the Virtual 8086 mode A closer look at the boot sequence...
Introducing the Virtual 8086 mode The kernel boots in (16b) real mode, and then switches to protected mode (32b). The cpu normally doesn't get back to real mode untill next reboot.
Introducing the Virtual 8086 mode Corollary The hypervisor could run under any mode. protected mode in practice (being it ring0, ring1 or ring3). All of the guests run only in protected mode.
Now how to swith to Virtual 8086 mode ? It this even possible ?
Leaving protected mode ? (Ascii Art : Courtesy of phrack 65) Setting the VM flag in CR0 under protected mode would get us to Virtual Mode Removing the PE flag from CR0 would get us back to real mode
Leaving protected mode ? linux-2.6.31/arch/x86/kernel/reboot.c: static const unsigned char real_mode_switch [] = { 0x66, 0x0f, 0x20, 0xc0, /* movl %cr0,%eax */ 0x66, 0x83, 0xe0, 0x11, /* andl $0x00000011,%eax */ 0x66, 0x0d, 0x00, 0x00, 0x00, 0x60, /* orl $0x60000000,%eax */ 0x66, 0x0f, 0x22, 0xc0, /* movl %eax,%cr0 */ 0x66, 0x0f, 0x22, 0xd8, /* movl %eax,%cr3 */ 0x66, 0x0f, 0x20, 0xc3, /* movl %cr0,%ebx */ 0x66, 0x81, 0xe3, 0x00, 0x00, 0x00, 0x60, /* andl $0x60000000,%ebx */ 0x74, 0x02, /* jz f */ 0x0f, 0x09, /* wbinvd */ 0x24, 0x10, /* f: andb $0x10,al */ 0x66, 0x0f, 0x22, 0xc0 /* movl %eax,%cr0 */ };
Trouble is... This obviously won't work inside a virtual machine ! Because CR[1-4] registers are themselves emulated
IS THIS « GAME OVER » ? Actually not quite ...
Truth is : we don't need to switch back to real mode/ virtual 8086 mode ! Most Operating systems offer a way to run 16b applications (eg: MS DOS) under protected mode by emulating a switch to Virtual 8086 Mode. Notably Windows (x86) and Linux (x86).
The Windows case NTVDM : ntvdm.exe « Windows 16b Virtual Machine »
The Linux case The linux kernel provides an emulation of real mode in the form of two syscalls: #define __NR_vm86old 113 #define __NR_vm86 166
The Linux case #include <sys/vm86.h> int vm86old(struct vm86_struct *info); int vm86(unsigned long fn, struct vm86plus_struct *v86);
struct vm86_struct { struct vm86_regs regs; unsigned long flags; unsigned long screen_bitmap; unsigned long cpu_type; struct revectored_struct int_revectored; struct revectored_struct int21_revectored; };
The Linux case linux-2.6.31/arch/x86/include/asm/vm86.h: struct vm86_regs { long ebx; long ecx; long edx; long esi; long edi; long ebp; long eax; (…) unsigned short es, __esh; unsigned short ds, __dsh; unsigned short fs, __fsh; unsigned short gs, __gsh; };
In a nutshell - The switch to Virtual mode is entirely emulated by the kernel (this will work inside a VM) - We can still program using old school interruptions (easy !) - Those interruptions are delivered to the hardware (id est: either the emulated one, or the real one). => We just got a « bare metal (possibly virtualized) hardware interface »
The x64 case...
The x64 case X64 cpus in 64b long mode can't swith to Virtual mode. That's too bad : we'd like to fuzz latest Vmware ESX or Microsoft HyperV (necessarily under x64). But under virtualization, the switch to VM86 mode is being emulated by the kernel...
The x64 case Using kernel patches, we can add VM86 capabilities to a x64 GNU/Linux kernel. EG: http://v86-64.sourceforge.net to run Dosemu under x64. What's not possible in real hardware becomes possible under a virtualized environment !
Practical use : Fuzzing using vm86()
Practical use : Fuzzing using vm86() Looking at the IVT allows us to fuzz all the hardware know after BIOS Post, efficently (no calls to empty/ dummy interrupts).
Practical use : Fuzzing using vm86() Exemple bugs !
Practical use : Fuzzing using vm86() Bugs in hypervizors...
Virtualbox 00:21:13.603 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 00:21:13.603 !! 00:21:13.603 !! Guru Meditation -2403 (VERR_TRPM_DONT_PANIC) 00:21:13.603 !! 00:21:13.603 !! TRAP=0e ERRCD=0000000000000000 CR2=00000000000c0000 EIP=ff215e33 Type=0 00:21:13.603 !! EIP in VMMGC.gc (ff1dd000) at rva 38e33 near symbols: 00:21:13.603 !! ff215df0 rva 00038df0 off 00000043 _ZL10disCoreOneP12_DISCPUSTATEyPj 00:21:13.603 !! ff216040 rva 00039040 off -0000020d DISCoreOneEx 00:21:13.603 !! fff8:ff215e33 0f b6 10 movzx edx, byte [eax] 00:21:13.603 !! 00:21:13.603 !! 00:21:13.603 !! 00:21:13.603 Hypervisor CPUM state: se 00:21:13.603 .eax=000c0000 .ebx=fed69cfc .ecx=00000000 .edx=00000000 .esi=00000001 .edi=fec0 1000
Virtualbox (take 2) 00:02:51.129 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 00:02:51.129 !! 00:02:51.129 !! Guru Meditation -2403 (VERR_TRPM_DONT_PANIC) 00:02:51.129 !! 00:02:51.129 !! TRAP=0e ERRCD=0000000000000000 CR2=00000000000ab000 EIP=ff215e33 Type=0 00:02:51.129 !! EIP in VMMGC.gc (ff1dd000) at rva 38e33 near symbols: 00:02:51.129 !! ff215df0 rva 00038df0 off 00000043 _ZL10disCoreOneP12_DISCPUSTATEyPj 00:02:51.129 !! ff216040 rva 00039040 off -0000020d DISCoreOneEx 00:02:51.129 !! fff8:ff215e33 0f b6 10 movzx edx, byte [eax] 00:02:51.129 !! 00:02:51.129 !! 00:02:51.129 !! 00:02:51.129 Hypervisor CPUM state: se 00:02:51.129 .eax=000ab000 .ebx=fed69cfc .ecx=00000000 .edx=00000000 .esi=00000001 .edi=fec0 1000 00:02:51.129 .eip=ff215e33 .esp=fed69c7c .ebp=fed69cc4 .iopl=0 rf nv up di nt zr ac pe cy
More (guest) bugs
Virtual PC
Parallels (Guest) -------------- Guest processor state --------------- Inhibit Mask=0 CS=FF63 [0000FFFF 0000F30F] V=1 SS=FFD3 [0000FFFF 00CF9300] V=1 DS=0018 [0000FFFF 00CFF300] V=1 ES=0018 [0000FFFF 00CFF300] V=1 FS=FF9B [0000FFFF 00CF9300] V=1 GS=0018 [0000FFFF 00CF9300] V=1 EAX=000000A9 EBX=00005148 ECX=0000F686 EDX=0000000B ESI=00002D72 EDI=000007E4 EBP=00002E99 ESP=00000FFA EIP=0000FE96 EFLAGS=00023202
What about x64 ?
Attacking Microsoft HyperV
DEMOS
DEMO Adding layers of virtualization is actually a bad idea : the only way is to secure the software is to properly test it for security bugs...
Thank you for coming Questions ?

Recommended

[Ruxcon] Breaking virtualization by switching the cpu to virtual 8086 mode
[Ruxcon] Breaking virtualization by switching the cpu to virtual 8086 mode[Ruxcon] Breaking virtualization by switching the cpu to virtual 8086 mode
[Ruxcon] Breaking virtualization by switching the cpu to virtual 8086 modeMoabi.com
 
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Nate Lawson
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory AnalysisMoabi.com
 
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj MishraMalicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj MishraOWASP Delhi
 
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploitExploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploitCarlos Eduardo
 
GOD MODE Unlocked: Hardware backdoors in x86 CPUs
GOD MODE Unlocked: Hardware backdoors in x86 CPUsGOD MODE Unlocked: Hardware backdoors in x86 CPUs
GOD MODE Unlocked: Hardware backdoors in x86 CPUsPriyanka Aash
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON
 
Linux: the first second
Linux: the first secondLinux: the first second
Linux: the first secondAlison Chaiken
 

Recommended

[Ruxcon] Breaking virtualization by switching the cpu to virtual 8086 mode
[Ruxcon] Breaking virtualization by switching the cpu to virtual 8086 mode[Ruxcon] Breaking virtualization by switching the cpu to virtual 8086 mode
[Ruxcon] Breaking virtualization by switching the cpu to virtual 8086 modeMoabi.com
 
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Nate Lawson
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory AnalysisMoabi.com
 
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj MishraMalicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj MishraOWASP Delhi
 
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploitExploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploitCarlos Eduardo
 
GOD MODE Unlocked: Hardware backdoors in x86 CPUs
GOD MODE Unlocked: Hardware backdoors in x86 CPUsGOD MODE Unlocked: Hardware backdoors in x86 CPUs
GOD MODE Unlocked: Hardware backdoors in x86 CPUsPriyanka Aash
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON
 
Linux: the first second
Linux: the first secondLinux: the first second
Linux: the first secondAlison Chaiken
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Alex Matrosov
 
Device tree
Device treeDevice tree
Device treeRouyun Pan
 
Hyperforce: Hypervisor-enForced Execution of Security-Critical Code
Hyperforce: Hypervisor-enForced Execution of Security-Critical CodeHyperforce: Hypervisor-enForced Execution of Security-Critical Code
Hyperforce: Hypervisor-enForced Execution of Security-Critical CodeFrancesco Gadaleta
 
Bind 8 Dns Cache Poisoning
Bind 8 Dns Cache PoisoningBind 8 Dns Cache Poisoning
Bind 8 Dns Cache Poisoningchrist1an
 
Kernel Recipes 2015: Representing device-tree peripherals in ACPI
Kernel Recipes 2015: Representing device-tree peripherals in ACPIKernel Recipes 2015: Representing device-tree peripherals in ACPI
Kernel Recipes 2015: Representing device-tree peripherals in ACPIAnne Nicolas
 
Sun fire x2250 technical training presentation
Sun fire x2250 technical training presentationSun fire x2250 technical training presentation
Sun fire x2250 technical training presentationxKinAnx
 
Device tree support on arm linux
Device tree support on arm linuxDevice tree support on arm linux
Device tree support on arm linuxChih-Min Chao
 
[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any means[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any meansMoabi.com
 
Hardware backdooring is practical : slides
Hardware backdooring is practical : slidesHardware backdooring is practical : slides
Hardware backdooring is practical : slidesMoabi.com
 
[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practicalMoabi.com
 
Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and ExploitationMattia Salvi
 
DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)Michael Smith
 
[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practical[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practicalMoabi.com
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Vincenzo Iozzo
 
Handout2o
Handout2oHandout2o
Handout2oShahbaz Sidhu
 
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...DefconRussia
 
Remote code execution in restricted windows environments
Remote code execution in restricted windows environmentsRemote code execution in restricted windows environments
Remote code execution in restricted windows environmentsBorja Merino
 
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...The Linux Foundation
 
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...Felipe Prado
 
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...Marco Balduzzi
 
syzkaller: the next gen kernel fuzzer
syzkaller: the next gen kernel fuzzersyzkaller: the next gen kernel fuzzer
syzkaller: the next gen kernel fuzzerDmitry Vyukov
 
Sierraware ARM hypervisor
Sierraware ARM hypervisor Sierraware ARM hypervisor
Sierraware ARM hypervisor Sierraware
 

More Related Content

What's hot

Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Alex Matrosov
 
Hyperforce: Hypervisor-enForced Execution of Security-Critical Code
Hyperforce: Hypervisor-enForced Execution of Security-Critical CodeHyperforce: Hypervisor-enForced Execution of Security-Critical Code
Hyperforce: Hypervisor-enForced Execution of Security-Critical CodeFrancesco Gadaleta
 
Bind 8 Dns Cache Poisoning
Bind 8 Dns Cache PoisoningBind 8 Dns Cache Poisoning
Bind 8 Dns Cache Poisoningchrist1an
 
Kernel Recipes 2015: Representing device-tree peripherals in ACPI
Kernel Recipes 2015: Representing device-tree peripherals in ACPIKernel Recipes 2015: Representing device-tree peripherals in ACPI
Kernel Recipes 2015: Representing device-tree peripherals in ACPIAnne Nicolas
 
Sun fire x2250 technical training presentation
Sun fire x2250 technical training presentationSun fire x2250 technical training presentation
Sun fire x2250 technical training presentationxKinAnx
 
Device tree support on arm linux
Device tree support on arm linuxDevice tree support on arm linux
Device tree support on arm linuxChih-Min Chao
 

What's hot (7)

Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
 
Device tree
Device treeDevice tree
Device tree
 
Hyperforce: Hypervisor-enForced Execution of Security-Critical Code
Hyperforce: Hypervisor-enForced Execution of Security-Critical CodeHyperforce: Hypervisor-enForced Execution of Security-Critical Code
Hyperforce: Hypervisor-enForced Execution of Security-Critical Code
 
Bind 8 Dns Cache Poisoning
Bind 8 Dns Cache PoisoningBind 8 Dns Cache Poisoning
Bind 8 Dns Cache Poisoning
 
Kernel Recipes 2015: Representing device-tree peripherals in ACPI
Kernel Recipes 2015: Representing device-tree peripherals in ACPIKernel Recipes 2015: Representing device-tree peripherals in ACPI
Kernel Recipes 2015: Representing device-tree peripherals in ACPI
 
Sun fire x2250 technical training presentation
Sun fire x2250 technical training presentationSun fire x2250 technical training presentation
Sun fire x2250 technical training presentation
 
Device tree support on arm linux
Device tree support on arm linuxDevice tree support on arm linux
Device tree support on arm linux
 

Similar to D1 t2 jonathan brossard - breaking virtualization by switching to virtual 8086 mode

[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any means[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any meansMoabi.com
 
Hardware backdooring is practical : slides
Hardware backdooring is practical : slidesHardware backdooring is practical : slides
Hardware backdooring is practical : slidesMoabi.com
 
[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practicalMoabi.com
 
Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and ExploitationMattia Salvi
 
DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)Michael Smith
 
[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practical[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practicalMoabi.com
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Vincenzo Iozzo
 
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...DefconRussia
 
Remote code execution in restricted windows environments
Remote code execution in restricted windows environmentsRemote code execution in restricted windows environments
Remote code execution in restricted windows environmentsBorja Merino
 
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...The Linux Foundation
 
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...Felipe Prado
 
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...Marco Balduzzi
 
syzkaller: the next gen kernel fuzzer
syzkaller: the next gen kernel fuzzersyzkaller: the next gen kernel fuzzer
syzkaller: the next gen kernel fuzzerDmitry Vyukov
 
Sierraware ARM hypervisor
Sierraware ARM hypervisor Sierraware ARM hypervisor
Sierraware ARM hypervisor Sierraware
 
Reducing attack surface on ICS with Windows native solutions
Reducing attack surface on ICS with Windows native solutionsReducing attack surface on ICS with Windows native solutions
Reducing attack surface on ICS with Windows native solutionsJan Seidl
 
sponsorAVAST-VB2014
sponsorAVAST-VB2014sponsorAVAST-VB2014
sponsorAVAST-VB2014Martin Hron
 
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilitiesBlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilitiesBlueHat Security Conference
 
NetBSD on Google Compute Engine (en)
NetBSD on Google Compute Engine (en)NetBSD on Google Compute Engine (en)
NetBSD on Google Compute Engine (en)Ryo ONODERA
 

Similar to D1 t2 jonathan brossard - breaking virtualization by switching to virtual 8086 mode (20)

[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any means[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any means
 
Hardware backdooring is practical : slides
Hardware backdooring is practical : slidesHardware backdooring is practical : slides
Hardware backdooring is practical : slides
 
[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical
 
Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation
 
DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)
 
[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practical[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practical
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
 
Handout2o
Handout2oHandout2o
Handout2o
 
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...
 
Remote code execution in restricted windows environments
Remote code execution in restricted windows environmentsRemote code execution in restricted windows environments
Remote code execution in restricted windows environments
 
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...
 
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
 
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...
 
syzkaller: the next gen kernel fuzzer
syzkaller: the next gen kernel fuzzersyzkaller: the next gen kernel fuzzer
syzkaller: the next gen kernel fuzzer
 
Sierraware ARM hypervisor
Sierraware ARM hypervisor Sierraware ARM hypervisor
Sierraware ARM hypervisor
 
AntiRE en Masse
AntiRE en MasseAntiRE en Masse
AntiRE en Masse
 
Reducing attack surface on ICS with Windows native solutions
Reducing attack surface on ICS with Windows native solutionsReducing attack surface on ICS with Windows native solutions
Reducing attack surface on ICS with Windows native solutions
 
sponsorAVAST-VB2014
sponsorAVAST-VB2014sponsorAVAST-VB2014
sponsorAVAST-VB2014
 
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilitiesBlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
 
NetBSD on Google Compute Engine (en)
NetBSD on Google Compute Engine (en)NetBSD on Google Compute Engine (en)
NetBSD on Google Compute Engine (en)
 

Recently uploaded

Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 

D1 t2 jonathan brossard - breaking virtualization by switching to virtual 8086 mode

  • 1. Jonathan Brossard CTO - P1 Code Security jonathan@p1sec.com endrazine@gmail.com
  • 2. Agenda Virtualization : big picture Attack surface analysis The need for new tools Introducing Virtual 8086 mode • Practical fuzzing with vm86()
  • 3. Virtualization : time to care ! Market shares Definitions
  • 4. Virtualization : market shares Source : Forrester Research 2009 78% of companies have production servers virtualized. 20% only have virtualized servers.
  • 5. Virtualization : market shares Source : Forrester Research 2009 VMWare is present in 98% of the companies. Microsoft virtualization products are used by 17%. Citrix/Xen is used by 10%.
  • 6. Bottom line... Virtualization software are so widespread that they have become more attractive targets than say web, mail or dns servers ! There is a lower variety too !
  • 8. Virtualization : Definitions Virtualization Virtualization is the name given to the simulation with higher level components, of lower level components. NOTE: Virtualization of applications (as opposed to full Oses) is out of topic.
  • 9. Virtualization : Definitions Virtual Machine A virtual machine (VM) is : "an efficient, isolated duplicate of a real machine". -- Gerald J. Popek and Robert P. Goldberg (1974). "Formal Requirements for Virtualizable Third Generation Architectures", Communications of the ACM.
  • 11. Virtualization : Definitions Paravirtualization Requires the modification of the guest Oses (eg: Xen, UML, Qemu with kquemu, VMWare Workstation with VMWare Tools). Opposed to « full virtualization ».
  • 12. Virtualization : Definitions There are two types of virtualizations : Virtual Machine Monitors (or Hypervisors) of type I and type II.
  • 14. Virtualization : Definitions Hypervisors of type I Run on bare metal (eg: Xen, Hyper-V, VMWare ESX).
  • 16. Virtualization : Definitions Hypervizors of type II Run as a process inside a host OS to virtualize guests Oses (eg: Qemu, Virtualbox, VMWare Workstation, Parallels).
  • 17. Hardware assisted virtualization
  • 18. Hardware assisted virtualization - Takes advantage of AMD-V On Intel VT-x CPU extentions for virtualization. - x64 Only. - The hypervizor is running in « ring -1 ». - Much like the NX bit : requires the motherboard to support it and activation in the BIOS.
  • 19. Virtualization : Definitions Isolation Isolation of the userland part of the OS to simulate independant machines (eg: Linux- Vservers, Solaris « Zones », BSD « jails », OpenVZ under GNU/Linux).
  • 21. Attack surface analysis Depending on your perspective... What are the risks ? Where to attack ?
  • 22. Privilege escalation on the host VMware Tools HGFS Local Privilege Escalation Vulnerability (http://labs.idefense.com/intelligence/ vulnerabilities/display.php?id=712)
  • 23. Privilege escalation on the Guest CVE-2009-2267 « Mishandled exception on page fault in VMware » Tavis Ormandy and Julien Tinnes
  • 24. Attacking other guests Vmare workstation guest isolation weaknesses (clipboard transfer) http://www.securiteam.com/securitynews/ 5GP021FKKO.html
  • 25. DoS (Host + Guests) CVE-2007-4591 CVE-2007-4593 (bad ioctls crashing the Host+Guests)
  • 26. Escape to host Rafal Wojtczuk (Invisible things, BHUS 2008) IDEFENSE VMware Workstation Shared Folders Directory Traversal Vulnerability (CVE-2007-1744)
  • 27. Attack surface analysis : usage Hosting two companies on the same hardware is very common (shared hosting). Getting a shell on the same machine as a given target may therefor be a matter of paying a few euros a month.
  • 28. Attack surface : conclusion Owning the Host OS from the Guest is practical : security through virtualization is a failure. Seemingly minor bugs (local, DoS) do matter : virtualization amplifies consequences.
  • 29. The need for dedicated methodologies and tools
  • 30. The need for new tools : example How to dynamically test a virtual Hard Drive ?
  • 31. How to dynamically test a virtual Hard Drive ? Naive approach Standard API : ssize_t read(int fd, void *buf, size_t count); ssize_t write(int fd, const void *buf, size_t count); This would mostly fuzz the kernel, not the Virtual Machine :( We need something (much) lower level.
  • 32. Standard (low level) attack vectors Ioports: outb, outw, outl, outsb, outsw, outsl, inb, inw, inl, insb, insw, insl, outb_p, outw_p, outl_p, inb_p, inw_p, inl_p Problems: sequence, multiple ports Ioctls: int ioctl(int d, int request, ...) Problems : arbitrary input size !
  • 33. How did we used to do it « back in the days » ? MS Dos : direct access to the hardware (interrupts : BIOS, HD, Display, …) Can we get back to this ?
  • 35. Introducing the Virtual 8086 mode Introduced with Intel 386 (1985)
  • 36. Introducing the Virtual 8086 mode Intel x86 cpus support 3 modes - Protected mode - Real mode - System Management Mode (SMM)
  • 37. Introducing the Virtual 8086 mode Protected mode This mode is the native state of the processor. Among the capabilities of protected mode is the ability to directly execute “real-address mode” 8086 software in a protected, multi-tasking environment. This feature is called virtual-8086 mode, although it is not actually a processor mode. Virtual-8086 mode is actually a protected mode attribute that can be enabled for any task.
  • 38. Introducing the Virtual 8086 mode Real-address mode This mode implements the programming environment of the Intel 8086 processor with extensions (such as the ability to switch to protected or system management mode). The processor is placed in real-address mode following power-up or a reset.
  • 39. Introducing the Virtual 8086 mode System management mode (SMM) This mode provides an operating system or executive with a transparent mechanism for implementing platform specific functions such as power management and system security. The processor enters SMM when the external SMM interrupt pin (SMI#) is activated or an SMI is received from the advanced programmable interrupt controller (APIC).
  • 40. Nice things about Real mode / Virtual 8086 mode Direct access to hardware via interruptions !
  • 41. example: Mov ah, 0x42 ; read sector from drive Mov ch, 0x01 ; Track Mov cl, 0x02 ; Sector Mov dh, 0x03 ; Head Mov dl, 0x80 ; Drive (here first HD) Mov bx, offset buff ; es:bx is destination Int 0x13 ; hard disk operation
  • 42. Complexity ax*bx*cx*dx (per interruption) Id est: [0;65535]^4 ~ 1.8 * 10^19 => still huge => much better than ioctl()'s arbitrary input length !
  • 43. Introducing the Virtual 8086 mode Problem is... is this even possible inside a virtual machine ?
  • 44. Introducing the Virtual 8086 mode A closer look at the boot sequence...
  • 45.
  • 46. Introducing the Virtual 8086 mode The kernel boots in (16b) real mode, and then switches to protected mode (32b). The cpu normally doesn't get back to real mode untill next reboot.
  • 47. Introducing the Virtual 8086 mode Corollary The hypervisor could run under any mode. protected mode in practice (being it ring0, ring1 or ring3). All of the guests run only in protected mode.
  • 48. Now how to swith to Virtual 8086 mode ? It this even possible ?
  • 49. Leaving protected mode ? (Ascii Art : Courtesy of phrack 65) Setting the VM flag in CR0 under protected mode would get us to Virtual Mode Removing the PE flag from CR0 would get us back to real mode
  • 50. Leaving protected mode ? linux-2.6.31/arch/x86/kernel/reboot.c: static const unsigned char real_mode_switch [] = { 0x66, 0x0f, 0x20, 0xc0, /* movl %cr0,%eax */ 0x66, 0x83, 0xe0, 0x11, /* andl $0x00000011,%eax */ 0x66, 0x0d, 0x00, 0x00, 0x00, 0x60, /* orl $0x60000000,%eax */ 0x66, 0x0f, 0x22, 0xc0, /* movl %eax,%cr0 */ 0x66, 0x0f, 0x22, 0xd8, /* movl %eax,%cr3 */ 0x66, 0x0f, 0x20, 0xc3, /* movl %cr0,%ebx */ 0x66, 0x81, 0xe3, 0x00, 0x00, 0x00, 0x60, /* andl $0x60000000,%ebx */ 0x74, 0x02, /* jz f */ 0x0f, 0x09, /* wbinvd */ 0x24, 0x10, /* f: andb $0x10,al */ 0x66, 0x0f, 0x22, 0xc0 /* movl %eax,%cr0 */ };
  • 51. Trouble is... This obviously won't work inside a virtual machine ! Because CR[1-4] registers are themselves emulated
  • 52. IS THIS « GAME OVER » ? Actually not quite ...
  • 53. Truth is : we don't need to switch back to real mode/ virtual 8086 mode ! Most Operating systems offer a way to run 16b applications (eg: MS DOS) under protected mode by emulating a switch to Virtual 8086 Mode. Notably Windows (x86) and Linux (x86).
  • 54. The Windows case NTVDM : ntvdm.exe « Windows 16b Virtual Machine »
  • 55.
  • 56. The Linux case The linux kernel provides an emulation of real mode in the form of two syscalls: #define __NR_vm86old 113 #define __NR_vm86 166
  • 57. The Linux case #include <sys/vm86.h> int vm86old(struct vm86_struct *info); int vm86(unsigned long fn, struct vm86plus_struct *v86);
  • 58. struct vm86_struct { struct vm86_regs regs; unsigned long flags; unsigned long screen_bitmap; unsigned long cpu_type; struct revectored_struct int_revectored; struct revectored_struct int21_revectored; };
  • 59. The Linux case linux-2.6.31/arch/x86/include/asm/vm86.h: struct vm86_regs { long ebx; long ecx; long edx; long esi; long edi; long ebp; long eax; (…) unsigned short es, __esh; unsigned short ds, __dsh; unsigned short fs, __fsh; unsigned short gs, __gsh; };
  • 60. In a nutshell - The switch to Virtual mode is entirely emulated by the kernel (this will work inside a VM) - We can still program using old school interruptions (easy !) - Those interruptions are delivered to the hardware (id est: either the emulated one, or the real one). => We just got a « bare metal (possibly virtualized) hardware interface »
  • 62. The x64 case X64 cpus in 64b long mode can't swith to Virtual mode. That's too bad : we'd like to fuzz latest Vmware ESX or Microsoft HyperV (necessarily under x64). But under virtualization, the switch to VM86 mode is being emulated by the kernel...
  • 63. The x64 case Using kernel patches, we can add VM86 capabilities to a x64 GNU/Linux kernel. EG: http://v86-64.sourceforge.net to run Dosemu under x64. What's not possible in real hardware becomes possible under a virtualized environment !
  • 64. Practical use : Fuzzing using vm86()
  • 65. Practical use : Fuzzing using vm86() Looking at the IVT allows us to fuzz all the hardware know after BIOS Post, efficently (no calls to empty/ dummy interrupts).
  • 66. Practical use : Fuzzing using vm86() Exemple bugs !
  • 67. Practical use : Fuzzing using vm86() Bugs in hypervizors...
  • 68. Virtualbox 00:21:13.603 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 00:21:13.603 !! 00:21:13.603 !! Guru Meditation -2403 (VERR_TRPM_DONT_PANIC) 00:21:13.603 !! 00:21:13.603 !! TRAP=0e ERRCD=0000000000000000 CR2=00000000000c0000 EIP=ff215e33 Type=0 00:21:13.603 !! EIP in VMMGC.gc (ff1dd000) at rva 38e33 near symbols: 00:21:13.603 !! ff215df0 rva 00038df0 off 00000043 _ZL10disCoreOneP12_DISCPUSTATEyPj 00:21:13.603 !! ff216040 rva 00039040 off -0000020d DISCoreOneEx 00:21:13.603 !! fff8:ff215e33 0f b6 10 movzx edx, byte [eax] 00:21:13.603 !! 00:21:13.603 !! 00:21:13.603 !! 00:21:13.603 Hypervisor CPUM state: se 00:21:13.603 .eax=000c0000 .ebx=fed69cfc .ecx=00000000 .edx=00000000 .esi=00000001 .edi=fec0 1000
  • 69. Virtualbox (take 2) 00:02:51.129 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 00:02:51.129 !! 00:02:51.129 !! Guru Meditation -2403 (VERR_TRPM_DONT_PANIC) 00:02:51.129 !! 00:02:51.129 !! TRAP=0e ERRCD=0000000000000000 CR2=00000000000ab000 EIP=ff215e33 Type=0 00:02:51.129 !! EIP in VMMGC.gc (ff1dd000) at rva 38e33 near symbols: 00:02:51.129 !! ff215df0 rva 00038df0 off 00000043 _ZL10disCoreOneP12_DISCPUSTATEyPj 00:02:51.129 !! ff216040 rva 00039040 off -0000020d DISCoreOneEx 00:02:51.129 !! fff8:ff215e33 0f b6 10 movzx edx, byte [eax] 00:02:51.129 !! 00:02:51.129 !! 00:02:51.129 !! 00:02:51.129 Hypervisor CPUM state: se 00:02:51.129 .eax=000ab000 .ebx=fed69cfc .ecx=00000000 .edx=00000000 .esi=00000001 .edi=fec0 1000 00:02:51.129 .eip=ff215e33 .esp=fed69c7c .ebp=fed69cc4 .iopl=0 rf nv up di nt zr ac pe cy
  • 72. Parallels (Guest) -------------- Guest processor state --------------- Inhibit Mask=0 CS=FF63 [0000FFFF 0000F30F] V=1 SS=FFD3 [0000FFFF 00CF9300] V=1 DS=0018 [0000FFFF 00CFF300] V=1 ES=0018 [0000FFFF 00CFF300] V=1 FS=FF9B [0000FFFF 00CF9300] V=1 GS=0018 [0000FFFF 00CF9300] V=1 EAX=000000A9 EBX=00005148 ECX=0000F686 EDX=0000000B ESI=00002D72 EDI=000007E4 EBP=00002E99 ESP=00000FFA EIP=0000FE96 EFLAGS=00023202
  • 75. DEMOS
  • 76. DEMO Adding layers of virtualization is actually a bad idea : the only way is to secure the software is to properly test it for security bugs...
  • 77. Thank you for coming Questions ?