290 likes | 306 Views
Attacks on Virtual Machine Emulators. Peter Ferrie Senior Principal Researcher Symantec Security Response. 5 December 2006. 1. 2. 3. 4. 5. 6. Attack Types Types of Virtual Machine Emulators Detection of Hardware VMEs Detection of Software VMEs What can we do? Q and A. A G E N D A.
E N D
Attacks on Virtual Machine Emulators Peter Ferrie Senior Principal Researcher Symantec Security Response 5 December 2006
1 2 3 4 5 6 Attack Types Types of Virtual Machine Emulators Detection of Hardware VMEs Detection of Software VMEs What can we do? Q and A A G E N D A
Attack Types • DETECTION • DENIAL-OF-SERVICE • ESCAPE!
Types of Virtual Machine Emulators Virtual Machine Emulators Hardware-Bound Pure Software Hardware-Assisted Reduced-Privilege Guest
Reduced-Privilege Guest VMEs • Software-based virtualization of important data structures and registers • Guest runs at lower privilege level than before • No way to avoid notification of all CPU events
Examples of Reduced-Privilege Guest VMEs • VMware • Xen • Parallels • Virtuozzo (probably)
Hardware-Assisted VMEs • Uses CPU-specific instructions to place system into virtual mode • Guest privileges unchanged • Separate host and guest copies of important data structures and registers • Guest copies have no effect on the host • Host can request notification of specific CPU events
Examples of Hardware-Assisted VMEs • BluePill • Vitriol • Xen 3.x • Virtual Server 2005 • Parallels • Virtuozzo (probably)
Detection of Hardware VMEs : TSC Method Physical Hardware Virtual Hardware T1……Instruction 1 T1.……..Instruction 1 T1+1...Instruction 2 T1+1…..Instruction 2 T1+2...Instruction 3 T1+2…..[VM fault] T1+N….Instruction 3 where N is a large number
Detection of Hardware VMEs : TLB Method 1 T1………read memory 1 T1+X1…read memory 2 T1+X2…read memory 3 T1+X3…read memory 4 FT (Fill Time) = ((T1+X3)-T1)/4 T2………read memory 1 T2+Y1…read memory 2 T2+Y2…read memory 3 T2+Y3…read memory 4 CT (Cached Time) = ((T2+Y3)-T2)/4 2
Detection of Hardware VMEs : TLB Method 3 Execute CPUID T3………read memory 1 T3+Z1…read memory 2 T3+Z2…read memory 3 T3+Z3…read memory 4 DT (Detect Time) = ((T3+Z3)-T3)/4 If DT ~= CT, then physical If DT ~= FT, then virtual 4 5
Pure Software VMEs • CPU operation implemented entirely in software • Emulated CPU does not have to match physical CPU • Portable • Can optionally support multiple CPU generations • Examples • Hydra • Bochs • QEMU
Pure Software VMEs (Hybrid model) • Commonly used by anti-virus software • Emulates CPU and partial operating system • CPU operation implemented entirely in software • Examples • Atlantis • Sandbox
Malicious VMEs (SubVirt) • Reduced-privilege guest • Installs second operating system • Runs on Windows and Linux • Carries VirtualPC for Windows • Carries VMware for Linux • Difficult to detect compromised system
Detecting VMware • IDT/GDT at high memory address • Non-zero LDT • Port 5658h • Windows registry • Video and ROM BIOS text strings • Device names • MAC address ranges
Detecting VirtualPC • IDT/GDT at high memory address • Non-zero LDT • 0F 3F opcode • 0F C7 C8 opcode • Overly long instruction • Device names
Detecting Parallels • IDT/GDT at high memory address • Non-zero LDT • Device names
Detecting Bochs • [WB] INVD flushes TLBs • REP CMPS/SCAS flags • CPUID processor name • CPUID AMD K7 Easter Egg • 32-bit ARPL register corruption • 16-bit segment wraparound • Device names
Attacking Bochs • Bochs denial-of-service • Floppy with >18 sectors per track • Floppy with >512 bytes per sector • Non-ring0 SYSENTER CS MSR
Detecting Hydra • REP MOVS/SCAS integer overflow • 16-bit segment wraparound
Detecting QEMU • CPUID processor name • CPUID K7 Easter Egg • CMPXCHG8B memory write • Double-faulting CPU
Detecting Atlantis and Sandbox • Unimplemented APIs • Incorrectly-emulated APIs • Example: Beep() in Windows 9x vs Windows NT • Unfortunately correct emulation • Example: not crashing on corrupted WMFs
What can we do? • Reduced-privilege guests • Nothing • VirtualPC • Intercept SIDT • Check for maximum instruction length • Remove custom CPUID processor name • Bochs, Hydra, QEMU • Bug fixes • Full stealth should be possible
Questions? Thank you. e-mail: peter_ferrie@symantec.com