Attacks on Virtual Machine Emulators - PowerPoint PPT Presentation

1 / 29
About This Presentation
Title:

Attacks on Virtual Machine Emulators

Description:

Symantec Advanced Threat Research. Attack Types. Types of Virtual Machine Emulators ... Symantec Advanced Threat Research. Reduced-Privilege Guest VMEs ... – PowerPoint PPT presentation

Number of Views:216
Avg rating:3.0/5.0
Slides: 30
Provided by: peterf
Category:

less

Transcript and Presenter's Notes

Title: Attacks on Virtual Machine Emulators


1
Attacks on Virtual Machine Emulators
  • Peter Ferrie
  • Senior Principal Researcher
  • Symantec Security Response

5 December 2006
2
A G E N D A
  • Attack Types
  • Types of Virtual Machine Emulators
  • Detection of Hardware VMEs
  • Detection of Software VMEs
  • What can we do?
  • Q and A

3
Attack Types
  • DETECTION
  • DENIAL-OF-SERVICE
  • ESCAPE!

4
Attack Types Detection
5
Attack Types Detection
6
Attack Types Denial-of-Service
7
Attack Types Escape!
8
Attack Types Escape!
9
Types of Virtual Machine Emulators
Virtual Machine Emulators
Hardware-Bound Pure
Software
Hardware-Assisted Reduced-Privilege Guest
10
Reduced-Privilege Guest VMEs
  • Software-based virtualization of important data
    structures and registers
  • Guest runs at lower privilege level than before
  • No way to avoid notification of all CPU events

11
Examples of Reduced-Privilege Guest VMEs
  • VMware
  • Xen
  • Parallels
  • Virtuozzo (probably)

12
Hardware-Assisted VMEs
  • Uses CPU-specific instructions to place system
    into virtual mode
  • Guest privileges unchanged
  • Separate host and guest copies of important data
    structures and registers
  • Guest copies have no effect on the host
  • Host can request notification of specific CPU
    events

13
Examples of Hardware-Assisted VMEs
  • BluePill
  • Vitriol
  • Xen 3.x
  • Virtual Server 2005
  • Parallels
  • Virtuozzo (probably)

14
Detection of Hardware VMEs TSC Method
  • Physical Hardware Virtual Hardware
  • T1Instruction 1 T1...Instruction 1
  • T11...Instruction 2 T11..Instruction 2
  • T12...Instruction 3 T12..VM fault
  • T1N.Instruction 3
  • where N is a large number

15
Detection of Hardware VMEs TLB Method
1
  • T1read memory 1
  • T1X1read memory 2
  • T1X2read memory 3
  • T1X3read memory 4
  • FT (Fill Time) ((T1X3)-T1)/4
  • T2read memory 1
  • T2Y1read memory 2
  • T2Y2read memory 3
  • T2Y3read memory 4
  • CT (Cached Time) ((T2Y3)-T2)/4

2
16
Detection of Hardware VMEs TLB Method
3
  • Execute CPUID
  • T3read memory 1
  • T3Z1read memory 2
  • T3Z2read memory 3
  • T3Z3read memory 4
  • DT (Detect Time) ((T3Z3)-T3)/4
  • If DT CT, then physical
  • If DT FT, then virtual

4
5
17
Pure Software VMEs
  • CPU operation implemented entirely in software
  • Emulated CPU does not have to match physical CPU
  • Portable
  • Can optionally support multiple CPU generations
  • Examples
  • Hydra
  • Bochs
  • QEMU

18
Pure Software VMEs (Hybrid model)
  • Commonly used by anti-virus software
  • Emulates CPU and partial operating system
  • CPU operation implemented entirely in software
  • Examples
  • Atlantis
  • Sandbox

19
Malicious VMEs (SubVirt)
  • Reduced-privilege guest
  • Installs second operating system
  • Runs on Windows and Linux
  • Carries VirtualPC for Windows
  • Carries VMware for Linux
  • Difficult to detect compromised system

20
Detecting VMware
  • IDT/GDT at high memory address
  • Non-zero LDT
  • Port 5658h
  • Windows registry
  • Video and ROM BIOS text strings
  • Device names
  • MAC address ranges

21
Detecting VirtualPC
  • IDT/GDT at high memory address
  • Non-zero LDT
  • 0F 3F opcode
  • 0F C7 C8 opcode
  • Overly long instruction
  • Device names

22
Detecting Parallels
  • IDT/GDT at high memory address
  • Non-zero LDT
  • Device names

23
Detecting Bochs
  • WB INVD flushes TLBs
  • REP CMPS/SCAS flags
  • CPUID processor name
  • CPUID AMD K7 Easter Egg
  • 32-bit ARPL register corruption
  • 16-bit segment wraparound
  • Device names

24
Attacking Bochs
  • Bochs denial-of-service
  • Floppy with 18 sectors per track
  • Floppy with 512 bytes per sector
  • Non-ring0 SYSENTER CS MSR

25
Detecting Hydra
  • REP MOVS/SCAS integer overflow
  • 16-bit segment wraparound

26
Detecting QEMU
  • CPUID processor name
  • CPUID K7 Easter Egg
  • CMPXCHG8B memory write
  • Double-faulting CPU

27
Detecting Atlantis and Sandbox
  • Unimplemented APIs
  • Incorrectly-emulated APIs
  • Example Beep() in Windows 9x vs Windows NT
  • Unfortunately correct emulation
  • Example not crashing on corrupted WMFs

28
What can we do?
  • Reduced-privilege guests
  • Nothing
  • VirtualPC
  • Intercept SIDT
  • Check for maximum instruction length
  • Remove custom CPUID processor name
  • Bochs, Hydra, QEMU
  • Bug fixes
  • Full stealth should be possible

29
Questions?
  • Thank you.
  • e-mail peter_ferrie_at_symantec.com
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Attacks on Virtual Machine Emulators" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!