Title: Attacks on Virtual Machine Emulators
Attacks on Virtual Machine Emulators
- Peter Ferrie
- Senior Principal Researcher
- Symantec Security Response
5 December 2006
Agenda
- Attack Types
- Types of Virtual Machine Emulators
- Detection of Hardware VMEs
- Detection of Software VMEs
- What can we do?
- Q and A
Attack Types
- DETECTION
- DENIAL-OF-SERVICE
- ESCAPE!
Attack Types: Detection
Attack Types: Denial-of-Service
Attack Types: Escape!
Types of Virtual Machine Emulators
- Virtual Machine Emulators
  - Hardware-Bound
    - Hardware-Assisted
    - Reduced-Privilege Guest
  - Pure Software
Reduced-Privilege Guest VMEs
- Software-based virtualization of important data structures and registers
- Guest runs at lower privilege level than before
- No way to avoid notification of all CPU events
Examples of Reduced-Privilege Guest VMEs
- VMware
- Xen
- Parallels
- Virtuozzo (probably)
Hardware-Assisted VMEs
- Uses CPU-specific instructions to place system into virtual mode
- Guest privileges unchanged
- Separate host and guest copies of important data structures and registers
- Guest copies have no effect on the host
- Host can request notification of specific CPU events
Examples of Hardware-Assisted VMEs
- BluePill
- Vitriol
- Xen 3.x
- Virtual Server 2005
- Parallels
- Virtuozzo (probably)
Detection of Hardware VMEs: TSC Method

    Physical Hardware           Virtual Hardware
    T1    Instruction 1         T1    Instruction 1
    T1+1  Instruction 2         T1+1  Instruction 2
    T1+2  Instruction 3         T1+2  VM fault
                                T1+N  Instruction 3

- where N is a large number
Detection of Hardware VMEs: TLB Method
1. Step 1 (fill)
   - T1: read memory 1
   - T1+X1: read memory 2
   - T1+X2: read memory 3
   - T1+X3: read memory 4
   - FT (Fill Time) = ((T1+X3) - T1) / 4
2. Step 2 (cached)
   - T2: read memory 1
   - T2+Y1: read memory 2
   - T2+Y2: read memory 3
   - T2+Y3: read memory 4
   - CT (Cached Time) = ((T2+Y3) - T2) / 4
3. Step 3 (detect)
   - Execute CPUID
   - T3: read memory 1
   - T3+Z1: read memory 2
   - T3+Z2: read memory 3
   - T3+Z3: read memory 4
   - DT (Detect Time) = ((T3+Z3) - T3) / 4
4. If DT ≈ CT, then physical
5. If DT ≈ FT, then virtual
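The two timing slides above describe a measurement, not code; the following is an added example, not from the original talk, written so that an analysis-environment operator can check whether the TSC method's CPUID cost gap is visible on their own host. It measures the RDTSC-bracketed cost of CPUID (the "VM fault" delay of the TSC slide) and implements the comparison rule of the TLB slide as a pure function; the threshold value and the "nearest of CT/FT" tie-break are assumptions of this example, and real thresholds must be calibrated per machine. The TLB memory-read part itself is not implemented here, only its verdict logic.

```c
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_X86_TSC 1
#else
#define HAVE_X86_TSC 0
#endif

/* Constructed, assumed threshold: CPUID usually costs tens to a few hundred
 * cycles on physical hardware and thousands when it forces a VM exit.
 * Calibrate on a known-physical host before trusting any verdict. */
#define ASSUMED_CPUID_CYCLE_THRESHOLD 1000ULL
#define TSC_TRIALS 64

int tsc_available(void) { return HAVE_X86_TSC; }

#if HAVE_X86_TSC
/* Read the time-stamp counter; volatile asm keeps the compiler from moving it
 * across the CPUID it brackets. */
static inline uint64_t rdtsc_now(void)
{
    uint32_t lo, hi;
    __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}
#endif

/* TSC method (slide 14): cost of one CPUID in cycles, minimum over several
 * trials so interrupts and scheduler noise are filtered out. Returns 0 when
 * the build target has no x86 TSC. */
uint64_t tsc_cpuid_cycles(void)
{
#if HAVE_X86_TSC
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < TSC_TRIALS; i++) {
        unsigned a, b, c, d;
        uint64_t t0 = rdtsc_now();
        __cpuid(0, a, b, c, d);   /* leaf 0 (vendor string); unconditionally intercepted by hardware-assisted VMEs */
        uint64_t t1 = rdtsc_now();
        (void)a; (void)b; (void)c; (void)d;
        if (t1 - t0 < best) best = t1 - t0;
    }
    return best;
#else
    return 0;
#endif
}

/* TSC verdict: 1 = CPUID cost is large enough to suggest a VM fault occurred. */
int tsc_verdict(uint64_t cycles, uint64_t threshold)
{
    return cycles > threshold;
}

/* TLB method verdict (slide 16): DT nearer to the cached time CT means the TLB
 * survived CPUID (physical, returns 0); DT nearer to the fill time FT means it
 * was flushed by a VM exit (virtual, returns 1). Assumed tie-break: a DT
 * exactly halfway is treated as physical. */
int tlb_verdict(double ft, double ct, double dt)
{
    double to_cached = dt > ct ? dt - ct : ct - dt;
    double to_fill   = dt > ft ? dt - ft : ft - dt;
    return to_fill < to_cached;
}

int main(void)
{
    if (!tsc_available()) {
        puts("no x86 time-stamp counter on this build target");
        return 0;
    }
    uint64_t cyc = tsc_cpuid_cycles();
    printf("min CPUID cost: %llu cycles -> %s (assumed threshold %llu)\n",
           (unsigned long long)cyc,
           tsc_verdict(cyc, ASSUMED_CPUID_CYCLE_THRESHOLD) ? "virtual suspected" : "physical-like",
           (unsigned long long)ASSUMED_CPUID_CYCLE_THRESHOLD);

    /* Constructed sample TLB timings (cycles per read) to show the rule. */
    double ft = 120.0, ct = 20.0;
    printf("TLB rule: DT=25 -> %s, DT=110 -> %s\n",
           tlb_verdict(ft, ct, 25.0) ? "virtual" : "physical",
           tlb_verdict(ft, ct, 110.0) ? "virtual" : "physical");
    return 0;
}
```

Run it once on a host known to be physical and once inside the VME under test; the useful output is the gap between the two minimum CPUID costs, not the absolute number, which is why the threshold is marked as an assumption and the minimum rather than the mean is kept.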
Pure Software VMEs
- CPU operation implemented entirely in software
- Emulated CPU does not have to match physical CPU
- Portable
- Can optionally support multiple CPU generations
- Examples
  - Hydra
  - Bochs
  - QEMU
Pure Software VMEs (Hybrid model)
- Commonly used by anti-virus software
- Emulates CPU and partial operating system
- CPU operation implemented entirely in software
- Examples
  - Atlantis
  - Sandbox
Malicious VMEs (SubVirt)
- Reduced-privilege guest
- Installs second operating system
- Runs on Windows and Linux
- Carries VirtualPC for Windows
- Carries VMware for Linux
- Difficult to detect compromised system
Detecting VMware
- IDT/GDT at high memory address
- Non-zero LDT
- Port 5658h
- Windows registry
- Video and ROM BIOS text strings
- Device names
- MAC address ranges
Detecting VirtualPC
- IDT/GDT at high memory address
- Non-zero LDT
- 0F 3F opcode
- 0F C7 C8 opcode
- Overly long instruction
- Device names
Detecting Parallels
- IDT/GDT at high memory address
- Non-zero LDT
- Device names
Detecting Bochs
- WBINVD flushes TLBs
- REP CMPS/SCAS flags
- CPUID processor name
- CPUID AMD K7 Easter Egg
- 32-bit ARPL register corruption
- 16-bit segment wraparound
- Device names
Attacking Bochs
- Bochs denial-of-service
  - Floppy with 18 sectors per track
  - Floppy with 512 bytes per sector
  - Non-ring0 SYSENTER CS MSR
Detecting Hydra
- REP MOVS/SCAS integer overflow
- 16-bit segment wraparound
Detecting QEMU
- CPUID processor name
- CPUID K7 Easter Egg
- CMPXCHG8B memory write
- Double-faulting CPU
Detecting Atlantis and Sandbox
- Unimplemented APIs
- Incorrectly-emulated APIs
  - Example: Beep() in Windows 9x vs Windows NT
- Unfortunately correct emulation
  - Example: not crashing on corrupted WMFs
What can we do?
- Reduced-privilege guests
  - Nothing
- VirtualPC
  - Intercept SIDT
  - Check for maximum instruction length
  - Remove custom CPUID processor name
- Bochs, Hydra, QEMU
  - Bug fixes
  - Full stealth should be possible
Questions?
- Thank you.
- e-mail peter_ferrie_at_symantec.com