Attacks on Virtual Machine Emulators - PowerPoint PPT Presentation

1 / 29
About This Presentation
Title:

Attacks on Virtual Machine Emulators

Description:

Symantec Advanced Threat Research. Attack Types. Types of Virtual Machine Emulators ... Symantec Advanced Threat Research. Reduced-Privilege Guest VMEs ... – PowerPoint PPT presentation

Number of Views:216
Avg rating:3.0/5.0
Slides: 30
Provided by: peterf
Category:

less

Transcript and Presenter's Notes

Title: Attacks on Virtual Machine Emulators


1
Attacks on Virtual Machine Emulators
  • Peter Ferrie
  • Senior Principal Researcher
  • Symantec Security Response

5 December 2006
2
A G E N D A
  • Attack Types
  • Types of Virtual Machine Emulators
  • Detection of Hardware VMEs
  • Detection of Software VMEs
  • What can we do?
  • Q and A

3
Attack Types
  • DETECTION
  • DENIAL-OF-SERVICE
  • ESCAPE!

4
Attack Types Detection
5
Attack Types Detection
6
Attack Types Denial-of-Service
7
Attack Types Escape!
8
Attack Types Escape!
9
Types of Virtual Machine Emulators
Virtual Machine Emulators
Hardware-Bound Pure
Software
Hardware-Assisted Reduced-Privilege Guest
10
Reduced-Privilege Guest VMEs
  • Software-based virtualization of important data
    structures and registers
  • Guest runs at lower privilege level than before
  • No way to avoid notification of all CPU events

11
Examples of Reduced-Privilege Guest VMEs
  • VMware
  • Xen
  • Parallels
  • Virtuozzo (probably)

12
Hardware-Assisted VMEs
  • Uses CPU-specific instructions to place system
    into virtual mode
  • Guest privileges unchanged
  • Separate host and guest copies of important data
    structures and registers
  • Guest copies have no effect on the host
  • Host can request notification of specific CPU
    events

13
Examples of Hardware-Assisted VMEs
  • BluePill
  • Vitriol
  • Xen 3.x
  • Virtual Server 2005
  • Parallels
  • Virtuozzo (probably)

14
Detection of Hardware VMEs TSC Method
  • Physical Hardware Virtual Hardware
  • T1Instruction 1 T1...Instruction 1
  • T11...Instruction 2 T11..Instruction 2
  • T12...Instruction 3 T12..VM fault
  • T1N.Instruction 3
  • where N is a large number

15
Detection of Hardware VMEs TLB Method
1
  • T1read memory 1
  • T1X1read memory 2
  • T1X2read memory 3
  • T1X3read memory 4
  • FT (Fill Time) ((T1X3)-T1)/4
  • T2read memory 1
  • T2Y1read memory 2
  • T2Y2read memory 3
  • T2Y3read memory 4
  • CT (Cached Time) ((T2Y3)-T2)/4

2
16
Detection of Hardware VMEs TLB Method
3
  • Execute CPUID
  • T3read memory 1
  • T3Z1read memory 2
  • T3Z2read memory 3
  • T3Z3read memory 4
  • DT (Detect Time) ((T3Z3)-T3)/4
  • If DT CT, then physical
  • If DT FT, then virtual

4
5
17
Pure Software VMEs
  • CPU operation implemented entirely in software
  • Emulated CPU does not have to match physical CPU
  • Portable
  • Can optionally support multiple CPU generations
  • Examples
  • Hydra
  • Bochs
  • QEMU

18
Pure Software VMEs (Hybrid model)
  • Commonly used by anti-virus software
  • Emulates CPU and partial operating system
  • CPU operation implemented entirely in software
  • Examples
  • Atlantis
  • Sandbox

19
Malicious VMEs (SubVirt)
  • Reduced-privilege guest
  • Installs second operating system
  • Runs on Windows and Linux
  • Carries VirtualPC for Windows
  • Carries VMware for Linux
  • Difficult to detect compromised system

20
Detecting VMware
  • IDT/GDT at high memory address
  • Non-zero LDT
  • Port 5658h
  • Windows registry
  • Video and ROM BIOS text strings
  • Device names
  • MAC address ranges

21
Detecting VirtualPC
  • IDT/GDT at high memory address
  • Non-zero LDT
  • 0F 3F opcode
  • 0F C7 C8 opcode
  • Overly long instruction
  • Device names

22
Detecting Parallels
  • IDT/GDT at high memory address
  • Non-zero LDT
  • Device names

23
Detecting Bochs
  • WB INVD flushes TLBs
  • REP CMPS/SCAS flags
  • CPUID processor name
  • CPUID AMD K7 Easter Egg
  • 32-bit ARPL register corruption
  • 16-bit segment wraparound
  • Device names

24
Attacking Bochs
  • Bochs denial-of-service
  • Floppy with 18 sectors per track
  • Floppy with 512 bytes per sector
  • Non-ring0 SYSENTER CS MSR

25
Detecting Hydra
  • REP MOVS/SCAS integer overflow
  • 16-bit segment wraparound

26
Detecting QEMU
  • CPUID processor name
  • CPUID K7 Easter Egg
  • CMPXCHG8B memory write
  • Double-faulting CPU

27
Detecting Atlantis and Sandbox
  • Unimplemented APIs
  • Incorrectly-emulated APIs
  • Example Beep() in Windows 9x vs Windows NT
  • Unfortunately correct emulation
  • Example not crashing on corrupted WMFs

28
What can we do?
  • Reduced-privilege guests
  • Nothing
  • VirtualPC
  • Intercept SIDT
  • Check for maximum instruction length
  • Remove custom CPUID processor name
  • Bochs, Hydra, QEMU
  • Bug fixes
  • Full stealth should be possible

29
Questions?
  • Thank you.
  • e-mail peter_ferrie_at_symantec.com
Write a Comment
User Comments (0)
About PowerShow.com