TechTalk Abusing The Hypervisor By: Piotr T. Zbiegiel



Description: TechTalk Abusing The Hypervisor. By: Piotr T. Zbiegiel. Introduction. What is a Hypervisor? A Hypervisor is a piece of software that exists between the physical hardware and the virtual machines on a system. It mediates access from the VMs to the underlying hardware. (PowerPoint PPT Presentation)

Page 1: TechTalk Abusing The Hypervisor

TechTalk: Abusing The Hypervisor. By: Piotr T. Zbiegiel

Page 2: TechTalk Abusing The Hypervisor

Introduction

Page 3: TechTalk Abusing The Hypervisor


What is a Hypervisor?

• A Hypervisor is a piece of software that exists between the physical hardware and the virtual machines on a system. It mediates access from the VMs to the underlying hardware.

• Generally two types of hypervisors exist:

• Type 1 – The hypervisor runs directly on the hardware (aka bare metal).

• Type 2 – The system runs a standard operating system and the hypervisor is loaded within the context of that operating system.

• Some hypervisors don’t easily fit into one classification or the other.

[Diagram: Type 1 Hypervisor. Hardware at the bottom, the Hypervisor above it, and two guests on top: VM 1 (OS, App 1, App 2) and VM 2 (OS, App 1, App 2).]

Page 4: TechTalk Abusing The Hypervisor

Physical -> Virtual

• VMs possess virtual components and associated drivers that mirror physical counterparts.

• Displays

• Memory

• Disk

• Network

• These all present potential attack surfaces for exploiting the hypervisor or host operating system.

Page 5: TechTalk Abusing The Hypervisor

New *AND* Improved 0days?

• Before we dive into theoretical (and not so theoretical) hypervisor attacks it pays to talk about Duqu.

• Duqu exploited the font parsing engine in Windows to elevate privileges and execute code.

• Microsoft’s temporary workaround entailed disabling access to the TrueType font DLL.

• But how did the bad guys know to try this vector? Could it be that the font parsing engine had been patched before by Microsoft?

Page 6: TechTalk Abusing The Hypervisor

New *AND* Improved 0days? Cont’d

• Once a vulnerability is discovered in a given piece of software you can bet many more researchers will be looking for similar vulnerabilities elsewhere in the code.

• Depending on how (in)effective a vendor may be at patching, this could lead to numerous related vulnerabilities and attacks being discovered. Variations on a theme, if you will.

Page 7: TechTalk Abusing The Hypervisor

New *AND* Improved 0days? Cont’d

So what does this discussion of Duqu and zero-days have to do with hypervisor security?

It demonstrates two key points we should remember about securing kernels/hypervisors.

1. The less a kernel does the less target area there is to attack. (Why was the Windows kernel parsing fonts?)

2. Previously discovered vulnerabilities may be a good indication of future vulnerabilities. It may be prudent to limit access to modules compromised in the past if at all possible.

Page 8: TechTalk Abusing The Hypervisor

Low-level Intercept

• An attack theory where the malware would shim itself below an operating system, in between the system software and the hardware.

• A malware hypervisor?

• The operating system would have no way to detect the infection since it wouldn’t exist within the universe of the operating system.

Consider that similar malware already exists.

• Kernel-level rootkits can hide from the operating system but are more akin to mind-control parasites that take over the host’s brain.

[Image: Ophiocordyceps unilateralis]

Page 9: TechTalk Abusing The Hypervisor

Virtual CPU & Memory

Page 10: TechTalk Abusing The Hypervisor

KVM breakout? Or Xen vulnerability

Page 11: TechTalk Abusing The Hypervisor

Blue Pill

• In 2006 Joanna Rutkowska debuted new malware that slipped below the target OS and virtualized it.

• Because the malware controlled all access to the underlying hardware it could “lie” to the operating system.

• Kernel-level rootkits previously relied on modifying the kernel in an attempt to hide.

• Blue Pill did not need to modify the operating system and could infect a running system.

• Joanna insisted that this new class of malware was undetectable.

Page 12: TechTalk Abusing The Hypervisor

A Hard Pill to Swallow

• Other security researchers had a problem with Joanna’s claim that the malware was undetectable.

• They claimed detection would be trivial using a timing attack.

• Debate on the subject raged on until the next year when a group of researchers challenged Joanna to a showdown at Black Hat 2007.

Page 13: TechTalk Abusing The Hypervisor

Red vs. Blue (Pills)

• Joanna would secretly install her rootkit on one of two laptops.

• The researchers would then install their detection software and attempt to detect the malware.

• After some wrangling, including Joanna demanding up-front payment for her work on Blue Pill (to the tune of ~$400k)…the challenge never happened.

To date, Blue Pill-type malware has never been detected in the wild.

• Because it doesn’t exist…

• Or because it is so undetectable? (The mystery continues…)

Page 14: TechTalk Abusing The Hypervisor

New Tech?

Page 15: TechTalk Abusing The Hypervisor

Old Attack Surfaces are New

Page 16: TechTalk Abusing The Hypervisor

Network Topology

Page 17: TechTalk Abusing The Hypervisor

Jails, Sandboxes, ???

Page 18: TechTalk Abusing The Hypervisor

Conclusion