1. Hardware-assisted Virtual Machine (a.k.a. somma) fixbrain@gmail.com

2. Virtualization system utilization management cost consolidation isolation trusted environment resource aggregation GRID system MPP (Massively Parallel Processing)resource access control mobility emulation

3. History 1960 1970 1999 2006 CP-40, IBM, Cambridge Scientific Center full virtualization System/370, IBM x86 virtualization, VMWare application virtualization (application streaming) x86,x64, ARM, Storage, Network VMWare, Virtual Box, Xen OpenStack, CloudStack, Amazon, Google

4. Virtualization techniques Shared Device Memory and I/O Virtualization VMM CPU CPU MEMORY Physical H/W Control Guest OS Guest OS physical h/w virtualized h/w VMM must - support same hardware interface - can control guest OS when accessing H/W resources.

5. Virtualization techniques Full Virtualization - No OS modification - Binary translation, Trace cache, - VMware ESX server Para Virtualization - Need OS modification - Hypercall - Xen Direct execution eflags, control registers, MSR registers, port I/O, privileged instructions,

6. HVM (Hardware-assisted Virtual Machine) Virtualize CPU - AMD-V , VT-x IOMMU - AMD-Vi, VT-d Network - VT-c VMX operation VMX root operation VMX non-root operation

7. HVM (Hardware-assisted Virtual Machine)

8. HVM new instructions

9. HVM instruction execution order VMXON VMCLEAR VMPTRLD VMWRITE VMLAUNCH GUEST Exit VMREAD VMRESUME VMXOFF

10. HVM data VMXON Region - created per logical processor - used by VMX instructions VMCS Region - created per virtual CPU for guest OS - used by CPU and VMM - 4Kb aligned - PHYSICAL_ADDRESS == typedef LARGE_INTEGER -

11. HVM VMM programming summary check VMX support allocate VMXON region execute VMXON allocate VMCS regionexecute VMCLEARexecute VMPTRLD initialize VMCS data host-state area fields VM-exit control fields VM-entry control fields VM-execution control fields guest-state area fields execute VMLAUNCH handling various VM-exits

12. HVM VMCS data organization #1 Guest state fields - saved on VM exits, loaded on VM entries #2 Host state fields - loaded on VM exits #3 Execution control fields - control VMX-non root operations #4 Exit control fields - control VM exits #5 Entry control fields - control VM entries #6 VM Exit info - saved VM exits information on VM exits pin-based controls processor-based controls exception-bitmap address I/O bitmap address Timestamp counter offset CR0/CR4 guest/host masks CR3 targets MSR bitmaps

13. HVM VMCS data organization

14. HVM accessing VMCS data VMWRITE VMREAD virtual address / physical address READ virtual address / physical address WRITE

15. HVM accessing VMCS data

16. HVM accessing VMCS data

17. HVM initialize and run VMM

18. HVM handling VM exits #6 VM Exit info

19. HVM handling VM exits

20. Q & A

21. HVM Blue Pill

22. HVM related works Hypersight - Northsecuritylabs( http://northsecuritylabs.com/ ) - 2011 McAfee DeepSAFE Microsoft - Countering Kernel Rootkits with Lightweight Hook Protection

23. HVM related works HyperDbg - SoftIce - HVM

24. DEMO & Q & A