SlideShare a Scribd company logo

Back to the Future: A Radical Insecure Design of KVM on ARM

Priyanka Aash
Priyanka Aash

In ARM there are certain instructions that generates exception. Such instructions are typically executed to request a service from software that runs at a higher privilege level. From the OS kernel (EL1), software can call the Hypervisor (EL2) with the HVC instruction. The KVM Hypervisor is part of the Linux kernel and by default it is enabled on all supported ARM system. In ARM architecture KVM is implemented through split-mode virtualization and runs across different privileged CPU modes. This talk will discuss about the design and a security issue in a way Linux kernel initializes the KVM Hypervisor. An attacker having access to host EL1 can execute code in EL2. This security issue can be exploited by an attacker to install a Hypervisor root kit on ARM system.

Technology
1 of 18
Download to read offline
Back To The Future: A Radical Insecure Design of KVM on ARM Baibhav Singh Rahul Kashyap B. Sing - SRA 1
• Samsung Research America • Actively working on ARM system security *The opinion present are my own and not necessarily represent the opinion of my employer Introduction B. Sing - SRA 2
• Found this issue while doing some hypervisors research • On 25 Jan 2018, reported to Red Hat Product Security team Secalert@redhat.com provided detail report with exploit code • Multiple mail exchange to help them understand the problem • Still is not fixed • Decided to submit a BH paper (Thanks to Rahul, Michael Grace) • Thanks to BH for providing the platform Background B. Singh - SRA 3
ARM v8-A Architecture HVC HVC HVC Handler B. Singh - SRA 4
Exception Vector TableB. Sing - SRA 5 VBAR_EL2HVC 0x400 +
ARM Hypervisor executes in EL2 TYPE 1 • Bare Metal Hypervisor • Host is considered as VM • XEN is type 1 and runs in EL2 TYPE 2 • Hypervisor is extension of Host Kernel • Host is not considered as VM • KVM is type 2 and runs partial in EL2 ARM - Hypervisor B. Singh - SRA 6
Linux Start EL==2 1. Updates VBAR_EL2 to Install STUB Vector Table as EL2 Exception Vector Table 2. Switches back to EL1 Normal Boot Flow YES No Linux and KVM B. Singh - SRA 7
Handler in case HVC originating from 64 bit Kernel VBAR_EL2 Stub Vector Table Filename : linuxarcharm64kernelhyp- stub.s B. Sing - SRA 8
Checks if register X0 == 0 Updates VBAR_EL2 Stub HVC Handler Filename : linuxarcharm64kernelhyp-stub.s B. Singh - SRA 9
B. Singh - SRA 10 Linux Start STUB VECTOR TABLE CMD == HVC_SET_VECTO R KVM VECTOR TABLE VBAR_EL2 State Diagram 1
Filename : linuxarcharm64kernelhyp-entry.s Checks if HVC is from Host Checks if register x0 < 3 Calls _kvm_handle_stub_hvc KVM HVC Handler B. Singh - SRA 11
Checks register X0 == 2 Disables EL2 MMU Back to Stub Vector Filename : linuxarcharm64kvmhyphyp-entry.s KVM HVC Handler B. Singh - SRA 12
B. Singh - SRA 13 Linux Start STUB VECTOR TABLE CMD == HVC_SET_VECTO R KVM VECTOR TABLE HVC == HOST && CMD == HVC_RESET_VEC TOR VBAR_EL2 Attackers Vector Table State Diagram 2
X0 =2 ; //HVC_RESET_VECTORS KVM Vector TableStub Vector Table 1. Allocate physical continuous memory 2. Embed shellcode at an offset 0x400 (Exception handler) 3. Set X0 = 0 //HVC_SET_VECTOR 4. Set X1 = physical address of buffer Attacker Allocated Buffer Disables MMU Installs Installs HVC HVC HVC EL2 Shellcode Host EL1 EL2 Exploitation B. Singh - SRA 14
KVM Team Response “You're on the host, and you can break KVMby inserting a rogue kernel module. Big deal. You can also blast the page tables, corrupt file systems, and make sure the box is on fire” KVM Threat Model Assumption : HOST.EL1 == EL2 Security hole in privilege isolation boundary Host kernel compromise is End of the Game ! Real World : EL1 != EL2 For Attacker Beginning of a New Game.… J Attacker can exploit this issue to gain more privilege and will migrate to EL2 • Launch attack from isolated and unreachable memory. • Can configure EL2 to get code execution from various different places • A generic way to bypass security implemented in the kernel (LKRG),by escaping to EL2 • Attack the secure monitoring running in hypervisor mode • Gives attacker opportunity for Blue Pill for KVM on ARM Juicy target for attacker to perform highly sophisticated and stealthy attack B. Singh - SRA 15
Potentially bigger impact for mobile and IoT •Most of them are ARM based •Chances are high that it will boot in EL2 •Single Kernel Device (More Attack Surface) Affected Architecture: ARM v7-A and ARM v8-A with hardware virtualization Impact B. Singh - SRA 16
Mitigation My two cents… You’re likely vulnerable to this attack. Patch the system by making sure Linux starts in EL1 B. Singh - SRA 17
• https://static.docs.arm.com/ddi0487/ca/DDI0487C_a_armv8_arm.pd f • https://developer.arm.com/products/architecture/a- profile/docs/100942/latest/hypervisor-software • https://dl.acm.org/citation.cfm?id=2541946 • http://www.cs.columbia.edu/~cdall/pubs/atc17-dall.pdf • http://www.cs.columbia.edu/~cdall/pubs/sosp2017-neve.pdf • https://lwn.net/Articles/557132/ • http://lia.disi.unibo.it/Courses/som1516/materiale/VOSYS_BolognaK VMARM_2_12_2015.pdf Reference B. Singh - SRA 18

Recommended

HKG15-400: Next steps in KVM enablement on ARM
HKG15-400: Next steps in KVM enablement on ARMHKG15-400: Next steps in KVM enablement on ARM
HKG15-400: Next steps in KVM enablement on ARMLinaro
 
SFO15-407: Performance Overhead of ARM Virtualization
SFO15-407: Performance Overhead of ARM VirtualizationSFO15-407: Performance Overhead of ARM Virtualization
SFO15-407: Performance Overhead of ARM VirtualizationLinaro
 
BKK16-504 Running Linux in EL2 Virtualization
BKK16-504 Running Linux in EL2 VirtualizationBKK16-504 Running Linux in EL2 Virtualization
BKK16-504 Running Linux in EL2 VirtualizationLinaro
 
XPDDS18: Design Session - SGX deep dive and SGX Virtualization Discussion, Ka...
XPDDS18: Design Session - SGX deep dive and SGX Virtualization Discussion, Ka...XPDDS18: Design Session - SGX deep dive and SGX Virtualization Discussion, Ka...
XPDDS18: Design Session - SGX deep dive and SGX Virtualization Discussion, Ka...The Linux Foundation
 
MOVED: Optimizing the Design and Implementation of KVM/ARM - SFO17-403
MOVED: Optimizing the Design and Implementation of KVM/ARM - SFO17-403MOVED: Optimizing the Design and Implementation of KVM/ARM - SFO17-403
MOVED: Optimizing the Design and Implementation of KVM/ARM - SFO17-403Linaro
 
XPDDS18: The Evolution of Virtualization in the Arm Architecture - Julien Gra...
XPDDS18: The Evolution of Virtualization in the Arm Architecture - Julien Gra...XPDDS18: The Evolution of Virtualization in the Arm Architecture - Julien Gra...
XPDDS18: The Evolution of Virtualization in the Arm Architecture - Julien Gra...The Linux Foundation
 
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, Citrix
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, CitrixLCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, Citrix
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, CitrixThe Linux Foundation
 
LCC17 - Live Patching, Virtual Machine Introspection and Vulnerability Manag...
LCC17 - Live Patching, Virtual Machine Introspection and Vulnerability Manag...LCC17 - Live Patching, Virtual Machine Introspection and Vulnerability Manag...
LCC17 - Live Patching, Virtual Machine Introspection and Vulnerability Manag...The Linux Foundation
 

Recommended

HKG15-400: Next steps in KVM enablement on ARM
HKG15-400: Next steps in KVM enablement on ARMHKG15-400: Next steps in KVM enablement on ARM
HKG15-400: Next steps in KVM enablement on ARMLinaro
 
SFO15-407: Performance Overhead of ARM Virtualization
SFO15-407: Performance Overhead of ARM VirtualizationSFO15-407: Performance Overhead of ARM Virtualization
SFO15-407: Performance Overhead of ARM VirtualizationLinaro
 
BKK16-504 Running Linux in EL2 Virtualization
BKK16-504 Running Linux in EL2 VirtualizationBKK16-504 Running Linux in EL2 Virtualization
BKK16-504 Running Linux in EL2 VirtualizationLinaro
 
XPDDS18: Design Session - SGX deep dive and SGX Virtualization Discussion, Ka...
XPDDS18: Design Session - SGX deep dive and SGX Virtualization Discussion, Ka...XPDDS18: Design Session - SGX deep dive and SGX Virtualization Discussion, Ka...
XPDDS18: Design Session - SGX deep dive and SGX Virtualization Discussion, Ka...The Linux Foundation
 
MOVED: Optimizing the Design and Implementation of KVM/ARM - SFO17-403
MOVED: Optimizing the Design and Implementation of KVM/ARM - SFO17-403MOVED: Optimizing the Design and Implementation of KVM/ARM - SFO17-403
MOVED: Optimizing the Design and Implementation of KVM/ARM - SFO17-403Linaro
 
XPDDS18: The Evolution of Virtualization in the Arm Architecture - Julien Gra...
XPDDS18: The Evolution of Virtualization in the Arm Architecture - Julien Gra...XPDDS18: The Evolution of Virtualization in the Arm Architecture - Julien Gra...
XPDDS18: The Evolution of Virtualization in the Arm Architecture - Julien Gra...The Linux Foundation
 
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, Citrix
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, CitrixLCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, Citrix
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, CitrixThe Linux Foundation
 
LCC17 - Live Patching, Virtual Machine Introspection and Vulnerability Manag...
LCC17 - Live Patching, Virtual Machine Introspection and Vulnerability Manag...LCC17 - Live Patching, Virtual Machine Introspection and Vulnerability Manag...
LCC17 - Live Patching, Virtual Machine Introspection and Vulnerability Manag...The Linux Foundation
 
A Comprehensive Implementation and Evaluation of Direct Interrupt Delivery
A Comprehensive Implementation and Evaluation of Direct Interrupt DeliveryA Comprehensive Implementation and Evaluation of Direct Interrupt Delivery
A Comprehensive Implementation and Evaluation of Direct Interrupt DeliveryCheng-Chun William Tu
 
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, IntelXPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, IntelThe Linux Foundation
 
When virtualization encounters afl blackhat eu2016--1.4
When virtualization encounters afl blackhat eu2016--1.4When virtualization encounters afl blackhat eu2016--1.4
When virtualization encounters afl blackhat eu2016--1.4月锋 李
 
XenSummit NA 2012: Xen on ARM Cortex A15
XenSummit NA 2012: Xen on ARM Cortex A15XenSummit NA 2012: Xen on ARM Cortex A15
XenSummit NA 2012: Xen on ARM Cortex A15The Linux Foundation
 
Hardware accelerated Virtualization in the ARM Cortex™ Processors
Hardware accelerated Virtualization in the ARM Cortex™ ProcessorsHardware accelerated Virtualization in the ARM Cortex™ Processors
Hardware accelerated Virtualization in the ARM Cortex™ ProcessorsThe Linux Foundation
 
淺談 Live patching technology
淺談 Live patching technology淺談 Live patching technology
淺談 Live patching technologySZ Lin
 
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...The Linux Foundation
 
XPDDS18: Xen Testing at Intel - Xudong Hao, Intel
XPDDS18: Xen Testing at Intel - Xudong Hao, IntelXPDDS18: Xen Testing at Intel - Xudong Hao, Intel
XPDDS18: Xen Testing at Intel - Xudong Hao, IntelThe Linux Foundation
 
Oracle Enterprise manager SNMP and Exadata
Oracle Enterprise manager SNMP and ExadataOracle Enterprise manager SNMP and Exadata
Oracle Enterprise manager SNMP and ExadataMike Chafin
 
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...The Linux Foundation
 
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CanSecWest
 
Xen Project 15 Years down the Line
Xen Project 15 Years down the LineXen Project 15 Years down the Line
Xen Project 15 Years down the LineThe Linux Foundation
 
Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018The Linux Foundation
 
LCU13: An Introduction to ARM Trusted Firmware
LCU13: An Introduction to ARM Trusted FirmwareLCU13: An Introduction to ARM Trusted Firmware
LCU13: An Introduction to ARM Trusted FirmwareLinaro
 
LFNW2014 Advanced Security Features of Xen Project Hypervisor
LFNW2014 Advanced Security Features of Xen Project HypervisorLFNW2014 Advanced Security Features of Xen Project Hypervisor
LFNW2014 Advanced Security Features of Xen Project HypervisorThe Linux Foundation
 
ARM Architecture-based System Virtualization: Xen ARM open source software pr...
ARM Architecture-based System Virtualization: Xen ARM open source software pr...ARM Architecture-based System Virtualization: Xen ARM open source software pr...
ARM Architecture-based System Virtualization: Xen ARM open source software pr...The Linux Foundation
 
ALSS14: Xen Project Automotive Hypervisor (Demo)
ALSS14: Xen Project Automotive Hypervisor (Demo)ALSS14: Xen Project Automotive Hypervisor (Demo)
ALSS14: Xen Project Automotive Hypervisor (Demo)The Linux Foundation
 
”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016Kuniyasu Suzaki
 
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...The Linux Foundation
 
Q2.12: Power Management Across OSs
Q2.12: Power Management Across OSsQ2.12: Power Management Across OSs
Q2.12: Power Management Across OSsLinaro
 
Secure Containers with EPT Isolation
Secure Containers with EPT IsolationSecure Containers with EPT Isolation
Secure Containers with EPT IsolationLinuxCon ContainerCon CloudOpen China
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfStefano Stabellini
 

More Related Content

What's hot

A Comprehensive Implementation and Evaluation of Direct Interrupt Delivery
A Comprehensive Implementation and Evaluation of Direct Interrupt DeliveryA Comprehensive Implementation and Evaluation of Direct Interrupt Delivery
A Comprehensive Implementation and Evaluation of Direct Interrupt DeliveryCheng-Chun William Tu
 
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, IntelXPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, IntelThe Linux Foundation
 
When virtualization encounters afl blackhat eu2016--1.4
When virtualization encounters afl blackhat eu2016--1.4When virtualization encounters afl blackhat eu2016--1.4
When virtualization encounters afl blackhat eu2016--1.4月锋 李
 
XenSummit NA 2012: Xen on ARM Cortex A15
XenSummit NA 2012: Xen on ARM Cortex A15XenSummit NA 2012: Xen on ARM Cortex A15
XenSummit NA 2012: Xen on ARM Cortex A15The Linux Foundation
 
Hardware accelerated Virtualization in the ARM Cortex™ Processors
Hardware accelerated Virtualization in the ARM Cortex™ ProcessorsHardware accelerated Virtualization in the ARM Cortex™ Processors
Hardware accelerated Virtualization in the ARM Cortex™ ProcessorsThe Linux Foundation
 
淺談 Live patching technology
淺談 Live patching technology淺談 Live patching technology
淺談 Live patching technologySZ Lin
 
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...The Linux Foundation
 
XPDDS18: Xen Testing at Intel - Xudong Hao, Intel
XPDDS18: Xen Testing at Intel - Xudong Hao, IntelXPDDS18: Xen Testing at Intel - Xudong Hao, Intel
XPDDS18: Xen Testing at Intel - Xudong Hao, IntelThe Linux Foundation
 
Oracle Enterprise manager SNMP and Exadata
Oracle Enterprise manager SNMP and ExadataOracle Enterprise manager SNMP and Exadata
Oracle Enterprise manager SNMP and ExadataMike Chafin
 
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...The Linux Foundation
 
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CanSecWest
 
Xen Project 15 Years down the Line
Xen Project 15 Years down the LineXen Project 15 Years down the Line
Xen Project 15 Years down the LineThe Linux Foundation
 
Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018The Linux Foundation
 
LCU13: An Introduction to ARM Trusted Firmware
LCU13: An Introduction to ARM Trusted FirmwareLCU13: An Introduction to ARM Trusted Firmware
LCU13: An Introduction to ARM Trusted FirmwareLinaro
 
LFNW2014 Advanced Security Features of Xen Project Hypervisor
LFNW2014 Advanced Security Features of Xen Project HypervisorLFNW2014 Advanced Security Features of Xen Project Hypervisor
LFNW2014 Advanced Security Features of Xen Project HypervisorThe Linux Foundation
 
ARM Architecture-based System Virtualization: Xen ARM open source software pr...
ARM Architecture-based System Virtualization: Xen ARM open source software pr...ARM Architecture-based System Virtualization: Xen ARM open source software pr...
ARM Architecture-based System Virtualization: Xen ARM open source software pr...The Linux Foundation
 
ALSS14: Xen Project Automotive Hypervisor (Demo)
ALSS14: Xen Project Automotive Hypervisor (Demo)ALSS14: Xen Project Automotive Hypervisor (Demo)
ALSS14: Xen Project Automotive Hypervisor (Demo)The Linux Foundation
 
”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016Kuniyasu Suzaki
 
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...The Linux Foundation
 
Q2.12: Power Management Across OSs
Q2.12: Power Management Across OSsQ2.12: Power Management Across OSs
Q2.12: Power Management Across OSsLinaro
 

What's hot (20)

A Comprehensive Implementation and Evaluation of Direct Interrupt Delivery
A Comprehensive Implementation and Evaluation of Direct Interrupt DeliveryA Comprehensive Implementation and Evaluation of Direct Interrupt Delivery
A Comprehensive Implementation and Evaluation of Direct Interrupt Delivery
 
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, IntelXPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
 
When virtualization encounters afl blackhat eu2016--1.4
When virtualization encounters afl blackhat eu2016--1.4When virtualization encounters afl blackhat eu2016--1.4
When virtualization encounters afl blackhat eu2016--1.4
 
XenSummit NA 2012: Xen on ARM Cortex A15
XenSummit NA 2012: Xen on ARM Cortex A15XenSummit NA 2012: Xen on ARM Cortex A15
XenSummit NA 2012: Xen on ARM Cortex A15
 
Hardware accelerated Virtualization in the ARM Cortex™ Processors
Hardware accelerated Virtualization in the ARM Cortex™ ProcessorsHardware accelerated Virtualization in the ARM Cortex™ Processors
Hardware accelerated Virtualization in the ARM Cortex™ Processors
 
淺談 Live patching technology
淺談 Live patching technology淺談 Live patching technology
淺談 Live patching technology
 
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
 
XPDDS18: Xen Testing at Intel - Xudong Hao, Intel
XPDDS18: Xen Testing at Intel - Xudong Hao, IntelXPDDS18: Xen Testing at Intel - Xudong Hao, Intel
XPDDS18: Xen Testing at Intel - Xudong Hao, Intel
 
Oracle Enterprise manager SNMP and Exadata
Oracle Enterprise manager SNMP and ExadataOracle Enterprise manager SNMP and Exadata
Oracle Enterprise manager SNMP and Exadata
 
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
 
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
 
Xen Project 15 Years down the Line
Xen Project 15 Years down the LineXen Project 15 Years down the Line
Xen Project 15 Years down the Line
 
Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018
 
LCU13: An Introduction to ARM Trusted Firmware
LCU13: An Introduction to ARM Trusted FirmwareLCU13: An Introduction to ARM Trusted Firmware
LCU13: An Introduction to ARM Trusted Firmware
 
LFNW2014 Advanced Security Features of Xen Project Hypervisor
LFNW2014 Advanced Security Features of Xen Project HypervisorLFNW2014 Advanced Security Features of Xen Project Hypervisor
LFNW2014 Advanced Security Features of Xen Project Hypervisor
 
ARM Architecture-based System Virtualization: Xen ARM open source software pr...
ARM Architecture-based System Virtualization: Xen ARM open source software pr...ARM Architecture-based System Virtualization: Xen ARM open source software pr...
ARM Architecture-based System Virtualization: Xen ARM open source software pr...
 
ALSS14: Xen Project Automotive Hypervisor (Demo)
ALSS14: Xen Project Automotive Hypervisor (Demo)ALSS14: Xen Project Automotive Hypervisor (Demo)
ALSS14: Xen Project Automotive Hypervisor (Demo)
 
”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016
 
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
 
Q2.12: Power Management Across OSs
Q2.12: Power Management Across OSsQ2.12: Power Management Across OSs
Q2.12: Power Management Across OSs
 

Similar to Back to the Future: A Radical Insecure Design of KVM on ARM

Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfStefano Stabellini
 
Static partitioning virtualization on RISC-V
Static partitioning virtualization on RISC-VStatic partitioning virtualization on RISC-V
Static partitioning virtualization on RISC-VRISC-V International
 
Gernot heiser unsw sydney and se l4 foundation
Gernot heiser unsw sydney and se l4 foundationGernot heiser unsw sydney and se l4 foundation
Gernot heiser unsw sydney and se l4 foundationRISC-V International
 
KVM/ARM Nested Virtualization Support and Performance - SFO17-410
KVM/ARM Nested Virtualization Support and Performance - SFO17-410KVM/ARM Nested Virtualization Support and Performance - SFO17-410
KVM/ARM Nested Virtualization Support and Performance - SFO17-410Linaro
 
HAVOC-Workshop-Slides.pptx
HAVOC-Workshop-Slides.pptxHAVOC-Workshop-Slides.pptx
HAVOC-Workshop-Slides.pptxseed4mexyz
 
State of virtualisation -- 2012
State of virtualisation -- 2012State of virtualisation -- 2012
State of virtualisation -- 2012Jonathan Sinclair
 
Virtunoid: Breaking out of KVM
Virtunoid: Breaking out of KVMVirtunoid: Breaking out of KVM
Virtunoid: Breaking out of KVMNelson Elhage
 
Citi TechTalk Session 2: Kafka Deep Dive
Citi TechTalk Session 2: Kafka Deep DiveCiti TechTalk Session 2: Kafka Deep Dive
Citi TechTalk Session 2: Kafka Deep Diveconfluent
 
Linaro connect : Introduction to Xen on ARM
Linaro connect : Introduction to Xen on ARMLinaro connect : Introduction to Xen on ARM
Linaro connect : Introduction to Xen on ARMThe Linux Foundation
 
Using SoC Vendor HALs in the Zephyr Project - SFO17-112
Using SoC Vendor HALs in the Zephyr Project - SFO17-112Using SoC Vendor HALs in the Zephyr Project - SFO17-112
Using SoC Vendor HALs in the Zephyr Project - SFO17-112Linaro
 
Azure Day Rome Reloaded 2019 - Deconstructing Kubernetes using AKS
Azure Day Rome Reloaded 2019 - Deconstructing Kubernetes using AKSAzure Day Rome Reloaded 2019 - Deconstructing Kubernetes using AKS
Azure Day Rome Reloaded 2019 - Deconstructing Kubernetes using AKSazuredayit
 
Kernel Recipes 2016 - New hwmon device registration API - Jean Delvare
Kernel Recipes 2016 - New hwmon device registration API - Jean DelvareKernel Recipes 2016 - New hwmon device registration API - Jean Delvare
Kernel Recipes 2016 - New hwmon device registration API - Jean DelvareAnne Nicolas
 
LAS16-500: The Rise and Fall of Assembler and the VGIC from Hell
LAS16-500: The Rise and Fall of Assembler and the VGIC from HellLAS16-500: The Rise and Fall of Assembler and the VGIC from Hell
LAS16-500: The Rise and Fall of Assembler and the VGIC from HellLinaro
 
KARMA: Adaptive Android Kernel Live Patching
KARMA: Adaptive Android Kernel Live PatchingKARMA: Adaptive Android Kernel Live Patching
KARMA: Adaptive Android Kernel Live PatchingYue Chen
 
Optimizing the Design and Implementation of KVM/ARM - SFO17-403
Optimizing the Design and Implementation of KVM/ARM - SFO17-403Optimizing the Design and Implementation of KVM/ARM - SFO17-403
Optimizing the Design and Implementation of KVM/ARM - SFO17-403Linaro
 
Implementing SR-IOv failover for Windows guests during live migration
Implementing SR-IOv failover for Windows guests during live migrationImplementing SR-IOv failover for Windows guests during live migration
Implementing SR-IOv failover for Windows guests during live migrationYan Vugenfirer
 
Bridging the Semantic Gap in Virtualized Environment
Bridging the Semantic Gap in Virtualized EnvironmentBridging the Semantic Gap in Virtualized Environment
Bridging the Semantic Gap in Virtualized EnvironmentAndy Lee
 

Similar to Back to the Future: A Radical Insecure Design of KVM on ARM (20)

Secure Containers with EPT Isolation
Secure Containers with EPT IsolationSecure Containers with EPT Isolation
Secure Containers with EPT Isolation
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
 
Static partitioning virtualization on RISC-V
Static partitioning virtualization on RISC-VStatic partitioning virtualization on RISC-V
Static partitioning virtualization on RISC-V
 
Gernot heiser unsw sydney and se l4 foundation
Gernot heiser unsw sydney and se l4 foundationGernot heiser unsw sydney and se l4 foundation
Gernot heiser unsw sydney and se l4 foundation
 
KVM/ARM Nested Virtualization Support and Performance - SFO17-410
KVM/ARM Nested Virtualization Support and Performance - SFO17-410KVM/ARM Nested Virtualization Support and Performance - SFO17-410
KVM/ARM Nested Virtualization Support and Performance - SFO17-410
 
HAVOC-Workshop-Slides.pptx
HAVOC-Workshop-Slides.pptxHAVOC-Workshop-Slides.pptx
HAVOC-Workshop-Slides.pptx
 
5 kvm arm
5 kvm arm5 kvm arm
5 kvm arm
 
State of virtualisation -- 2012
State of virtualisation -- 2012State of virtualisation -- 2012
State of virtualisation -- 2012
 
Virtunoid: Breaking out of KVM
Virtunoid: Breaking out of KVMVirtunoid: Breaking out of KVM
Virtunoid: Breaking out of KVM
 
Citi TechTalk Session 2: Kafka Deep Dive
Citi TechTalk Session 2: Kafka Deep DiveCiti TechTalk Session 2: Kafka Deep Dive
Citi TechTalk Session 2: Kafka Deep Dive
 
Linaro connect : Introduction to Xen on ARM
Linaro connect : Introduction to Xen on ARMLinaro connect : Introduction to Xen on ARM
Linaro connect : Introduction to Xen on ARM
 
Using SoC Vendor HALs in the Zephyr Project - SFO17-112
Using SoC Vendor HALs in the Zephyr Project - SFO17-112Using SoC Vendor HALs in the Zephyr Project - SFO17-112
Using SoC Vendor HALs in the Zephyr Project - SFO17-112
 
Azure Day Rome Reloaded 2019 - Deconstructing Kubernetes using AKS
Azure Day Rome Reloaded 2019 - Deconstructing Kubernetes using AKSAzure Day Rome Reloaded 2019 - Deconstructing Kubernetes using AKS
Azure Day Rome Reloaded 2019 - Deconstructing Kubernetes using AKS
 
Kernel Recipes 2016 - New hwmon device registration API - Jean Delvare
Kernel Recipes 2016 - New hwmon device registration API - Jean DelvareKernel Recipes 2016 - New hwmon device registration API - Jean Delvare
Kernel Recipes 2016 - New hwmon device registration API - Jean Delvare
 
LAS16-500: The Rise and Fall of Assembler and the VGIC from Hell
LAS16-500: The Rise and Fall of Assembler and the VGIC from HellLAS16-500: The Rise and Fall of Assembler and the VGIC from Hell
LAS16-500: The Rise and Fall of Assembler and the VGIC from Hell
 
KARMA: Adaptive Android Kernel Live Patching
KARMA: Adaptive Android Kernel Live PatchingKARMA: Adaptive Android Kernel Live Patching
KARMA: Adaptive Android Kernel Live Patching
 
Optimizing the Design and Implementation of KVM/ARM - SFO17-403
Optimizing the Design and Implementation of KVM/ARM - SFO17-403Optimizing the Design and Implementation of KVM/ARM - SFO17-403
Optimizing the Design and Implementation of KVM/ARM - SFO17-403
 
Implementing SR-IOv failover for Windows guests during live migration
Implementing SR-IOv failover for Windows guests during live migrationImplementing SR-IOv failover for Windows guests during live migration
Implementing SR-IOv failover for Windows guests during live migration
 
17-virtualization.pptx
17-virtualization.pptx17-virtualization.pptx
17-virtualization.pptx
 
Bridging the Semantic Gap in Virtualized Environment
Bridging the Semantic Gap in Virtualized EnvironmentBridging the Semantic Gap in Virtualized Environment
Bridging the Semantic Gap in Virtualized Environment
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

الأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهالأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهMohamed Sweelam
 
Vector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxVector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxjbellis
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxFIDO Alliance
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...panagenda
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxMarkSteadman7
 
Microsoft BitLocker Bypass Attack Method.pdf
Microsoft BitLocker Bypass Attack Method.pdfMicrosoft BitLocker Bypass Attack Method.pdf
Microsoft BitLocker Bypass Attack Method.pdfOverkill Security
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch TuesdayIvanti
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctBrainSell Technologies
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data SciencePaolo Missier
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentationyogeshlabana357357
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!Memoori
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfalexjohnson7307
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfSrushith Repakula
 
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxCyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxMasterG
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard37
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAnitaRaj43
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...FIDO Alliance
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsLeah Henrickson
 
Navigating the Large Language Model choices_Ravi Daparthi
Navigating the Large Language Model choices_Ravi DaparthiNavigating the Large Language Model choices_Ravi Daparthi
Navigating the Large Language Model choices_Ravi DaparthiRaviKumarDaparthi
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxFIDO Alliance
 

Recently uploaded (20)

الأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهالأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهله
 
Vector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxVector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptx
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptx
 
Microsoft BitLocker Bypass Attack Method.pdf
Microsoft BitLocker Bypass Attack Method.pdfMicrosoft BitLocker Bypass Attack Method.pdf
Microsoft BitLocker Bypass Attack Method.pdf
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdf
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxCyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
Navigating the Large Language Model choices_Ravi Daparthi
Navigating the Large Language Model choices_Ravi DaparthiNavigating the Large Language Model choices_Ravi Daparthi
Navigating the Large Language Model choices_Ravi Daparthi
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 

Back to the Future: A Radical Insecure Design of KVM on ARM

  • 1. Back To The Future: A Radical Insecure Design of KVM on ARM Baibhav Singh Rahul Kashyap B. Sing - SRA 1
  • 2. • Samsung Research America • Actively working on ARM system security *The opinion present are my own and not necessarily represent the opinion of my employer Introduction B. Sing - SRA 2
  • 3. • Found this issue while doing some hypervisors research • On 25 Jan 2018, reported to Red Hat Product Security team Secalert@redhat.com provided detail report with exploit code • Multiple mail exchange to help them understand the problem • Still is not fixed • Decided to submit a BH paper (Thanks to Rahul, Michael Grace) • Thanks to BH for providing the platform Background B. Singh - SRA 3
  • 4. ARM v8-A Architecture HVC HVC HVC Handler B. Singh - SRA 4
  • 5. Exception Vector TableB. Sing - SRA 5 VBAR_EL2HVC 0x400 +
  • 6. ARM Hypervisor executes in EL2 TYPE 1 • Bare Metal Hypervisor • Host is considered as VM • XEN is type 1 and runs in EL2 TYPE 2 • Hypervisor is extension of Host Kernel • Host is not considered as VM • KVM is type 2 and runs partial in EL2 ARM - Hypervisor B. Singh - SRA 6
  • 7. Linux Start EL==2 1. Updates VBAR_EL2 to Install STUB Vector Table as EL2 Exception Vector Table 2. Switches back to EL1 Normal Boot Flow YES No Linux and KVM B. Singh - SRA 7
  • 8. Handler in case HVC originating from 64 bit Kernel VBAR_EL2 Stub Vector Table Filename : linuxarcharm64kernelhyp- stub.s B. Sing - SRA 8
  • 9. Checks if register X0 == 0 Updates VBAR_EL2 Stub HVC Handler Filename : linuxarcharm64kernelhyp-stub.s B. Singh - SRA 9
  • 10. B. Singh - SRA 10 Linux Start STUB VECTOR TABLE CMD == HVC_SET_VECTO R KVM VECTOR TABLE VBAR_EL2 State Diagram 1
  • 11. Filename : linuxarcharm64kernelhyp-entry.s Checks if HVC is from Host Checks if register x0 < 3 Calls _kvm_handle_stub_hvc KVM HVC Handler B. Singh - SRA 11
  • 12. Checks register X0 == 2 Disables EL2 MMU Back to Stub Vector Filename : linuxarcharm64kvmhyphyp-entry.s KVM HVC Handler B. Singh - SRA 12
  • 13. B. Singh - SRA 13 Linux Start STUB VECTOR TABLE CMD == HVC_SET_VECTO R KVM VECTOR TABLE HVC == HOST && CMD == HVC_RESET_VEC TOR VBAR_EL2 Attackers Vector Table State Diagram 2
  • 14. X0 =2 ; //HVC_RESET_VECTORS KVM Vector TableStub Vector Table 1. Allocate physical continuous memory 2. Embed shellcode at an offset 0x400 (Exception handler) 3. Set X0 = 0 //HVC_SET_VECTOR 4. Set X1 = physical address of buffer Attacker Allocated Buffer Disables MMU Installs Installs HVC HVC HVC EL2 Shellcode Host EL1 EL2 Exploitation B. Singh - SRA 14
  • 15. KVM Team Response “You're on the host, and you can break KVMby inserting a rogue kernel module. Big deal. You can also blast the page tables, corrupt file systems, and make sure the box is on fire” KVM Threat Model Assumption : HOST.EL1 == EL2 Security hole in privilege isolation boundary Host kernel compromise is End of the Game ! Real World : EL1 != EL2 For Attacker Beginning of a New Game.… J Attacker can exploit this issue to gain more privilege and will migrate to EL2 • Launch attack from isolated and unreachable memory. • Can configure EL2 to get code execution from various different places • A generic way to bypass security implemented in the kernel (LKRG),by escaping to EL2 • Attack the secure monitoring running in hypervisor mode • Gives attacker opportunity for Blue Pill for KVM on ARM Juicy target for attacker to perform highly sophisticated and stealthy attack B. Singh - SRA 15
  • 16. Potentially bigger impact for mobile and IoT •Most of them are ARM based •Chances are high that it will boot in EL2 •Single Kernel Device (More Attack Surface) Affected Architecture: ARM v7-A and ARM v8-A with hardware virtualization Impact B. Singh - SRA 16
  • 17. Mitigation My two cents… You’re likely vulnerable to this attack. Patch the system by making sure Linux starts in EL1 B. Singh - SRA 17
  • 18. • https://static.docs.arm.com/ddi0487/ca/DDI0487C_a_armv8_arm.pd f • https://developer.arm.com/products/architecture/a- profile/docs/100942/latest/hypervisor-software • https://dl.acm.org/citation.cfm?id=2541946 • http://www.cs.columbia.edu/~cdall/pubs/atc17-dall.pdf • http://www.cs.columbia.edu/~cdall/pubs/sosp2017-neve.pdf • https://lwn.net/Articles/557132/ • http://lia.disi.unibo.it/Courses/som1516/materiale/VOSYS_BolognaK VMARM_2_12_2015.pdf Reference B. Singh - SRA 18