SlideShare a Scribd company logo

Breaking hardware enforced security with hypervisors

Priyanka Aash
Priyanka Aash

"Hardware-Enforced Security is touted as the panacea solution to many modern computer security challenges. While certainly adding robust options to the defenders toolset, they are not without their own weaknesses. In this talk we will demonstrate how low-level technologies such as hypervisors can be used to subvert the claims of security made by these mechanisms. Specifically, we will show how a hypervisor rootkit can bypass Intel's Trusted Execution Environment (TXT) DRTM (dynamic root of trust measurement) and capture keys from Intel's AES-NI instructions. These attacks against TXT and AES-NI have never been published before. Trusted computing has had a varied history, to include technologies such as Trusted Execution Technology (TXT), ARM TrustZone, and now Microsoft Isolated User Mode and Intel SGX. All of these technologies attempt to protect user data from privileged processes snooping or controlling execution. These technologies claim that no elevated process, whether kernel based, System Management Mode (SMM) based, or hypervisor based will be able to compromise the user's data and execution.  This presentation will highlight the age-old problem of misconfiguration of Intel TXT by exploiting a machine through the use of another Intel technology, the Type-1 hypervisor (VT-x). Problems with these technologies have surfaced not as design issues but during implementation. Whether there remains a hardware weakness where attestation keys can be compromised, or a software and hardware combination, such as exposed DMA that permits exfiltration, and sometimes modification, of user process memory. This presentation will highlight one of these implementation flaws as exhibited by the open source tBoot project and the underlying Intel TXT technology. Summation will offer defenses against all too often pitfalls when deploying these systems, including proper deployment design using sealed storage, remote attestation, and hardware hardening." (Source: Black Hat USA 2016, Las Vegas)

Technology
1 of 27
Download to read offline
Breaking Hardware-Enforced Security with Hypervisors Joseph Sharkey, Ph.D. Chief Technology Officer / Vice President of Advanced Programs Siege Technologies www.siegetechnologies.com This work was sponsored in part by the Air Force Research Laboratory (AFRL) and Air Force Office of Scientific Research (AFOSR) under contracts FA8750-C-0235, FA9550-11-1-0267, and FA9550-14-C-0019
Presentation Content • Background on modern hardware-enforced security primitives for PC platforms • Compromising Intel TXT with a Hypervisor rootkit • Compromising AES-NI with a Hypervisor rootkit • Implications • Near Term Solutions: What can I do about it?
Trusted Boot (tBoot) tBoot is open source software that makes use of Intel’s TXT • Code written and released by Intel engineers • tBoot is the de facto standard code-base for DRTM leveraging Intel’s TXT extensions – Used by GRUB, Xen, VMWare ESXi, etc. • Launch Control Policies (LCP) handle failed measurement; are settable by system administrator – Halt policy prevents boot on invalid measurement – Continuation policy allows boot, but notifies system of invalid state
Dynamic Root of Trust Measurement (DRTM) • Establishment of trusted environment is delayed until some time after platform has booted – Eliminates the need to trust early boot software, no longer need to reboot to start a chain of trust – Completely remove BIOS & early bootloaders from the Trusted Computing Base • Atomic “measure and launch” operation ensures a clean initial state; TPM stores integrity measurements, and optionally sealed storage and remote attestation • Most popular for PC platforms; addresses challenges of Static Root of Trust approaches – Used by tBoot, Xen, VMWare ESXi, etc DRTM is common across PC/laptop/server platforms and is used by tboot, Xen, Vmware ESXi, etc.
DRTM Implementations Intel’s Trusted Execution Technology (TXT) • A set of hardware extensions and primitives – Safer Mode Extensions (SMX) in the CPU – Chipset support including VT-d, TPM v1.2, LPC Bus v1.1 • Provides a secure way to launch a measured environment – GETSEC[SENTER] instruction is used to atomically reset some chipset, TPM state, halt other cores and execute a trusted code module (SINIT) – SINIT module can then pass execution to a known/trusted kernel AMD’s Secure Virtual Machine (SVM) • Very similar to Intel’s TXT, small differences – SKINIT – “Secure Kernel Initialization” instruction – Chipset extensions and support Intel’s GETSEC Instruction Leaf Functions Intel’s TXT Overview
Trusted Platform Module (TPM) • Platform configuration registers (PCRs) • Hash accumulator used to track system configuration • PCRN’ = SHA-1 (PCRN | Value) • Computationally infeasible to set PCR to a specified value • (ext(A), ext(B)) ≠ (ext(B), ext(A)) • Some registers are used for SRTM (0 - 15 and others DRTM (17 – 23), 16 is a debug PCR • Services provided by the TPM include: • Platform Configuration Registers (PCRs) • Locality based access enforcement • Sealed Storage • Remote Attestation
Trusted Platform Module (TPM) • Sealed Storage – Binds data to system configuration – Secrets can only be accessed when the TPM PCRs are in the proper state • Remote Attestation – Challenge response protocol with nonce to eliminate replay – TPM performs a quote operation (reports PCR values) and signs it with a key held internally (key exchange happens at setup)
Summary of Previously Demonstrated Attacks • Invisible Things Lab, 2009: Malicious SMM [4] – System Management Mode (SMM) code is not included in TXT system measurement; malicious SMM code can subvert the root of trust – Intel has discussed a solution to address SMM in a TXT environment (STM), but does not yet have any commercial implementations available for testing or use in trusted platforms [1]. • Invisible Things Lab, 2009: TXT Chipset Misconfiguration [2] – A misconfiguration in chipset VT-d settings leave MLE vulnerable to DMA attack – Misconfiguration issue was subsequently patched by Intel via an updated sinit software module • Invisible Things Lab, 2011: Vulnerabilities in TXT AC module [5] – Buffer overflow in ACPI DMAR table allows attacker to gain code execution inside the signed executable – Bug was patched by Intel via updated SINIT module release • Johannes Winter, 2009, 2011: TPM hardware attacks – Showed an attacker can monitor [6] and/or manipulate TPM bus communications [3]
SENTER Emulation Attack with Hypervisor Rootkit • Approach: Launch thin hypervisor before tBoot (e.g. via GRUB loader) – Intercept and emulate the GETSEC[SENTER] & other SMX instructions – Intercept and emulate TPM interaction to fake local attestation – Intercept and emulate TXT heap, private memory regions, etc. • Results: Proof of Concept constructed against tBoot – tBoot thinks (and reports) that the system successfully boots into a trusted state – Undermines the security of tBoot DRTM with any policy, including the most restrictive “halt” policy SENTER emulation attack virtualizes the DRTM establishment process, and lies about the state of the system
SENTER Emulation Attack Discussion • Load a custom thin hypervisor rootkit first and then run tBoot inside the virtual machine container – Trap SMX instructions (e.g. GETSEC[SENTER]) • Emulate those instruction's, using the pseudo-code provided by Intel in the Developer’s Manual • Modified as desired of course  – AC module can either be skipped or run in the virtualized environment so the chipset is reinitialized to the specification • Again, modify/filter operations as desired of course  – Shadow memory is used to emulate TPM and provide falsified PCR measurements • No matter what policy tBoot is configured with (since GETSEC[SENTER] isn’t run, any Launch Control Policy can be ignored by the rootkit), it continues to boot and the txt-stat command reports “TXT measured launch: TRUE” – System thinks it is in a trusted state, even though a rogue hypervisor is running underneath the kernel! – Dumping PCR values from within Linux shows the same exact state as when TXT succeeds • Because it isn’t actually talking to the real TPM; it is talking to the hypervisor rootkit virtualized TPM
Should this type of attack succeed? • According to the documentation, NO! – TXT should prevent the launch of a measured environment if a system can not be measured and verified • Intel’s show-case example states that TXT is capable of detecting the presence of a hypervisor rootkit – This is only possible when sealed storage or remote attestation is used – tBoot (written & maintained by Intel developers as a TXT reference implementation) does not use sealed storage or remote attestation out-of-the- box!...it is left for the user to implement 11 * Whitepaper: Evolution of Integrity Checking with Intel® Trusted Execution Technology: an Intel IT Perspective http://www.intel.com/content/dam/doc/white-paper/intel-it-security-trusted-execution-technology-paper.pdf *
Fundamental Problem • DRTM implementations require a single atomic instruction to be executed to initiate the root of trust – How can you trust an untrusted system to execute even 1 single assembly instruction safely? • Both AMD and Intel implementations of DTRM allow a hypervisor to gain execution whenever a guest tries to execute a root-of-trust instructions – This prevents a guest operating system from ousting its underlying hypervisor by setting up an MLE of its own – UNFORTUNATLEY, this design also allows an attacker to setup a thin-hypervisor at boot time and virtualize/emulate all TXT instructions and TPM interactions Fundamental Tradeoff: Allow attacker to kick-out trusted hypervisor by executing GETSEC[SENTER]; OR Provide the mechanisms necessary for hypervisor rootkit to emulated GETSEC[SENTER]
AES-NI Instructions • Improve performance of cryptographic operations by adding support directly into the CPU (more than an order of magnitude faster in some cases!) • Use XMM (128-bit) / YMM (256-bit) CPU registers • Round keys & data are provided directly as a parameter to the instructions XMM/YMM registers provide the round keys as well as the data to encrypt/decrypt Applications using default crypto libraries (e.g. libcrypt & wincrypt) inherently use AES-NI when it is available whether they realize it or not
Compromising AES-NI: Summary • Leverage design features of x86/64 architecture to undermine AES-NI • Hypervisor configures the CPU to generate an exception anytime an AES-NI is executed • Hypervisor catches the exceptions, logs information • This generic approach is not tailored to a specific piece of software, and is not noticeable to the OS Use hypervisor to man-in-the-middle AES-NI operations, extracting both the encryption key as well as plain text data
Inducing VMExits • Unlike GETSEC, the hardware does not directly provide a way to force all AES-NI instructions to trap to the hypervisor – Need to get creative  – All AES-NI instructions use XMM/YMM registers, and can therefore generate “Exceptions Type 4” • Force all AES-NI instructions to trap to the hypervisor – Configure the CPU to trip one of the entries in the table to the right – Set VMCS to route the appropriate exception (#UD or #NM) to the hypervisor – Configure Hypervisor to catch the exception Exceptions Type 4, from the Instruction Set Reference Manual
Inducing VMExits (continued…) CR4.OSXSAVE/ CR4.OSXFXSR • Setting these bits forces all instructions using SSE/AVX to cause exceptions – When both bits are used together ensures legacy SSE instructions and VEX prefix generate traps • Allows the desired events (AES-NI) to be seen by the hypervisor, but also many other instructions – Hypervisor must look at the opcode that causes the trap to filter out which ones are AES-NI and which are not
Detailed Results Discussion Successfully used hypervisor to man-in-the-middle AES-NI operations, extracting both the encryption key as well as plain text Hypervisor Output OpenSSL Output ……… While OpenSSL is encrypting & decrypting data, the hypervisor sees all the cryptographic operations, and readily identifies the key and plain text
AES-NI Interception: What’s the Catch? • The hypervisor is able to extract the keys and grab clear text data in real time in a generic way that isn’t implementation dependent – Surely the hypervisor could also set a breakpoint on specific library functions, but that approach would be more tailored to a specific implementation • BUT…The devil is in the details – Our initial implementation incurs non- negligible performance impact (system is usable, but noticeably slower) – Implementation could be optimized, perhaps with some simplifying assumptions
Who is affected? • A variety of systems – Laptops, desktops, workstations, servers • Especially those relying on TXT for trusted boot & AES-NI for encryption – Cloud computing infrastructure • What if someone compromises the trusted hypervisor (e.g. via VM breakout; or malicious employee, etc.), bypasses the DRTM, and starts sniffing AES-NI operations? They can compromise SSL, VPN, disk encryption, etc. – many of the technologies that are supposed to keep you “safe” in the cloud – Not Operating System specific – these issues are inherent in the architecture and can be realized on any OS
Will I know if I’m affected? • Probably not – Many sysadmins (and even software developers writing the code!) don’t know if they are relying on AES-NI currently • Generally because they rely on library calls and don’t know how the library implementation is done. Most libraries now use AES-NI by default when it is available. – TXT is quite complex; key elements for a single implementation a modern PC platform is defined by nine specifications and encompasses hardware implementations from at least three hardware vendors and eight software components • Staggering complexity leaves the system administrator responsible to make configuration decisions for options that are not completely understood
NEAR-TERM SOLUTIONS: HOW CAN WE PROTECT OURSELVES?
I want to encrypt data in the cloud – is it hopeless?! • Initial experimentation indicates significant performance implications imposed by this hypervisor approach – Could make it less practical for wide-scale use – Although implementation optimizations might be able to overcome this challenge • To be safe, you can always use a software-only implementation of AES (not relying on the AES-NI instructions) to avoid compromise – This would make it harder for a hypervisor rootkit to identify AES operations
Hide in the Noise VS • Hypervisor rootkit has the privilege to see all guest operations, but must somehow find what its looking for within all the bits & bytes of the system (“semantic gap”) – This semantic gap is the biggest challenge for hypervisor rootkits, and we can take advantage of it! Using AES-NIUsing a software AES implementation
Sealed Storage!! • The attack succeeds when sealed storage and remote attestation are not implemented – Attack bypasses a default installation of tBoot that does not leverage sealed storage or remote attestation • There aren’t even optional tBoot configurations to use sealed storage. – There are Linux command line utilities to seal/unseal secrets against the TPM, but you are on your own to script something out using them • CONCLUSION: Sealed storage should not be optional!! – If something unique is locked (sealed) in the TPM, the attacker can lie about PCR state but will ultimately fail to produce the secret value during an unseal operation Sealed storage and remote attestation are the ONLY mechanisms that provide trusted mechanisms to report state
Sealed Storage: Challenges • Even if sealed storage is used, there are some pitfalls to be aware of: – Make sure you don’t rely on a sealed secret that can be predicted or possibly obtained by an attacker at runtime • If so, the attacker can report the predicted/captured value during an emulated TPM unseal operation, without ever actually having had access to the TPM!! – Make sure you extend PCRs after unsealing your secrets • Otherwise an attacker can just re-unseal your secrets at runtime! – Ensure your sealed secret doesn’t stay resident outside of the TPM at runtime – Be careful how you verify the sealed secrets at boot time • EXAMPLE: Use disk encryption, seal the key in the TPM, and assume we are safe if our disk gets mounted properly (if TPM unseal fails we won’t be able to decrypt the disk) • PITFALL: Attacker at runtime can grab the disk key from memory, and then just report it in the right place/time during boot If an attacker can predict or obtain/access your sealed secrets, then they can emulate the unseal operation, bypassing even the protections afforded by sealed storage!!
Sealed storage: Recommendations • You really need to seal a value that is displayed to the user ONLY to verify trusted state during boot – Can be text, a photo, etc. – something the system displays to the user early in the boot process – After the user acknowledges the “secret” (e.g. hits enter to continue) the secrets need to be scrubbed, the PCRs extended, and then the system can continue boot • Remote attestation can be used to accomplish this for a server/headless configuration – Rather than attesting state to the user, state is attested to a remote server – The same process as above should be utilized: Perform attestation, scrub secrets, extend PCRs, continue boot
Thank You! Questions / Comments? References: • [1] http://invisiblethingslab.com/resources/misc09/Quest%20To%20The%20Core%20(public).pdf • [2] http://invisiblethingslab.com/resources/misc09/Another%20TXT%20Attack.pdf • [3] Johannes Winter, “A Hijacker's Guide to the LPC bus”, https://online.tugraz.at/tug_online/voe_main2.getvolltext?pCurrPk=59565 • [4] http://invisiblethingslab.com/resources/misc09/smm_cache_fun.pdf • [5] http://www.invisiblethingslab.com/resources/2011/Attacking_Intel_TXT_via_SINIT_hijacking.pdf • [6] Johannes Winter, “Eavesdropping Trusted Platform Module Communication” Joseph Sharkey @sharkey_joe https://www.linkedin.com/in/joseph-sharkey-45aa0b8

Recommended

Defense
DefenseDefense
DefenseTawfiq Shah
 
Demystifying Secure enclave processor
Demystifying Secure enclave processorDemystifying Secure enclave processor
Demystifying Secure enclave processorPriyanka Aash
 
Txt Introduction
Txt IntroductionTxt Introduction
Txt IntroductionLogic Solutions, Inc.
 
Trusted computing introduction and technical overview
Trusted computing introduction and technical overviewTrusted computing introduction and technical overview
Trusted computing introduction and technical overviewSajid Marwat
 
[Wroclaw #3] Trusted Computing
[Wroclaw #3] Trusted Computing[Wroclaw #3] Trusted Computing
[Wroclaw #3] Trusted ComputingOWASP
 
Trusted Computing Base
Trusted Computing BaseTrusted Computing Base
Trusted Computing BaseVasily Sartakov
 
Trusted Platform Module (TPM)
Trusted Platform Module (TPM)Trusted Platform Module (TPM)
Trusted Platform Module (TPM)k33a
 
Intel Trusted eXecution Technology
Intel Trusted eXecution TechnologyIntel Trusted eXecution Technology
Intel Trusted eXecution TechnologyBibhu Biswal
 

Recommended

Defense
DefenseDefense
DefenseTawfiq Shah
 
Demystifying Secure enclave processor
Demystifying Secure enclave processorDemystifying Secure enclave processor
Demystifying Secure enclave processorPriyanka Aash
 
Txt Introduction
Txt IntroductionTxt Introduction
Txt IntroductionLogic Solutions, Inc.
 
Trusted computing introduction and technical overview
Trusted computing introduction and technical overviewTrusted computing introduction and technical overview
Trusted computing introduction and technical overviewSajid Marwat
 
[Wroclaw #3] Trusted Computing
[Wroclaw #3] Trusted Computing[Wroclaw #3] Trusted Computing
[Wroclaw #3] Trusted ComputingOWASP
 
Trusted Computing Base
Trusted Computing BaseTrusted Computing Base
Trusted Computing BaseVasily Sartakov
 
Trusted Platform Module (TPM)
Trusted Platform Module (TPM)Trusted Platform Module (TPM)
Trusted Platform Module (TPM)k33a
 
Intel Trusted eXecution Technology
Intel Trusted eXecution TechnologyIntel Trusted eXecution Technology
Intel Trusted eXecution TechnologyBibhu Biswal
 
Introduction to Trusted Computing
Introduction to Trusted ComputingIntroduction to Trusted Computing
Introduction to Trusted ComputingMaksim Djackov
 
Integrity Protection for Embedded Systems
Integrity Protection for Embedded SystemsIntegrity Protection for Embedded Systems
Integrity Protection for Embedded SystemsSamsung Open Source Group
 
Security for io t apr 29th mentor embedded hangout
Security for io t apr 29th mentor embedded hangoutSecurity for io t apr 29th mentor embedded hangout
Security for io t apr 29th mentor embedded hangoutmentoresd
 
Digital Rights Management and Trusted Computing Base
Digital Rights Management and Trusted Computing BaseDigital Rights Management and Trusted Computing Base
Digital Rights Management and Trusted Computing BaseSajid Marwat
 
Protecting Data with Short-Lived Encryption Keys and Hardware Root of Trust
Protecting Data with Short-Lived Encryption Keys and Hardware Root of TrustProtecting Data with Short-Lived Encryption Keys and Hardware Root of Trust
Protecting Data with Short-Lived Encryption Keys and Hardware Root of TrustDan Griffin
 
The trusted computing architecture
The trusted computing architectureThe trusted computing architecture
The trusted computing architectureG Prachi
 
”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016Kuniyasu Suzaki
 
LCA14: LCA14-502: The way to a generic TrustZone® solution
LCA14: LCA14-502: The way to a generic TrustZone® solutionLCA14: LCA14-502: The way to a generic TrustZone® solution
LCA14: LCA14-502: The way to a generic TrustZone® solutionLinaro
 
OSMC 2014: Server Hardware Monitoring done right | Werner Fischer
OSMC 2014: Server Hardware Monitoring done right | Werner FischerOSMC 2014: Server Hardware Monitoring done right | Werner Fischer
OSMC 2014: Server Hardware Monitoring done right | Werner FischerNETWAYS
 
Android 5.0 Lollipop platform change investigation report
Android 5.0 Lollipop platform change investigation reportAndroid 5.0 Lollipop platform change investigation report
Android 5.0 Lollipop platform change investigation reporthidenorly
 
Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Byres Security Inc.
 
BUD17-209: Reliability, Availability, and Serviceability (RAS) on ARM64
BUD17-209: Reliability, Availability, and Serviceability (RAS) on ARM64 BUD17-209: Reliability, Availability, and Serviceability (RAS) on ARM64
BUD17-209: Reliability, Availability, and Serviceability (RAS) on ARM64 Linaro
 
Hardware accelerated Virtualization in the ARM Cortex™ Processors
Hardware accelerated Virtualization in the ARM Cortex™ ProcessorsHardware accelerated Virtualization in the ARM Cortex™ Processors
Hardware accelerated Virtualization in the ARM Cortex™ ProcessorsThe Linux Foundation
 
ARM® Cortex™ M Bootup_CMSIS_Part_3_3_Debug_Architecture
ARM® Cortex™ M Bootup_CMSIS_Part_3_3_Debug_ArchitectureARM® Cortex™ M Bootup_CMSIS_Part_3_3_Debug_Architecture
ARM® Cortex™ M Bootup_CMSIS_Part_3_3_Debug_ArchitectureRaahul Raghavan
 
Virtual Machine Introspection with Xen on ARM
Virtual Machine Introspection with Xen on ARMVirtual Machine Introspection with Xen on ARM
Virtual Machine Introspection with Xen on ARMTamas K Lengyel
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723Iftach Ian Amit
 
Device drivers and interrupt service mechanism
Device drivers and interrupt service mechanismDevice drivers and interrupt service mechanism
Device drivers and interrupt service mechanismVijay Kumar
 
Os introduction
Os introductionOs introduction
Os introductionRavi Ramchandani
 
Os introduction
Os introductionOs introduction
Os introductionKanika Garg
 
Reconfigurable trust forembeddedcomputingplatforms
Reconfigurable trust forembeddedcomputingplatformsReconfigurable trust forembeddedcomputingplatforms
Reconfigurable trust forembeddedcomputingplatformsAbdullah Deeb
 
Hardware_root_trust_x86.pptx
Hardware_root_trust_x86.pptxHardware_root_trust_x86.pptx
Hardware_root_trust_x86.pptxAtul Vaish
 
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...The Linux Foundation
 

More Related Content

What's hot

Introduction to Trusted Computing
Introduction to Trusted ComputingIntroduction to Trusted Computing
Introduction to Trusted ComputingMaksim Djackov
 
Security for io t apr 29th mentor embedded hangout
Security for io t apr 29th mentor embedded hangoutSecurity for io t apr 29th mentor embedded hangout
Security for io t apr 29th mentor embedded hangoutmentoresd
 
Digital Rights Management and Trusted Computing Base
Digital Rights Management and Trusted Computing BaseDigital Rights Management and Trusted Computing Base
Digital Rights Management and Trusted Computing BaseSajid Marwat
 
Protecting Data with Short-Lived Encryption Keys and Hardware Root of Trust
Protecting Data with Short-Lived Encryption Keys and Hardware Root of TrustProtecting Data with Short-Lived Encryption Keys and Hardware Root of Trust
Protecting Data with Short-Lived Encryption Keys and Hardware Root of TrustDan Griffin
 
The trusted computing architecture
The trusted computing architectureThe trusted computing architecture
The trusted computing architectureG Prachi
 
”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016Kuniyasu Suzaki
 
LCA14: LCA14-502: The way to a generic TrustZone® solution
LCA14: LCA14-502: The way to a generic TrustZone® solutionLCA14: LCA14-502: The way to a generic TrustZone® solution
LCA14: LCA14-502: The way to a generic TrustZone® solutionLinaro
 
OSMC 2014: Server Hardware Monitoring done right | Werner Fischer
OSMC 2014: Server Hardware Monitoring done right | Werner FischerOSMC 2014: Server Hardware Monitoring done right | Werner Fischer
OSMC 2014: Server Hardware Monitoring done right | Werner FischerNETWAYS
 
Android 5.0 Lollipop platform change investigation report
Android 5.0 Lollipop platform change investigation reportAndroid 5.0 Lollipop platform change investigation report
Android 5.0 Lollipop platform change investigation reporthidenorly
 
Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Byres Security Inc.
 
BUD17-209: Reliability, Availability, and Serviceability (RAS) on ARM64
BUD17-209: Reliability, Availability, and Serviceability (RAS) on ARM64 BUD17-209: Reliability, Availability, and Serviceability (RAS) on ARM64
BUD17-209: Reliability, Availability, and Serviceability (RAS) on ARM64 Linaro
 
Hardware accelerated Virtualization in the ARM Cortex™ Processors
Hardware accelerated Virtualization in the ARM Cortex™ ProcessorsHardware accelerated Virtualization in the ARM Cortex™ Processors
Hardware accelerated Virtualization in the ARM Cortex™ ProcessorsThe Linux Foundation
 
ARM® Cortex™ M Bootup_CMSIS_Part_3_3_Debug_Architecture
ARM® Cortex™ M Bootup_CMSIS_Part_3_3_Debug_ArchitectureARM® Cortex™ M Bootup_CMSIS_Part_3_3_Debug_Architecture
ARM® Cortex™ M Bootup_CMSIS_Part_3_3_Debug_ArchitectureRaahul Raghavan
 
Virtual Machine Introspection with Xen on ARM
Virtual Machine Introspection with Xen on ARMVirtual Machine Introspection with Xen on ARM
Virtual Machine Introspection with Xen on ARMTamas K Lengyel
 
Device drivers and interrupt service mechanism
Device drivers and interrupt service mechanismDevice drivers and interrupt service mechanism
Device drivers and interrupt service mechanismVijay Kumar
 
Reconfigurable trust forembeddedcomputingplatforms
Reconfigurable trust forembeddedcomputingplatformsReconfigurable trust forembeddedcomputingplatforms
Reconfigurable trust forembeddedcomputingplatformsAbdullah Deeb
 

What's hot (20)

Introduction to Trusted Computing
Introduction to Trusted ComputingIntroduction to Trusted Computing
Introduction to Trusted Computing
 
Integrity Protection for Embedded Systems
Integrity Protection for Embedded SystemsIntegrity Protection for Embedded Systems
Integrity Protection for Embedded Systems
 
Security for io t apr 29th mentor embedded hangout
Security for io t apr 29th mentor embedded hangoutSecurity for io t apr 29th mentor embedded hangout
Security for io t apr 29th mentor embedded hangout
 
Digital Rights Management and Trusted Computing Base
Digital Rights Management and Trusted Computing BaseDigital Rights Management and Trusted Computing Base
Digital Rights Management and Trusted Computing Base
 
Protecting Data with Short-Lived Encryption Keys and Hardware Root of Trust
Protecting Data with Short-Lived Encryption Keys and Hardware Root of TrustProtecting Data with Short-Lived Encryption Keys and Hardware Root of Trust
Protecting Data with Short-Lived Encryption Keys and Hardware Root of Trust
 
The trusted computing architecture
The trusted computing architectureThe trusted computing architecture
The trusted computing architecture
 
”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016
 
LCA14: LCA14-502: The way to a generic TrustZone® solution
LCA14: LCA14-502: The way to a generic TrustZone® solutionLCA14: LCA14-502: The way to a generic TrustZone® solution
LCA14: LCA14-502: The way to a generic TrustZone® solution
 
OSMC 2014: Server Hardware Monitoring done right | Werner Fischer
OSMC 2014: Server Hardware Monitoring done right | Werner FischerOSMC 2014: Server Hardware Monitoring done right | Werner Fischer
OSMC 2014: Server Hardware Monitoring done right | Werner Fischer
 
Android 5.0 Lollipop platform change investigation report
Android 5.0 Lollipop platform change investigation reportAndroid 5.0 Lollipop platform change investigation report
Android 5.0 Lollipop platform change investigation report
 
Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2
 
BUD17-209: Reliability, Availability, and Serviceability (RAS) on ARM64
BUD17-209: Reliability, Availability, and Serviceability (RAS) on ARM64 BUD17-209: Reliability, Availability, and Serviceability (RAS) on ARM64
BUD17-209: Reliability, Availability, and Serviceability (RAS) on ARM64
 
Hardware accelerated Virtualization in the ARM Cortex™ Processors
Hardware accelerated Virtualization in the ARM Cortex™ ProcessorsHardware accelerated Virtualization in the ARM Cortex™ Processors
Hardware accelerated Virtualization in the ARM Cortex™ Processors
 
ARM® Cortex™ M Bootup_CMSIS_Part_3_3_Debug_Architecture
ARM® Cortex™ M Bootup_CMSIS_Part_3_3_Debug_ArchitectureARM® Cortex™ M Bootup_CMSIS_Part_3_3_Debug_Architecture
ARM® Cortex™ M Bootup_CMSIS_Part_3_3_Debug_Architecture
 
Virtual Machine Introspection with Xen on ARM
Virtual Machine Introspection with Xen on ARMVirtual Machine Introspection with Xen on ARM
Virtual Machine Introspection with Xen on ARM
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723
 
Device drivers and interrupt service mechanism
Device drivers and interrupt service mechanismDevice drivers and interrupt service mechanism
Device drivers and interrupt service mechanism
 
Os introduction
Os introductionOs introduction
Os introduction
 
Os introduction
Os introductionOs introduction
Os introduction
 
Reconfigurable trust forembeddedcomputingplatforms
Reconfigurable trust forembeddedcomputingplatformsReconfigurable trust forembeddedcomputingplatforms
Reconfigurable trust forembeddedcomputingplatforms
 

Similar to Breaking hardware enforced security with hypervisors

Hardware_root_trust_x86.pptx
Hardware_root_trust_x86.pptxHardware_root_trust_x86.pptx
Hardware_root_trust_x86.pptxAtul Vaish
 
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...The Linux Foundation
 
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...Kuniyasu Suzaki
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CanSecWest
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenTamas K Lengyel
 
Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018The Linux Foundation
 
Secure initialization of Trusted Execution Environments: When Secure Boot fal...
Secure initialization of Trusted Execution Environments: When Secure Boot fal...Secure initialization of Trusted Execution Environments: When Secure Boot fal...
Secure initialization of Trusted Execution Environments: When Secure Boot fal...Riscure
 
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls shortEuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls shortCristofaro Mune
 
Advanced debugging on ARM Cortex devices such as STM32, Kinetis, LPC, etc.
Advanced debugging on ARM Cortex devices such as STM32, Kinetis, LPC, etc.Advanced debugging on ARM Cortex devices such as STM32, Kinetis, LPC, etc.
Advanced debugging on ARM Cortex devices such as STM32, Kinetis, LPC, etc.Atollic
 
Gal Diskin - Virtually Impossible
Gal Diskin - Virtually Impossible Gal Diskin - Virtually Impossible
Gal Diskin - Virtually Impossible DefconRussia
 
Sierraware ARM hypervisor
Sierraware ARM hypervisor Sierraware ARM hypervisor
Sierraware ARM hypervisor Sierraware
 
Intel® QuickAssist Technology Introduction, Applications, and Lab, Including ...
Intel® QuickAssist Technology Introduction, Applications, and Lab, Including ...Intel® QuickAssist Technology Introduction, Applications, and Lab, Including ...
Intel® QuickAssist Technology Introduction, Applications, and Lab, Including ...Michelle Holley
 
Review of Hardware based solutions for trusted cloud computing.pptx
Review of Hardware based solutions for trusted cloud computing.pptxReview of Hardware based solutions for trusted cloud computing.pptx
Review of Hardware based solutions for trusted cloud computing.pptxssusere142fe
 
Platform Security Presentation
Platform Security PresentationPlatform Security Presentation
Platform Security PresentationTyson Key
 
IBM MQ Appliance - Administration simplified
IBM MQ Appliance - Administration simplifiedIBM MQ Appliance - Administration simplified
IBM MQ Appliance - Administration simplifiedAnthony Beardsmore
 
Early Software Development through Palladium Emulation
Early Software Development through Palladium EmulationEarly Software Development through Palladium Emulation
Early Software Development through Palladium EmulationRaghav Nayak
 
Secure IOT Gateway
Secure IOT GatewaySecure IOT Gateway
Secure IOT GatewayLF Events
 
Cisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening GuideCisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening GuideHarris Andrea
 

Similar to Breaking hardware enforced security with hypervisors (20)

Hardware_root_trust_x86.pptx
Hardware_root_trust_x86.pptxHardware_root_trust_x86.pptx
Hardware_root_trust_x86.pptx
 
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
 
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
Hardware-assisted Isolated Execution Environment to run trusted OS and applic...
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with Xen
 
Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018
 
Secure initialization of Trusted Execution Environments: When Secure Boot fal...
Secure initialization of Trusted Execution Environments: When Secure Boot fal...Secure initialization of Trusted Execution Environments: When Secure Boot fal...
Secure initialization of Trusted Execution Environments: When Secure Boot fal...
 
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls shortEuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
EuskalHack 2017 - Secure initialization of TEEs: when secure boot falls short
 
Fuzzing_with_Xen.pdf
Fuzzing_with_Xen.pdfFuzzing_with_Xen.pdf
Fuzzing_with_Xen.pdf
 
Advanced debugging on ARM Cortex devices such as STM32, Kinetis, LPC, etc.
Advanced debugging on ARM Cortex devices such as STM32, Kinetis, LPC, etc.Advanced debugging on ARM Cortex devices such as STM32, Kinetis, LPC, etc.
Advanced debugging on ARM Cortex devices such as STM32, Kinetis, LPC, etc.
 
Gal Diskin - Virtually Impossible
Gal Diskin - Virtually Impossible Gal Diskin - Virtually Impossible
Gal Diskin - Virtually Impossible
 
Sierraware ARM hypervisor
Sierraware ARM hypervisor Sierraware ARM hypervisor
Sierraware ARM hypervisor
 
Intel® QuickAssist Technology Introduction, Applications, and Lab, Including ...
Intel® QuickAssist Technology Introduction, Applications, and Lab, Including ...Intel® QuickAssist Technology Introduction, Applications, and Lab, Including ...
Intel® QuickAssist Technology Introduction, Applications, and Lab, Including ...
 
EC8791-U5-PPT.pptx
EC8791-U5-PPT.pptxEC8791-U5-PPT.pptx
EC8791-U5-PPT.pptx
 
Review of Hardware based solutions for trusted cloud computing.pptx
Review of Hardware based solutions for trusted cloud computing.pptxReview of Hardware based solutions for trusted cloud computing.pptx
Review of Hardware based solutions for trusted cloud computing.pptx
 
Platform Security Presentation
Platform Security PresentationPlatform Security Presentation
Platform Security Presentation
 
IBM MQ Appliance - Administration simplified
IBM MQ Appliance - Administration simplifiedIBM MQ Appliance - Administration simplified
IBM MQ Appliance - Administration simplified
 
Early Software Development through Palladium Emulation
Early Software Development through Palladium EmulationEarly Software Development through Palladium Emulation
Early Software Development through Palladium Emulation
 
Secure IOT Gateway
Secure IOT GatewaySecure IOT Gateway
Secure IOT Gateway
 
Cisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening GuideCisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening Guide
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 

Breaking hardware enforced security with hypervisors

  • 1. Breaking Hardware-Enforced Security with Hypervisors Joseph Sharkey, Ph.D. Chief Technology Officer / Vice President of Advanced Programs Siege Technologies www.siegetechnologies.com This work was sponsored in part by the Air Force Research Laboratory (AFRL) and Air Force Office of Scientific Research (AFOSR) under contracts FA8750-C-0235, FA9550-11-1-0267, and FA9550-14-C-0019
  • 2. Presentation Content • Background on modern hardware-enforced security primitives for PC platforms • Compromising Intel TXT with a Hypervisor rootkit • Compromising AES-NI with a Hypervisor rootkit • Implications • Near Term Solutions: What can I do about it?
  • 3. Trusted Boot (tBoot) tBoot is open source software that makes use of Intel’s TXT • Code written and released by Intel engineers • tBoot is the de facto standard code-base for DRTM leveraging Intel’s TXT extensions – Used by GRUB, Xen, VMWare ESXi, etc. • Launch Control Policies (LCP) handle failed measurement; are settable by system administrator – Halt policy prevents boot on invalid measurement – Continuation policy allows boot, but notifies system of invalid state
  • 4. Dynamic Root of Trust Measurement (DRTM) • Establishment of trusted environment is delayed until some time after platform has booted – Eliminates the need to trust early boot software, no longer need to reboot to start a chain of trust – Completely remove BIOS & early bootloaders from the Trusted Computing Base • Atomic “measure and launch” operation ensures a clean initial state; TPM stores integrity measurements, and optionally sealed storage and remote attestation • Most popular for PC platforms; addresses challenges of Static Root of Trust approaches – Used by tBoot, Xen, VMWare ESXi, etc DRTM is common across PC/laptop/server platforms and is used by tboot, Xen, Vmware ESXi, etc.
  • 5. DRTM Implementations Intel’s Trusted Execution Technology (TXT) • A set of hardware extensions and primitives – Safer Mode Extensions (SMX) in the CPU – Chipset support including VT-d, TPM v1.2, LPC Bus v1.1 • Provides a secure way to launch a measured environment – GETSEC[SENTER] instruction is used to atomically reset some chipset, TPM state, halt other cores and execute a trusted code module (SINIT) – SINIT module can then pass execution to a known/trusted kernel AMD’s Secure Virtual Machine (SVM) • Very similar to Intel’s TXT, small differences – SKINIT – “Secure Kernel Initialization” instruction – Chipset extensions and support Intel’s GETSEC Instruction Leaf Functions Intel’s TXT Overview
  • 6. Trusted Platform Module (TPM) • Platform configuration registers (PCRs) • Hash accumulator used to track system configuration • PCRN’ = SHA-1 (PCRN | Value) • Computationally infeasible to set PCR to a specified value • (ext(A), ext(B)) ≠ (ext(B), ext(A)) • Some registers are used for SRTM (0 - 15 and others DRTM (17 – 23), 16 is a debug PCR • Services provided by the TPM include: • Platform Configuration Registers (PCRs) • Locality based access enforcement • Sealed Storage • Remote Attestation
  • 7. Trusted Platform Module (TPM) • Sealed Storage – Binds data to system configuration – Secrets can only be accessed when the TPM PCRs are in the proper state • Remote Attestation – Challenge response protocol with nonce to eliminate replay – TPM performs a quote operation (reports PCR values) and signs it with a key held internally (key exchange happens at setup)
  • 8. Summary of Previously Demonstrated Attacks • Invisible Things Lab, 2009: Malicious SMM [4] – System Management Mode (SMM) code is not included in TXT system measurement; malicious SMM code can subvert the root of trust – Intel has discussed a solution to address SMM in a TXT environment (STM), but does not yet have any commercial implementations available for testing or use in trusted platforms [1]. • Invisible Things Lab, 2009: TXT Chipset Misconfiguration [2] – A misconfiguration in chipset VT-d settings leave MLE vulnerable to DMA attack – Misconfiguration issue was subsequently patched by Intel via an updated sinit software module • Invisible Things Lab, 2011: Vulnerabilities in TXT AC module [5] – Buffer overflow in ACPI DMAR table allows attacker to gain code execution inside the signed executable – Bug was patched by Intel via updated SINIT module release • Johannes Winter, 2009, 2011: TPM hardware attacks – Showed an attacker can monitor [6] and/or manipulate TPM bus communications [3]
  • 9. SENTER Emulation Attack with Hypervisor Rootkit • Approach: Launch thin hypervisor before tBoot (e.g. via GRUB loader) – Intercept and emulate the GETSEC[SENTER] & other SMX instructions – Intercept and emulate TPM interaction to fake local attestation – Intercept and emulate TXT heap, private memory regions, etc. • Results: Proof of Concept constructed against tBoot – tBoot thinks (and reports) that the system successfully boots into a trusted state – Undermines the security of tBoot DRTM with any policy, including the most restrictive “halt” policy SENTER emulation attack virtualizes the DRTM establishment process, and lies about the state of the system
  • 10. SENTER Emulation Attack Discussion • Load a custom thin hypervisor rootkit first and then run tBoot inside the virtual machine container – Trap SMX instructions (e.g. GETSEC[SENTER]) • Emulate those instruction's, using the pseudo-code provided by Intel in the Developer’s Manual • Modified as desired of course  – AC module can either be skipped or run in the virtualized environment so the chipset is reinitialized to the specification • Again, modify/filter operations as desired of course  – Shadow memory is used to emulate TPM and provide falsified PCR measurements • No matter what policy tBoot is configured with (since GETSEC[SENTER] isn’t run, any Launch Control Policy can be ignored by the rootkit), it continues to boot and the txt-stat command reports “TXT measured launch: TRUE” – System thinks it is in a trusted state, even though a rogue hypervisor is running underneath the kernel! – Dumping PCR values from within Linux shows the same exact state as when TXT succeeds • Because it isn’t actually talking to the real TPM; it is talking to the hypervisor rootkit virtualized TPM
  • 11. Should this type of attack succeed? • According to the documentation, NO! – TXT should prevent the launch of a measured environment if a system can not be measured and verified • Intel’s show-case example states that TXT is capable of detecting the presence of a hypervisor rootkit – This is only possible when sealed storage or remote attestation is used – tBoot (written & maintained by Intel developers as a TXT reference implementation) does not use sealed storage or remote attestation out-of-the- box!...it is left for the user to implement 11 * Whitepaper: Evolution of Integrity Checking with Intel® Trusted Execution Technology: an Intel IT Perspective http://www.intel.com/content/dam/doc/white-paper/intel-it-security-trusted-execution-technology-paper.pdf *
  • 12. Fundamental Problem • DRTM implementations require a single atomic instruction to be executed to initiate the root of trust – How can you trust an untrusted system to execute even 1 single assembly instruction safely? • Both AMD and Intel implementations of DTRM allow a hypervisor to gain execution whenever a guest tries to execute a root-of-trust instructions – This prevents a guest operating system from ousting its underlying hypervisor by setting up an MLE of its own – UNFORTUNATLEY, this design also allows an attacker to setup a thin-hypervisor at boot time and virtualize/emulate all TXT instructions and TPM interactions Fundamental Tradeoff: Allow attacker to kick-out trusted hypervisor by executing GETSEC[SENTER]; OR Provide the mechanisms necessary for hypervisor rootkit to emulated GETSEC[SENTER]
  • 13. AES-NI Instructions • Improve performance of cryptographic operations by adding support directly into the CPU (more than an order of magnitude faster in some cases!) • Use XMM (128-bit) / YMM (256-bit) CPU registers • Round keys & data are provided directly as a parameter to the instructions XMM/YMM registers provide the round keys as well as the data to encrypt/decrypt Applications using default crypto libraries (e.g. libcrypt & wincrypt) inherently use AES-NI when it is available whether they realize it or not
  • 14. Compromising AES-NI: Summary • Leverage design features of x86/64 architecture to undermine AES-NI • Hypervisor configures the CPU to generate an exception anytime an AES-NI is executed • Hypervisor catches the exceptions, logs information • This generic approach is not tailored to a specific piece of software, and is not noticeable to the OS Use hypervisor to man-in-the-middle AES-NI operations, extracting both the encryption key as well as plain text data
  • 15. Inducing VMExits • Unlike GETSEC, the hardware does not directly provide a way to force all AES-NI instructions to trap to the hypervisor – Need to get creative  – All AES-NI instructions use XMM/YMM registers, and can therefore generate “Exceptions Type 4” • Force all AES-NI instructions to trap to the hypervisor – Configure the CPU to trip one of the entries in the table to the right – Set VMCS to route the appropriate exception (#UD or #NM) to the hypervisor – Configure Hypervisor to catch the exception Exceptions Type 4, from the Instruction Set Reference Manual
  • 16. Inducing VMExits (continued…) CR4.OSXSAVE/ CR4.OSXFXSR • Setting these bits forces all instructions using SSE/AVX to cause exceptions – When both bits are used together ensures legacy SSE instructions and VEX prefix generate traps • Allows the desired events (AES-NI) to be seen by the hypervisor, but also many other instructions – Hypervisor must look at the opcode that causes the trap to filter out which ones are AES-NI and which are not
  • 17. Detailed Results Discussion Successfully used hypervisor to man-in-the-middle AES-NI operations, extracting both the encryption key as well as plain text Hypervisor Output OpenSSL Output ……… While OpenSSL is encrypting & decrypting data, the hypervisor sees all the cryptographic operations, and readily identifies the key and plain text
  • 18. AES-NI Interception: What’s the Catch? • The hypervisor is able to extract the keys and grab clear text data in real time in a generic way that isn’t implementation dependent – Surely the hypervisor could also set a breakpoint on specific library functions, but that approach would be more tailored to a specific implementation • BUT…The devil is in the details – Our initial implementation incurs non- negligible performance impact (system is usable, but noticeably slower) – Implementation could be optimized, perhaps with some simplifying assumptions
  • 19. Who is affected? • A variety of systems – Laptops, desktops, workstations, servers • Especially those relying on TXT for trusted boot & AES-NI for encryption – Cloud computing infrastructure • What if someone compromises the trusted hypervisor (e.g. via VM breakout; or malicious employee, etc.), bypasses the DRTM, and starts sniffing AES-NI operations? They can compromise SSL, VPN, disk encryption, etc. – many of the technologies that are supposed to keep you “safe” in the cloud – Not Operating System specific – these issues are inherent in the architecture and can be realized on any OS
  • 20. Will I know if I’m affected? • Probably not – Many sysadmins (and even software developers writing the code!) don’t know if they are relying on AES-NI currently • Generally because they rely on library calls and don’t know how the library implementation is done. Most libraries now use AES-NI by default when it is available. – TXT is quite complex; key elements for a single implementation a modern PC platform is defined by nine specifications and encompasses hardware implementations from at least three hardware vendors and eight software components • Staggering complexity leaves the system administrator responsible to make configuration decisions for options that are not completely understood
  • 21. NEAR-TERM SOLUTIONS: HOW CAN WE PROTECT OURSELVES?
  • 22. I want to encrypt data in the cloud – is it hopeless?! • Initial experimentation indicates significant performance implications imposed by this hypervisor approach – Could make it less practical for wide-scale use – Although implementation optimizations might be able to overcome this challenge • To be safe, you can always use a software-only implementation of AES (not relying on the AES-NI instructions) to avoid compromise – This would make it harder for a hypervisor rootkit to identify AES operations
  • 23. Hide in the Noise VS • Hypervisor rootkit has the privilege to see all guest operations, but must somehow find what its looking for within all the bits & bytes of the system (“semantic gap”) – This semantic gap is the biggest challenge for hypervisor rootkits, and we can take advantage of it! Using AES-NIUsing a software AES implementation
  • 24. Sealed Storage!! • The attack succeeds when sealed storage and remote attestation are not implemented – Attack bypasses a default installation of tBoot that does not leverage sealed storage or remote attestation • There aren’t even optional tBoot configurations to use sealed storage. – There are Linux command line utilities to seal/unseal secrets against the TPM, but you are on your own to script something out using them • CONCLUSION: Sealed storage should not be optional!! – If something unique is locked (sealed) in the TPM, the attacker can lie about PCR state but will ultimately fail to produce the secret value during an unseal operation Sealed storage and remote attestation are the ONLY mechanisms that provide trusted mechanisms to report state
  • 25. Sealed Storage: Challenges • Even if sealed storage is used, there are some pitfalls to be aware of: – Make sure you don’t rely on a sealed secret that can be predicted or possibly obtained by an attacker at runtime • If so, the attacker can report the predicted/captured value during an emulated TPM unseal operation, without ever actually having had access to the TPM!! – Make sure you extend PCRs after unsealing your secrets • Otherwise an attacker can just re-unseal your secrets at runtime! – Ensure your sealed secret doesn’t stay resident outside of the TPM at runtime – Be careful how you verify the sealed secrets at boot time • EXAMPLE: Use disk encryption, seal the key in the TPM, and assume we are safe if our disk gets mounted properly (if TPM unseal fails we won’t be able to decrypt the disk) • PITFALL: Attacker at runtime can grab the disk key from memory, and then just report it in the right place/time during boot If an attacker can predict or obtain/access your sealed secrets, then they can emulate the unseal operation, bypassing even the protections afforded by sealed storage!!
  • 26. Sealed storage: Recommendations • You really need to seal a value that is displayed to the user ONLY to verify trusted state during boot – Can be text, a photo, etc. – something the system displays to the user early in the boot process – After the user acknowledges the “secret” (e.g. hits enter to continue) the secrets need to be scrubbed, the PCRs extended, and then the system can continue boot • Remote attestation can be used to accomplish this for a server/headless configuration – Rather than attesting state to the user, state is attested to a remote server – The same process as above should be utilized: Perform attestation, scrub secrets, extend PCRs, continue boot
  • 27. Thank You! Questions / Comments? References: • [1] http://invisiblethingslab.com/resources/misc09/Quest%20To%20The%20Core%20(public).pdf • [2] http://invisiblethingslab.com/resources/misc09/Another%20TXT%20Attack.pdf • [3] Johannes Winter, “A Hijacker's Guide to the LPC bus”, https://online.tugraz.at/tug_online/voe_main2.getvolltext?pCurrPk=59565 • [4] http://invisiblethingslab.com/resources/misc09/smm_cache_fun.pdf • [5] http://www.invisiblethingslab.com/resources/2011/Attacking_Intel_TXT_via_SINIT_hijacking.pdf • [6] Johannes Winter, “Eavesdropping Trusted Platform Module Communication” Joseph Sharkey @sharkey_joe https://www.linkedin.com/in/joseph-sharkey-45aa0b8