Hypervisor Framework

SyScan 2009 talk about hypervisors.

Published in: Technology
Transcript of "Hypervisor Framework"

1. Private & Confidential
Property of COSEINC

2. Who am I?
• Senior Security Researcher at COSEINC
• One of the developers of BluePill, a hardware-based virtualization rootkit.
• Creator of one of the most effective methods to detect virtualization rootkits.
• Experience with systems programming (kernel, device drivers) and reverse engineering for x86/x64 architectures.

3.
   1. Review of the implementation methods for virtualization of the x86 architecture.
   2. Show the complexity of using hardware supported virtualization instructions to implement virtual machines.
   3. Present a framework that makes the task of creating hypervisors easy.
   4. Applications of the framework
   5. Security aspects

4. The COSEINC Hypervisor Framework
X86 VIRTUALIZATION

5.
• System Virtual Machines: a VM able to run multiple operating systems concurrently
• The code responsible for the virtualization is called the Virtual Machine Monitor (VMM).
• Provides isolation between the guest OSes
• Physical hardware resources are shared between the multiple virtual machines

6.
[Diagram: a Windows guest and a Linux guest on top of the VMM, which runs directly on the IA-32 processor]
1. Type I (native)
The VMM runs directly on the host's hardware. Hardware resources are controlled by the VMM. Examples: VMware ESX, Microsoft Hyper-V

7.
[Diagram: a Windows guest and a Linux guest on top of the VMM, which runs on top of the host Operating System on the IA-32 processor]
• Type II (Hosted)
The VMM runs as an application. Hardware resources are controlled by the host OS. The COSEINC hypervisor framework creates a Type-II VMM. Examples: VMware Workstation.
8.
• When the guest VM uses the same Instruction Set Architecture (ISA) as the host machine, the guest instructions can be executed in 2 ways:
  – Emulation
  – Direct native execution

9.
• The VMM must read and interpret each guest instruction
• Can be implemented using code interpretation or binary translation
• Performance penalty

10.
• The guest instructions are executed directly on the CPU.
• Great performance.
• Some instructions still need to be emulated.
• How to decide which instructions can be used for direct native execution?

11.
• Popek and Goldberg published a paper which formally defines the requirements of an ISA for the implementation of virtual machines.
• The VMMs must have 3 properties:
  – 1. Equivalence
  – 2. Resource control
  – 3. Efficiency

12.
• Basically all the VMM detection methods are based on violations of the Equivalence property.

13.
• Violation: VMM bug exploitation.

14.
• Depends on the features of the host ISA.
• How to implement efficient virtual machines on the x86 architecture?
16.
• Innocuous instructions are instructions which don't change or affect system configuration or resources.
• An efficient VMM allows the direct execution of innocuous instructions.
• Examples:
  – mov eax, 00204012h
  – shr ebx, 03
  – xor eax, eax
  – cmp ebx, ecx

17.
• Sensitive instructions affect system resources or behavior
• The VMM must prevent the direct execution of sensitive instructions!
• The IA-32 instruction set contains 17 sensitive instructions [2]
• Examples:
  – wrmsr
  – mov CR3, eax
  – out dx, eax

18.
• All the VMM needs now is a way to intercept the execution of the sensitive instructions.
• This is easy when the sensitive instruction is privileged!
• A sensitive instruction is privileged if it traps when the machine is executing in user mode and does not trap in system mode.
• In the x86 architecture, system mode = CPL zero (ring 0)

19.
[Diagram: a kernel code listing (cmp eax, ebx / jnz 8c0dab00 / xor edx, edx / mov eax, 030h / wrmsr / cmp eax, 020Fh / jnz 08000bc00 / shr eax, 8) with the sensitive instruction wrmsr marked apart from the innocuous instructions]

20.
[Diagram: the same kernel code is executed directly on the CPU with CPL set to ring 3; the innocuous instructions run natively, while wrmsr raises a #GP (general protection fault) that is handled by the VMM trap handler routine (emulation)]

21.
• Virtualization of guest instructions would be very easy if all sensitive instructions generated a fault in ring 3.
• There are sensitive but non-privileged instructions in the x86 architecture!
• A sensitive non-privileged instruction will not generate an exception in ring 3!

22.
• The POPFD instruction writes a DWORD value into the EFLAGS register.
• It's a sensitive instruction because it can be used to set the IF flag.
• The IF (Interrupt Flag) controls the hardware external interrupt mechanism.

23.
• Problem: Executing POPFD in ring 3 will not generate a fault! The CPU just ignores the IF flag modification attempt.
• How to virtualize sensitive non-privileged instructions?

24.
• How is the VMware Player VMM able to prevent direct execution of non-privileged instructions?
• VMware Player is a Type II VMM
• The hypervisor is stored as a PE resource inside the vmware-vmx.exe executable.
• ELF executable loaded directly into Windows kernel memory by the vmx86.sys device driver

25.
[Diagram: user mode: vmplayer.exe and vmware-vmx.exe, which carries the VMware hypervisor as an ELF executable stored as a PE resource; kernel mode: vmx86.sys loads it next to ntoskrnl.exe]

26.
• Solution: Scan all the guest code instructions and search for non-privileged instructions.
• Replace the non-privileged instructions with a privileged instruction.
• The VMM handles the faults and emulates the execution of the non-privileged instruction.
27.
   1. Review x86 virtualization implementation methods.
   2. Show how to use Intel VT® to implement virtual machines.
   3. Present a framework to make the task of creating hypervisors easy.
   4. Applications of the framework
   5. Security and detection discussion

28. The COSEINC Hypervisor Framework

29.
• Virtualizable ISA
  – If all sensitive instructions of some ISA are privileged, the processor is considered to be 'virtualizable' [3]
• IA-32 is obviously not virtualizable.
• New instruction sets created by Intel and AMD
  – Intel Virtual Machine eXtensions (VMX)
  – AMD Secure Virtual Machine (SVM)

30.
• The presentation focuses on Intel VMX. AMD SVM concepts are very similar.
• New form of processor operation: the 'VMX operation mode'
• VMX mode is activated by the VMXON instruction.

31.
• VMXON fails if virtualization is locked.
• Locked by default in the BIOS for security reasons
• Ring -1.
• There's no more need to move guest kernel code from ring 0 to ring 3. Guest kernel code can run directly in ring 0.

32.
• 2 types of VMX operation:
  – VMX root operation
  – VMX non-root operation
• VMX root operation
  – New instructions available (VMX instructions)
  – Used by the VMM (hypervisor)
• VMX non-root operation
  – Restricted mode of operation
  – Certain instructions and events are intercepted to facilitate virtualization.

33.
• Transitions between VMX root operation and VMX non-root operation are called 'VMX transitions'
• Transition from the VMM to the guest: VM-ENTRY.
• Transition from the guest VM to the VMM: VMEXIT

34.
[Diagram: the hypervisor (VMX root operation) enters the virtual machine (VMX non-root operation) with VM-ENTRY (vmresume/vmlaunch); the virtual machine returns to the hypervisor with VM-EXIT (event interception)]

35. Creating a VMM with Intel VT® - first steps
• Detection of Intel VMX instruction support.
  – CPUID
• Enable VMX (CR4)
  – VMXE bit
• Check the status of the Lock bit (rdmsr)
  – More about it in the security section
• Setup of the VMXON region

36. Creating a VMM with Intel VT® - first steps
• Enable VMX instructions (VMXON)
• Create and configure the VMCS region of each guest VM.
• Launch the guest VM with the VMLAUNCH instruction
• Wait for VM-exit events
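The checks from the "first steps" above, as an added example that is not code from the COSEINC framework or the slides: it evaluates constructed CPUID, CR4 and IA32_FEATURE_CONTROL values in user mode (no real cpuid/rdmsr/vmxon is executed), so the locked-by-BIOS case that makes VMXON and CreateVirtualMachine fail can be exercised. Bit positions and the VMXON region layout are taken from the Intel manuals [3]; the function and variable names are this example's own.

```c
/* Added example, not code from the COSEINC framework: the pre-VMXON checks
 * of the "first steps" slides, evaluated on constructed register values
 * (no cpuid/rdmsr/vmxon is executed, so it builds and runs in user mode). */
#include <stdint.h>
#include <string.h>

#define CPUID1_ECX_VMX        (1u << 5)     /* CPUID.1:ECX.VMX */
#define CR4_VMXE              (1ull << 13)  /* CR4.VMXE must be set before VMXON */
#define IA32_FEATURE_CONTROL  0x3Au         /* MSR index 3Ah (security section) */
#define FC_LOCK               (1ull << 0)   /* lock bit: MSR read-only until reset */
#define FC_VMXON_OUTSIDE_SMX  (1ull << 2)   /* allows VMXON outside SMX */
#define IA32_VMX_BASIC        0x480u        /* bits 30:0 = VMCS revision identifier */

enum vmx_status { VMX_OK = 0, VMX_UNSUPPORTED, VMX_LOCKED_DISABLED, VMX_BAD_REGION };

/* Inputs are the values a VMM would obtain with cpuid(1), rdmsr(3Ah) and
 * mov eax, cr4. On success, *fc_out and *cr4_out receive the values to load
 * with wrmsr and mov cr4 before executing VMXON. */
enum vmx_status vmx_precheck(uint32_t cpuid1_ecx, uint64_t feature_control,
                             uint64_t cr4, uint64_t *fc_out, uint64_t *cr4_out)
{
    if (!(cpuid1_ecx & CPUID1_ECX_VMX))
        return VMX_UNSUPPORTED;             /* CPU has no VMX instructions */

    uint64_t fc = feature_control;
    if (fc & FC_LOCK) {
        /* BIOS locked the MSR. VMXON outside SMX works only if bit 2 is set;
         * otherwise VMXON raises #GP and only a BIOS setting can change that
         * (the "locked by the BIOS" failure of CreateVirtualMachine). */
        if (!(fc & FC_VMXON_OUTSIDE_SMX))
            return VMX_LOCKED_DISABLED;
    } else {
        /* Unlocked: the VMM must enable and lock it itself, since VMXON
         * also fails while the lock bit is clear. */
        fc |= FC_VMXON_OUTSIDE_SMX | FC_LOCK;
    }
    *fc_out = fc;
    *cr4_out = cr4 | CR4_VMXE;
    return VMX_OK;
}

/* VMXON region setup: 4K-aligned physical address, first dword holds the
 * VMCS revision identifier (IA32_VMX_BASIC[30:0]) with bit 31 clear. */
uint8_t g_vmxon_region[4096];

enum vmx_status vmxon_region_init(uint8_t *region, uint64_t phys, uint64_t vmx_basic)
{
    if (region == NULL || (phys & 0xFFFull) != 0)
        return VMX_BAD_REGION;              /* VMXON would fail on a misaligned region */
    memset(region, 0, 4096);
    uint32_t rev = (uint32_t)vmx_basic & 0x7FFFFFFFu;
    memcpy(region, &rev, sizeof rev);
    return VMX_OK;
}

uint32_t vmxon_region_revision(const uint8_t *region)
{
    uint32_t rev;
    memcpy(&rev, region, sizeof rev);
    return rev;
}

/* Plain-value wrappers around vmx_precheck (convenient for tests). */
int precheck_status(uint32_t ecx, uint64_t fc, uint64_t cr4)
{
    uint64_t new_fc = 0, new_cr4 = 0;
    return (int)vmx_precheck(ecx, fc, cr4, &new_fc, &new_cr4);
}

uint64_t precheck_feature_control(uint32_t ecx, uint64_t fc, uint64_t cr4)
{
    uint64_t new_fc = 0, new_cr4 = 0;
    vmx_precheck(ecx, fc, cr4, &new_fc, &new_cr4);
    return new_fc;                          /* 0 when the checks fail */
}

uint64_t precheck_cr4(uint32_t ecx, uint64_t fc, uint64_t cr4)
{
    uint64_t new_fc = 0, new_cr4 = 0;
    vmx_precheck(ecx, fc, cr4, &new_fc, &new_cr4);
    return new_cr4;
}
```

The "Evaluation of the lock bit" feature listed later in the deck amounts to the locked branch above: a locked MSR without bit 2 set cannot be fixed from software, only from the BIOS setup.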
37. VMCS
• Virtual Machine Control Structure
• Most important VMX data structure
• One VMCS for each Virtual Machine and for each CPU core.
• It controls the behavior of VMX transitions

38. VMCS
• The VMM must not access the VMCS directly.
• Read and write access to the VMCS via the VMREAD and VMWRITE instructions.
• Internal structure undocumented, but reverse engineering it is easy.

39. VMXON and VMCS areas
[Diagram: one VMXON region per CPU (CPU A, CPU B); each VM has one VMCS per CPU: the Windows VM uses VMCS #1A and #1B, the Linux VM uses VMCS #2A and #2B]

40. VMCS logical groups
[Diagram: the VMCS is located at a 4K-aligned physical address and is divided into 6 logical areas: Guest-state area, Host-state area, VM-execution control fields, VM-exit control fields, VM-entry control fields, VM-exit information fields]

41. Guest-state area
• Area of the VMCS where guest context information is stored.
• On #VMEXIT, guest processor state is saved in this area.
• On VMENTRY this information is loaded.
• Register state:
  – Control Registers
  – Debug Registers
  – RSP, RIP, RFLAGS
  – LDTR, GDTR, IDTR
  – Segment selectors
  – Model Specific Registers

42. Guest-state area
• Non-register state
  – Activity State
  – Interruptibility state
  – VMCS link pointer
    • For future expansions

43. Host-state area
• Contains information about the host (VMM)
• Processor state is loaded from this area after each #VMEXIT
• Registers:
  – RIP (entry-point address of the hypervisor routine responsible for handling #VMEXIT events)
  – RSP, RFLAGS
  – MSRs

44. VM-execution control fields
• Control how the VM will be executed.
• The instructions that the hypervisor wants to intercept are specified in these control fields.
  – Example: HLT, INVLPG, MWAIT, RDPMC, RDTSC, MOV-DR
• Exception bitmap
  – Bitmap which controls interception of CPU exceptions like page faults, debug exceptions, #GP, ...
• I/O bitmap
  – Can be used to control interception of I/O ports
• MSR bitmap
  – Interception of Model Specific Registers
• Some instructions will unconditionally result in a VMEXIT

45. VM-entry control fields
• Control the behavior of VM entries.
• Include information about SMM, debug registers and some MSRs.
• Guest Event Injection:
  – It's possible to inject a virtual interrupt or exception into the guest
  – Types of interrupts allowed:
    • External, NMI, hardware exceptions, software interrupt.

46. VM-exit fields
• VM-exit control fields, which control the behavior of VM exits.
• VM-exit information fields:
  – Read-only fields with information about the most recent VM exit
  – Exit reason
  – Exit qualification

47. Interception
• After configuring the VMCS, the hypervisor can launch the virtual machine and wait for a VMEXIT event.
• When an instruction is intercepted in the guest, the processor will:
  – Save the VM-exit reason information in the VMCS
  – Save guest context information
  – Load the host-state area
  – Transfer control to the hypervisor

48.
[Diagram: the VMM in VMX root mode (ring 0) issues VMLAUNCH; the guest in VMX non-root mode (ring 0) runs mov eax, 23 / inc edx / xor ebx, edx / sub ecx natively, then mov cr3, ebx causes a #VMEXIT into the VMM's #VMEXIT event handler, which returns with VMRESUME; the guest continues with cmp eax, 1 / jnz c080df00 / retn]
50.
• Creating a VMM using these new hardware virtualization ISAs is complex
  – More complex features are always coming: EPT for nested paging
• Very hard to find and to fix bugs
• No debugger
• Intel VT error codes are not very useful
  – Code 33 = "VM-entry failure due to invalid guest state"
  – What exactly is invalid in the guest state?
  – More than 40 suspects!

51.
• The COSEINC Hypervisor Framework, referred to from now on as just the 'framework', enables you to easily create a Hosted Virtual Machine Monitor (Type II VMM) using the Windows Operating System.
• Simple and easy-to-use exported API
• Abstraction over the different hardware virtualization instruction sets (VMX/SVM)

52.
• 2 versions:
  – 32-bit Windows device driver
  – 64-bit Windows device driver
• API exported methods:
  – Export table
  – IOCTL codes for user-mode communication
• Initial version only for Windows, but porting to Mac/Linux should not be difficult.
• Release date: very soon!

53. Features
• Automatic detection of the virtualization instruction sets.
• SMP support
• Evaluation of the lock bit
• Detailed error-status codes
• Plugin-like architecture

54. Architecture
[Diagram: User applications (Ring 3); Operating System Kernel with the Framework Client (Ring 0); Framework (Ring -1)]

55. API
• The full documentation of the API will be released with the framework.
• Preliminary documentation. Subject to change.
• Function categories:
  – Virtual Machine management functions
    • Creation and deletion of Virtual Machines.
    • Executing and resuming a virtual machine.
  – Interception Events functions
    • The framework calls the registered client function callbacks.
  – Root guest VM.

56. Virtual Machine management
• VMSTATUS CreateVirtualMachine ( IN VMINFO *vminfo );
• This function creates a new virtual machine in the system.
• Fails if the virtualization MSR is locked by the BIOS.

57. VMINFO data structure
• Most important framework data structure
• Contains all the information needed to create and control a VM:
  – all the GUEST context information
  – GDT, LDT, Page Tables, Control Registers, ...
  – Interception handler function callback address.
  – Event Injection information
  – VMEXIT information

58. VMINFO data structure
[Diagram: VMINFO holds GUEST_INFO (Control Registers, Debug, Segments, Model Specific, Descriptor Tables) and CONTROL_INFO (Interception: I/O, Interrupts, MSR; Event Injection; VMEXIT info; Extra info)]

59. Interception Event management
• VMSTATUS VirtualMachineExec ( IN VMINFO *vminfo );
• This function controls the execution of the virtual machine. It can be called after the creation of the VM and to resume the execution of the VM after an intercept event.
• If the VMM must inject some event into the guest VM, the information is provided in the VMINFO data structure.

60. VM creation and execution
[Diagram: the Client (VMM plugin) calls CreateVirtualMachine( ) and then VirtualMachineExec( ) on the Framework; an intercept event in the VM is delivered by the Framework as an Intercept Event Message to the client's handler, which resumes the VM with VirtualMachineExec( )]

61. Framework – Client communication
[Diagram of the components involved: Virtual Machine, VM message handler, VM Event Router, VM Scheduler, Timer interrupt, VM Event Manager, Hypervisor]

62. Root guest VM
• One of the best features of the framework:
  – Automatic conversion of the host operating system into a virtual machine at runtime!
• This guest VM is called the 'root VM'
• The creation of the root VM is optional and controlled by the API.
• The root VM is shared between all loaded plugins.
64. The COSEINC Hypervisor Framework

65. Applications of the framework
• Especially useful for education and research purposes
• Can be used to create any type of small and fast VM. Not only system VMs.
• The best features are available when using the root guest VM.

66. Process VM
• Whole virtualization of a process or a thread is possible with the framework.
• Normally achieved by interception of system calls.
• Additional functions will be added to the API for better memory virtualization.
• No support for EPT in the first version.

67. Syscall hooking
• A great number of system monitoring and security tools are implemented using system call hooking methods.
• Old Windows OS versions use INT 2Eh
• Linux and newer Windows OS versions use the SYSENTER instruction

68. Syscall mechanism - illustration
[Diagram: in Windows, Ntdll.dll executes mov edx, esp / sysenter; the OS syscall mechanism uses the SYSENTER_CS and SYSENTER_EIP MSRs to enter nt!KiFastCallEntry, which begins with mov ecx, 23h / push 30h / pop fs / ...]

69. Syscall hooking
• Syscall hooking methods include:
  – Patching the syscall handler
  – Patching the IDT table
  – Patching the SYSENTER Model Specific Registers

70. Syscall interception
• Syscall interception using the root guest VM
• No need to hook the SSDT
• No need to patch/modify guest kernel code
• Virtualization of the SYSENTER MSR
• Plugin (framework)
  – VMINFO->ControlInfo->Interception->MSR
• Can also be applied to Linux guests
• Virtualized IDTR for old guest operating systems using INT xx instructions for syscall implementation.
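The SYSENTER MSR virtualization described above, as an added example that is neither the framework's code nor the slides': the 4K MSR bitmap from the VM-execution control fields is set so that accesses to the SYSENTER MSRs cause a VM exit, and the exit handler keeps a shadow copy of IA32_SYSENTER_EIP, so a guest write (the MSR-patching hook method of slide 69) is recorded by the monitor without moving the real entry point and a guest read sees the value it wrote. The struct vm_ctx and its fields are assumed stand-ins for what a plugin reads from VMINFO, the exit-reason numbers and bitmap layout come from the Intel manuals [3], and all addresses are constructed.

```c
/* Added example, not framework code: MSR-bitmap entries for the SYSENTER
 * MSRs and a RDMSR/WRMSR #VMEXIT handler that shadows IA32_SYSENTER_EIP,
 * simulated in user mode with stand-in names for what VMINFO exposes. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define IA32_SYSENTER_CS    0x174u
#define IA32_SYSENTER_ESP   0x175u
#define IA32_SYSENTER_EIP   0x176u
#define EXIT_REASON_RDMSR   31u          /* basic exit reasons, Intel manual 3 */
#define EXIT_REASON_WRMSR   32u

/* MSR bitmap (4 KB): bytes 0-1023 = reads of MSRs 0-1FFFh, 1024-2047 = reads
 * of C0000000h-C0001FFFh, 2048-4095 = the same two ranges for writes. A set
 * bit makes the access VM-exit. MSRs outside both ranges always exit. */
bool msr_bitmap_intercept(uint8_t bitmap[4096], uint32_t msr, bool on_read, bool on_write)
{
    size_t base;
    if (msr <= 0x1FFFu)                                 base = 0;
    else if (msr >= 0xC0000000u && msr <= 0xC0001FFFu)  base = 1024;
    else                                                return false;
    uint32_t bit = msr & 0x1FFFu;
    if (on_read)  bitmap[base + bit / 8]        |= (uint8_t)(1u << (bit % 8));
    if (on_write) bitmap[2048 + base + bit / 8] |= (uint8_t)(1u << (bit % 8));
    return true;
}

bool msr_bitmap_is_set(const uint8_t bitmap[4096], uint32_t msr, bool write)
{
    size_t base = (msr <= 0x1FFFu) ? 0 : 1024;
    uint32_t bit = msr & 0x1FFFu;
    return (bitmap[(write ? 2048 : 0) + base + bit / 8] >> (bit % 8)) & 1u;
}

/* Stand-in for the guest-state and VMEXIT-information fields of VMINFO. */
struct vm_ctx {
    uint64_t rax, rcx, rdx, rip;                  /* guest registers at the exit */
    uint32_t exit_reason, exit_instr_len;         /* VM-exit information fields */
    uint64_t shadow_sysenter_eip;                 /* what the guest believes it programmed */
    uint64_t real_sysenter_eip;                   /* entry point actually in the hardware MSR */
    unsigned sysenter_writes;                     /* monitor counter of guest write attempts */
};
uint8_t g_msr_bitmap[4096];

/* Returns true when the exit was handled (caller resumes with VMRESUME).
 * Guest writes update only the shadow: the hardware MSR keeps the entry
 * point installed when the root VM was created, so patching the SYSENTER
 * MSR from guest kernel code is observed but does not redirect syscalls. */
bool handle_msr_exit(struct vm_ctx *vm)
{
    if ((uint32_t)vm->rcx != IA32_SYSENTER_EIP)   /* ECX holds the MSR index */
        return false;
    switch (vm->exit_reason) {
    case EXIT_REASON_RDMSR:                        /* EDX:EAX <- shadow */
        vm->rax = vm->shadow_sysenter_eip & 0xFFFFFFFFu;
        vm->rdx = vm->shadow_sysenter_eip >> 32;
        break;
    case EXIT_REASON_WRMSR:                        /* shadow <- EDX:EAX */
        vm->shadow_sysenter_eip = (vm->rdx << 32) | (vm->rax & 0xFFFFFFFFu);
        vm->sysenter_writes++;
        break;
    default:
        return false;
    }
    vm->rip += vm->exit_instr_len;   /* skip the emulated instruction before VMRESUME */
    return true;
}

/* Intercept writes to the three SYSENTER MSRs and reads of SYSENTER_EIP. */
int build_sysenter_bitmap(void)
{
    memset(g_msr_bitmap, 0, sizeof g_msr_bitmap);
    return msr_bitmap_intercept(g_msr_bitmap, IA32_SYSENTER_CS,  false, true)
         + msr_bitmap_intercept(g_msr_bitmap, IA32_SYSENTER_ESP, false, true)
         + msr_bitmap_intercept(g_msr_bitmap, IA32_SYSENTER_EIP, true,  true);
}

/* Constructed scenario: guest kernel code runs wrmsr to move SYSENTER_EIP to
 * 0xDEADBEEF, then rdmsr to read it back; both encode in 2 bytes (0F 30, 0F 32). */
const struct vm_ctx *run_hook_scenario(void)
{
    static struct vm_ctx vm;
    memset(&vm, 0, sizeof vm);
    vm.real_sysenter_eip = vm.shadow_sysenter_eip = 0x8053A000ull; /* constructed KiFastCallEntry */
    vm.rip = 0x80500000ull;
    vm.exit_reason = EXIT_REASON_WRMSR; vm.exit_instr_len = 2;
    vm.rcx = IA32_SYSENTER_EIP; vm.rax = 0xDEADBEEFu; vm.rdx = 0;
    handle_msr_exit(&vm);
    vm.exit_reason = EXIT_REASON_RDMSR; vm.rax = vm.rdx = 0;
    handle_msr_exit(&vm);
    return &vm;
}
```

In a real plugin the same handler would run from the interception callback registered through VMINFO, and the Linux case only changes which entry-point address the hypervisor installed.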
71. Instrumentation
• Instrumentation is also easy to implement using the Interruptibility controls in the VMCS.
• Performance registers are also virtualizable
• Tools:
  – Optimization tools
  – System statistics

72. Nested virtualization
• The framework doesn't provide support for nested virtualization
• But it is possible to add this feature via a VMM plugin.
• Also, a virtualization debugger could be implemented!
74. 64-bit
• The framework and the plugins must be digitally signed to run in 64-bit versions of Windows.

75.
• MSR IA32_FEATURE_CONTROL (Index 3Ah)
• Controls:
  – SMX – Safer Mode eXtensions
• Disabled by default in the BIOS

76.
• "There is no software-visible bit whose setting indicates whether a logical processor is in VMX non-root operation. This fact may allow a VMM to prevent guest software from determining that it is running in a virtual machine." (Intel manual 3, 19.3)
• VMX transitions are CPU-expensive operations.
• Thousands of cycles just for a simple VMEXIT.
• SyScan 2007 – Detecting BluePill

77. QUESTIONS?

78. THANK YOU FOR YOUR TIME!

79.
1. John Scott Robin and Cynthia E. Irvine (2000). "Analysis of the Intel Pentium's Ability to Support a Secure Virtual Machine Monitor". Proc. 9th USENIX Security Symposium.
2. Jim Smith and Ravi Nair (2005). Virtual Machines: Versatile Platforms for Systems and Processes. Morgan Kaufmann.
3. Intel manuals (www.intel.com)