SlideShare a Scribd company logo
1 of 29
Download to read offline
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
Checklist of requirements to build
a protected virtualization fabric
Let the fabric attacks begin…
Gain an understanding of what it
takes to protect a virtualization fabric
from itself and its own admins
Gain an understanding of what the
fabric attack vectors look like
1. Compromised privileged accounts
2. Unpatched vulnerabilities
3. Phishing attacks
4. Malware infections
5. Compromised fabric exposes guest VMs
6. Easy to modify or copy VM without notice
7. Can’t protect VMs with gates, walls, locks, etc.
8. VMs can’t leverage H/W security (e.g. TPMs)
Attack the applications
and infrastructure
Attack the virtualization
fabric itself
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
Here’s our fabric
• Highlight here in this
picture where the
potential artifacts exist,
e.g. where is the vHDX (on
a SAN), where is its
backup, et.
Hypervisors
Storage
File
Ethernet
switches
Backup
appliance
So who’s trusted, who’s not and who’s a
threat
• Fabric admin trusted to administer fabric
• This does not imply they’re trusted to administer the VMs
• <list out attack possible vectors for each cited admin?
Our cast of nefarious
evil-doers
“Ned” – the storage admin
A nasty piece of work to be sure
Possesses unfettered access to almost
all storage devices
Massively opinionated; and angry—
very angry… at everything and
everyone
Our cast of nefarious
evil-doers
“Taylor” - the fabric admin
Don’t let those boyish good looks fool
you – he’s a right piece of $#@%*
Endowed with permission to fully
administer any virtualization host
Easily swayed by an offer of
chocolate-covered thin mints
Attack #1
“Ned wants a raise.”
6 Ned brute-forces credentials for an HR-admin user, logs on to the
HR system and gives himself a raise
5
He then initiates a complex attack known as the “Double click
attack”, mounts the VHDX and steals the Active Directory database
(DIT) file
4 Ned triggers volume snapshot to ensure he gets a consistent copy
of the database
3
Attacking a domain controller allows Ned to obtain the credentials
of a privileged HR admin to adjust his salary in the accounting
system
2 Locates domain controller VM’s disk
1 Browses SAN filesystem looking for VM disks
Mitigations in place
• None (beyond native Windows
authentication and
authorization)
Encrypt the SAN volume using the virtualization
host’s native filesystem encryption technology.
Since the virtualization host is now encrypting the
filesystem on which the VMs reside, the VM disks
are written to the SAN pre-encrypted and
inaccessible (or useless) to Ned.
Attack #1
Mitigation(s)
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
Attack #2
“Ned decides to collude
with Taylor and brings a
box of Thin Mints as a
peace offering.”
6 They succeed in obtaining credentials for the HR-admin user and
give themselves well-deserved raises
5 Ned and Taylor conduct a brute-force attack against the offline
Active Directory database
4 Once again, Ned initiates the complex “Double click attack”,
mounts the VHDX and steals the Active Directory database (DIT) file
3 Taylor copies off the VHDX containing the Active Directory domain
controller database to a USB stick and takes it home
2 Ned persuades Taylor that he, too, justifiably deserves a raise
1
Because, Taylor can logon to the virtualization host, he exists within
its filesystem encryption bubble, i.e. the SAN volume is
transparently decrypted from Taylor’s perspective
Mitigations in place
• Virtual disk files stored on
encrypted volumes
Fire both Ned and Taylor—this should be
considered ‘generally sound advice’.
Move the filesystem encryption inside the guest
operating system of the VM using a boot
passphrase in order to help protect the VM’s
logical disk from fabric attacks.
Attack #2
Mitigation(s)
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
Attack #3
“Ned gives up but Taylor
likes his new car and
continues the attack.”
6 Taylor succeeds in obtaining credentials for the HR-admin and
gives himself a raise
5
TayLoader writes the passphrase to its own virtual disk and resumes
the natural boot process of the real OS automating entry of the
boot passphrase
4
As is usual, Taylor contacts the VM-owner who then connects to the
VM console and, unbeknownst to him, enters the passphrase into
TayLoader
3
During a regular maintenance window, the VM is rebooted into
TayLoader which bears a striking resemblance to the boot process
of the real disk
2 Taylor then takes a copy of the VM’s real virtual disk file
1
Taylor abuses his fabric admin permission and adds a new virtual
disk to the domain controller VM that contains a malicious boot
loader: TayLoader
Mitigations in place
• Virtual disk files are stored on
encrypted volumes
• VM’s are encrypting their own
volumes using unique keys that
are released using a boot
passphrase
Fire both Ned and Taylor—advice this good rarely
needs changing regardless of Ned’s apparent lack
of involvement.
Enough of this break:fix legacy drivel—time to
move to a modern hypervisor that offers modern
security capabilities to guest VMs such as UEFI
firmware with Secure Boot and support for secure
key-release mechanisms, e.g. synthetic TPMs
whose secrets are sealed to boot measurements
Attack #3
Mitigation(s)
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
Attack #4
“Ned has been fired but
Taylor is still unscathed;
down but not beaten.”
5 Taylor succeeds in obtaining credentials for the HR-admin and
gives himself a raise
4 Taylor injects the FVEK and mounts the virtual disk
3 Once again, Taylor copies the VM’s virtual disk and take it home
2 Taylor cracks open the resulting dump file and uses a tool to locate
the OS’ BitLocker full-volume encryption key (FVEK)
1 Taylor triggers a dump of the virtual machine’s worker process
using a SysInternals’ tool called LiveKD
Mitigations in place
• Virtual disk files are stored on
encrypted volumes
• VM’s are encrypting their own
volumes
• Modern hypervisor that can
provide its VMs with secure
boot and TPM-backed key
release
Fire Taylor—it’s still solid advice.
Implement code integrity policies to block the use
of malicious tooling such as user-mode
debuggers.
Reduce the attack surface by removing
unnecessary/legacy VM devices.
Ensure the hypervisor employs reasonable
process-protection mechanisms such as Windows
Server’s protected process light (PPL).
Attack #4
Mitigation(s)
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
Attack #5
“CI policy? Not for
Taylor!”
5 Taylor succeeds in obtaining credentials for the HR-admin and
gives himself a raise
4 Once complete, Taylor mounts the virtual disk
3 With his tools now permitted by the CI policy, he repeats attack #4
2 Taylor copies the new CI policy to the host and reboots to apply it
1 Taylor (ab)uses his admin privileges to create a new CI policy that
allows his debugger and other malicious tools to run
Mitigations in place
• Virtual disk files are stored on
encrypted volumes
• VM’s are encrypting their own
volumes
• Deploy modern hypervisors that
can provide their VMs with UEFI,
secure boot and TPM-backed key
release
• Restrictive code-integrity policies
are enforced
Sign and lock the legitimate, restrictive code
integrity policy to UEFI – the machine must be
reboot in order for the malicious CI policy to
become effective.
When the machine reboots, it will compare the
blessed policy signature locked in UEFI to the
current policy signature and blue screen if the
two do NOT match.
Attack #5
Mitigation(s)
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
Attack #6
“Taylor’s running out
of options and is ready
to take greater risks.”
5 Taylor once again succeeds in obtaining credentials for the HR-
admin and gives himself a raise
4 Taylor then injects the FVEK and mounts the virtual disk
3 The tool isolates the VM’s memory and locates the BitLocker full-
volume encryption key (FVEK)
2 As before, Taylor copies the crashdump off and cracks it open on
another machine that is not subject to locked CI policies
1 Taylor decides to trigger a memory dump on the virtualization host
(e.g. hibernate, crashdump)
Mitigations in place
• Virtual disk files are stored on
encrypted volumes
• VM’s are encrypting their own
volumes
• Deploy modern hypervisors that
can provide their VMs with UEFI,
secure boot and TPM-backed key
release
• Restrictive code-integrity policies
are enforced and locked to UEFI
secure variables
Configure the host to disallow or encrypt memory
dumps—both settings are measureable.
Introduce an external health attestation
component outside of Taylor’s realm of
administrative influence that attests to the
configuration of the virtualization host including
measuring the encryption key and attesting to it.
Tightly couple health attestation to the key
release process to ensure that sensitive VMs
cannot be decrypted, powered on or moved
without the host first being deemed “healthy”.
Attack #6
Mitigation(s)
1. Virtual disk files are stored on encrypted volumes
2. VM’s are encrypting their own volumes
3. Modern hypervisors are used to provide VMs with
UEFI, secure boot and TPM-backed key release
4. Restrictive code-integrity policies are enforced and
locked to UEFI secure variables
5. An external health attestation component outside of
fabric-admin influence attests to the configuration of
the virtualization host including measuring the
encryption key and attesting to it
6. Tightly couple health attestation to the key release
process to ensure that sensitive VMs cannot be
decrypted, powered on or moved without the host
first being deemed “healthy”
Review:
The set of
mitigations now
in force
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
A Hyper-V powered virtualization fabric capable of protecting
tenant workloads from inspection, theft and tampering from
malware and system administrators both at rest as well as in-
flight. These protected workloads are called “Shielded VMs”.
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector

More Related Content

What's hot

Red team upgrades using sccm for malware deployment
Red team upgrades   using sccm for malware deploymentRed team upgrades   using sccm for malware deployment
Red team upgrades using sccm for malware deploymentenigma0x3
 
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCanSecWest
 
Csw2016 freingruber bypassing_application_whitelisting
Csw2016 freingruber bypassing_application_whitelistingCsw2016 freingruber bypassing_application_whitelisting
Csw2016 freingruber bypassing_application_whitelistingCanSecWest
 
Malware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationMalware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationTamas K Lengyel
 
Virtual Machine Introspection - Future of the Cloud
Virtual Machine Introspection - Future of the CloudVirtual Machine Introspection - Future of the Cloud
Virtual Machine Introspection - Future of the CloudTjylen Veselyj
 
CyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and ProtectCyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and ProtectTamas K Lengyel
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 ||  Detecting Compromise on Windows Endpoints with Osquery  BlueHat v17 ||  Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat Security Conference
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCanSecWest
 
Windows Operating System Archaeology
Windows Operating System ArchaeologyWindows Operating System Archaeology
Windows Operating System Archaeologyenigma0x3
 
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
 BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S... BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...BlueHat Security Conference
 
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...Benjamin Delpy
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the KingdomDennis Maldonado
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCanSecWest
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for EveryoneNikhil Mittal
 
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying AgentsDFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying AgentsChristopher Gerritz
 
Csw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCsw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCanSecWest
 
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Madhu Akula
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat Security Conference
 
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real worldMadhu Akula
 

What's hot (20)

Red team upgrades using sccm for malware deployment
Red team upgrades   using sccm for malware deploymentRed team upgrades   using sccm for malware deployment
Red team upgrades using sccm for malware deployment
 
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_executionCSW2017 Weston miller csw17_mitigating_native_remote_code_execution
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution
 
Csw2016 freingruber bypassing_application_whitelisting
Csw2016 freingruber bypassing_application_whitelistingCsw2016 freingruber bypassing_application_whitelisting
Csw2016 freingruber bypassing_application_whitelisting
 
Malware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationMalware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware Virtualization
 
Virtual Machine Introspection - Future of the Cloud
Virtual Machine Introspection - Future of the CloudVirtual Machine Introspection - Future of the Cloud
Virtual Machine Introspection - Future of the Cloud
 
CyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and ProtectCyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and Protect
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 ||  Detecting Compromise on Windows Endpoints with Osquery  BlueHat v17 ||  Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
 
CSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application securityCSW2017 chuanda ding_state of windows application security
CSW2017 chuanda ding_state of windows application security
 
Windows Operating System Archaeology
Windows Operating System ArchaeologyWindows Operating System Archaeology
Windows Operating System Archaeology
 
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
 BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S... BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
 
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the Kingdom
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
 
Teensy Programming for Everyone
Teensy Programming for EveryoneTeensy Programming for Everyone
Teensy Programming for Everyone
 
Certified Pre-Owned
Certified Pre-OwnedCertified Pre-Owned
Certified Pre-Owned
 
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying AgentsDFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
 
Csw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCsw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnology
 
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
 
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real world
 

Similar to BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector

virtualization(1).pptx
virtualization(1).pptxvirtualization(1).pptx
virtualization(1).pptxAkashRajBehera
 
663187411-UNIT-III-Virtualization-System-Specific-Attacks-1.pdf
663187411-UNIT-III-Virtualization-System-Specific-Attacks-1.pdf663187411-UNIT-III-Virtualization-System-Specific-Attacks-1.pdf
663187411-UNIT-III-Virtualization-System-Specific-Attacks-1.pdfpivanon243
 
Automating security compliance for physical, virtual, cloud, and container en...
Automating security compliance for physical, virtual, cloud, and container en...Automating security compliance for physical, virtual, cloud, and container en...
Automating security compliance for physical, virtual, cloud, and container en...Lucy Huh Kerner
 
10 Cloud Security.pptx
10 Cloud Security.pptx10 Cloud Security.pptx
10 Cloud Security.pptx2020kucp1072
 
Securing your Cloud with Xen - SUSECon 2013
Securing your Cloud with Xen - SUSECon 2013Securing your Cloud with Xen - SUSECon 2013
Securing your Cloud with Xen - SUSECon 2013The Linux Foundation
 
Virtualization Security
Virtualization SecurityVirtualization Security
Virtualization Securitysyrinxtech
 
VMware Security
VMware SecurityVMware Security
VMware Securitysar_alex
 
CSF18 - BitLocker Deep Dive - Sami Laiho
CSF18 - BitLocker Deep Dive - Sami LaihoCSF18 - BitLocker Deep Dive - Sami Laiho
CSF18 - BitLocker Deep Dive - Sami LaihoNCCOMMS
 
V mware security
V mware securityV mware security
V mware securitysar_alex
 
VMworld 2014: ESXi Hypervisor Security
VMworld 2014: ESXi Hypervisor SecurityVMworld 2014: ESXi Hypervisor Security
VMworld 2014: ESXi Hypervisor SecurityVMworld
 
1. Security and vulnerability assessment analysis tool - Microsoft.docx
1. Security and vulnerability assessment analysis tool - Microsoft.docx1. Security and vulnerability assessment analysis tool - Microsoft.docx
1. Security and vulnerability assessment analysis tool - Microsoft.docxpaynetawnya
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Qualcomm Developer Network
 
Securing Cassandra The Right Way
Securing Cassandra The Right WaySecuring Cassandra The Right Way
Securing Cassandra The Right WayDataStax Academy
 
ZertoCON_Support_Toolz.pdf
ZertoCON_Support_Toolz.pdfZertoCON_Support_Toolz.pdf
ZertoCON_Support_Toolz.pdftestslebew
 

Similar to BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector (20)

Virtualization
VirtualizationVirtualization
Virtualization
 
unit-2.pptx
unit-2.pptxunit-2.pptx
unit-2.pptx
 
virtualization.pptx
virtualization.pptxvirtualization.pptx
virtualization.pptx
 
Virtualization
VirtualizationVirtualization
Virtualization
 
virtualization(1).pptx
virtualization(1).pptxvirtualization(1).pptx
virtualization(1).pptx
 
663187411-UNIT-III-Virtualization-System-Specific-Attacks-1.pdf
663187411-UNIT-III-Virtualization-System-Specific-Attacks-1.pdf663187411-UNIT-III-Virtualization-System-Specific-Attacks-1.pdf
663187411-UNIT-III-Virtualization-System-Specific-Attacks-1.pdf
 
µ-Xen
µ-Xenµ-Xen
µ-Xen
 
µ-Xen
µ-Xenµ-Xen
µ-Xen
 
Automating security compliance for physical, virtual, cloud, and container en...
Automating security compliance for physical, virtual, cloud, and container en...Automating security compliance for physical, virtual, cloud, and container en...
Automating security compliance for physical, virtual, cloud, and container en...
 
10 Cloud Security.pptx
10 Cloud Security.pptx10 Cloud Security.pptx
10 Cloud Security.pptx
 
Securing your Cloud with Xen - SUSECon 2013
Securing your Cloud with Xen - SUSECon 2013Securing your Cloud with Xen - SUSECon 2013
Securing your Cloud with Xen - SUSECon 2013
 
Virtualization Security
Virtualization SecurityVirtualization Security
Virtualization Security
 
VMware Security
VMware SecurityVMware Security
VMware Security
 
CSF18 - BitLocker Deep Dive - Sami Laiho
CSF18 - BitLocker Deep Dive - Sami LaihoCSF18 - BitLocker Deep Dive - Sami Laiho
CSF18 - BitLocker Deep Dive - Sami Laiho
 
V mware security
V mware securityV mware security
V mware security
 
VMworld 2014: ESXi Hypervisor Security
VMworld 2014: ESXi Hypervisor SecurityVMworld 2014: ESXi Hypervisor Security
VMworld 2014: ESXi Hypervisor Security
 
1. Security and vulnerability assessment analysis tool - Microsoft.docx
1. Security and vulnerability assessment analysis tool - Microsoft.docx1. Security and vulnerability assessment analysis tool - Microsoft.docx
1. Security and vulnerability assessment analysis tool - Microsoft.docx
 
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
Developing for Industrial IoT with Linux OS on DragonBoard™ 410c: Session 4
 
Securing Cassandra The Right Way
Securing Cassandra The Right WaySecuring Cassandra The Right Way
Securing Cassandra The Right Way
 
ZertoCON_Support_Toolz.pdf
ZertoCON_Support_Toolz.pdfZertoCON_Support_Toolz.pdf
ZertoCON_Support_Toolz.pdf
 

More from BlueHat Security Conference

BlueHat Seattle 2019 || The cake is a lie! Uncovering the secret world of mal...
BlueHat Seattle 2019 || The cake is a lie! Uncovering the secret world of mal...BlueHat Seattle 2019 || The cake is a lie! Uncovering the secret world of mal...
BlueHat Seattle 2019 || The cake is a lie! Uncovering the secret world of mal...BlueHat Security Conference
 
BlueHat Seattle 2019 || Guarding Against Physical Attacks: The Xbox One Story
BlueHat Seattle 2019 || Guarding Against Physical Attacks: The Xbox One StoryBlueHat Seattle 2019 || Guarding Against Physical Attacks: The Xbox One Story
BlueHat Seattle 2019 || Guarding Against Physical Attacks: The Xbox One StoryBlueHat Security Conference
 
BlueHat Seattle 2019 || Kubernetes Practical Attack and Defense
BlueHat Seattle 2019 || Kubernetes Practical Attack and DefenseBlueHat Seattle 2019 || Kubernetes Practical Attack and Defense
BlueHat Seattle 2019 || Kubernetes Practical Attack and DefenseBlueHat Security Conference
 
BlueHat Seattle 2019 || Open Source Security, vulnerabilities never come alone
BlueHat Seattle 2019 || Open Source Security, vulnerabilities never come aloneBlueHat Seattle 2019 || Open Source Security, vulnerabilities never come alone
BlueHat Seattle 2019 || Open Source Security, vulnerabilities never come aloneBlueHat Security Conference
 
BlueHat Seattle 2019 || Modern Binary Analysis with ILs
BlueHat Seattle 2019 || Modern Binary Analysis with ILsBlueHat Seattle 2019 || Modern Binary Analysis with ILs
BlueHat Seattle 2019 || Modern Binary Analysis with ILsBlueHat Security Conference
 
BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.
BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.
BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.BlueHat Security Conference
 
BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure AD
BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure ADBlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure AD
BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure ADBlueHat Security Conference
 
BlueHat Seattle 2019 || Autopsies of Recent DFIR Investigations
BlueHat Seattle 2019 || Autopsies of Recent DFIR InvestigationsBlueHat Seattle 2019 || Autopsies of Recent DFIR Investigations
BlueHat Seattle 2019 || Autopsies of Recent DFIR InvestigationsBlueHat Security Conference
 
BlueHat Seattle 2019 || The good, the bad & the ugly of ML based approaches f...
BlueHat Seattle 2019 || The good, the bad & the ugly of ML based approaches f...BlueHat Seattle 2019 || The good, the bad & the ugly of ML based approaches f...
BlueHat Seattle 2019 || The good, the bad & the ugly of ML based approaches f...BlueHat Security Conference
 
BlueHat Seattle 2019 || Are We There Yet: Why Does Application Security Take ...
BlueHat Seattle 2019 || Are We There Yet: Why Does Application Security Take ...BlueHat Seattle 2019 || Are We There Yet: Why Does Application Security Take ...
BlueHat Seattle 2019 || Are We There Yet: Why Does Application Security Take ...BlueHat Security Conference
 
BlueHat Seattle 2019 || Building Secure Machine Learning Pipelines: Security ...
BlueHat Seattle 2019 || Building Secure Machine Learning Pipelines: Security ...BlueHat Seattle 2019 || Building Secure Machine Learning Pipelines: Security ...
BlueHat Seattle 2019 || Building Secure Machine Learning Pipelines: Security ...BlueHat Security Conference
 
BlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiledBlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiledBlueHat Security Conference
 
BlueHat v18 || WSL reloaded - Let's try to do better fuzzing
BlueHat v18 || WSL reloaded - Let's try to do better fuzzingBlueHat v18 || WSL reloaded - Let's try to do better fuzzing
BlueHat v18 || WSL reloaded - Let's try to do better fuzzingBlueHat Security Conference
 
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxyBlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxyBlueHat Security Conference
 
BlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windows
BlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windowsBlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windows
BlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windowsBlueHat Security Conference
 
BlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and wellBlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and wellBlueHat Security Conference
 
BlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without deviceBlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without deviceBlueHat Security Conference
 
BlueHat v18 || Modern day entomology - examining the inner workings of the bu...
BlueHat v18 || Modern day entomology - examining the inner workings of the bu...BlueHat v18 || Modern day entomology - examining the inner workings of the bu...
BlueHat v18 || Modern day entomology - examining the inner workings of the bu...BlueHat Security Conference
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat Security Conference
 

More from BlueHat Security Conference (20)

BlueHat Seattle 2019 || The cake is a lie! Uncovering the secret world of mal...
BlueHat Seattle 2019 || The cake is a lie! Uncovering the secret world of mal...BlueHat Seattle 2019 || The cake is a lie! Uncovering the secret world of mal...
BlueHat Seattle 2019 || The cake is a lie! Uncovering the secret world of mal...
 
BlueHat Seattle 2019 || Keynote
BlueHat Seattle 2019 || KeynoteBlueHat Seattle 2019 || Keynote
BlueHat Seattle 2019 || Keynote
 
BlueHat Seattle 2019 || Guarding Against Physical Attacks: The Xbox One Story
BlueHat Seattle 2019 || Guarding Against Physical Attacks: The Xbox One StoryBlueHat Seattle 2019 || Guarding Against Physical Attacks: The Xbox One Story
BlueHat Seattle 2019 || Guarding Against Physical Attacks: The Xbox One Story
 
BlueHat Seattle 2019 || Kubernetes Practical Attack and Defense
BlueHat Seattle 2019 || Kubernetes Practical Attack and DefenseBlueHat Seattle 2019 || Kubernetes Practical Attack and Defense
BlueHat Seattle 2019 || Kubernetes Practical Attack and Defense
 
BlueHat Seattle 2019 || Open Source Security, vulnerabilities never come alone
BlueHat Seattle 2019 || Open Source Security, vulnerabilities never come aloneBlueHat Seattle 2019 || Open Source Security, vulnerabilities never come alone
BlueHat Seattle 2019 || Open Source Security, vulnerabilities never come alone
 
BlueHat Seattle 2019 || Modern Binary Analysis with ILs
BlueHat Seattle 2019 || Modern Binary Analysis with ILsBlueHat Seattle 2019 || Modern Binary Analysis with ILs
BlueHat Seattle 2019 || Modern Binary Analysis with ILs
 
BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.
BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.
BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.
 
BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure AD
BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure ADBlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure AD
BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure AD
 
BlueHat Seattle 2019 || Autopsies of Recent DFIR Investigations
BlueHat Seattle 2019 || Autopsies of Recent DFIR InvestigationsBlueHat Seattle 2019 || Autopsies of Recent DFIR Investigations
BlueHat Seattle 2019 || Autopsies of Recent DFIR Investigations
 
BlueHat Seattle 2019 || The good, the bad & the ugly of ML based approaches f...
BlueHat Seattle 2019 || The good, the bad & the ugly of ML based approaches f...BlueHat Seattle 2019 || The good, the bad & the ugly of ML based approaches f...
BlueHat Seattle 2019 || The good, the bad & the ugly of ML based approaches f...
 
BlueHat Seattle 2019 || Are We There Yet: Why Does Application Security Take ...
BlueHat Seattle 2019 || Are We There Yet: Why Does Application Security Take ...BlueHat Seattle 2019 || Are We There Yet: Why Does Application Security Take ...
BlueHat Seattle 2019 || Are We There Yet: Why Does Application Security Take ...
 
BlueHat Seattle 2019 || Building Secure Machine Learning Pipelines: Security ...
BlueHat Seattle 2019 || Building Secure Machine Learning Pipelines: Security ...BlueHat Seattle 2019 || Building Secure Machine Learning Pipelines: Security ...
BlueHat Seattle 2019 || Building Secure Machine Learning Pipelines: Security ...
 
BlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiledBlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiled
 
BlueHat v18 || WSL reloaded - Let's try to do better fuzzing
BlueHat v18 || WSL reloaded - Let's try to do better fuzzingBlueHat v18 || WSL reloaded - Let's try to do better fuzzing
BlueHat v18 || WSL reloaded - Let's try to do better fuzzing
 
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxyBlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
 
BlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windows
BlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windowsBlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windows
BlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windows
 
BlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and wellBlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and well
 
BlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without deviceBlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without device
 
BlueHat v18 || Modern day entomology - examining the inner workings of the bu...
BlueHat v18 || Modern day entomology - examining the inner workings of the bu...BlueHat v18 || Modern day entomology - examining the inner workings of the bu...
BlueHat v18 || Modern day entomology - examining the inner workings of the bu...
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deception
 

Recently uploaded

DS Lesson 2 - Subsets, Supersets and Power Set.pdf
DS Lesson 2 - Subsets, Supersets and Power Set.pdfDS Lesson 2 - Subsets, Supersets and Power Set.pdf
DS Lesson 2 - Subsets, Supersets and Power Set.pdfROWELL MARQUINA
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?SANGHEE SHIN
 
IEEE Computer Society 2024 Technology Predictions Update
IEEE Computer Society 2024 Technology Predictions UpdateIEEE Computer Society 2024 Technology Predictions Update
IEEE Computer Society 2024 Technology Predictions UpdateHironori Washizaki
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceMartin Humpolec
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
Leveraging Mainframe Data in Near Real Time to Unleash Innovation With Cloud:...
Leveraging Mainframe Data in Near Real Time to Unleash Innovation With Cloud:...Leveraging Mainframe Data in Near Real Time to Unleash Innovation With Cloud:...
Leveraging Mainframe Data in Near Real Time to Unleash Innovation With Cloud:...Precisely
 
Dev Dives: Master advanced authentication and performance in Productivity Act...
Dev Dives: Master advanced authentication and performance in Productivity Act...Dev Dives: Master advanced authentication and performance in Productivity Act...
Dev Dives: Master advanced authentication and performance in Productivity Act...UiPathCommunity
 
Unleashing the power of AI in UiPath Studio with UiPath Autopilot.
Unleashing the power of AI in UiPath Studio with UiPath Autopilot.Unleashing the power of AI in UiPath Studio with UiPath Autopilot.
Unleashing the power of AI in UiPath Studio with UiPath Autopilot.DianaGray10
 
CHIPS Alliance_Object Automation Inc_workshop
CHIPS Alliance_Object Automation Inc_workshopCHIPS Alliance_Object Automation Inc_workshop
CHIPS Alliance_Object Automation Inc_workshopObject Automation
 
LLM Threats: Prompt Injections and Jailbreak Attacks
LLM Threats: Prompt Injections and Jailbreak AttacksLLM Threats: Prompt Injections and Jailbreak Attacks
LLM Threats: Prompt Injections and Jailbreak AttacksThien Q. Tran
 
ServiceNow Integration with MuleSoft.pptx
ServiceNow Integration with MuleSoft.pptxServiceNow Integration with MuleSoft.pptx
ServiceNow Integration with MuleSoft.pptxshyamraj55
 
Reference Domain Ontologies and Large Medical Language Models.pptx
Reference Domain Ontologies and Large Medical Language Models.pptxReference Domain Ontologies and Large Medical Language Models.pptx
Reference Domain Ontologies and Large Medical Language Models.pptxChimezie Ogbuji
 
Monitoring Java Application Security with JDK Tools and JFR Events.pdf
Monitoring Java Application Security with JDK Tools and JFR Events.pdfMonitoring Java Application Security with JDK Tools and JFR Events.pdf
Monitoring Java Application Security with JDK Tools and JFR Events.pdfAna-Maria Mihalceanu
 
Plant tissue culture pharmacongosy-1 Semester 4
Plant tissue culture pharmacongosy-1 Semester 4Plant tissue culture pharmacongosy-1 Semester 4
Plant tissue culture pharmacongosy-1 Semester 4Nandakishor Deshmukh
 
AI-based audio transcription solutions (IDP)
AI-based audio transcription solutions (IDP)AI-based audio transcription solutions (IDP)
AI-based audio transcription solutions (IDP)KapilVaidya4
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Introducing Milvus and new features in 2.4 release
Introducing Milvus and new features in 2.4 releaseIntroducing Milvus and new features in 2.4 release
Introducing Milvus and new features in 2.4 releaseZilliz
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServiceRenan Moreira de Oliveira
 
GDG Cloud Southlake 31: Santosh Chennuri and Festus Yeboah: Empowering Develo...
GDG Cloud Southlake 31: Santosh Chennuri and Festus Yeboah: Empowering Develo...GDG Cloud Southlake 31: Santosh Chennuri and Festus Yeboah: Empowering Develo...
GDG Cloud Southlake 31: Santosh Chennuri and Festus Yeboah: Empowering Develo...James Anderson
 

Recently uploaded (20)

DS Lesson 2 - Subsets, Supersets and Power Set.pdf
DS Lesson 2 - Subsets, Supersets and Power Set.pdfDS Lesson 2 - Subsets, Supersets and Power Set.pdf
DS Lesson 2 - Subsets, Supersets and Power Set.pdf
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?
 
IEEE Computer Society 2024 Technology Predictions Update
IEEE Computer Society 2024 Technology Predictions UpdateIEEE Computer Society 2024 Technology Predictions Update
IEEE Computer Society 2024 Technology Predictions Update
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your Salesforce
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
Leveraging Mainframe Data in Near Real Time to Unleash Innovation With Cloud:...
Leveraging Mainframe Data in Near Real Time to Unleash Innovation With Cloud:...Leveraging Mainframe Data in Near Real Time to Unleash Innovation With Cloud:...
Leveraging Mainframe Data in Near Real Time to Unleash Innovation With Cloud:...
 
Dev Dives: Master advanced authentication and performance in Productivity Act...
Dev Dives: Master advanced authentication and performance in Productivity Act...Dev Dives: Master advanced authentication and performance in Productivity Act...
Dev Dives: Master advanced authentication and performance in Productivity Act...
 
Unleashing the power of AI in UiPath Studio with UiPath Autopilot.
Unleashing the power of AI in UiPath Studio with UiPath Autopilot.Unleashing the power of AI in UiPath Studio with UiPath Autopilot.
Unleashing the power of AI in UiPath Studio with UiPath Autopilot.
 
CHIPS Alliance_Object Automation Inc_workshop
CHIPS Alliance_Object Automation Inc_workshopCHIPS Alliance_Object Automation Inc_workshop
CHIPS Alliance_Object Automation Inc_workshop
 
LLM Threats: Prompt Injections and Jailbreak Attacks
LLM Threats: Prompt Injections and Jailbreak AttacksLLM Threats: Prompt Injections and Jailbreak Attacks
LLM Threats: Prompt Injections and Jailbreak Attacks
 
ServiceNow Integration with MuleSoft.pptx
ServiceNow Integration with MuleSoft.pptxServiceNow Integration with MuleSoft.pptx
ServiceNow Integration with MuleSoft.pptx
 
Reference Domain Ontologies and Large Medical Language Models.pptx
Reference Domain Ontologies and Large Medical Language Models.pptxReference Domain Ontologies and Large Medical Language Models.pptx
Reference Domain Ontologies and Large Medical Language Models.pptx
 
Monitoring Java Application Security with JDK Tools and JFR Events.pdf
Monitoring Java Application Security with JDK Tools and JFR Events.pdfMonitoring Java Application Security with JDK Tools and JFR Events.pdf
Monitoring Java Application Security with JDK Tools and JFR Events.pdf
 
Plant tissue culture pharmacongosy-1 Semester 4
Plant tissue culture pharmacongosy-1 Semester 4Plant tissue culture pharmacongosy-1 Semester 4
Plant tissue culture pharmacongosy-1 Semester 4
 
AI-based audio transcription solutions (IDP)
AI-based audio transcription solutions (IDP)AI-based audio transcription solutions (IDP)
AI-based audio transcription solutions (IDP)
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Introducing Milvus and new features in 2.4 release
Introducing Milvus and new features in 2.4 releaseIntroducing Milvus and new features in 2.4 release
Introducing Milvus and new features in 2.4 release
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
 
GDG Cloud Southlake 31: Santosh Chennuri and Festus Yeboah: Empowering Develo...
GDG Cloud Southlake 31: Santosh Chennuri and Festus Yeboah: Empowering Develo...GDG Cloud Southlake 31: Santosh Chennuri and Festus Yeboah: Empowering Develo...
GDG Cloud Southlake 31: Santosh Chennuri and Festus Yeboah: Empowering Develo...
 

BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector

  • 2. Checklist of requirements to build a protected virtualization fabric Let the fabric attacks begin… Gain an understanding of what it takes to protect a virtualization fabric from itself and its own admins Gain an understanding of what the fabric attack vectors look like
  • 3. 1. Compromised privileged accounts 2. Unpatched vulnerabilities 3. Phishing attacks 4. Malware infections 5. Compromised fabric exposes guest VMs 6. Easy to modify or copy VM without notice 7. Can’t protect VMs with gates, walls, locks, etc. 8. VMs can’t leverage H/W security (e.g. TPMs) Attack the applications and infrastructure Attack the virtualization fabric itself
  • 5. Here’s our fabric • Highlight here in this picture where the potential artifacts exist, e.g. where is the vHDX (on a SAN), where is its backup, et. Hypervisors Storage File Ethernet switches Backup appliance
  • 6. So who’s trusted, who’s not and who’s a threat • Fabric admin trusted to administer fabric • This does not imply they’re trusted to administer the VMs • <list out attack possible vectors for each cited admin?
  • 7. Our cast of nefarious evil-doers “Ned” – the storage admin A nasty piece of work to be sure Possesses unfettered access to almost all storage devices Massively opinionated; and angry— very angry… at everything and everyone
  • 8. Our cast of nefarious evil-doers “Taylor” - the fabric admin Don’t let those boyish good looks fool you – he’s a right piece of $#@%* Endowed with permission to fully administer any virtualization host Easily swayed by an offer of chocolate-covered thin mints
  • 9. Attack #1 “Ned wants a raise.” 6 Ned brute-forces credentials for an HR-admin user, logs on to the HR system and gives himself a raise 5 He then initiates a complex attack known as the “Double click attack”, mounts the VHDX and steals the Active Directory database (DIT) file 4 Ned triggers volume snapshot to ensure he gets a consistent copy of the database 3 Attacking a domain controller allows Ned to obtain the credentials of a privileged HR admin to adjust his salary in the accounting system 2 Locates domain controller VM’s disk 1 Browses SAN filesystem looking for VM disks Mitigations in place • None (beyond native Windows authentication and authorization)
  • 10. Encrypt the SAN volume using the virtualization host’s native filesystem encryption technology. Since the virtualization host is now encrypting the filesystem on which the VMs reside, the VM disks are written to the SAN pre-encrypted and inaccessible (or useless) to Ned. Attack #1 Mitigation(s)
  • 12. Attack #2 “Ned decides to collude with Taylor and brings a box of Thin Mints as a peace offering.” 6 They succeed in obtaining credentials for the HR-admin user and give themselves well-deserved raises 5 Ned and Taylor conduct a brute-force attack against the offline Active Directory database 4 Once again, Ned initiates the complex “Double click attack”, mounts the VHDX and steals the Active Directory database (DIT) file 3 Taylor copies off the VHDX containing the Active Directory domain controller database to a USB stick and takes it home 2 Ned persuades Taylor that he, too, justifiably deserves a raise 1 Because, Taylor can logon to the virtualization host, he exists within its filesystem encryption bubble, i.e. the SAN volume is transparently decrypted from Taylor’s perspective Mitigations in place • Virtual disk files stored on encrypted volumes
  • 13. Fire both Ned and Taylor—this should be considered ‘generally sound advice’. Move the filesystem encryption inside the guest operating system of the VM using a boot passphrase in order to help protect the VM’s logical disk from fabric attacks. Attack #2 Mitigation(s)
  • 15. Attack #3 “Ned gives up but Taylor likes his new car and continues the attack.” 6 Taylor succeeds in obtaining credentials for the HR-admin and gives himself a raise 5 TayLoader writes the passphrase to its own virtual disk and resumes the natural boot process of the real OS automating entry of the boot passphrase 4 As is usual, Taylor contacts the VM-owner who then connects to the VM console and, unbeknownst to him, enters the passphrase into TayLoader 3 During a regular maintenance window, the VM is rebooted into TayLoader which bears a striking resemblance to the boot process of the real disk 2 Taylor then takes a copy of the VM’s real virtual disk file 1 Taylor abuses his fabric admin permission and adds a new virtual disk to the domain controller VM that contains a malicious boot loader: TayLoader Mitigations in place • Virtual disk files are stored on encrypted volumes • VM’s are encrypting their own volumes using unique keys that are released using a boot passphrase
  • 16. Fire both Ned and Taylor—advice this good rarely needs changing regardless of Ned’s apparent lack of involvement. Enough of this break:fix legacy drivel—time to move to a modern hypervisor that offers modern security capabilities to guest VMs such as UEFI firmware with Secure Boot and support for secure key-release mechanisms, e.g. synthetic TPMs whose secrets are sealed to boot measurements Attack #3 Mitigation(s)
  • 18. Attack #4 “Ned has been fired but Taylor is still unscathed; down but not beaten.” 5 Taylor succeeds in obtaining credentials for the HR-admin and gives himself a raise 4 Taylor injects the FVEK and mounts the virtual disk 3 Once again, Taylor copies the VM’s virtual disk and take it home 2 Taylor cracks open the resulting dump file and uses a tool to locate the OS’ BitLocker full-volume encryption key (FVEK) 1 Taylor triggers a dump of the virtual machine’s worker process using a SysInternals’ tool called LiveKD Mitigations in place • Virtual disk files are stored on encrypted volumes • VM’s are encrypting their own volumes • Modern hypervisor that can provide its VMs with secure boot and TPM-backed key release
  • 19. Fire Taylor—it’s still solid advice. Implement code integrity policies to block the use of malicious tooling such as user-mode debuggers. Reduce the attack surface by removing unnecessary/legacy VM devices. Ensure the hypervisor employs reasonable process-protection mechanisms such as Windows Server’s protected process light (PPL). Attack #4 Mitigation(s)
  • 21. Attack #5 “CI policy? Not for Taylor!” 5 Taylor succeeds in obtaining credentials for the HR-admin and gives himself a raise 4 Once complete, Taylor mounts the virtual disk 3 With his tools now permitted by the CI policy, he repeats attack #4 2 Taylor copies the new CI policy to the host and reboots to apply it 1 Taylor (ab)uses his admin privileges to create a new CI policy that allows his debugger and other malicious tools to run Mitigations in place • Virtual disk files are stored on encrypted volumes • VM’s are encrypting their own volumes • Deploy modern hypervisors that can provide their VMs with UEFI, secure boot and TPM-backed key release • Restrictive code-integrity policies are enforced
  • 22. Sign and lock the legitimate, restrictive code integrity policy to UEFI – the machine must be reboot in order for the malicious CI policy to become effective. When the machine reboots, it will compare the blessed policy signature locked in UEFI to the current policy signature and blue screen if the two do NOT match. Attack #5 Mitigation(s)
  • 24. Attack #6 “Taylor’s running out of options and is ready to take greater risks.” 5 Taylor once again succeeds in obtaining credentials for the HR- admin and gives himself a raise 4 Taylor then injects the FVEK and mounts the virtual disk 3 The tool isolates the VM’s memory and locates the BitLocker full- volume encryption key (FVEK) 2 As before, Taylor copies the crashdump off and cracks it open on another machine that is not subject to locked CI policies 1 Taylor decides to trigger a memory dump on the virtualization host (e.g. hibernate, crashdump) Mitigations in place • Virtual disk files are stored on encrypted volumes • VM’s are encrypting their own volumes • Deploy modern hypervisors that can provide their VMs with UEFI, secure boot and TPM-backed key release • Restrictive code-integrity policies are enforced and locked to UEFI secure variables
  • 25. Configure the host to disallow or encrypt memory dumps—both settings are measureable. Introduce an external health attestation component outside of Taylor’s realm of administrative influence that attests to the configuration of the virtualization host including measuring the encryption key and attesting to it. Tightly couple health attestation to the key release process to ensure that sensitive VMs cannot be decrypted, powered on or moved without the host first being deemed “healthy”. Attack #6 Mitigation(s)
  • 26. 1. Virtual disk files are stored on encrypted volumes 2. VM’s are encrypting their own volumes 3. Modern hypervisors are used to provide VMs with UEFI, secure boot and TPM-backed key release 4. Restrictive code-integrity policies are enforced and locked to UEFI secure variables 5. An external health attestation component outside of fabric-admin influence attests to the configuration of the virtualization host including measuring the encryption key and attesting to it 6. Tightly couple health attestation to the key release process to ensure that sensitive VMs cannot be decrypted, powered on or moved without the host first being deemed “healthy” Review: The set of mitigations now in force
  • 28. A Hyper-V powered virtualization fabric capable of protecting tenant workloads from inspection, theft and tampering from malware and system administrators both at rest as well as in- flight. These protected workloads are called “Shielded VMs”.

Editor's Notes

  1. 12/9/2017