PacSec 2015 speaker

1. 1
Speaker: Qinghao Tang
Title：360 Marvel Team Leader
Vulnerabilities mining
technology of Cloud and
Virtualization platform

2. 2
360 Marvel Team
As the first virtualization security team in China, 360 marvel team focus on attack and
defence technology on virtualization and cloud platforms, aiming to lead the reaearch on
vulnerability mining and defecing on these platform, providing tools and solutions for mian
stream hypervisors:
● Virtualization fuzz framework.
● Guest OS escape tools.
-Support Docker, Xen,KVM,VMware
● Hypervisor strengthen solutions
-block Guest OS escape
-Scan Guest OS agentless

3. 3
Agenda
• Brief intruduction of hypervisor security
• Fuzzing framework
• Analysis of network device vulnerability

4. 4
Brief intruduction of hypervisor
security

5. 5
Hypervisor
Major
Xen
Kvm
Vmware
Functions
Quantitative distribution
Flexible scheduling

6. 6
Cloud Computing

7. 7
Distinction
OS
Physical Devices
Guest OS
Device
emulator
Hypervisor
Physical Devices
Guest OS
Device
emulator
Normal Server Virtualization Server

8. 8
Escape form Guest OS

9. 9
• Typical virtualization security vulnerability
• Can cause the virtual machine escape
• Exist in floppy device emulator Code
• More Venoms? Yes!
Venom

10. 10
Fuzzing Framework

11. 11
• More underlying target
• More Particular of Test Data
Features of Virtualization Vulnerability
Mining
IE
flash
server
System
Kernel
Hypervisor

12. 12
• Unconventional method
HOOK Driver function
Change Kernel files.
• Relate to the context
Test Pocess of Emulation Device

13. 13
Features
• Commonness of hypervisors
• Features of solution
Coding Langurage
Operating System Type
Coding Style

14. 14
os
Control Center
Architecture
HypervisorHypervisor
os os os osos

15. 15
Fuzzing-Collect device information

16. 16
• Device IO Methods
• Controller Data Structure
• Device State Machine
Test - Integrated Test Data

17. 17
Fuzzing-Attack emulation device
kernel_agent
fuzz_client
• User Space
• Kernel Space

18. 18
Feedback
• No effect
• Blue Screen
• Implicit Result
• Crash

19. 19
Feedback-VM manage automation
• Snapshot
• Reboot
• Virtual Device Edit
• Debugging Mode on Start
• Load Debugging Plugin

20. 20
Feedback- Monitoring technology
• Dynamic
• Static

21. コント
ロール
センター
テスト
フィー
ド
バック
解析
21
Control Center-Process
Step 2
Step 1 Step 3

22. 22
Control Center-Statistics&Optimization
• Total test count
• Fuzz coverage
• Optimize test data

23. 23
Achievement
• 120 days
• 2 platforms
• 10 vulnerabilities

24. 24
Analysis of network
device vulnerability

25. 25
Principle of QEMU
User
Space • Send
Kernel
Space
• Syscall
• tcp_*
• ip_*
• dev_*
• e1000_*
Device
Emulator
• Network devices
• hub
• slirp
APP
APP
APP
Network Devices
Kernel

26. 26
• Initialization
Port Allocation，Address Mapping
Device Status Setting, Resource Allocation
• Data Transfer
'Write Command' to device TDT register
process of descriptor
3 types descripror：context，data，legacy
data xfer
set status，wait for next instruction
• Processing Details
Circular Memory
TSO：tcp segmentation/flow control.
Principle of Network Device

27. 27
• Qemu e1000 Network Device
• Vmware e1000 Network Device
E1000 vulnerability analysis

28. 28
Summary
Pay continuous attention to virtualization
security and follow Marvel Team

29. 29
Q & A
Email：tangqinghao@360.cn
QQ：702108451