SlideShare a Scribd company logo

Back to the Future: A Radical Insecure Design of KVM on ARM

Priyanka Aash
Priyanka Aash

In ARM there are certain instructions that generates exception. Such instructions are typically executed to request a service from software that runs at a higher privilege level. From the OS kernel (EL1), software can call the Hypervisor (EL2) with the HVC instruction. The KVM Hypervisor is part of the Linux kernel and by default it is enabled on all supported ARM system. In ARM architecture KVM is implemented through split-mode virtualization and runs across different privileged CPU modes. This talk will discuss about the design and a security issue in a way Linux kernel initializes the KVM Hypervisor. An attacker having access to host EL1 can execute code in EL2. This security issue can be exploited by an attacker to install a Hypervisor root kit on ARM system.

Technology
1 of 18
Download to read offline
Back To The Future: A Radical Insecure Design of KVM on ARM Baibhav Singh Rahul Kashyap B. Sing - SRA 1
• Samsung Research America • Actively working on ARM system security *The opinion present are my own and not necessarily represent the opinion of my employer Introduction B. Sing - SRA 2
• Found this issue while doing some hypervisors research • On 25 Jan 2018, reported to Red Hat Product Security team Secalert@redhat.com provided detail report with exploit code • Multiple mail exchange to help them understand the problem • Still is not fixed • Decided to submit a BH paper (Thanks to Rahul, Michael Grace) • Thanks to BH for providing the platform Background B. Singh - SRA 3
ARM v8-A Architecture HVC HVC HVC Handler B. Singh - SRA 4
Exception Vector TableB. Sing - SRA 5 VBAR_EL2HVC 0x400 +
ARM Hypervisor executes in EL2 TYPE 1 • Bare Metal Hypervisor • Host is considered as VM • XEN is type 1 and runs in EL2 TYPE 2 • Hypervisor is extension of Host Kernel • Host is not considered as VM • KVM is type 2 and runs partial in EL2 ARM - Hypervisor B. Singh - SRA 6
Linux Start EL==2 1. Updates VBAR_EL2 to Install STUB Vector Table as EL2 Exception Vector Table 2. Switches back to EL1 Normal Boot Flow YES No Linux and KVM B. Singh - SRA 7
Handler in case HVC originating from 64 bit Kernel VBAR_EL2 Stub Vector Table Filename : linuxarcharm64kernelhyp- stub.s B. Sing - SRA 8
Checks if register X0 == 0 Updates VBAR_EL2 Stub HVC Handler Filename : linuxarcharm64kernelhyp-stub.s B. Singh - SRA 9
B. Singh - SRA 10 Linux Start STUB VECTOR TABLE CMD == HVC_SET_VECTO R KVM VECTOR TABLE VBAR_EL2 State Diagram 1
Filename : linuxarcharm64kernelhyp-entry.s Checks if HVC is from Host Checks if register x0 < 3 Calls _kvm_handle_stub_hvc KVM HVC Handler B. Singh - SRA 11
Checks register X0 == 2 Disables EL2 MMU Back to Stub Vector Filename : linuxarcharm64kvmhyphyp-entry.s KVM HVC Handler B. Singh - SRA 12
B. Singh - SRA 13 Linux Start STUB VECTOR TABLE CMD == HVC_SET_VECTO R KVM VECTOR TABLE HVC == HOST && CMD == HVC_RESET_VEC TOR VBAR_EL2 Attackers Vector Table State Diagram 2
X0 =2 ; //HVC_RESET_VECTORS KVM Vector TableStub Vector Table 1. Allocate physical continuous memory 2. Embed shellcode at an offset 0x400 (Exception handler) 3. Set X0 = 0 //HVC_SET_VECTOR 4. Set X1 = physical address of buffer Attacker Allocated Buffer Disables MMU Installs Installs HVC HVC HVC EL2 Shellcode Host EL1 EL2 Exploitation B. Singh - SRA 14
KVM Team Response “You're on the host, and you can break KVMby inserting a rogue kernel module. Big deal. You can also blast the page tables, corrupt file systems, and make sure the box is on fire” KVM Threat Model Assumption : HOST.EL1 == EL2 Security hole in privilege isolation boundary Host kernel compromise is End of the Game ! Real World : EL1 != EL2 For Attacker Beginning of a New Game.… J Attacker can exploit this issue to gain more privilege and will migrate to EL2 • Launch attack from isolated and unreachable memory. • Can configure EL2 to get code execution from various different places • A generic way to bypass security implemented in the kernel (LKRG),by escaping to EL2 • Attack the secure monitoring running in hypervisor mode • Gives attacker opportunity for Blue Pill for KVM on ARM Juicy target for attacker to perform highly sophisticated and stealthy attack B. Singh - SRA 15
Potentially bigger impact for mobile and IoT •Most of them are ARM based •Chances are high that it will boot in EL2 •Single Kernel Device (More Attack Surface) Affected Architecture: ARM v7-A and ARM v8-A with hardware virtualization Impact B. Singh - SRA 16
Mitigation My two cents… You’re likely vulnerable to this attack. Patch the system by making sure Linux starts in EL1 B. Singh - SRA 17
• https://static.docs.arm.com/ddi0487/ca/DDI0487C_a_armv8_arm.pd f • https://developer.arm.com/products/architecture/a- profile/docs/100942/latest/hypervisor-software • https://dl.acm.org/citation.cfm?id=2541946 • http://www.cs.columbia.edu/~cdall/pubs/atc17-dall.pdf • http://www.cs.columbia.edu/~cdall/pubs/sosp2017-neve.pdf • https://lwn.net/Articles/557132/ • http://lia.disi.unibo.it/Courses/som1516/materiale/VOSYS_BolognaK VMARM_2_12_2015.pdf Reference B. Singh - SRA 18

Recommended

HKG15-400: Next steps in KVM enablement on ARM
HKG15-400: Next steps in KVM enablement on ARMHKG15-400: Next steps in KVM enablement on ARM
HKG15-400: Next steps in KVM enablement on ARM
Linaro
 
SFO15-407: Performance Overhead of ARM Virtualization
SFO15-407: Performance Overhead of ARM VirtualizationSFO15-407: Performance Overhead of ARM Virtualization
SFO15-407: Performance Overhead of ARM Virtualization
Linaro
 
BKK16-504 Running Linux in EL2 Virtualization
BKK16-504 Running Linux in EL2 VirtualizationBKK16-504 Running Linux in EL2 Virtualization
BKK16-504 Running Linux in EL2 Virtualization
Linaro
 
XPDDS18: Design Session - SGX deep dive and SGX Virtualization Discussion, Ka...
XPDDS18: Design Session - SGX deep dive and SGX Virtualization Discussion, Ka...XPDDS18: Design Session - SGX deep dive and SGX Virtualization Discussion, Ka...
XPDDS18: Design Session - SGX deep dive and SGX Virtualization Discussion, Ka...
The Linux Foundation
 
MOVED: Optimizing the Design and Implementation of KVM/ARM - SFO17-403
MOVED: Optimizing the Design and Implementation of KVM/ARM - SFO17-403MOVED: Optimizing the Design and Implementation of KVM/ARM - SFO17-403
MOVED: Optimizing the Design and Implementation of KVM/ARM - SFO17-403
Linaro
 
XPDDS18: The Evolution of Virtualization in the Arm Architecture - Julien Gra...
XPDDS18: The Evolution of Virtualization in the Arm Architecture - Julien Gra...XPDDS18: The Evolution of Virtualization in the Arm Architecture - Julien Gra...
XPDDS18: The Evolution of Virtualization in the Arm Architecture - Julien Gra...
The Linux Foundation
 
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, Citrix
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, CitrixLCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, Citrix
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, Citrix
The Linux Foundation
 
LCC17 - Live Patching, Virtual Machine Introspection and Vulnerability Manag...
LCC17 - Live Patching, Virtual Machine Introspection and Vulnerability Manag...LCC17 - Live Patching, Virtual Machine Introspection and Vulnerability Manag...
LCC17 - Live Patching, Virtual Machine Introspection and Vulnerability Manag...
The Linux Foundation
 

Recommended

HKG15-400: Next steps in KVM enablement on ARM
HKG15-400: Next steps in KVM enablement on ARMHKG15-400: Next steps in KVM enablement on ARM
HKG15-400: Next steps in KVM enablement on ARM
Linaro
 
SFO15-407: Performance Overhead of ARM Virtualization
SFO15-407: Performance Overhead of ARM VirtualizationSFO15-407: Performance Overhead of ARM Virtualization
SFO15-407: Performance Overhead of ARM Virtualization
Linaro
 
BKK16-504 Running Linux in EL2 Virtualization
BKK16-504 Running Linux in EL2 VirtualizationBKK16-504 Running Linux in EL2 Virtualization
BKK16-504 Running Linux in EL2 Virtualization
Linaro
 
XPDDS18: Design Session - SGX deep dive and SGX Virtualization Discussion, Ka...
XPDDS18: Design Session - SGX deep dive and SGX Virtualization Discussion, Ka...XPDDS18: Design Session - SGX deep dive and SGX Virtualization Discussion, Ka...
XPDDS18: Design Session - SGX deep dive and SGX Virtualization Discussion, Ka...
The Linux Foundation
 
MOVED: Optimizing the Design and Implementation of KVM/ARM - SFO17-403
MOVED: Optimizing the Design and Implementation of KVM/ARM - SFO17-403MOVED: Optimizing the Design and Implementation of KVM/ARM - SFO17-403
MOVED: Optimizing the Design and Implementation of KVM/ARM - SFO17-403
Linaro
 
XPDDS18: The Evolution of Virtualization in the Arm Architecture - Julien Gra...
XPDDS18: The Evolution of Virtualization in the Arm Architecture - Julien Gra...XPDDS18: The Evolution of Virtualization in the Arm Architecture - Julien Gra...
XPDDS18: The Evolution of Virtualization in the Arm Architecture - Julien Gra...
The Linux Foundation
 
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, Citrix
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, CitrixLCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, Citrix
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, Citrix
The Linux Foundation
 
LCC17 - Live Patching, Virtual Machine Introspection and Vulnerability Manag...
LCC17 - Live Patching, Virtual Machine Introspection and Vulnerability Manag...LCC17 - Live Patching, Virtual Machine Introspection and Vulnerability Manag...
LCC17 - Live Patching, Virtual Machine Introspection and Vulnerability Manag...
The Linux Foundation
 
A Comprehensive Implementation and Evaluation of Direct Interrupt Delivery
A Comprehensive Implementation and Evaluation of Direct Interrupt DeliveryA Comprehensive Implementation and Evaluation of Direct Interrupt Delivery
A Comprehensive Implementation and Evaluation of Direct Interrupt Delivery
Cheng-Chun William Tu
 
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, IntelXPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
The Linux Foundation
 
When virtualization encounters afl blackhat eu2016--1.4
When virtualization encounters afl blackhat eu2016--1.4When virtualization encounters afl blackhat eu2016--1.4
When virtualization encounters afl blackhat eu2016--1.4
月锋 李
 
XenSummit NA 2012: Xen on ARM Cortex A15
XenSummit NA 2012: Xen on ARM Cortex A15XenSummit NA 2012: Xen on ARM Cortex A15
XenSummit NA 2012: Xen on ARM Cortex A15
The Linux Foundation
 
Hardware accelerated Virtualization in the ARM Cortex™ Processors
Hardware accelerated Virtualization in the ARM Cortex™ ProcessorsHardware accelerated Virtualization in the ARM Cortex™ Processors
Hardware accelerated Virtualization in the ARM Cortex™ Processors
The Linux Foundation
 
淺談 Live patching technology
淺談 Live patching technology淺談 Live patching technology
淺談 Live patching technology
SZ Lin
 
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
The Linux Foundation
 
XPDDS18: Xen Testing at Intel - Xudong Hao, Intel
XPDDS18: Xen Testing at Intel - Xudong Hao, IntelXPDDS18: Xen Testing at Intel - Xudong Hao, Intel
XPDDS18: Xen Testing at Intel - Xudong Hao, Intel
The Linux Foundation
 
Oracle Enterprise manager SNMP and Exadata
Oracle Enterprise manager SNMP and ExadataOracle Enterprise manager SNMP and Exadata
Oracle Enterprise manager SNMP and Exadata
Mike Chafin
 
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
The Linux Foundation
 
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CanSecWest
 
Xen Project 15 Years down the Line
Xen Project 15 Years down the LineXen Project 15 Years down the Line
Xen Project 15 Years down the Line
The Linux Foundation
 
Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018
The Linux Foundation
 
LCU13: An Introduction to ARM Trusted Firmware
LCU13: An Introduction to ARM Trusted FirmwareLCU13: An Introduction to ARM Trusted Firmware
LCU13: An Introduction to ARM Trusted Firmware
Linaro
 
LFNW2014 Advanced Security Features of Xen Project Hypervisor
LFNW2014 Advanced Security Features of Xen Project HypervisorLFNW2014 Advanced Security Features of Xen Project Hypervisor
LFNW2014 Advanced Security Features of Xen Project Hypervisor
The Linux Foundation
 
ARM Architecture-based System Virtualization: Xen ARM open source software pr...
ARM Architecture-based System Virtualization: Xen ARM open source software pr...ARM Architecture-based System Virtualization: Xen ARM open source software pr...
ARM Architecture-based System Virtualization: Xen ARM open source software pr...
The Linux Foundation
 
ALSS14: Xen Project Automotive Hypervisor (Demo)
ALSS14: Xen Project Automotive Hypervisor (Demo)ALSS14: Xen Project Automotive Hypervisor (Demo)
ALSS14: Xen Project Automotive Hypervisor (Demo)
The Linux Foundation
 
”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016
Kuniyasu Suzaki
 
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
The Linux Foundation
 
Q2.12: Power Management Across OSs
Q2.12: Power Management Across OSsQ2.12: Power Management Across OSs
Q2.12: Power Management Across OSs
Linaro
 
Secure Containers with EPT Isolation
Secure Containers with EPT IsolationSecure Containers with EPT Isolation
Secure Containers with EPT Isolation
LinuxCon ContainerCon CloudOpen China
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Stefano Stabellini
 

More Related Content

What's hot

XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, IntelXPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
The Linux Foundation
 
XenSummit NA 2012: Xen on ARM Cortex A15
XenSummit NA 2012: Xen on ARM Cortex A15XenSummit NA 2012: Xen on ARM Cortex A15
XenSummit NA 2012: Xen on ARM Cortex A15
The Linux Foundation
 
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
The Linux Foundation
 
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
The Linux Foundation
 
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CanSecWest
 
Xen Project 15 Years down the Line
Xen Project 15 Years down the LineXen Project 15 Years down the Line
Xen Project 15 Years down the Line
The Linux Foundation
 
Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018
The Linux Foundation
 
ARM Architecture-based System Virtualization: Xen ARM open source software pr...
ARM Architecture-based System Virtualization: Xen ARM open source software pr...ARM Architecture-based System Virtualization: Xen ARM open source software pr...
ARM Architecture-based System Virtualization: Xen ARM open source software pr...
The Linux Foundation
 
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
The Linux Foundation
 

What's hot (20)

A Comprehensive Implementation and Evaluation of Direct Interrupt Delivery
A Comprehensive Implementation and Evaluation of Direct Interrupt DeliveryA Comprehensive Implementation and Evaluation of Direct Interrupt Delivery
A Comprehensive Implementation and Evaluation of Direct Interrupt Delivery
 
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, IntelXPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
XPDDS17: Introduction to Intel SGX and SGX Virtualization - Kai Huang, Intel
 
When virtualization encounters afl blackhat eu2016--1.4
When virtualization encounters afl blackhat eu2016--1.4When virtualization encounters afl blackhat eu2016--1.4
When virtualization encounters afl blackhat eu2016--1.4
 
XenSummit NA 2012: Xen on ARM Cortex A15
XenSummit NA 2012: Xen on ARM Cortex A15XenSummit NA 2012: Xen on ARM Cortex A15
XenSummit NA 2012: Xen on ARM Cortex A15
 
Hardware accelerated Virtualization in the ARM Cortex™ Processors
Hardware accelerated Virtualization in the ARM Cortex™ ProcessorsHardware accelerated Virtualization in the ARM Cortex™ Processors
Hardware accelerated Virtualization in the ARM Cortex™ Processors
 
淺談 Live patching technology
淺談 Live patching technology淺談 Live patching technology
淺談 Live patching technology
 
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
Rootlinux17: Hypervisors on ARM - Overview and Design Choices by Julien Grall...
 
XPDDS18: Xen Testing at Intel - Xudong Hao, Intel
XPDDS18: Xen Testing at Intel - Xudong Hao, IntelXPDDS18: Xen Testing at Intel - Xudong Hao, Intel
XPDDS18: Xen Testing at Intel - Xudong Hao, Intel
 
Oracle Enterprise manager SNMP and Exadata
Oracle Enterprise manager SNMP and ExadataOracle Enterprise manager SNMP and Exadata
Oracle Enterprise manager SNMP and Exadata
 
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
 
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
 
Xen Project 15 Years down the Line
Xen Project 15 Years down the LineXen Project 15 Years down the Line
Xen Project 15 Years down the Line
 
Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018
 
LCU13: An Introduction to ARM Trusted Firmware
LCU13: An Introduction to ARM Trusted FirmwareLCU13: An Introduction to ARM Trusted Firmware
LCU13: An Introduction to ARM Trusted Firmware
 
LFNW2014 Advanced Security Features of Xen Project Hypervisor
LFNW2014 Advanced Security Features of Xen Project HypervisorLFNW2014 Advanced Security Features of Xen Project Hypervisor
LFNW2014 Advanced Security Features of Xen Project Hypervisor
 
ARM Architecture-based System Virtualization: Xen ARM open source software pr...
ARM Architecture-based System Virtualization: Xen ARM open source software pr...ARM Architecture-based System Virtualization: Xen ARM open source software pr...
ARM Architecture-based System Virtualization: Xen ARM open source software pr...
 
ALSS14: Xen Project Automotive Hypervisor (Demo)
ALSS14: Xen Project Automotive Hypervisor (Demo)ALSS14: Xen Project Automotive Hypervisor (Demo)
ALSS14: Xen Project Automotive Hypervisor (Demo)
 
”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016”Bare-Metal Container" presented at HPCC2016
”Bare-Metal Container" presented at HPCC2016
 
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
 
Q2.12: Power Management Across OSs
Q2.12: Power Management Across OSsQ2.12: Power Management Across OSs
Q2.12: Power Management Across OSs
 

Similar to Back to the Future: A Radical Insecure Design of KVM on ARM

Secure Containers with EPT Isolation
Secure Containers with EPT IsolationSecure Containers with EPT Isolation
Secure Containers with EPT Isolation
LinuxCon ContainerCon CloudOpen China
 
KVM/ARM Nested Virtualization Support and Performance - SFO17-410
KVM/ARM Nested Virtualization Support and Performance - SFO17-410KVM/ARM Nested Virtualization Support and Performance - SFO17-410
KVM/ARM Nested Virtualization Support and Performance - SFO17-410
Linaro
 
Using SoC Vendor HALs in the Zephyr Project - SFO17-112
Using SoC Vendor HALs in the Zephyr Project - SFO17-112Using SoC Vendor HALs in the Zephyr Project - SFO17-112
Using SoC Vendor HALs in the Zephyr Project - SFO17-112
Linaro
 
LAS16-500: The Rise and Fall of Assembler and the VGIC from Hell
LAS16-500: The Rise and Fall of Assembler and the VGIC from HellLAS16-500: The Rise and Fall of Assembler and the VGIC from Hell
LAS16-500: The Rise and Fall of Assembler and the VGIC from Hell
Linaro
 
Optimizing the Design and Implementation of KVM/ARM - SFO17-403
Optimizing the Design and Implementation of KVM/ARM - SFO17-403Optimizing the Design and Implementation of KVM/ARM - SFO17-403
Optimizing the Design and Implementation of KVM/ARM - SFO17-403
Linaro
 

Similar to Back to the Future: A Radical Insecure Design of KVM on ARM (20)

Secure Containers with EPT Isolation
Secure Containers with EPT IsolationSecure Containers with EPT Isolation
Secure Containers with EPT Isolation
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
 
Static partitioning virtualization on RISC-V
Static partitioning virtualization on RISC-VStatic partitioning virtualization on RISC-V
Static partitioning virtualization on RISC-V
 
Gernot heiser unsw sydney and se l4 foundation
Gernot heiser unsw sydney and se l4 foundationGernot heiser unsw sydney and se l4 foundation
Gernot heiser unsw sydney and se l4 foundation
 
KVM/ARM Nested Virtualization Support and Performance - SFO17-410
KVM/ARM Nested Virtualization Support and Performance - SFO17-410KVM/ARM Nested Virtualization Support and Performance - SFO17-410
KVM/ARM Nested Virtualization Support and Performance - SFO17-410
 
HAVOC-Workshop-Slides.pptx
HAVOC-Workshop-Slides.pptxHAVOC-Workshop-Slides.pptx
HAVOC-Workshop-Slides.pptx
 
5 kvm arm
5 kvm arm5 kvm arm
5 kvm arm
 
State of virtualisation -- 2012
State of virtualisation -- 2012State of virtualisation -- 2012
State of virtualisation -- 2012
 
Virtunoid: Breaking out of KVM
Virtunoid: Breaking out of KVMVirtunoid: Breaking out of KVM
Virtunoid: Breaking out of KVM
 
Citi TechTalk Session 2: Kafka Deep Dive
Citi TechTalk Session 2: Kafka Deep DiveCiti TechTalk Session 2: Kafka Deep Dive
Citi TechTalk Session 2: Kafka Deep Dive
 
Linaro connect : Introduction to Xen on ARM
Linaro connect : Introduction to Xen on ARMLinaro connect : Introduction to Xen on ARM
Linaro connect : Introduction to Xen on ARM
 
Using SoC Vendor HALs in the Zephyr Project - SFO17-112
Using SoC Vendor HALs in the Zephyr Project - SFO17-112Using SoC Vendor HALs in the Zephyr Project - SFO17-112
Using SoC Vendor HALs in the Zephyr Project - SFO17-112
 
Azure Day Rome Reloaded 2019 - Deconstructing Kubernetes using AKS
Azure Day Rome Reloaded 2019 - Deconstructing Kubernetes using AKSAzure Day Rome Reloaded 2019 - Deconstructing Kubernetes using AKS
Azure Day Rome Reloaded 2019 - Deconstructing Kubernetes using AKS
 
Kernel Recipes 2016 - New hwmon device registration API - Jean Delvare
Kernel Recipes 2016 - New hwmon device registration API - Jean DelvareKernel Recipes 2016 - New hwmon device registration API - Jean Delvare
Kernel Recipes 2016 - New hwmon device registration API - Jean Delvare
 
LAS16-500: The Rise and Fall of Assembler and the VGIC from Hell
LAS16-500: The Rise and Fall of Assembler and the VGIC from HellLAS16-500: The Rise and Fall of Assembler and the VGIC from Hell
LAS16-500: The Rise and Fall of Assembler and the VGIC from Hell
 
KARMA: Adaptive Android Kernel Live Patching
KARMA: Adaptive Android Kernel Live PatchingKARMA: Adaptive Android Kernel Live Patching
KARMA: Adaptive Android Kernel Live Patching
 
Optimizing the Design and Implementation of KVM/ARM - SFO17-403
Optimizing the Design and Implementation of KVM/ARM - SFO17-403Optimizing the Design and Implementation of KVM/ARM - SFO17-403
Optimizing the Design and Implementation of KVM/ARM - SFO17-403
 
Implementing SR-IOv failover for Windows guests during live migration
Implementing SR-IOv failover for Windows guests during live migrationImplementing SR-IOv failover for Windows guests during live migration
Implementing SR-IOv failover for Windows guests during live migration
 
17-virtualization.pptx
17-virtualization.pptx17-virtualization.pptx
17-virtualization.pptx
 
Bridging the Semantic Gap in Virtualized Environment
Bridging the Semantic Gap in Virtualized EnvironmentBridging the Semantic Gap in Virtualized Environment
Bridging the Semantic Gap in Virtualized Environment
 

More from Priyanka Aash

Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Priyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 

Recently uploaded (20)

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

Back to the Future: A Radical Insecure Design of KVM on ARM

  • 1. Back To The Future: A Radical Insecure Design of KVM on ARM Baibhav Singh Rahul Kashyap B. Sing - SRA 1
  • 2. • Samsung Research America • Actively working on ARM system security *The opinion present are my own and not necessarily represent the opinion of my employer Introduction B. Sing - SRA 2
  • 3. • Found this issue while doing some hypervisors research • On 25 Jan 2018, reported to Red Hat Product Security team Secalert@redhat.com provided detail report with exploit code • Multiple mail exchange to help them understand the problem • Still is not fixed • Decided to submit a BH paper (Thanks to Rahul, Michael Grace) • Thanks to BH for providing the platform Background B. Singh - SRA 3
  • 4. ARM v8-A Architecture HVC HVC HVC Handler B. Singh - SRA 4
  • 5. Exception Vector TableB. Sing - SRA 5 VBAR_EL2HVC 0x400 +
  • 6. ARM Hypervisor executes in EL2 TYPE 1 • Bare Metal Hypervisor • Host is considered as VM • XEN is type 1 and runs in EL2 TYPE 2 • Hypervisor is extension of Host Kernel • Host is not considered as VM • KVM is type 2 and runs partial in EL2 ARM - Hypervisor B. Singh - SRA 6
  • 7. Linux Start EL==2 1. Updates VBAR_EL2 to Install STUB Vector Table as EL2 Exception Vector Table 2. Switches back to EL1 Normal Boot Flow YES No Linux and KVM B. Singh - SRA 7
  • 8. Handler in case HVC originating from 64 bit Kernel VBAR_EL2 Stub Vector Table Filename : linuxarcharm64kernelhyp- stub.s B. Sing - SRA 8
  • 9. Checks if register X0 == 0 Updates VBAR_EL2 Stub HVC Handler Filename : linuxarcharm64kernelhyp-stub.s B. Singh - SRA 9
  • 10. B. Singh - SRA 10 Linux Start STUB VECTOR TABLE CMD == HVC_SET_VECTO R KVM VECTOR TABLE VBAR_EL2 State Diagram 1
  • 11. Filename : linuxarcharm64kernelhyp-entry.s Checks if HVC is from Host Checks if register x0 < 3 Calls _kvm_handle_stub_hvc KVM HVC Handler B. Singh - SRA 11
  • 12. Checks register X0 == 2 Disables EL2 MMU Back to Stub Vector Filename : linuxarcharm64kvmhyphyp-entry.s KVM HVC Handler B. Singh - SRA 12
  • 13. B. Singh - SRA 13 Linux Start STUB VECTOR TABLE CMD == HVC_SET_VECTO R KVM VECTOR TABLE HVC == HOST && CMD == HVC_RESET_VEC TOR VBAR_EL2 Attackers Vector Table State Diagram 2
  • 14. X0 =2 ; //HVC_RESET_VECTORS KVM Vector TableStub Vector Table 1. Allocate physical continuous memory 2. Embed shellcode at an offset 0x400 (Exception handler) 3. Set X0 = 0 //HVC_SET_VECTOR 4. Set X1 = physical address of buffer Attacker Allocated Buffer Disables MMU Installs Installs HVC HVC HVC EL2 Shellcode Host EL1 EL2 Exploitation B. Singh - SRA 14
  • 15. KVM Team Response “You're on the host, and you can break KVMby inserting a rogue kernel module. Big deal. You can also blast the page tables, corrupt file systems, and make sure the box is on fire” KVM Threat Model Assumption : HOST.EL1 == EL2 Security hole in privilege isolation boundary Host kernel compromise is End of the Game ! Real World : EL1 != EL2 For Attacker Beginning of a New Game.… J Attacker can exploit this issue to gain more privilege and will migrate to EL2 • Launch attack from isolated and unreachable memory. • Can configure EL2 to get code execution from various different places • A generic way to bypass security implemented in the kernel (LKRG),by escaping to EL2 • Attack the secure monitoring running in hypervisor mode • Gives attacker opportunity for Blue Pill for KVM on ARM Juicy target for attacker to perform highly sophisticated and stealthy attack B. Singh - SRA 15
  • 16. Potentially bigger impact for mobile and IoT •Most of them are ARM based •Chances are high that it will boot in EL2 •Single Kernel Device (More Attack Surface) Affected Architecture: ARM v7-A and ARM v8-A with hardware virtualization Impact B. Singh - SRA 16
  • 17. Mitigation My two cents… You’re likely vulnerable to this attack. Patch the system by making sure Linux starts in EL1 B. Singh - SRA 17
  • 18. • https://static.docs.arm.com/ddi0487/ca/DDI0487C_a_armv8_arm.pd f • https://developer.arm.com/products/architecture/a- profile/docs/100942/latest/hypervisor-software • https://dl.acm.org/citation.cfm?id=2541946 • http://www.cs.columbia.edu/~cdall/pubs/atc17-dall.pdf • http://www.cs.columbia.edu/~cdall/pubs/sosp2017-neve.pdf • https://lwn.net/Articles/557132/ • http://lia.disi.unibo.it/Courses/som1516/materiale/VOSYS_BolognaK VMARM_2_12_2015.pdf Reference B. Singh - SRA 18