Download as PDF, PPTX
![#RSAC
Why Device EmulaLon?
4
Supports more guest devices with virtual devices
If physical devices number are not enough - limited GPU resource
If physical devices don’t support device virtualizaLon – Not every device
support SRIOV
If physical devices don’t exist – some outdated devices
Popular usage in cloud environment to support many VMs
QEMU can provide device emulaLon for KVM/XEN, but it brings new
a]ack surface on virtualizaLon stack](https://image.slidesharecdn.com/hta-f01enhancevirtualizationstackwithintelcetandmpx-180611061212/85/Enhance-Virtualization-Stack-with-Intel-CET-and-MPX-4-320.jpg)
![#RSAC
CVE-2015-7504 – Out of Bound Read Defense
with MPX
31
Enable MPX on buffer[4096] memory access](https://image.slidesharecdn.com/hta-f01enhancevirtualizationstackwithintelcetandmpx-180611061212/85/Enhance-Virtualization-Stack-with-Intel-CET-and-MPX-31-320.jpg)
Uploaded byPriyanka Aash
Enhance Virtualization Stack with Intel CET and MPX
The document discusses enhancing virtualization security using Intel's Control-flow Enforcement Technology (CET) and Memory Protection Extensions (MPX) in the context of a full virtualization stack. It highlights vulnerabilities in QEMU, including specific CVEs, and presents a case study on VM escape exploits. The document concludes with recommendations for improving security measures against these vulnerabilities in cloud environments.
More Related Content
Similar to Enhance Virtualization Stack with Intel CET and MPX
Enhance Virtualization Stack with Intel CET and MPX
- 1. SESSION ID: #RSAC Xiaoning Li ENHANCEVIRTUALIZATION STACK WITH INTEL CET AND MPX HTA-F01 Chief Security Architect Alibaba Cloud Ravi Sahita Principal Engineer Intel CorporaLon
- 2. #RSAC Agenda 2 Full VirtualizaLon Stack QEMUVulnerabiliLes Intel CET Intel MPX and PKU VM Escape Case Study MiLgaLon with CET/MPX Other MiLgaLons
- 3. #RSAC Full VirtualizaLon Stack 3 CPU(VT-x) Hypervisor Dom0/Host OS Guest OS Device EmulaLon Frontend Driver/VirtIODevice Driver CPU (VT-x) Hypervisor Dom0/Host OS Guest OS Device Driver Pass-through Device Driver HVM Guest OS with Device Pass-through HVM Guest OS Without Device Pass-through
- 4. #RSAC Why Device EmulaLon? 4 Supportsmore guest devices with virtual devices If physical devices number are not enough - limited GPU resource If physical devices don’t support device virtualizaLon – Not every device support SRIOV If physical devices don’t exist – some outdated devices Popular usage in cloud environment to support many VMs QEMU can provide device emulaLon for KVM/XEN, but it brings new a]ack surface on virtualizaLon stack
- 5.
- 6. #RSAC QEMU VulnerabiliLes by2018 Jan 6
- 7.
- 8. #RSAC CVE-2015-7504 – HeapOverflow 8
- 9.
- 10. #RSAC Intel® Control-flow EnforcementTechnology 10 Intel CET Indirect Branch Tracking Shadow Stack
- 11. #RSAC Shadow Stack 11 Return Address1 Return Address 2 Parameter Return Address 4 Parameter Parameter Return Address 3 Return Address 1 Return Address 3 Return Address 2 Return Address 4 RET Return Address 4 Return Address 4
- 12. #RSAC Shadow Stack ControlProtecLon ExcepLon 12 Return Address 1 Return Address 2 Parameter Return Address 4 Parameter Parameter Return Address 3 Return Address 1 Return Address 3 Return Address 2.1 Return Address 4 RET #CP
- 13. #RSAC Indirect Branch Tracking 13 RET IndirectBranch InstrucLon2 ENDBR32/ENDBR64 InstrucLon… InstrucLon… InstrucLon1 IND JMP IND CALL
- 14. #RSAC Indirect Branch Tracking 14 RET IndirectBranch InstrucLon2 ENDBR32/ENDBR64 InstrucLon… InstrucLon… InstrucLon1 RET ENDBR32/ENDBR64 InstrucLon… IND JMP IND CALL
- 15. #RSAC Indirect Branch Tracking#CP 15 RET Indirect Branch InstrucLon2 ENDBR32/ENDBR64 InstrucLon… InstrucLon… InstrucLon1 RET Push Eax InstrucLon… IND JMP IND CALL #CP
- 16. #RSAC Cross Mode IndirectBranch Tracking 16 InstrucLon2 32 ENDBR32 InstrucLon1 32 IND JMP IND CALL InstrucLon2 64 ENDBR32 InstrucLon1 64 32bit Mode 64bit Mode Same binary built by compiler
- 17.
- 18. #RSAC Intel® Memory ProtecLonExtensions 18 MPX Bound Check ISA Bound Table
- 19.
- 20.
- 21. #RSAC QEMU VM ESCAPECASE STUDY
- 22. #RSAC CVE-2015-5165 and CVE-2015-7504Exploit 22 #HITB2016AMS D1T1 - Escape From The Docker KVM QEMU Machine - Shengping Wang and Xu Liu
- 23. #RSAC CVE-2015-5165 Memory Disclosure 23 MalformedPackage Malformed Package Host Guest OS QEMU Vulnerable Code Host Memory Data Host Memory Data QEMU Memory Address Guest OS Memory Address
- 24. #RSAC CVE-2015-7504 Code ExecuLon 24 MalformedPackage Host Guest OS QEMU Vulnerable Code CriLcal Pointer
- 25.
- 26.
- 27. #RSAC CVE-2015-7504 Exploit inHITB 27 xchg rax,rsp; ret
- 28. #RSAC CVE-2015-7504 Exploit inPhrack 28 qemu_set_irq Mprotect shellcode
- 29.
- 30. #RSAC CVE-2015-5165 – Outof Bound Access Defense with MPX 30 Enable MPX on packet memory access
- 31. #RSAC CVE-2015-7504 – Outof Bound Read Defense with MPX 31 Enable MPX on buffer[4096] memory access
- 32. #RSAC CVE-2015-7504 Exploit Defensewith CET 32 xchg rax,rsp; ret Shadow Stack can stop “xchg rax,rsp;ret”
- 33. #RSAC CVE-2015-7504 Exploit Defensewith CET 33 qemu_set_irq Mprotect shellcode Indirect Branch Tracking can stop irq->handler calling qemu_set_irq without valid tag
- 34.
- 35. #RSAC Other MiLgaLon -PKU 35
- 36. #RSAC Other MiLgaLon -PMI 36 ENDBR32/ENDBR64 IND JMP IND CALL PMI Handler with Target Tag Check LBR_FROM LBR_TO
- 37. #RSAC Summary 37 VM escape ispracLcal and impacts cloud foundaLon security Intel CET/MPX can enhance miLgaLon on ROP/JOP/COP and buffer overflow, specifically on cloud virtualizaLon stack
- 38. #RSAC Call For AcLons 38 Applynew CPU mechanisms such as CET/MPX/PMU/PKU on exploit defense
- 39.