The document discusses the challenges of securing virtualization from a technical perspective. It covers weaknesses in hardware-assisted virtualization approaches, software stacks used for virtualization, complex memory management, computer platform internals, and potential attack vectors against virtualization. The presentation aims to demonstrate that achieving secure virtualization is virtually impossible due to the numerous opportunities for exploitation throughout the software and hardware stack.
2. -CONFIDENTIAL-
/WhoAmI ?
• Chief Research Officer @ Cyvera LTD
• Formerly Security Evaluation Architect of the Software & Services Group @ Intel®
• Before that – Entrepreneur, Consultant, IDF
• Always a security “enthusiast”
  – Personal focus areas:
    • DBI, Fuzzing & Automated exploitation
    • Exploitation techniques & Mitigations
    • Vehicles & Traffic systems
    • Embedded systems
3. ThankZ & GreetZ
• My wife
  – For tolerating me doing security research
• Everyone at Cyvera, special thanks to:
  – Harel Baris for help with the presentation design
  – Gal Badishi and Ariel Cohen for reviewing
• All Intel security people
  – Especially my old team
4. What I will talk about today
Beyond why virtualization is virtually impossible to secure…
• Hardware assisted virtualization
• SW stacks, the different virtualization approaches and their related weaknesses
• The complexity in memory management and related weaknesses
• Computer platform internals and related weaknesses
• Finally, a small taxonomy of attacks against virtualization
• Special bonus – potential VM escape ;-)
5. What is Virtualization?
• In the context of this talk: replacing the CPU and computer platform with a virtual environment
• A bit of history:
  – Turing’s universal computing machine
  – Popek and Goldberg virtualization requirements
6. Terminology
• A Virtual Machine Manager (VMM; Intel’s documentation says virtual-machine monitor) is the software virtualizing privileged instructions and hardware
• A Virtual Machine (VM) is a software stack running under a VMM
• A Guest OS is the operating system of a VM
• A Host OS is the operating system controlling the VMM
• Root operation (VMX root operation) is the mode in which the VMM itself executes; guests run in VMX non-root operation, and the transitions between the two are VM entries and VM exits
7. What is “secure” virtualization?
Security Goals:
– Prevent modification of the VMM and host OS by guests
– Prevent a guest OS from modifying another guest
– Prevent a guest from subverting hardware or firmware*
– Prevent a guest from stealing data from other guest OSes / the host OS / the VMM*
– Prevent DoS by a guest OS* or a guest getting an unfair share of resources relative to other guests*
– Keep the guest OS secure – don’t harm normal OS defenses*
* Depending on the hypervisor design, might be a non-goal
9. Software Stack
Type 1 Hypervisor
[Diagram: Guest Operating System 1 and Guest Operating System 2, each with its own Process 1–3 making system calls into its guest kernel; both guests sit directly on the Virtual Machine Manager (Hypervisor / VMM), which they reach only through VM exits and VM entries; the VMM sits on the instruction set and the hardware.]
10. Software Stack
Type 2 Hypervisor
[Diagram: a single Guest Operating System with Process 1–3 making virtualized system calls; VM exits / entries connect the guest to a VMM that is itself one process of the Host Operating System, next to ordinary host Process 1–3 making normal system calls; the host OS sits on the instruction set and the hardware.]
11. ISA emulation challenges
• A VMM needs to emulate every instruction or event it registers on
• A VMM must register to a certain set of instructions and x86 events that always cause a VM exit (the deck’s “fixed-1 exits”: exits that the VMX execution controls cannot turn off)
  – e.g.: CPUID, GETSEC, INVD, XSETBV and the VMX instructions themselves (VMCALL, VMLAUNCH, VMXON, …)
• ISA emulation challenges
  – Specification
  – Corner cases
  – Deciding from root operation whether the guest had the right privilege to execute the instruction is hard
    • Confused deputy situation…
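An added example (not from the deck) of the confused-deputy point above. XSETBV exits to the VMM no matter which ring the guest was in, so every architectural check the CPU would have made (CPL, CR4.OSXSAVE, the XCR index, reserved and dependent bits) has to be replayed by the exit handler in root operation; drop one and user mode in the guest can change XCR0 behind the guest kernel’s back. The struct, field names and helper functions are this example’s own simplification of what a real handler reads from the VMCS; the fault conditions are the ones the SDM documents for XSETBV.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified guest state as a VMM would read it from the VMCS after an
   XSETBV exit. The struct and its field names are this example's own. */
struct guest_state {
    unsigned cpl;            /* guest CPL (DPL of SS in the VMCS access rights) */
    uint64_t cr4;            /* guest CR4 */
    bool     cpuid_xsave;    /* CPUID.01H:ECX.XSAVE[bit 26] as exposed to the guest */
    uint64_t xcr0_supported; /* XCR0 bits the VMM exposes (CPUID.0DH:EDX:EAX) */
    uint32_t ecx;            /* XCR index operand */
    uint64_t edx_eax;        /* value operand */
    uint64_t xcr0;           /* the guest's current XCR0 */
};

/* What the handler tells the VM-entry path to do; #UD = vector 6, #GP = vector 13. */
enum vmm_action { ACT_EMULATED = 0, ACT_INJECT_UD = 6, ACT_INJECT_GP = 13 };

#define CR4_OSXSAVE (1ULL << 18)
#define XCR0_X87    (1ULL << 0)
#define XCR0_SSE    (1ULL << 1)
#define XCR0_AVX    (1ULL << 2)

/* Handler for the unconditional XSETBV exit. Each check is one the CPU would
   have done itself had the instruction not been intercepted; in root
   operation the VMM has to replay all of them before touching guest state. */
static enum vmm_action handle_xsetbv_exit(struct guest_state *g) {
    if (!g->cpuid_xsave || !(g->cr4 & CR4_OSXSAVE))
        return ACT_INJECT_UD;      /* #UD: XSAVE not enabled for this guest */
    if (g->cpl != 0)
        return ACT_INJECT_GP;      /* #GP(0): ring 3 ran it, but the exit fired anyway */
    if (g->ecx != 0)
        return ACT_INJECT_GP;      /* #GP(0): only XCR0 exists */
    uint64_t v = g->edx_eax;
    if (v & ~g->xcr0_supported)
        return ACT_INJECT_GP;      /* #GP(0): reserved or unexposed feature bits */
    if (!(v & XCR0_X87))
        return ACT_INJECT_GP;      /* #GP(0): bit 0 must stay set */
    if ((v & XCR0_AVX) && !(v & XCR0_SSE))
        return ACT_INJECT_GP;      /* #GP(0): AVX state requires SSE state */
    g->xcr0 = v;                   /* emulate; a real VMM also advances guest RIP */
    return ACT_EMULATED;
}

/* Constructed starting point: ring-0 guest, XSAVE enabled, x87/SSE/AVX exposed. */
static struct guest_state ring0_guest(uint64_t value) {
    struct guest_state g = {0};
    g.cpl = 0; g.cr4 = CR4_OSXSAVE; g.cpuid_xsave = true;
    g.xcr0_supported = XCR0_X87 | XCR0_SSE | XCR0_AVX;
    g.ecx = 0; g.edx_eax = value; g.xcr0 = XCR0_X87;
    return g;
}

/* Scenario helpers so each case is a return value. */
static int xsetbv_from_ring0(uint64_t value) {
    struct guest_state g = ring0_guest(value);
    return handle_xsetbv_exit(&g);
}
static int xsetbv_from_ring3(uint64_t value) {
    struct guest_state g = ring0_guest(value);
    g.cpl = 3;                     /* same VM exit, different guest privilege */
    return handle_xsetbv_exit(&g);
}
static int xsetbv_without_osxsave(uint64_t value) {
    struct guest_state g = ring0_guest(value);
    g.cr4 = 0;
    return handle_xsetbv_exit(&g);
}
static uint64_t xcr0_after(uint64_t value) {
    struct guest_state g = ring0_guest(value);
    handle_xsetbv_exit(&g);
    return g.xcr0;
}

int main(void) {
    printf("ring0 XSETBV(x87|SSE|AVX): action %d\n", xsetbv_from_ring0(7));
    printf("ring3 XSETBV(x87|SSE|AVX): action %d (inject #GP)\n", xsetbv_from_ring3(7));
    printf("AVX without SSE:           action %d (inject #GP)\n",
           xsetbv_from_ring0(XCR0_X87 | XCR0_AVX));
    printf("CR4.OSXSAVE clear:         action %d (inject #UD)\n", xsetbv_without_osxsave(7));
    return 0;
}
```

The CPL check is the one that is easiest to forget: the hardware already knows the guest was in ring 3, but it still exits, and the VMM receives the request with root privileges.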
12. Software Stack
SMM with VMM
[Diagram: the Type 1 stack again (Guest OS 1 and Guest OS 2 with Process 1–3 each, system calls into the guests, VM exits / entries into the Virtual Machine Manager (Hypervisor / VMM), instruction set, hardware), with System Management Mode (SMM) drawn beside the VMM: an #SMI from the hardware moves the CPU into SMM and RSM returns from it, outside the VMM’s control.]
13. Software Stack
SMM Transfer Monitor (STM)
[Diagram: as on the previous slide, but SMM no longer sits beside the VMM; an SMM Transfer Monitor (STM) is interposed so that SMM code runs under the STM, which exchanges VM exits / entries with the Virtual Machine Manager (Hypervisor / VMM) on top of the instruction set and hardware.]
15. Section summary
• There are many ways to use hardware virtualization technology:
  – Type I, Type II, Micro-VMMs, …
• Each approach has its own unique challenges:
  – Full HW virtualization: secure a big implementation of SW emulation for all HW
  – Para-virtualization: secure the guest OS interface with the host OS
  – All implementations: emulate the ISA correctly and securely
  – Micro-VMMs: defend from HW subversion
• SMM is too privileged, and where are the STMs?
19. -CONFIDENTIAL-
Memory – Address Translations
[Diagram: three address views side by side, each spanning 0x00……00 to 0xFF……FF. Linear addressing goes through Paging translation to Guest physical; Guest physical goes through EPT translation to the System view; the System view goes through MCH mappings to DRAM. Example addresses 0x12345678 and 0xABABABAB mark one sample mapping across the views]
* MCH = Memory Control Hub (MMU)
** Segmentation adds another translation and the cache adds a whole new translation path
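The two software-visible stages of that diagram, paging and EPT, as an added example that is not code from the presentation. The model uses a flat single-level table per stage with 4 KiB pages (real x86 walks four levels at each stage, and the guest's page-table fetches themselves go through EPT); what it shows is that the two stages check permissions independently and fail differently: a stage-1 failure is a #PF the guest handles alone, a stage-2 failure is an EPT violation that exits to the VMM. The frame numbers and the table contents are constructed; the flag bit positions are the real ones.

```python
PAGE_SHIFT = 12
PAGE_MASK = (1 << PAGE_SHIFT) - 1

# Guest page-table entry flag bits (real x86 positions for Present, R/W, U/S)
PTE_P, PTE_RW, PTE_US = 1 << 0, 1 << 1, 1 << 2
# EPT entry permission bits (bits 0..2 of an EPT entry: read, write, execute)
EPT_R, EPT_W, EPT_X = 1 << 0, 1 << 1, 1 << 2


class PageFault(Exception):
    """#PF: raised by stage 1 and delivered to the guest; the VMM is not involved."""


class EptViolation(Exception):
    """EPT violation: raised by stage 2 and causes a VM exit to the VMM."""


def guest_paging(page_table, linear, write=False, user=False):
    """Stage 1: linear -> guest-physical using the guest's own page table."""
    vpn, offset = linear >> PAGE_SHIFT, linear & PAGE_MASK
    pte = page_table.get(vpn, 0)
    if not pte & PTE_P:
        raise PageFault(f"not present: {linear:#x}")
    if write and not pte & PTE_RW:
        raise PageFault(f"write to read-only page: {linear:#x}")
    if user and not pte & PTE_US:
        raise PageFault(f"user access to supervisor page: {linear:#x}")
    return (pte & ~PAGE_MASK) | offset


def ept_translate(ept, gpa, access):
    """Stage 2: guest-physical -> host-physical using the VMM's EPT."""
    gfn, offset = gpa >> PAGE_SHIFT, gpa & PAGE_MASK
    entry = ept.get(gfn)
    needed = {"r": EPT_R, "w": EPT_W, "x": EPT_X}[access]
    if entry is None or not entry & needed:
        raise EptViolation(f"{access} access to gpa {gpa:#x} not permitted by EPT")
    return (entry & ~PAGE_MASK) | offset


def translate(page_table, ept, linear, access="r", user=False):
    """Full two-stage walk for a data read/write or an instruction fetch."""
    gpa = guest_paging(page_table, linear, write=(access == "w"), user=user)
    return ept_translate(ept, gpa, access)


# Constructed sample tables: frame numbers are made up
GUEST_PT = {
    0x12345: (0xABABA << PAGE_SHIFT) | PTE_P | PTE_RW | PTE_US,  # user-mode RW page
    0x12346: (0x00C00 << PAGE_SHIFT) | PTE_P | PTE_RW,           # supervisor RW page
}
EPT = {
    0xABABA: (0x7FE1A << PAGE_SHIFT) | EPT_R | EPT_W | EPT_X,    # plain guest RAM
    0x00C00: (0x7FE1B << PAGE_SHIFT) | EPT_R | EPT_X,            # VMM keeps this page read-only
}


def outcome(linear, access="r", user=False):
    """Describe what a guest access to `linear` results in under the sample tables."""
    try:
        return f"hpa={translate(GUEST_PT, EPT, linear, access, user):#x}"
    except PageFault:
        return "#PF (guest)"
    except EptViolation:
        return "EPT violation (VM exit)"


if __name__ == "__main__":
    for args in [(0x12345678,), (0x12346010, "w"), (0x12346010, "r", True), (0x12347000,)]:
        print(args, "->", outcome(*args))
```

The second mapping is the interesting one: the guest's page table says the page is writable, yet the write never reaches memory because the EPT entry lacks the W bit, so the VMM gets an exit and decides. That is the sense in which EPT can mitigate a guest's access to ranges it should not touch, provided the VMM actually configured the entries that way.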
23. -CONFIDENTIAL-
Cache!
Sorry, out of scope for today – there is no end to it once you start discussing cache and security.
Suffice to say that it adds another translation layer and that it is complex and performance oriented.
[Graphic: performance vs. Security trade-off]
24. -CONFIDENTIAL-
Section summary
• Memory is complex!
• Attackers with access to MMIO or physical memory addresses can compromise anything on the system
• Access to special address ranges is also dangerous
• EPT can help mitigate some of the problems
– If you can configure it correctly, if it is available
26. -CONFIDENTIAL-
What is a computer?
• A very complex device internally
• The logical software architecture can be complex
• Every modern computer system is also a complex high speed network of interconnecting hardware components using many communication protocols
30. -CONFIDENTIAL-
VT-d (IOMMU)
• Used for virtualizing chipset components
• DMA remapping
– Paging for devices
– Nested translations
• Interrupt remapping
– Allows directing interrupts coming from hardware. There is a good paper by Rafal Wojtczuk and Joanna Rutkowska that explains the need for it:
• Following the White Rabbit: Software attacks against Intel® VT-d technology
• What about older systems where you don’t have VT-d?
31. -CONFIDENTIAL-
Section summary
• Computer hardware is complex!
• Emulating necessary components is hard:
– Multiple CVEs already found in ACPI and APIC virtualization as well as QEMU
• VT-d helps virtualize DMA and hardware interrupts
– If used correctly
33. -CONFIDENTIAL-
Basic Vectors
• ISA Implementation
– Emulating x86 isn’t easy…
• Performance monitoring
– Classic side channels
– Real Time Instruction Tracing – new feature coming up
• Old systems
– New defenses were introduced with the latest HW
• New features
– Approach to new features (CPU/PCH)
• Whitelist or Blacklist?
34. -CONFIDENTIAL-
Address Space Attacks
• IO Address Space
– How many IO ports are there in x86?
– What happens if we configure port overlaps?
• MMIO Overlaps
– As discussed during the presentation
• Special memory ranges access and overlaps
– What happens when a guest can access special ranges?
• MSR address space
– MSRs define system configuration and behavior
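The I/O-port and MMIO overlap questions above, as an added example that is not code from the presentation: a small audit of the address-space assignments a VMM hands to its virtual devices. It flags guest ranges that overlap each other, guest ranges that land on a range the VMM emulates or reserves for the platform (the local APIC page, the I/O APIC, the PCI configuration ports), and I/O ranges that fall outside the 16-bit port space. The device layout and its mistakes are constructed; the default APIC/I/O APIC bases and ports 0xCF8–0xCFF are the real x86 values.

```python
from dataclasses import dataclass
from typing import List, Tuple

IO_PORT_MAX = 0xFFFF  # x86 I/O port numbers are 16 bits wide: 65536 ports


@dataclass(frozen=True)
class AddrRange:
    name: str
    space: str   # "io" (port I/O) or "mmio" (guest-physical memory window)
    start: int
    end: int     # inclusive


def overlaps(a: AddrRange, b: AddrRange) -> bool:
    """Two ranges collide only within the same space and when the intervals intersect."""
    return a.space == b.space and a.start <= b.end and b.start <= a.end


def audit_ranges(guest: List[AddrRange], reserved: List[AddrRange]) -> List[Tuple[str, str, str]]:
    """Return sorted (problem, range, other-range) tuples for a proposed device layout."""
    problems = []
    for r in guest:
        if r.start > r.end:
            problems.append(("inverted", r.name, ""))
        if r.space == "io" and not (0 <= r.start and r.end <= IO_PORT_MAX):
            problems.append(("outside-io-space", r.name, ""))
    for i, a in enumerate(guest):
        for b in guest[i + 1:]:
            if overlaps(a, b):
                problems.append(("guest-overlap", a.name, b.name))
    for a in guest:
        for h in reserved:
            if overlaps(a, h):
                problems.append(("reserved-overlap", a.name, h.name))
    return sorted(problems)


# Ranges the VMM emulates itself or keeps for the platform (constructed list;
# the APIC bases and the CF8/CFC ports are the real x86 defaults)
RESERVED = [
    AddrRange("local APIC page", "mmio", 0xFEE00000, 0xFEE00FFF),
    AddrRange("I/O APIC", "mmio", 0xFEC00000, 0xFEC00FFF),
    AddrRange("PCI config CF8/CFC", "io", 0xCF8, 0xCFF),
]

# A constructed device layout with deliberate mistakes
GUEST_DEVICES = [
    AddrRange("ide0", "io", 0x1F0, 0x1F7),
    AddrRange("net0", "io", 0xC000, 0xC03F),
    AddrRange("blk0", "io", 0xC020, 0xC05F),                # overlaps net0
    AddrRange("blk0-bar1", "mmio", 0xFEBC0000, 0xFEBC0FFF),
    AddrRange("gpu0-bar0", "mmio", 0xFEE00000, 0xFEE01FFF),  # lands on the APIC page
    AddrRange("dbg0", "io", 0xCF0, 0xCFB),                  # straddles the PCI config ports
    AddrRange("bogus", "io", 0x10000, 0x1000F),             # beyond the 16-bit port space
]


def audit_sample() -> List[Tuple[str, str, str]]:
    return audit_ranges(GUEST_DEVICES, RESERVED)


if __name__ == "__main__":
    for problem in audit_sample():
        print(problem)
```

Running the audit at configuration time, before the VM starts, is the cheap part; the harder requirement the slide hints at is re-running it whenever the guest reprograms a BAR or the VMM relocates an emulated range, since the overlap can be created later by the guest itself.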
35. -CONFIDENTIAL-
Privileged Software
• Corrupted ACMs
– ACMs run at a very high privilege level; if you can compromise one…
• CPU/PCH Firmware(s)
– Compromise of the CPU or PCH firmware naturally allows an attacker to control any VM
• BIOS & SMM
– The BIOS is a common component of the platform and controls both configuration and SMM code
36. -CONFIDENTIAL-
Other Interesting Vectors
• Intentional misconfiguration
– It is possible to misconfigure PCIe config space, MSRs or MMIO constants in order to create unexpected situations for the VMM
• Server platforms (are fun!)
– Platforms and CPUs for the server market have special features, all of which usually run at very high privilege
• Errata
– What if there is an erratum in the CPU/PCH behavior we rely on to emulate something? Sucks, right?
37. -CONFIDENTIAL-
Bonus: Interesting Errata
• The erratum below appears in the June 2013 revision for 2nd generation Core CPUs
• Sounds like an exploitable issue IF you can prevent reload of CR3 with a 32-bit value
38. -CONFIDENTIAL-
Summary
• Computer platforms are complex
• There are several approaches to virtualizing HW, each with its own inherent weaknesses
– Full hardware virtualization: slower and uses SW emulation, therefore prone to SW vulnerabilities
– Direct hardware access: prone to malicious HW manipulations (micro-VMMs)
• Better defenses are available only with new and sometimes also high end HW
41. -CONFIDENTIAL-
Useful tools and info for people interested in virtualization research
• LOLA by Jeff Forristal (free)
– Because a Python interface to the HW rocks!
• 8 series PCH manuals
• 2nd generation core Errata
• Intel software developer manuals
– Volume 3 contains most information about VT
– Other volumes are also useful to understand what is emulated
• Patience!
– Hardware debugging, reading long technical manuals
42. -CONFIDENTIAL-
How different virtualization SW works
• VMware Player
– Emulates a 440BX motherboard (15 years old)
– Monitors PCIe configuration, and at least the IO ports, to some degree, but that is for Win95 and Win3.1 compatibility, not security!
43. -CONFIDENTIAL-
Disclaimer
• All product logos and names used in this presentation are the property of their respective owners. I make no claim for ownership on those. I am merely using them as examples of such products