This presentation covers a real-world case study of Bitdefender Hypervisor Introspection (HVI) that is based on Xen Project software. On April 14th, The Shadow Brokers released the Eternalblue exploit toolkit, which exploited an SMBv1 vulnerability across a wide range of Windows operating systems. The exploit was most famously used as a propagation mechanism for the WannaCryransomware. HVI prevented exploitation attempts with no prior knowledge of the exploit or underlying vulnerability. This talk will cover the exploit mechanism, how HVI detects its actions, and illustrate some of the advantages of HVI built through open source collaboration. Audience members will takeaway a better understanding of this type of exploit and how something like hypervisor introspection and security through a hypervisor approach can help companies avoid these types of new exploits.

1. Talk Title Here
Author Name, Company
How Open Source Project Xen
Puts Security Ahead of
Emerging Threats
Mihai Donțu, Bitdefender
Andrei Florescu, Bitdefender

2. In An Ideal World…

3. OSes would be
designed differently
Humans would not
code

4. … In The Real World

5. OSes are flawed by
design
Humans (still) code

6. Perfect St[w]orms
Vulnerability in widely-used services or protocols
Vulnerable service exposed to the outside world
Vulnerability remotely exploitable
Both Servers and Workstations vulnerable
Vulnerability affects OS Kernel
“Wormable”

7. Some Examples?

8. MS08-067 – MS NetAPI32 Vulnerability
* https://blogs.technet.microsoft.com/johnla/2015/09/26/the-inside-story-behind-ms08-067/
1 AD…
Vulnerability
present and
exploitable
MS caught wind
of 0-day through
WER*
09/25/2008
10/23/2008
Out-of-band
patch released
11/2008
Conficker/Downadup
worm released in the
wild
1/2009
Infected >9mil
systems including:
defense, gov,
commercial

9. … 9 years later

10. MS17-010 – MS SMB v1 Vulnerability (EternalBlue)
*https://businessinsights.bitdefender.com/hypervisor-introspection-defeated-enternalblue-a-priori
1 AD…
Vulnerability
present and
exploitable
MS released
patch (on a
Tuesday)
3/14/2017
4/14/2017
Some bad people
released a public
exploit -
EternalBlue
5/12/2017
WannaCry Released
in the wild. Over
300k systems
infected in 3 days.
6/27/2017
NotPetya (or
something) released

11. So What Really Changed?

12. Vulns & Exploit
Branding!
OS-based
Exploit Mitigation
In-Guest
Security Tools
ASLR
DEP
SafeSEH
SEHOP
Next-Gen Stuff
Endpoint Detection and
Response (EDR)
Threat-hunting
Incident Response
Sandboxing
?
In Reality…

13. Vulns & Exploit
Branding!
OS-based
Exploit Mitigation
In-Guest
Security Tools
?
Back To The Ideal World…
Generic Exploit
Prevention
No Prior Knowledge
Required
Real-Time Alerts
Forensics Details
Provided
Isolated From
Attackable Surface

14. HVI Demo: Defeating EternalBlue

15. Open Source Collaboration

17. 2003
2008
2010
2012
2014
2014
2016
2017
First notable academic research (by Garfinkel & Rosenblum)
First proof of concept on Xen (Ether)
Started working on a VMI-based security technology using a custom hypervisor
First proof of concept with Xen
Started working with the Xen Project community on improving and extending Xen’s VMI
features
Intel announced the first CPU features aimed at speeding up VMI
First beta for Bitdefender’s HVI technology
First commercial release with Citrix XenServer 7.0 (Xen 4.6)
Project History

18. How HVI Works
• Uses the VMI capabilities of Xen (xen-access, vm-events)
• Builds a "shadow" state of the OS
• Enforces certain access restrictions on:
• Code (kernel or user application)
• Stack
• Heap
• Data
• Driver Objects (Windows)
• IDT/GDT etc.
• Sensitive MSR-s (eg. MSR_LSTAR)

19. Guest Guest Guest Guest Guest
Critical
Memory
Access
Critical
Memory
Access
Critical
Memory
Access
Critical
Memory
Access
Critical
Memory
Access
Networking StorageCompute
XenServer Hypervisor
XenServer
Control
Domain
(dom0)
Security
Appliance
(domU)
Memory
Introspection
Engine
Direct Inspect APIs
Architecture Overview

20. A Closer Look: EternalBlue

21. MS17-010: The Vulnerability
Integer Overflow
DWORD subtracted into a WORD
Buffer Overflow
memove operation in srv!SrvOs2FeaToNt
Arbitrary write-what-where primitive
(Classic heap spraying & grooming to gain
RCE)
RIP is hijacked in
srvnet!SrvNetWskReceiveComplete

22. MS17-010 : Exploiting The Vulnerability
• The exploit is using MDL (Memory Descriptor Lists) to control the
source & destination of arbitrary writes
• ASLR is bypassed by using hard-coded memory regions
o HalHeap is located at 0xffffffffffd00000
o Fixed in Windows 10 Redstone 1 (april 2017)
• Page-Table addresses are also “hard-coded”
o Self mapped at entry 0x1ed
o Fixed in Windows 10 Anniversary Update (august 2016)
• DEP is disabled on the HalHeap region by directly editing the
page-tables
• The payload is placed inside the HalHeap
• The handler for the connection-close is overwritten and offers
RCE
• The shellcode is executed when the connection is closed

23. MS17-010: The Payload – Stage 1
Trick to determine if the OS is 32 or 64 bit
If 32 bit then bail out else continue
execution (in this example) 1
• Read Model Specific Register
(MSR) 0xC0000082 –
IA32_LSTAR MSR – and
save it
• This MSR contains the kernel
address of the SYSCALL
handling routine
• Any SYSCALL made by a
user-mode app will end up
running the code pointed by
IA32_LSTAR
2
Modify IA32_LSTAR MSR so that it points
to the main payload inside the HalHeap
3

24. MS17-010: The Payload – Stage 2
As soon as an application initiates a SYSCALL, the main
payload gains code execution
• It restores the original SYSCALL handler
• It does whatever the payload was programmed to do
This is the main functionality of the exploit
4

25. MS17-010: The Payload – Stage 3
(The stage 2?3) payload:
• Iterates all the loaded drivers, searches for the samba drivers
• Overwrites a SrvTransactionNotImplemented function inside the
SrvTransaction2DispatchTable => backdoor
• Next time someone wants to see if a system ha been compromised, it can
simply “knock” and see if DoublePulsar responds

26. … and HVI Defeats EternalBlue

27. Trick to determine if the OS is 32 or 64 bit
If 32 bit then bail out else continue
execution (in this example) 1
• Read Model Specific Register
(MSR) 0xC0000082 –
IA32_LSTAR MSR – and
save it
• This MSR contains the kernel
address of the SYSCALL
handling routine
• Any SYSCALL made by a
user-mode app will end up
running the code pointed by
IA32_LSTAR
2
The IA32_LSTAR MSR is protected against modifications
• Although the stage 1 payload may get code execution, it cannot
ensure the execution of the main payload; the main payload will
never run
3
MS17-010: Preventing Exploitation

28. MS17-010: Preventing Exploitation
The samba drivers are protected against modifications and the SrvTransaction2DispatchTable is
located inside such a driver (srv.sys)
• The backdoor cannot be installed on the system
• … although it never gets to this, because we already blocked it at stage 1 

29. • Expand the protection over more OS areas (eg. HAL’s heap)
• Prevent credential theft from Windows LSASS
• Integrate more hardware features to accelerate VMI (eg. Intel’s #VE)
• Extract more context out of the guest to improve attack analysis (opened connections, accessed files
etc.)
• Help create an ecosystem for VMI-based security tools to which more organizations can contribute
Future Work

30. 1
Open-source
Collaboration is Key
2
VMI is Changing the
Security Industry
3
Commercial
Implementations Are
Available
Conclusions

31. Time For Questions!