Virtual Machine Introspection with Xen
Tamas K Lengyel
tamas@tklengyel.com
Virtual Machine Introspection
● Isolation
● Interpretation
● Interposition
Isolation
● From in-guest kernel/userspace
• Provided by Xen
• Buggy emulation blurs the line
● From the trusted computing base (TCB)
• Possible via Xen Security Modules
• Move the introspection system out of dom0!
Xen Security Modules (XSM)
● Usable since Xen 4.3 and Linux 3.8
● Disaggregate the TCB
● Available on both x86 and ARM
● Not enabled by default
Interpretation
● Reconstruct kernel/process state
● Use memory forensic techniques
● LibVMI – http://libvmi.com
Raw guest memory (hex dump of a struct module instance, as shown on the slide):
00 00 00 00 9c 95 ba e0 7c b7 37 c1 6c 6f 6f 70
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 60 ae 27 de c0 4a 80 df
e4 95 ba e0 cc 4a 80 df c0 4a 80 df 6c b0 37 c1
40 35 8e df 03 00 00 00 07 00 00 00 5c c1 c3 e0
00 00 00 00 00 00 00 00 00 70 2a de 00 00 00 00
00 00 00 00 80 7f 33 de 50 c0 c3 e0 60 c0 c3 e0
02 00 00 00 68 c0 c3 e0 02 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 f0 c3 e0 00 00 00 00 00 a0 c3 e0
00 00 00 00 a5 26 00 00 00 00 00 00 3d 1e 00 00
00 00 00 00 02 00 00 00 90 96 ba e0 c8 8f 38 c1
d4 bf c3 e0 c8 c2 c3 e0 c8 c2 c3 e0 20 00 00 00
20 00 00 00 c8 c4 c3 e0 c8 c4 c3 e0 00 1c ba df
00 7f 33 de 00 00 00 00 58 ae 27 de 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 a0 c2 c3 e0 a0 c2 c3 e0 30 84 99 de
b8 bd c3 e0 a8 79 3f fe 00 00 00 00 00 00 00 00

The same bytes interpreted as struct module:
  state          module_state = MODULE_STATE_LIVE
  list           struct list_head { next, prev }
  name           char[60] = "loop"
  mkobj          struct module_kobject { kobj, mod, drivers_dir, mp }
  modinfo_attrs
  version
  src_version
  holders_dir
  syms
  crcs
  num_syms
  ...
  ctors
  num_ctors
Further callouts on the slide: unsigned int = 0; void (*)() = NULL
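The step the figure illustrates, written out as an added example (my code, not the slides' and not LibVMI): take the raw bytes of the dump above and reinterpret them as the head of a 32-bit Linux struct module. The offsets are an assumption that matches the bytes on the slide (state at +0, list.next at +4, list.prev at +8, name[60] at +12); a real profile derives them from the kernel's debug info instead of hard-coding them.

```c
/* Added example, not from the slides or LibVMI: reinterpret a raw guest
 * memory dump as the head of a 32-bit Linux `struct module`, the way a
 * memory-forensics profile lets an introspection tool turn bytes into
 * kernel state. Assumed layout (32-bit kernel, matching the slide's bytes):
 *   +0  enum module_state state
 *   +4  struct list_head list   (next at +4, prev at +8)
 *   +12 char name[60]
 * Real tools derive these offsets from debug info rather than hard-coding. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODULE_STATE_LIVE 0      /* first enumerator of enum module_state */
#define MODULE_NAME_LEN   60
#define OFF_STATE         0
#define OFF_LIST_NEXT     4
#define OFF_LIST_PREV     8
#define OFF_NAME          12

/* First five rows (80 bytes) of the hex dump on the slide, little-endian. */
static const uint8_t slide_dump[80] = {
    0x00,0x00,0x00,0x00, 0x9c,0x95,0xba,0xe0, 0x7c,0xb7,0x37,0xc1, 0x6c,0x6f,0x6f,0x70,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x60,0xae,0x27,0xde, 0xc0,0x4a,0x80,0xdf,
};

struct module_view {
    uint32_t state;
    uint32_t list_next;   /* guest virtual address of the next module on the list */
    uint32_t list_prev;
    char     name[MODULE_NAME_LEN + 1];
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse `len` bytes of guest memory into `out`. Returns 0 on success, -1 if
 * the buffer is too short. The bytes come from an untrusted guest, so the
 * read is bounds-checked and the name is force-terminated. */
int parse_module(const uint8_t *buf, size_t len, struct module_view *out)
{
    if (len < OFF_NAME + MODULE_NAME_LEN)
        return -1;
    out->state     = rd32le(buf + OFF_STATE);
    out->list_next = rd32le(buf + OFF_LIST_NEXT);
    out->list_prev = rd32le(buf + OFF_LIST_PREV);
    memcpy(out->name, buf + OFF_NAME, MODULE_NAME_LEN);
    out->name[MODULE_NAME_LEN] = '\0';
    return 0;
}

/* Parse the slide's dump; returns NULL if it does not fit the layout. */
const struct module_view *parse_slide_dump(void)
{
    static struct module_view view;
    return parse_module(slide_dump, sizeof slide_dump, &view) == 0 ? &view : NULL;
}

int main(void)
{
    const struct module_view *m = parse_slide_dump();
    if (!m) {
        fputs("dump too short\n", stderr);
        return 1;
    }
    printf("state=%u (%s) list.next=0x%08x list.prev=0x%08x name=\"%s\"\n",
           (unsigned)m->state,
           m->state == MODULE_STATE_LIVE ? "MODULE_STATE_LIVE" : "other",
           (unsigned)m->list_next, (unsigned)m->list_prev, m->name);
    return 0;
}
```

The two list pointers are what a tool follows next: from this entry, list.next/list.prev reach the neighbouring modules (and eventually the kernel's module list head), which is how an introspection tool enumerates loaded modules without asking the guest.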
Interposition
● Trap to Xen when something of interest happens within the guest
• Enable optional hardware traps
• CLTS, HLT, LGDT, LIDT, LLDT, LTR, SGDT, MOV from CR3, MOV from CR8, MOV to CR0, MOV to CR3, MOV to CR4, MOV to CR8, MOV DR, MWAIT, INT3, INTO, MTF, etc.
• See the full list in Intel SDM 3C section 25.1.3
Interposition
● Change access permissions in EPT
● Trap violations into Xen
● R/W/X
● With some caveats
EPT caveats
“An EPT violation that occurs during as a result of execution of a read-modify-write operation sets bit 1 (data write). Whether it also sets bit 0 (data read) is implementation-specific and, for a given implementation, may differ for different kinds of read-modify-write operations.” - Intel SDM 3c
EPT caveats
● “Why can't the hardware report the true characteristics right away?” - Jan Beulich
● “when spec says so, there is a reason but I can't tell here. :-)” - Kevin Tian
● Well.. let's just mark all write violations as read violations too..
● Patched in Xen 4.5
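What that normalisation changes, as an added illustration (my code, not Xen's): the low bits of the EPT violation exit qualification say which kind of access faulted, and a mem_access listener is only told about the kinds its restriction forbids. Bit positions follow the Intel SDM (vol. 3C, exit qualification for EPT violations); the ACC_* names mirror Xen's p2m_access_* types, but the classification below is mine, and the `lock add` exit is a constructed input.

```c
/* Added illustration (not Xen code): classify an EPT violation against a
 * mem_access restriction, with and without the Xen 4.5 "every write is also
 * a read" rule from the slide. Bit layout per Intel SDM vol. 3C. */
#include <stdio.h>

/* Exit qualification bits set by hardware on an EPT violation. */
#define EPTQ_READ   (1u << 0)   /* access was a data read          */
#define EPTQ_WRITE  (1u << 1)   /* access was a data write         */
#define EPTQ_FETCH  (1u << 2)   /* access was an instruction fetch */
#define EPTQ_GPA_R  (1u << 3)   /* the GPA was readable in EPT     */
#define EPTQ_GPA_W  (1u << 4)   /* ... writable                    */
#define EPTQ_GPA_X  (1u << 5)   /* ... executable                  */

/* What the introspection tool allows on a page. R=1, W=2, X=4 so the
 * encoding lines up with the low three qualification bits. */
enum access {
    ACC_N = 0, ACC_R = 1, ACC_W = 2, ACC_RW = 3,
    ACC_X = 4, ACC_RX = 5, ACC_WX = 6, ACC_RWX = 7
};

/* Access kinds the guest attempted. Hardware may report a read-modify-write
 * as a pure write; the 4.5 rule treats every write as a read as well. */
unsigned attempted_access(unsigned qual, int write_implies_read)
{
    unsigned a = qual & (EPTQ_READ | EPTQ_WRITE | EPTQ_FETCH);
    if (write_implies_read && (a & EPTQ_WRITE))
        a |= EPTQ_READ;
    return a;
}

/* Bits of the attempted access that the page's mem_access setting forbids;
 * zero means there is nothing to report to the listener. */
unsigned mem_access_violation(unsigned qual, enum access allowed, int write_implies_read)
{
    return attempted_access(qual, write_implies_read) & ~(unsigned)allowed;
}

static void fmt(unsigned bits, char out[4])
{
    out[0] = (bits & EPTQ_READ)  ? 'r' : '-';
    out[1] = (bits & EPTQ_WRITE) ? 'w' : '-';
    out[2] = (bits & EPTQ_FETCH) ? 'x' : '-';
    out[3] = '\0';
}

int main(void)
{
    char a[4], v[4];
    /* Constructed exit: `lock add dword [gpa], 1` on a page the tool set to
     * ACC_N. The CPU reported only "data write"; the page itself had no rights. */
    unsigned rmw = EPTQ_WRITE;

    fmt(attempted_access(rmw, 0), a); fmt(mem_access_violation(rmw, ACC_N, 0), v);
    printf("raw hardware report : attempted=%s violation=%s\n", a, v);
    fmt(attempted_access(rmw, 1), a); fmt(mem_access_violation(rmw, ACC_N, 1), v);
    printf("with 4.5 rule       : attempted=%s violation=%s\n", a, v);

    /* Execution tracing: a fetch from a page the tool left readable/writable. */
    fmt(mem_access_violation(EPTQ_FETCH | EPTQ_GPA_R | EPTQ_GPA_W, ACC_RW, 1), v);
    printf("fetch on ACC_RW page: violation=%s\n", v);
    return 0;
}
```

The rule is deliberately conservative: it can over-report a read on a plain store, but it can never hide the read half of a read-modify-write from a listener that asked to see reads.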
EPT caveats
● Requires relaxing the EPT permissions
● Requires singlestepping the vCPU
● Many VMEXITs not shown in the picture!
● Fixed for Xen 4.6
EPT caveats
● Race condition if the VM has multiple vCPUs
● No solution for this problem prior to Xen 4.6
● New method introduced in Xen 4.6 that solves this: altp2m
altp2m
● Add support for multiple EPTs for the second-stage lookup!
● One table for the “restricted view”
● One table for the “normal view”
altp2m
● The EPT pointer can be swapped in the VMCS
● No need to change EPT PTE permissions all the time
● No race condition
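The race on the preceding slides and the altp2m fix, as an added toy model (my code, not Xen's). To let a trapped write complete, the hypervisor must make the page writable for one instruction: with a single shared EPT that relaxation is visible to every vCPU until the single-step finishes, so another vCPU's write in that window is never trapped; with altp2m only the faulting vCPU's EPTP is switched to the "normal" view while the "restricted" view stays in force for the rest. Page numbers, the two views and the interleaved access schedule are all constructed.

```c
/* Added illustration, not Xen code: a toy model of the multi-vCPU race with
 * one shared EPT versus per-vCPU altp2m views. Both variants still
 * single-step the faulting vCPU (MTF); the difference is the scope of the
 * relaxed permissions while that step is in flight. */
#include <stdbool.h>
#include <stdio.h>

#define NPAGES 4
#define NVCPUS 2
#define PERM_R 1u
#define PERM_W 2u
#define PERM_X 4u
#define PERM_ALL (PERM_R | PERM_W | PERM_X)
#define MONITORED_PAGE 2             /* the tool wants to see every write here */
#define RESTRICTED (PERM_R | PERM_X) /* write-trapped                          */

struct access { int vcpu; int page; unsigned kind; };

/* Constructed schedule. An entry for a vCPU that is mid single-step means its
 * earlier instruction has completed (MTF exit) before this one is attempted. */
static const struct access schedule[] = {
    { 0, MONITORED_PAGE, PERM_W },  /* vCPU0 writes: violation, window opens      */
    { 1, MONITORED_PAGE, PERM_W },  /* vCPU1 writes inside vCPU0's window         */
    { 0, 3,              PERM_R },  /* vCPU0: MTF exit closes the window, then read */
    { 1, 3,              PERM_R },  /* vCPU1 carries on                           */
};
#define NSCHED (int)(sizeof schedule / sizeof schedule[0])

/* Ground truth: writes to the monitored page a perfect monitor would report. */
int monitored_writes(void)
{
    int n = 0;
    for (int i = 0; i < NSCHED; i++)
        if (schedule[i].page == MONITORED_PAGE && (schedule[i].kind & PERM_W))
            n++;
    return n;
}

/* Pre-4.6 style: one EPT shared by all vCPUs. Returns events delivered. */
int run_shared_ept(void)
{
    unsigned ept[NPAGES] = { PERM_ALL, PERM_ALL, RESTRICTED, PERM_ALL };
    bool stepping[NVCPUS] = { false, false };
    int events = 0;

    for (int i = 0; i < NSCHED; i++) {
        const struct access *a = &schedule[i];
        if (stepping[a->vcpu]) {             /* MTF exit: re-arm the trap */
            ept[MONITORED_PAGE] = RESTRICTED;
            stepping[a->vcpu] = false;
        }
        if ((ept[a->page] & a->kind) == 0) { /* EPT violation -> vm_event */
            events++;
            ept[a->page] = PERM_ALL;         /* relax so the instruction can run */
            stepping[a->vcpu] = true;        /* single-step just this vCPU */
        }
        /* otherwise the access silently succeeds, whichever vCPU made it */
    }
    return events;
}

/* altp2m: view 0 = normal, view 1 = restricted; each vCPU has its own EPTP. */
int run_altp2m(void)
{
    unsigned view[2][NPAGES] = {
        { PERM_ALL, PERM_ALL, PERM_ALL,   PERM_ALL },
        { PERM_ALL, PERM_ALL, RESTRICTED, PERM_ALL },
    };
    int cur[NVCPUS] = { 1, 1 };              /* everyone starts restricted */
    bool stepping[NVCPUS] = { false, false };
    int events = 0;

    for (int i = 0; i < NSCHED; i++) {
        const struct access *a = &schedule[i];
        if (stepping[a->vcpu]) {             /* MTF exit: back to the restricted view */
            cur[a->vcpu] = 1;
            stepping[a->vcpu] = false;
        }
        if ((view[cur[a->vcpu]][a->page] & a->kind) == 0) {
            events++;
            cur[a->vcpu] = 0;                /* swap EPTP for this vCPU only */
            stepping[a->vcpu] = true;
        }
    }
    return events;
}

int main(void)
{
    printf("writes to trace     : %d\n", monitored_writes());
    printf("shared EPT reported : %d (missed %d)\n", run_shared_ept(),
           monitored_writes() - run_shared_ept());
    printf("altp2m reported     : %d\n", run_altp2m());
    return 0;
}
```

The missed event is not a bug in the listener: from its point of view vCPU1's write never caused a VMEXIT, which is exactly the gap a rootkit running on a second vCPU could exploit on a pre-4.6 setup.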
Interposition
● Once trapped to Xen, forward events
• Formerly known as mem_event
• Renamed and reworked as vm_event in 4.6
● Request/response via a shared memory ring
• Monitor page used for VMI-related events
• Two additional pages: memory sharing and paging
vm_event & mem_access & monitor
● Let's keep track of subsystem names
● vm_event is the underlying request/response mechanism
● mem_access memops control EPT
● monitor_op domctls control all other optional VM execution traps
Event delivery structures in 4.6
● Defined in the xen/vm_event.h public header
● Easily extendable and versioned
● No more hackery
● Event response can trigger specific behavior without additional hypercalls
• Trigger emulation, singlestepping, swap altp2m...
VMI with Xen on ARM
● ARM has two-stage paging similar to EPT
● mem_access implemented for 4.6
● Some caveats:
• No singlestepping?
• Can be worked around but it's a pain
• Split-TLB ambiguities
ARM mem_access
● ARM PTEs have fewer software-programmable bits compared to EPT
● ARM mem_access requires maintaining a radix tree to keep track of PTEs with custom permissions
● Radix tree keyed by GPA
ARM mem_access
● For a 2nd-stage violation ARM provides the faulting GVA
● GPA only provided if the fault happened during the 1st-stage page-table walk
● Xen needs to translate GVA to GPA to perform the radix-tree lookup
ARM mem_access
● Native CPU instructions to perform GVA to GPA translation
● Performs the lookup as a data-fetch access
● What if we trapped an instruction-fetch access?
• In-guest translation hits the iTLB
• Xen hits the dTLB
ARM Split-TLB problem
● Split-TLB is a real rootkit problem
• ShadowWalker, MoRE, etc..
● Guest can load the iTLB with the rootkit page and the dTLB with a benign page
● Flushing the TLB does not help: the iTLB translation may be lost if the PT no longer represents the cached translation
ARM future work
● Execution tracing with mem_access may be problematic
● Use Secure Monitor Call (SMC) instruction injection!
● Similar to 0xCC injection on x86
● TODO
x86 future work
● altp2m is primarily designed to be used with Intel #VE
● VMCALL instruction to perform EPTP switching from the guest
● Hybrid VMI
● KVM events
Lessons learnt
● Why aren't we using git pulls?
• Patches on the mailing list without a branch-off point specified
• Carving patches from an mbox is a pain
• Start providing a public git branch for your series!!
Lessons learnt
● Provide build-testing for the community
• It's a waste of time to wait for review on something that's broken
• Check for style issues automatically?
• Travis-CI is OK but can time out on large series
• https://github.com/tklengyel/xen/tree/travis
Thanks!
Tamas K Lengyel
tamas@tklengyel.com
tlengyel@novetta.com
@tklengyel
LibVMI http://libvmi.com
DRAKVUF http://drakvuf.com

More Related Content

What's hot

VM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with XenVM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with XenTamas K Lengyel
 
VM Forking and Hypervisor-based fuzzing
VM Forking and Hypervisor-based fuzzingVM Forking and Hypervisor-based fuzzing
VM Forking and Hypervisor-based fuzzingTamas K Lengyel
 
Cloud Security with LibVMI
Cloud Security with LibVMICloud Security with LibVMI
Cloud Security with LibVMITamas K Lengyel
 
31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine Introspection31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine IntrospectionTamas K Lengyel
 
Virtual Machine Introspection with Xen on ARM
Virtual Machine Introspection with Xen on ARMVirtual Machine Introspection with Xen on ARM
Virtual Machine Introspection with Xen on ARMTamas K Lengyel
 
Масштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google ChromeМасштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google ChromePositive Hack Days
 
Применение виртуализации для динамического анализа
Применение виртуализации для динамического анализаПрименение виртуализации для динамического анализа
Применение виртуализации для динамического анализаPositive Hack Days
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel ExploitationzeroSteiner
 
Troopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUFTroopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUFTamas K Lengyel
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
Virtual Machine Introspection in a Hyberid Honeypot Architecture
Virtual Machine Introspection in a Hyberid Honeypot ArchitectureVirtual Machine Introspection in a Hyberid Honeypot Architecture
Virtual Machine Introspection in a Hyberid Honeypot ArchitectureTamas K Lengyel
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODEPeter Hlavaty
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?zeroSteiner
 
Malware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationMalware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationTamas K Lengyel
 
Linux Locking Mechanisms
Linux Locking MechanismsLinux Locking Mechanisms
Linux Locking MechanismsKernel TLV
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Shota Shinogi
 
Fun With Dr Brown
Fun With Dr BrownFun With Dr Brown
Fun With Dr BrownzeroSteiner
 
How to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One ExploitHow to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One ExploitJiahong Fang
 
Kernel Recipes 2015 - So you want to write a Linux driver framework
Kernel Recipes 2015 - So you want to write a Linux driver frameworkKernel Recipes 2015 - So you want to write a Linux driver framework
Kernel Recipes 2015 - So you want to write a Linux driver frameworkAnne Nicolas
 

What's hot (20)

VM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with XenVM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with Xen
 
VM Forking and Hypervisor-based fuzzing
VM Forking and Hypervisor-based fuzzingVM Forking and Hypervisor-based fuzzing
VM Forking and Hypervisor-based fuzzing
 
Cloud Security with LibVMI
Cloud Security with LibVMICloud Security with LibVMI
Cloud Security with LibVMI
 
31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine Introspection31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine Introspection
 
Virtual Machine Introspection with Xen on ARM
Virtual Machine Introspection with Xen on ARMVirtual Machine Introspection with Xen on ARM
Virtual Machine Introspection with Xen on ARM
 
Масштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google ChromeМасштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google Chrome
 
Применение виртуализации для динамического анализа
Применение виртуализации для динамического анализаПрименение виртуализации для динамического анализа
Применение виртуализации для динамического анализа
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
 
Troopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUFTroopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUF
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
 
Virtual Machine Introspection in a Hyberid Honeypot Architecture
Virtual Machine Introspection in a Hyberid Honeypot ArchitectureVirtual Machine Introspection in a Hyberid Honeypot Architecture
Virtual Machine Introspection in a Hyberid Honeypot Architecture
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODE
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?
 
Malware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationMalware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware Virtualization
 
Linux Locking Mechanisms
Linux Locking MechanismsLinux Locking Mechanisms
Linux Locking Mechanisms
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT Suite
 
Fun With Dr Brown
Fun With Dr BrownFun With Dr Brown
Fun With Dr Brown
 
How to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One ExploitHow to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One Exploit
 
Kernel Recipes 2015 - So you want to write a Linux driver framework
Kernel Recipes 2015 - So you want to write a Linux driver frameworkKernel Recipes 2015 - So you want to write a Linux driver framework
Kernel Recipes 2015 - So you want to write a Linux driver framework
 

Similar to Virtual Machine Introspection with Xen

SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMUSFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMULinaro
 
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilitiesBlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilitiesBlueHat Security Conference
 
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...PROIDEA
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
 
Advanced Root Cause Analysis
Advanced Root Cause AnalysisAdvanced Root Cause Analysis
Advanced Root Cause AnalysisEric Sloof
 
Lcu14 101- coresight overview
Lcu14 101- coresight overviewLcu14 101- coresight overview
Lcu14 101- coresight overviewLinaro
 
Troubleshooting Complex Performance issues - Oracle SEG$ contention
Troubleshooting Complex Performance issues - Oracle SEG$ contentionTroubleshooting Complex Performance issues - Oracle SEG$ contention
Troubleshooting Complex Performance issues - Oracle SEG$ contentionTanel Poder
 
20150918 klug el performance tuning-v1.4
20150918 klug el performance tuning-v1.420150918 klug el performance tuning-v1.4
20150918 klug el performance tuning-v1.4Jinkoo Han
 
LCA14: LCA14-412: GPGPU on ARM SoC session
LCA14: LCA14-412: GPGPU on ARM SoC sessionLCA14: LCA14-412: GPGPU on ARM SoC session
LCA14: LCA14-412: GPGPU on ARM SoC sessionLinaro
 
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]RootedCON
 
Armboot process zeelogic
Armboot process zeelogicArmboot process zeelogic
Armboot process zeelogicAleem Shariff
 
Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021Jian-Hong Pan
 
Buiding a better Userspace - The current and future state of QEMU and KVM int...
Buiding a better Userspace - The current and future state of QEMU and KVM int...Buiding a better Userspace - The current and future state of QEMU and KVM int...
Buiding a better Userspace - The current and future state of QEMU and KVM int...aliguori
 
Core Scheduling for Virtualization: Where are We? (If we Want it!)
Core Scheduling for Virtualization: Where are We? (If we Want it!)Core Scheduling for Virtualization: Where are We? (If we Want it!)
Core Scheduling for Virtualization: Where are We? (If we Want it!)Dario Faggioli
 
Spectre and meltdown
Spectre and meltdownSpectre and meltdown
Spectre and meltdownAditya Kamat
 
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsJonathan Salwan
 

Similar to Virtual Machine Introspection with Xen (20)

SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMUSFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
 
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilitiesBlueHat v18 || A mitigation for kernel toctou vulnerabilities
BlueHat v18 || A mitigation for kernel toctou vulnerabilities
 
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
 
Java Memory Model
Java Memory ModelJava Memory Model
Java Memory Model
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
 
Analisis_avanzado_vmware
Analisis_avanzado_vmwareAnalisis_avanzado_vmware
Analisis_avanzado_vmware
 
Advanced Root Cause Analysis
Advanced Root Cause AnalysisAdvanced Root Cause Analysis
Advanced Root Cause Analysis
 
Lcu14 101- coresight overview
Lcu14 101- coresight overviewLcu14 101- coresight overview
Lcu14 101- coresight overview
 
Troubleshooting Complex Performance issues - Oracle SEG$ contention
Troubleshooting Complex Performance issues - Oracle SEG$ contentionTroubleshooting Complex Performance issues - Oracle SEG$ contention
Troubleshooting Complex Performance issues - Oracle SEG$ contention
 
20150918 klug el performance tuning-v1.4
20150918 klug el performance tuning-v1.420150918 klug el performance tuning-v1.4
20150918 klug el performance tuning-v1.4
 
LCA14: LCA14-412: GPGPU on ARM SoC session
LCA14: LCA14-412: GPGPU on ARM SoC sessionLCA14: LCA14-412: GPGPU on ARM SoC session
LCA14: LCA14-412: GPGPU on ARM SoC session
 
VXCON 2017
VXCON 2017VXCON 2017
VXCON 2017
 
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]
 
Armboot process zeelogic
Armboot process zeelogicArmboot process zeelogic
Armboot process zeelogic
 
Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021
 
Buiding a better Userspace - The current and future state of QEMU and KVM int...
Buiding a better Userspace - The current and future state of QEMU and KVM int...Buiding a better Userspace - The current and future state of QEMU and KVM int...
Buiding a better Userspace - The current and future state of QEMU and KVM int...
 
Core Scheduling for Virtualization: Where are We? (If we Want it!)
Core Scheduling for Virtualization: Where are We? (If we Want it!)Core Scheduling for Virtualization: Where are We? (If we Want it!)
Core Scheduling for Virtualization: Where are We? (If we Want it!)
 
Spectre and meltdown
Spectre and meltdownSpectre and meltdown
Spectre and meltdown
 
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protections
 

More from Tamas K Lengyel

Estimating Security Risk Through Repository Mining
Estimating Security Risk Through Repository MiningEstimating Security Risk Through Repository Mining
Estimating Security Risk Through Repository MiningTamas K Lengyel
 
Anti-evil maid with UEFI and Xen
Anti-evil maid with UEFI and XenAnti-evil maid with UEFI and Xen
Anti-evil maid with UEFI and XenTamas K Lengyel
 
Stealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisStealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisTamas K Lengyel
 
CyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and ProtectCyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and ProtectTamas K Lengyel
 
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and CloningNSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and CloningTamas K Lengyel
 
Dfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopDfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopTamas K Lengyel
 

More from Tamas K Lengyel (6)

Estimating Security Risk Through Repository Mining
Estimating Security Risk Through Repository MiningEstimating Security Risk Through Repository Mining
Estimating Security Risk Through Repository Mining
 
Anti-evil maid with UEFI and Xen
Anti-evil maid with UEFI and XenAnti-evil maid with UEFI and Xen
Anti-evil maid with UEFI and Xen
 
Stealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisStealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware Analysis
 
CyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and ProtectCyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and Protect
 
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and CloningNSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
 
Dfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopDfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshop
 

Recently uploaded

Lessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdfLessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdfSrushith Repakula
 
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Andrea Goulet
 
Workforce Efficiency with Employee Time Tracking Software.pdf
Workforce Efficiency with Employee Time Tracking Software.pdfWorkforce Efficiency with Employee Time Tracking Software.pdf
Workforce Efficiency with Employee Time Tracking Software.pdfDeskTrack
 
Malaysia E-Invoice digital signature docpptx
Malaysia E-Invoice digital signature docpptxMalaysia E-Invoice digital signature docpptx
Malaysia E-Invoice digital signature docpptxMok TH
 
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product UpdatesGraphSummit Stockholm - Neo4j - Knowledge Graphs and Product Updates
GraphSummit Stockholm - Neo4j - Knowledge Graphs and Product UpdatesNeo4j
 
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)Gáspár Nagy
 
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...naitiksharma1124
 
Jax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined DeckJax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined DeckMarc Lester
 
What need to be mastered as AI-Powered Java Developers
What need to be mastered as AI-Powered Java DevelopersWhat need to be mastered as AI-Powered Java Developers
What need to be mastered as AI-Powered Java DevelopersEmilyJiang23
 
Salesforce Introduced Zero Copy Partner Network to Simplify the Process of In...
Salesforce Introduced Zero Copy Partner Network to Simplify the Process of In...Salesforce Introduced Zero Copy Partner Network to Simplify the Process of In...
Salesforce Introduced Zero Copy Partner Network to Simplify the Process of In...CloudMetic
 
A Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data MigrationA Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data MigrationHelp Desk Migration
 
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdfMicrosoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdfQ-Advise
 
Sourcing Success - How to Find a Clothing Manufacturer
Sourcing Success - How to Find a Clothing ManufacturerSourcing Success - How to Find a Clothing Manufacturer
Sourcing Success - How to Find a Clothing ManufacturerWave PLM
 
INGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignINGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignNeo4j
 
OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024Shane Coughlan
 
The Impact of PLM Software on Fashion Production
The Impact of PLM Software on Fashion ProductionThe Impact of PLM Software on Fashion Production
The Impact of PLM Software on Fashion ProductionWave PLM
 
KLARNA - Language Models and Knowledge Graphs: A Systems Approach
KLARNA -  Language Models and Knowledge Graphs: A Systems ApproachKLARNA -  Language Models and Knowledge Graphs: A Systems Approach
KLARNA - Language Models and Knowledge Graphs: A Systems ApproachNeo4j
 
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit MilanWorkshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit MilanNeo4j
 

Recently uploaded (20)

Lessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdfLessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdf
 
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
 
Workforce Efficiency with Employee Time Tracking Software.pdf
Workforce Efficiency with Employee Time Tracking Software.pdfWorkforce Efficiency with Employee Time Tracking Software.pdf
Workforce Efficiency with Employee Time Tracking Software.pdf
 
Malaysia E-Invoice digital signature docpptx
Malaysia E-Invoice digital signature docpptxMalaysia E-Invoice digital signature docpptx
Malaysia E-Invoice digital signature docpptx
 

Virtual Machine Introspection with Xen

1. Virtual Machine Introspection with Xen
Tamas K Lengyel, tamas@tklengyel.com

2. Virtual Machine Introspection
● Isolation
● Interpretation
● Interposition

3. Isolation
● From the in-guest kernel/userspace
  • Provided by Xen
  • Buggy emulation blurs the line
● From the trusted computing base (TCB)
  • Possible via Xen Security Modules
  • Move the introspection system out of dom0!

4. Xen Security Modules (XSM)
● Usable since Xen 4.3 and Linux 3.8
● Disaggregate the TCB
● Available on both x86 and ARM
● Not enabled by default

5. Interpretation
● Reconstruct kernel/process state
● Use memory forensic techniques
● LibVMI – http://libvmi.com

Figure on the slide: a raw memory dump annotated as a struct module.

00 00 00 00 9c 95 ba e0 7c b7 37 c1 6c 6f 6f 70
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 60 ae 27 de c0 4a 80 df
e4 95 ba e0 cc 4a 80 df c0 4a 80 df 6c b0 37 c1
40 35 8e df 03 00 00 00 07 00 00 00 5c c1 c3 e0
00 00 00 00 00 00 00 00 00 70 2a de 00 00 00 00
00 00 00 00 80 7f 33 de 50 c0 c3 e0 60 c0 c3 e0
02 00 00 00 68 c0 c3 e0 02 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 f0 c3 e0 00 00 00 00 00 a0 c3 e0
00 00 00 00 a5 26 00 00 00 00 00 00 3d 1e 00 00
00 00 00 00 02 00 00 00 90 96 ba e0 c8 8f 38 c1
d4 bf c3 e0 c8 c2 c3 e0 c8 c2 c3 e0 20 00 00 00
20 00 00 00 c8 c4 c3 e0 c8 c4 c3 e0 00 1c ba df
00 7f 33 de 00 00 00 00 58 ae 27 de 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 a0 c2 c3 e0 a0 c2 c3 e0 30 84 99 de
b8 bd c3 e0 a8 79 3f fe 00 00 00 00 00 00 00 00

struct module fields labelled in the figure: state, list, name, mkobj, modinfo_attrs, version, src_version, holders_dir, syms, crcs, num_syms, ..., ctors, num_ctors

Annotations in the figure:
  state: module_state = MODULE_STATE_LIVE
  list: struct list_head { next, prev }
  name: char[60] = "loop"
  mkobj: struct module_kobject { kobj, mod, drivers_dir, mp }
  unsigned int = 0
  void (*)() = NULL
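As an added example (not code from the slides or from LibVMI), here is the interpretation step applied to the dump above: a small layout profile for the struct module the figure annotates, the first five rows of the dump embedded inline, and the container_of() arithmetic a walk of the module list needs. The field offsets (state at 0, list at 4, name at 12) and the 32-bit little-endian pointer width are assumptions read off the figure; a 64-bit guest needs a different profile.

```python
"""Interpretation: turn raw guest memory into a typed kernel object using a
layout profile, as LibVMI/Volatility-style tooling does.

Added example, not code from the slides or from LibVMI. Assumptions: the
32-bit little-endian struct module layout the figure annotates (state at
offset 0, list at 4, name at 12); a 64-bit guest needs a different profile.
"""
import struct

# First five rows (80 bytes) of the hex dump shown on the slide.
DUMP = bytes.fromhex(" ".join([
    "00 00 00 00 9c 95 ba e0 7c b7 37 c1 6c 6f 6f 70",
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "00 00 00 00 00 00 00 00 60 ae 27 de c0 4a 80 df",
]))

# Layout profile: field -> (offset, struct format). A real tool loads these
# from a kernel-specific profile instead of hard-coding them.
PROFILE = {
    "state":     (0,  "<I"),   # enum module_state
    "list.next": (4,  "<I"),   # struct list_head list (32-bit pointers)
    "list.prev": (8,  "<I"),
    "name":      (12, "60s"),  # char name[60]
}
LIST_OFFSET = PROFILE["list.next"][0]   # offsetof(struct module, list)

# enum module_state as defined in the Linux kernel (UNFORMED since 3.8).
MODULE_STATES = {
    0: "MODULE_STATE_LIVE",
    1: "MODULE_STATE_COMING",
    2: "MODULE_STATE_GOING",
    3: "MODULE_STATE_UNFORMED",
}


def read_field(buf, field):
    """Read one profile field from the raw bytes; C strings are NUL-trimmed."""
    offset, fmt = PROFILE[field]
    (value,) = struct.unpack_from(fmt, buf, offset)
    if fmt.endswith("s"):
        value = value.split(b"\0", 1)[0].decode("ascii", errors="replace")
    return value


def parse_module(buf):
    """Reconstruct the labelled struct module fields from a memory snapshot."""
    mod = {field: read_field(buf, field) for field in PROFILE}
    mod["state_name"] = MODULE_STATES.get(mod["state"],
                                          "unknown(%d)" % mod["state"])
    return mod


def container_of(member_addr, member_offset=LIST_OFFSET):
    """Kernel container_of(): list.next points at the *list member* inside the
    next struct module, so the object itself starts member_offset bytes lower.
    This is how a tool steps from one reconstructed entry to the next."""
    return (member_addr - member_offset) & 0xFFFFFFFF


def sanity_check(mod):
    """Checks a forensic tool applies before trusting a reconstructed object;
    a garbage or tampered object usually fails at least one of them."""
    problems = []
    if mod["state"] not in MODULE_STATES:
        problems.append("state out of range")
    if not mod["name"] or not mod["name"].isprintable():
        problems.append("name is empty or not printable")
    for ptr in ("list.next", "list.prev"):
        if mod[ptr] == 0:
            problems.append(ptr + " is NULL")
    return problems


if __name__ == "__main__":
    m = parse_module(DUMP)
    print("%s  state=%s  next=%#x  prev=%#x" %
          (m["name"], m["state_name"], m["list.next"], m["list.prev"]))
    print("next struct module at %#x" % container_of(m["list.next"]))
    print("problems:", sanity_check(m))
```

The whole step is profile-driven: the bytes carry no type information, so a profile that does not match the guest kernel yields confidently wrong objects rather than an error, which is why the sanity checks belong in every such tool.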
6. Interposition
● Trap to Xen when something of interest happens within the guest
  • Enable optional hardware traps
  • CLTS, HLT, LGDT, LIDT, LLDT, LTR, SGDT, MOV from CR3, MOV from CR8, MOV to CR0, MOV to CR3, MOV to CR4, MOV to CR8, MOV DR, MWAIT, INT3, INTO, MTF, etc.
  • See the full list in Intel SDM 3c 25.1.3

7. Interposition
● Change access permissions in the EPT
● Trap the violation into Xen
● R/W/X
● With some caveats

8. EPT caveats
“An EPT violation that occurs during as a result of execution of a read-modify-write operation sets bit 1 (data write). Whether it also sets bit 0 (data read) is implementation-specific and, for a given implementation, may differ for different kinds of read-modify-write operations.” - Intel SDM 3c

9. EPT caveats
● “Why can't the hardware report the true characteristics right away?” - Jan Beulich
● “when spec says so, there is a reason but I can't tell here. :-)” - Kevin Tian
● Well... let's just mark every write violation as a read violation too...
● Patched in Xen 4.5
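The caveat on the two slides above, as an added example that is not Xen code: a decoder for the EPT-violation exit qualification (bit positions as given in the Intel SDM Vol. 3C: bits 0-2 report the faulting access as data read, data write or instruction fetch, bits 3-5 report whether the page was readable, writable or executable) together with the Xen 4.5 rule that treats every write violation as a read violation too, so that a read-modify-write instruction whose read half the hardware did not report still reaches a monitor that asked to be told about reads. The sample qualification values are constructed.

```python
"""Decode an EPT-violation exit qualification and apply the Xen 4.5
work-around from the slides: report every write violation as a read violation
too, because for read-modify-write instructions the hardware may or may not
set the data-read bit.

Added example, not Xen code. Bit positions follow the Intel SDM Vol. 3C
(exit qualification for EPT violations); the sample values are constructed.
"""

# Bits 0-2: the access that caused the violation.
EPT_ACCESS_READ = 1 << 0    # data read
EPT_ACCESS_WRITE = 1 << 1   # data write
EPT_ACCESS_EXEC = 1 << 2    # instruction fetch
# Bits 3-5: what the EPT paging-structure entry allowed for the page.
EPT_PAGE_R = 1 << 3
EPT_PAGE_W = 1 << 4
EPT_PAGE_X = 1 << 5


def decode_ept_violation(qualification, assume_rmw_sets_read=True):
    """Return (access, allowed): which kinds of access faulted and which the
    page permitted. With assume_rmw_sets_read the Xen 4.5 rule is applied."""
    access = {
        "r": bool(qualification & EPT_ACCESS_READ),
        "w": bool(qualification & EPT_ACCESS_WRITE),
        "x": bool(qualification & EPT_ACCESS_EXEC),
    }
    allowed = {
        "r": bool(qualification & EPT_PAGE_R),
        "w": bool(qualification & EPT_PAGE_W),
        "x": bool(qualification & EPT_PAGE_X),
    }
    # Xen 4.5 work-around: a write implies a read, whatever bit 0 says.
    if assume_rmw_sets_read and access["w"]:
        access["r"] = True
    return access, allowed


def perm_string(perms):
    """Render a permission dict as 'rwx'-style text, e.g. '--x'."""
    return "".join(kind if perms[kind] else "-" for kind in "rwx")


def violation_of_interest(qualification, watched, assume_rmw_sets_read=True):
    """Should this violation be forwarded to the monitor? `watched` is the set
    of access kinds ('r', 'w', 'x') the monitor asked to be told about."""
    access, _ = decode_ept_violation(qualification, assume_rmw_sets_read)
    return any(access[kind] for kind in watched)


def describe(qualification):
    """One-line summary of a violation, e.g. 'access=rw- page=--x'."""
    access, allowed = decode_ept_violation(qualification)
    return "access=%s page=%s" % (perm_string(access), perm_string(allowed))


if __name__ == "__main__":
    # Constructed: a read-modify-write (e.g. `lock add [mem], 1`) on a page the
    # monitor made execute-only, reported with bit 0 clear as some
    # implementations do.
    RMW_ON_EXEC_ONLY = EPT_ACCESS_WRITE | EPT_PAGE_X            # 0b100010
    print(describe(RMW_ON_EXEC_ONLY))                           # access=rw- page=--x
    print(violation_of_interest(RMW_ON_EXEC_ONLY, {"r"}))       # True (4.5 rule)
    print(violation_of_interest(RMW_ON_EXEC_ONLY, {"r"}, False))  # False (before)
```

An EPT entry that is writable but not readable is a misconfiguration, so a page whose reads are trapped traps writes as well; what the work-around changes is therefore the access type carried in the event, not whether an event is raised, and a handler that filters on the read flag is what it protects.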
10. EPT caveats
● Requires relaxing the EPT permissions
● Requires singlestepping the vCPU
● Many VMEXITs not shown in the picture!
● Fixed for Xen 4.6

11. EPT caveats
● Race condition if the VM has multiple vCPUs
● No solution for this problem prior to Xen 4.6
● New method introduced in Xen 4.6 that solves this: altp2m

12. altp2m
● Add support for multiple EPTs for the second-stage lookup!
● One table for the “restricted view”
● One table for the “normal view”

13. altp2m
● The EPT pointer can be swapped in the VMCS
● No need to change EPT PTE permissions all the time
● No race condition

14. Interposition
● Once trapped to Xen, forward events
  • Formerly known as mem_event
  • Renamed and reworked as vm_event in 4.6
● Request/response via a shared memory ring
  • Monitor page used for VMI-related events
  • Two additional pages: memory sharing and paging

15. vm_event & mem_access & monitor
● Let's keep track of the subsystem names
● vm_event is the underlying request/response mechanism
● mem_access memops control the EPT
● monitor_op domctls control all other optional VM execution traps

16. Event delivery structures in 4.6
● Defined in the xen/vm_event.h public header
● Easily extendable and versioned
● No more hackery
● An event response can trigger specific behaviour without additional hypercalls
  • Trigger emulation, singlestepping, swap altp2m...

17. VMI with Xen on ARM
● ARM has two-stage paging similar to EPT
● mem_access implemented for 4.6
● Some caveats:
  • No singlestepping?
  • Can be worked around, but it's a pain
  • Split-TLB ambiguities

18. ARM mem_access
● ARM PTEs have fewer software-programmable bits than EPT entries
● ARM mem_access requires maintaining a radix tree to keep track of PTEs with custom permissions
● The radix tree is keyed by GPA

19. ARM mem_access
● For a 2nd-stage violation ARM provides the faulting GVA
● The GPA is only provided if the fault happened during a 1st-stage page-table walk
● Xen needs to translate the GVA to a GPA to perform the radix-tree lookup

20. ARM mem_access
● Native CPU instructions perform the GVA-to-GPA translation
● The lookup is performed as a data-fetch access
● What if we trapped an instruction-fetch access?
  • The in-guest translation hits the iTLB
  • Xen hits the dTLB

21. ARM Split-TLB problem
● Split-TLB is a real rootkit problem
  • ShadowWalker, MoRE, etc.
● A guest can load the iTLB with the rootkit page and the dTLB with a benign page
● Flushing the TLB does not help: the iTLB translation may be lost if the page table no longer represents the cached translation

22. ARM future work
● Execution tracing with mem_access may be problematic
● Use Secure Monitor Call (SMC) instruction injection!
● Similar to 0xCC injection on x86
● TODO

23. x86 future work
● altp2m is primarily designed to be used with Intel #VE
● VMCALL instruction to perform EPTP switching from the guest
● Hybrid VMI
● KVM events

24. Lessons learnt
● Why aren't we using git pulls?
  • Patches on the mailing list without a branch-off point specified
  • Carving patches from an mbox is a pain
  • Start providing a public git branch for your series!!

25. Lessons learnt
● Provide build-testing for the community
  • It's a waste of time to wait for review on something that's broken
  • Check for style issues automatically?
  • Travis-CI is OK but can time out on large series
  • https://github.com/tklengyel/xen/tree/travis