Download as PDF, PPTX
![Events on Xen with Intel CPUs
● Intel Extended Page Tables (EPT)
● Register write events ([X]CR0/3/4, MSRs)
● Software breakpoint interrupts (INT3)
● Single-stepping (MTF)](https://image.slidesharecdn.com/bigtechdayfinal-150812192925-lva1-app6891/75/Cloud-Security-with-LibVMI-45-2048.jpg)
Uploaded byTamas K Lengyel
Cloud Security with LibVMI
The document provides a brief history of hardware security from 1982 to present day, focusing on developments like protected mode, virtualization with Xen and VT-x/AMD-V, the Intel Management Engine, SGX, and virtual machine introspection (VMI). It discusses the core concepts behind VMI including isolation, interpretation, and interposition. LibVMI is introduced as a tool for VMI that allows monitoring VM memory, translating guest virtual addresses, and placing hooks in the guest. Future directions include more guest OS and hypervisor support as well as new event types.
More Related Content
Similar to Cloud Security with LibVMI
![he-dieu-hanh_david-mazieres_l18-virtual-machines - [cuuduongthancong.com].pdf](https://cdn.slidesharecdn.com/ss_thumbnails/he-dieu-hanhdavid-mazieresl18-virtual-machines-cuuduongthancong-230504152824-d5e49a1c-thumbnail.jpg?width=640&height=640&fit=bounds)
Cloud Security with LibVMI
- 2. Outline ● What isthe Cloud? ● Looking at HW based security ● Virtual Machine Introspection ● LibVMI ● Demos ● What’s next?
- 3. What is theCloud? Big Tech Technician End user Management Developers Researcher
- 5. Cloud Security ● Mainlyan issue for the cloud providers ● They need to monitor their virtual hardware ● And for enterprise cloud applications ● They need to monitor their database and webapp ● An end user can only change his password ● He has no access to the underlying hardware/software
- 6. Cloud Security ● Co-resident/breakoutattacks ● Possible ● Network based attacks ● Probable ● Attackers will go after the low-hanging fruit ● We need to leverage Cloud defense mechanisms
- 7. Why should youcare? ● The technology powering the Cloud is also available on end-user systems ● on your phone, PC, tablets.. ● Defense mechanisms that work for the Cloud will work for you!
- 8. Non-comprehensive History of HWSecurity ..in 5 minutes
- 9.
- 10.
- 11.
- 12. 1982: Protected mode Ring2 Ring1 Ring3 Ring0 Application OperatingSystem UnusedMore privilege
- 13.
- 14.
- 15.
- 16. Ring3Ring3 2003: Xen onx86-64 Ring2 Ring1 Ring3 Ring0 OS/Applications Xen Disabled
- 17. 2006: VT-x &AMD-V Ring2 Ring1 Ring3 Ring0 App Operating System Disabled/Unused Ring-1 Hypervisor
- 18. 2006: VT-x &AMD-V Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 VMX root OS/Hypervisor VMX non-root Virtual Machine More privilege
- 19. 2006: VT-x &AMD-V Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 VMX root OS/Hypervisor VMX non-root Virtual Machines
- 20. Psst.. I’m heretoo (since ‘93)! Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 VMX root OS/Hypervisor VMX non-root Virtual Machines Ring-2 System Management Mode
- 21. Psst.. I’m heretoo (since ‘93)! Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 VMX root OS/Hypervisor VMX non-root Virtual Machines System Management Mode Ring2 Ring1 Ring3 Ring0
- 22. 2006?: Intel Dual-monitorSMM Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Secure Transfer Monitor (STM)
- 23. 2008: Intel ManagementEngine Ring-3 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Intel ME
- 25. 2008: Intel ManagementEngine User Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Kernel ARC 600(?)
- 26. 2008: Intel ManagementEngine User Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel ARC 600(?)
- 27.
- 28.
- 29.
- 30. Oh yea, wehave these too.. Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring0 SGX Ring3 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring0 SGX Ring3 SGX Ring3 User Supervisor User Supervisor User Supervisor ARM CPUs in your harddrive, NIC, etc. User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel User Kernel
- 32. The Cloud in2015 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 Ring2 Ring1 Ring3 Ring0 VMX root OS/Hypervisor VMX non-root Virtual Machines
- 33. Securing Virtual Machines ●Security based on the Hypervisor ● Move security stack outside of the OS! ● Monitor o VM Memory o Virtual Hardware state
- 34.
- 35. What is VMI ●View and control virtual machine from an external perspective ● Including o Network o Disk o Memory o vCPU
- 36. VMI - The3 aspects 1. Isolation 2. Interpretation 3. Interposition
- 37. Isolation ● Move securitycomponent outside of the guest operating system ● Hypervisor exposes a smaller attack surface ● Increasingly harder to tamper with or disable security system
- 39. Interposition ● Step intothe execution of the machine ● Prevent attacks from modifying the system (repair hooks, privileges, etc.) ● Needs to be fast, reliable, and stealthy ● Based directly on hardware events
- 40. VMI - The3 aspects 1. Isolation → Hypervisor 2. Interpretation → LibVMI / Volatility 3. Interposition → Intel
- 41.
- 42. Use cases ● System-leveldebugging ● Timeline or trend analysis ● Runtime security ● OS Integrity ● Malware analysis ● Forensics
- 44. Core features ● Readand write VM memory ● Virtual Memory Translation (Paging) o Using various methods (DTB, PID, Kernel Symbol) ● Find and map guest OS data structures ● Place monitoring event-hooks into the guest o Exceptions, Page Faults
- 45. Events on Xenwith Intel CPUs ● Intel Extended Page Tables (EPT) ● Register write events ([X]CR0/3/4, MSRs) ● Software breakpoint interrupts (INT3) ● Single-stepping (MTF)
- 48. What’s next withLibVMI?
- 49. Future directions ● Moreguest OS support: o Android, BSD, etc. ● More (and better) hypervisor support: o KVM events, VirtualBox, Hyper-V, ESXi, etc. ● More events support on more platforms: o AMD, ARM, Intel
- 50. What’s next inthe Cloud?
- 51. Future directions inthe Cloud ● Software developed with Cloud in mind ● Scalable Applications and Separation of Tasks ● Enable VMI in the cloud o The Software and Hardware is already available o Cloud Providers do not provide access
- 52. Thanks! Tamas K Lengyel tamas@tklengyel.com tlengyel@novetta.com @tklengyel ThomasKittel kittel@sec.in.tum.de LibVMI http://libvmi.com DRAKVUF http://drakvuf.com