OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of Emerging Threats - Mihai Donțu & Andrei Florescu, Bitdefender

This presentation covers a real-world case study of Bitdefender Hypervisor Introspection (HVI) that is based on Xen Project software. On April 14th, The Shadow Brokers released the EternalBlue exploit toolkit, which exploited an SMBv1 vulnerability across a wide range of Windows operating systems. The exploit was most famously used as a propagation mechanism for the WannaCry ransomware. HVI prevented exploitation attempts with no prior knowledge of the exploit or underlying vulnerability. This talk covers the exploit mechanism, how HVI detects its actions, and illustrates some of the advantages of HVI built through open source collaboration. Audience members will take away a better understanding of this type of exploit and of how hypervisor introspection, and security through a hypervisor approach in general, can help companies avoid these types of new exploits.


  1. How Open Source Project Xen Puts Security Ahead of Emerging Threats. Mihai Donțu, Bitdefender; Andrei Florescu, Bitdefender
  2. In An Ideal World…
  3. OSes would be designed differently. Humans would not code.
  4. … In The Real World
  5. OSes are flawed by design. Humans (still) code.
  6. Perfect St[w]orms
     - Vulnerability in widely-used services or protocols
     - Vulnerable service exposed to the outside world
     - Vulnerability remotely exploitable
     - Both servers and workstations vulnerable
     - Vulnerability affects the OS kernel
     - "Wormable"
  7. Some Examples?
  8. MS08-067 – MS NetAPI32 Vulnerability (timeline)
     - 1 AD…: Vulnerability present and exploitable
     - 09/25/2008: MS caught wind of the 0-day through WER*
     - 10/23/2008: Out-of-band patch released
     - 11/2008: Conficker/Downadup worm released in the wild
     - 1/2009: Infected >9 million systems, including defense, government and commercial
     - \* https://blogs.technet.microsoft.com/johnla/2015/09/26/the-inside-story-behind-ms08-067/
  9. … 9 years later
  10. MS17-010 – MS SMB v1 Vulnerability (EternalBlue) (timeline)
      - 1 AD…: Vulnerability present and exploitable
      - 3/14/2017: MS released patch (on a Tuesday)
      - 4/14/2017: Some bad people released a public exploit - EternalBlue
      - 5/12/2017: WannaCry released in the wild. Over 300k systems infected in 3 days.
      - 6/27/2017: NotPetya (or something) released
      - \* https://businessinsights.bitdefender.com/hypervisor-introspection-defeated-enternalblue-a-priori
  11. So What Really Changed?
  12. In Reality…
      - Vulns & Exploit Branding!
      - OS-based Exploit Mitigation: ASLR, DEP, SafeSEH, SEHOP
      - In-Guest Security Tools: Next-Gen Stuff, Endpoint Detection and Response (EDR), Threat-hunting, Incident Response, Sandboxing
      - ?
  13. Back To The Ideal World… (Vulns & Exploit Branding! / OS-based Exploit Mitigation / In-Guest Security Tools / ?)
      - Generic Exploit Prevention
      - No Prior Knowledge Required
      - Real-Time Alerts
      - Forensics Details Provided
      - Isolated From Attackable Surface
  14. HVI Demo: Defeating EternalBlue
  15. Open Source Collaboration
  16. Project History
      - 2003: First notable academic research (by Garfinkel & Rosenblum)
      - 2008: First proof of concept on Xen (Ether)
      - 2010: Started working on a VMI-based security technology using a custom hypervisor
      - 2012: First proof of concept with Xen
      - 2014: Started working with the Xen Project community on improving and extending Xen's VMI features
      - 2014: Intel announced the first CPU features aimed at speeding up VMI
      - 2016: First beta for Bitdefender's HVI technology
      - 2017: First commercial release with Citrix XenServer 7.0 (Xen 4.6)
  17. How HVI Works
      - Uses the VMI capabilities of Xen (xen-access, vm-events)
      - Builds a "shadow" state of the OS
      - Enforces certain access restrictions on:
        - Code (kernel or user application)
        - Stack
        - Heap
        - Data
        - Driver Objects (Windows)
        - IDT/GDT etc.
        - Sensitive MSRs (e.g. MSR_LSTAR)
  18. Architecture Overview
      - Guests (each with Critical Memory Access)
      - XenServer Hypervisor: Networking, Storage, Compute
      - XenServer Control Domain (dom0)
      - Security Appliance (domU): Memory Introspection Engine
      - Direct Inspect APIs
  19. A Closer Look: EternalBlue
  20. MS17-010: The Vulnerability
      - Integer Overflow: DWORD subtracted into a WORD
      - Buffer Overflow: memmove operation in srv!SrvOs2FeaToNt
      - Arbitrary write-what-where primitive (classic heap spraying & grooming to gain RCE)
      - RIP is hijacked in srvnet!SrvNetWskReceiveComplete
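The slide names the root cause as a DWORD subtracted into a WORD. As an added illustration of that bug class (not code from the talk, from Bitdefender, or from srv.sys; the field sizes, buffer sizes and values are constructed), here is the narrowing pattern next to a checked version that refuses any length the WORD cannot represent:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Bug class from the slide: a 32-bit length difference is stored into a
 * 16-bit field, so the value that later drives a memmove no longer agrees
 * with the buffer it was validated against.  Sample values only.
 */

/* Vulnerable pattern: the subtraction happens in 32 bits, then is narrowed. */
uint16_t remaining_truncated(uint32_t list_size, uint32_t consumed)
{
    uint16_t remaining = (uint16_t)(list_size - consumed); /* high 16 bits silently dropped */
    return remaining;
}

/* Hardened pattern: reject underflow and anything that does not fit a WORD. */
int remaining_checked(uint32_t list_size, uint32_t consumed, uint16_t *out)
{
    if (consumed > list_size)
        return -1;                     /* subtraction would wrap around */
    uint32_t remaining = list_size - consumed;
    if (remaining > UINT16_MAX)
        return -1;                     /* narrowing would truncate */
    *out = (uint16_t)remaining;
    return 0;
}

/*
 * Copy routine that trusts only the checked length and the real capacity of
 * the destination.  Returns bytes copied, or -1 when the request is
 * inconsistent with the buffer.
 */
long copy_remaining(uint8_t *dst, size_t dst_cap,
                    const uint8_t *src, uint32_t list_size, uint32_t consumed)
{
    uint16_t n;
    if (remaining_checked(list_size, consumed, &n) != 0)
        return -1;
    if (n > dst_cap)
        return -1;                     /* would overflow dst */
    memmove(dst, src + consumed, n);
    return (long)n;
}

int main(void)
{
    /* Constructed sizes: 0x10010 bytes claimed, 0x10 already consumed. */
    uint32_t size = 0x10010u, consumed = 0x10u;
    uint16_t n;
    printf("true remaining: 0x%x, truncated: 0x%x\n",
           size - consumed, remaining_truncated(size, consumed));
    printf("checked: %s\n",
           remaining_checked(size, consumed, &n) == 0 ? "ok" : "rejected");
    return 0;
}
```

With the constructed sizes the true remainder is 0x10000 but the WORD holds 0, and an underflowing pair wraps to a large positive WORD; both cases are exactly what the checked version rejects before any copy happens.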
  21. MS17-010: Exploiting The Vulnerability
      - The exploit uses MDLs (Memory Descriptor Lists) to control the source & destination of arbitrary writes
      - ASLR is bypassed by using hard-coded memory regions
        - HalHeap is located at 0xffffffffffd00000
        - Fixed in Windows 10 Redstone 1 (April 2017)
      - Page-table addresses are also "hard-coded"
        - Self-mapped at entry 0x1ed
        - Fixed in Windows 10 Anniversary Update (August 2016)
      - DEP is disabled on the HalHeap region by directly editing the page tables
      - The payload is placed inside the HalHeap
      - The handler for the connection close is overwritten and offers RCE
      - The shellcode is executed when the connection is closed
  22. MS17-010: The Payload – Stage 1
      1. Trick to determine if the OS is 32 or 64 bit. If 32 bit then bail out, else continue execution (in this example).
      2. Read Model Specific Register (MSR) 0xC0000082 – the IA32_LSTAR MSR – and save it
         - This MSR contains the kernel address of the SYSCALL handling routine
         - Any SYSCALL made by a user-mode app will end up running the code pointed to by IA32_LSTAR
      3. Modify the IA32_LSTAR MSR so that it points to the main payload inside the HalHeap
  23. MS17-010: The Payload – Stage 2
      4. As soon as an application initiates a SYSCALL, the main payload gains code execution
         - It restores the original SYSCALL handler
         - It does whatever the payload was programmed to do. This is the main functionality of the exploit.
  24. MS17-010: The Payload – Stage 3
      - The stage 2/3 payload:
        - Iterates all the loaded drivers, searches for the samba drivers
        - Overwrites a SrvTransactionNotImplemented function inside the SrvTransaction2DispatchTable => backdoor
        - Next time someone wants to see if a system has been compromised, it can simply "knock" and see if DoublePulsar responds
  25. … and HVI Defeats EternalBlue
  26. MS17-010: Preventing Exploitation
      1. Trick to determine if the OS is 32 or 64 bit. If 32 bit then bail out, else continue execution (in this example).
      2. Read Model Specific Register (MSR) 0xC0000082 – the IA32_LSTAR MSR – and save it
         - This MSR contains the kernel address of the SYSCALL handling routine
         - Any SYSCALL made by a user-mode app will end up running the code pointed to by IA32_LSTAR
      3. The IA32_LSTAR MSR is protected against modifications
         - Although the stage 1 payload may get code execution, it cannot ensure the execution of the main payload; the main payload will never run
  27. MS17-010: Preventing Exploitation
      - The samba drivers are protected against modifications, and the SrvTransaction2DispatchTable is located inside such a driver (srv.sys)
      - The backdoor cannot be installed on the system
      - … although it never gets to this, because we already blocked it at stage 1
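Slides 17, 26 and 27 describe the enforcement step: the engine keeps a "shadow" copy of protected guest state and denies writes to sensitive MSRs (IA32_LSTAR) and to protected driver memory such as the dispatch table in srv.sys. The following is an added model of that policy decision, written for this page; it is not Bitdefender's HVI code and not Xen's vm_event API. The `intro_event` record, `hvi_decide`, `replay_stage_events` and all addresses are hypothetical; only the MSR index 0xC0000082 and the HalHeap address 0xffffffffffd00000 come from the slides. The replay feeds the engine the same three write operations the slides attribute to the payload stages and shows which ones the policy stops:

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>

/* Event kinds a VMI monitor would receive from the hypervisor (model only). */
enum ev_kind { EV_MSR_WRITE, EV_MEM_WRITE };
enum verdict { ALLOW = 0, DENY = 1 };

struct intro_event {           /* hypothetical event record, not Xen's vm_event_request_t */
    enum ev_kind kind;
    uint64_t target;           /* MSR index, or guest virtual address */
    uint64_t new_value;
};

#define IA32_LSTAR 0xC0000082u /* MSR index from the slides */

/* Protected guest memory: sample addresses, not real srv.sys load addresses. */
struct region { uint64_t start, end; const char *name; };
static const struct region protected_regions[] = {
    { 0xFFFFF80001000000ull, 0xFFFFF80001040000ull, "srv.sys code (sample)" },
    { 0xFFFFF80001040000ull, 0xFFFFF80001041000ull, "SrvTransaction2DispatchTable (sample)" },
};

/* Shadow state: the value IA32_LSTAR is supposed to hold, plus counters. */
struct shadow { uint64_t lstar; unsigned denied; unsigned allowed; };

static const char *protected_region_name(uint64_t addr)
{
    for (size_t i = 0; i < sizeof protected_regions / sizeof protected_regions[0]; i++)
        if (addr >= protected_regions[i].start && addr < protected_regions[i].end)
            return protected_regions[i].name;
    return NULL;
}

/* Policy decision for one event.  The guest's write is only applied on ALLOW. */
enum verdict hvi_decide(struct shadow *s, const struct intro_event *ev)
{
    const char *why = NULL;
    switch (ev->kind) {
    case EV_MSR_WRITE:
        /* Only a change of IA32_LSTAR away from the shadow value is denied;
           writing the saved value back is not a change. */
        if (ev->target == IA32_LSTAR && ev->new_value != s->lstar)
            why = "IA32_LSTAR";
        break;
    case EV_MEM_WRITE:
        why = protected_region_name(ev->target);
        break;
    }
    if (why) {
        s->denied++;
        printf("DENY  write to 0x%" PRIx64 " (%s)\n", ev->target, why);
        return DENY;
    }
    s->allowed++;
    return ALLOW;
}

/* Replay the write operations the slides attribute to the payload stages,
   as constructed events.  Returns the number of denied writes. */
unsigned replay_stage_events(struct shadow *s)
{
    const struct intro_event seq[] = {
        /* Payload copied into the HalHeap.  The heap is not protected in this
           model, matching the slides' future-work item on HAL heap protection. */
        { EV_MEM_WRITE, 0xFFFFFFFFFFD00000ull, 0x90 },
        /* Stage 1: redirect IA32_LSTAR into the HalHeap. */
        { EV_MSR_WRITE, IA32_LSTAR, 0xFFFFFFFFFFD00000ull },
        /* Stage 3: overwrite an entry of the SMB dispatch table. */
        { EV_MEM_WRITE, 0xFFFFF80001040008ull, 0xFFFFFFFFFFD00100ull },
    };
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++)
        hvi_decide(s, &seq[i]);
    return s->denied;
}

int main(void)
{
    struct shadow s = { 0xFFFFF80001234000ull, 0, 0 }; /* sample saved LSTAR */
    unsigned denied = replay_stage_events(&s);
    printf("denied %u of %u writes; LSTAR still 0x%" PRIx64 "\n",
           denied, denied + s.allowed, s.lstar);
    return 0;
}
```

The design point is that the decision is made outside the guest from state the guest cannot alter: because the MSR write at stage 1 is refused, the shadow value of IA32_LSTAR is unchanged and the later stages have nothing to chain from, which is what slide 27 means by blocking at stage 1.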
  28. Future Work
      - Expand the protection over more OS areas (e.g. HAL's heap)
      - Prevent credential theft from Windows LSASS
      - Integrate more hardware features to accelerate VMI (e.g. Intel's #VE)
      - Extract more context out of the guest to improve attack analysis (opened connections, accessed files etc.)
      - Help create an ecosystem for VMI-based security tools to which more organizations can contribute
  29. Conclusions
      1. Open-source collaboration is key
      2. VMI is changing the security industry
      3. Commercial implementations are available
  30. Time For Questions!