Jonathan Brossard CTO - P1 Code Security

jonathan@p1sec.com

endrazine@gmail.com

Agenda

Virtualization : big picture

Attack surface analysis

The need for new tools

Introducing Virtual 8086 mode

Practical fuzzing with vm86()

Virtualization : time to care !

Market shares Definitions

Virtualization : market shares

Source : Forrester Research 2009

78% of companies have production servers virtualized.

20% only have virtualized servers.

Virtualization : market shares

Source : Forrester Research 2009

VMWare is present in 98% of the companies.

Microsoft virtualization products are used by 17%.

Citrix/Xen is used by 10%.

Bottom line...

Virtualization software are so widespread that they have become more attractive targets than say web, mail or dns servers !

There is a lower variety too !

Definitions

Virtualization : Definitions

Virtualization

Virtualization is the name given to the simulation with higher level components, of lower level components.

NOTE: Virtualization of applications (as opposed to full Oses) is out of topic.

Virtualization : Definitions

Virtual Machine

A virtual machine (VM) is : "an efficient, isolated duplicate of a real machine".

--Gerald J. Popek and Robert P. Goldberg (1974). "Formal Requirements for Virtualizable Third Generation Architectures", Communications of the ACM.

Paravirtualization

Virtualization : Definitions

Paravirtualization

Requires the modification of the guest Oses (eg: Xen, UML, Qemu with kquemu, VMWare Workstation with VMWare Tools).

Opposed to « full virtualization ».

Virtualization : Definitions

There are two types of virtualizations : Virtual Machine Monitors (or Hypervisors) of type I and type II.

Type I Hypervisor

Virtualization : Definitions

Hypervisors of type I

Run on bare metal (eg: Xen, Hyper-V, VMWare ESX).

Type II hypervisor

Virtualization : Definitions

Hypervizors of type II

Run as a process inside a host OS to virtualize guests Oses (eg: Qemu, Virtualbox, VMWare Workstation, Parallels).

Hardware assisted

virtualization

Hardware assisted

virtualization

-Takes advantage of AMD-V On Intel VT-x CPU extentions for virtualization.

-x64 Only.

-The hypervizor is running in « ring -1 ».

-Much like the NX bit : requires the motherboard to support it and activation in the BIOS.

Virtualization : Definitions

Isolation

Isolation of the userland part of the OS to simulate independant machines (eg: Linux-Vservers, Solaris « Zones », BSD « jails », OpenVZ under GNU/Linux).

Isolation

Attack surface analysis

Depending on your perspective...

What are the risks ?

Where to attack ?

Privilege escalation on the

host

VMware Tools HGFS Local Privilege Escalation Vulnerability

(http://labs.idefense.com/intelligence/vu

lnerabilities/display.php?id=712)

Privilege escalation on the

Guest

CVE-2009-2267 « Mishandled exception on page fault in VMware » Tavis Ormandy and Julien Tinnes

Attacking other guests

Vmare workstation guest isolation weaknesses (clipboard transfer)

http://www.securiteam.com/securitynew

s/5GP021FKKO.html

DoS (Host + Guests)

CVE-2007-4591 CVE-2007-4593 (bad ioctls crashing the Host+Guests)

Escape to host

Rafal Wojtczuk (Invisible things, BHUS 2008)

IDEFENSE VMware Workstation Shared Folders Directory Traversal Vulnerability (CVE-2007-1744)

Attack surface analysis :

usage

Hosting two companies on the same hardware is very common (shared hosting).

Getting a shell on the same machine as a given target may therefor be a matter of paying a few euros a month.

Attack surface : conclusion

Owning the Host OS from the Guest is practical : security through virtualization is a failure.

Seemingly minor bugs (local, DoS) do matter : virtualization amplifies consequences.

The need for dedicated methodologies and tools

The need for new tools :

example

How to dynamically test a virtual Hard Drive ?

How to dynamically test a virtual Hard Drive ? Naive approach

Standard API :

ssize_t read(int fd, void *buf, size_t count); ssize_t write(int fd, const void *buf, size_t

count);

This would mostly fuzz the kernel, not the Virtual Machine :(

We need something (much) lower level.

Standard (low level) attack

vectors

Ioports:

outb, outw, outl, outsb, outsw, outsl, inb, inw, inl, insb, insw, insl, outb_p, outw_p, outl_p, inb_p, inw_p, inl_p Problems: sequence, multiple ports

Ioctls:

int ioctl(int d, int request, ...) Problems : arbitrary input size !

How did we used to do it

« back in the days » ?

MS Dos : direct access to the hardware (interrupts : BIOS, HD, Display, …)

Can we get back to this ?

Introducing the Virtual 8086 mode

Introducing the Virtual 8086 mode

Introduced with Intel 386 (1985)