hyper cube
play

Hyper-Cube High-Dimensional Hypervisor Fuzzing Sergej Schumilo, - PowerPoint PPT Presentation

Dec 30, 2022 •153 likes •688 views

Hyper-Cube High-Dimensional Hypervisor Fuzzing Sergej Schumilo, Cornelius Aschermann, Ali Abbasi, Simon Wrner and Thorsten Holz Chair for Systems Security Ruhr-Universitt Bochum Motivation Hypervisor Motivation Hypervisor VM 1 VM 2

  1. Hyper-Cube High-Dimensional Hypervisor Fuzzing Sergej Schumilo, Cornelius Aschermann, Ali Abbasi, Simon Wörner and Thorsten Holz Chair for Systems Security Ruhr-Universität Bochum

  2. Motivation Hypervisor

  3. Motivation Hypervisor VM 1 VM 2

  4. Motivation Hypervisor VM 1 VM 2 Malicious Guest (Privileged; Running in Ring-0)

  5. Motivation Hypervisor VM 1 VM 2 Local VM DoS (Crash or Deadlock)

  6. Motivation Hypervisor VM 1 VM 2

  7. Motivation Hypervisor VM 1 VM 2 Virtual Machine DoS (Crash or Deadlock)

  8. Motivation Hypervisor VM 1 VM 2 Virtual Machine Escape (Other Guest)

  9. Motivation Hypervisor VM 1 VM 2

  10. Motivation Hypervisor VM 1 VM 2 Host DoS (Kernel Panic or Deadlock)

  11. Motivation Hypervisor VM 1 VM 2 Virtual Machine Escape (Host)

  12. Motivation Hypervisor VM 1 VM 2

  13. Challenge

  14. Challenge Fuzzer of your Choice

  15. Challenge Fuzzer of your Choice Target Software

  16. Challenge Fuzzer of your Choice Target Software

  17. Challenge User Space Fuzzing

  18. Challenge Hypervisor Fuzzing

  19. Attack Surface

  20. ① ② Hypervisor Attack Surface Guest Hypervisor

  21. ① ② Hypervisor Attack Surface Guest Hypervisor

  22. Hypervisor Attack Surface Guest Hypervisor Code Privileged Instructions Hypervisor Core ... ① Emulation Request mov cr4, 0xAF ... ② Return to Guest

  23. ① ② Hypervisor Attack Surface

  24. Implementation

  25. Design Goals • x86 Hypervisor Agnostic • Blackbox Fuzzing with High Througput • High-Dimensional in Terms of ➤ Interfaces ➤ Operations

  26. ➤ ➤ Our Approach Hypervisor

  27. ➤ ➤ Our Approach Hypervisor VM

  28. ➤ ➤ Our Approach Hypervisor VM Hyper-Cube OS

  29. ➤ ➤ Our Approach Hypervisor VM Hyper-Cube OS Interface Enumeration

  30. ➤ ➤ Our Approach Hypervisor VM PCI Devices ISA Devices Hyper-Cube OS MSR Interface Enumeration Hypercalls PIC HPET APIC Chipset

  31. ➤ ➤ Our Approach Hypervisor VM PCI Devices ISA Devices Hyper-Cube OS MSR Hypercalls PIC Tesseract Interpreter HPET APIC Chipset

  32. Tesseract Handlers memset_mmio write_msr reads_io writes_io write_io kvm_hypercall memset_io read_io xor_io read_mmio write_mmio io_write_scratch_ptr reads_mmio writes_mmio xor_mmio vmport bruteforce_mmio mmio_write_scratch_ptr bruteforce_io

  33. Tesseract Interpreter PRNG Stream ... 0120: 2fff 1c27 ab47 5700 0128: adf2 3d60 092f 5488 0130: ec2d 9d1a 029d 56fd 0138: e0d1 a275 1f56 1d28 0140: ea78 a2fa db07 d60d 0148: 1288 3a5a 91f9 1756 0150: 1cae 31ad 9b9c 938e 0158: 2a33 f597 6615 e267 0160: 0117 1f16 b440 8a86 0168: 9154 5b55 e4ca 9e3d 0170: 9d19 ae79 efac e500 0178: 8cdf 8c00 9a83 df76 0180: 91fe d779 026c 2e2b 0188: 9137 1ef8 eea3 d29c 0190: 1789 5938 a36f 718a 0198: 81e4 678c 20f5 fa0b 01a0: 774d 07f1 cee3 62bc 01a8: ... d845 bc86 7631 6eac

  34. Tesseract Interpreter PRNG Stream Opcode Handler ... vmport (0xbd4,0x10ea) 0120: 2fff 1c27 ab47 5700 0128: memset_io (0x426,0xce0,0x9dc,0xca8) adf2 3d60 092f 5488 0130: ec2d 9d1a 029d 56fd 0138: e0d1 a275 1f56 1d28 writes_mmio (0xec8,0xad,0x10ac,0x7e9) Robust 0140: ea78 a2fa db07 d60d bruteforce_mmio (0xce4,0xdfa,0xe31,0x322) 0148: 1288 3a5a 91f9 1756 Interpretation 0150: 1cae 31ad 9b9c 938e writes_io (0x4bb,0xb8,0xeb1,0x401) 0158: 2a33 f597 6615 e267 0160: 0117 1f16 b440 8a86 0168: 9154 5b55 e4ca 9e3d memset_mmio (0x128,0xa73,0x2b3,0xa84) 0170: 9d19 ae79 efac e500 0178: 8cdf 8c00 9a83 df76 read_mmio (0xbf3,0x907) 0180: 91fe d779 026c 2e2b bruteforce_io (0x5c4,0x49a,0x94f,0xb1c) 0188: 9137 1ef8 eea3 d29c 0190: 1789 5938 a36f 718a 0198: 81e4 678c 20f5 fa0b 01a0: 774d 07f1 cee3 62bc xor_mmio (0x54b,0xa00,0xb51) 01a8: ... d845 bc86 7631 6eac

  35. ≈ Evaluation

  36. ≈ Tested Hypervisors FreeBSD bhyve (12.0-RELEASE) VirtualBox (5.1.37_Ubuntu r122592) Parallels Desktop (14.1.3) KVM/QEMU (4.0.1-rc4) Intel ACRN (29360 Build) VMware Fusion (11.0.3)

  37. ≈ Results Assert Failures 25 Null-Pointer Dereferences 13 55 Memory-Corruptions 8 Bugs 5 Div-By-Zero (FP Exceptions) 4 Deadlocks

  38. ≈ Case Study: bhyve CVE-2019-12071 FreeBSD Kernel Denial of Service via Privileged Guest

  39. ≈ Case Study: bhyve CVE-2019-12071 CVE-2019-12071 FreeBSD Kernel Denial of Service via Privileged Guest FreeBSD Kernel Denial of Service via Privileged Guest

  40. ≈ Case Study: bhyve CVE-2019-12071 CVE-2019-12071 FreeBSD Kernel Denial of Service via Privileged Guest FreeBSD Kernel Denial of Service via Privileged Guest Translates to

  41. ≈ Case Study: bhyve CVE-2019-12071 CVE-2019-12071 FreeBSD Kernel Denial of Service via Privileged Guest FreeBSD Kernel Denial of Service via Privileged Guest

  42. ≈ Case Study: bhyve CVE-2019-12071 FreeBSD Kernel Denial of Service via Privileged Guest

  51. Conclusion

  52. Conclusion • Novel Technique to Fuzz Hypervisors • Outperforms Coverage-Guided Fuzzers • Full-System Fuzzing

  53. Thank You! Q & A

Recommend

Outline Cube Release Roadmap Release Notes Cube 7 Highlights Cube 7 Beta

Outline Cube Release Roadmap Release Notes Cube 7 Highlights Cube 7 Beta

Outline Cube Release Roadmap Release Notes Cube 7 Highlights Cube 7 Beta Testing CITILABS UPDATE Program Cube Roadmap Anticipated Release Schedule Cube 6.4.5 Spring 2019 Cube 6.4.6 - Summer 2019 Cube 7 Beta -

656 views • 30 slides
Hyper: Make VM Runs Like Container Xu Wang <xu@hyper.sh> Hyper HQ Agenda Lesson

Hyper: Make VM Runs Like Container Xu Wang <xu@hyper.sh> Hyper HQ Agenda Lesson

Hyper: Make VM Runs Like Container Xu Wang <xu@hyper.sh> Hyper HQ Agenda Lesson learned from docker Hyper: App-centric VM Hyper and Xen Next step Docker Seems to Beat VM Everywhere Docker announced in 2013 and release

531 views • 13 slides
S ENTENCES IN FOL Cube(a) xCube(x) a is a cube For any x, x is a cube True in a world if a

S ENTENCES IN FOL Cube(a) xCube(x) a is a cube For any x, x is a cube True in a world if a

P UZZLE A, B, and C are each either knights or knaves. A says At least one of the three of us is a knight B says At least one

461 views • 19 slides
From HyPer to Hyper Integrating an academic DBMS into a leading analytics and business

From HyPer to Hyper Integrating an academic DBMS into a leading analytics and business

From HyPer to Hyper Integrating an academic DBMS into a leading analytics and business intelligence platform Tobias Muehlbauer, tmuehlbauer@tableau.com Jan Finis, jfinis@tableau.com The Story of Hyper 2020: Hyper as a general-purpose Database

747 views • 37 slides
Determinants Every n n matrix A has an associated scalar value called the determinant of A ,

Determinants Every n n matrix A has an associated scalar value called the determinant of A ,

2.1-2.3 Determinants P. Danziger Determinants Every n n matrix A has an associated scalar value called the determinant of A , denoted by det( A ) or | A | . The determinant gives the (hyper)volume of the unit (hyper)cube after it has been

491 views • 18 slides
Recall: Indexing into Cube Map Compute R = 2( N V ) N V Object at origin V Use

Recall: Indexing into Cube Map Compute R = 2( N V ) N V Object at origin V Use

Recall: Indexing into Cube Map Compute R = 2( N V ) N V Object at origin V Use largest magnitude component R of R to determine face of cube Other 2 components give texture coordinates 1 Cube Map Layout Example R = (

833 views • 40 slides
Tra racking Hyper Bo cking Hyper Boosted sted Top Q p Qua uarks @ 100 T rks @ 100 TeV eV

Tra racking Hyper Bo cking Hyper Boosted sted Top Q p Qua uarks @ 100 T rks @ 100 TeV eV

Tra racking Hyper Bo cking Hyper Boosted sted Top Q p Qua uarks @ 100 T rks @ 100 TeV eV Michel Mi chele Sel e Selva vaggi ggi (CP3) (CP3) An Andr drew w Lar Larko koski ski (MIT), Fabi abio Mal altoni (CP CP3) Flavo vor

623 views • 31 slides
Explorations of the Rubiks Cube Group Zeb Howell May 2016 Explorations of the Rubiks Cube

Explorations of the Rubiks Cube Group Zeb Howell May 2016 Explorations of the Rubiks Cube

Explorations of the Rubiks Cube Group Zeb Howell May 2016 Explorations of the Rubiks Cube Group Whats the Deal with Rubiks Cubes? One Cube made up of twenty six subcubes called cubelets. Each cubelet has one, two, or

246 views • 10 slides
CPS Translations and Applications: The Cube and Beyond Section 2: The domain-free -cube Haye

CPS Translations and Applications: The Cube and Beyond Section 2: The domain-free -cube Haye

CPS Translations and Applications: The Cube and Beyond Section 2: The domain-free -cube Haye Bhm June 12, 2018 What weve seen so far 1 CBV/CBN reduction strategies 2 Simulating CBN in a CBV language Wrap each argument in an extra x .

321 views • 19 slides
Hyper-Resolution AUTOMATED REASONING Hyper-resolution is the strategy employed (electron) in the

Hyper-Resolution AUTOMATED REASONING Hyper-resolution is the strategy employed (electron) in the

8ai Hyper-Resolution AUTOMATED REASONING Hyper-resolution is the strategy employed (electron) in the widely used Otter family of provers. SLIDES 8: {Px,Qx,Rx} {Qa,C} Hyper-resolution generalises ``bottom- (nucleus) up reasoning

343 views • 7 slides
Outreach for Hyper-Kamiokande Jost Migenda (they/them) for the Hyper-Kamiokande

Outreach for Hyper-Kamiokande Jost Migenda (they/them) for the Hyper-Kamiokande

Outreach for Hyper-Kamiokande Jost Migenda (they/them) for the Hyper-Kamiokande Proto-Collaboration @JostMigenda TAUP 2019 2019-09-11 Disclaimer This talk is not exhaustive! Personal, subjective selection Thanks to the whole

576 views • 20 slides
1 Cube geometry (for pillars) Cube Geometry (separate Color) Cube geometry (for pillars) Cube

1 Cube geometry (for pillars) Cube Geometry (separate Color) Cube geometry (for pillars) Cube

To Do To Do Foundations of Computer Graphics Foundations of Computer Graphics Continue working on HW 2. Can be difficult (Spring 2012) (Spring 2012) Class lectures, programs primary source CS 184, Lecture 8: OpenGL 2 Can leverage

337 views • 7 slides
Quotient Cube: How to Summarize the Semantics of a Data Cube Laks V.S. Lakshmanan (Univ. of

Quotient Cube: How to Summarize the Semantics of a Data Cube Laks V.S. Lakshmanan (Univ. of

Quotient Cube: How to Summarize the Semantics of a Data Cube Laks V.S. Lakshmanan (Univ. of British Columbia) * Jian Pei (State Univ. of New York at Buffalo) * Jiawei Han (Univ. of Illinois at Urbana-Champaign) + * The work is partially supported

798 views • 44 slides
bluecube V 4 . 3 1 Blue Cube CMS V4.3 by Digitalcube TABLE OF CONTENTS Introduction Discover

bluecube V 4 . 3 1 Blue Cube CMS V4.3 by Digitalcube TABLE OF CONTENTS Introduction Discover

Content Management System bluecube V 4 . 3 1 Blue Cube CMS V4.3 by Digitalcube TABLE OF CONTENTS Introduction Discover CMS Blue Cube Modules Customers 2 BLUE CUBE CMS V4.3 by Digitalcube Blue Cube CMS V4.3 by Digitalcube CMS without bugs

316 views • 28 slides
Status of the Hyper- Kamiokande Experiment Erin OSullivan, on behalf of the Hyper-Kamiokande

Status of the Hyper- Kamiokande Experiment Erin OSullivan, on behalf of the Hyper-Kamiokande

Status of the Hyper- Kamiokande Experiment Erin OSullivan, on behalf of the Hyper-Kamiokande proto-collaboration Stockholm University NuFACT 2017 Hyper-Kamiokande collaboration Proto-collaboration formed in 2015 ~ 300 members from 14

789 views • 31 slides
THE COSO INTEGRATED CONTROL CUBE THE COSO I NTEGRATED CONTROL CUBE 1 COSO Definition of I

THE COSO INTEGRATED CONTROL CUBE THE COSO I NTEGRATED CONTROL CUBE 1 COSO Definition of I

THE COSO INTEGRATED CONTROL CUBE THE COSO I NTEGRATED CONTROL CUBE 1 COSO Definition of I nternal Control Internal control is a process, effected by an entitys Board of Directors, management and other personnel, designed to provide

208 views • 16 slides
Hyper-Resolution AUTOMATED REASONING Hyper-resolution generalises ``bottom- (electron) up

Hyper-Resolution AUTOMATED REASONING Hyper-resolution generalises ``bottom- (electron) up

8ai Hyper-Resolution AUTOMATED REASONING Hyper-resolution generalises ``bottom- (electron) up reasoning and combines several Px Qx Rx Qa C SLIDES 8: resolution steps into one big step. (nucleus) Hyper-resolution is the

372 views • 8 slides
CS 225 Data Structures Au August 28 Cl Classes es and Ref efer eren ence e Variables

CS 225 Data Structures Au August 28 Cl Classes es and Ref efer eren ence e Variables

CS 225 Data Structures Au August 28 Cl Classes es and Ref efer eren ence e Variables es G G Carl Evans La Labs St Start rt T Tod oday Cube.h Cube.cpp 1 1 #pragma once #include "Cube.h" 2 2 3 class Cube { 3

622 views • 25 slides
Indirect WIMP detection with neutrinos in Hyper-K Yusuke Koshio for Hyper-K astrophysics working

Indirect WIMP detection with neutrinos in Hyper-K Yusuke Koshio for Hyper-K astrophysics working

Indirect WIMP detection with neutrinos in Hyper-K Yusuke Koshio for Hyper-K astrophysics working group Kamioka observatory, ICRR, Univ. of Tokyo Cosmic Frontier Workshop SLAC - March 7, 2013 Neutrinos generated by WIMP annihilation Trap

542 views • 20 slides
Cubr: Cube Puzzle Solver 18500 S19 Team D6 Project Proposal JT Aceron, Lily Chen, Sam

Cubr: Cube Puzzle Solver 18500 S19 Team D6 Project Proposal JT Aceron, Lily Chen, Sam

Cubr: Cube Puzzle Solver 18500 S19 Team D6 Project Proposal JT Aceron, Lily Chen, Sam Fazel-Sarjui Background and Application Area 3x3x3 Rubiks Cube 43,252,003,274,489,856,000 unique cube states World record time set by

709 views • 12 slides
The Arbarr Merchandising Tray System Automatic E-Cube Mini-bar, Mini-bar Retrofit,

The Arbarr Merchandising Tray System Automatic E-Cube Mini-bar, Mini-bar Retrofit,

The Arbarr Merchandising Tray System Automatic E-Cube Mini-bar, Mini-bar Retrofit, Ambient E-Cube, Combination Option Mission Statement Employing the versatile options of the Arbarr E- Cube System our company is dedicated to

133 views • 11 slides
Fe February 1 Te Templates Wa Wade Fa Fagen-Ul Ulmsch schnei eider er, , Cra Craig

Fe February 1 Te Templates Wa Wade Fa Fagen-Ul Ulmsch schnei eider er, , Cra Craig

Data Structures Fe February 1 Te Templates Wa Wade Fa Fagen-Ul Ulmsch schnei eider er, , Cra Craig Zi Zilles Example: e: assignmentOpSelf.cpp 1 #include "Cube.h" 40 Cube& Cube::operator=(const Cube

309 views • 27 slides
Evolutionary Cube Solver Anurag Misra Dept. of Computer Science and Engineering Indian

Evolutionary Cube Solver Anurag Misra Dept. of Computer Science and Engineering Indian

Evolutionary Cube Solver Anurag Misra Dept. of Computer Science and Engineering Indian Institute of Science and Technology Kanpur RUBIKS CUBE Classic 3*3*3 Rubiks Cube invented in 1974 by Erno Rubik Highly complex puzzle 4.3 *

540 views • 18 slides
Hyper-K David Hadley, University of Warwick Outline Hyper-K Detector Long baseline neutrino

Hyper-K David Hadley, University of Warwick Outline Hyper-K Detector Long baseline neutrino

Hyper-K David Hadley, University of Warwick Outline Hyper-K Detector Long baseline neutrino oscillation status and prospects Systematic uncertainty challenges and solutions 2 Kamiokande Detectors Kamiokande 680 tonne fiducial mass (1983)

1.05k views • 77 slides

More recommend