machine virtualization efficient hypervisors stealthy
play

Machine Virtualization: Efficient Hypervisors, Stealthy Malware - PowerPoint PPT Presentation

Sep 23, 2022 •333 likes •553 views

Machine Virtualization: Efficient Hypervisors, Stealthy Malware Muli Ben-Yehuda Technion & Hypervisor Technologies and Consulting Ltd Muli Ben-Yehuda (Technion & Hypervisor) Efficient Hypervisors, Stealthy Malware Cyberday, 2013 1 /

  1. Machine Virtualization: Efficient Hypervisors, Stealthy Malware Muli Ben-Yehuda Technion & Hypervisor Technologies and Consulting Ltd Muli Ben-Yehuda (Technion & Hypervisor) Efficient Hypervisors, Stealthy Malware Cyberday, 2013 1 / 21

  2. Background: x86 machine virtualization Running multiple different unmodified operating systems Each in an isolated virtual machine Simultaneously On the x86 architecture Many uses: live migration, record & replay, testing, . . . , security Foundation of IaaS cloud computing Used nearly everywhere Muli Ben-Yehuda (Technion & Hypervisor) Efficient Hypervisors, Stealthy Malware Cyberday, 2013 2 / 21

  3. x86 virtualization primer How does it work? Popek and Goldberg’s virtualization model [Popek74]: Trap and emulate Privileged instructions trap to the hypervisor Hypervisor emulates their behavior Without hardware support With hardware support Muli Ben-Yehuda (Technion & Hypervisor) Efficient Hypervisors, Stealthy Malware Cyberday, 2013 3 / 21

  4. What is a rootkit? First you take control. How? Then you hide to avoid detection and maintain control. How? Usual methods are ugly and intrusive: easy to detect! Can rootkit authors do better? Muli Ben-Yehuda (Technion & Hypervisor) Efficient Hypervisors, Stealthy Malware Cyberday, 2013 4 / 21

  5. Hypervisor-level rootkits Hypervisors have full control over the hardware Hypervisors can trap any operating system event Code can enter hypervisor-mode at any time Bluepill: run the rootkit as the hypervisor Muli Ben-Yehuda (Technion & Hypervisor) Efficient Hypervisors, Stealthy Malware Cyberday, 2013 5 / 21

  6. Bluepill: a hypervisor level rootkit [Rutkowska06] Muli Ben-Yehuda (Technion & Hypervisor) Efficient Hypervisors, Stealthy Malware Cyberday, 2013 6 / 21

  7. Recursive Bluepill Bluepill installs itself on the fly Bluepill is now the hypervisor Reminder: x86 only supports one hypervisor in hardware So how can you bluepill bluepill? Muli Ben-Yehuda (Technion & Hypervisor) Efficient Hypervisors, Stealthy Malware Cyberday, 2013 7 / 21

  8. The Turtles project: Nested x86 Virtualization Efficient nested virtualization for Intel x86 based on KVM Runs multiple guest hypervisors and VMs “The Turtles Project: Design and Implementation of Nested Virtualization”, [Ben-Yehuda10] Muli Ben-Yehuda (Technion & Hypervisor) Efficient Hypervisors, Stealthy Malware Cyberday, 2013 8 / 21

  9. What is the Turtles project? (cont’) Nested VMX virtualization for nested CPU virtualization Multi-dimensional paging for nested MMU virtualization Multi-level device assignment for nested I/O virtualization Micro-optimizations to make it go fast + + = Muli Ben-Yehuda (Technion & Hypervisor) Efficient Hypervisors, Stealthy Malware Cyberday, 2013 9 / 21

  10. Theory of nested CPU virtualization Trap and emulate[PopekGoldberg74] ⇒ it’s all about the traps Single-level (x86) vs. multi-level (e.g., z/VM) Single level ⇒ one hypervisor, many guests Turtles approach: L 0 multiplexes the hardware between L 1 and L 2 , running both as guests of L 0 —without either being aware of it (Scheme generalized for n levels; Our focus is n=2) Guest Guest L2 L2 L2 Guest Guest Guest Guest Hypervisor Guest Hypervisor Guest L1 L1 L2 L2 L0 Host Hypervisor L0 Host Hypervisor Hardware Hardware Multiple logical levels Multiplexed on a single level Muli Ben-Yehuda (Technion & Hypervisor) Efficient Hypervisors, Stealthy Malware Cyberday, 2013 10 / 21

  11. Detecting hypervisor-based rootkits Bluepill authors claim “undetectable” “Compatibility is Not Transparency: VMM Detection Myths and Realities” [Garfinkel07] Hardware discrepancies Resource-sharing attacks Timing attacks: PCI register access, page-faults on MMIO access, cpuid timing vs. nops Can you trust time? Muli Ben-Yehuda (Technion & Hypervisor) Efficient Hypervisors, Stealthy Malware Cyberday, 2013 11 / 21

  12. The Dual Role of a Hypervisor Muli Ben-Yehuda (Technion & Hypervisor) Efficient Hypervisors, Stealthy Malware Cyberday, 2013 12 / 21

  13. Background: interrupts IDTR IDT IDT Entry Vector 1 Address Vector 2 IDT Entry … Limit IDT Entry Vector n IDT I nterrupt Interrupt handlers R egister D escriptor T able I/O devices raise interrupts CPU temporarily stops the currently executing code CPU jumps to a pre-specified interrupt handler Muli Ben-Yehuda (Technion & Hypervisor) Efficient Hypervisors, Stealthy Malware Cyberday, 2013 13 / 21

  14. Interrupts as an Attack Vector Follow the White Rabbit [Rutkowska11] Tell the device to generate “interesting” interrupts Attack: fool the CPU into SIPI Attack: syscall/hypercall injection In interrupt-based attacks an untrusted guest generates malicious interrupts which are handled in host mode Protect: handle interrupts in guest—not host—mode Serve: bare-metal performance! Muli Ben-Yehuda (Technion & Hypervisor) Efficient Hypervisors, Stealthy Malware Cyberday, 2013 14 / 21

  15. ELI: Exitless Interrupts guest (a) Baseline Physical Interrupt hypervisor Interrupt Interrupt Completion Injection guest ELI (b) delivery Interrupt hypervisor Completion guest ELI delivery & (c) completion hypervisor (d) bare-metal (time) ELI: direct interrupts for unmodified, untrusted guests “ELI: Bare-Metal Performance for I/O Virtualization”, Gordon12 Muli Ben-Yehuda (Technion & Hypervisor) Efficient Hypervisors, Stealthy Malware Cyberday, 2013 15 / 21

  16. ELI: delivery Shadow IDT Guest Interrupt IDT Handler Assigned #NP Interrupt P=0 IDT Entry IDTR Limit Shadow Handler P=1 IDT IDT Entry VM Non-assigned … Interrupt (#NP/#GP exit) ELI Delivery Hypervisor #NP P=0 IDT Entry Physical Interrupt #GP IDT Entry All interrupts are delivered directly to the guest Host and other guests’ interrupts are bounced back to the host . . . without the guest being aware of it Muli Ben-Yehuda (Technion & Hypervisor) Efficient Hypervisors, Stealthy Malware Cyberday, 2013 16 / 21

  17. ELI: signaling completion Guests signal interrupt completions by writing to the Local Advance Programmable Interrupt Controller (LAPIC) End-of-Interrupt (EOI) register Old LAPIC: hypervisor traps load/stores to LAPIC page x2APIC: hypervisor can trap specific registers Signaling completion without trapping requires x2APIC ELI gives the guest direct access only to the EOI register Muli Ben-Yehuda (Technion & Hypervisor) Efficient Hypervisors, Stealthy Malware Cyberday, 2013 17 / 21

  18. ELI: threat model Threats: malicious guests might try to: keep interrupts disabled signal invalid completions consume other guests or host interrupts Muli Ben-Yehuda (Technion & Hypervisor) Efficient Hypervisors, Stealthy Malware Cyberday, 2013 18 / 21

  19. ELI: protection VMX preemption timer to force exits instead of timer interrupts Ignore spurious EOIs Protect critical interrupts by: Delivering them to a non-ELI core if available Redirecting them as NMIs → unconditional exit Use IDTR limit to force #GP exits on critical interrupts Muli Ben-Yehuda (Technion & Hypervisor) Efficient Hypervisors, Stealthy Malware Cyberday, 2013 19 / 21

  20. Conclusions Machine virtualization be used for good, or evil How do you protect and serve? Happy hacking! Muli Ben-Yehuda (Technion & Hypervisor) Efficient Hypervisors, Stealthy Malware Cyberday, 2013 20 / 21

  21. Questions? muli@cs.technion.ac.il mulix@hypervisorconsulting.com Muli Ben-Yehuda (Technion & Hypervisor) Efficient Hypervisors, Stealthy Malware Cyberday, 2013 21 / 21

Recommend

ECE 650 Systems Programming & Engineering Spring 2018 Hypervisors & CPU Virtualization

ECE 650 Systems Programming & Engineering Spring 2018 Hypervisors & CPU Virtualization

ECE 650 Systems Programming & Engineering Spring 2018 Hypervisors & CPU Virtualization Tyler Bletsch Duke University Slides are adapted from Brian Rogers (Duke) Overview of Virtualization Weve discussed a form of virtualization

716 views • 19 slides
Hypervisors Credits: P. Chaganti Xen Virtualization A practical handbook D.

Hypervisors Credits: P. Chaganti Xen Virtualization A practical handbook D.

Introduction Hypervisors Credits: P. Chaganti Xen Virtualization A practical handbook D. Chisnall The definitive guide to Xen Hypervisor G. Kesden Lect. 25 CS 15-440 G. Heiser UNSW/NICTA/OKL Agenda

113 views • 9 slides
meets Micro-Hypervisors: Towards a Virtualization Architecture for User-Centric Multi-Clouds Alex

meets Micro-Hypervisors: Towards a Virtualization Architecture for User-Centric Multi-Clouds Alex

Nested Virtualization meets Micro-Hypervisors: Towards a Virtualization Architecture for User-Centric Multi-Clouds Alex PALESANDRO Marc LACOSTE Nadia BENNANI Chirine GHEDIRA-GUEGAN SEC2 - 30 June 2015, Lille Is this the best of all possible

294 views • 6 slides
Hypervisors Credits : P. Chaganti Xen Virtualization A practical handbook D.

Hypervisors Credits : P. Chaganti Xen Virtualization A practical handbook D.

Introduction Hypervisors Credits : P. Chaganti Xen Virtualization A practical handbook D. Chisnall The definitive guide to Xen Hypervisor G. Kesden Lect. 25 CS 15-440 G. Heiser UNSW/NICTA/OKL Introduction

346 views • 8 slides
Virtualization and Containerization What is Virtualization? What is Containerization? What does

Virtualization and Containerization What is Virtualization? What is Containerization? What does

Virtualization and Containerization What is Virtualization? What is Containerization? What does this do for us? Virtual Machines: Terminology Types of Hypervisors VirtualBox and VMWare

2.8k views • 30 slides
Virtualization Virtualization Memory virtualization Process feels like it has its own

Virtualization Virtualization Memory virtualization Process feels like it has its own

4/25/08 Virtualization Virtualization Memory virtualization Process feels like it has its own address space Created by MMU, configured by OS Storage virtualization Logical view of disks connected to a machine External

441 views • 8 slides
Virtualization What is Virtualization? Virtualization is the simulation of the software and/

Virtualization What is Virtualization? Virtualization is the simulation of the software and/

Virtualization What is Virtualization? Virtualization is the simulation of the software and/ or hardware upon which other software runs. This simulated environment is called a virtual machine --Wikipedia 2 Computer Systems Arch.

1.26k views • 26 slides
Virtualization and Cloud Environments Saurabh Srivastava Department of Computer Sc. & Engg.

Virtualization and Cloud Environments Saurabh Srivastava Department of Computer Sc. & Engg.

Introduction to Virtualization and Cloud Environments Saurabh Srivastava Department of Computer Sc. & Engg. IIT Kanpur At a glance Virtualization Introduction to virtualization Basic Concepts Hypervisors Cloud

432 views • 31 slides
AMD Pacifica Virtualization Technology AMD Unveils Virtualization Platform AMD Pacifica

AMD Pacifica Virtualization Technology AMD Unveils Virtualization Platform AMD Pacifica

AMD Pacifica Virtualization Technology AMD Unveils Virtualization Platform AMD Pacifica Tutorial 2 Virtual Machine Approaches Carve a Server into Many Virtual Machines Hosted Hypervisor-based Virtualization Virtualization App App

539 views • 18 slides
4/22/2009 Virtualization Memory virtualization Process feels like it has its own address

4/22/2009 Virtualization Memory virtualization Process feels like it has its own address

4/22/2009 Virtualization Memory virtualization Process feels like it has its own address space Created by MMU, configured by OS Distributed Systems Storage virtualization Logical view of disks connected to a machine

407 views • 3 slides
EUROPA: Efficient User-Mode Packet Forwarding in Network Virtualization Virtualization Yong

EUROPA: Efficient User-Mode Packet Forwarding in Network Virtualization Virtualization Yong

EUROPA: Efficient User-Mode Packet Forwarding in Network Virtualization Virtualization Yong Liao Dong Yin Lixin Gao Yong Liao, Dong Yin, Lixin Gao Univ. of Massachusetts, Amherst Network Virtualization Platform Network Virtualization

367 views • 17 slides
Virtualization. A dream within a dream Type 1 Virtualization Hypervisor run on bare

Virtualization. A dream within a dream Type 1 Virtualization Hypervisor run on bare

Virtualization. A dream within a dream Type 1 Virtualization Hypervisor run on bare metal. Dedicated virtualization machine. Higher performance. Typical for servers. Type 2 Virtualization Hypervisor sits on

571 views • 17 slides
IO Virtualization Kedar & Ozzie Overview Benefits Challenges Full Virtualization

IO Virtualization Kedar & Ozzie Overview Benefits Challenges Full Virtualization

IO Virtualization Kedar & Ozzie Overview Benefits Challenges Full Virtualization Paravirtualization Front-ends, Back-ends Pass through mode Virtualization : Review Create a Virtual machine that can emulate

327 views • 20 slides
Secure remote management with virtualization Daniel P. Berrang <berrange@redhat.com>

Secure remote management with virtualization Daniel P. Berrang <berrange@redhat.com>

Secure remote management with virtualization Daniel P. Berrang <berrange@redhat.com> libvirt: Background API for management of hypervisors Community (Red Hat, Fujitsu, Bull) Isolates apps from HV specific APIs Driver

608 views • 11 slides
Light-Weight and Resource Efficient OS-Level Virtualization Herbert Ptzl 2004-2008 c

Light-Weight and Resource Efficient OS-Level Virtualization Herbert Ptzl 2004-2008 c

Light-Weight and Resource Efficient OS-Level Virtualization Herbert Ptzl 2004-2008 c Linux-VServer .org Herbert Ptzl 1 Introduction Computers have become sufficiently powerful to use virtualization to create the illusion of

545 views • 18 slides
Formal Virtualization Reqs. Def: Machine State: S = <E, M, P, R> E executable

Formal Virtualization Reqs. Def: Machine State: S = <E, M, P, R> E executable

CPSC 410/611 : Operating Systems Formal Virtualization Reqs. Def: Machine State: S = <E, M, P, R> E executable storage M processor mode P program counter R relocation-bounds register Def:

361 views • 3 slides
Embedded Virtualization Greg Ungerer greg.ungerer@accelerated.com Embedded Virtualization For

Embedded Virtualization Greg Ungerer greg.ungerer@accelerated.com Embedded Virtualization For

Embedded Virtualization Greg Ungerer greg.ungerer@accelerated.com Embedded Virtualization For development Run on host as testing tool Native development platform On target Fast cheap capable hardware Multiple machine instances

509 views • 7 slides
Virtual Machines What is a Virtual Machine? Java Virtual Machine (Application Virtualization)

Virtual Machines What is a Virtual Machine? Java Virtual Machine (Application Virtualization)

Virtual Machines What is a Virtual Machine? Java Virtual Machine (Application Virtualization) Software to simulate hardware Independent Separate Use one piece of hardware to simulate many computers Topics What are

519 views • 22 slides
Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine

Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine

Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine Introspection IFIP SEC 2018 Sergej Proskurin, 1 Julian Kirsch, 1 and Apostolis Zarras 2 1 Technical University of Munich 2 Maastricht University

548 views • 20 slides
MultiNyx: A Multi-Level Abstraction Framework for Systematic Analysis of Hypervisors Pedro

MultiNyx: A Multi-Level Abstraction Framework for Systematic Analysis of Hypervisors Pedro

MultiNyx: A Multi-Level Abstraction Framework for Systematic Analysis of Hypervisors Pedro Fonseca, Xi Wang, Arvind Krishnamurthy Hypervisor correctness is critical Hypervisors need to virtualize correctly all the architecture details

388 views • 19 slides
Virtual Machine Monitors IBM VM/370 - Mainframe time-sharing 1990s VMware - MPP

Virtual Machine Monitors IBM VM/370 - Mainframe time-sharing 1990s VMware - MPP

Virtual Machine History 1960s Virtual Machine Monitors IBM VM/370 - Mainframe time-sharing 1990s VMware - MPP abstraction / x86 virtualization Sun JVM Application level virtualization Lincoln Uyeda CS 614 -

99 views • 6 slides
Virtual Machine Monitors Lakshmi Ganesh What is a VMM? Virtualization: Using a layer of

Virtual Machine Monitors Lakshmi Ganesh What is a VMM? Virtualization: Using a layer of

Virtual Machine Monitors Lakshmi Ganesh What is a VMM? Virtualization: Using a layer of software to present a (possibly different) logical view of a given set of resources VMM: Simulate, on a single hardware platform, multiple hardware

763 views • 38 slides
Virtualization with KVM/QEMU Report: Veit Hoehn (hoehn@cip.ifi.lmu.de) The Task: Set up virtual

Virtualization with KVM/QEMU Report: Veit Hoehn (hoehn@cip.ifi.lmu.de) The Task: Set up virtual

The Bioinformatics Lab SS2011 May 23, 2011 Virtualization with KVM/QEMU Report: Veit Hoehn (hoehn@cip.ifi.lmu.de) The Task: Set up virtual machine on Server Virtualization with KVM/QEMU 2 1. Creating the virtual machine Connect to server

473 views • 9 slides
S erver Virtualization Tina S imcich WA S tate Department of Ecology Carbon Reduction through

S erver Virtualization Tina S imcich WA S tate Department of Ecology Carbon Reduction through

S erver Virtualization Tina S imcich WA S tate Department of Ecology Carbon Reduction through IT Procurement Problem: Many servers run at 10% to 30% capacity S olution: Virtualization means more efficient use of server resources

290 views • 7 slides

More recommend