![Page 1: Attacking Hypervisors via Firmware and Hardware Mikhail Gorobets, Oleksandr Bazhaniuk, Alex Matrosov, Andrew Furtak, Yuriy Bulygin Advanced Threat Research](https://reader034.vdocuments.mx/reader034/viewer/2022051516/56649e205503460f94b0c63e/html5/thumbnails/1.jpg)
Attacking Hypervisors via Firmware and Hardware
Mikhail Gorobets, Oleksandr Bazhaniuk, Alex Matrosov, Andrew Furtak, Yuriy Bulygin
Advanced Threat Research
Agenda
Hypervisor based isolation
Firmware rootkit vs hypervisor
Attacking hypervisor emulation of hardware devices
Attacking hypervisors through system firmware
Tools and mitigations
Conclusions
Hypervisor Based Isolation
Hypervisor Based Isolation (diagram): privilege layers from bottom to top are Hardware (CPU, I/O, Memory, Network, Graphics), System Firmware (BIOS, U/EFI firmware, SMI handlers, Coreboot…), the VMM / Hypervisor, and Virtual Machines, each running an Operating System with its Apps.
Hypervisor Based Isolation (diagram, repeated with an attack path): same layers as above (Hardware with CPU, I/O, Memory, Network, Graphics; System Firmware with BIOS, U/EFI firmware, SMI handlers, Coreboot…; VMM / Hypervisor; Virtual Machines with Operating System and Apps), but one App inside a Virtual Machine is marked "Attack": the attacker starts inside a guest.
Hypervisor Protections
Software isolation. CPU / SoC: traps to the hypervisor (VM Exits), MSR & I/O permission bitmaps, rings (PV)… Memory / MMIO: hardware page tables (e.g. EPT, NPT), software shadow page tables.
Device isolation. CPU / SoC: interrupt remapping. Memory / MMIO: IOMMU, No-DMA ranges.
CPU Virtualization (simplified) (diagram): the VMM host keeps a VM Control Structure (VMCS) for the VM guest OS, holding the MSR bitmaps, the I/O bitmaps and the Extended Page Tables. Guest events that trap to the VM Exit Handler: instructions, exceptions, interrupts…; access to I/O ports (e.g. 0xB2); access to CPU MSRs (e.g. DEBUGCTL); access to memory (EPT violations). These hypervisor traps are the VM Exits.
Protecting Memory with HW Assisted Paging (diagram): process virtual memory (VA0, VA1, VA2, VA3, VA4, …) is mapped by the guest page tables (CR3) of the VM guest OS to guest physical memory (GPA0 … GPA6, …); the VMM host's EPT (EPTP in the VMCS) maps guest physical memory to host physical memory (HPA0 … HPA6, …). Example EPT entries: GPA0 → HPA3, GPA2 → HPA5, GPA4 → HPA4 (1:1 mapping), GPA6 → blocked.
Hypervisor Protections
System Firmware Isolation
Firmware Rootkit vs Hypervisor
What is a firmware rootkit? (diagram): the same layering as before (Hardware with CPU, I/O, Memory, Network, Graphics; System Firmware; VMM / Hypervisor; Virtual Machines with Operating System and Apps), with a Rootkit (e.g. a DXE driver) residing in the System Firmware, beneath the hypervisor.
Firmware rootkit can open a backdoor for an attacker VM to access all other VMs (diagram: System Firmware Rootkit beneath the VMM / Hypervisor, a Backdoor in the hypervisor, a victim Virtual Machine and an Attacker VM, each with Operating System and Apps)
1. At some point the system firmware got infected with a rootkit that stays persistent.
2. During each boot the rootkit installs a backdoor for an attacker-controlled VM.
3. Now, using this backdoor, the attacker VM can access all of the memory of the victim VMs.
“Backdoor” for attacker’s VM
1. The firmware rootkit searches for & modifies the VM’s VMCS(B) and the VMM page tables.
2. The rootkit adds page table entries to the attacker VM which expose the entire physical memory.
Now the attacker VM has full access to the physical memory of the VMM and of the other VMs.
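The two-level mapping drawn on the hardware-assisted paging slide (guest page tables VA → GPA, then EPT GPA → HPA, with GPA6 blocked) and the "backdoor" on this slide (extra EPT entries exposing memory the VM does not own), in a small Python model. This is an added example, not code from the slides or from CHIPSEC; the page numbers, the OWNER table and the helper names are assumptions made for it. The audit gives the defender's view: an EPT entry whose target host page belongs to the VMM or to another VM is what a rootkit-installed backdoor looks like from the hypervisor's side.

```python
# Added example (not from the slides or CHIPSEC): a model of the two-level
# address translation behind hardware-assisted paging, plus an audit that
# flags EPT entries exposing memory the VM does not own.

PAGE = 0x1000  # 4 KiB pages; page numbers as on the slide (VA0, GPA0, HPA0, ...)


class GuestPageFault(Exception):
    """The guest's own page tables (CR3) do not map this virtual address."""


class EptViolation(Exception):
    """The EPT has no entry for this guest-physical page: the access traps to the VMM."""


def translate(va, guest_pt, ept):
    """VA -> GPA via the guest page tables, then GPA -> HPA via the VMM's EPT.

    guest_pt and ept are dicts of page numbers (VA page -> GPA page,
    GPA page -> HPA page).  Returns the host physical address.
    """
    vpn, offset = divmod(va, PAGE)
    if vpn not in guest_pt:
        raise GuestPageFault("VA page %d" % vpn)
    gpn = guest_pt[vpn]
    if gpn not in ept:
        raise EptViolation("GPA page %d" % gpn)
    return ept[gpn] * PAGE + offset


def guest_can_reach(va, guest_pt, ept):
    """True if the guest can access va without a page fault or an EPT violation."""
    try:
        translate(va, guest_pt, ept)
        return True
    except (GuestPageFault, EptViolation):
        return False


def audit_ept(vm_name, ept, owner_of_hpn):
    """Return (GPA page, HPA page, owner) for every EPT entry whose target host
    page is not assigned to this VM.  owner_of_hpn is the VMM's own record of
    who owns each host page (assumption: the VMM keeps such a record).  A
    rootkit that adds entries exposing the VMM's or other VMs' memory shows
    up here."""
    return [(gpn, hpn, owner_of_hpn.get(hpn, "unassigned"))
            for gpn, hpn in sorted(ept.items())
            if owner_of_hpn.get(hpn) != vm_name]


# Constructed sample data reproducing the mapping drawn on the slide.
GUEST_PT = {0: 0, 1: 2, 2: 4, 3: 6}   # VA0->GPA0, VA1->GPA2, VA2->GPA4, VA3->GPA6
EPT_VM1 = {0: 3, 2: 5, 4: 4}           # GPA0->HPA3, GPA2->HPA5, GPA4->HPA4 (1:1); GPA6 blocked
OWNER = {0: "vmm", 1: "vmm", 2: "vm2", 3: "vm1", 4: "vm1", 5: "vm1", 6: "vm2"}

# EPT_VM1 with extra entries of the kind a rootkit would add: a window onto
# VMM pages (HPA0, HPA1) and another VM's page (HPA6).
EPT_VM1_BACKDOORED = {**EPT_VM1, 7: 0, 8: 1, 9: 6}

if __name__ == "__main__":
    print("VA 0x1010 ->", hex(translate(0x1010, GUEST_PT, EPT_VM1)))           # GPA2 -> HPA5
    print("VA 0x3000 reachable:", guest_can_reach(0x3000, GUEST_PT, EPT_VM1))  # GPA6 is blocked
    print("clean EPT audit:", audit_ept("vm1", EPT_VM1, OWNER))
    print("backdoored EPT audit:", audit_ept("vm1", EPT_VM1_BACKDOORED, OWNER))
```

In a real hypervisor the audit corresponds to walking each guest's EPT from the VMM (or from a trusted measurement of host memory) and comparing every leaf against the VMM's page ownership records; the VMCS/EPT dump tools the deck mentions later (chipsec_util vm) are the authors' route to the raw structures.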
So how would one install a rootkit in the firmware?
Using hardware SPI flash programmer…
USB & exploiting weak firmware protections...
Software access and exploiting some vulnerability in firmware…
From a privileged guest (e.g. Dom0). Requires privilege escalation from a normal guest (e.g. DomU) or remote.
From the host OS, before or in parallel to the VMM.
From a normal guest, if firmware is exposed to the guest by the VMM; for example, if firmware is not adequately write protected in system flash memory.
DEMO: Rootkit in System Firmware Exposes Secrets from Virtual Machines
Installing a rootkit in firmware from the root partition
Attacker VM exposes secrets of other VMs through a backdoor opened by the rootkit
We flashed the rootkited part of the firmware image from within a root partition to install the rootkit.
The system doesn’t properly protect firmware in SPI flash memory, so we could bypass write protection.
Finally, more systems protect firmware in flash memory; the CHIPSEC module common.bios_wp tests write protection.
Malware can exploit vulnerabilities in firmware to install a rootkit on such systems (see Attacking and Defending BIOS in 2015).
VMM “forensics”
With the help of a rootkit in firmware any VM guest can extract all information about the hypervisor and other VMs … and just from memory:
VMCS structures, MSR and I/O bitmaps for each VM guest
EPT for each VM guest
Regular page tables for the hypervisor and each VM guest
IOMMU page tables for each IOMMU device
Full hypervisor memory map, VM exit handler…
Real hardware configuration (registers of real PCIe devices, MMIO contents…)
VMCS, MSR and I/O bitmaps..
VMM Hardware Page Tables…
Attacking Hypervisor Emulation of Hardware Devices
Hardware Emulation Attack Vectors (diagram): the VM guest OS reaches the hypervisor in the VMM host through several emulation surfaces: instruction emulation (instructions such as CPUID…); CPU MSR emulation (access to CPU MSRs); device I/O emulation (access to device I/O ports); device MMIO/buffer emulation (access to device MMIO, command buffers…); and the hypercall implementation behind the hypercall API. Example vulnerabilities listed on the slide: Cloudburst, CVE-2014-0983…, VENOM, XSA-138…, XSA-108…, MS13-092, XSA-122…, XSA-75, SYSRET…
![Page 27: Attacking Hypervisors via Firmware and Hardware Mikhail Gorobets, Oleksandr Bazhaniuk, Alex Matrosov, Andrew Furtak, Yuriy Bulygin Advanced Threat Research](https://reader034.vdocuments.mx/reader034/viewer/2022051516/56649e205503460f94b0c63e/html5/thumbnails/27.jpg)
Did you know that VMMs emulate virtual devices of other VMMs?
(diagram: the Operating System and Apps in a Virtual Machine drive a Virtual SVGA Device in the Host / Hypervisor through an SVGA commands FIFO buffer, e.g. SVGA_CMD_RECT_FILL…, and a Frame buffer)
So Cloudburst was fixed in VMware, but … QEMU and VirtualBox also emulate the VMware virtual SVGA device.
![Page 28: Attacking Hypervisors via Firmware and Hardware Mikhail Gorobets, Oleksandr Bazhaniuk, Alex Matrosov, Andrew Furtak, Yuriy Bulygin Advanced Threat Research](https://reader034.vdocuments.mx/reader034/viewer/2022051516/56649e205503460f94b0c63e/html5/thumbnails/28.jpg)
Guest to Host Memory Corruption
QEMU / KVM: CVE-2014-3689. 3 vulnerabilities in the vmware-vga driver in QEMU allow a local guest to write to QEMU memory and gain host/hypervisor privileges via unspecified parameters related to rectangle handling.
Oracle VirtualBox (Jan 2015 Critical Patch Update):
CVE-2014-6588: memory corruption in VMSVGAGMRTRANSFER
CVE-2014-6589, CVE-2014-6590: memory corruptions in VMSVGAFIFOLOOP
CVE-2015-0427: integer overflow memory corruption in VMSVGAFIFOGETCMDBUFFER
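A hardened form of the rectangle handling these CVEs concern, as an added Python model of an emulated display device's FIFO command handler (not QEMU or VirtualBox code; the opcode number, the command layout and the Framebuffer class are constructed for the example). It shows the two checks a device emulator needs on guest-controlled input: the command buffer must be long enough before fields are read, and the rectangle bounds must be checked with subtraction so that a 32-bit wraparound cannot slip a huge width past the comparison.

```python
# Added example (not QEMU or VirtualBox code): a model of an emulated
# display device's FIFO command handler with overflow-safe validation of the
# guest-supplied rectangle.
import struct

SVGA_CMD_RECT_FILL = 2          # constructed opcode number for this model
RECT_FILL_LAYOUT = "<IIIII"     # color, x, y, width, height: unsigned 32-bit, guest-controlled
RECT_FILL_SIZE = struct.calcsize(RECT_FILL_LAYOUT)


class Framebuffer:
    """Host memory backing the guest's screen (constructed stand-in for the real device state)."""

    def __init__(self, width, height, bpp=4):
        self.width, self.height, self.bpp = width, height, bpp
        self.buf = bytearray(width * height * bpp)

    def pixel(self, x, y):
        off = (y * self.width + x) * self.bpp
        return struct.unpack_from("<I", self.buf, off)[0]


def rect_is_valid(fb, x, y, w, h):
    """Bounds check that a 32-bit wraparound cannot bypass.

    Comparing x + w against the width is the classic mistake: in 32-bit
    arithmetic a huge w wraps the sum back into range.  Subtracting instead
    keeps every intermediate value inside [0, width]."""
    if w == 0 or h == 0:
        return False
    if x >= fb.width or y >= fb.height:
        return False
    return w <= fb.width - x and h <= fb.height - y


def handle_rect_fill(fb, payload):
    """Parse and execute one RECT_FILL command; returns the number of pixels written.

    Raises ValueError for a short command buffer or an out-of-bounds
    rectangle.  A real emulator would log the event and stop the device
    rather than touch host memory."""
    if len(payload) < RECT_FILL_SIZE:
        raise ValueError("command shorter than %d bytes" % RECT_FILL_SIZE)
    color, x, y, w, h = struct.unpack_from(RECT_FILL_LAYOUT, payload)
    if not rect_is_valid(fb, x, y, w, h):
        raise ValueError("rectangle (%d,%d %dx%d) rejected" % (x, y, w, h))
    row_bytes = struct.pack("<I", color) * w
    for row in range(y, y + h):
        start = (row * fb.width + x) * fb.bpp
        fb.buf[start:start + len(row_bytes)] = row_bytes
    return w * h


def rect_fill_cmd(color, x, y, w, h):
    """Build a command payload as the guest would place it in the FIFO."""
    return struct.pack(RECT_FILL_LAYOUT, color, x, y, w, h)


if __name__ == "__main__":
    fb = Framebuffer(640, 480)
    print("pixels written:", handle_rect_fill(fb, rect_fill_cmd(0x44332211, 10, 10, 100, 50)))
    for bad in (rect_fill_cmd(0, 630, 0, 11, 1),          # one pixel past the right edge
                rect_fill_cmd(0, 1, 0, 0xFFFFFFFF, 1),    # 1 + 0xFFFFFFFF wraps to 0 in uint32
                rect_fill_cmd(0, 0, 0, 1, 1)[:-1]):       # truncated command buffer
        try:
            handle_rect_fill(fb, bad)
        except ValueError as e:
            print("rejected:", e)
```

The same three inputs (edge overrun, wrapping width, truncated buffer) are the cases a fuzzing module such as the tools.vmm.*_fuzz modules mentioned later in the deck would generate against a real device model; a handler that survives them without touching memory outside the framebuffer is the goal.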
![Page 29: Attacking Hypervisors via Firmware and Hardware Mikhail Gorobets, Oleksandr Bazhaniuk, Alex Matrosov, Andrew Furtak, Yuriy Bulygin Advanced Threat Research](https://reader034.vdocuments.mx/reader034/viewer/2022051516/56649e205503460f94b0c63e/html5/thumbnails/29.jpg)
Crashing Host or Guest from Ring3 …
CVE-2015-0377: writing arbitrary data to the upper 32 bits of the IA32_APIC_BASE MSR causes the VMM and host OS to crash on Oracle VirtualBox 3.2, 4.0.x-4.2.x
# chipsec_util.py msr 0x1B 0xFEE00900 0xDEADBEEF
CVE-2015-0418, CVE-2014-3646: VirtualBox and KVM guest crash when executing INVEPT/INVVPID instructions in Ring3
Instruction   VirtualBox   KVM
INVEPT        VM crash     VM crash
INVVPID       VM crash     VM crash
VMCALL        #UD fault    No exception
VMLAUNCH      #UD fault    #UD fault
VMRESUME      #UD fault    #UD fault
![Page 30: Attacking Hypervisors via Firmware and Hardware Mikhail Gorobets, Oleksandr Bazhaniuk, Alex Matrosov, Andrew Furtak, Yuriy Bulygin Advanced Threat Research](https://reader034.vdocuments.mx/reader034/viewer/2022051516/56649e205503460f94b0c63e/html5/thumbnails/30.jpg)
Attacking Hypervisors through System Firmware (with OS kernel access)
![Page 31: Attacking Hypervisors via Firmware and Hardware Mikhail Gorobets, Oleksandr Bazhaniuk, Alex Matrosov, Andrew Furtak, Yuriy Bulygin Advanced Threat Research](https://reader034.vdocuments.mx/reader034/viewer/2022051516/56649e205503460f94b0c63e/html5/thumbnails/31.jpg)
Pointer Vulnerabilities in SMI Handlers (diagram): physical memory holds OS memory and the SMI handlers in SMRAM. The SMI handler takes its arguments from the general purpose registers at the time of the SMI: RAX (code), RBX (pointer), RCX (function), RDX, RSI, RDI. The exploit points the pointer register at a fake structure inside SMRAM, tricking the SMI handler into writing to an address inside SMRAM. See Attacking and Defending BIOS in 2015.
![Page 32: Attacking Hypervisors via Firmware and Hardware Mikhail Gorobets, Oleksandr Bazhaniuk, Alex Matrosov, Andrew Furtak, Yuriy Bulygin Advanced Threat Research](https://reader034.vdocuments.mx/reader034/viewer/2022051516/56649e205503460f94b0c63e/html5/thumbnails/32.jpg)
Exploiting firmware SMI handler to attack VMM (diagram): the layering is Hardware (CPU, I/O, Memory, Network, Graphics), System Firmware with its SMI handlers, the Hypervisor, and on top a Root partition and Virtual Machines (child partitions), each running an Operating System and Apps.
The VMM allows a VM to invoke SMI handlers (grants access to the SW SMI I/O port 0xB2).
A compromised VM injects an SMM payload through the input pointer vulnerability in an SMI handler.
The SMM firmware payload modifies hypervisor code or VMCS/EPT to install a backdoor.
![Page 33: Attacking Hypervisors via Firmware and Hardware Mikhail Gorobets, Oleksandr Bazhaniuk, Alex Matrosov, Andrew Furtak, Yuriy Bulygin Advanced Threat Research](https://reader034.vdocuments.mx/reader034/viewer/2022051516/56649e205503460f94b0c63e/html5/thumbnails/33.jpg)
DEMO: Attacking Hypervisor via Poisonous Pointers in Firmware SMI handlers
Root cause? Port B2h is open to VM in I/O bitmap
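A model of the VMX I/O bitmaps that decide whether a guest IN/OUT traps, with an audit for sensitive ports left open to the guest, as an added example (not from the slides or CHIPSEC). Bitmap A covers ports 0x0000-0x7FFF and bitmap B ports 0x8000-0xFFFF, one bit per port, a set bit meaning the access causes a VM exit. Port 0xB2 is the one from the slide; 0xB3, the PCI configuration ports 0xCF8/0xCFC and the helper names are assumptions made for the example.

```python
# Added example (not from the slides or CHIPSEC): a model of the VMX I/O
# bitmaps and an audit for sensitive ports the guest can reach without a VM exit.

IO_BITMAP_BYTES = 0x1000  # each bitmap is one 4 KiB page covering 32768 ports

# Ports a hypervisor should normally not pass straight through to a guest.
# 0xB2 is the software SMI port from the slide; the others are assumptions
# made for this example.
SENSITIVE_PORTS = {
    0xB2: "software SMI (APM_CNT): lets the guest invoke firmware SMI handlers",
    0xB3: "APM status port, companion of 0xB2",
    0xCF8: "PCI configuration address register",
    0xCFC: "PCI configuration data register",
}


def new_bitmaps():
    """Return (bitmap A, bitmap B), both clear: every port passed through."""
    return bytearray(IO_BITMAP_BYTES), bytearray(IO_BITMAP_BYTES)


def _locate(bitmap_a, bitmap_b, port):
    """Pick the bitmap, byte index and bit mask that govern a port."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range: %#x" % port)
    bitmap, index = (bitmap_a, port) if port < 0x8000 else (bitmap_b, port - 0x8000)
    return bitmap, index >> 3, 1 << (index & 7)


def port_causes_exit(bitmap_a, bitmap_b, port):
    """True if a guest IN/OUT on this port traps to the hypervisor (bit set)."""
    bitmap, byte, mask = _locate(bitmap_a, bitmap_b, port)
    return bool(bitmap[byte] & mask)


def trap_port(bitmap_a, bitmap_b, port):
    """Set the bit so that access to the port causes a VM exit."""
    bitmap, byte, mask = _locate(bitmap_a, bitmap_b, port)
    bitmap[byte] |= mask


def trap_range(bitmap_a, bitmap_b, first, last):
    for port in range(first, last + 1):
        trap_port(bitmap_a, bitmap_b, port)


def audit_io_bitmaps(bitmap_a, bitmap_b):
    """Return (port, reason) for every sensitive port the guest could access
    without a VM exit.  An empty list means all of them trap; 0xB2 in the
    list is the root cause named on the slide."""
    return [(port, reason) for port, reason in sorted(SENSITIVE_PORTS.items())
            if not port_causes_exit(bitmap_a, bitmap_b, port)]


if __name__ == "__main__":
    a, b = new_bitmaps()
    print("findings with clear bitmaps:", [hex(p) for p, _ in audit_io_bitmaps(a, b)])
    trap_port(a, b, 0xB2)
    trap_port(a, b, 0xB3)
    trap_range(a, b, 0xCF8, 0xCFF)   # PCI config space goes through the VMM
    print("findings after fixing:", audit_io_bitmaps(a, b))
```

On real hardware the bitmaps only apply when the VMCS "use I/O bitmaps" execution control is set; otherwise the "unconditional I/O exiting" control decides for all ports, so an audit has to read both the controls and the bitmap pages from the VMCS. Reading that state is what the deck's chipsec_util vm tool is for.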
So that’s a firmware issue! Firmware has to validate pointers
(diagram: physical memory contains the SMI handlers in SMRAM and hypervisor memory protected by EPT; the SMI arguments arrive in RAX (code), RBX (pointer), RCX (function), RDX, RSI, RDI)
The firmware SMI handler validates input pointers to ensure they are outside of SMRAM, preventing overwrite of SMI code/data.
Point SMI handler to overwrite VMM page!
(diagram: physical memory contains the SMI handlers in SMRAM, hypervisor memory protected by EPT and a VMM protected page; the SMI arguments arrive in RAX (code), RBX (pointer), RCX (function), RDX, RSI, RDI)
• VT state and EPT protections are OFF in SMM (without STM)
• SMI handler writes to a protected page via the supplied pointer
VMM protections are OFF
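What the pointer validation on the previous slide looks like, and why the point of this slide still holds, as an added Python model (not firmware code from the slides; SMRAM_BASE, SMRAM_SIZE, the toy handler's function numbering, the hypervisor page address and the protected_ranges parameter are assumptions made for the example). The SMRAM check must treat ptr + size as fixed-width arithmetic, since a length that wraps can end inside SMRAM; but a pointer into an EPT-protected hypervisor page passes it, because in SMM (without an STM) nothing enforces EPT and the firmware has no record of which memory the VMM protects.

```python
# Added example (not firmware code from the slides): the check an SMI handler
# must apply to a caller-supplied pointer before writing through it, and a
# demonstration of why "outside SMRAM" alone does not protect a VMM.

WORD = 1 << 64  # physical addresses handled as 64-bit quantities

# Constructed SMRAM (TSEG) window; a real handler reads it from chipset registers.
SMRAM_BASE = 0x8B000000
SMRAM_SIZE = 8 << 20


def ranges_overlap(start, size, lo, hi):
    """True if [start, start+size) intersects [lo, hi)."""
    return start < hi and start + size > lo


def buffer_outside_smram(ptr, size, smram_base=SMRAM_BASE, smram_size=SMRAM_SIZE):
    """True only if [ptr, ptr+size) lies entirely outside SMRAM.

    Rejects negative or wrapping lengths: in fixed-width firmware code
    ptr + size can wrap to a small value and land inside SMRAM."""
    if ptr < 0 or size < 0 or ptr >= WORD or ptr + size > WORD:
        return False
    return not ranges_overlap(ptr, size, smram_base, smram_base + smram_size)


class SmiHandler:
    """Toy SMI handler: function 1 writes an 8-byte status value through RBX."""

    def __init__(self, memory, protected_ranges=()):
        self.memory = memory                              # dict: physical address -> bytes
        self.protected_ranges = list(protected_ranges)    # ranges the VMM asked to keep intact (assumption)

    def handle(self, rax, rbx, rcx):
        """Returns 'ok', 'rejected' or 'unsupported'.  rbx is the untrusted pointer."""
        if rcx != 1:
            return "unsupported"
        if not buffer_outside_smram(rbx, 8):
            return "rejected"                             # would corrupt SMI code/data in SMRAM
        for lo, hi in self.protected_ranges:              # only possible if the VMM told firmware
            if ranges_overlap(rbx, 8, lo, hi):
                return "rejected"
        self.memory[rbx] = rax.to_bytes(8, "little")      # EPT does not apply in SMM
        return "ok"


if __name__ == "__main__":
    mem = {}
    handler = SmiHandler(mem)
    print(handler.handle(0x1234, 0x1000, 1))                 # ok: ordinary OS memory
    print(handler.handle(0x1234, SMRAM_BASE + 0x100, 1))     # rejected: inside SMRAM
    print(handler.handle(0x1234, WORD - 4, 1))               # rejected: pointer + size wraps
    VMM_PAGE = 0x7F001000                                     # constructed EPT-protected hypervisor page
    print(handler.handle(0x1234, VMM_PAGE, 1))               # ok: the SMRAM check cannot see the VMM page
    aware = SmiHandler(mem, protected_ranges=[(0x7F000000, 0x7F100000)])
    print(aware.handle(0x1234, VMM_PAGE, 1))                 # rejected only because the range was declared
```

The last two calls are the point of this slide: the SMRAM check is correct and necessary, yet the VMM page is still written, because the firmware does not know it exists. The deck's mitigation for that case sits on the VMM side (not exposing port 0xB2 to guests), not in the SMI handler.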
Attacking VMM by proxying through SMI handler (diagram: the same layering of Hardware (CPU, I/O, Memory, Network, Graphics), System Firmware with SMI handlers, VMM / Hypervisor, and a Root partition plus Virtual Machines (child partitions) with their Operating Systems and Apps)
A VM with direct access to SMIs invokes an SMI handler and supplies a pointer to some VMM page.
The SMI handler writes to the supplied pointer, overwriting the contents of the protected VMM page.
Sometimes an attacker doesn’t need a vulnerability in firmware…
When the VMM grants a VM direct access to firmware or hardware interfaces, a VM exploit doesn’t always need to exploit firmware first through these interfaces.
It may use firmware or hardware as a confused deputy and attack the VMM through some function on behalf of firmware.
Read the excellent paper Hardware Involved Software Attacks by Jeff Forristal.
Do Hypervisors Dream of Electric Sheep?
The vulnerability used in this section is VU#976132, a.k.a. the S3 Resume Boot Script Vulnerability, independently discovered by ATR of Intel Security, Rafal Wojtczuk of Bromium, and LegbaCore.
It’s also used in Thunderstrike 2 by LegbaCore & Trammell Hudson.
Waking the system from S3 “sleep” state (diagram): on a normal boot the U/EFI system firmware runs Platform Init, DXE (UEFI core & drivers) and BDS before handing over to the VMM / Hypervisor, its Virtual Machines and the Apps / OS. On S3 resume the firmware runs Platform Init and then a Script Engine that executes the S3 BootScript Table, which restores the hardware configuration.
What is the S3 boot script table?
A table of opcodes in physical memory which restores platform configuration, e.g.:
S3_BOOTSCRIPT_DISPATCH/2
S3_BOOTSCRIPT_PCI_CONFIG_WRITE
S3_BOOTSCRIPT_IO_WRITE
…
The S3_BOOTSCRIPT_MEM_WRITE opcode writes some value to a specified memory location on behalf of firmware.
Xen exposes S3 boot script table to Dom0 (diagram): the normal boot / S3 resume flow of the U/EFI system firmware (Platform PEI, DXE with UEFI core & drivers, BDS; on S3 resume Platform PEI and the Script Engine that restores the hardware config from the S3 BootScript Table, shown at 0xDBAA4000) with the Xen Hypervisor and its privileged PV guest (Dom0) on top.
Exploit: the VM modifies the S3 boot script table in memory; upon resume, the firmware executes the rogue S3 script.
Xen attack via S3 boot script
Found the S3 boot script table in memory accessible to Dom0
Changing the boot script to access Xen hypervisor pages
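A parser and audit for a simplified S3 boot script table, as an added example covering the two preceding slides (it is not CHIPSEC's common.uefi.s3bootscript module and not firmware code). The opcode names come from the slide; the numeric opcodes, the byte layout, the firmware-reserved range FIRMWARE_RESERVED, the hypervisor range VMM_PROTECTED and the sample entries are constructed for the example and do not match the EDK2 encoding. The audit flags the two conditions these slides show: a table that sits in memory a privileged guest can write (here at the slide's 0xDBAA4000), and a MEM_WRITE or DISPATCH entry that would touch hypervisor memory on resume.

```python
# Added example (not firmware or CHIPSEC code): a parser for a simplified S3
# boot script table and an audit of what its entries would do on resume.
# Opcode names follow the slide; the byte layout below is constructed for this
# example and is NOT the EDK2 boot script encoding.
import struct

OP_DISPATCH, OP_PCI_CONFIG_WRITE, OP_IO_WRITE, OP_MEM_WRITE, OP_TERMINATE = 0x01, 0x02, 0x03, 0x04, 0xFF

# Entry = opcode (u8) + total entry length (u8) + little-endian payload.
PAYLOAD = {
    OP_DISPATCH:         "<Q",   # physical entry point the script engine calls
    OP_PCI_CONFIG_WRITE: "<IQ",  # PCI config address, value
    OP_IO_WRITE:         "<HI",  # I/O port, value
    OP_MEM_WRITE:        "<QQ",  # physical address, 8-byte value
    OP_TERMINATE:        "",
}
MEM_WRITE_WIDTH = 8


def encode(op, *fields):
    payload = struct.pack(PAYLOAD[op], *fields)
    return struct.pack("<BB", op, 2 + len(payload)) + payload


def parse_table(blob):
    """Decode entries up to the terminator, rejecting unknown opcodes,
    inconsistent length fields and truncated data: a script engine that
    trusts the length field is itself a memory-safety risk."""
    entries, off = [], 0
    while off + 2 <= len(blob):
        op, length = struct.unpack_from("<BB", blob, off)
        fmt = PAYLOAD.get(op)
        if fmt is None or length != 2 + struct.calcsize(fmt) or off + length > len(blob):
            raise ValueError("malformed entry at offset %#x" % off)
        entries.append((op, struct.unpack_from(fmt, blob, off + 2)))
        off += length
        if op == OP_TERMINATE:
            return entries
    raise ValueError("table has no terminator")


def is_well_formed(blob):
    try:
        parse_table(blob)
        return True
    except ValueError:
        return False


def _inside(lo, hi, start, size=1):
    return lo <= start and start + size <= hi


def audit_table(table_addr, blob, firmware_reserved, vmm_protected):
    """firmware_reserved: (lo, hi) memory only firmware can write (e.g. a
    lockbox in SMRAM).  vmm_protected: list of (lo, hi) host-physical ranges
    the hypervisor guards with EPT.  Returns (entry index, finding) tuples;
    index -1 refers to the table as a whole."""
    findings = []
    if not _inside(*firmware_reserved, table_addr, len(blob)):
        findings.append((-1, "table at %#x is outside firmware-reserved memory: "
                             "the OS or a privileged guest can rewrite it" % table_addr))
    for i, (op, fields) in enumerate(parse_table(blob)):
        if op == OP_DISPATCH and not _inside(*firmware_reserved, fields[0]):
            findings.append((i, "DISPATCH would run code at %#x outside firmware-reserved memory" % fields[0]))
        elif op == OP_MEM_WRITE:
            addr = fields[0]
            if any(addr < hi and addr + MEM_WRITE_WIDTH > lo for lo, hi in vmm_protected):
                findings.append((i, "MEM_WRITE to %#x would modify hypervisor-protected memory" % addr))
    return findings


# Constructed sample platform and tables.
FIRMWARE_RESERVED = (0x8B000000, 0x8B800000)   # SMRAM window holding the lockbox
VMM_PROTECTED = [(0x7F000000, 0x7F100000)]     # hypervisor pages guarded by EPT

GOOD_TABLE = b"".join([
    encode(OP_PCI_CONFIG_WRITE, 0x8000F840, 0x11),   # restore a chipset register
    encode(OP_IO_WRITE, 0x80, 0xAA),                 # POST code port
    encode(OP_MEM_WRITE, 0xFED40000, 0x1),           # restore an MMIO register
    encode(OP_DISPATCH, 0x8B100000),                 # platform code inside SMRAM
    encode(OP_TERMINATE),
])
# The same table with one extra MEM_WRITE aimed at a hypervisor page: what the
# audit must catch if the table's memory was writable by a guest.
MODIFIED_TABLE = GOOD_TABLE[:-2] + encode(OP_MEM_WRITE, 0x7F004000, 0x0) + encode(OP_TERMINATE)

if __name__ == "__main__":
    print(audit_table(0x8B200000, GOOD_TABLE, FIRMWARE_RESERVED, VMM_PROTECTED))      # no findings
    print(audit_table(0xDBAA4000, MODIFIED_TABLE, FIRMWARE_RESERVED, VMM_PROTECTED))  # two findings
```

The first finding (table location) is the one a platform can fix on its own, by keeping the table in memory the OS cannot reach; the second is only detectable if the firmware or the auditing tool knows the hypervisor's protected ranges, which is the coordination problem the deck raises in "Dealing with system firmware attacks".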
Dumping Dom0 VMCS from memory protected by EPT
DEMO: Attacking Xen in its sleep
Déjà vu?
Xen 0wning Trilogy (Part 3) by Invisible Things Lab
So these firmware vulnerabilities are exploitable from a privileged guest (e.g. root partition, Dom0 ..)
What about use cases where guests must be strongly isolated from the root partition?
Tools and Mitigations
First things first - fix that firmware!
Firmware can be tested for vulnerabilities! CHIPSEC modules:
common.uefi.s3bootscript (tests S3 boot script protections)
tools.smm.smm_ptr (tests for SMI pointer issues)
Protect the firmware in system flash memory:
common.bios_wp
common.spi_lock
...
(tests firmware protections in system flash memory)
Testing hypervisors…
Simple hardware emulation fuzzing modules for open source CHIPSEC: tools.vmm.*_fuzz (I/O, MSR, PCIe device, MMIO overlap, more soon …)
Tools to explore VMM hardware config: chipsec_util iommu (IOMMU), chipsec_util vm (CPU VM extensions)
Dealing with system firmware attacks..
There are a number of interfaces through which firmware can be attacked or can relay an attack onto the VMM: UEFI variables, SMI handlers, S3 boot script, SPI flash MMIO, FW update.. The firmware doesn’t know which memory the VMM needs to protect.
The VMM needs to be careful about which of these it exposes to VMs, including to administrative (privileged) guests. Some need not be exposed (e.g. S3 boot script); some may be emulated and monitored.
Conclusions
• Compromised firmware is bad news for VMM. Test your system’s firmware for security issues
• Windows 10 enables path for firmware deployment via Windows Update
• Secure privileged/administrative guests; attacks from such guests are important
• Vulnerabilities in device and CPU emulation are very common. Fuzz all HW interfaces
• Firmware interfaces/features may affect hypervisor security if exposed to VMs. Both need to be designed to be aware of each other
References
1. CHIPSEC: https://github.com/chipsec/chipsec
2. Intel’s ATR Security of System Firmware
3. Attacking and Defending BIOS in 2015 by Intel ATR
4. Hardware Involved Software Attacks by Jeff Forristal
5. Xen 0wning Trilogy by Invisible Things Lab
6. http://www.legbacore.com/Research.html
7. Low level PC attack papers by Xeno Kovah
Thank You!