Experience Report: An Analysis of Hypercall Handler Vulnerabilities

Aleksandar Milenkoski Karlsruhe Institute of Technology, Karlsruhe, Germany

Bryan D. Payne Nebula Inc., Mountain View, CA, USA

Nuno Antunes, Marco Vieira University of Coimbra, Coimbra, Portugal

Samuel Kounev University of Würzburg, Würzburg, Germany

ISSRE 2014, November 4th, Naples, Italy

Motivation

Webserver Application Server

Database Server

VM 1 VM 2 VM 3

Hypervisor

VM: Virtual Machine

Virtualization: Benefits and Challenges

Reduced costs

Security

Hypervisor

VM

VM exit events / Hypercalls

Attack Scenario: Guest VM à Hypervisor

Introduction Analysis Recommendations Conclusions 2/22

Hypercall Attacks Are Severe Denial-of-service (DoS)

Malicious code execution

Motivation

Introduction Analysis Recommendations Conclusions

Contributions Analysis of origins of hypercall vulnerabilities Demonstration and analysis of hypercall attacks Hypercall attack models Lessons learned and recommendations

Problem Statement Lack of information on hypercall vulnerabilities / attacks Characterization of the hypercall attack surface

3/22

Sample Set of Hypercall Vulnerabilities

Analyzed Hypercall Vulnerabilities 35 hypercall vulnerabilities (Aug. 2008 – Jul.2014)

Xen: 25 KVM: 9 Hyper-V: 1

Analysis Approach (i) Analysis of vulnerability reports (ii) Reverse-engineering the released patch (iii) Developing and executing proof-of-concept code

Benefits Understanding the origins of hypercall vulnerabilities

Observation of all stages of an attack life cycle

Introduction Analysis Recommendations Conclusions 4/22

Hypercall Vulnerabilities: Error Systematization Systematization of Errors

Error

Implementation

Value validation

Missing Incorrect

Inverse procedures

Non-implementation 17

Number of vulnerabilities

18

16 1

10 6 Not for general use

Aleksandar Milenkoski, Marco Vieira, Bryan D. Payne, Nuno Antunes, and Samuel Kounev. Technical Information on Vulnerabilities of Hypercall Handlers. Technical Report SPEC-RG-2014-001 v.1.0, SPEC Research Group - IDS Benchmarking Working Group, Standard Performance Evaluation Corporation (SPEC), August 2014.

5/22 Introduction Analysis: Origins of Vulnerabilities Recommendations Conclusions

Hypercall Vulnerabilities: Example 1

Discussion Variable value validations against missing value validation errors

à Reduced hypercall execution speed Hypercall continuations

[Xen] Programming practices à Vulnerabilities Performance ßà Security

Value Validation – Missing

CVE-2012-5525

Hypervisor: Xen Hypercall: multiple

get_page_from_gfn ß mfn uses mfn as offset

Guest VM! Hypervisor!

HYPERVISOR_mmuext_op!(&op, …)!

Crash!

op.cmd = 16; //MMUEXT_CLEAR_PAGE!.arg1.mfn=0x0EEEEE;!

6/22 Introduction Analysis: Origins of Vulnerabilities Recommendations Conclusions

Hypercall Vulnerabilities: Example 2

Value Validation – Missing

CVE-2012-5513

Hypervisor: Xen Hypercall: memory_op

copy_to_guest_offset ß addr_to, addr_from

addr_from and addr_to pre-validated

Guest VM! Hypervisor!

HYPERVISOR_update_va_mapping!(…)!

Crash!.out.extent_start = 0xFFFF808000000000;!

HYPERVISOR_memory_op!(XENMEM_exchange, &exchange);!

0

x32!

7/22 Introduction Analysis: Origins of Vulnerabilities Recommendations Conclusions

Hypercall Vulnerabilities: Example 3 Non-implementation

CVE-2013-1964

Hypervisor: Xen Hypercall: grant_table_op, operation GNTTABOP_copy

copies a page from a source VM (SVM) to a destination VM (DVM) using grants supports the use of transitive grants that point to a grant of the SVM

What if the acquired grant is non-transitive?

8/22 Introduction Analysis: Origins of Vulnerabilities Recommendations Conclusions

Hypercall Vulnerabilities: Discussion

Non-implementation errors are common Triggering hypercall vulnerabilities due to non-implementation errors

“Unexpected” hypercall execution scenarios – regular hypercalls

Unintentionally during regular system operation

Are hypercall interfaces reliable?

9/22 Introduction Analysis: Origins of Vulnerabilities Recommendations Conclusions

Effects of Hypercall Attacks

Discussion Effective hypervisor DoS attacks

Malicious code execution is probable A hypercall attacks: A single step of a multi-step attack

Rutkowska and Wojtczuk @ BlackHat 2008

Wilhelm, Luft, and Ray @ HITB 2014

Attack Effect No. of Hypercall Attacks Crash / Corrupted state 12

Crash 4 Hang 4

Corrupted state 4 Hang / Crash 2

Crash / Information leakage 1 Crash / Corrupted state / Information leakage 1

10/22 Introduction Analysis: Attack Effects Recommendations Conclusions

Hypercall Attack Models

Definition and Benefits Categorized patterns of activities comprising a successful hypercall attack

Facilitate the development of approaches that involve mimicking attackers

The Hypercall Attack Models Setup phase

One or multiple regular hypercalls Optional

Attack phase

A single hypercall with regular parameter values with specifically crafted parameter value(s)

A series of regular hypercalls in a given order repetitive execution of a single hypercall repetitive execution of multiple hypercalls

11/22 Introduction Analysis: Attack Models Recommendations Conclusions

[Triggering CVE-2012-5513] Setup phase and execution of a single hypercall with a specifically crafted parameter value

Guest VM! Hypervisor!

HYPERVISOR_update_va_mapping!(…)!

Crash!.out.extent_start = 0xFFFF808000000000;!

HYPERVISOR_memory_op!(XENMEM_exchange, &exchange);!

0

x32!

Attack Models: Examples (1/4)

12/22 Introduction Analysis: Attack Models Recommendations Conclusions

[Triggering CVE-2013-1964] Setup phase and execution of a single regular hypercall

SVM! Hypervisor!

HYPERVISOR_grant_table_op!(GNTTABOP_copy, …)!

Corrupted state!

DVM!

HYPERVISOR_grant_table_op!(GNTTABOP_setup_table, …)!

0

0

Attack Models: Examples (2/4)

13/22 Introduction Analysis: Attack Models Recommendations Conclusions

[Triggering CVE-2013-4494] Execution of a series of regular hypercalls

Guest VM! Hypervisor!

HYPERVISOR_grant_table_op!(GNTTABOP_setup, ….)!

Hang!HYPERVISOR_grant_table_op!(GNTTABOP_transfer, ….)!

(at vCPU #1)!

(at vCPU #2)!

Attack Models: Examples (3/4)

14/22 Introduction Analysis: Attack Models Recommendations Conclusions

[Triggering CVE-2012-3495] Repetitive execution of a single regular hypercall

Guest VM! Hypervisor!

HYPERVISOR_physdev_op!(PHYSDEVOP_get_free_pirq, …)!

Crash!

HYPERVISOR_physdev_op!(PHYSDEVOP_get_free_pirq, …)!

0

x16!

Attack Models: Examples (4/4)

15/22 Introduction Analysis: Attack Models Recommendations Conclusions

Extending the Frontiers

Securing Hypercall Interfaces: Proactive Approaches Preventing hypercall attacks from occuring

Vulnerability discovery Secure programming practices

Securing Hypercall Interfaces: Reactive Approaches Detecting and preventing hypercall attacks as they occur

Hypercall security mechanisms

Introduction Analysis Recommendations Conclusions 16/22

Securing Hypercall Interfaces: Proactive Approaches

Vulnerability Discovery: Fuzzing Lack of publicly available approaches and tools for fuzzing hypercalls

Challenge: Systematic coverage of hypercall code

Vulnerability Discovery: Formal Verification Lack of formal verification methods for discovering non-implementation errors

Freitas and McDermott (2011) re-engineer the Xen hypercall interface Focus: Information-flow security

Pucetti (2010) use Frama-C to analyze Xen hypercalls Focus: Vulnerabilities due to implementation errors

Introduction Analysis Recommendations Conclusions 17/22

Securing Hypercall Interfaces: Proactive Approaches

Secure Programming Practices

Programming practices enforcing value validations

Missing value validation errors: 60 % of all implementation errors

Challenge Performance (… remember continuations?)

Security enhanced operating mode of hypervisors (XSM FLASK) Security-enhanced operating modes of hypercall interfaces?

Introduction Analysis Recommendations Conclusions 18/22

Securing Hypercall Interfaces: Reactive Approaches Hypercall Security Mechanisms

Intrusion detection systems and MAC systems

Collabra , MAC/HAT, RandHyp, XSM-FLASK

Attacks triggering vulnerabilities due to non-implementation errors? Novel hypercall attack detection techniques

Attack models (attack phase)!

!Execution of a single hypercall with !

specifically crafted parameter value(s)!

!Execution of a single !

regular hypercall*!

!Execution of a series of regular hypercall in !

a given order*!

!Repetitive execution of !

a single hypercall*!

!Repetitive execution of !

multiple hypercalls*!

Current security mechanisms!

*) Hypercall(s) executed in a way such that!•  the targeted hypervisor cannot properly handle, or!•  an erroneous program code is executed.!

Introduction Analysis Recommendations Conclusions 19/22

Securing Hypercall Interfaces: Reactive Approaches

Workloads That Contain Hypercall Attacks Evaluation of hypercall security mechanisms

“We have some difficulties to fully evaluate the efficiency of our hypercall protection measures…” Le (2009), pg. 47

Aleksandar Milenkoski, Bryan D. Payne, Nuno Antunes, Marco Vieira, and Samuel Kounev. HInjector: Injecting Hypercall Attacks for Evaluating VMI-based Intrusion Detection Systems (Poster Paper). In ACSAC 2013, New Orleans, USA, 2013.

Introduction Analysis Recommendations Conclusions 20/22

Conclusions

Vulnerability Analysis 35 hypercall vulnerabilities analyzed

Reverse-engineering released patches à Proof-of-concept code

Observations Implementation errors – missing value validations: Performance ßà Security

Non-implementation errors are very common

Are hypercall interfaces reliable?

Hypercall attacks: Effective DoS attacks, parts of multi-step attacks

Attack models: Mostly regular hypercalls

Introduction Analysis Recommendations Conclusions 21/22

Conclusions

Recommendations Securing hypercall interfaces: Proactive approaches

Approaches and tools for fuzzing hypercalls

Secure hypercall programming practices

Methods for formally verifying hypercalls

Securing hypercall interfaces: Reactive approaches

Novel hypercall attack detection techniques

Approaches for generating workloads that contain hypercall attacks

Thank you for your attention

Introduction Analysis Recommendations Conclusions 22/22

References L. Freitas and J. McDermott, “Formal methods for security in the Xenon hypervisor,” International Journal on Software Tools for Technology Transfer, vol. 13, no. 5, pp. 463 – 489, 2011.

A. Puccetti, “Static Analysis of the XEN Kernel using Frama-C,” Journal of Universal Computer Science, vol. 16, no. 4, pp. 543 – 553, 2010.

XSM-FLASK. [Online]. Available: http://wiki.xen.org/wiki/ Xen Security Modules : XSM- FLASK.

S. Bharadwaja, W. Sun, M. Niamat, and F. Shen, “Collabra: A Xen Hypervisor Based Collaborative Intrusion Detection System,” in Proceedings of the 2011 Eighth International Conference on Information Technology: New Generations. IEEE Computer Society, 2011, pp. 695–700.

C. Hoang Le, “Protecting Xen hypercalls: Intrusion Detection/Prevention in a Virtualization Environment,” Master’s thesis, UBC, Vancouver, Canada, 2009.

F. Wang, P. Chen, B. Mao, and L. Xie, “RandHyp: Preventing Attacks via Xen Hypercall Interface,” in Information Security and Privacy Research. Springer Berlin Heidelberg, 2012, vol. 376, pp. 138–149.