experience report: an analysis of hypercall handler ... · report spec-rg-2014-001 v.1.0, spec...
TRANSCRIPT
Experience Report: An Analysis of Hypercall Handler Vulnerabilities
Aleksandar Milenkoski Karlsruhe Institute of Technology, Karlsruhe, Germany
Bryan D. Payne Nebula Inc., Mountain View, CA, USA
Nuno Antunes, Marco Vieira University of Coimbra, Coimbra, Portugal
Samuel Kounev University of Würzburg, Würzburg, Germany
ISSRE 2014, November 4th, Naples, Italy
Motivation
Webserver Application Server
Database Server
VM 1 VM 2 VM 3
Hypervisor
VM: Virtual Machine
Virtualization: Benefits and Challenges
Reduced costs
Security
Hypervisor
VM
VM exit events / Hypercalls
Attack Scenario: Guest VM à Hypervisor
Introduction Analysis Recommendations Conclusions 2/22
Hypercall Attacks Are Severe Denial-of-service (DoS)
Malicious code execution
Motivation
Introduction Analysis Recommendations Conclusions
Contributions Analysis of origins of hypercall vulnerabilities Demonstration and analysis of hypercall attacks Hypercall attack models Lessons learned and recommendations
Problem Statement Lack of information on hypercall vulnerabilities / attacks Characterization of the hypercall attack surface
3/22
Sample Set of Hypercall Vulnerabilities
Analyzed Hypercall Vulnerabilities 35 hypercall vulnerabilities (Aug. 2008 – Jul.2014)
Xen: 25 KVM: 9 Hyper-V: 1
Analysis Approach (i) Analysis of vulnerability reports (ii) Reverse-engineering the released patch (iii) Developing and executing proof-of-concept code
Benefits Understanding the origins of hypercall vulnerabilities
Observation of all stages of an attack life cycle
Introduction Analysis Recommendations Conclusions 4/22
Hypercall Vulnerabilities: Error Systematization Systematization of Errors
Error
Implementation
Value validation
Missing Incorrect
Inverse procedures
Non-implementation 17
Number of vulnerabilities
18
16 1
10 6 Not for general use
Aleksandar Milenkoski, Marco Vieira, Bryan D. Payne, Nuno Antunes, and Samuel Kounev. Technical Information on Vulnerabilities of Hypercall Handlers. Technical Report SPEC-RG-2014-001 v.1.0, SPEC Research Group - IDS Benchmarking Working Group, Standard Performance Evaluation Corporation (SPEC), August 2014.
5/22 Introduction Analysis: Origins of Vulnerabilities Recommendations Conclusions
Hypercall Vulnerabilities: Example 1
Discussion Variable value validations against missing value validation errors
à Reduced hypercall execution speed Hypercall continuations
[Xen] Programming practices à Vulnerabilities Performance ßà Security
Value Validation – Missing
CVE-2012-5525
Hypervisor: Xen Hypercall: multiple
get_page_from_gfn ß mfn uses mfn as offset
Guest VM! Hypervisor!
HYPERVISOR_mmuext_op!(&op, …)!
Crash!
op.cmd = 16; //MMUEXT_CLEAR_PAGE!.arg1.mfn=0x0EEEEE;!
6/22 Introduction Analysis: Origins of Vulnerabilities Recommendations Conclusions
Hypercall Vulnerabilities: Example 2
Value Validation – Missing
CVE-2012-5513
Hypervisor: Xen Hypercall: memory_op
copy_to_guest_offset ß addr_to, addr_from
addr_from and addr_to pre-validated
Guest VM! Hypervisor!
HYPERVISOR_update_va_mapping!(…)!
Crash!.out.extent_start = 0xFFFF808000000000;!
HYPERVISOR_memory_op!(XENMEM_exchange, &exchange);!
0
x32!
7/22 Introduction Analysis: Origins of Vulnerabilities Recommendations Conclusions
Hypercall Vulnerabilities: Example 3 Non-implementation
CVE-2013-1964
Hypervisor: Xen Hypercall: grant_table_op, operation GNTTABOP_copy
copies a page from a source VM (SVM) to a destination VM (DVM) using grants supports the use of transitive grants that point to a grant of the SVM
What if the acquired grant is non-transitive?
8/22 Introduction Analysis: Origins of Vulnerabilities Recommendations Conclusions
Hypercall Vulnerabilities: Discussion
Non-implementation errors are common Triggering hypercall vulnerabilities due to non-implementation errors
“Unexpected” hypercall execution scenarios – regular hypercalls
Unintentionally during regular system operation
Are hypercall interfaces reliable?
9/22 Introduction Analysis: Origins of Vulnerabilities Recommendations Conclusions
Effects of Hypercall Attacks
Discussion Effective hypervisor DoS attacks
Malicious code execution is probable A hypercall attacks: A single step of a multi-step attack
Rutkowska and Wojtczuk @ BlackHat 2008
Wilhelm, Luft, and Ray @ HITB 2014
Attack Effect No. of Hypercall Attacks Crash / Corrupted state 12
Crash 4 Hang 4
Corrupted state 4 Hang / Crash 2
Crash / Information leakage 1 Crash / Corrupted state / Information leakage 1
10/22 Introduction Analysis: Attack Effects Recommendations Conclusions
Hypercall Attack Models
Definition and Benefits Categorized patterns of activities comprising a successful hypercall attack
Facilitate the development of approaches that involve mimicking attackers
The Hypercall Attack Models Setup phase
One or multiple regular hypercalls Optional
Attack phase
A single hypercall with regular parameter values with specifically crafted parameter value(s)
A series of regular hypercalls in a given order repetitive execution of a single hypercall repetitive execution of multiple hypercalls
11/22 Introduction Analysis: Attack Models Recommendations Conclusions
[Triggering CVE-2012-5513] Setup phase and execution of a single hypercall with a specifically crafted parameter value
Guest VM! Hypervisor!
HYPERVISOR_update_va_mapping!(…)!
Crash!.out.extent_start = 0xFFFF808000000000;!
HYPERVISOR_memory_op!(XENMEM_exchange, &exchange);!
0
x32!
Attack Models: Examples (1/4)
12/22 Introduction Analysis: Attack Models Recommendations Conclusions
[Triggering CVE-2013-1964] Setup phase and execution of a single regular hypercall
SVM! Hypervisor!
HYPERVISOR_grant_table_op!(GNTTABOP_copy, …)!
Corrupted state!
DVM!
HYPERVISOR_grant_table_op!(GNTTABOP_setup_table, …)!
0
0
Attack Models: Examples (2/4)
13/22 Introduction Analysis: Attack Models Recommendations Conclusions
[Triggering CVE-2013-4494] Execution of a series of regular hypercalls
Guest VM! Hypervisor!
HYPERVISOR_grant_table_op!(GNTTABOP_setup, ….)!
Hang!HYPERVISOR_grant_table_op!(GNTTABOP_transfer, ….)!
(at vCPU #1)!
(at vCPU #2)!
Attack Models: Examples (3/4)
14/22 Introduction Analysis: Attack Models Recommendations Conclusions
[Triggering CVE-2012-3495] Repetitive execution of a single regular hypercall
Guest VM! Hypervisor!
HYPERVISOR_physdev_op!(PHYSDEVOP_get_free_pirq, …)!
Crash!
HYPERVISOR_physdev_op!(PHYSDEVOP_get_free_pirq, …)!
0
x16!
Attack Models: Examples (4/4)
15/22 Introduction Analysis: Attack Models Recommendations Conclusions
Extending the Frontiers
Securing Hypercall Interfaces: Proactive Approaches Preventing hypercall attacks from occuring
Vulnerability discovery Secure programming practices
Securing Hypercall Interfaces: Reactive Approaches Detecting and preventing hypercall attacks as they occur
Hypercall security mechanisms
Introduction Analysis Recommendations Conclusions 16/22
Securing Hypercall Interfaces: Proactive Approaches
Vulnerability Discovery: Fuzzing Lack of publicly available approaches and tools for fuzzing hypercalls
Challenge: Systematic coverage of hypercall code
Vulnerability Discovery: Formal Verification Lack of formal verification methods for discovering non-implementation errors
Freitas and McDermott (2011) re-engineer the Xen hypercall interface Focus: Information-flow security
Pucetti (2010) use Frama-C to analyze Xen hypercalls Focus: Vulnerabilities due to implementation errors
Introduction Analysis Recommendations Conclusions 17/22
Securing Hypercall Interfaces: Proactive Approaches
Secure Programming Practices
Programming practices enforcing value validations
Missing value validation errors: 60 % of all implementation errors
Challenge Performance (… remember continuations?)
Security enhanced operating mode of hypervisors (XSM FLASK) Security-enhanced operating modes of hypercall interfaces?
Introduction Analysis Recommendations Conclusions 18/22
Securing Hypercall Interfaces: Reactive Approaches Hypercall Security Mechanisms
Intrusion detection systems and MAC systems
Collabra , MAC/HAT, RandHyp, XSM-FLASK
Attacks triggering vulnerabilities due to non-implementation errors? Novel hypercall attack detection techniques
Attack models (attack phase)!
!Execution of a single hypercall with !
specifically crafted parameter value(s)!
!Execution of a single !
regular hypercall*!
!Execution of a series of regular hypercall in !
a given order*!
!Repetitive execution of !
a single hypercall*!
!Repetitive execution of !
multiple hypercalls*!
Current security mechanisms!
*) Hypercall(s) executed in a way such that!• the targeted hypervisor cannot properly handle, or!• an erroneous program code is executed.!
Introduction Analysis Recommendations Conclusions 19/22
Securing Hypercall Interfaces: Reactive Approaches
Workloads That Contain Hypercall Attacks Evaluation of hypercall security mechanisms
“We have some difficulties to fully evaluate the efficiency of our hypercall protection measures…” Le (2009), pg. 47
Aleksandar Milenkoski, Bryan D. Payne, Nuno Antunes, Marco Vieira, and Samuel Kounev. HInjector: Injecting Hypercall Attacks for Evaluating VMI-based Intrusion Detection Systems (Poster Paper). In ACSAC 2013, New Orleans, USA, 2013.
Introduction Analysis Recommendations Conclusions 20/22
Conclusions
Vulnerability Analysis 35 hypercall vulnerabilities analyzed
Reverse-engineering released patches à Proof-of-concept code
Observations Implementation errors – missing value validations: Performance ßà Security
Non-implementation errors are very common
Are hypercall interfaces reliable?
Hypercall attacks: Effective DoS attacks, parts of multi-step attacks
Attack models: Mostly regular hypercalls
Introduction Analysis Recommendations Conclusions 21/22
Conclusions
Recommendations Securing hypercall interfaces: Proactive approaches
Approaches and tools for fuzzing hypercalls
Secure hypercall programming practices
Methods for formally verifying hypercalls
Securing hypercall interfaces: Reactive approaches
Novel hypercall attack detection techniques
Approaches for generating workloads that contain hypercall attacks
Thank you for your attention
Introduction Analysis Recommendations Conclusions 22/22
References L. Freitas and J. McDermott, “Formal methods for security in the Xenon hypervisor,” International Journal on Software Tools for Technology Transfer, vol. 13, no. 5, pp. 463 – 489, 2011.
A. Puccetti, “Static Analysis of the XEN Kernel using Frama-C,” Journal of Universal Computer Science, vol. 16, no. 4, pp. 543 – 553, 2010.
XSM-FLASK. [Online]. Available: http://wiki.xen.org/wiki/ Xen Security Modules : XSM- FLASK.
S. Bharadwaja, W. Sun, M. Niamat, and F. Shen, “Collabra: A Xen Hypervisor Based Collaborative Intrusion Detection System,” in Proceedings of the 2011 Eighth International Conference on Information Technology: New Generations. IEEE Computer Society, 2011, pp. 695–700.
C. Hoang Le, “Protecting Xen hypercalls: Intrusion Detection/Prevention in a Virtualization Environment,” Master’s thesis, UBC, Vancouver, Canada, 2009.
F. Wang, P. Chen, B. Mao, and L. Xie, “RandHyp: Preventing Attacks via Xen Hypercall Interface,” in Information Security and Privacy Research. Springer Berlin Heidelberg, 2012, vol. 376, pp. 138–149.