VMware escape and firmware viruses
or “Are you sure that it is your network card running under the hypervisor?”
Arrigo Triulzi
30th October 2007 © Arrigo Triulzi, 2007

Overview
• Historical background
• Escaping Virtual Machines
• Escaping VMware
• Altering the landscape
• Beyond escaping
• Conclusions

Historical background
• Virtual Machines (VMs) are an old concept:
  – Pioneered by IBM in 1968 (System/36 and OS/VM).
  – Evolved by IBM to the point of testing new releases of OS/VM under OS/VM itself.
  – Used also for programming languages (Pascal p-code, Java, etc.).

Historical background
• The “industrial strength” VMs were IBM's forte. The concept of “LPAR escape” is still viewed as heresy.
• Weaker forms of VMs exist: BSD jails, Solaris containers, etc.
• In programming languages they are very fashionable: Java, C#, etc.

Escaping Virtual Machines
• Escaping a VM is obviously attractive:
  – Prevent virus/bot analysis,
  – Take over a virus analyst's console,
  – Modify the host operating system,
  – Walk away with the VMware disk images and demand a ransom,
  – Subvert “secure” software environments…

Escaping Virtual Machines
Let us consider the JVM…
• Initial design:
  – Bytecode was always interpreted
  – Bytecode was verified on load
  – Ran (almost) everywhere
  – Was terribly slow!

Escaping Virtual Machines
• Enter the Just-In-Time compiler:
  – Selected bytecode is compiled into machine code for the architecture
  – By carefully choosing the bytecode to be compiled the JVM obtains substantial speed improvements
  – So, everyone is happy, right?

Escaping Virtual Machines
• The JIT is a complex piece of code, far more complex than the bytecode interpreter itself.
• The bytecode interpreter is “provably correct”.
• The JIT isn't.
• Therefore the JIT is “interesting”.

Escaping Virtual Machines
[Diagram: data (JVM bytecode) → JIT → code]
The JVM now has a fast path “hotspot” which assumes that the hotspot code is safe and correct.

Escaping Virtual Machines
• The JIT converts data (the bytecode) into code (the “hotspot”) thereby bypassing the “interpret only” security of the JVM.
• So, if we manage to write some bytecode which is acceptable to the JVM bytecode verifier but triggers a bug in the JIT we might have an escape…