Monday, July 07, 2008

0wning Xen in Vegas!

At this year’s Black Hat conference in Las Vegas in August we will be presenting three talks about the Xen hypervisor (in)security. The three presentations have been designed in such a way that they complement each other and create one bigger entirety, thus they can be referred as “Xen 0wning Trilogy” for brevity.

In the first presentation, Subverting the Xen hypervisor, Rafal will discuss how to modify the Xen’s hypervisor memory and consequently how to use this ability to plant hypervisor rootkits inside Xen (everything on the fly, without rebooting Xen). Hypervisor rootkits are very different creatures from virtualization based rootkits (e.g. Bluepill). This will be the first public demonstration of practical VMM 0wning (proof of concept code will be released, of course).

In the second talk, Detecting and Preventing the Xen hypervisor subversions, Rafal and I will discuss various anti-subverting techniques (IOMMU, Xen’s driver- and stub- domains) and whether they really can protect the Xen (or similar) hypervisor from compromises. After demonstrating that those mechanisms can be bypassed, we will switch to discussing hypervisor integrity scanning and will present some prototype solutions to this problem.

Our trilogy wouldn’t be complete without discussing virtualization based malware in the context of bare-metal hypervisor compromises. Thus, in the third speech, Bluepilling the Xen hypervisor, Alex and I will discuss how to insert Bluepill on top of the running Xen hypervisor. We will show how to do that both with and without restart (i.e. on the fly). To make this possible, our Bluepill needs to support full nested virtualization, so that Xen can still function properly. We will also discuss how the “Bluepill detection” methods proposed over the last 2 years, as well as the integrity scanning methods discussed in the previous speech, fit into this new scenario and how far we are from the stealth malware’s Holy Grail ;)

Special thanks to Black Hat organizers for scheduling all the three presentations one after another in a dedicated Virtualization track on the 2nd day of the conference (August 7th).

It’s worth noting that we chose Xen as the target not because we think it’s insecure and worthless. On the contrary, we believe Xen is the most secure bare-metal hypervisor out there (especially with all the goodies in the upcoming Xen 3.3). Still we believe that it needs some improvements when it comes to security. We hope that our presentations will help making Xen (and similar hypervisors) more secure.

Tuesday, July 01, 2008

Rafal Wojtczuk joins Invisible Things Lab

I’m very happy to announce that a well known researcher, Rafal Wojtczuk, will join our team this month.

For anybody who is serious about OS security research it is hard not to know Rafal’s work. I remember reading his Defeating Solar Designer non-executable stack patch article somewhere around 1998, when I was still a Linux newbie, learning shell programming back at that time ;)

Since then Rafal published many other articles, advisories and exploits, mostly Linux-related. To mention just a few – the *BSD procfs vulnerability (2000), the Linux Ptrace vulnerability (2001), the famous Advanced return-into-lib(c) paper (2002), the vulnerability in the SELinux (2003), a tool for automatic integer overflow discovery in Win32 binaries (2005) and many others. He’s also known for his libnids project.

Recently Rafal has been doing a lot of research in the area of virtualization and VMM security. In the recent months he found vulnerabilities that potentially allowed to escape a VM jail in all the major virtualization software from Microsoft, VMWare and, of course, Xen.

I wrote “and, of course, Xen”, as Rafal will be presenting a talk at the upcoming Black Hat about Subverting the Xen hypervisor. His talk will be the first one in the series of 3 presentations about Xen (in)security that Invisible Things Lab prepared for this year’s Black Hat. Stay tuned for more details in the coming days.

Rafal has been with McAfee Avert Labs until this month.