Csw2016 tang virtualization_device emulator testing technology
â˘
2 gefällt mirâ˘1,900 views
CanSecWest2016
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Andere mochten auch
Andere mochten auch (20)
Ăhnlich wie Csw2016 tang virtualization_device emulator testing technology
Ăhnlich wie Csw2016 tang virtualization_device emulator testing technology (20)
KĂźrzlich hochgeladen
KĂźrzlich hochgeladen (20)
Csw2016 tang virtualization_device emulator testing technology
- 1. 1 Speaker: Qinghao Tang Titleďź360 Marvel Team Leader Virtualization Device Emulator Testing Technology
- 2. 2 360 Marvel Team Established in May 2015, the first professional could computing and virtualization security team in China. Focusing on attack and defense techniques in virtualization system. â fuzzing framework â guest machine escape technology â Hypervisor risk defense technology
- 3. 3 Agenda â˘âŻ Virtualization System Attack Surface â˘âŻ Fuzzing framework â˘âŻ Case study
- 4. 4 Virtualization System Attack Surface
- 7. 7 Distinctions OS Physical Devices Guest OS Hardware emulator Hypervisor Physical Devices Guest OS Hardware emulator Normal Server Virtualization Server
- 8. 8 Attacking Processes in cloud computing 1.⯠Enter VM via web or other devices 2.⯠Exploit virtualization system vulnerabilities to escape VM 3.⯠lateral movements to others VMs on host 4.⯠Access to host network
- 9. 9 Operation Principles of device emulators
- 10. 10 The attack surface â˘âŻ Hardware virtualization componentsâ diversity Qemuďź 30+ Vmwareďź20+ â˘âŻ Bridge between inside-outside VM os -> device emulators -> Host os â˘âŻ Related Vulnerabilities result big dangers â˘âŻ Limitation
- 12. 12 Basic intro Attack surface ďź hardware virtual components Environment ďź qemu ďź vmware Testing results ďź more than 20 vulnerabilities Challenges ďź lower layers hard to predictďź Trends â˘âŻ more attack surfaces â˘âŻ more kinds of virtualization systems
- 13. 13 â˘âŻ Hardware virtualization focus on lower layers â˘âŻ Testing data totally different Compare to traditional targets System Kernel Hypervisor
- 14. 14 1. Analyze data which flowed to components 2. Change flowed-in dataâs contents and timing 3. Recording all of tiny abnormal activities 4. Analyze abnormal activities, takes and optimize fuzz framework. Methods for testing hardware virtual components
- 15. 15 Other factors of fuzz framework 1.Flexibility (other OS) â˘âŻ vm in Linux â˘âŻ coding in C and Python 2. Deeply understand VM system â˘âŻ language for coding â˘âŻ development environment â˘âŻ coding style
- 16. 16 os Control Center Fuzz framework structure HostHost os os os osos
- 17. 17 Fuzz framework working flow (part 1) 1. Set up network and hardware environment, launch server, client and monitor. 2. Load system hook module, get all of machinesâ device emulators 3. Client ask server for testing data of emulators, server send out required data. 4. Client received and loaded testing data, launch test. 5. Monitor continually monitor hypervisor, and record logs.
- 18. 18 Fuzz framework working flow (part 2) 6. Notify the server after client testing finished 7. Server get logs from client and monitor, save it. 8. Server launch log analyze module, determine if anything wrong happened, and notify admins. 9. Analyze program exceptions, optimize fuzz framework
- 19. 19 Functions of controlling center
- 20. 20 Get target components info
- 21. 21 â˘âŻ Device access ports â˘âŻ Device deal with structures used by data. â˘âŻ Device data processing Testing data
- 22. â˘âŻ User space: generate testing dat, send request to client kernel â˘âŻ Kernel space: apply for memory, fill memory, send info to ports â˘âŻ Device emulatorďźtesting data flow insideďźtrigger exceptions 22 Testing data attacks user space Kernel space Device controller
- 23. 23 Monitor VM management â˘âŻ Snapshot â˘âŻ Reboot â˘âŻ VM device editing Dynamic debugging â˘âŻ Debugging Mode on Start â˘âŻ Load Debugging Plugin VM processing log â˘âŻ User space â˘âŻ Kernel space
- 24. 24 Exceptions occur in device emulator â˘âŻ VM os crash â˘âŻ Hypervisor crash â˘âŻ Invisible results
- 25. 25 Advanced monitoring skills â˘âŻ Dynamic â˘âŻ Static
- 26. 26 Optimize fuzz framework by using log data â˘âŻ Client log Decrease invalid combinations â˘âŻ Monitor log Promote coverage â˘âŻ Server log
- 27. 27 Vulnerabilities found by us
- 28. 28 Case Study
- 29. 29 â˘âŻInitialization Port Allocation ďź Address Mapping Device Status Setting, Resource Allocation â˘âŻData Transfer 'Write Command' to device TDT register process of descriptor 3 types descriptor ďź context ďź data ďź legacy data xfer set status ďź wait for next instruction â˘âŻProcessing Details Circular Memory TSO ďź tcp segmentation/flow control. Principle of e1000 Network Device
- 30. 30 â˘âŻ Qemu e1000 Network Device â˘âŻ Vmware e1000 Network Device E1000 vulnerability analysis
- 31. 31 Pcnet network card emulator working processes Io port write Control and Status Registers write Receive Send Virtual Network Interface
- 32. 32 â˘âŻ Qemu pcnet Network Device Pcnet vulnerability analysis
- 33. 33 Summary Stay tuned for more achievements by 360 Marvel Team