SlideShare ist ein Scribd-Unternehmen logo

[Ruxcon] Breaking virtualization by switching the cpu to virtual 8086 mode

Moabi.com
Moabi.com

Talk given at Ruxcon 2010 (Melbourne, Australia) on breaking virtualization.

1 von 86
Downloaden Sie, um offline zu lesen
Breaking virtualization by switching the cpu to virtual 8086 mode Jonathan Brossard CEO – Toucan System jonathan@ toucan-system.com
Agenda Virtualization : big picture Attack surface analysis The need for new tools Introducing Virtual 8086 mode •Practical fuzzing with vm86()
Virtualization : big picture Market shares Definitions
Virtualization : market shares Source : Forrester Research 2009 78% of companies have production servers virtualized. 20% only have virtualized servers.
Virtualization : market shares Source : Forrester Research 2009 VMWare is present in 98% of the companies. Microsoft virtualization products are used by 17%. Citrix/Xen is used by 10%.
In a nutshell... - As widespread as Apache or Bind • - Proprierary software + very few builds + weak toolchains so it runs with other toolchains (no SSP, etc) = reliable exploitation. - You don't need a « remote » exploit : you buy a shell at the same hosting provider.
Usage - Cost reduction (shared hosting) - Scalability (cloud computing) - Run broken applications on broken Oses (legacy).
Definitions
Virtualization : Definitions Virtualization Virtualization is the name given to the simulation with higher level components, of lower level components. NOTE: Virtualization of applications (as opposed to full Oses) is out of topic.
Virtualization : Definitions Virtual Machine A virtual machine (VM) is : "an efficient, isolated duplicate of a real machine". -- Gerald J. Popek and Robert P. Goldberg (1974). "Formal Requirements for Virtualizable Third Generation Architectures", Communications of the ACM.
Paravirtualization
Virtualization : Definitions Paravirtualization Requires the modification of the guest Oses (eg: Xen, UML, Qemu with kquemu, VMWare Workstation with VMWare Tools). Opposed to « full virtualization ».
Virtualization : Definitions There are two types of virtualizations : Virtual Machine Monitors (or Hypervisors) of type I and type II.
Type I Hypervisor
Virtualization : Definitions Hypervisors of type I Run on bare metal (eg: Xen, Hyper-V, VMWare ESX).
Type II hypervisor
Virtualization : Definitions Hypervizors of type II Run as a process inside a host OS to virtualize guests Oses (eg: Qemu, Virtualbox, VMWare Workstation, Parallels).
Hardware assisted virtualization
Hardware assisted virtualization - Takes advantage of AMD-V On Intel VT-x CPU extentions for virtualization. - x64 Only. - The hypervisor is running in « ring -1 ». - Much like the NX bit : requires the motherboard to support it and activation in the BIOS.
Virtualization : Definitions Isolation Isolation of the userland part of the OS to simulate independant machines (eg: Linux-Vservers, Solaris « Zones », BSD « jails », OpenVZ under GNU/Linux).
Isolation
Attack surface analysis Depending on your perspective... What are the risks ? Where to attack ?
Privilege escalation on the host Exemple : VMware Tools HGFS Local Privilege Escalation Vulnerability (http://labs.idefense.com/intelligence/v ulnerabilities/display.php?id=712)
Demos Attacking setuid binaries in vmware. Virtual machines file fuzzing on virtualbox.
Privilege escalation on the Guest Exemple : CVE-2009-2267 « Mishandled exception on page fault in VMware » Tavis Ormandy and Julien Tinnes
Demo Overwriting the MBR under vserver and instrumenting the original bootloader with keyboard/motherboard PIC programming through ioports (see also « Invisible Man » tool from Jonathan Brossard, Defcon 2008).
Attacking other guests Exemple: Vmare workstation guest isolation weaknesses (clipboard transfer) http://www.securiteam.com/securitynew s/5GP021FKKO.html
DoS (Host + Guests) Exemple: CVE-2007-4591 CVE-2007-4593 (bad ioctls crashing the Host+Guests)
Demo Attacking vmware kernel modules with ioctls.
Escape to host Exemples : Rafal Wojtczuk (Invisible things, BHUS 2008) Kostya Kortchinsky (« Cloudburst », BHUS 2009). IDEFENSE VMware Workstation Shared Folders Directory Traversal Vulnerability (CVE-2007-1744)
Escape to host This is the real hard thing, and what we will focus on on the rest of this talk.
Attack surface analysis : usage Hosting two companies on the same hardware is very common (shared hosting). Getting a shell on the same machine as a given target may therefor be a matter of paying a few euros a month.
Attack surface : conclusion Rooting the Host OS from the Guest is practical (Kostya Kortchinsky BHUS 2009, Rafal Wojtczuk BHUS 2008). Seemingly minor bugs (local, DoS) do matter : virtualization amplifies consequences. Note : public, reliable, packed attack tools exist (Claudio Criscione, HITB Kuala Lumpur 2010)
The need for dedicated methodologies and tools
The need for new tools : example How do you attack a hard drive with software ? What about a screen or a keyboard ? => Unusual attack surface.
How to dynamically test a virtual Hard Drive ? Naive approach Standard API : ssize_t read(int fd, void *buf, size_t count); ssize_t write(int fd, const void *buf, size_t count); This would mostly fuzz the kernel, not the Virtual Machine :( We need something (much) lower level.
(low level) attack vectors Ioports: outb, outw, outl, outsb, outsw, outsl, inb, inw, inl, insb, insw, insl, outb_p, outw_p, outl_p, inb_p, inw_p, inl_p Problems: sequence, multiple ports Ioctls: int ioctl(int d, int request, ...) Problems : arbitrary input size !
Demos Attacking Vmware's Direct Memory Access (DMA) with ioports fuzzing.
How did we used to do it « back in the days » ? MS Dos : direct access to the hardware (interrupts : BIOS, HD, Display, …) Can we get back to this ?
Introducing the Virtual 8086 mode
Introducing the Virtual 8086 mode Introduced with Intel 386 (1985) Purpose : run 16b applications under 32b Operationg systems (eg : MS DOS COM files under Windows).
Introducing the Virtual 8086 mode Intel x86 cpus support 3 main modes - Protected mode - Real mode - System Management Mode (SMM)
Nice things about Real mode / Virtual 8086 mode Direct access to hardware via interruptions !
example: Mov ah, 0x42 ; read sector from drive Mov ch, 0x01 ; Track Mov cl, 0x02 ; Sector Mov dh, 0x03 ; Head Mov dl, 0x80 ; Drive (here first HD) Mov bx, offset buff ; es:bx is destination Int 0x13 ; hard disk operation
Complexity ax*bx*cx*dx (per interruption) Id est: [0;65535]^4 ~ 1.8 * 10^19 => still huge. But it's possible to call every function on every device (just not with all possible parameters). => much better than ioctl()'s arbitrary input length !
Attacking a Hard Disk : exemple functions tested Int 13/AH=00h - DISK - RESET DISK SYSTEM Int 13/AH=01h - DISK - GET STATUS OF LAST OPERATION Int 13/AH=02h - DISK - READ SECTOR(S) INTO MEMORY Int 13/AH=03h - DISK - WRITE DISK SECTOR(S) Int 13/AH=04h - DISK - VERIFY DISK SECTOR(S) Int 13/AH=05h - FLOPPY - FORMAT TRACK … Int 13/AH=09h - HARD DISK - INITIALIZE CONTROLLER WITH DRIVE PARAMETERS Int 13/AH=0Ah - HARD DISK - READ LONG SECTOR(S) (AT and later) Int 13/AH=0Bh - HARD DISK - WRITE LONG SECTOR(S) (AT and later) Int 13/AH=0Ch - HARD DISK - SEEK TO CYLINDER Int 13/AH=0Dh - HARD DISK - RESET HARD DISKS Int 13/AH=0Eh - HARD DISK - READ SECTOR BUFFER (XT only) Int 13/AH=0Fh - HARD DISK - WRITE SECTOR BUFFER (XT only) Int 13/AH=10h - HARD DISK - CHECK IF DRIVE READY Int 13/AH=11h - HARD DISK - RECALIBRATE DRIVE Int 13/AH=12h - HARD DISK - CONTROLLER RAM DIAGNOSTIC (XT,PS) ...
Attacking a Hard Disk : model/vendor specific ints Int 13/AH=43h - IBM/MS INT 13 Extensions - EXTENDED WRITE Int 13/AH=44h - IBM/MS INT 13 Extensions - VERIFY SECTORS Int 13/AH=45h - IBM/MS INT 13 Extensions - LOCK/UNLOCK DRIVE Int 13/AH=46h - IBM/MS INT 13 Extensions - EJECT MEDIA Int 13/AH=47h - IBM/MS INT 13 Extensions - EXTENDED SEEK Int 13/AH=48h - IBM/MS INT 13 Extensions - GET DRIVE PARAMETERS Int 13/AH=49h - IBM/MS INT 13 Extensions - EXTENDED MEDIA CHANGE … Int 13/AX=5504h - Seagate ST01/ST02 - RETURN IDENTIFICATION Int 13/AX=5505h - Seagate - ??? - PARK HEADS Int 13/AX=5505h - Seagate ST01/ST02 - PARK HEADS Int 13/AX=5506h - Seagate ST01/ST02 - SCSI Bus Parity Int 13/AX=5507h - Seagate ST01/ST02 - RESERVED FUNCTIONS
How to attack a Hard drive ? By calling all those functions, our coverage is much much better than if we just had used read()/write() on disk.
How to attack a keyboard ? Int 16/AH=00h - KEYBOARD - GET KEYSTROKE Int 16/AH=01h - KEYBOARD - CHECK FOR KEYSTROKE Int 16/AH=02h - KEYBOARD - GET SHIFT FLAGS Int 16/AH=03h - KEYBOARD - SET TYPEMATIC RATE AND DELAY Int 16/AH=04h - KEYBOARD - SET KEYCLICK (PCjr only) Int 16/AH=09h - KEYBOARD - GET KEYBOARD FUNCTIONALITY Int 16/AH=0Ah - KEYBOARD - GET KEYBOARD ID Int 16/AH=10h - KEYBOARD - GET ENHANCED KEYSTROKE Int 16/AH=11h - KEYBOARD - CHECK FOR ENHANCED KEYSTROKE Int 16/AH=12h - KEYBOARD - GET EXTENDED SHIFT STATES Int 16/AH=20h - KEYBOARD - GET 122-KEY KEYSTROKE Int 16/AH=21h - KEYBOARD - CHECK FOR 122-KEY KEYSTROKE Int 16/AH=22h - KEYBOARD - GET 122-KEY SHIFT STATUS ...
How to attack a screen ? Int 10/AH=00h - VIDEO - SET VIDEO MODE Int 10/AX=0070h - VIDEO - Everex Micro Enhancer EGA/Viewpoint VGA - EXTENDED MODE SET Int 10/AX=007Eh - VIDEO - Paradise VGA, AT&T VDC600 - SET SPECIAL MODE Int 10/AX=007Fh/BH=00h - VIDEO - Paradise VGA, AT&T VDC600 - SET VGA OPERATION Int 10/AX=007Fh/BH=01h - VIDEO - Paradise VGA, AT&T VDC600 - SET NON-VGA OPERATION Int 10/AX=007Fh/BH=02h - VIDEO - Paradise VGA, AT&T VDC600 - QUERY MODE STATUS Int 10/AX=007Fh/BH=03h - VIDEO - Paradise VGA, AT&T VDC600 - LOCK CURRENT MODE Int 10/AX=007Fh/BH=04h - VIDEO - Paradise VGA, AT&T VDC600 - ENTER MDA EMULATION MODE Int 10/AX=007Fh/BH=05h - VIDEO - Paradise VGA, AT&T VDC600 - ENTER CGA EMULATION MODE Int 10/AX=007Fh/BH=06h - VIDEO - Paradise VGA, AT&T VDC600 - ENTER MONOCHROME VGA MODE Int 10/AX=007Fh/BH=07h - VIDEO - Paradise VGA, AT&T VDC600 - ENTER COLOR VGA MODE ...
Introducing the Virtual 8086 mode Problem is... is this even possible inside a virtual machine ?
Introducing the Virtual 8086 mode The kernel boots in (16b) real mode, and then switches to protected mode (32b). The cpu normally doesn't get back to real mode untill next reboot.
Introducing the Virtual 8086 mode Corollary The hypervisor could run under any mode. protected mode in practice (being it ring0, ring1 or ring3). All of the guests run only in protected mode.
Now how to swith to Virtual 8086 mode ? It this even possible ?
Leaving protected mode ? (Ascii Art : Courtesy of phrack 65) Setting the VM flag in CR0 under protected mode would get us to Virtual Mode Removing the PE flag from CR0 would get us back to real mode
Leaving protected mode ? linux-2.6.31/arch/x86/kernel/reboot.c: static const unsigned char real_mode_switch [] = { 0x66, 0x0f, 0x20, 0xc0, /* movl %cr0,%eax */ 0x66, 0x83, 0xe0, 0x11, /* andl $0x00000011,%eax */ 0x66, 0x0d, 0x00, 0x00, 0x00, 0x60, /* orl $0x60000000,%eax */ 0x66, 0x0f, 0x22, 0xc0, /* movl %eax,%cr0 */ 0x66, 0x0f, 0x22, 0xd8, /* movl %eax,%cr3 */ 0x66, 0x0f, 0x20, 0xc3, /* movl %cr0,%ebx */ 0x66, 0x81, 0xe3, 0x00, 0x00, 0x00, 0x60, /* andl $0x60000000,%ebx */ 0x74, 0x02, /* jz f */ 0x0f, 0x09, /* wbinvd */ 0x24, 0x10, /* f: andb $0x10,al */ 0x66, 0x0f, 0x22, 0xc0 /* movl %eax,%cr0 */ };
Trouble is... This obviously won't work inside a virtual machine ! Because CR[1-4] registers are themselves emulated
IS THIS « GAME OVER » ? Actually not quite ...
Truth is : we don't need to switch back to real mode/virtual 8086 mode ! Most Operating systems offer a way to run 16b applications (eg: MS DOS) under protected mode by emulating a switch to Virtual 8086 Mode. Notably Windows (x86) and Linux (x86).
The Windows case NTVDM : ntvdm.exe « Windows 16b Virtual Machine »
The Linux case The linux kernel provides an emulation of real mode in the form of two syscalls: #define __NR_vm86old 113 #define __NR_vm86 166
The Linux case #include <sys/vm86.h> int vm86old(struct vm86_struct *info); int vm86(unsigned long fn, struct vm86plus_struct *v86);
struct vm86_struct { struct vm86_regs regs; unsigned long flags; unsigned long screen_bitmap; unsigned long cpu_type; struct revectored_struct int_revectored; struct revectored_struct int21_revectored; };
The Linux case linux-2.6.31/arch/x86/include/asm/vm86.h: struct vm86_regs { long ebx; long ecx; long edx; long esi; long edi; long ebp; long eax; (…) unsigned short es, __esh; unsigned short ds, __dsh; unsigned short fs, __fsh; unsigned short gs, __gsh; };
In a nutshell - The switch to Virtual mode is entirely emulated by the kernel (this will work inside a VM) - We can still program using old school interruptions (easy !) - Those interruptions are delivered to the hardware (id est: either the emulated one, or the real one). => We just got a « bare metal (possibly virtualized) hardware interface »
The x64 case...
The x64 case X64 cpus in 64b long mode can't swith to Virtual mode. That's too bad : we'd like to fuzz latest Vmware ESX or Microsoft HyperV (necessarily under x64). But under virtualization, the switch to VM86 mode is being emulated by the kernel...
The x64 case Using kernel patches, we can add VM86 capabilities to a x64 GNU/Linux kernel. EG: http://v86-64.sourceforge.net to run Dosemu under x64. What's not possible in real hardware becomes possible under a virtualized environment !
Practical use : Fuzzing using vm86()
Practical use : Fuzzing using vm86() Looking at the IVT allows us to fuzz all the hardware detected after BIOS Post, efficently (no calls to empty/dummy interrupts).
Practical use : Fuzzing using vm86() Exemple bugs !
Practical use : Fuzzing using vm86() Bugs in hypervizors...
Virtualbox 00:21:13.603 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 00:21:13.603 !! 00:21:13.603 !! Guru Meditation -2403 (VERR_TRPM_DONT_PANIC) 00:21:13.603 !! 00:21:13.603 !! TRAP=0e ERRCD=0000000000000000 CR2=00000000000c0000 EIP=ff215e33 Type=0 00:21:13.603 !! EIP in VMMGC.gc (ff1dd000) at rva 38e33 near symbols: 00:21:13.603 !! ff215df0 rva 00038df0 off 00000043 _ZL10disCoreOneP12_DISCPUSTATEyPj 00:21:13.603 !! ff216040 rva 00039040 off -0000020d DISCoreOneEx 00:21:13.603 !! fff8:ff215e33 0f b6 10 movzx edx, byte [eax] 00:21:13.603 !! 00:21:13.603 !! 00:21:13.603 !! 00:21:13.603 Hypervisor CPUM state: se 00:21:13.603 .eax=000c0000 .ebx=fed69cfc .ecx=00000000 .edx=00000000 .esi=00000001 .edi=fec01000
Virtualbox (take 2) 00:02:51.129 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 00:02:51.129 !! 00:02:51.129 !! Guru Meditation -2403 (VERR_TRPM_DONT_PANIC) 00:02:51.129 !! 00:02:51.129 !! TRAP=0e ERRCD=0000000000000000 CR2=00000000000ab000 EIP=ff215e33 Type=0 00:02:51.129 !! EIP in VMMGC.gc (ff1dd000) at rva 38e33 near symbols: 00:02:51.129 !! ff215df0 rva 00038df0 off 00000043 _ZL10disCoreOneP12_DISCPUSTATEyPj 00:02:51.129 !! ff216040 rva 00039040 off -0000020d DISCoreOneEx 00:02:51.129 !! fff8:ff215e33 0f b6 10 movzx edx, byte [eax] 00:02:51.129 !! 00:02:51.129 !! 00:02:51.129 !! 00:02:51.129 Hypervisor CPUM state: se 00:02:51.129 .eax=000ab000 .ebx=fed69cfc .ecx=00000000 .edx=00000000 .esi=00000001 .edi=fec01000 00:02:51.129 .eip=ff215e33 .esp=fed69c7c .ebp=fed69cc4 .iopl=0 rf nv up di nt zr ac pe cy
More (guest) bugs
Virtual PC
Parallels (Guest) -------------- Guest processor state --------------- Inhibit Mask=0 CS=FF63 [0000FFFF 0000F30F] V=1 SS=FFD3 [0000FFFF 00CF9300] V=1 DS=0018 [0000FFFF 00CFF300] V=1 ES=0018 [0000FFFF 00CFF300] V=1 FS=FF9B [0000FFFF 00CF9300] V=1 GS=0018 [0000FFFF 00CF9300] V=1 EAX=000000A9 EBX=00005148 ECX=0000F686 EDX=0000000B ESI=00002D72 EDI=000007E4 EBP=00002E99 ESP=00000FFA EIP=0000FE96 EFLAGS=00023202
What about x64 ?
Attacking Microsoft HyperV
DEMO Fuzzing the virtualised hardware though VM86 mode under Vmware an Virtualbox.
Practical use : Fuzzing using vm86() Exemple bugs !
Attacking hot-plugged hardware ? => We need PCI capabilities.
Attacking hot-plugged hardware ? - PCI fuzzing over VM86: Int 1A/AX=B102h - PCI BIOS v2.0c+ - FIND PCI DEVICE Int 1A/AX=B103h - PCI BIOS v2.0c+ - FIND PCI CLASS CODE Int 1A/AX=B106h - PCI BIOS v2.0c+ - PCI BUS-SPECIFIC OPERATIONS Int 1A/AX=B108h - PCI BIOS v2.0c+ - READ CONFIGURATION BYTE Int 1A/AX=B109h - PCI BIOS v2.0c+ - READ CONFIGURATION WORD Int 1A/AX=B10Ah - PCI BIOS v2.0c+ - READ CONFIGURATION DWORD … - Or dedicated PCI configuration/memory fuzzer.
Limitations of VM86 fuzzing Hardware has to been accesible though interrupts (typically known at BIOS POST).
Thank you for coming Questions ?

Empfohlen

D1 t2 jonathan brossard - breaking virtualization by switching to virtual 8...
D1 t2 jonathan brossard - breaking virtualization by switching to virtual 8...D1 t2 jonathan brossard - breaking virtualization by switching to virtual 8...
D1 t2 jonathan brossard - breaking virtualization by switching to virtual 8...kbour23
 
LCA13: Xen on ARM
LCA13: Xen on ARMLCA13: Xen on ARM
LCA13: Xen on ARMLinaro
 
Audio Drivers
Audio DriversAudio Drivers
Audio DriversAnil Kumar Pugalia
 
Masked Occlusion Culling
Masked Occlusion CullingMasked Occlusion Culling
Masked Occlusion CullingIntel® Software
 
2166 Quayle
2166 Quayle2166 Quayle
2166 QuayleStanley F. Quayle
 
Virtualization Technology for Test Automation
Virtualization Technology for Test AutomationVirtualization Technology for Test Automation
Virtualization Technology for Test AutomationIosif Itkin
 
Embedded Systems Conference 2014 Presentation
Embedded Systems Conference 2014 PresentationEmbedded Systems Conference 2014 Presentation
Embedded Systems Conference 2014 PresentationManish Jaggi
 
Implements BIOS emulation support for BHyVe
Implements BIOS emulation support for BHyVeImplements BIOS emulation support for BHyVe
Implements BIOS emulation support for BHyVeTakuya ASADA
 

Empfohlen

D1 t2 jonathan brossard - breaking virtualization by switching to virtual 8...
D1 t2 jonathan brossard - breaking virtualization by switching to virtual 8...D1 t2 jonathan brossard - breaking virtualization by switching to virtual 8...
D1 t2 jonathan brossard - breaking virtualization by switching to virtual 8...kbour23
 
LCA13: Xen on ARM
LCA13: Xen on ARMLCA13: Xen on ARM
LCA13: Xen on ARMLinaro
 
Audio Drivers
Audio DriversAudio Drivers
Audio DriversAnil Kumar Pugalia
 
Masked Occlusion Culling
Masked Occlusion CullingMasked Occlusion Culling
Masked Occlusion CullingIntel® Software
 
2166 Quayle
2166 Quayle2166 Quayle
2166 QuayleStanley F. Quayle
 
Virtualization Technology for Test Automation
Virtualization Technology for Test AutomationVirtualization Technology for Test Automation
Virtualization Technology for Test AutomationIosif Itkin
 
Embedded Systems Conference 2014 Presentation
Embedded Systems Conference 2014 PresentationEmbedded Systems Conference 2014 Presentation
Embedded Systems Conference 2014 PresentationManish Jaggi
 
Implements BIOS emulation support for BHyVe
Implements BIOS emulation support for BHyVeImplements BIOS emulation support for BHyVe
Implements BIOS emulation support for BHyVeTakuya ASADA
 
Masked Software Occlusion Culling
Masked Software Occlusion CullingMasked Software Occlusion Culling
Masked Software Occlusion CullingIntel® Software
 
Implements BIOS emulation support for BHyVe: A BSD Hypervisor
Implements BIOS emulation support for BHyVe: A BSD HypervisorImplements BIOS emulation support for BHyVe: A BSD Hypervisor
Implements BIOS emulation support for BHyVe: A BSD HypervisorTakuya ASADA
 
SPI Drivers
SPI DriversSPI Drivers
SPI DriversSysPlay eLearning Academy for You
 
SR-IOV: The Key Enabling Technology for Fully Virtualized HPC Clusters
SR-IOV: The Key Enabling Technology for Fully Virtualized HPC ClustersSR-IOV: The Key Enabling Technology for Fully Virtualized HPC Clusters
SR-IOV: The Key Enabling Technology for Fully Virtualized HPC ClustersGlenn K. Lockwood
 
Project ACRN GVT-d introduction and tutorial
Project ACRN GVT-d introduction and tutorialProject ACRN GVT-d introduction and tutorial
Project ACRN GVT-d introduction and tutorialProject ACRN
 
QEMU - Binary Translation
QEMU - Binary Translation QEMU - Binary Translation
QEMU - Binary Translation Jiann-Fuh Liaw
 
Vpu technology &gpgpu computing
Vpu technology &gpgpu computingVpu technology &gpgpu computing
Vpu technology &gpgpu computingArka Ghosh
 
Project ACRN Device Model architecture introduction
Project ACRN Device Model architecture introductionProject ACRN Device Model architecture introduction
Project ACRN Device Model architecture introductionProject ACRN
 
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj MishraMalicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj MishraOWASP Delhi
 
numPYNQ: accelerating NumPy on PYNQ
numPYNQ: accelerating NumPy on PYNQnumPYNQ: accelerating NumPy on PYNQ
numPYNQ: accelerating NumPy on PYNQNECST Lab @ Politecnico di Milano
 
GPU: Understanding CUDA
GPU: Understanding CUDAGPU: Understanding CUDA
GPU: Understanding CUDAJoaquín Aparicio Ramos
 
Intro to GPGPU with CUDA (DevLink)
Intro to GPGPU with CUDA (DevLink)Intro to GPGPU with CUDA (DevLink)
Intro to GPGPU with CUDA (DevLink)Rob Gillen
 
ARM Servers and Xen – Hypervisor Support at Hyperscale-XPUS13 Wikelius
ARM Servers and Xen – Hypervisor Support at Hyperscale-XPUS13 WikeliusARM Servers and Xen – Hypervisor Support at Hyperscale-XPUS13 Wikelius
ARM Servers and Xen – Hypervisor Support at Hyperscale-XPUS13 WikeliusThe Linux Foundation
 
Understanding the BBB
Understanding the BBBUnderstanding the BBB
Understanding the BBBSysPlay eLearning Academy for You
 
The Real World of Virtual Datacenters + Supporting Materials
The Real World of Virtual Datacenters + Supporting MaterialsThe Real World of Virtual Datacenters + Supporting Materials
The Real World of Virtual Datacenters + Supporting MaterialsX. Breogan COSTA
 
ACRN vMeet-Up EU 2021 - shared memory based inter-vm communication introduction
ACRN vMeet-Up EU 2021 - shared memory based inter-vm communication introductionACRN vMeet-Up EU 2021 - shared memory based inter-vm communication introduction
ACRN vMeet-Up EU 2021 - shared memory based inter-vm communication introductionProject ACRN
 
Qemu
QemuQemu
Qemurobertsong
 
[h2hc] Generic exploitation of invalid memory writes
[h2hc] Generic exploitation of invalid memory writes[h2hc] Generic exploitation of invalid memory writes
[h2hc] Generic exploitation of invalid memory writesMoabi.com
 
Modo 8086 virtual
Modo 8086 virtualModo 8086 virtual
Modo 8086 virtualAlejandro Rodriguez
 
Nourifusion
NourifusionNourifusion
Nourifusioncarlosperu
 
MOOCs und OER - Wozu?
MOOCs und OER - Wozu?MOOCs und OER - Wozu?
MOOCs und OER - Wozu?Martin Ebner
 
Espazo natural Serra de Foncuberta
Espazo natural Serra de FoncubertaEspazo natural Serra de Foncuberta
Espazo natural Serra de Foncubertamonadela
 

Weitere ähnliche Inhalte

Was ist angesagt?

Masked Software Occlusion Culling
Masked Software Occlusion CullingMasked Software Occlusion Culling
Masked Software Occlusion CullingIntel® Software
 
Implements BIOS emulation support for BHyVe: A BSD Hypervisor
Implements BIOS emulation support for BHyVe: A BSD HypervisorImplements BIOS emulation support for BHyVe: A BSD Hypervisor
Implements BIOS emulation support for BHyVe: A BSD HypervisorTakuya ASADA
 
SR-IOV: The Key Enabling Technology for Fully Virtualized HPC Clusters
SR-IOV: The Key Enabling Technology for Fully Virtualized HPC ClustersSR-IOV: The Key Enabling Technology for Fully Virtualized HPC Clusters
SR-IOV: The Key Enabling Technology for Fully Virtualized HPC ClustersGlenn K. Lockwood
 
Project ACRN GVT-d introduction and tutorial
Project ACRN GVT-d introduction and tutorialProject ACRN GVT-d introduction and tutorial
Project ACRN GVT-d introduction and tutorialProject ACRN
 
QEMU - Binary Translation
QEMU - Binary Translation QEMU - Binary Translation
QEMU - Binary Translation Jiann-Fuh Liaw
 
Vpu technology &gpgpu computing
Vpu technology &gpgpu computingVpu technology &gpgpu computing
Vpu technology &gpgpu computingArka Ghosh
 
Project ACRN Device Model architecture introduction
Project ACRN Device Model architecture introductionProject ACRN Device Model architecture introduction
Project ACRN Device Model architecture introductionProject ACRN
 
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj MishraMalicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj MishraOWASP Delhi
 
Intro to GPGPU with CUDA (DevLink)
Intro to GPGPU with CUDA (DevLink)Intro to GPGPU with CUDA (DevLink)
Intro to GPGPU with CUDA (DevLink)Rob Gillen
 
ARM Servers and Xen – Hypervisor Support at Hyperscale-XPUS13 Wikelius
ARM Servers and Xen – Hypervisor Support at Hyperscale-XPUS13 WikeliusARM Servers and Xen – Hypervisor Support at Hyperscale-XPUS13 Wikelius
ARM Servers and Xen – Hypervisor Support at Hyperscale-XPUS13 WikeliusThe Linux Foundation
 
The Real World of Virtual Datacenters + Supporting Materials
The Real World of Virtual Datacenters + Supporting MaterialsThe Real World of Virtual Datacenters + Supporting Materials
The Real World of Virtual Datacenters + Supporting MaterialsX. Breogan COSTA
 
ACRN vMeet-Up EU 2021 - shared memory based inter-vm communication introduction
ACRN vMeet-Up EU 2021 - shared memory based inter-vm communication introductionACRN vMeet-Up EU 2021 - shared memory based inter-vm communication introduction
ACRN vMeet-Up EU 2021 - shared memory based inter-vm communication introductionProject ACRN
 

Was ist angesagt? (17)

Masked Software Occlusion Culling
Masked Software Occlusion CullingMasked Software Occlusion Culling
Masked Software Occlusion Culling
 
Implements BIOS emulation support for BHyVe: A BSD Hypervisor
Implements BIOS emulation support for BHyVe: A BSD HypervisorImplements BIOS emulation support for BHyVe: A BSD Hypervisor
Implements BIOS emulation support for BHyVe: A BSD Hypervisor
 
SPI Drivers
SPI DriversSPI Drivers
SPI Drivers
 
SR-IOV: The Key Enabling Technology for Fully Virtualized HPC Clusters
SR-IOV: The Key Enabling Technology for Fully Virtualized HPC ClustersSR-IOV: The Key Enabling Technology for Fully Virtualized HPC Clusters
SR-IOV: The Key Enabling Technology for Fully Virtualized HPC Clusters
 
Project ACRN GVT-d introduction and tutorial
Project ACRN GVT-d introduction and tutorialProject ACRN GVT-d introduction and tutorial
Project ACRN GVT-d introduction and tutorial
 
QEMU - Binary Translation
QEMU - Binary Translation QEMU - Binary Translation
QEMU - Binary Translation
 
Vpu technology &gpgpu computing
Vpu technology &gpgpu computingVpu technology &gpgpu computing
Vpu technology &gpgpu computing
 
Project ACRN Device Model architecture introduction
Project ACRN Device Model architecture introductionProject ACRN Device Model architecture introduction
Project ACRN Device Model architecture introduction
 
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj MishraMalicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
 
numPYNQ: accelerating NumPy on PYNQ
numPYNQ: accelerating NumPy on PYNQnumPYNQ: accelerating NumPy on PYNQ
numPYNQ: accelerating NumPy on PYNQ
 
GPU: Understanding CUDA
GPU: Understanding CUDAGPU: Understanding CUDA
GPU: Understanding CUDA
 
Intro to GPGPU with CUDA (DevLink)
Intro to GPGPU with CUDA (DevLink)Intro to GPGPU with CUDA (DevLink)
Intro to GPGPU with CUDA (DevLink)
 
ARM Servers and Xen – Hypervisor Support at Hyperscale-XPUS13 Wikelius
ARM Servers and Xen – Hypervisor Support at Hyperscale-XPUS13 WikeliusARM Servers and Xen – Hypervisor Support at Hyperscale-XPUS13 Wikelius
ARM Servers and Xen – Hypervisor Support at Hyperscale-XPUS13 Wikelius
 
Understanding the BBB
Understanding the BBBUnderstanding the BBB
Understanding the BBB
 
The Real World of Virtual Datacenters + Supporting Materials
The Real World of Virtual Datacenters + Supporting MaterialsThe Real World of Virtual Datacenters + Supporting Materials
The Real World of Virtual Datacenters + Supporting Materials
 
ACRN vMeet-Up EU 2021 - shared memory based inter-vm communication introduction
ACRN vMeet-Up EU 2021 - shared memory based inter-vm communication introductionACRN vMeet-Up EU 2021 - shared memory based inter-vm communication introduction
ACRN vMeet-Up EU 2021 - shared memory based inter-vm communication introduction
 
Qemu
QemuQemu
Qemu
 

Andere mochten auch

[h2hc] Generic exploitation of invalid memory writes
[h2hc] Generic exploitation of invalid memory writes[h2hc] Generic exploitation of invalid memory writes
[h2hc] Generic exploitation of invalid memory writesMoabi.com
 
MOOCs und OER - Wozu?
MOOCs und OER - Wozu?MOOCs und OER - Wozu?
MOOCs und OER - Wozu?Martin Ebner
 
Espazo natural Serra de Foncuberta
Espazo natural Serra de FoncubertaEspazo natural Serra de Foncuberta
Espazo natural Serra de Foncubertamonadela
 
Bases Sorteo Corsa
Bases Sorteo CorsaBases Sorteo Corsa
Bases Sorteo Corsadiegops
 
Pretivm september presentation
Pretivm september presentationPretivm september presentation
Pretivm september presentationPretiumR
 
July 9 ssc_gc_net_wan_service_industry_day_slides
July 9 ssc_gc_net_wan_service_industry_day_slidesJuly 9 ssc_gc_net_wan_service_industry_day_slides
July 9 ssc_gc_net_wan_service_industry_day_slidesKBIZEAU
 
Gremi d'Hotels de Barcelona (3ª sesión)
Gremi d'Hotels de Barcelona (3ª sesión)Gremi d'Hotels de Barcelona (3ª sesión)
Gremi d'Hotels de Barcelona (3ª sesión)Tirso Maldonado
 
Deloitte es tmt_predicciones-2016-infografia
Deloitte es tmt_predicciones-2016-infografiaDeloitte es tmt_predicciones-2016-infografia
Deloitte es tmt_predicciones-2016-infografiaOptimediaSpain
 
TDS CASSIDA GREASE HTS 2
TDS CASSIDA GREASE HTS 2TDS CASSIDA GREASE HTS 2
TDS CASSIDA GREASE HTS 2Đỗ Bá Tùng
 
Lista de Ganhadores eCGlobal/ Setembro 2013
Lista de Ganhadores eCGlobal/ Setembro 2013Lista de Ganhadores eCGlobal/ Setembro 2013
Lista de Ganhadores eCGlobal/ Setembro 2013eCGlobal Community
 
Slideshare dec-remarq-high value lead acquisition
Slideshare dec-remarq-high value lead acquisitionSlideshare dec-remarq-high value lead acquisition
Slideshare dec-remarq-high value lead acquisitionremarqio
 
Planetario luis enrique erro
Planetario luis enrique erroPlanetario luis enrique erro
Planetario luis enrique errosaytd
 

Andere mochten auch (20)

[h2hc] Generic exploitation of invalid memory writes
[h2hc] Generic exploitation of invalid memory writes[h2hc] Generic exploitation of invalid memory writes
[h2hc] Generic exploitation of invalid memory writes
 
Modo 8086 virtual
Modo 8086 virtualModo 8086 virtual
Modo 8086 virtual
 
Nourifusion
NourifusionNourifusion
Nourifusion
 
MOOCs und OER - Wozu?
MOOCs und OER - Wozu?MOOCs und OER - Wozu?
MOOCs und OER - Wozu?
 
Espazo natural Serra de Foncuberta
Espazo natural Serra de FoncubertaEspazo natural Serra de Foncuberta
Espazo natural Serra de Foncuberta
 
Bases Sorteo Corsa
Bases Sorteo CorsaBases Sorteo Corsa
Bases Sorteo Corsa
 
Pretivm september presentation
Pretivm september presentationPretivm september presentation
Pretivm september presentation
 
July 9 ssc_gc_net_wan_service_industry_day_slides
July 9 ssc_gc_net_wan_service_industry_day_slidesJuly 9 ssc_gc_net_wan_service_industry_day_slides
July 9 ssc_gc_net_wan_service_industry_day_slides
 
Zen hd thao tac
Zen hd thao tacZen hd thao tac
Zen hd thao tac
 
Gremi d'Hotels de Barcelona (3ª sesión)
Gremi d'Hotels de Barcelona (3ª sesión)Gremi d'Hotels de Barcelona (3ª sesión)
Gremi d'Hotels de Barcelona (3ª sesión)
 
Presentacion CMC - MAR16
Presentacion CMC - MAR16Presentacion CMC - MAR16
Presentacion CMC - MAR16
 
Deloitte es tmt_predicciones-2016-infografia
Deloitte es tmt_predicciones-2016-infografiaDeloitte es tmt_predicciones-2016-infografia
Deloitte es tmt_predicciones-2016-infografia
 
TDS CASSIDA GREASE HTS 2
TDS CASSIDA GREASE HTS 2TDS CASSIDA GREASE HTS 2
TDS CASSIDA GREASE HTS 2
 
El mito del especulador
El mito del especuladorEl mito del especulador
El mito del especulador
 
Lista de Ganhadores eCGlobal/ Setembro 2013
Lista de Ganhadores eCGlobal/ Setembro 2013Lista de Ganhadores eCGlobal/ Setembro 2013
Lista de Ganhadores eCGlobal/ Setembro 2013
 
Ppt mesa 2.0
Ppt mesa 2.0Ppt mesa 2.0
Ppt mesa 2.0
 
Slideshare dec-remarq-high value lead acquisition
Slideshare dec-remarq-high value lead acquisitionSlideshare dec-remarq-high value lead acquisition
Slideshare dec-remarq-high value lead acquisition
 
Skillphones virtual campus
Skillphones virtual campusSkillphones virtual campus
Skillphones virtual campus
 
Pre K At The Weekday School
Pre K At The Weekday SchoolPre K At The Weekday School
Pre K At The Weekday School
 
Planetario luis enrique erro
Planetario luis enrique erroPlanetario luis enrique erro
Planetario luis enrique erro
 

Ähnlich wie [Ruxcon] Breaking virtualization by switching the cpu to virtual 8086 mode

[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practicalMoabi.com
 
Hardware backdooring is practical : slides
Hardware backdooring is practical : slidesHardware backdooring is practical : slides
Hardware backdooring is practical : slidesMoabi.com
 
DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)Michael Smith
 
[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practical[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practicalMoabi.com
 
[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any means[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any meansMoabi.com
 
Virtual Pc Seminar
Virtual Pc SeminarVirtual Pc Seminar
Virtual Pc Seminarguest5b5549
 
Xen Euro Par07
Xen Euro Par07Xen Euro Par07
Xen Euro Par07congvc
 
Parallel Graphics in Frostbite - Current & Future (Siggraph 2009)
Parallel Graphics in Frostbite - Current & Future (Siggraph 2009)Parallel Graphics in Frostbite - Current & Future (Siggraph 2009)
Parallel Graphics in Frostbite - Current & Future (Siggraph 2009)Johan Andersson
 
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Nate Lawson
 
Achieving Performance Isolation with Lightweight Co-Kernels
Achieving Performance Isolation with Lightweight Co-KernelsAchieving Performance Isolation with Lightweight Co-Kernels
Achieving Performance Isolation with Lightweight Co-KernelsJiannan Ouyang, PhD
 
Virtualization Primer for Java Developers
Virtualization Primer for Java DevelopersVirtualization Primer for Java Developers
Virtualization Primer for Java DevelopersRichard McDougall
 
Presentation v mware performance overview
Presentation v mware performance overviewPresentation v mware performance overview
Presentation v mware performance overviewsolarisyourep
 
Openstackinsideoutv10 140222065532-phpapp01
Openstackinsideoutv10 140222065532-phpapp01Openstackinsideoutv10 140222065532-phpapp01
Openstackinsideoutv10 140222065532-phpapp01sprdd
 
OpenStack: Inside Out
OpenStack: Inside OutOpenStack: Inside Out
OpenStack: Inside OutEtsuji Nakai
 
Virtualization Technology for Test Automation
Virtualization Technology for Test AutomationVirtualization Technology for Test Automation
Virtualization Technology for Test Automationextentconf Tsoy
 

Ähnlich wie [Ruxcon] Breaking virtualization by switching the cpu to virtual 8086 mode (20)

[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical
 
Hardware backdooring is practical : slides
Hardware backdooring is practical : slidesHardware backdooring is practical : slides
Hardware backdooring is practical : slides
 
DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)
 
[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practical[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practical
 
[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any means[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any means
 
SR-IOV Introduce
SR-IOV IntroduceSR-IOV Introduce
SR-IOV Introduce
 
Xen io
Xen ioXen io
Xen io
 
Handout2o
Handout2oHandout2o
Handout2o
 
Virtual Pc Seminar
Virtual Pc SeminarVirtual Pc Seminar
Virtual Pc Seminar
 
Xen Euro Par07
Xen Euro Par07Xen Euro Par07
Xen Euro Par07
 
Low-level Accesses
Low-level AccessesLow-level Accesses
Low-level Accesses
 
Parallel Graphics in Frostbite - Current & Future (Siggraph 2009)
Parallel Graphics in Frostbite - Current & Future (Siggraph 2009)Parallel Graphics in Frostbite - Current & Future (Siggraph 2009)
Parallel Graphics in Frostbite - Current & Future (Siggraph 2009)
 
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
 
RISC-V 30908 patra
RISC-V 30908 patraRISC-V 30908 patra
RISC-V 30908 patra
 
Achieving Performance Isolation with Lightweight Co-Kernels
Achieving Performance Isolation with Lightweight Co-KernelsAchieving Performance Isolation with Lightweight Co-Kernels
Achieving Performance Isolation with Lightweight Co-Kernels
 
Virtualization Primer for Java Developers
Virtualization Primer for Java DevelopersVirtualization Primer for Java Developers
Virtualization Primer for Java Developers
 
Presentation v mware performance overview
Presentation v mware performance overviewPresentation v mware performance overview
Presentation v mware performance overview
 
Openstackinsideoutv10 140222065532-phpapp01
Openstackinsideoutv10 140222065532-phpapp01Openstackinsideoutv10 140222065532-phpapp01
Openstackinsideoutv10 140222065532-phpapp01
 
OpenStack: Inside Out
OpenStack: Inside OutOpenStack: Inside Out
OpenStack: Inside Out
 
Virtualization Technology for Test Automation
Virtualization Technology for Test AutomationVirtualization Technology for Test Automation
Virtualization Technology for Test Automation
 

Mehr von Moabi.com

[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler CollectionMoabi.com
 
[Blackhat2015] FileCry attack against Internet Explorer
[Blackhat2015] FileCry attack against Internet Explorer[Blackhat2015] FileCry attack against Internet Explorer
[Blackhat2015] FileCry attack against Internet ExplorerMoabi.com
 
[Blackhat2015] FileCry attack against Java
[Blackhat2015] FileCry attack against Java[Blackhat2015] FileCry attack against Java
[Blackhat2015] FileCry attack against JavaMoabi.com
 
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #Whitepaper
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #Whitepaper[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #Whitepaper
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #WhitepaperMoabi.com
 
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...Moabi.com
 
[2013 syscan360] Jonathan Brossard_katsuni理论介绍以及在沙盒和软件仿真方面的应用
[2013 syscan360] Jonathan Brossard_katsuni理论介绍以及在沙盒和软件仿真方面的应用[2013 syscan360] Jonathan Brossard_katsuni理论介绍以及在沙盒和软件仿真方面的应用
[2013 syscan360] Jonathan Brossard_katsuni理论介绍以及在沙盒和软件仿真方面的应用Moabi.com
 
Hardware backdooring is practical
Hardware backdooring is practicalHardware backdooring is practical
Hardware backdooring is practicalMoabi.com
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory AnalysisMoabi.com
 
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...Moabi.com
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory AnalysisMoabi.com
 
[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory Analysis[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory AnalysisMoabi.com
 
[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit Automation[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit AutomationMoabi.com
 
[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...
[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...
[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...Moabi.com
 
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...Moabi.com
 

Mehr von Moabi.com (14)

[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection
 
[Blackhat2015] FileCry attack against Internet Explorer
[Blackhat2015] FileCry attack against Internet Explorer[Blackhat2015] FileCry attack against Internet Explorer
[Blackhat2015] FileCry attack against Internet Explorer
 
[Blackhat2015] FileCry attack against Java
[Blackhat2015] FileCry attack against Java[Blackhat2015] FileCry attack against Java
[Blackhat2015] FileCry attack against Java
 
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #Whitepaper
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #Whitepaper[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #Whitepaper
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #Whitepaper
 
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...
 
[2013 syscan360] Jonathan Brossard_katsuni理论介绍以及在沙盒和软件仿真方面的应用
[2013 syscan360] Jonathan Brossard_katsuni理论介绍以及在沙盒和软件仿真方面的应用[2013 syscan360] Jonathan Brossard_katsuni理论介绍以及在沙盒和软件仿真方面的应用
[2013 syscan360] Jonathan Brossard_katsuni理论介绍以及在沙盒和软件仿真方面的应用
 
Hardware backdooring is practical
Hardware backdooring is practicalHardware backdooring is practical
Hardware backdooring is practical
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis
 
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis
 
[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory Analysis[Kiwicon 2011] Post Memory Corruption Memory Analysis
[Kiwicon 2011] Post Memory Corruption Memory Analysis
 
[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit Automation[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit Automation
 
[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...
[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...
[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...
 
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...
 

[Ruxcon] Breaking virtualization by switching the cpu to virtual 8086 mode

  • 1. Breaking virtualization by switching the cpu to virtual 8086 mode Jonathan Brossard CEO – Toucan System jonathan@ toucan-system.com
  • 2. Agenda Virtualization : big picture Attack surface analysis The need for new tools Introducing Virtual 8086 mode •Practical fuzzing with vm86()
  • 4. Virtualization : market shares Source : Forrester Research 2009 78% of companies have production servers virtualized. 20% only have virtualized servers.
  • 5. Virtualization : market shares Source : Forrester Research 2009 VMWare is present in 98% of the companies. Microsoft virtualization products are used by 17%. Citrix/Xen is used by 10%.
  • 6. In a nutshell... - As widespread as Apache or Bind • - Proprierary software + very few builds + weak toolchains so it runs with other toolchains (no SSP, etc) = reliable exploitation. - You don't need a « remote » exploit : you buy a shell at the same hosting provider.
  • 7. Usage - Cost reduction (shared hosting) - Scalability (cloud computing) - Run broken applications on broken Oses (legacy).
  • 9. Virtualization : Definitions Virtualization Virtualization is the name given to the simulation with higher level components, of lower level components. NOTE: Virtualization of applications (as opposed to full Oses) is out of topic.
  • 10. Virtualization : Definitions Virtual Machine A virtual machine (VM) is : "an efficient, isolated duplicate of a real machine". -- Gerald J. Popek and Robert P. Goldberg (1974). "Formal Requirements for Virtualizable Third Generation Architectures", Communications of the ACM.
  • 12. Virtualization : Definitions Paravirtualization Requires the modification of the guest Oses (eg: Xen, UML, Qemu with kquemu, VMWare Workstation with VMWare Tools). Opposed to « full virtualization ».
  • 13. Virtualization : Definitions There are two types of virtualizations : Virtual Machine Monitors (or Hypervisors) of type I and type II.
  • 15. Virtualization : Definitions Hypervisors of type I Run on bare metal (eg: Xen, Hyper-V, VMWare ESX).
  • 17. Virtualization : Definitions Hypervizors of type II Run as a process inside a host OS to virtualize guests Oses (eg: Qemu, Virtualbox, VMWare Workstation, Parallels).
  • 18. Hardware assisted virtualization
  • 19. Hardware assisted virtualization - Takes advantage of AMD-V On Intel VT-x CPU extentions for virtualization. - x64 Only. - The hypervisor is running in « ring -1 ». - Much like the NX bit : requires the motherboard to support it and activation in the BIOS.
  • 20. Virtualization : Definitions Isolation Isolation of the userland part of the OS to simulate independant machines (eg: Linux-Vservers, Solaris « Zones », BSD « jails », OpenVZ under GNU/Linux).
  • 22. Attack surface analysis Depending on your perspective... What are the risks ? Where to attack ?
  • 23. Privilege escalation on the host Exemple : VMware Tools HGFS Local Privilege Escalation Vulnerability (http://labs.idefense.com/intelligence/v ulnerabilities/display.php?id=712)
  • 24. Demos Attacking setuid binaries in vmware. Virtual machines file fuzzing on virtualbox.
  • 25. Privilege escalation on the Guest Exemple : CVE-2009-2267 « Mishandled exception on page fault in VMware » Tavis Ormandy and Julien Tinnes
  • 26. Demo Overwriting the MBR under vserver and instrumenting the original bootloader with keyboard/motherboard PIC programming through ioports (see also « Invisible Man » tool from Jonathan Brossard, Defcon 2008).
  • 27. Attacking other guests Exemple: Vmare workstation guest isolation weaknesses (clipboard transfer) http://www.securiteam.com/securitynew s/5GP021FKKO.html
  • 28. DoS (Host + Guests) Exemple: CVE-2007-4591 CVE-2007-4593 (bad ioctls crashing the Host+Guests)
  • 29. Demo Attacking vmware kernel modules with ioctls.
  • 30. Escape to host Exemples : Rafal Wojtczuk (Invisible things, BHUS 2008) Kostya Kortchinsky (« Cloudburst », BHUS 2009). IDEFENSE VMware Workstation Shared Folders Directory Traversal Vulnerability (CVE-2007-1744)
  • 31. Escape to host This is the real hard thing, and what we will focus on on the rest of this talk.
  • 32. Attack surface analysis : usage Hosting two companies on the same hardware is very common (shared hosting). Getting a shell on the same machine as a given target may therefor be a matter of paying a few euros a month.
  • 33. Attack surface : conclusion Rooting the Host OS from the Guest is practical (Kostya Kortchinsky BHUS 2009, Rafal Wojtczuk BHUS 2008). Seemingly minor bugs (local, DoS) do matter : virtualization amplifies consequences. Note : public, reliable, packed attack tools exist (Claudio Criscione, HITB Kuala Lumpur 2010)
  • 34. The need for dedicated methodologies and tools
  • 35. The need for new tools : example How do you attack a hard drive with software ? What about a screen or a keyboard ? => Unusual attack surface.
  • 36. How to dynamically test a virtual Hard Drive ? Naive approach Standard API : ssize_t read(int fd, void *buf, size_t count); ssize_t write(int fd, const void *buf, size_t count); This would mostly fuzz the kernel, not the Virtual Machine :( We need something (much) lower level.
  • 37. (low level) attack vectors Ioports: outb, outw, outl, outsb, outsw, outsl, inb, inw, inl, insb, insw, insl, outb_p, outw_p, outl_p, inb_p, inw_p, inl_p Problems: sequence, multiple ports Ioctls: int ioctl(int d, int request, ...) Problems : arbitrary input size !
  • 38. Demos Attacking Vmware's Direct Memory Access (DMA) with ioports fuzzing.
  • 39. How did we used to do it « back in the days » ? MS Dos : direct access to the hardware (interrupts : BIOS, HD, Display, …) Can we get back to this ?
  • 41. Introducing the Virtual 8086 mode Introduced with Intel 386 (1985) Purpose : run 16b applications under 32b Operationg systems (eg : MS DOS COM files under Windows).
  • 42. Introducing the Virtual 8086 mode Intel x86 cpus support 3 main modes - Protected mode - Real mode - System Management Mode (SMM)
  • 43. Nice things about Real mode / Virtual 8086 mode Direct access to hardware via interruptions !
  • 44. example: Mov ah, 0x42 ; read sector from drive Mov ch, 0x01 ; Track Mov cl, 0x02 ; Sector Mov dh, 0x03 ; Head Mov dl, 0x80 ; Drive (here first HD) Mov bx, offset buff ; es:bx is destination Int 0x13 ; hard disk operation
  • 45. Complexity ax*bx*cx*dx (per interruption) Id est: [0;65535]^4 ~ 1.8 * 10^19 => still huge. But it's possible to call every function on every device (just not with all possible parameters). => much better than ioctl()'s arbitrary input length !
  • 46. Attacking a Hard Disk : exemple functions tested Int 13/AH=00h - DISK - RESET DISK SYSTEM Int 13/AH=01h - DISK - GET STATUS OF LAST OPERATION Int 13/AH=02h - DISK - READ SECTOR(S) INTO MEMORY Int 13/AH=03h - DISK - WRITE DISK SECTOR(S) Int 13/AH=04h - DISK - VERIFY DISK SECTOR(S) Int 13/AH=05h - FLOPPY - FORMAT TRACK … Int 13/AH=09h - HARD DISK - INITIALIZE CONTROLLER WITH DRIVE PARAMETERS Int 13/AH=0Ah - HARD DISK - READ LONG SECTOR(S) (AT and later) Int 13/AH=0Bh - HARD DISK - WRITE LONG SECTOR(S) (AT and later) Int 13/AH=0Ch - HARD DISK - SEEK TO CYLINDER Int 13/AH=0Dh - HARD DISK - RESET HARD DISKS Int 13/AH=0Eh - HARD DISK - READ SECTOR BUFFER (XT only) Int 13/AH=0Fh - HARD DISK - WRITE SECTOR BUFFER (XT only) Int 13/AH=10h - HARD DISK - CHECK IF DRIVE READY Int 13/AH=11h - HARD DISK - RECALIBRATE DRIVE Int 13/AH=12h - HARD DISK - CONTROLLER RAM DIAGNOSTIC (XT,PS) ...
  • 47. Attacking a Hard Disk : model/vendor specific ints Int 13/AH=43h - IBM/MS INT 13 Extensions - EXTENDED WRITE Int 13/AH=44h - IBM/MS INT 13 Extensions - VERIFY SECTORS Int 13/AH=45h - IBM/MS INT 13 Extensions - LOCK/UNLOCK DRIVE Int 13/AH=46h - IBM/MS INT 13 Extensions - EJECT MEDIA Int 13/AH=47h - IBM/MS INT 13 Extensions - EXTENDED SEEK Int 13/AH=48h - IBM/MS INT 13 Extensions - GET DRIVE PARAMETERS Int 13/AH=49h - IBM/MS INT 13 Extensions - EXTENDED MEDIA CHANGE … Int 13/AX=5504h - Seagate ST01/ST02 - RETURN IDENTIFICATION Int 13/AX=5505h - Seagate - ??? - PARK HEADS Int 13/AX=5505h - Seagate ST01/ST02 - PARK HEADS Int 13/AX=5506h - Seagate ST01/ST02 - SCSI Bus Parity Int 13/AX=5507h - Seagate ST01/ST02 - RESERVED FUNCTIONS
  • 48. How to attack a Hard drive ? By calling all those functions, our coverage is much much better than if we just had used read()/write() on disk.
  • 49. How to attack a keyboard ? Int 16/AH=00h - KEYBOARD - GET KEYSTROKE Int 16/AH=01h - KEYBOARD - CHECK FOR KEYSTROKE Int 16/AH=02h - KEYBOARD - GET SHIFT FLAGS Int 16/AH=03h - KEYBOARD - SET TYPEMATIC RATE AND DELAY Int 16/AH=04h - KEYBOARD - SET KEYCLICK (PCjr only) Int 16/AH=09h - KEYBOARD - GET KEYBOARD FUNCTIONALITY Int 16/AH=0Ah - KEYBOARD - GET KEYBOARD ID Int 16/AH=10h - KEYBOARD - GET ENHANCED KEYSTROKE Int 16/AH=11h - KEYBOARD - CHECK FOR ENHANCED KEYSTROKE Int 16/AH=12h - KEYBOARD - GET EXTENDED SHIFT STATES Int 16/AH=20h - KEYBOARD - GET 122-KEY KEYSTROKE Int 16/AH=21h - KEYBOARD - CHECK FOR 122-KEY KEYSTROKE Int 16/AH=22h - KEYBOARD - GET 122-KEY SHIFT STATUS ...
  • 50. How to attack a screen ? Int 10/AH=00h - VIDEO - SET VIDEO MODE Int 10/AX=0070h - VIDEO - Everex Micro Enhancer EGA/Viewpoint VGA - EXTENDED MODE SET Int 10/AX=007Eh - VIDEO - Paradise VGA, AT&T VDC600 - SET SPECIAL MODE Int 10/AX=007Fh/BH=00h - VIDEO - Paradise VGA, AT&T VDC600 - SET VGA OPERATION Int 10/AX=007Fh/BH=01h - VIDEO - Paradise VGA, AT&T VDC600 - SET NON-VGA OPERATION Int 10/AX=007Fh/BH=02h - VIDEO - Paradise VGA, AT&T VDC600 - QUERY MODE STATUS Int 10/AX=007Fh/BH=03h - VIDEO - Paradise VGA, AT&T VDC600 - LOCK CURRENT MODE Int 10/AX=007Fh/BH=04h - VIDEO - Paradise VGA, AT&T VDC600 - ENTER MDA EMULATION MODE Int 10/AX=007Fh/BH=05h - VIDEO - Paradise VGA, AT&T VDC600 - ENTER CGA EMULATION MODE Int 10/AX=007Fh/BH=06h - VIDEO - Paradise VGA, AT&T VDC600 - ENTER MONOCHROME VGA MODE Int 10/AX=007Fh/BH=07h - VIDEO - Paradise VGA, AT&T VDC600 - ENTER COLOR VGA MODE ...
  • 51. Introducing the Virtual 8086 mode Problem is... is this even possible inside a virtual machine ?
  • 52. Introducing the Virtual 8086 mode The kernel boots in (16b) real mode, and then switches to protected mode (32b). The cpu normally doesn't get back to real mode untill next reboot.
  • 53. Introducing the Virtual 8086 mode Corollary The hypervisor could run under any mode. protected mode in practice (being it ring0, ring1 or ring3). All of the guests run only in protected mode.
  • 54. Now how to swith to Virtual 8086 mode ? It this even possible ?
  • 55. Leaving protected mode ? (Ascii Art : Courtesy of phrack 65) Setting the VM flag in CR0 under protected mode would get us to Virtual Mode Removing the PE flag from CR0 would get us back to real mode
  • 56. Leaving protected mode ? linux-2.6.31/arch/x86/kernel/reboot.c: static const unsigned char real_mode_switch [] = { 0x66, 0x0f, 0x20, 0xc0, /* movl %cr0,%eax */ 0x66, 0x83, 0xe0, 0x11, /* andl $0x00000011,%eax */ 0x66, 0x0d, 0x00, 0x00, 0x00, 0x60, /* orl $0x60000000,%eax */ 0x66, 0x0f, 0x22, 0xc0, /* movl %eax,%cr0 */ 0x66, 0x0f, 0x22, 0xd8, /* movl %eax,%cr3 */ 0x66, 0x0f, 0x20, 0xc3, /* movl %cr0,%ebx */ 0x66, 0x81, 0xe3, 0x00, 0x00, 0x00, 0x60, /* andl $0x60000000,%ebx */ 0x74, 0x02, /* jz f */ 0x0f, 0x09, /* wbinvd */ 0x24, 0x10, /* f: andb $0x10,al */ 0x66, 0x0f, 0x22, 0xc0 /* movl %eax,%cr0 */ };
  • 57. Trouble is... This obviously won't work inside a virtual machine ! Because CR[1-4] registers are themselves emulated
  • 58. IS THIS « GAME OVER » ? Actually not quite ...
  • 59. Truth is : we don't need to switch back to real mode/virtual 8086 mode ! Most Operating systems offer a way to run 16b applications (eg: MS DOS) under protected mode by emulating a switch to Virtual 8086 Mode. Notably Windows (x86) and Linux (x86).
  • 60. The Windows case NTVDM : ntvdm.exe « Windows 16b Virtual Machine »
  • 61.
  • 62. The Linux case The linux kernel provides an emulation of real mode in the form of two syscalls: #define __NR_vm86old 113 #define __NR_vm86 166
  • 63. The Linux case #include <sys/vm86.h> int vm86old(struct vm86_struct *info); int vm86(unsigned long fn, struct vm86plus_struct *v86);
  • 64. struct vm86_struct { struct vm86_regs regs; unsigned long flags; unsigned long screen_bitmap; unsigned long cpu_type; struct revectored_struct int_revectored; struct revectored_struct int21_revectored; };
  • 65. The Linux case linux-2.6.31/arch/x86/include/asm/vm86.h: struct vm86_regs { long ebx; long ecx; long edx; long esi; long edi; long ebp; long eax; (…) unsigned short es, __esh; unsigned short ds, __dsh; unsigned short fs, __fsh; unsigned short gs, __gsh; };
  • 66. In a nutshell - The switch to Virtual mode is entirely emulated by the kernel (this will work inside a VM) - We can still program using old school interruptions (easy !) - Those interruptions are delivered to the hardware (id est: either the emulated one, or the real one). => We just got a « bare metal (possibly virtualized) hardware interface »
  • 68. The x64 case X64 cpus in 64b long mode can't swith to Virtual mode. That's too bad : we'd like to fuzz latest Vmware ESX or Microsoft HyperV (necessarily under x64). But under virtualization, the switch to VM86 mode is being emulated by the kernel...
  • 69. The x64 case Using kernel patches, we can add VM86 capabilities to a x64 GNU/Linux kernel. EG: http://v86-64.sourceforge.net to run Dosemu under x64. What's not possible in real hardware becomes possible under a virtualized environment !
  • 70. Practical use : Fuzzing using vm86()
  • 71. Practical use : Fuzzing using vm86() Looking at the IVT allows us to fuzz all the hardware detected after BIOS Post, efficently (no calls to empty/dummy interrupts).
  • 72. Practical use : Fuzzing using vm86() Exemple bugs !
  • 73. Practical use : Fuzzing using vm86() Bugs in hypervizors...
  • 74. Virtualbox 00:21:13.603 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 00:21:13.603 !! 00:21:13.603 !! Guru Meditation -2403 (VERR_TRPM_DONT_PANIC) 00:21:13.603 !! 00:21:13.603 !! TRAP=0e ERRCD=0000000000000000 CR2=00000000000c0000 EIP=ff215e33 Type=0 00:21:13.603 !! EIP in VMMGC.gc (ff1dd000) at rva 38e33 near symbols: 00:21:13.603 !! ff215df0 rva 00038df0 off 00000043 _ZL10disCoreOneP12_DISCPUSTATEyPj 00:21:13.603 !! ff216040 rva 00039040 off -0000020d DISCoreOneEx 00:21:13.603 !! fff8:ff215e33 0f b6 10 movzx edx, byte [eax] 00:21:13.603 !! 00:21:13.603 !! 00:21:13.603 !! 00:21:13.603 Hypervisor CPUM state: se 00:21:13.603 .eax=000c0000 .ebx=fed69cfc .ecx=00000000 .edx=00000000 .esi=00000001 .edi=fec01000
  • 75. Virtualbox (take 2) 00:02:51.129 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 00:02:51.129 !! 00:02:51.129 !! Guru Meditation -2403 (VERR_TRPM_DONT_PANIC) 00:02:51.129 !! 00:02:51.129 !! TRAP=0e ERRCD=0000000000000000 CR2=00000000000ab000 EIP=ff215e33 Type=0 00:02:51.129 !! EIP in VMMGC.gc (ff1dd000) at rva 38e33 near symbols: 00:02:51.129 !! ff215df0 rva 00038df0 off 00000043 _ZL10disCoreOneP12_DISCPUSTATEyPj 00:02:51.129 !! ff216040 rva 00039040 off -0000020d DISCoreOneEx 00:02:51.129 !! fff8:ff215e33 0f b6 10 movzx edx, byte [eax] 00:02:51.129 !! 00:02:51.129 !! 00:02:51.129 !! 00:02:51.129 Hypervisor CPUM state: se 00:02:51.129 .eax=000ab000 .ebx=fed69cfc .ecx=00000000 .edx=00000000 .esi=00000001 .edi=fec01000 00:02:51.129 .eip=ff215e33 .esp=fed69c7c .ebp=fed69cc4 .iopl=0 rf nv up di nt zr ac pe cy
  • 78. Parallels (Guest) -------------- Guest processor state --------------- Inhibit Mask=0 CS=FF63 [0000FFFF 0000F30F] V=1 SS=FFD3 [0000FFFF 00CF9300] V=1 DS=0018 [0000FFFF 00CFF300] V=1 ES=0018 [0000FFFF 00CFF300] V=1 FS=FF9B [0000FFFF 00CF9300] V=1 GS=0018 [0000FFFF 00CF9300] V=1 EAX=000000A9 EBX=00005148 ECX=0000F686 EDX=0000000B ESI=00002D72 EDI=000007E4 EBP=00002E99 ESP=00000FFA EIP=0000FE96 EFLAGS=00023202
  • 81. DEMO Fuzzing the virtualised hardware though VM86 mode under Vmware an Virtualbox.
  • 82. Practical use : Fuzzing using vm86() Exemple bugs !
  • 83. Attacking hot-plugged hardware ? => We need PCI capabilities.
  • 84. Attacking hot-plugged hardware ? - PCI fuzzing over VM86: Int 1A/AX=B102h - PCI BIOS v2.0c+ - FIND PCI DEVICE Int 1A/AX=B103h - PCI BIOS v2.0c+ - FIND PCI CLASS CODE Int 1A/AX=B106h - PCI BIOS v2.0c+ - PCI BUS-SPECIFIC OPERATIONS Int 1A/AX=B108h - PCI BIOS v2.0c+ - READ CONFIGURATION BYTE Int 1A/AX=B109h - PCI BIOS v2.0c+ - READ CONFIGURATION WORD Int 1A/AX=B10Ah - PCI BIOS v2.0c+ - READ CONFIGURATION DWORD … - Or dedicated PCI configuration/memory fuzzer.
  • 85. Limitations of VM86 fuzzing Hardware has to been accesible though interrupts (typically known at BIOS POST).
  • 86. Thank you for coming Questions ?