Poacher Turned Gamekeeper: Lessons Learned from Eight Years of Breaking Hypervisors

Presented at Black Hat USA 2014, Aug. 7, 2014, 5 p.m. (60 minutes)

Hypervisors have become a key element of both cloud and client computing. It is without doubt that hypervisors are going to be commonplace in future devices, and play an important role in the security industry. In this presentation, we discuss in detail the various lessons learnt whilst building and breaking various common hypervisors. In particular, we take a trip down memory lane and examine vulnerabilities found in all the popular hypervisors that have led to break-outs. To add some spice, we will talk about details of four not-yet-discussed vulnerabilities we recently discovered. One of the key value propositions of hypervisors as they relate to security is to shrink the attack surface. However, in the quest for new features and functionality some trade-offs are made, which can prove to be fatal. While discussing the particular problems we will examine what the strong (and weak) security-related features of hypervisors are. We compare the attack surface of hypervisors with that of user-mode applications and operating system kernels, and show that the purpose and design of the hypervisor significantly changes its attack surface size. Most importantly, we make a fact-based argument that many hypervisors aren't designed with security in mind. We show how superfluous code and poor design can be punished by demonstrating real examples of hypervisor break-outs. The presentation ends with lessons learned and recommendations for hypervisor design and approaches that can be taken to harden them.

Presenters:

  • Rafal Wojtczuk - Bromium
    Rafal Wojtczuk has over 15 years of experience with computer security. Specializing primarily in kernel and virtualization security, over the years he has disclosed many security vulnerabilities in popular operating system kernels and virtualization software. He is also well known for his articles on advanced exploitation techniques, including novel methods for exploiting buffer overflows in partially randomized address space environments. Recently he was researching advanced Intel security-related technologies, particularly TXT and VT-d. He is also the author of libnids, a low-level packet reassembly library. He holds a master's degree in Computer Science from the University of Warsaw.
