Attacking Hypervisors Using Firmware and Hardware

Presented at Black Hat USA 2015, Aug. 5, 2015, 4:20 p.m. (50 minutes)

In this presentation, we explore the attack surface of modern hypervisors from the perspective of vulnerabilities in system firmware, such as BIOS and in hardware emulation. We will demonstrate a number of new attacks on hypervisors based on system firmware vulnerabilities with impacts ranging from VMM DoS to hypervisor privilege escalation to SMM privilege escalation from within the virtual machines.

We will also show how a firmware rootkit based on these vulnerabilities could expose secrets within virtual machines and explain how firmware issues can be used for analysis of hypervisor-protected content such as VMCS structures, EPT tables, host physical addresses (HPA) map, IOMMU page tables etc. To enable further hypervisor security testing, we will also be releasing new modules in the open source CHIPSEC framework to test issues in hypervisors when virtualizing hardware.


Presenters:

  • Oleksandr Bazhaniuk - Intel Security
    Oleksandr Bazhaniuk is a security researcher in the Advanced Threat Research team at Intel, Inc. His primary interests are low-level hardware security, bios/uefi security, and automation of binary vulnerability analysis. His work has been presented at many conferences, including Black Hat USA, Hack In The Box, Hackito Ergo Sum, Positive Hack Days, Toorcon, CanSecWest, Troopers. He is also a co-founder of DCUA, the first DefCon group in Ukraine.
  • Mikhail Gorobets - Intel
    Mikhail Gorobets is a security researcher in the Intel Advanced Threat Research team. His area of expertise includes hardware security, virtualization technologies, reverse engineering, and vulnerability analysis. Previously, he led a team of security researchers working on Intel Virtualization Technology (VTx) and Intel Atom core security evaluation. Mikhail holds a MS in computing machines, systems, and networks from the Moscow Institute of Electronics and Mathematics.
  • Alexander Matrosov - Intel
    Alexander Matrosov has more than ten years of experience with malware analysis, reverse engineering, and advanced exploitation techniques. He is currently a senior security researcher in the Advanced Threat Research team at Intel Security Group. Prior to this role, he spent four years focused on advanced malware research at ESET. He is co-author of the numerous research papers, including Stuxnet Under the Microscope, The Evolution of TDL: Conquering x64, and 'Mind the Gapz: The Most Complex Bootkit Ever Analyzed?' Alexander is frequently invited to speak at security conferences, such as REcon, Ekoparty, Zeronigths, AVAR, CARO, and Virus Bulletin. Nowadays, he specializes in the comprehensive analysis of advanced threats, modern vectors of exploitation, and hardware security research.
  • Yuriy Bulygin - Intel Security, Advanced Threat Research
    Yuriy Bulygin is a Principal Threat Engineer for a Fortune 50 company where he enjoys analyzing security of modern PC, server, mobile, and embedded platforms, advancing research in security threats and protections on those platforms.

Links:

Similar Presentations: