Ouroboros: Tearing Xen Hypervisor with the Snake

Presented at Black Hat USA 2016, Aug. 4, 2016, 9:45 a.m. (25 minutes)

The Xen Project has been a widely used virtualization platform powering some of the largest clouds in production today. Sitting directly on the hardware below any operating systems, the Xen hypervisor is responsible for the management of CPU/MMU and guest operating systems. Guest operating systems can be controlled to run in PV mode using paravirtualization technologies or in HVM mode using hardware-assisted virtualization technologies. Compared to HVM mode, a PV mode guest OS kernel can recognize the existence of the hypervisor and, thus, work normally via hypervisor interfaces, which are called hypercalls. When performing privileged operations, a PV mode guest OS submits requests via hypercalls, and the hypervisor performs these operations for it after verifying its requests. Inspired by Ouroboros, an ancient symbol of a snake biting its tail, our team has found a critical verification bypass bug in the Xen hypervisor that will be used to tear a hole in the hypervisor. With specific exploitation vectors and payloads, a malicious PV guest OS could control not only the hypervisor but also all other guest operating systems running on the current platform.

Presenters:

  • Shangcong Luan - Alibaba Group Holding Limited
    Shangcong Luan is a security researcher with the Cloud Platform Security Team of Alibaba who has found a series of security vulnerabilities in various kinds of systems and has worked mainly in the field of APT defense. He now focuses on the security of virtualization and sandbox platforms. At Alibaba, Shangcong and his team have published several research papers on platform attack recognition, interception and security enhancements. He has also been involved in research on weakness reduction policy and in finding critical vulnerabilities in open source projects.
