Back to the Future: A Radical Insecure Design of KVM on ARM

Presented at Black Hat USA 2018, Aug. 8, 2018, 5:05 p.m. (25 minutes)

<div>In ARM there are certain instructions that generates exception. Such instructions are typically executed to request a service from software that runs at a higher privilege level. From the OS kernel (EL1), software can call the Hypervisor (EL2) with the HVC instruction.<br><br></div><div>The KVM Hypervisor is part of the Linux kernel and by default it is enabled on all supported ARM system. In ARM architecture KVM is implemented through split-mode virtualization and runs across different privileged CPU modes. This talk will discuss about the design and a security issue in a way Linux kernel initializes the KVM Hypervisor. An attacker having access to host EL1 can execute code in EL2. This security issue can be exploited by an attacker to install a Hypervisor root kit on ARM system. </div>

Presenters:

• Rahul Kashyap - Chief Technology Officer, Cylance Inc
  Rahul Kashyap is Global Chief Technology Officer at Cylance, where he is responsible for strategy, products and architecture. Before joining Cylance, he was head of Security Research at Bromium. He also led the worldwide Vulnerability Research teams at McAfee Labs, a wholly owned subsidiary of Intel. He has led cyber defense technologies focused on exploit prevention and mitigation for both host and network related products. Rahul has published papers in renowned security journals, and has been a speaker at several security conferences.
• Baibhav Singh - Security Researcher, Samsung Research America
  <span>Baibhav Singh is currently employed at Samsung Research America. He works on Knox Security, which involves architecting and hacking mobile/IoT products to enhance security. He has more than 10 years of experience in the security industry. Before joining Samsung, he worked for Bromium as a Security Architect where he designed and developed EDR solution to detected advanced malware and APTs. He has authored various books and patents in the areas of Vulnerability Analysis, Reverse Engineering, Malware Analysis, and Intrusion Prevention System.He was also part of Security Research team of McAfee where he worked as a Research Scientist. He has extensive experiences in OS kernel layer with deep knowledge in advanced vulnerability exploitation and detection, including firmware security, and virtualization technology.</span>

Links:

• https://www.blackhat.com/us-18/briefings/schedule/#back-to-the-future-a-radical-insecure-design-of-kvm-on-arm-10778
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2018/Back to the Future - A Radical Insecure Design of KVM on ARM.mp4
• https://www.youtube.com/watch?v=QrI2QLLrzzg

Similar Presentations:

• Black Hat USA 2021 / Alcatraz: A Practical Hypervisor Sandbox to Prevent Escapes from the KVM/QEMU and KVM-Based MicroVMs
• Black Hat USA 2011 / Virtualization Under Attack: Breaking out of KVM
• DEF CON 19 (2011) / Virtualization Under Attack Breaking out of KVM