pacsecjp
1
Speaker: Qinghao Tang
Title: 360 Marvel Team Leader
Vulnerabilities mining technology of Cloud and Virtualization platform
2
360 Marvel Team
As the first virtualization security team in China, 360 Marvel Team focuses on attack and
defence technology on virtualization and cloud platforms, aiming to lead the research on
vulnerability mining and defending on these platforms, providing tools and solutions for
mainstream hypervisors:
● Virtualization fuzz framework.
● Guest OS escape tools.
  - Support Docker, Xen, KVM, VMware
● Hypervisor strengthening solutions
  - Block Guest OS escape
  - Scan Guest OS agentless
3
Agenda
• Brief introduction of hypervisor security
• Fuzzing framework
• Analysis of network device vulnerability
4
Brief introduction of hypervisor security
5
Hypervisor
Major hypervisors: Xen, KVM, VMware
Functions: quantitative distribution (of resources), flexible scheduling
6
Cloud Computing
7
Distinction
Normal server: OS -> Physical Devices
Virtualization server: Guest OS -> Device emulator (one pair per guest) -> Hypervisor -> Physical Devices
8
Escape from Guest OS
9
Venom
• Typical virtualization security vulnerability
• Can cause virtual machine escape
• Exists in the floppy device emulator code
• More Venoms? Yes!
10
Fuzzing Framework
11
Features of Virtualization Vulnerability Mining
• More underlying target
• More particular test data
Target layers (from application level down to the hypervisor): IE, Flash, server, system kernel, hypervisor
12
Test Process of Emulation Device
• Unconventional method
  - Hook driver functions
  - Change kernel files
• Related to the context
13
Features
• Commonness of hypervisors
• Features of the solution
  - Coding language
  - Operating system type
  - Coding style
14
Architecture
(Figure: a Control Center, running on its own OS, drives several hypervisors; each hypervisor hosts multiple guest OSes.)
15
Fuzzing-Collect device information
16
Test - Integrated Test Data
• Device IO methods
• Controller data structure
• Device state machine
17
Fuzzing - Attack emulation device
• User space: fuzz_client
• Kernel space: kernel_agent
18
Feedback
• No effect
• Blue Screen
• Implicit Result
• Crash
19
Feedback - VM management automation
• Snapshot
• Reboot
• Virtual Device Edit
• Debugging Mode on Start
• Load Debugging Plugin
20
Feedback - Monitoring technology
• Dynamic
• Static
(Figure: Control Center -> Test -> Feedback -> Analysis)
21
Control Center - Process
(Figure: Step 1 -> Step 2 -> Step 3)
22
Control Center - Statistics & Optimization
• Total test count
• Fuzz coverage
• Optimize test data
23
Achievement
• 120 days
• 2 platforms
• 10 vulnerabilities
24
Analysis of network device vulnerability
25
Principle of QEMU
(Figure: the guest's packet path from application down to the emulator)
• User space: APP (several) -> send
• Kernel space: syscall -> tcp_* -> ip_* -> dev_* -> e1000_* (guest network device driver)
• Device emulator: network devices -> hub -> slirp
26
Principle of Network Device
• Initialization: port allocation, address mapping, device status setting, resource allocation
• Data transfer: a 'write command' to the device's TDT register starts processing of the descriptors
  (3 descriptor types: context, data, legacy); data is transferred, then the status is set and the
  device waits for the next instruction
• Processing details: circular memory (descriptor ring); TSO (TCP segmentation / flow control)
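As an added illustration of the transmit path described on this slide (not code from the talk, from QEMU or from VMware), the following C model walks an e1000 transmit descriptor ring after a TDT write, classifies each descriptor as legacy, context or data, and validates the guest-supplied buffer address and length before copying. The descriptor bit layout follows Intel's 8254x datasheet; MAX_FRAME, the guest memory stand-in and the sample rings are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* 16-byte e1000 TX descriptor as laid out in guest memory; bit positions from the Intel 8254x datasheet. */
typedef struct { uint64_t buffer_addr; uint32_t lower; uint32_t upper; } tx_desc_t;
#define TXD_CMD_DEXT 0x20000000u  /* extended descriptor: context (DTYP=0) or data (DTYP=1) */
#define TXD_DTYP_D   0x00100000u
#define TXD_CMD_EOP  0x01000000u  /* end of packet */
#define MAX_FRAME    1518u        /* assumption: size of the emulated NIC's frame buffer */
typedef struct { size_t len; uint8_t data[MAX_FRAME]; } frame_t;
enum { DESC_LEGACY, DESC_CONTEXT, DESC_DATA };
static int desc_type(uint32_t l) { return !(l & TXD_CMD_DEXT) ? DESC_LEGACY : (l & TXD_DTYP_D) ? DESC_DATA : DESC_CONTEXT; }

/* Walk ring[head..tail) the way the emulator does after the guest writes TDT. guest_mem/guest_len
   stand in for guest physical memory. Returns completed frames, or -1 if a descriptor fails validation. */
int process_tx_ring(const tx_desc_t *ring, unsigned ring_len, unsigned head, unsigned tail,
                    const uint8_t *guest_mem, size_t guest_len, frame_t *cur) {
    int frames = 0;
    if (ring_len == 0 || head >= ring_len || tail >= ring_len) return -1;
    while (head != tail) {
        const tx_desc_t *d = &ring[head];
        int t = desc_type(d->lower);
        if (t != DESC_CONTEXT) {            /* context descriptors set up offload and carry no payload */
            size_t len = d->lower & (t == DESC_LEGACY ? 0xFFFFu : 0xFFFFFu);
            /* address and length are guest-controlled: bound both the source and the destination */
            if (d->buffer_addr > guest_len || len > guest_len - d->buffer_addr) return -1;
            if (len > MAX_FRAME - cur->len) return -1;
            memcpy(cur->data + cur->len, guest_mem + d->buffer_addr, len);
            cur->len += len;
            if (d->lower & TXD_CMD_EOP) { frames++; cur->len = 0; }  /* set status, start next frame */
        }
        head = (head + 1) % ring_len;      /* circular ring */
    }
    return frames;
}
static tx_desc_t mk(uint64_t addr, uint32_t lower) { tx_desc_t d = {addr, lower, 0}; return d; }
static const uint8_t guest[64] = {0};   /* constructed stand-in for guest memory */
/* Constructed ring: context, data, data+EOP, legacy+EOP -> two completed frames. */
int demo_good(void) {
    tx_desc_t ring[8]; frame_t f = {0};
    ring[0] = mk(0,  TXD_CMD_DEXT);
    ring[1] = mk(0,  TXD_CMD_DEXT | TXD_DTYP_D | 20);
    ring[2] = mk(20, TXD_CMD_DEXT | TXD_DTYP_D | TXD_CMD_EOP | 12);
    ring[3] = mk(32, TXD_CMD_EOP | 16);
    return process_tx_ring(ring, 8, 0, 4, guest, sizeof guest, &f);   /* 2 */
}
int demo_bad(void) {  /* constructed ring: a data descriptor whose length runs past guest memory */
    tx_desc_t ring[8]; frame_t f = {0};
    ring[0] = mk(60, TXD_CMD_DEXT | TXD_DTYP_D | TXD_CMD_EOP | 0xFFFFFu);
    return process_tx_ring(ring, 8, 0, 1, guest, sizeof guest, &f);   /* -1 */
}
```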
27
E1000 vulnerability analysis
• QEMU e1000 network device
• VMware e1000 network device
28
Summary
Pay continuous attention to virtualization security and follow Marvel Team