Tuts 4 You

Virtualization & Virtual Machines

27 files

  1. Cross-VM Side Channels and Their Use to Extract Private Keys

    This paper details the construction of an access-driven side-channel attack by which a malicious virtual machine (VM) extracts fine-grained information from a victim VM running on the same physical computer. This attack is the first such attack demonstrated on a symmetric multiprocessing system virtualized using a modern VMM (Xen). Such systems are very common today, ranging from desktops that use virtualization to sandbox application or OS compromises, to clouds that co-locate the workloads of mutually distrustful customers. Constructing such a side channel requires overcoming challenges including core migration, numerous sources of channel noise, and the difficulty of preempting the victim with sufficient frequency to extract fine-grained information from it. This paper addresses these challenges and demonstrates the attack in a lab setting by extracting an ElGamal decryption key from a victim using the most recent version of the libgcrypt cryptographic library.

    110 downloads

    0 comments

    Submitted

  2. Dealing with Virtualization

    Theoretical research into ways of scanning through virtualization obfuscators.

    239 downloads

    0 comments

    Submitted

  3. Defeating HyperUnpackMe2 with an IDA Processor Module

    This article is about breaking modern executable protectors. The target, a crackme known as HyperUnpackMe2, is modern in the sense that it does not follow the standard packer model of yesteryear wherein the contents of the executable in memory, minus the import information, are eventually restored to their original forms.

    Modern protectors mutilate the original code section, use virtual machines operating upon polymorphic bytecode languages to slow reverse engineering, and take active measures to frustrate attempts to dump the process. Meanwhile, the complexity of the import protections and the amount of anti-debugging measures has steadily increased.

    This article dissects such a protector and offers a static unpacker through the use of an IDA processor module and a custom plugin. The commented IDB files and the processor module source code are included. In addition, an appendix covers IDA processor module construction. In short, this article is an exercise in overkill.

    NOTE: all code snippets beginning with "ROM:" come from the disassembled VM code; all other snippets come from the protected binary.

    HyperUnpackMe2.zip is provided as an ancillary to this article and includes:

    codeseg--lightly--commented.idb: IDB of the Virtual Machine (VM)
    dumped.exe: statically unpacked executable
    Notepad.idb: IDB of the packed executable
    processor_module_source.zip: source code for the IDA processor module
    th.w32: IDA processor module

    The processor module (th.w32) belongs in %IDADIR%\procs. It requires IDA 5.0, as do both of the IDBs. Although I own IDA 5.0, these IDBs are linked with the pirated 5.0 key, because IDB files contain the majority of your personal keyfile. Hence, the IDBs will stop working under 5.1 unless you patch out the blacklist code (which is trivial). If you are a legitimate customer of IDA and would like IDBs for a later version, contact me using the information at the bottom of the article.

    134 downloads

    0 comments

    Submitted

  4. Detecting the Presence of Virtual Machines Using the Local Data Table

    In this paper we describe a method for determining the presence of virtual machine emulation in a non-privileged operating environment. This attack is useful for triggering anti-virtualization attacks and evading analysis. We then discuss methods for mitigating this risk for malware analysts. This method was demonstrated using the Windows series of operating systems.

    116 downloads

    0 comments

    Submitted
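The descriptor-table checks that entry 4 and the redpill family of tests rely on, written up here as an added example in C (this is not code from the paper): SGDT, SIDT and SLDT are unprivileged on x86, so a ring-3 process can read the GDT/IDT base and the LDT selector and compare them with what bare metal is expected to show. The thresholds in classify_snapshot are the historical heuristics (a non-zero LDT selector in a Windows user process; a 32-bit IDT base above 0xD0000000), and the sample bytes are constructed. Two caveats a practitioner should keep in mind: on a multiprocessor system each CPU has its own IDT, so SIDT readings vary with the CPU the thread happens to run on, and hardware-assisted (VT-x/AMD-V) guests see unmodified descriptor tables, so these checks give false negatives on any modern hypervisor.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Descriptor-table register as SGDT/SIDT store it: 16-bit limit, then the base
   (4 bytes in 32-bit mode, 8 bytes in 64-bit mode). */
typedef struct { uint16_t limit; uint64_t base; } dtr_t;

/* What a ring-3 process can read without any privilege: GDTR, IDTR and the LDT selector. */
typedef struct { dtr_t gdtr, idtr; uint16_t ldtr; int available; } dt_snapshot_t;

enum { HINT_LDT_NONZERO = 1, HINT_IDT_HIGH = 2 };

/* Decode the raw bytes SGDT/SIDT wrote; base_bytes is 4 or 8 depending on the mode. */
dtr_t decode_dtr(const uint8_t *buf, int base_bytes) {
    dtr_t r;
    r.limit = (uint16_t)(buf[0] | (buf[1] << 8));
    r.base = 0;
    for (int i = 0; i < base_bytes; i++) r.base |= (uint64_t)buf[2 + i] << (8 * i);
    return r;
}

/* Historical heuristics (assumptions of the 2000s-era tests, not universal truths):
   a non-zero LDT selector in a Windows user process, or a 32-bit IDT base above 0xD0000000,
   pointed at a software-virtualised guest. Hardware-assisted guests see bare-metal values. */
int classify_snapshot(const dt_snapshot_t *s, int guest_is_32bit) {
    int hints = 0;
    if (s->ldtr != 0) hints |= HINT_LDT_NONZERO;
    if (guest_is_32bit && s->idtr.base > 0xD0000000ull) hints |= HINT_IDT_HIGH;
    return hints;
}

/* Live read. Real instructions only on x86/x86-64 with GCC/Clang; elsewhere the snapshot is
   marked unavailable. With CR4.UMIP set these fault in ring 3: Linux emulates SGDT/SIDT for
   compatibility, but SLDT is delivered as SIGSEGV, so treat this as best effort. */
dt_snapshot_t read_descriptor_tables(void) {
    dt_snapshot_t s;
    memset(&s, 0, sizeof s);
#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
    struct __attribute__((packed)) rawdtr { uint16_t limit; uintptr_t base; };
    struct rawdtr g = { 0, 0 }, i = { 0, 0 };
    uint16_t ldt = 0;
    __asm__ volatile ("sgdt %0" : "=m"(g));
    __asm__ volatile ("sidt %0" : "=m"(i));
    __asm__ volatile ("sldt %0" : "=r"(ldt));
    s.gdtr.limit = g.limit; s.gdtr.base = g.base;
    s.idtr.limit = i.limit; s.idtr.base = i.base;
    s.ldtr = ldt;
    s.available = 1;
#endif
    return s;
}

/* Constructed 6-byte SIDT image from a 32-bit guest: limit 0x3FF, base 0xFFFF2000. */
static const uint8_t SAMPLE_SIDT32[6] = { 0xFF, 0x03, 0x00, 0x20, 0xFF, 0xFF };
uint64_t sample_idt_base(void)  { return decode_dtr(SAMPLE_SIDT32, 4).base; }
uint16_t sample_idt_limit(void) { return decode_dtr(SAMPLE_SIDT32, 4).limit; }

/* Classify a hand-built snapshot, so the heuristics can be exercised without a live read. */
int classify_values(uint16_t ldtr, uint64_t idt_base, int guest_is_32bit) {
    dt_snapshot_t s;
    memset(&s, 0, sizeof s);
    s.ldtr = ldtr;
    s.idtr.base = idt_base;
    return classify_snapshot(&s, guest_is_32bit);
}

int main(void) {
    dt_snapshot_t s = read_descriptor_tables();
    if (!s.available) { puts("not x86 / not GCC: no live read"); return 0; }
    int bits32 = sizeof(void *) == 4;
    printf("GDT base %#llx limit %#x\n", (unsigned long long)s.gdtr.base, s.gdtr.limit);
    printf("IDT base %#llx limit %#x\n", (unsigned long long)s.idtr.base, s.idtr.limit);
    printf("LDT selector %#x\n", s.ldtr);
    printf("hints: %#x\n", classify_snapshot(&s, bits32));
    return 0;
}
```

The decoding and classification are split from the live read on purpose: the heuristics can be tested against recorded values from a sandbox fleet, and the live read can be swapped for whatever the analysis VM exposes when SLDT is not usable.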

  5. Fine Grain Cross-VM Attacks on Xen and VMware

    This work exposes further vulnerabilities in virtualized cloud servers by mounting cross-VM cache attacks in Xen and VMware VMs targeting AES running in the victim VM. Even though there exists a rich literature on cache attacks on AES, so far only a single work, demonstrating a working attack on an ARM platform running an L4Re virtualization layer, has been published. Here we show that AES in a number of popular cryptographic libraries, including OpenSSL, PolarSSL and Libgcrypt, is vulnerable to Bernstein's correlation attack when run in Xen and VMware (bare-metal version) VMs, the most popular VMs used by cloud service providers (CSPs) such as Amazon and Rackspace. We also show that the vulnerability persists even if the VMs are placed on different cores in the same machine. The results of this study show that there is a great security risk to AES (and to data encrypted under AES) on popular cloud services.

    80 downloads

    0 comments

    Submitted
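Bernstein's correlation attack as entry 5 applies it, reduced to a self-contained simulation in C (an added example, not code from the paper). Instead of a real T-table AES and a real cache, a toy first round does one table lookup per key byte, and the simulated cycle count depends only on which 16-entry cache line the index p[i] ^ k[i] falls in (the LINE_COST values, the victim key and the noise model are constructed). The attacker first builds a timing profile against a copy of the library with a known (zero) key, then collects the same profile against the victim and, for each byte position, picks the key-byte guess whose shifted reference profile correlates best with the victim profile. The demo recovers each key byte only down to cache-line granularity (the high nibble here), which is what the real attack yields too: the remaining bits are brute-forced. Note the distinction from entry 1, which is access-driven (Prime+Probe on the instruction cache); this attack is time-driven and needs only encryption timings.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBYTES     16       /* key/plaintext bytes in the first round */
#define LINE_SHIFT 4        /* 16 four-byte T-table entries per 64-byte cache line */
#define NSAMPLES   200000   /* timings collected per profile */

/* Deterministic LCG so the simulation is reproducible. */
static uint32_t rng_state = 12345;
static uint32_t rng(void) { rng_state = rng_state * 1664525u + 1013904223u; return rng_state; }

/* Constructed per-line access cost: lines the attacker keeps evicting cost more. */
static const int LINE_COST[16] = { 8, 31, 12, 27, 9, 35, 14, 22, 11, 29, 7, 33, 16, 25, 10, 20 };

/* Toy first round of a T-table cipher: one lookup at index p[i] ^ k[i] per byte. The return
   value is the simulated cycle count the attacker measures, including uniform noise. */
static int timed_first_round(const uint8_t *p, const uint8_t *k) {
    int t = 0;
    for (int i = 0; i < NBYTES; i++) t += LINE_COST[(p[i] ^ k[i]) >> LINE_SHIFT];
    return t + (int)((rng() >> 16) % 40);
}

/* Bernstein profile: mean timing for each (byte position, plaintext byte value) over random plaintexts. */
static void profile(const uint8_t *key, double prof[NBYTES][256]) {
    static double sum[NBYTES][256];
    static long   cnt[NBYTES][256];
    memset(sum, 0, sizeof sum);
    memset(cnt, 0, sizeof cnt);
    uint8_t p[NBYTES];
    for (int s = 0; s < NSAMPLES; s++) {
        for (int i = 0; i < NBYTES; i++) p[i] = (uint8_t)(rng() >> 24);
        int t = timed_first_round(p, key);
        for (int i = 0; i < NBYTES; i++) { sum[i][p[i]] += t; cnt[i][p[i]]++; }
    }
    for (int i = 0; i < NBYTES; i++)
        for (int v = 0; v < 256; v++) prof[i][v] = cnt[i][v] ? sum[i][v] / cnt[i][v] : 0.0;
}

/* For every key-byte guess g, shift the known-key reference profile by g ^ refkey[i] and
   correlate it with the victim profile; the best guess shares the victim key's cache line. */
static void recover(double ref[NBYTES][256], double vic[NBYTES][256], const uint8_t *refkey, uint8_t *guess) {
    for (int i = 0; i < NBYTES; i++) {
        double mr = 0, mv = 0;
        for (int v = 0; v < 256; v++) { mr += ref[i][v]; mv += vic[i][v]; }
        mr /= 256; mv /= 256;
        double best = -1e300; int bestg = 0;
        for (int g = 0; g < 256; g++) {
            double c = 0;
            for (int v = 0; v < 256; v++) c += (ref[i][v ^ g ^ refkey[i]] - mr) * (vic[i][v] - mv);
            if (c > best) { best = c; bestg = g; }
        }
        guess[i] = (uint8_t)bestg;
    }
}

/* Full attack: returns how many of the 16 key bytes were recovered down to cache-line granularity. */
int bernstein_demo(uint8_t guess[NBYTES]) {
    static const uint8_t victim_key[NBYTES] = { 0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,
                                                0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c };
    static const uint8_t zero_key[NBYTES] = { 0 };
    static double ref[NBYTES][256], vic[NBYTES][256];
    rng_state = 12345;
    profile(zero_key, ref);      /* study phase: attacker's own copy of the library, known key */
    profile(victim_key, vic);    /* attack phase: timings taken against the co-resident victim */
    recover(ref, vic, zero_key, guess);
    int correct = 0;
    for (int i = 0; i < NBYTES; i++) correct += (guess[i] >> LINE_SHIFT) == (victim_key[i] >> LINE_SHIFT);
    return correct;
}

int bernstein_demo_count(void) { uint8_t g[NBYTES]; return bernstein_demo(g); }

int main(void) {
    uint8_t guess[NBYTES];
    int correct = bernstein_demo(guess);
    printf("high nibbles recovered: %d/16\n", correct);
    for (int i = 0; i < NBYTES; i++) printf("%x", guess[i] >> LINE_SHIFT);
    puts("  (low nibbles are below cache-line granularity and must be brute-forced)");
    return 0;
}
```

The simulation makes the paper's two observations concrete: the leak survives any amount of per-sample noise once enough samples are averaged, and it does not depend on the attacker sharing a core, only on the timing of the victim's encryptions being observable.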

  6. Inside Code Virtualizer v1.0.1.0

    First of all, I need to apologise: you will probably see a lot of mistakes because of my English, but I hope you will understand me.

    This article aims to explain how Code Virtualizer works. During the last month I spent all my free time analysing the Code Virtualizer Demo 1.0.1.0 unpacked by softworm. Fortunately, I finished my analysis, and I can say that this is the best software I have seen so far. Not best in the sense of protection, but in the sense of organization. This was the most pleasing software I have analysed.

    Three important things to note: the description and explanation of the code disassembled by OllyDbg is done in code execution order; most of what I am going to say applies only to version 1.0.1.0 of Code Virtualizer (for comments on newer versions, see "Hopes for the Future and Acknowledgments"); and I will not treat the 64-bit case.

    This article is divided into three parts. First, I talk about how the Virtual Machine is generated and why Oreans [4] says that each Virtual Machine has its own characteristics. Second, I use the concepts described before to explain how the Virtual Opcodes are generated, how they are executed and why they emulate the original code of an application. The last part is a bonus: you are going to learn how to make an unpacked version of the full Code Virtualizer.

    Enjoy this article and I hope you learn something reading it.

    293 downloads

    0 comments

    Submitted

  7. Introducing Software Virtualization

    Software Virtualization Solution (SVS) is a revolutionary approach to software management. By placing applications and data into managed units called Virtual Software Packages, Software Virtualization Solution lets you instantly activate, deactivate or reset applications and to completely avoid conflicts between applications without altering the base Windows installation.

    130 downloads

    0 comments

    Submitted

  8. Introduction to Modern Code Virtualization

    This paper describes how code protection is done via "virtual machines" and techniques used in popular virtual machines, giving a considerable level of understanding of such virtual machines for readers from beginners to professionals.

    202 downloads

    0 comments

    Submitted

  9. Lightweight Approach to Hypervisor Control-Flow

    Virtualization is being widely adopted in today's computing systems. Its unique security advantages in isolating and introspecting commodity OSes as virtual machines (VMs) have enabled a wide spectrum of applications. However, a common, fundamental assumption is the presence of a trustworthy hypervisor. Unfortunately, the large code base of commodity hypervisors and recent successful hypervisor attacks (e.g., VM escape) seriously question the validity of this assumption.

    In this paper, we present HyperSafe, a lightweight approach that endows existing Type-I bare-metal hypervisors with a unique self-protection capability to provide lifetime control-flow integrity. Specifically, we propose two key techniques. The first one "non-bypassable memory lockdown" reliably protects the hypervisor's code and static data from being compromised even in the presence of exploitable memory corruption bugs (e.g., buffer overflows), therefore successfully providing hypervisor code integrity. The second one "restricted pointer indexing" introduces one layer of indirection to convert the control data into pointer indexes. These pointer indexes are restricted such that the corresponding call/return targets strictly follow the hypervisor control flow graph, hence expanding protection to control-flow integrity. We have built a prototype and used it to protect two open-source Type-I hypervisors: BitVisor and Xen. The experimental results with synthetic hypervisor exploits and benchmarking programs show HyperSafe can reliably enable the hypervisor self-protection and provide the integrity guarantee with a small performance overhead.

    86 downloads

    0 comments

    Submitted
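Restricted pointer indexing, the second HyperSafe technique, in miniature (an added example in C, not HyperSafe's code): the function pointer a kernel object would hold is replaced by an index into a per-call-site table of the targets the control-flow graph allows, and the dispatch checks the index before using it. The object layout, the SITE_TARGETS table, the handler names and the simulated unchecked copy are all constructed for the example. The same overflow that hands the raw-pointer version an arbitrary target can only pick an in-table target in the indexed version, and anything out of range is refused; what the technique does not stop is the attacker choosing a different legitimate target of that call site. HyperSafe's first technique, memory lockdown, is what keeps the table and the page tables themselves from being rewritten; here the table is merely const.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int (*op_fn)(int);

static int op_allow(int x) { return x; }
static int op_deny (int x) { (void)x; return -1; }
static int op_audit(int x) { return x | 0x100; }
/* Lives in the binary but is not a legitimate target of the call site below. */
static int grant_all_privileges(int x) { (void)x; return 0x7FFF; }

/* The call site's legitimate targets, as the control-flow graph would list them. In HyperSafe the
   table is in locked-down read-only memory; here it is merely const. */
static const op_fn SITE_TARGETS[] = { op_allow, op_deny, op_audit };
#define SITE_NTARGETS (sizeof SITE_TARGETS / sizeof SITE_TARGETS[0])

/* Same object, two encodings of its control data: a raw code pointer, or an index into SITE_TARGETS.
   name[] sits right before the control data, as in a kernel object with an unchecked string copy. */
struct raw_obj { char name[8]; op_fn handler; };
struct rpi_obj { char name[8]; uint32_t handler_idx; };

int call_raw(const struct raw_obj *o, int x) { return o->handler(x); }

/* Restricted pointer indexing: the only check needed is that the index stays inside the table. */
int call_restricted(const struct rpi_obj *o, int x) {
    if (o->handler_idx >= SITE_NTARGETS) return -2;   /* not a CFG-permitted target: refuse */
    return SITE_TARGETS[o->handler_idx](x);
}

/* Simulated memory-corruption bug: copies n bytes starting at name[] with no bounds check. */
static void vulnerable_copy(void *obj, const void *payload, size_t n) { memcpy(obj, payload, n); }

/* Raw pointer: the overrun replaces the handler with grant_all_privileges and the call follows it. */
int demo_raw_pointer_hijack(void) {
    struct raw_obj o = { "svc", op_allow };
    unsigned char payload[sizeof o];
    op_fn evil = grant_all_privileges;
    memset(payload, 'A', 8);
    memcpy(payload + 8, &evil, sizeof evil);
    vulnerable_copy(&o, payload, sizeof payload);
    return call_raw(&o, 5);
}

/* Restricted index: the same overrun can only write a number. Out-of-range values are refused;
   the most the attacker can do is select another legitimate target of this call site. */
int demo_restricted_index(uint32_t attacker_value) {
    struct rpi_obj o = { "svc", 0 };
    unsigned char payload[sizeof o];
    memset(payload, 'A', 8);
    memcpy(payload + 8, &attacker_value, sizeof attacker_value);
    vulnerable_copy(&o, payload, sizeof payload);
    return call_restricted(&o, 5);
}

int main(void) {
    printf("raw pointer after overflow      -> %#x (hijacked)\n", demo_raw_pointer_hijack());
    printf("index 0x41414141 after overflow -> %d (refused)\n", demo_restricted_index(0x41414141u));
    printf("index 1 after overflow          -> %d (op_deny: still an allowed target)\n", demo_restricted_index(1));
    return 0;
}
```

HyperSafe applies the same conversion to return addresses, which is why the paper can claim control-flow integrity rather than just forward-edge protection; the per-site tables are what make the check a single bounds comparison instead of a set lookup.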

  10. A No-Frills Introduction to Lua 5.1 VM Instructions

    This is a no-frills introduction to the instruction set of the Lua 5.1 virtual machine. Compared to Perl or Python, the compactness of Lua makes it relatively easier for someone to peek under the hood and understand its internals. I think that one cannot completely grok a scripting language, or any complex system for that matter, without slitting the animal open and examining the entrails, organs and other yucky stuff that isn't normally seen. So this document is supposed to help with the peek under the hood bit.

    This introductory guide covers Lua 5.1 only. Please see the older document for the guide to Lua 5.0.2 virtual machine instructions. This is intentional; the internals of Lua are not fixed or standardized in any way, so users must not expect compatibility from one version of Lua to another as far as internals are concerned.

    Output from ChunkSpy (URL: http://luaforge.net/projects/chunkspy/), a Lua 5 binary chunk disassembler which I wrote while studying Lua internals, was used to generate the examples shown in this document. The brief disassembly mode of ChunkSpy is very similar to the output of the listing mode of luac, so you do not need to learn a new listing syntax. ChunkSpy can be downloaded from LuaForge (URL: http://luaforge.net/); it is licensed under the same type of MIT-style license as Lua 5 itself.

    ChunkSpy has an interactive mode: you can enter a source chunk and get an immediate disassembly. This allows you to use this document as a tutorial by entering the examples into ChunkSpy and seeing the results yourself. The interactive mode is also very useful when you are exploring the behaviour of the Lua code generator on many short code snippets.

    This is a quick introduction, so it isn't intended to be a comprehensive or expert treatment of the Lua virtual machine (from this point on, "Lua" refers to "Lua 5" unless otherwise stated) or its instructions. It is intended to be a simple, easy-to-digest beginner's guide to the Lua virtual machine instruction set, it won't do cartwheels or blow smoke rings.

    The objective of this introduction is to cover all the Lua virtual machine instructions and the structure of Lua 5 binary chunks with a minimum of fuss. Then, if you want more detail, you can use luac or ChunkSpy to study non-trivial chunks of code, or you can dive into the Lua source code itself for the real thing.

    163 downloads

    0 comments

    Submitted
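The 5.1 instruction encoding the guide walks through, as a small decoder in C (an added example, not ChunkSpy or luac code): a 32-bit word carries a 6-bit opcode, an 8-bit A, and either two 9-bit fields B and C or one 18-bit Bx (biased by 131071 for sBx). The opcode names and modes are those of lopcodes.h in Lua 5.1. SAMPLE_CODE is constructed by hand from those rules as the three instructions luac 5.1 emits for `local a = 1 return a`; the listing format here prints every field raw, whereas luac omits a C the opcode does not use and shows constant operands as -1-k.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Lua 5.1 instruction word (lopcodes.h): bits 0-5 opcode, 6-13 A, 14-22 C, 23-31 B.
   iABx instructions use bits 14-31 as one 18-bit Bx; iAsBx stores sBx as Bx - 131071. */
#define LUA51_NUM_OPCODES 38
#define LUA51_MAXARG_sBx  131071

typedef enum { iABC, iABx, iAsBx } lua51_mode_t;

static const char *const LUA51_OPNAMES[LUA51_NUM_OPCODES] = {
    "MOVE", "LOADK", "LOADBOOL", "LOADNIL", "GETUPVAL", "GETGLOBAL", "GETTABLE", "SETGLOBAL",
    "SETUPVAL", "SETTABLE", "NEWTABLE", "SELF", "ADD", "SUB", "MUL", "DIV", "MOD", "POW", "UNM",
    "NOT", "LEN", "CONCAT", "JMP", "EQ", "LT", "LE", "TEST", "TESTSET", "CALL", "TAILCALL",
    "RETURN", "FORLOOP", "FORPREP", "TFORLOOP", "SETLIST", "CLOSE", "CLOSURE", "VARARG" };

static const lua51_mode_t LUA51_MODES[LUA51_NUM_OPCODES] = {
    iABC, iABx, iABC, iABC, iABC, iABx, iABC, iABx,
    iABC, iABC, iABC, iABC, iABC, iABC, iABC, iABC, iABC, iABC, iABC,
    iABC, iABC, iABC, iAsBx, iABC, iABC, iABC, iABC, iABC, iABC, iABC,
    iABC, iAsBx, iAsBx, iABC, iABC, iABC, iABx, iABC };

typedef struct { int op; const char *name; lua51_mode_t mode; int a, b, c, bx, sbx; } lua51_insn_t;

/* Decode one host-order instruction word; -1 if the opcode is outside the 5.1 set. */
int lua51_decode(uint32_t w, lua51_insn_t *out) {
    int op = (int)(w & 0x3F);
    if (op >= LUA51_NUM_OPCODES) return -1;
    out->op = op; out->name = LUA51_OPNAMES[op]; out->mode = LUA51_MODES[op];
    out->a   = (int)((w >> 6) & 0xFF);
    out->c   = (int)((w >> 14) & 0x1FF);
    out->b   = (int)((w >> 23) & 0x1FF);
    out->bx  = (int)((w >> 14) & 0x3FFFF);
    out->sbx = out->bx - LUA51_MAXARG_sBx;
    return 0;
}

/* A chunk declares its byte order in the header; this reader assumes the usual little-endian case. */
uint32_t lua51_word_le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Encoders: the inverse of the shifts above, handy for building words by hand. */
uint32_t lua51_abc(int op, int a, int b, int c) { return (uint32_t)op | ((uint32_t)a << 6) | ((uint32_t)c << 14) | ((uint32_t)b << 23); }
uint32_t lua51_abx(int op, int a, int bx)       { return (uint32_t)op | ((uint32_t)a << 6) | ((uint32_t)bx << 14); }
uint32_t lua51_asbx(int op, int a, int sbx)     { return lua51_abx(op, a, sbx + LUA51_MAXARG_sBx); }

/* One-line listing in the spirit of luac -l / ChunkSpy. All fields are printed raw: luac omits a C
   the opcode does not use and prints constant operands (RK(x) with x >= 256) as -1-k. */
const char *lua51_format_static(uint32_t w) {
    static char buf[64];
    lua51_insn_t in;
    if (lua51_decode(w, &in) < 0) { snprintf(buf, sizeof buf, "??? 0x%08x", (unsigned)w); return buf; }
    if (in.mode == iABx)       snprintf(buf, sizeof buf, "%s %d %d", in.name, in.a, in.bx);
    else if (in.mode == iAsBx) snprintf(buf, sizeof buf, "%s %d %d", in.name, in.a, in.sbx);
    else                       snprintf(buf, sizeof buf, "%s %d %d %d", in.name, in.a, in.b, in.c);
    return buf;
}

int lua51_opcode(uint32_t w) { lua51_insn_t in; return lua51_decode(w, &in) < 0 ? -1 : in.op; }
int lua51_sbx(uint32_t w)    { lua51_insn_t in; return lua51_decode(w, &in) < 0 ? 0 : in.sbx; }

/* Constructed sample: the code section luac 5.1 produces for "local a = 1 return a", written
   out by hand from the rules above as three little-endian words: LOADK 0 0, RETURN 0 2, RETURN 0 1. */
static const uint8_t SAMPLE_CODE[12] = { 0x01,0x00,0x00,0x00, 0x1E,0x00,0x00,0x01, 0x1E,0x00,0x80,0x00 };

int main(void) {
    for (size_t pc = 0; pc < sizeof SAMPLE_CODE / 4; pc++)
        printf("[%zu] %s\n", pc + 1, lua51_format_static(lua51_word_le(SAMPLE_CODE + 4 * pc)));
    return 0;
}
```

Feed the decoder the code section of a real chunk (after the header, the source name, line info and the sizecode count) and it lists the function exactly as ChunkSpy's brief mode does, which is the quickest way to check a hand-patched chunk before loading it.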

  11. An Efficient Virtual Machine Based Software Protection

    This paper presents Truly Protect, a system incorporating a virtual machine that enables execution of encrypted programs. Our intention is to form a framework for a conditional access/digital rights management system.

    We avoid relying on obscurity and rely only on assumptions about the system itself and on cryptographic measures to develop a VM-based conditional access/trusted computing environment.

    Rolles proposes a general way of breaking systems of the type described herein. We claim that Rolles' method fails to defeat our system.

    114 downloads

    0 comments

    Submitted

  12. An Improved VM-Based Software Protection

    VM (virtual-machine) based software protection is an active research field within software protection. Building on a study of traditional VM-based software protection, we improve this technology and design a new scheme called NISLVMP, which has a double register environment, security virtual instructions and more deformation templates. Analysis and testing show that NISLVMP effectively enhances the security of protected software.

    110 downloads

    0 comments

    Submitted

  13. Attacks on More Virtual Machine Emulators

    As virtual machine emulators have become commonplace in the analysis of malicious code, malicious code has started to fight back. This paper describes known attacks against the most widely used virtual machine emulators (VMware and VirtualPC). This paper also demonstrates newly discovered attacks on other virtual machine emulators (Bochs, Hydra, QEMU, Sandbox, VirtualBox, and CWSandbox), and describes how to defend against them.

    91 downloads

    0 comments

    Submitted

  14. CloudBurst

    This report presents the results of an audit of VMware virtualization products, carried out in an attempt to find a way to execute code on the host from the guest.

    The following mostly focuses on the virtualized video device "VMware SVGA II", which happened to offer all the "features" needed to reliably execute code even on hosts with address space randomization and non-executable pages.

    84 downloads

    0 comments

    Submitted

  15. Creating Code Obfuscation Virtual Machines

    An explanation of what a virtual machine is and how virtual machines are used, focusing on embedded virtual machines used for code obfuscation. Specific coding examples show how to write your own opcode interpreter, and code samples show how to embed your newly created VM into a C application. Additional obfuscation techniques for the VM are discussed; even though this is a 101 course, a solid understanding of x86 assembler is required.

    217 downloads

    0 comments

    Submitted
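An opcode interpreter of the kind entries 8 and 15 describe (and that entries 22 and 24 reverse), written as an added example in C rather than code from any of those articles. The instruction set, the OP_PERM permutation, the XOR key schedule and the sum-of-squares program are all constructed for the example. Two cheap measures stand in for what commercial protectors do: opcodes are renumbered per build so the same handler has a different byte in every protected binary, and each 4-byte instruction is XORed with a key derived from its position so identical plain instructions do not repeat in the stream. vm_run refuses a stream whose decoded opcode is not in the table and stops after a step budget, so a tampered or non-terminating program (r0 = 0 here) returns -1 instead of hanging the host.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Plain instruction set of the toy VM: 4-byte instructions [op][a][b][imm], four 32-bit registers. */
enum { OP_LOADI, OP_MOV, OP_ADD, OP_MUL, OP_DEC, OP_JNZ, OP_RET, OP_COUNT };
typedef struct { uint8_t op, a, b, imm; } insn_t;
typedef struct { uint32_t r[4]; uint32_t pc; int running; uint32_t ret; } vm_t;
typedef void (*handler_t)(vm_t *, insn_t);

/* Obfuscation layer 1: per-build opcode permutation (plain opcode -> byte stored in the stream).
   Values are constructed for this example; pairwise Hamming distance >= 3, so a single corrupted
   bit never maps onto another valid opcode. */
static const uint8_t OP_PERM[OP_COUNT] = { 0x9C, 0x21, 0xE7, 0x4B, 0x70, 0xD3, 0x08 };

/* Obfuscation layer 2: every instruction is XORed with a key derived from its position, so the
   same plain instruction never appears twice with the same bytes. */
static uint8_t stream_key(uint32_t idx) { return (uint8_t)(0x5A ^ (idx * 0x3D)); }

static int op_from_stream(uint8_t enc) {
    for (int i = 0; i < OP_COUNT; i++) if (OP_PERM[i] == enc) return i;
    return -1;
}

/* Handlers share one signature so dispatch is a table lookup rather than a switch a decompiler recovers. */
static void h_loadi(vm_t *vm, insn_t i) { vm->r[i.a & 3] = i.imm; }
static void h_mov  (vm_t *vm, insn_t i) { vm->r[i.a & 3] = vm->r[i.b & 3]; }
static void h_add  (vm_t *vm, insn_t i) { vm->r[i.a & 3] += vm->r[i.b & 3]; }
static void h_mul  (vm_t *vm, insn_t i) { vm->r[i.a & 3] *= vm->r[i.b & 3]; }
static void h_dec  (vm_t *vm, insn_t i) { vm->r[i.a & 3] -= 1; }
static void h_jnz  (vm_t *vm, insn_t i) { if (vm->r[i.a & 3] != 0) vm->pc = i.imm; }
static void h_ret  (vm_t *vm, insn_t i) { vm->ret = vm->r[i.a & 3]; vm->running = 0; }
static const handler_t HANDLERS[OP_COUNT] = { h_loadi, h_mov, h_add, h_mul, h_dec, h_jnz, h_ret };

/* Protection-time encoder: emits the obfuscated byte stream the application will carry. */
size_t vm_encode(const insn_t *prog, size_t n, uint8_t *out) {
    for (size_t i = 0; i < n; i++) {
        uint8_t k = stream_key((uint32_t)i);
        out[4 * i + 0] = OP_PERM[prog[i].op] ^ k;
        out[4 * i + 1] = prog[i].a ^ k;
        out[4 * i + 2] = prog[i].b ^ k;
        out[4 * i + 3] = prog[i].imm ^ k;
    }
    return 4 * n;
}

/* Run-time interpreter embedded in the protected application. Returns -1 on a malformed or
   tampered stream and on runaway execution (step budget). */
int64_t vm_run(const uint8_t *code, size_t len, uint32_t arg) {
    vm_t vm = { { arg, 0, 0, 0 }, 0, 1, 0 };
    size_t n = len / 4;
    uint32_t steps = 0;
    while (vm.running) {
        if (vm.pc >= n || ++steps > 100000) return -1;
        uint8_t k = stream_key(vm.pc);
        const uint8_t *raw = code + 4 * vm.pc;
        int op = op_from_stream(raw[0] ^ k);
        if (op < 0) return -1;
        insn_t in = { (uint8_t)op, raw[1] ^ k, raw[2] ^ k, raw[3] ^ k };
        vm.pc++;                      /* advance first so JNZ may overwrite pc */
        HANDLERS[op](&vm, in);
    }
    return vm.ret;
}

/* Plain program the protector hides: sum of squares 1..r0. */
static const insn_t SUM_SQUARES[] = {
    { OP_LOADI, 1, 0, 0 },   /* 0: r1 = 0 (accumulator) */
    { OP_MOV,   2, 0, 0 },   /* 1: r2 = r0 */
    { OP_MUL,   2, 0, 0 },   /* 2: r2 = r2 * r0 */
    { OP_ADD,   1, 2, 0 },   /* 3: r1 += r2 */
    { OP_DEC,   0, 0, 0 },   /* 4: r0 -= 1 */
    { OP_JNZ,   0, 0, 1 },   /* 5: if r0 != 0 goto 1 */
    { OP_RET,   1, 0, 0 },   /* 6: return r1 */
};
#define N_SUM_SQUARES (sizeof SUM_SQUARES / sizeof SUM_SQUARES[0])

int64_t protected_sum_of_squares(uint32_t n) {
    uint8_t stream[4 * N_SUM_SQUARES];
    size_t len = vm_encode(SUM_SQUARES, N_SUM_SQUARES, stream);
    return vm_run(stream, len, n);
}

/* Flip one bit of the first opcode byte: the decoder sees an unknown opcode and refuses to run. */
int64_t tampered_sum_of_squares(uint32_t n) {
    uint8_t stream[4 * N_SUM_SQUARES];
    size_t len = vm_encode(SUM_SQUARES, N_SUM_SQUARES, stream);
    stream[0] ^= 0x01;
    return vm_run(stream, len, n);
}

int main(void) {
    uint8_t stream[4 * N_SUM_SQUARES];
    size_t len = vm_encode(SUM_SQUARES, N_SUM_SQUARES, stream);
    printf("obfuscated stream:");
    for (size_t i = 0; i < len; i++) printf(" %02x", stream[i]);
    printf("\nsum of squares 1..10 = %lld\n", (long long)protected_sum_of_squares(10));
    return 0;
}
```

The weakness is equally visible: once a reverser locates HANDLERS and OP_PERM, every instruction decodes mechanically, which is exactly what the IDA processor module in entry 3 automates for a real protector.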

  16. A Glance at Virtual Machine Monitor

    A virtual-machine monitor (VMM) manages the resources of the underlying hardware and provides an abstraction of one or more virtual machines [1]. Each virtual machine can run a complete operating system and its applications. Software running within a virtual machine is called guest software. All guest software runs in user mode; only the VMM runs at the most privileged level (kernel mode). The host OS is used to provide portable access to a wide variety of I/O devices [2]. Virtual machine monitors export hardware-level abstractions to guest software using emulated hardware. The guest OS interacts with the virtual hardware in the same manner as it would with real hardware, for example through IN/OUT instructions, and these interactions are trapped by the VMM and emulated in software. This emulation allows the guest OS to run without modification while control over the system is maintained at the VMM layer [2].

    Virtualization has become an important tool in computer system design, and virtual machines are used in a number of sub-disciplines ranging from operating systems to programming languages to processor architectures. By freeing developers and users from traditional interface and resource constraints, virtual machines enhance software interoperability, system impregnability, and platform versatility [4]. The primary motivation for using a virtual machine is that it decouples the design of computer software from the evolution and diversity of computer hardware and operating systems, because the same application code can be used on any system that supports the appropriate virtual machine. Advocates of virtual machines say that it is far more convenient to implement a single virtual machine for each computer than it would be to re-implement or even just recompile each application for every different system. Furthermore, a virtual machine that allows one program to be used on different computers also aids mobility: programs can move seamlessly between computers, perhaps to follow the user to a different physical location, or to relocate from a busy computer to an idle one [3]. Finally, since a virtual machine is a software-implemented abstraction of a physical machine at a low enough level to run an operating system, running the operating system inside a virtual machine lets the programmer stand outside the operating system being debugged. From this vantage point, the programmer can use a debugger to examine and control the execution of the operating system without perturbing its state [5].

    69 downloads

    0 comments

    Submitted

  17. A Comparison of Software and Hardware Techniques for x86 Virtualization

    Until recently, the x86 architecture has not permitted classical trap-and-emulate virtualization. Virtual Machine Monitors for x86, such as VMware Workstation and Virtual PC, have instead used binary translation of the guest kernel code. However, both Intel and AMD have now introduced architectural extensions to support classical virtualization.

    We compare an existing software VMM with a new VMM designed for the emerging hardware support. Surprisingly, the hardware VMM often suffers lower performance than the pure software VMM. To determine why, we study architecture-level events such as page table updates, context switches and I/O, and find their costs vastly different among native, software VMM and hardware VMM execution.

    We find that the hardware support fails to provide an unambiguous performance advantage for two primary reasons: first, it offers no support for MMU virtualization; second, it fails to co-exist with existing software techniques for MMU virtualization. We look ahead to emerging techniques for addressing this MMU virtualization problem in the context of hardware-assisted virtualization.

    92 downloads

    0 comments

    Submitted

  18. Stealthy Deployment and Execution of In-Guest Kernel Agents

    As more and more virtual machines (VMs) are packed into a physical machine, refactoring common kernel components shared by virtual machines running on the same physical machine could significantly reduce the overall resource consumption. The refactored kernel component typically runs on a special VM called a virtual appliance. Because of the semantic gap in Hardware Abstraction Layer (HAL)-based virtualization, a physical machine's virtual appliance requires the support of per-VM in-guest agents to perform VM-specific operations such as kernel data structure access and modification. To simplify deployment, these agents must be injected into guest virtual machines without requiring any manual installation. Moreover, it is essential to protect the integrity of in-guest agents at run time, especially when the underlying refactored kernel service is security-related. This paper describes the design, implementation and evaluation of a stealthy agent deployment and execution mechanism called SADE that requires zero installation effort and effectively hides the execution of agent code. To demonstrate the efficacy of SADE, we describe a kernel memory scanning virtual appliance that uses SADE to inject its in-guest agents, and report SADE's start-up overhead and run-time performance penalty on this virtual appliance.

    81 downloads

    0 comments

    Submitted

  19. The Cluster Computing Virtualization in Windows

    Nowadays virtualization techniques have several applications that speed up the evaluation of code without the target machine. For instance, it is possible to execute a Windows executable on a Linux system by handling the import table and simulating the Windows components, as the WineHQ project does [1]. In other cases x86 instructions are run on the Alpha architecture by emulating them, as in the Bochs project [2]. The main purpose of this paper is not total virtualization; it explains a simple method that could be used as the base structure to establish a Message Passing Interface (MPI) in Visual C++. It shows how multiple executable files can be loaded into a running process and run inside separate threads, communicating with each other through two functions according to the MPI protocol. The approach is currently implemented for Portable Executable (PE) files; the technique can also be implemented for the Executable and Linkable Format (ELF) files of Linux systems.

    Tracing cluster computing code runs into several problems: first, the cost of purchasing an enormous number of machines, and second, the difficulty of tracing code in distributed systems. One can also use a virtual server and virtual machines, where the virtual server emulates the network communication and the virtual machines emulate the system and the machine. However, this approach has its own problems in addition to the delay of emulating the code and the network. This was the reason programs were developed to virtualize cluster programming according to the MPI protocol; MPICH2 [3] is a well-known program of this kind. Looking around, one sees that such programs were mainly intended to run on UNIX systems. Some of them have Windows versions, but they have not been applied in Windows systems as well as their counterparts on Linux, because they use threading or emulation approaches to port the UNIX source. For all these reasons the author presents a simple technique to implement cluster computing virtualization in Windows systems, and claims this method is much faster and more convenient than previous methods. It uses the Visual C++ compiler, which accelerates the evaluation of MPI code on Windows systems.

    70 downloads

    0 comments

    Submitted

  20. Thwarting Virtual Machine Detection

    Hello, and welcome to our presentation on virtual machine detection, and some possible methods for thwarting the types of detection currently in use by malware in the wild.

    We'll start things off with an overview of some of the methods being used to detect the use of virtual machine environments: how they work and what exactly they are detecting. Finally, we'll pass along some tips for making a virtualized environment harder for the bad guys to detect.

    84 downloads

    0 comments

    Submitted

  21. Using Memory Errors to Attack a Virtual Machine

    We present an experimental study showing that soft memory errors can lead to serious security vulnerabilities in Java and .NET virtual machines, or in any system that relies on type-checking of un-trusted programs as a protection mechanism. Our attack works by sending to the JVM a Java program that is designed so that almost any memory error in its address space will allow it to take control of the JVM. All conventional Java and .NET virtual machines are vulnerable to this attack. The technique of the attack is broadly applicable against other language-based security schemes such as proof-carrying code.

    We measured the attack on two commercial Java Virtual Machines: Sun's and IBM's. We show that a single-bit error in the Java program's data space can be exploited to execute arbitrary code with a probability of about 70%, and multiple-bit errors with a lower probability.

    Our attack is particularly relevant against smart cards or tamper-resistant computers, where the user has physical access (to the outside of the computer) and can use various means to induce faults; we have successfully used heat. Fortunately, there are some straightforward defences against this attack.

    77 downloads

    0 comments

    Submitted

  22. Virtual Machine Reverse Engineering

    Virtual machines are one of the most controversial protection methods used nowadays. I try to show how virtual machines are created by examining the fully reversed source code of the VM used in the T2'06 challenge, worth $1'500. It explains how to code a VM and helps those who wanted to analyse such a challenge by giving direct access to its source code and structures. The whole re-built source code is in the appendix.

    190 downloads

    0 comments

    Submitted

  23. Ring0Crackme

    This time, in a new article, I'm not going to talk about any commercial protection. Instead I will talk about an interesting crackme from www.crackmes.de submitted by Ms-Rem. This crackme has a lot of nice features that make it very interesting: IDT/SDT hooks, rootkit tricks to hide the process, use of \Device\PhysicalMemory, two-process execution, APCs, etc.

    In this tutorial I'll cover most of the stuff the crackme does and show you my steps for bypassing it. You will also see some neat anti-SoftICE tricks, and this will maybe help you understand how SoftICE can coexist with drivers that hook the IDT. Anyway, before we start I want to say that this crackme is a real masterpiece, and big thanks to Ms-Rem for it.

    114 downloads

    0 comments

    Submitted

  24. RISC Machine Documentation

    This time I present documentation about RISC machines. The content of this document is detailed enough to give an overview of RISC machines: how they are constructed, how they deal with virtual opcodes, and how they virtualize them.

    111 downloads

    0 comments

    Submitted

  25. Software Attacks on Intel VT-d

    We discuss three software attacks that might allow escaping from a VT-d-protected driver domain in a virtualization system. We then focus on one of those attacks and demonstrate a practical and reliable code execution exploit against a Xen system. Finally, we discuss how new hardware from Intel offers potential protection against our attacks in the form of Interrupt Remapping (for client systems, available only on the very latest Sandy Bridge processors). But we also discuss how this protection could be circumvented on a Xen system under certain circumstances.

    74 downloads

    0 comments

    Submitted

