1
The Elephant in the Room:
What to ask your CP about Hypervisor Breakouts
Florian Magin - [email protected]
2
whoami
o Security Researcher at ERNW Research GmbH from Heidelberg, Germany
o Organizer of the Wizards of Dos CTF team from Darmstadt, Germany
o Reach me via:
o Twitter: @0x464D
o Email: [email protected]
3
Who we are
o Germany-based ERNW GmbH
o Independent
o Deep technical knowledge
o Structured (assessment) approach
o Business reasonable recommendations
o We understand corporate
o Blog: www.insinuator.net
o Conference: www.troopers.de
4
Agenda
o What exactly are Hypervisors?
o What constitutes a breakout and how do they happen?
o Overview of popular cloud hypervisors in terms of security
5
Zerodium Payouts
https://zerodium.com/images/zerodium_prices.png
6
What are Hypervisors?
o How it used to be:
o Physical server runs on physical hardware
o How it is now:
o Virtual Machine runs on virtual Hardware
Hypervisor is the abstraction layer
7
Hypervisors vs Containers
o Hypervisors
o Hyper-V
o Xen
o KVM
o ESXi
o Virtualbox
o xhyve
o bhyve
o Container Technologies
o Docker
o LXC
o rkt
o OpenVZ
o systemd-nspawn
o Solaris Zones
o BSD Jails
8
9
Hardware and Paravirtualization
o PV OS is aware that it is virtualized
o PV drivers don’t talk to (emulated) hardware but directly to the hypervisor
o Host does not need to emulate hardware
o Different but smaller attack surface
10
What are Hypervisor Breakouts?
o Everything that breaks the assumption that the virtual machines can be treated like separate physical machines
11
Virtualization Attack Surface
o Management Interfaces and APIs
o Device Emulation
o Network Stack
12
Kinds of Attacks
1. Guest Execution Escape
2. Guest reads of other guest data
3. Guest crashes Host and/or other Guests
13
QEMU
o Emulator, not Hypervisor
o Used for emulating devices in Xen and KVM
o Basically the main source of CVEs in anything it is involved in
o Remember VENOM?
o Or CVE-2017-2615, CVE-2017-2620, CVE-2017-2630, CVE-2017-2633, CVE-2017-5525, CVE-2017-5526, CVE-2017-5552, CVE-2017-5578, CVE-2017-5579, CVE-2017-5667, CVE-2017-5856, CVE-2017-5857, CVE-2017-5898, CVE-2017-5931, CVE-2017-5973, CVE-2017-5987, CVE-2017-6058
14
QEMU Security Features
o None directly
o Many CVEs are in unneeded or extra Features
o Solution: Further compartmentalization
o Exploiting QEMU is less dangerous if this just lands you in one of the above environments
15
Popular Cloud Hypervisors
16
KVM
o Part of Linux since February 2007
o Used by:
o Google Compute Engine (without QEMU)
o Red Hat
o Default for OpenStack Clouds
o Mix of Type 1 and Type 2 Hypervisors
o Flexibility of Type 2 with performance of Type 1
o Used with libvirt for cloud use cases
17
KVM + Libvirt Security Details
o Libvirt provides sVirt
o Automatic SELinux labelling for VMs
o Integrates well into existing Linux security infrastructure
o Access Control
o User management
o Kernel hardening is possible
o grsecurity
18
Xen
o Initial release 1.0 in 2003
o Oldest open source hypervisor
o Used by:
o Amazon AWS
o IBM
o Different Virtualization Modes
o Paravirtualization
o Hardware virtualization
o Mixed
19
Xen Security Features
o Driver or Stub Domains
o Would have contained the infamous VENOM and any other QEMU vulnerability
o XSM-FLASK
o Fine grained access controls
o PvGrub(2)
20
Hyper-V
o Released with Microsoft Server 2008 in February 2008
o Used by
o Microsoft Azure
21
Hyper-V Security Features
o Effort to formally verify it by Microsoft
o Mathematically prove correct behavior
o Only few known vulnerabilities
o But it’s proprietary, so not many people are looking at it
o We did: “TROOPERS14 - Compromise-as-a-Service: Our PleAZURE - Matthias Luft & Felix Wilhelm”
22
VMware ESXi
o January 2002
o Few public clouds based on ESXi
o Mostly used in “private Clouds”
o On premise solution
o Not that well documented
o “VMDK has left the building” Research
o “It’s not a bug it’s a feature”
23
Conclusion
o Layered Defense
o Don’t build your security concept on the assumption that your hypervisor is secure
o Reduce attack surface (DEVICES!)
o Really need Floppy Support?
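Added example, not from the slides: a small audit of a libvirt domain definition that flags the device surface the KVM/libvirt and conclusion slides talk about (floppy and cdrom emulation, emulated rather than virtio/PV disk and NIC models, USB and sound devices) and a guest whose sVirt labelling has been disabled. The domain XML is constructed for the example; the set of "risky" device classes is an assumed policy, not a libvirt default.

```python
import xml.etree.ElementTree as ET

# Constructed libvirt domain XML for this example (not a real deployment):
# a guest with a floppy, an IDE cdrom, an emulated e1000 NIC, a USB
# controller, a sound card and sVirt labelling switched off.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>guest01</name>
  <seclabel type='none'/>
  <devices>
    <disk type='file' device='disk'><target dev='vda' bus='virtio'/></disk>
    <disk type='file' device='floppy'><target dev='fda' bus='fdc'/></disk>
    <disk type='file' device='cdrom'><target dev='hdc' bus='ide'/></disk>
    <interface type='bridge'><model type='e1000'/></interface>
    <controller type='usb' model='piix3-uhci'/>
    <sound model='ich6'/>
  </devices>
</domain>"""

def audit_domain(xml_text):
    """Return (category, detail) findings for QEMU-emulated devices and missing sVirt."""
    root = ET.fromstring(xml_text)
    devices = root.find("devices")
    findings = []
    for disk in devices.findall("disk"):
        kind = disk.get("device", "disk")
        target = disk.find("target")
        bus = target.get("bus", "?") if target is not None else "?"
        if kind in ("floppy", "cdrom"):
            findings.append((kind, f"{kind} on bus {bus}: drop unless required"))
        elif bus != "virtio":
            findings.append(("emulated-disk", f"disk on bus {bus}: prefer virtio"))
    for nic in devices.findall("interface"):
        model = nic.find("model")
        mtype = model.get("type") if model is not None else "default"
        if mtype != "virtio":
            findings.append(("emulated-nic", f"NIC model {mtype}: prefer virtio"))
    for ctrl in devices.findall("controller"):
        if ctrl.get("type") == "usb" and ctrl.get("model") != "none":
            findings.append(("usb", "USB controller present: model='none' if unused"))
    for snd in devices.findall("sound"):
        findings.append(("sound", f"sound card {snd.get('model')}: drop unless required"))
    # sVirt: libvirt labels each guest dynamically unless seclabel is 'none'.
    label = root.find("seclabel")
    if label is not None and label.get("type") == "none":
        findings.append(("no-svirt", "seclabel type='none': guest not SELinux confined"))
    return findings

if __name__ == "__main__":
    print(audit_domain(SAMPLE_DOMAIN_XML))
```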
24
Questions for your Cloud Provider
o Which Hypervisor do you use?
o What security measures are in place?
o Just default ones?
o Further hardening?
o What virtual devices are allowed?
o How do you detect and deal with possible breakouts?
25
www.ernw.de
www.insinuator.net
Thank you for your attention
0x464D