The Elephant in the Room: What to ask your CP about Hypervisor Breakouts

Florian Magin - fmagin@ernw.de

whoami

o Security Researcher at ERNW Research GmbH from Heidelberg, Germany

o Organizer of the Wizards of Dos CTF team from Darmstadt, Germany

o Reach me via:

  o Twitter: @0x464D

  o Email: [email protected]


Who we are

o Germany-based ERNW GmbH

  o Independent

  o Deep technical knowledge

  o Structured (assessment) approach

  o Business reasonable recommendations

  o We understand corporate

o Blog: www.insinuator.net

o Conference: www.troopers.de


Agenda

o What exactly are Hypervisors?

o What constitutes a breakout and how do they happen?

o Overview of popular cloud hypervisors in terms of security


Zerodium Payouts

https://zerodium.com/images/zerodium_prices.png


What are Hypervisors?

o How it used to be:

  o Physical server runs on physical hardware

o How it is now:

  o Virtual Machine runs on virtual Hardware

Hypervisor is the abstraction layer


Hypervisors vs Containers

o Hypervisors

  o Hyper-V

  o Xen

  o KVM

  o ESXi

  o Virtualbox

  o xhyve

  o bhyve

o Container Technologies

  o Docker

  o LXC

  o rkt

  o OpenVZ

  o systemd-nspawn

  o Solaris Zones

  o BSD Jails


Hardware and Paravirtualization

o PV OS is aware that it is virtualized

o PV drivers don’t talk to (emulated) hardware but directly to the hypervisor

o Host does not need to emulate hardware

o Different but smaller attack surface


What are Hypervisor Breakouts?

o Everything that breaks the assumption that the virtual machines can be treated like separate physical machines


Virtualization Attack Surface

o Management Interfaces and APIs

o Device Emulation

o Network Stack


Kinds of Attacks

1. Guest Execution Escape

2. Guest reads of other guest data

3. Guest crashes Host and/or other Guests


QEMU

o Emulator, not Hypervisor

o Used for emulating devices in Xen and KVM

o Basically the main source of CVEs in anything it is involved in

  o Remember VENOM?

  o Or CVE-2017-2615, CVE-2017-2620, CVE-2017-2630, CVE-2017-2633, CVE-2017-5525, CVE-2017-5526, CVE-2017-5552, CVE-2017-5578, CVE-2017-5579, CVE-2017-5667, CVE-2017-5856, CVE-2017-5857, CVE-2017-5898, CVE-2017-5931, CVE-2017-5973, CVE-2017-5987, CVE-2017-6058


QEMU Security Features

o None directly

o Many CVEs are in unneeded or extra Features

o Solution: Further compartmentalization

o Exploiting QEMU is less dangerous if this just lands you in one of the above environments


Popular Cloud Hypervisors


KVM

o Part of Linux since February 2007

o Used by:

  o Google Compute Engine (without QEMU)

  o Red Hat

  o Default for OpenStack Clouds

o Mix of Type 1 and Type 2 Hypervisors

  o Flexibility of Type 2 with performance of Type 1

o Used with libvirt for cloud use cases


KVM + Libvirt Security Details

o Libvirt provides sVirt

  o Automatic SELinux labelling for VMs

o Integrates well into existing Linux security infrastructure

  o Access Control

  o User management

o Kernel hardening is possible

  o grsecurity


Xen

o Initial release (1.0) in 2003

o Oldest open source hypervisor

o Used by:

  o Amazon AWS

  o IBM

o Different Virtualization Modes

  o Paravirtualization

  o Hardware virtualization

  o Mixed


Xen Security Features

o Driver or Stub Domains

  o Would have contained the infamous VENOM and any other QEMU vulnerability

o XSM-FLASK

  o Fine grained access controls

o PvGrub(2)


Hyper-V

o Released with Microsoft Server 2008 in February 2008

o Used by

  o Microsoft Azure


Hyper-V Security Features

o Effort to formally verify it by Microsoft

  o Mathematically prove correct behavior

o Only few known vulnerabilities

  o But it’s proprietary so not many people looking at it

  o We did: “TROOPERS14 - Compromise-as-a-Service: Our PleAZURE - Matthias Luft & Felix Wilhelm”


VMware ESXi

o January 2002

o Few public clouds based on ESXi

o Mostly used in “private Clouds”

  o On premise solution

o Not that well documented

o “VMDK has left the building” Research

  o “It’s not a bug it’s a feature”


Conclusion

o Layered Defense

  o Don’t build your security concept on the assumption that your hypervisor is secure

o Reduce attack surface (DEVICES!)

  o Really need Floppy Support?
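
One way to check the "reduce attack surface" point and the sVirt labelling from the KVM + Libvirt slide on your own hosts, as an added example that is not part of the original slides: a small audit of a libvirt domain XML for legacy emulated devices and a missing sVirt label. The sample XML and the finding names are constructed for illustration; the seclabel check assumes the live XML of a running guest, where libvirt records the label it applied.

```python
import xml.etree.ElementTree as ET

# Constructed libvirt domain XML (sample input, not taken from the talk).
SAMPLE_DOMAIN = """
<domain type='kvm'>
  <seclabel type='none'/>
  <devices>
    <disk type='file' device='disk'><target dev='vda' bus='virtio'/></disk>
    <disk type='file' device='floppy'><target dev='fda' bus='fdc'/></disk>
    <controller type='fdc' index='0'/>
    <interface type='network'><model type='e1000'/></interface>
    <sound model='ich6'/>
  </devices>
</domain>
"""

def audit_domain(xml_text):
    """Return sorted findings (names are illustrative) for one domain."""
    root = ET.fromstring(xml_text)
    findings = set()
    # sVirt: live XML of a running guest records the SELinux label applied.
    labels = root.findall("seclabel")
    active = any(l.get("model") == "selinux" and l.get("type") != "none"
                 for l in labels)
    if not active:
        disabled = any(l.get("type") == "none" for l in labels)
        findings.add("svirt-disabled" if disabled else "svirt-label-missing")
    # Flag legacy emulated hardware; virtio is the paravirtualized interface.
    for disk in root.findall("devices/disk"):
        target = disk.find("target")
        bus = target.get("bus") if target is not None else None
        if disk.get("device") == "floppy":
            findings.add("floppy-drive")
        elif bus in ("ide", "sata", "usb"):
            findings.add(f"emulated-disk-bus:{bus}")
    for ctrl in root.findall("devices/controller"):
        if ctrl.get("type") == "fdc":
            findings.add("floppy-controller")
    for nic in root.findall("devices/interface"):
        model = nic.find("model")
        name = model.get("type") if model is not None else "default"
        if name != "virtio":
            findings.add(f"emulated-nic:{name}")
    if root.find("devices/sound") is not None:
        findings.add("sound-device")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit_domain(SAMPLE_DOMAIN)))
```
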


Questions for your Cloud Provider

o Which Hypervisor do you use?

o What security measures are in place?

  o Just default ones?

  o Further hardening?

o What virtual devices are allowed?

o How do you detect and deal with possible breakouts?


www.ernw.de

www.insinuator.net

Thank you for your attention

[email protected]

0x464D