1

The Elephant in the Room:

What to ask your CP about Hypervisor BreakoutsFlorian Magin - fmagin@ernw.de

2

whoami

o Security Researcher at ERNW Research GmbH from Heidelberg, Germany

o Organizer of the Wizards of Dos CTF team from Darmstadt, Germany

o Reach me via:o Twitter: @0x464D

o Email: fmagin@ernw.de

3

Who we are

o Germany-based ERNW GmbHo Independent

o Deep technical knowledge

o Structured (assessment) approach

o Business reasonable recommendations

o We understand corporate

o Blog: www.insinuator.net

o Conference: www.troopers.de

44

Agenda

o What exactly are Hypervisors?

o What constitutes a breakout and how do they happen?

o Overview of popular cloud hypervisors in terms of security

5

Zerodium Payouts

https://zerodium.com/images/zerodium_prices.png

6

What are Hypervisors?

o How it used to be:

o Physical server runs on physical hardware

o How it is now:

o Virtual Machine runs on virtual Hardware

Hypervisor is the abstraction layer

7

o Hypervisors

o Hyper-V

o Xen

o KVM

o ESXi

o Virtualbox

o xhyve

o bhyve

o Container Technologies

o Docker

o LXC

o rkt

o OpenVZ

o systemd-nspawn

o Solaris Zones

o BSD Jails

Hypervisors vs Containers

8

9

Hardware and Paravirtualization

o PV OS is aware that it is virtualized

o PV drivers don’t talk to (emulated) hardware but directly to the hypervisor

o Host does not need to emulate hardware

o Different but smaller attack surface

10

What are Hypervisor Breakouts?

o Everything that breaks the assumption that the virtual machines can be treated like separate physical machines

11

Virtualization Attack Surface

o Management Interfaces and APIs

o Device Emulation

o Network Stack

12

Kinds of Attacks

1. Guest Execution Escape

2. Guest reads of other guest data

3. Guest crashes Host and/or other Guests

13

QEMU

o Emulator, not Hypervisor

o Used for emulating devices in Xen and KVM

o Basically the main source of CVEs in anything it is involved ino Remember VENOM?

o Or CVE-2017-2615,CVE-2017-2620,CVE-2017-2630,CVE-2017-2633,CVE-2017-5525,CVE-2017-5526,CVE-2017-5552,CVE-2017-5578,CVE-2017-5579,CVE-2017-5667,CVE-2017-5856,CVE-2017-5857,CVE-2017-5898,CVE-2017-5931,CVE-2017-5973,CVE-2017-5987,CVE-2017-6058

14

QEMU Security Features

o None directly

o Many CVEs are in unneeded or extra Features

o Solution: Further compartmentalization

o Exploiting QEMU is less dangerous if this just lands you in one of the above environments

15

Popular Cloud Hypervisors

16

KVM

o Part of Linux since February 2007

o Used by:

o Google Compute Engine (without QEMU)

o Red Hat

o Default for OpenStack Clouds

o Mix of Type 1 and Type 2 Hypervisors

o Flexibility of Type 2 with performance of Type 1

o Used with libvirt for cloud use cases

17

KVM + Libvirt Security Details

o Libvirt provides sVirt

o Automatic SELinux labelling for VMs

o Integrates well into existing Linux security infrastructure

o Access Control

o User management

o Kernel hardening is possible

o gr-security

18

Xen

o initial release 1.0 2003

o Oldest open source hypervisor

o Used by:o Amazon AWS

o IBM

o Different Virtualization Modeso Paravirtualization

o Hardwarevirtualization

o Mixed

19

Xen Security Features

o Driver or Stub Domains

o Would have contained the infamous VENOM and any other QEMU vulnerability

o XSM-FLASK

o Fine grained access controls

o PvGrub(2)

20

Hyper-V

o released with Microsoft Server 2008 in February 2008

o Used by

o Microsoft Azure

21

Hyper-V Security Features

o Effort to formally verify it by Microsoft

o Mathematically prove correct behavior

o Only few known vulnerabilities

o But it’s proprietary so not many people looking at it

o We did: “TROOPERS14 - Compromise-as-a-Service: Our PleAZURE - Matthias Luft & Felix Wilhelm”

22

VMWare ESXi

o January 2002

o Few public clouds based on ESXi

o Mostly used in “private Clouds”

o On premise solution

o Not that well documented

o “VMDK has left the building” Research

o “It’s not a bug it’s a feature”

23

Conclusion

o Layered Defense

o Don’t build your security concept on the assumption that your hypervisor is secure

o Reduce attack surface (DEVICES!)

o Really need Floppy Support?

24

Questions for your Cloud Provider

o Which Hypervisor do you use?

o What security measures are in place?

o Just default ones?

o Further hardening?

o What virtual devices are allowed?

o How do you detect and deal with possible breakouts?

25

www.ernw.de

www.insinuator.net

Thank you for your attention

fmagin@ernw.de

0x464D