Friday, November 21, 2014

Defending Against ret2dir Attacks (partially) with Virtualization Technology?

I was so excited when recently reading the paper (ret2dir: Rethinking Kernel Isolation) from Vasileios P. Kemerlis. This post is basically going to introduce the idea of ret2dir attack, and how to prevent such an attack with hardware virtualization technology, actually partially. 

Improve Performance for Separating Kernel and User Address Space with Process-Context Identifiers (PCIDs)

This post is not talking about any new idea, just about what I'm thinking..

Tuesday, November 18, 2014

Anybody knows How to Legitimately Register a PMI (PMU Performance Monitor Interrupt) Callback Handler on Windows OS?

According to IA32/Intel Software Development Manual, when some PMU (Performance Monitor Unit) counter overflows occur, or LBR (Last Branch Record)/BTS (Branch Trace Store) is near full, the processor will deliver a PMI (Performance Monitor Interrupt). In Linux Kernel implementation, the PMU (perf tool) is using NMI to deliver such a PMI interrupt, and we can directly change the kernel source to add our own PMI handler for a particular event. 

But in Windows OS, how to register a PMI handler callback in a driver without hooking the kernel IDT table? Does anybody know about it? 

Page Table Structure Corruption Attacks - How to Mitigate it?

On x86 and many other processor architectures (with MMU), page tables are critical data structures for address translations. And many hardware-based page level protection technologies in my previous post, like SMEP, XD/DEP, highly depend on correct page table settings. so what if page tables are controlled by an attacker? ...At the end of this post, I will propose an extra solution to mitigate page table structure attacks.

Monday, November 17, 2014

Implement software-based SMEP with Non-Execute (NX) bit in page tables to secure kernel/user virtual memory address space.

In my previous post, I talked about how to implement a software-based SMEP (Supervisor Mode Execution Protection) with virtualization/hypervisor for fun. In this post, I'm going to detail yet another solution to implement software-based SMEP without virtualization technology. 

Sunday, November 16, 2014

DMA Attacks Against McAfee DeepSafe

Rafal Wojtczuk (from Bromium, previously Invisible Things Lab) presented DMA attacks against DeepSafe. 

Latest researching status of ROP/JOP attacks and defenses

Control Flow Hijacking, like ROP, becomes a hot topic in recent years since ever DEP(W^X enforcement) and SMEP were introduced in h/w processor. Based upon the papers that I read recently, this post just gives a brief introduction on the recent researching status (though incomplete) about control flow attacks and defenses. 

Wednesday, November 12, 2014

How to Implement a software-based SMEP(Supervisor Mode Execution Protection) with Virtualization/Hypervisor Technology

As my previous post indicated, SMEP is a powerful security feature, and easy to deploy in modern commodity OS. However this feature requires H/W processor's support, for those processors that are not SMEP-capable, this post presents a software-based solution to emulate SMEP functionality with the help of Virtualization/Hypervisor technology

Saturday, November 08, 2014

What does Transactional Synchronization Extensions (TSX) processor technology mean to vulnerability exploits (e.g. Brute Forcing)?

Intel Transactional Synchronization Extensions (TSX) was introduced since from Haswell processor with adding hardware transactional memory support. It was originally design to speed up execution of multi-threaded software through lock elision. Every new technology has both good side and evil side, then how about TSX extension? What can we use it to do for vulnerability exploits and its defenses?

Using LBR (Last Branch Record) Feature to Detect IDT-Shadowing-Based Malicious IDT Hooking

Thanks to Yushi who shared a presentation (ELI: Bare-Metal Performance for I/O Virtualization) with me. In that hypervisor (ELI), it innovates an idea of gust IDT shadow (or IDT virtualization) design for some specific usage models. I'm going to talk a little bit about this idea.

Thursday, November 06, 2014

Monitor Trap Flag (MTF) Usage in EPT-based Guest Physical Memory Monitoring

Monitor Trap Flag (MTF) is a flag specifically designed for single-stepping in x86/Intel hardware virtualization VT-x technology. When MTF is set, the guest will trigger a VM Exit after executing each instruction (need to consider NMI or other interrupt delivery boundary). This paper presents an idea to use MTF for memory write allowing when monitoring modification to guest virtual-to-physical mapping (page table entries) tables. 

Wednesday, November 05, 2014

BitVisor - A Thin Hypervisor Built for Enforcing I/O Device Security - Storage (USB/DISK) Encryption or File Access Monitoring

This post is wrote to share an idea of the paper (BitVisor: A Thin Hypervisor for Enforcing I/O Device Security) that I read recently. It innovates a hypervisor-based solution for enforcing storage/disk encryption of ATA devices.

Tuesday, November 04, 2014

XEN PVH Virtualization Mode - "What Color Is Your Xen?"

In my previous post Why smaller code size with XEN on ARM?, one of reasons I explained is that XEN on x86 must support different guest working modes with backward compatibility due to historical x86 virtualization technology limitations (e.g. in the first x86 VT-x version, no hardware-assisted Paging support). This post just shares some useful information/links on a new XEN virtualization mode (PVH) I read recently. 

Monday, November 03, 2014

Unikernels: Library Operating Systems for the Cloud (OSv)

Unlike a general-purpose, commercial operating system (like Windows, Ubuntu), OSv ( from cloudius-systems) is a single-purpose operating system. It is also kind of library operating system designed for the cloud that running on top of different hypervisors, e.g. XEN, KVM, VMware. So what does OSv like look? 

Problems arises when supporting EFI + GRUB2 + Xen with Multiboot2 boot specification

Previously I wrote a post to discuss the limitations for Multiboot boot specification, today I saw that XEN hypervisor also has the similar problems. 

Debugging Bug Check (BSOD) 0x101 CLOCK_WATCHDOG_TIMEOUT in a Hypervisor/VMM Environment

I'm planning to write a post for debugging  Bug Check 0x101 issue (CLOCK_WATCHDOG_TIMEOUT) in Windows system. but I happened to find this blog Debugging a CLOCK_WATCHDOG_TIMEOUT Bugcheck from MSFT debugger team which explaned it in greater details. However, the issue we met is slightly different from what MSFT team was debugging. We are working in virtualization/hypervisor environment, and Windows (7+) is running as a primary Guest OS.  

Sunday, November 02, 2014

Security OS Design (cont.): Write Protection for Linux Kernel critical data structures (GDT, IDT, syscall table, task_strcture, mm_struct,...)

To be continued for previous post, let me review what must be changed in Linux kernel in order to prevent buffer overrun/overflow attacks from modifying the critical kernel data structures, like GDT, IDT, task_struct, mm_struct, etc.