Attacking Hypervisors via Firmware and Hardware

More documents

Recommendations

Info

Attacking VMM by proxying through SMI handlerVirtual Machine(child partition)AppAppOperating SystemRoot partitionApp AttackOperating SystemVM with direct access toSMIs invokes SMIhandler and supplies apointer to some VMMpageVMM / HypervisorMemorySMI HandlersSystem FirmwareHardwareCPUGraphicsSMI handler writes tothe supplied pointeroverwriting contents ofprotected VMM pageI/ONetwork
Sometimes attacker doesn’t need avulnerability in firmware…When VMM grants VM direct access tofirmware or hardware interfacesVM exploit doesn’t always need to exploitfirmware first through these interfacesIt may use firmware or hardware as aconfused deputy and attack VMM throughsome function on behalf of firmwareRead excellent paper Hardware InvolvedSoftware Attacks by Jeff Forristal
Page 1 and 2: Attacking Hypervisorsvia Firmware a
Page 3 and 4: Image sourceHypervisor Based Isolat
Page 5 and 6: Hypervisor Based IsolationVirtual M
Page 7 and 8: CPU Virtualization (simplified)VM G
Page 9 and 10: Hypervisor ProtectionsSystem Firmwa
Page 11 and 12: What is firmware rootkit?Virtual Ma
Page 13 and 14: “Backdoor” for attacker’s VM1
Page 15 and 16: Using hardware SPI flash programmer
Page 17 and 18: Software access and exploiting some
Page 19 and 20: Installing rootkit in firmware from
Page 21 and 22: We flashed rootkited part of firmwa
Page 23 and 24: VMCS, MSR and I/O bitmaps..
Page 25 and 26: Image sourceAttacking Hypervisor Em
Page 27 and 28: Did you know that VMMs emulate virt
Page 29 and 30: Crashing Host or Guest from Ring3
Page 31 and 32: Pointer Vulnerabilities in SMI Hand
Page 33: DEMOAttacking Hypervisor viaPoisono
Page 36 and 37: So that’s a firmware issue! Firmw
Page 40 and 41: Do Hypervisors Dreamof Electric She
Page 42 and 43: What is S3 boot script table?A tabl
Page 44 and 45: Xen attack via S3 boot scriptFound
Page 46 and 47: Image sourceDEMOAttacking Xenin its
Page 48 and 49: So these firmware vulnerabilities a
Page 50 and 51: First things first - fix that firmw
Page 52 and 53: Dealing with system firmware attack
Page 54 and 55: References1. CHIPSEC: https://githu

Attacking Hypervisors via Firmware and Hardware

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?