Attacking Hypervisors via Firmware and Hardware

More documents

Recommendations

Info

What is S3 boot script table?A table of opcodes in physical memory which restoresplatform configurationS3_BOOTSCRIPT_MEM_WRITE opcode writes some value tospecified memory location on behalf of firmwareS3_BOOTSCRIPT_DISPATCH/2S3_BOOTSCRIPT_PCI_CONFIG_WRITES3_BOOTSCRIPT_IO_WRITE…
NORMAL BOOTMODIFYS3 RESUMEXen exposes S3 boot script table to Dom0Privileged PV guest (Dom0)ExploitVM modifies S3 bootscript table in memoryUpon resume, firmwareexecutes rogue S3 scriptXen HypervisorU/EFI System <strong>Firmware</strong>BDSDXEUEFI core& driversS3 BootScript TableRestoreshardware configScript EnginePlatform PEI0xDBAA4000Platform PEI
Page 1 and 2: Attacking Hypervisorsvia Firmware a
Page 3 and 4: Image sourceHypervisor Based Isolat
Page 5 and 6: Hypervisor Based IsolationVirtual M
Page 7 and 8: CPU Virtualization (simplified)VM G
Page 9 and 10: Hypervisor ProtectionsSystem Firmwa
Page 11 and 12: What is firmware rootkit?Virtual Ma
Page 13 and 14: “Backdoor” for attacker’s VM1
Page 15 and 16: Using hardware SPI flash programmer
Page 17 and 18: Software access and exploiting some
Page 19 and 20: Installing rootkit in firmware from
Page 21 and 22: We flashed rootkited part of firmwa
Page 23 and 24: VMCS, MSR and I/O bitmaps..
Page 25 and 26: Image sourceAttacking Hypervisor Em
Page 27 and 28: Did you know that VMMs emulate virt
Page 29 and 30: Crashing Host or Guest from Ring3
Page 31 and 32: Pointer Vulnerabilities in SMI Hand
Page 33: DEMOAttacking Hypervisor viaPoisono
Page 36 and 37: So that’s a firmware issue! Firmw
Page 38 and 39: Attacking VMM by proxying through S
Page 40 and 41: Do Hypervisors Dreamof Electric She
Page 44 and 45: Xen attack via S3 boot scriptFound
Page 46 and 47: Image sourceDEMOAttacking Xenin its
Page 48 and 49: So these firmware vulnerabilities a
Page 50 and 51: First things first - fix that firmw
Page 52 and 53: Dealing with system firmware attack
Page 54 and 55: References1. CHIPSEC: https://githu

Attacking Hypervisors via Firmware and Hardware

Create successful ePaper yourself

Delete template?

Save as template?