Real-world Hypervisor Exploits

A bone of contention that keeps appearing in discussion of hypervisor compliance, especially in terms of the new PCI DSS 2.0 and NIST SP 800-37 risk-based methodologies, is that there are few real-world hypervisor exploit examples.

I have thus been compiling both quantitative and qualitative data. Here is one of the more interesting cases I ran across.

It is said that the researcher was not happy with the vendor response and so demonstrated the exploit at the 23rd Chaos Communication Congress (23C3) in late 2006. However, the system was patched only six days after the demonstration, which suggests a fix was already underway by the time the exploit was public.

The SecurityFocus bulletin gives details on the flaw.

Unprivileged code interacts with the hypervisor via the “sc” (“syscall”) instruction, which causes the machine to enter hypervisor mode. The vulnerability is a result of incomplete checking of the parameters passed to the syscall dispatcher, as illustrated below.

The simple attack explanation is that the system inconsistently used “secure mode”. The exploit was to access untrusted memory and then push the hypervisor to access the same area as trusted.

As it is not possible to directly overwrite even non-privileged code, existing code needs to be tricked into calling the hypervisor syscall with the desired register set. This can be done by setting up a stack frame and forcing a context switch to this stack frame.
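A constructed C model of the bug class the bulletin describes, added here and not the code of the system the post discusses: a dispatcher check that validates a masked copy of a guest-supplied pointer while the dispatcher goes on to use the full value, beside a check that validates exactly the value it uses. The secure-mode bit, the region bounds and the function names are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of a hypervisor syscall dispatcher; not the system the
 * post discusses. A guest passes a 64-bit buffer address: the low 32 bits
 * select the physical location, the top bit asks for "secure mode" access.
 * Bit layout, region bounds and names are assumptions of this model. */
#define SECURE_BIT (1ULL << 63)
#define PHYS_MASK  0xFFFFFFFFULL
#define GUEST_BASE 0x00000000ULL   /* untrusted guest region: [base, end) */
#define GUEST_END  0x80000000ULL

typedef enum { SC_REJECTED, SC_ACCESS_UNTRUSTED, SC_ACCESS_TRUSTED } sc_result;

/* [a, a+len) inside [lo, hi) without wrapping the 64-bit arithmetic. */
static bool in_range(uint64_t a, uint64_t len, uint64_t lo, uint64_t hi) {
    return a >= lo && len <= hi - lo && a <= hi - len;
}

/* Incomplete check: validates a masked copy of the parameter, so the secure
 * attribute in the high bits is never examined even though the dispatcher
 * goes on to use the full value. */
bool weak_check(uint64_t addr, uint64_t len) {
    return in_range(addr & PHYS_MASK, len, GUEST_BASE, GUEST_END);
}

/* Complete check: the value validated is the value used. High bits the
 * guest may not set are rejected, and the whole span must be untrusted. */
bool strict_check(uint64_t addr, uint64_t len) {
    if (addr & ~PHYS_MASK)
        return false;
    return in_range(addr, len, GUEST_BASE, GUEST_END);
}

/* Dispatcher: after the chosen check it honours the mode the address asks
 * for, which is where an unexamined secure bit turns into a trusted access
 * to memory the guest controls. */
sc_result dispatch(bool (*check)(uint64_t, uint64_t),
                   uint64_t addr, uint64_t len) {
    if (!check(addr, len))
        return SC_REJECTED;
    return (addr & SECURE_BIT) ? SC_ACCESS_TRUSTED : SC_ACCESS_UNTRUSTED;
}
```

The defensive point is the difference between the two checks: the region test is identical, but only the strict version examines the same bits the dispatcher later acts on.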

Giving access to trusted space from untrusted paths is a good example of multi-tenant risk and a real-world hypervisor exploit.

In other words, this is like a highly secure castle that rents out 32 of its 64 inside bedrooms on weekends and holidays. The first 32 rooms are accounted for all year, but there is a good chance the other bedrooms will become occupied by hostile residents who may attack when approached.

Inside the main gate of Chepstow Castle, Wales. The curtain wall on the right was breached 25 May 1648 by Isaac Ewer's cannons, and this is the site where Royalist commander Sir Nicholas Kemeys was killed. Photo by me.

I will speak to this and related issues in tomorrow morning's presentation sponsored by Cisco, Savvis, HyTrust, VMware and CoalFire:

Title: PCI-Compliant Virtualization Reference Architecture Webinar
Date and time: Wednesday, November 10, 2010 10:00 am Pacific Standard Time (San Francisco, GMT-08:00)
Program: HyTrust Webcast Series
Duration: 1 hour
