Virtual Machine Introspection

March 14, 2016 (at 9 a.m.)

Agenda

With the rapid adoption of the cloud in our everyday life, knowledge of building security tools for virtualized environments is critical. In this workshop we will take a deep dive into modern virtualization technologies to examine how to construct next-generation security tools with the aid of a hypervisor. The technique for this is known as VMI - Virtual Machine Introspection. During this workshop we will focus closely on modern x86 and ARM hardware and how the virtualization extensions found in today's CPUs can be effectively used to build stealthy and secure security platforms. Through exercises students will be introduced to the open-source LibVMI library and create their own introspection tools. In the second half of the workshop we will take a look at hardware limitations and counter-tactics. Finally, we will introduce Intel's brand-new #VE virtualization extension and discuss its potential to create a new generation of introspection tools.

BYOH:

A laptop with wifi and an SSH client installed. Exercises will be done on a pre-configured server (to save time) to which students will be given access at the beginning of the training.

Outline

  1. Introduction to Virtualization
    • Core concepts
    • Hands-on with the Xen Hypervisor
  2. Virtual memory and paging
    • Paging formats
    • Two-stage paging on Intel and ARM
  3. Hardware events of interest
    • Overview of x86 registers
    • Combining events
  4. LibVMI overview
    • Exercise in execution tracing of live virtual machines
    • Debugging VMI applications
  5. There be dragons
    • Tracing on SMP systems
    • TLB attacks
    • Detection mechanisms
  6. Intel #VE
    • Next generation of VMI tools
    • Xen altp2m

Tamas Lengyel

Tamas K Lengyel works as a Senior Security Researcher at Novetta and holds a PhD in Computer Science and Engineering from the University of Connecticut. He is an avid open-source developer, acting as a maintainer of the Xen Project Hypervisor, LibVMI and the DRAKVUF Dynamic Malware Analysis system. His expertise and interests include low-level hardware security, virtualization, networking and forensics. Tamas has appeared at many security conferences, giving talks most recently at BlackHat USA, CCC and the Xen Project Developer Summit. He can be found on Twitter with the handle @tklengyel.

Jacob Torrey

Jacob Torrey is an Advising Research Engineer at Assured Information Security, Inc., where he leads the Computer Architectures group and acts as the site lead for the Colorado branch. Jacob has worked extensively with low-level x86 and MCU architectures, having written a BIOS, an OS, a hypervisor and an SMM handler. His major interest is how to (mis)use an existing architecture to implement a capability currently beyond the limitations of that architecture. He can be found posting goofy stuff to his Twitter, @JacobTorrey, when not out in the mountains or tending to his critters.