@CSICyberSEED
Virtual Machine Introspection to Detect and Protect
“It’s turtles all the way down!”
Tamas K Lengyel @tklengyel
# whoami
• Senior Security Researcher at Novetta
• PhD Student at UConn CSE
• DARPA Cyber Fast Track participant
• Maintainer of Xen, DRAKVUF & LibVMI
Outline
• Brief look at the current security model
• Virtualization
• Virtual Machine Introspection
• It’s turtles all the way down!
How?
● Isolation: provided by the hypervisor
● Interpretation: use forensics tools
  ○ LibVMI, Rekall, Volatility
● Interposition: use hardware extensions
  ○ Intel EPT, #VE
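The "Interpretation" step above is where the semantic gap sits: the hypervisor hands a tool raw guest memory, and the tool needs kernel symbol addresses and structure offsets (what LibVMI, Rekall and Volatility carry as profiles) to turn bytes into a process list. The following is an added example, not code from the talk or from LibVMI: it walks a toy Linux-style task_struct list in a constructed memory snapshot, using an assumed profile and an assumed init_task address, and stops safely when a pointer leaves mapped memory.

```python
import struct

# Constructed profile: field offsets in a toy 64-bit task_struct, playing the role
# a real kernel profile plays for a live guest. Layout and addresses are assumed.
PROFILE = {"tasks": 0x00, "pid": 0x10, "comm": 0x14, "comm_len": 16}
TASK_SIZE = 0x28
INIT_TASK_VA = 0xFFFFFFFF81C00000  # hypothetical virtual address of init_task

def build_snapshot(procs):
    """Construct a guest-memory image: task_structs on a circular doubly-linked list."""
    n = len(procs)
    image = bytearray(n * TASK_SIZE)
    for i, (pid, comm) in enumerate(procs):
        base = i * TASK_SIZE
        nxt = INIT_TASK_VA + ((i + 1) % n) * TASK_SIZE + PROFILE["tasks"]
        prv = INIT_TASK_VA + ((i - 1) % n) * TASK_SIZE + PROFILE["tasks"]
        struct.pack_into("<QQ", image, base + PROFILE["tasks"], nxt, prv)
        struct.pack_into("<I", image, base + PROFILE["pid"], pid)
        name = comm.encode()[: PROFILE["comm_len"] - 1]
        image[base + PROFILE["comm"]:base + PROFILE["comm"] + len(name)] = name
    return bytes(image)

def read_va(image, va, size):
    """Read guest-virtual bytes from the snapshot, or None if the range is unmapped."""
    off = va - INIT_TASK_VA
    if off < 0 or off + size > len(image):
        return None
    return image[off:off + size]

def walk_task_list(image, max_entries=1024):
    """Bridge the semantic gap: raw bytes -> (pid, comm) by following init_task.tasks."""
    head = INIT_TASK_VA + PROFILE["tasks"]
    procs, entry = [], head
    while len(procs) < max_entries:  # bound stops a corrupted, looping list
        task = entry - PROFILE["tasks"]  # container_of(entry, task_struct, tasks)
        raw_pid = read_va(image, task + PROFILE["pid"], 4)
        raw_comm = read_va(image, task + PROFILE["comm"], PROFILE["comm_len"])
        raw_next = read_va(image, entry, 8)
        if raw_pid is None or raw_comm is None or raw_next is None:
            break  # pointer left mapped memory: list is unreadable or tampered
        comm = raw_comm.split(b"\0", 1)[0].decode(errors="replace")
        procs.append((struct.unpack("<I", raw_pid)[0], comm))
        entry = struct.unpack("<Q", raw_next)[0]
        if entry == head:  # list is circular; back at init_task means done
            break
    return procs

# Constructed three-process guest: init_task (pid 0) plus two children.
SNAPSHOT = build_snapshot([(0, "swapper/0"), (1, "systemd"), (4242, "sshd")])
```

A real introspection tool does the same walk against live guest memory through the hypervisor, with the profile supplied per kernel build; the bounded loop and unmapped-pointer check are what keep it from hanging or crashing on a list the guest has altered.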
It’s turtles all the way down!

A well-known scientist (some say it was Bertrand Russell) once gave a public lecture on astronomy. He described how the earth orbits around the sun and how the sun, in turn, orbits around the center of a vast collection of stars called our galaxy. At the end of the lecture, a little old lady at the back of the room got up and said: "What you have told us is rubbish. The world is really a flat plate supported on the back of a giant tortoise." The scientist gave a superior smile before replying, "What is the tortoise standing on?" "You're very clever, young man, very clever," said the old lady. "But it's turtles all the way down!"

— Hawking, A Brief History of Time
But why stop there?
[Diagram: System Management Mode, dual-monitor mode hypervisor, SMM VM]
No nested hypervisor in SMM
The real root hypervisor, with reference implementation available!
Only OEM access on most hw
There is more!
[Diagram: SMM hypervisor, SMM VM, Intel Management Engine]
No reference implementation
No documentation
Only Intel has access
The bottom line
• Adding layers doesn’t solve the problem
• Only increases the cost of breaking through
• Building cross-layer tools is hard
• That’s the whole point
• Barrier erodes with time
What’s the catch?
• Keeping lower layers as small as possible
• More code = more attack surface
• Users should have the ability to inspect these layers
• The lower the layer, the fewer folks have insight/access
• Isn’t that the perfect setup for DRM?
• It may be about security - but not necessarily yours!
Thanks!
Tamas K Lengyel
[email protected]@novetta.com
@tklengyel
LibVMI http://libvmi.com
DRAKVUF http://drakvuf.com