'Hypervisor Introspection defeated Eternalblue a priori'


Chris Laprise

Jul 7, 2017, 4:20:10 PM
to qubes...@googlegroups.com
I know Joanna's reservations about VM introspection, but this
Bitdefender introspection example is interesting nonetheless:

https://businessinsights.bitdefender.com/hypervisor-introspection-defeated-enternalblue-a-priori

> Calling something revolutionary is a big claim but it is warranted because with the Direct Inspect APIs, security vendors can now build a new class of security solution that hasn’t been seen before and protects against real threats that traditional approaches are not equipped to deal with.
>
> With XenServer 7.0’s Direct Inspect APIs it is now possible for security vendors to:
>
> Protect guest memory
>
> Traditional technologies focus on protecting your filesystem (offloading real-time memory access is not performant enough). These APIs restore a security vendors’ ability to protect virtual machine memory, guarding against attacks that may never touch the filesystem.
>
> Protect against attack techniques
>
> Instead of trying to find malware this approach aims to block malware from ever executing. This is an important distinction because although an attacker can create a lot of different malware variants, they must use the same handful of techniques to abuse memory (e.g. buffer overflows, heap spray, function detouring, code injection).
>
> This means that by focusing on blocking these techniques, a security vendor can now effectively protect against the class of ‘not yet seen’ advanced attacks.
>
> As an example of this, Bitdefender has verified using their Hypervisor Introspection (HVI) product, that with the Direct Inspect APIs they could have caught a number of high profile advanced attacks, from day zero: APT28, Energetic Bear, Darkhotel, Epic Turla, Regin, Zeus, Dyreza and Gameover (to name a few).
>
> Protect without relying on software inside the VM
>
> Relying on software inside the VM is problematic because some malware such as rootkits can (using zero-day vulnerabilities) completely compromise your ability to tell whether a system has been infected.
>
> The Direct Inspect APIs allow protection to take place from the outside using the hypervisor to provide hardware-enforced isolation. This means the attacker can no longer directly attack the security software.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

pixel fairy

Jul 13, 2017, 7:45:35 PM
to qubes-devel, tas...@openmailbox.org


On Friday, July 7, 2017 at 1:20:10 PM UTC-7, Chris Laprise wrote:
> I know Joanna's reservations about VM introspection, but this
> Bitdefender introspection example is interesting nonetheless:
>
> https://businessinsights.bitdefender.com/hypervisor-introspection-defeated-enternalblue-a-priori

I'm curious about these reservations. Is it the attack surface?

Xen hypervisor introspection looked like a total win to me.

Marek Marczykowski-Górecki

Jul 13, 2017, 8:02:34 PM
to pixel fairy, qubes-devel, tas...@openmailbox.org

On Thu, Jul 13, 2017 at 04:45:35PM -0700, pixel fairy wrote:
> On Friday, July 7, 2017 at 1:20:10 PM UTC-7, Chris Laprise wrote:
> >
> > I know Joanna's reservations about VM introspection, but this
> > Bitdefender introspection example is interesting nonetheless:
> >
> >
> > https://businessinsights.bitdefender.com/hypervisor-introspection-defeated-enternalblue-a-priori
> >
>
> I'm curious about these reservations. Is it the attack surface?

Yes, at least two kinds:
1. Enabling an API for reading VM memory breaks VM isolation - a
misbehaving monitoring VM can steal any secret and you'll never know

2. Parsing VM memory (operating system structures, application
structures, etc.) is very complex - a VM that knows it is monitored can
try to exploit the parsing code; then go to point 1, for example

As for examples of what could possibly go wrong when adding an anti-virus
that parses whatever it can find, see here:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1252

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
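The second attack surface above (an introspection agent parsing guest-controlled memory) is easy to see in a small model. The following is an added example, not code from Qubes, Xen, Bitdefender or anyone in this thread: a toy guest image holding a linked list of "process" records, walked once by a parser that trusts the guest's pointers and lengths and once by a parser that treats them as hostile input. The record layout, addresses, names and the four constructed images are all invented for the example.

```python
"""
Added example (not Qubes, Xen or Bitdefender code): a toy model of an
introspection agent parsing guest-controlled memory.

A guest image holds a linked list of "process" records.  The guest owns
every byte, so pointers and lengths are untrusted input.  The naive walker
trusts them; the hardened walker bounds-checks each access, detects cycles,
caps the amount of work and reports inconsistencies instead of crashing.

Record layout (hypothetical, chosen for this example):
    offset 0: next-record pointer, 4 bytes little-endian (0 ends the list)
    offset 4: name length, 2 bytes little-endian
    offset 6: name bytes
"""
import struct

HEADER = struct.Struct("<IH")  # next pointer, name length
MAX_NAME = 64                  # longest name a well-formed guest produces
MAX_NODES = 1024               # stop walking runaway lists


class GuestMemoryError(Exception):
    """Guest structures do not fit the expected layout."""


def build_memory(records, size=4096):
    """Lay out (offset, next_ptr, name) records in a zero-filled guest image.
    Constructed test data, not a real memory dump."""
    mem = bytearray(size)
    for off, nxt, name in records:
        mem[off:off + HEADER.size] = HEADER.pack(nxt, len(name))
        mem[off + HEADER.size:off + HEADER.size + len(name)] = name
    return bytes(mem)


def walk_naive(mem, head):
    """Follows guest pointers and lengths unchecked: a hostile guest can make
    it raise, loop forever or return silently truncated data."""
    names, ptr = [], head
    while ptr != 0:
        nxt, n = HEADER.unpack_from(mem, ptr)  # struct.error if ptr is past the end
        names.append(mem[ptr + HEADER.size:ptr + HEADER.size + n])  # slice silently truncates
        ptr = nxt
    return names


def read_record(mem, ptr):
    """Bounds-checked read of one record; raises instead of reading out of range."""
    if ptr + HEADER.size > len(mem):
        raise GuestMemoryError(f"record at {ptr:#x} runs past end of guest memory")
    nxt, n = HEADER.unpack_from(mem, ptr)
    if n > MAX_NAME:
        raise GuestMemoryError(f"record at {ptr:#x} claims {n}-byte name")
    end = ptr + HEADER.size + n
    if end > len(mem):
        raise GuestMemoryError(f"name at {ptr:#x} runs past end of guest memory")
    return nxt, mem[ptr + HEADER.size:end]


def walk_hardened(mem, head):
    """Returns (names, errors).  A non-empty error list means the guest's
    structures are inconsistent, which is itself a signal worth alerting on."""
    names, errors, seen, ptr = [], [], set(), head
    while ptr != 0:
        if ptr in seen:
            errors.append(f"cycle back to record at {ptr:#x}")
            break
        if len(seen) >= MAX_NODES:
            errors.append(f"more than {MAX_NODES} records, giving up")
            break
        seen.add(ptr)
        try:
            ptr, name = read_record(mem, ptr)
        except GuestMemoryError as exc:
            errors.append(str(exc))
            break
        names.append(name)
    return names, errors


# Constructed guest images: one well-formed, three shaped to confuse a parser.
BENIGN = build_memory([(0x100, 0x200, b"init"), (0x200, 0x300, b"sshd"), (0x300, 0, b"bash")])
OOB_POINTER = build_memory([(0x100, 0x200, b"init"), (0x200, 0xFFFF0, b"sshd")])
CYCLE = build_memory([(0x100, 0x200, b"init"), (0x200, 0x100, b"sshd")])
OVERLONG = bytearray(BENIGN)
OVERLONG[0x304:0x306] = struct.pack("<H", 0xFFFF)  # last record claims a 65535-byte name
OVERLONG = bytes(OVERLONG)


if __name__ == "__main__":
    for label, image in [("benign", BENIGN), ("oob pointer", OOB_POINTER),
                         ("cycle", CYCLE), ("overlong name", OVERLONG)]:
        names, errors = walk_hardened(image, 0x100)
        print(f"{label:14s} names={names} errors={errors}")
```

The naive walker is the shape of the bug: a real agent parses far more intricate structures (page tables, kernel object lists, heap metadata) in C rather than Python, so an unchecked pointer reads outside the mapped guest memory rather than raising a tidy exception, and a cycle hangs the monitor. The hardened walker shows the defensive stance Marek's point implies: every guest-supplied value is validated before use, the work is bounded, and a malformed structure becomes a report rather than a crash.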

Chris Laprise

Jul 14, 2017, 12:18:41 PM
to Marek Marczykowski-Górecki, pixel fairy, qubes-devel
On 07/13/2017 08:02 PM, Marek Marczykowski-Górecki wrote:
> On Thu, Jul 13, 2017 at 04:45:35PM -0700, pixel fairy wrote:
>> On Friday, July 7, 2017 at 1:20:10 PM UTC-7, Chris Laprise wrote:
>>>
>>> I know Joanna's reservations about VM introspection, but this
>>> Bitdefender introspection example is interesting nonetheless:
>>>
>>>
>>> https://businessinsights.bitdefender.com/hypervisor-introspection-defeated-enternalblue-a-priori
>>>
>>
>> I'm curious about these reservations. Is it the attack surface?
>
> Yes, at least two kinds:
> 1. Enabling an API for reading VM memory breaks VM isolation - a
> misbehaving monitoring VM can steal any secret and you'll never know

If a scanning VM instance (template-based) could be granted access to only
one subject VM, the risk may not be terribly different from a disposable VM
used to render documents.

This can also be approximated to some degree when scanning the private
storage of a subject VM... the attach function permits access to nothing
else, and the scanner's state will disappear after it issues a
(hopefully not false-negative) report and shuts down.

A template-based VM may also perform checks on its own private storage
as it's mounted, as I'm exploring in a simple way with Qubes-VM-hardening.

But 'attaching' a subject VM's memory as if it were a read-only drive
would be a nifty thing to see.*


> 2. Parsing VM memory (operating system structures, application
> structures, etc.) is very complex - a VM that knows it is monitored can
> try to exploit the parsing code; then go to point 1, for example
>
> As for examples of what could possibly go wrong when adding an anti-virus
> that parses whatever it can find, see here:
> https://bugs.chromium.org/p/project-zero/issues/detail?id=1252

Of course, but recognize that the browser + traditional OS threat model is
somewhat different vs. Qubes disposable VMs.

(* Not suggesting feature requests; just want to explore possibilities.)