Jonathan Brossard CTO - P1 Code Security

[email protected]

[email protected]


Virtualization : big picture

Attack surface analysis

The need for new tools

Introducing Virtual 8086 mode

Practical fuzzing with vm86()

Virtualization : time to care !

Market shares Defnitions

Virtualization : market shares

Source : Forrester Research 2009

78% of companies have production servers virtualized.

20% only have virtualized servers.

Virtualization : market shares

Source : Forrester Research 2009

VMWare is present in 98% of the companies.

Microsoft virtualization products are used by 17%.

Citrix/Xen is used by 10%.

Bottom line...

Virtualization software are so widespread that they have become more attractive targets than say web, mail or dns servers !

There is a lower variety too !


Virtualization : Defnitions


Virtualization is the name given to the simulation with higher level components, of lower level components.

NOTE: Virtualization of applications (as opposed to full Oses) is out of topic.

Virtualization : Defnitions

Virtual Machine

A virtual machine (VM) is : "an efficient, isolated duplicate of a real machine".

--Gerald J. Popek and Robert P. Goldberg (1974). "Formal Requirements for Virtualizable Third Generation Architectures", Communications of the ACM.


Virtualization : Defnitions


Requires the modifcation of the guest Oses (eg: Xen, UML, Qemu with kquemu, VMWare Workstation with VMWare Tools).

Opposed to « full virtualization ».

Virtualization : Defnitions

There are two types of virtualizations : Virtual Machine Monitors (or

Hypervisors) of type I and type II.

Type I Hypervisor

Virtualization : Defnitions

Hypervisors of type I

Run on bare metal (eg: Xen, Hyper-V, VMWare ESX).

Type II hypervisor

Virtualization : Defnitions

Hypervizors of type II

Run as a process inside a host OS to virtualize guests Oses (eg: Qemu, Virtualbox, VMWare Workstation, Parallels).




Hardware assisted


-Takes advantage of AMD-V On Intel VT-x CPU extentions for virtualization.

-x64 Only.

-The hypervizor is running in « ring -1 ».

-Much like the NX bit : requires the motherboard to support it and activation in the BIOS.

Virtualization : Defnitions


Isolation of the userland part of the OS to simulate independant machines (eg: Linux-Vservers, Solaris « Zones », BSD « jails », OpenVZ under GNU/Linux).


Attack surface analysis

Depending on your perspective...

What are the risks ? Where to attack ?

Privilege escalation on the


VMware Tools HGFS Local Privilege Escalation Vulnerability



Privilege escalation on the


CVE-2009-2267 « Mishandled exception on page fault in VMware » Tavis Ormandy and Julien Tinnes

Attacking other guests

Vmare workstation guest isolation weaknesses (clipboard transfer)


DoS (Host + Guests)

CVE-2007-4591 CVE-2007-4593 (bad

ioctls crashing the Host+Guests)

Escape to host

Rafal Wojtczuk (Invisible things, BHUS 2008)

IDEFENSE VMware Workstation Shared Folders Directory Traversal Vulnerability (CVE-2007-1744)

Attack surface analysis :


Hosting two companies on the same hardware is very common (shared hosting).

Getting a shell on the same machine as a given target may therefor be a matter of paying a few euros a month.

Attack surface : conclusion

Owning the Host OS from the Guest is practical : security through virtualization is a failure.

Seemingly minor bugs (local, DoS) do matter : virtualization amplifes consequences.

The need for dedicated methodologies and tools

The need for new tools :


How to dynamically test a virtual Hard Drive ?

How to dynamically test a virtual Hard Drive ? Naive approach

Standard API :

ssize_t read(int fd, void *buf, size_t count);

ssize_t write(int fd, const void *buf, size_t count);

This would mostly fuzz the kernel, not the Virtual Machine :(

We need something (much) lower level.

Standard (low level) attack



outb, outw, outl, outsb, outsw, outsl, inb, inw, inl, insb, insw, insl, outb_p, outw_p, outl_p, inb_p, inw_p, inl_p

Problems: sequence, multiple ports


int ioctl(int d, int request, ...)

Problems : arbitrary input size !

How did we used to do it

« back in the days » ?

MS Dos : direct access to the hardware (interrupts : BIOS, HD, Display, …)

Can we get back to this ?

Introducing the Virtual 8086 mode

Introducing the Virtual 8086 mode

Introduced with Intel 386 (1985)