Dig into QEMU security
Qiang Li, Zhibin Hu, Mei Wang
Qihoo 360 Gear Team
CanSecWest 2017
About us

- Qihoo 360
  - One of the most famous security companies in China
- Gear Team
  - Mainly focused on cloud security
  - Xen, QEMU, OpenSSL, NTP, Firefox, etc.
  - A very young and passionate team
  - 100+ CVEs last year
  - Especially 70+ CVEs from QEMU
Agenda

- QEMU introduction
- QEMU attack surfaces
- Attack from internal
- Attack from external
- Thoughts in QEMU security study
QEMU introduction

- QEMU is a widely used emulator; it can do full-system or user-mode emulation
- Implemented in software
- Accelerated by KVM/Xen

QEMU introduction

- QEMU is a normal user-mode process
- QEMU's virtual address space is used as the guest's RAM
- QEMU's threads act as the guest's vCPUs

QEMU introduction

- QEMU communicates with KVM through the kvm char device
- Generally, guest code can run directly on the native CPU
- When a sensitive instruction is executed, the guest traps into KVM via a VM exit, and control transfers from QEMU to KVM
- If the exit event is an I/O event, it is then dispatched to QEMU
QEMU attack surfaces

- Most security issues are caused by handling untrusted data incorrectly
- The important thing is the data flow and what data we can control
- Data from internal: mainly from the guests, most of it through the guest-facing device emulators
- Data from external: VNC/SPICE/QMP, etc.

QEMU attack surfaces - from internal

- Device emulation in QEMU has lots of vulnerabilities, including some critical ones
- Full emulation is discussed a lot, but virtio is not; virtio is very useful for improving performance, and we will talk about it later
- For convenience, most virtualization products install an agent in the guest; QEMU has its own guest agent (qga), which is not as powerful as VMware Tools and is less vulnerable

QEMU attack surfaces - from external

- VNC is used for remote desktop access, not only for VMs
- SPICE is like VNC but is usually used for remote access to VMs; it contains four parts: protocol, client, server, guest
- QEMU Machine Protocol (QMP): a lightweight, text-based protocol that allows applications to interact with QEMU
- Malicious images
Attack from internal

Attack from internal - device emulation

- QEMU device emulators are the biggest source of vulnerabilities
- Full virtualization / paravirtualization
- Third-party library drivers, like virglrenderer

Attack from internal - device emulation

- Most of the devices are based on software emulation
- The guest is unaware of the underlying virtualization environment, so QEMU does lots of work to implement it
- There are many devices that must be emulated, such as different kinds of disks, network cards, etc.

Attack from internal - device emulation

- PCI devices expose BARs (Base Address Registers) to the OS so the OS can interact with the devices; QEMU must provide this layer in its device emulation as well
- The guest OS interacts with the device by reading and writing the BARs registered by the device; these operations trap into KVM and are dispatched back to the QEMU callback handlers that were registered during device initialization

Attack from internal - device emulation

- If we don't consider KVM, we can just regard it as a simple proxy
- Guest data is untrusted and can be malicious, and that is what causes vulnerabilities in QEMU
- The data flow can be simplified to:
      Guest -> QEMU

Attack from internal - device emulation

- Two types of BARs: I/O port & MMIO
- We can read/write I/O ports/MMIO to trigger flaws in QEMU
- A malicious kernel module can act as a device driver by reading or writing its BARs
Attack from internal - example

- We found a flaw in the Cirrus VGA driver in QEMU
- When the VGA copies data by BitBLT in backward mode, this bug is triggered
- We can use it to do OOB read/write

Attack from internal - example

This is the patch for this bug: when calculating the min variable, it forgot to subtract s->cirrus_blt_width, which causes the OOB read/write.
This is the execution flow: when the guest writes to a VGA I/O port, KVM dispatches the I/O event to the QEMU Cirrus VGA driver.
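The range check behind that patch, written here as an added, self-contained model rather than QEMU's own code: CirrusState, vram_size and the row semantics are constructed assumptions, and the fixed flag toggles exactly the missing "subtract cirrus_blt_width" step when computing min for a backward blit.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the fields the BitBLT check needs; not QEMU's struct. */
typedef struct {
    int64_t vram_size;          /* size of emulated video RAM in bytes */
    int64_t cirrus_blt_width;   /* bytes copied per row (guest-controlled) */
    int64_t cirrus_blt_height;  /* rows copied (guest-controlled) */
} CirrusState;

/*
 * Decide whether a BitBLT of cirrus_blt_height rows, starting at VRAM
 * offset 'addr' and stepping 'pitch' bytes per row, stays inside VRAM.
 * pitch > 0 is forward mode: each row covers [row, row + width - 1].
 * pitch < 0 is backward mode: the row pointer is the row's highest byte,
 * so each row covers [row - width + 1, row].
 * 'fixed' selects the corrected computation of 'min' for backward mode.
 */
static bool blit_region_is_unsafe(const CirrusState *s, int32_t pitch,
                                  int32_t addr, bool fixed)
{
    if (pitch == 0 || s->cirrus_blt_width <= 0 || s->cirrus_blt_height <= 0 ||
        addr < 0 || addr >= s->vram_size) {
        return true;
    }
    if (pitch < 0) {
        /* pointer of the last row, walking downwards from addr */
        int64_t min = addr + (s->cirrus_blt_height - 1) * pitch;
        if (fixed) {
            /* the fix: that row still extends width bytes below its pointer */
            min -= s->cirrus_blt_width;
        }
        /* the lowest byte touched is min + 1; it must not be below offset 0 */
        return min < -1;
    }
    /* forward mode: one past the highest byte touched must not exceed VRAM */
    int64_t max = addr + (s->cirrus_blt_height - 1) * pitch +
                  s->cirrus_blt_width;
    return max > s->vram_size;
}

int main(void)
{
    CirrusState s = { .vram_size = 4096, .cirrus_blt_width = 256,
                      .cirrus_blt_height = 2 };
    /* backward blit: second row's pointer is 76, but it reaches down to -179 */
    printf("pre-fix check: %s\n",
           blit_region_is_unsafe(&s, -1024, 1100, false) ? "rejected" : "accepted");
    printf("fixed check:   %s\n",
           blit_region_is_unsafe(&s, -1024, 1100, true) ? "rejected" : "accepted");
    return 0;
}
```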
Attack from internal - virtio

- virtio is for I/O paravirtualization
- It has a front-end in the guest and a back-end in QEMU
- They exchange data through the vring mechanism

Attack from internal - virtio

- The guest adds data to the vring's in buffer; when the data is ready, it triggers a kick to notify QEMU
- QEMU receives the notification, pulls the data from the guest and processes it
- After QEMU has completely handled the request, it pushes the result to the vring's out buffer
- A malicious guest can write corrupt data to QEMU through the vring

Attack from internal - virtio

- Every virtio device has one or more virtqueues, and every virtqueue has a handler to process data
- During device creation, the device registers the handler with the virtqueue
- In the callback, it pops the request from the guest and then processes it
- Every virtio device has the same data-processing model
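The "pop the request from the guest" step of that model, as an added example that is not QEMU's virtqueue code: it walks a split-virtqueue descriptor chain (the layout is the virtio spec's) and validates every guest-written field, assuming a constructed VirtQueue view and a 1 MiB guest RAM.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Descriptor layout of a split virtqueue, as in the virtio specification. */
#define VRING_DESC_F_NEXT  1   /* chain continues at 'next' */
#define VRING_DESC_F_WRITE 2   /* device-writable buffer (the reply goes here) */

typedef struct {
    uint64_t addr;    /* guest-physical address of the buffer */
    uint32_t len;
    uint16_t flags;
    uint16_t next;    /* index of the next descriptor in the chain */
} VRingDesc;

/* Constructed view of a queue from the back-end (QEMU) side. */
typedef struct {
    const VRingDesc *desc;   /* descriptor table; it lives in guest RAM */
    uint16_t num;            /* queue size */
    uint64_t ram_size;       /* bytes of guest RAM the device may touch */
} VirtQueue;

typedef struct {
    uint64_t readable_bytes;   /* request data the guest hands to the device */
    uint64_t writable_bytes;   /* space the device may fill with its result */
    unsigned ndesc;
} VirtQueueElement;

/*
 * Walk the descriptor chain that starts at index 'head'.  Every field was
 * written by the guest, so the back-end validates: head and next indices,
 * chain length (a self-referencing 'next' would otherwise loop forever),
 * that each buffer lies inside guest RAM without addr+len wrapping, and the
 * spec rule that readable descriptors precede writable ones.
 * Returns 0 and fills 'elem' on success, -1 on a malformed chain.
 */
static int virtqueue_pop_chain(const VirtQueue *vq, uint16_t head,
                               VirtQueueElement *elem)
{
    unsigned i = head;
    bool seen_writable = false;

    memset(elem, 0, sizeof(*elem));
    if (head >= vq->num) {
        return -1;                      /* head outside the table */
    }
    for (;;) {
        const VRingDesc *d = &vq->desc[i];

        if (elem->ndesc++ >= vq->num) {
            return -1;                  /* longer than the table: a loop */
        }
        if (d->len == 0 || d->addr > vq->ram_size ||
            d->len > vq->ram_size - d->addr) {
            return -1;                  /* buffer not inside guest RAM */
        }
        if (d->flags & VRING_DESC_F_WRITE) {
            seen_writable = true;
            elem->writable_bytes += d->len;
        } else if (seen_writable) {
            return -1;                  /* readable after writable */
        } else {
            elem->readable_bytes += d->len;
        }
        if (!(d->flags & VRING_DESC_F_NEXT)) {
            return 0;                   /* end of chain */
        }
        i = d->next;
        if (i >= vq->num) {
            return -1;                  /* 'next' outside the table */
        }
    }
}

/* Constructed guest-side table: one good chain (0 -> 1), one self-loop (2),
 * and one buffer that runs past the end of a 1 MiB guest RAM (3). */
static const VRingDesc sample_desc[4] = {
    { 0x1000,  16,  VRING_DESC_F_NEXT,  1 },
    { 0x2000,  512, VRING_DESC_F_WRITE, 0 },
    { 0x3000,  8,   VRING_DESC_F_NEXT,  2 },
    { 0xFFFFF, 16,  0,                  0 },
};
static const VirtQueue sample_vq = { sample_desc, 4, 1u << 20 };

int main(void)
{
    VirtQueueElement elem;
    for (unsigned head = 0; head < 5; head++) {
        int rc = virtqueue_pop_chain(&sample_vq, (uint16_t)head, &elem);
        printf("head %u: %s (readable %llu, writable %llu, ndesc %u)\n", head,
               rc == 0 ? "ok" : "rejected",
               (unsigned long long)elem.readable_bytes,
               (unsigned long long)elem.writable_bytes, elem.ndesc);
    }
    return 0;
}
```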
Attack from internal - example

- VirtFS is a paravirtualized filesystem used to share files between host and guest
- It uses the virtio model: the v9fs client is in the guest and the v9fs server is in QEMU, and they exchange data through the vring

Attack from internal - example

- v9fs has a virtqueue handler for every request, like the v9fs_read function
- It unmarshals the arguments from the guest; the most important thing is that the arguments are totally controlled by the guest
- A vulnerability occurs if the handler fails to do sanity checking carefully

Attack from internal - example

We found a flaw in the v9fs driver. It is an integer overflow bug: write_count is a signed integer, but off and count are unsigned; when they are subtracted, it causes an integer overflow and then triggers a buffer overflow via memcpy.
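The signed/unsigned mix described above, reproduced as an added example beside its hardened form (constructed XattrBuf stand-in and names; not QEMU's v9fs code): the vulnerable variant only returns the length it would have handed to memcpy, the checked variant rejects the bad offset before subtracting and then copies.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>   /* ssize_t */

/* Constructed stand-in for the extended-attribute value buffer a fid holds. */
typedef struct {
    int64_t len;        /* valid length of data[] */
    char data[64];
} XattrBuf;

/*
 * The pattern the talk describes: 'off' and 'count' arrive from the guest
 * as unsigned values, write_count is signed.  If off > len the subtraction
 * wraps to a huge unsigned number, which stored into ssize_t becomes
 * negative; the "> count" clamp therefore never fires, and a memcpy with
 * that value (converted back to size_t) would copy far past data[].
 * This function only returns the length it would have passed to memcpy.
 */
static ssize_t xattr_write_count_vulnerable(const XattrBuf *x, uint64_t off,
                                            uint32_t count)
{
    ssize_t write_count = x->len - off;   /* wraps when off > len */
    if (write_count > count) {            /* a negative value is never > count */
        write_count = count;
    }
    return write_count;
}

/*
 * Hardened form: reject an offset beyond the buffer before subtracting,
 * keep the arithmetic unsigned so it cannot wrap, clamp, then copy.
 * Returns the number of bytes written, or -1 for an invalid request.
 */
static ssize_t xattr_write_checked(XattrBuf *x, uint64_t off,
                                   const void *buf, uint32_t count)
{
    if (x->len < 0 || (uint64_t)x->len > sizeof(x->data) ||
        off > (uint64_t)x->len) {
        return -1;                        /* offset past the end */
    }
    uint64_t space = (uint64_t)x->len - off;     /* cannot wrap now */
    uint64_t n = count < space ? count : space;  /* clamp to the buffer */
    memcpy(x->data + off, buf, (size_t)n);
    return (ssize_t)n;
}

int main(void)
{
    XattrBuf x = { .len = 64 };
    printf("vulnerable count for off=100: %ld\n",
           (long)xattr_write_count_vulnerable(&x, 100, 16));
    printf("checked write at off=100:     %ld\n",
           (long)xattr_write_checked(&x, 100, "abc", 3));
    printf("checked write at off=60:      %ld\n",
           (long)xattr_write_checked(&x, 60, "abcdefgh", 8));
    return 0;
}
```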
Attack from internal - third party library

- QEMU uses some third-party libraries, for example in the virtio GPU device
- virglrenderer is a third-party library, and the QEMU GPU device uses it to accelerate 3D rendering
- We found a lot of vulnerabilities in this lib:
      CVE-2017-6386, CVE-2017-6355, CVE-2017-6317, CVE-2017-6210,
      CVE-2017-6209, CVE-2017-5994, CVE-2017-5993, CVE-2017-5957,
      CVE-2017-5956, CVE-2016-10214, CVE-2017-5937, CVE-2016-10163,
      CVE-2017-5580

Attack from internal - third party library

Functions in the red box have been found to have vulnerabilities, because they failed to check data carefully.
Let us recall the framework of virtio in the left picture.
Attack from external

Attack from external - vnc

- VNC is a desktop sharing system based on the RFB protocol
- QEMU has a built-in VNC server
- Several vulnerabilities have been found in this module

Attack from external - example

We found a DoS bug in the VNC module. When we set red_max to zero, it crashes QEMU via a divide by zero.
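A parser for the RFB SetPixelFormat message (RFC 6143 section 7.5.1, the message that carries red_max) that rejects the zero colour-max case before it can reach any pixel conversion, as an added example that is not QEMU's vnc.c: the validation rules and the two constructed 20-byte messages are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint8_t  bits_per_pixel, depth, big_endian, true_colour;
    uint16_t red_max, green_max, blue_max;
    uint8_t  red_shift, green_shift, blue_shift;
} PixelFormat;

#define RFB_SET_PIXEL_FORMAT     0     /* client message type */
#define RFB_SET_PIXEL_FORMAT_LEN 20    /* 1 type + 3 pad + 16-byte PIXEL_FORMAT */

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/*
 * Parse a client SetPixelFormat message and validate it before the values
 * are stored for later pixel conversion.  The talk reports that a red_max
 * of zero reaches a division in QEMU's VNC code, so a zero colour max is
 * refused here.  Returns 0, or -1 with 'why' naming the reason.
 */
static int rfb_parse_set_pixel_format(const uint8_t *msg, size_t n,
                                      PixelFormat *pf, const char **why)
{
    if (n < RFB_SET_PIXEL_FORMAT_LEN || msg[0] != RFB_SET_PIXEL_FORMAT) {
        *why = "short message or wrong type";
        return -1;
    }
    const uint8_t *p = msg + 4;             /* skip type + 3 padding bytes */
    pf->bits_per_pixel = p[0];
    pf->depth          = p[1];
    pf->big_endian     = p[2];
    pf->true_colour    = p[3];
    pf->red_max        = be16(p + 4);       /* U16 fields are big-endian */
    pf->green_max      = be16(p + 6);
    pf->blue_max       = be16(p + 8);
    pf->red_shift      = p[10];
    pf->green_shift    = p[11];
    pf->blue_shift     = p[12];

    if (pf->bits_per_pixel != 8 && pf->bits_per_pixel != 16 &&
        pf->bits_per_pixel != 32) {
        *why = "unsupported bits-per-pixel";
        return -1;
    }
    if (pf->depth == 0 || pf->depth > pf->bits_per_pixel) {
        *why = "bad depth";
        return -1;
    }
    if (pf->true_colour) {
        if (pf->red_max == 0 || pf->green_max == 0 || pf->blue_max == 0) {
            *why = "zero colour max";       /* would be a zero divisor later */
            return -1;
        }
        if (pf->red_shift >= pf->bits_per_pixel ||
            pf->green_shift >= pf->bits_per_pixel ||
            pf->blue_shift >= pf->bits_per_pixel) {
            *why = "shift exceeds pixel width";
            return -1;
        }
    }
    *why = NULL;
    return 0;
}

/* Constructed messages: 32 bpp, depth 24, true colour, 8 bits per channel. */
static const uint8_t sample_ok[20] = {
    0, 0, 0, 0,  32, 24, 0, 1,  0x00, 0xFF, 0x00, 0xFF, 0x00, 0xFF,
    16, 8, 0,  0, 0, 0 };
/* Same message with red-max set to zero. */
static const uint8_t sample_zero_red_max[20] = {
    0, 0, 0, 0,  32, 24, 0, 1,  0x00, 0x00, 0x00, 0xFF, 0x00, 0xFF,
    16, 8, 0,  0, 0, 0 };

int main(void)
{
    PixelFormat pf;
    const char *why;
    int rc = rfb_parse_set_pixel_format(sample_ok, sizeof sample_ok, &pf, &why);
    printf("valid message:   rc=%d red_max=%u\n", rc, pf.red_max);
    rc = rfb_parse_set_pixel_format(sample_zero_red_max,
                                    sizeof sample_zero_red_max, &pf, &why);
    printf("red_max = 0:     rc=%d (%s)\n", rc, why);
    return 0;
}
```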
Attack from external - spice

- SPICE is another way of remotely accessing a guest
- It has four parts: protocol, client, server and guest
- Vulnerabilities can exist somewhere along:
      qxl driver in guest -> device in QEMU
      spice client -> spice server in QEMU

Attack from external - example

We discovered this issue on our own, but someone had already found it. This issue can be triggered by a remote client. When a client connects to the SPICE server in QEMU, it calls the reds_handle_read_link_done function; the link_mess variable is the packet pointer, and num_channel_caps and num_common_caps are all controlled by the remote client, which can trigger an integer overflow bug and then cause memory corruption.
Attack from external - qmp

- HMP/QMP are used to interact with QEMU
- Lightweight, text-based data format
- Very useful, e.g. for capabilities negotiation, device (un)hotplug, ...

Attack from external - example

We found a flaw in the HMP module; it triggers an out-of-range array access and then causes memory corruption.
Thoughts in QEMU security study

- Auditing code by people, namely code review
      - limited by energy, brain memory, associative ability ...
- Fuzzing
      - limited by comprehension of program behaviour ...
- Both ways have shortcomings

Thoughts in QEMU security study

- Fuzzing is using a model, repeatedly trying and learning
- Sometimes we can't establish the model or implement it
- So we would say "This flaw can not be found by fuzzing"

Thoughts in QEMU security study

- The most efficient way to find bugs is:
      Knowledge + fuzzing
- AFL knows just a little more about how the program runs, but it is far more efficient than dumb fuzzers
- Knowledge is important, fuzzing is efficient, the combination is complex:
      we continue improving our methods to find bugs, and may share new studies in the future
Thank you

Qiang Li, Zhibin Hu, Mei Wang
Gear Team, Qihoo 360 Inc
liq3ea@gmail.com
huzhibin@360.cn
wangmei@360.cn

Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCanSecWest
 

Plus de CanSecWest (9)

Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
 
CSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on androidCSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on android
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
 
Csw2016 macaulay eh_trace-rop_hooks
Csw2016 macaulay eh_trace-rop_hooksCsw2016 macaulay eh_trace-rop_hooks
Csw2016 macaulay eh_trace-rop_hooks
 
Csw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgenerationCsw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgeneration
 
Csw2016 gawlik bypassing_differentdefenseschemes
Csw2016 gawlik bypassing_differentdefenseschemesCsw2016 gawlik bypassing_differentdefenseschemes
Csw2016 gawlik bypassing_differentdefenseschemes
 
Csw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCsw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnology
 
Csw2016 gong pwn_a_nexus_device_with_a_single_vulnerability
Csw2016 gong pwn_a_nexus_device_with_a_single_vulnerabilityCsw2016 gong pwn_a_nexus_device_with_a_single_vulnerability
Csw2016 gong pwn_a_nexus_device_with_a_single_vulnerability
 
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacketCsw2016 wheeler barksdale-gruskovnjak-execute_mypacket
Csw2016 wheeler barksdale-gruskovnjak-execute_mypacket
 

Dernier

定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxeditsforyah
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
Elevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New OrleansElevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New Orleanscorenetworkseo
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
Git and Github workshop GDSC MLRITM
Git and Github  workshop GDSC MLRITMGit and Github  workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 

Dernier (20)

定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptx
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
Elevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New OrleansElevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New Orleans
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in  Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in  Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Git and Github workshop GDSC MLRITM
Git and Github  workshop GDSC MLRITMGit and Github  workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 

CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security

  • 1. Dig into qemu security
    Qiang Li & Zhibin Hu & Mei Wang / Qihoo 360 Gear Team, CanSecWest 2017
  • 2. About us
    - Qihoo 360: one of the best-known security companies in China
    - Gear Team: mainly focused on cloud security (Xen, QEMU, OpenSSL, NTP, Firefox, etc.)
    - A very young and passionate team
    - 100+ CVEs last year, 70+ of them in QEMU
  • 3. Agenda
    - QEMU introduction
    - QEMU attack surfaces
    - Attack from internal
    - Attack from external
    - Thoughts on QEMU security study
  • 6. QEMU introduction
    - QEMU is a normal user-mode process
    - QEMU's virtual address space is used as the guest's RAM
    - QEMU's threads act as guest vCPUs
  • 7. QEMU introduction
    - QEMU communicates with KVM through the kvm char device
    - Generally, guest code runs directly on the native CPU
    - When the guest runs a sensitive instruction, it traps into KVM via a VM exit, and control transfers from QEMU to KVM
    - If the exit event is an I/O event, KVM dispatches it to QEMU
  • 9. QEMU attack surfaces
    - Most security issues are caused by handling untrusted data incorrectly
    - The important thing is the data flow and which data we can control
    - Data from internal: mainly from the guests, mostly through the guest's device emulators
    - Data from external: VNC, SPICE, QMP, etc.
  • 10. QEMU attack surfaces - from internal
    - Device emulation in QEMU has many vulnerabilities, including some critical ones
    - Full emulation is discussed a lot, but virtio is not; virtio is very useful for improving performance, and we will talk about it later
    - For convenience, most virtualization products install an agent in the guest; QEMU has its guest agent (qga), which is less powerful than VMware Tools and less vulnerable
  • 11. QEMU attack surfaces - from external
    - VNC is used for remote desktop access, not only in VMs
    - SPICE is like VNC but is usually used for remote access to VMs; it has four parts: protocol, client, server, guest
    - QEMU Machine Protocol (QMP): a lightweight, text-based protocol that allows applications to interact with QEMU
    - Malicious images
  • 13. Attack from internal - device emulation
    - QEMU device emulators are the biggest source of vulnerabilities
    - Full virtualization / paravirtualization
    - Third-party library drivers, like virglrenderer
  • 14. Attack from internal - device emulation
    - Most devices are based on software emulation
    - The guest is unaware of the underlying virtualization environment, so QEMU does a lot of work to implement it
    - Many devices need to be emulated, such as different kinds of disks, network cards, etc.
  • 15. Attack from internal - device emulation
    - PCI devices expose BARs (Base Address Registers) to the OS so that the OS can interact with the devices; QEMU has to provide this layer in device emulation as well
    - The guest OS interacts with a device by reading and writing the BARs registered by the device; these operations trap into KVM and are dispatched back to the QEMU callback handlers that were registered during device initialization
  • 16. Attack from internal - device emulation
    - If we leave KVM aside, we can regard it as a simple proxy
    - Guest data is untrusted and can be malicious, which causes vulnerabilities in QEMU
    - The data flow simplifies to: Guest -> QEMU
  • 17. Attack from internal - device emulation
    - Two types of BARs: I/O port and MMIO
    - Reading/writing I/O ports or MMIO can trigger flaws in QEMU
    - A malicious kernel module can act as a device driver by reading or writing its BARs
  • 18. Attack from internal - example
    - We found a flaw in the Cirrus VGA driver
    - It is triggered when the VGA copies data by BitBlt in backward mode
    - It can be used for OOB read/write
  • 19. Attack from internal - example
    This is the patch for the bug: when calculating the min variable, it forgets to subtract s->cirrus_blt_width, which causes the OOB read/write.
    This is the execution flow: when the guest writes to the VGA I/O port, KVM dispatches the I/O event to the QEMU Cirrus VGA driver.
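As an added illustration of the bounds check that the backward-mode BitBlt bug on slides 18-19 calls for: this is constructed example code, not QEMU's Cirrus implementation and not the patch shown on the slide. The byte-oriented row model, the function names and the toy VRAM size are assumptions; the point is that a region check for a blit whose rows run downward must account for the row width, which is the term the slide says the original min calculation left out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a 2D blit region check; not QEMU's cirrus code.
 * A blit touches `height` rows of `width` bytes; row starts are `pitch`
 * bytes apart.  Forward mode (pitch >= 0): each row runs upward from its
 * start.  Backward mode (pitch < 0): each row runs downward from its
 * start, so the lowest byte touched lies (width - 1) bytes below the
 * start of the last row.  Dropping that term is the kind of mistake
 * slide 19 describes ("forgets to decrease s->cirrus_blt_width"). */

/* Parameter sanity so the products below cannot overflow int64. */
static bool blit_params_ok(int64_t addr, int64_t width, int64_t height,
                           int64_t pitch, int64_t vram_size)
{
    return vram_size > 0 && addr >= 0 && addr < vram_size &&
           width > 0 && width <= vram_size &&
           height > 0 && height <= vram_size &&
           pitch <= vram_size && pitch >= -vram_size;
}

/* Defective check: in backward mode it takes the last row *start* as the
 * lowest address touched and ignores the row width. */
static bool blit_is_safe_buggy(int64_t addr, int64_t width, int64_t height,
                               int64_t pitch, int64_t vram_size)
{
    int64_t lo, hi;
    if (!blit_params_ok(addr, width, height, pitch, vram_size)) return false;
    if (pitch >= 0) {
        lo = addr;
        hi = addr + pitch * (height - 1) + width - 1;
    } else {
        lo = addr + pitch * (height - 1);       /* missing: - (width - 1) */
        hi = addr;
    }
    return lo >= 0 && hi < vram_size;
}

/* Corrected check: both ends of every row must lie inside VRAM. */
static bool blit_is_safe(int64_t addr, int64_t width, int64_t height,
                         int64_t pitch, int64_t vram_size)
{
    int64_t lo, hi;
    if (!blit_params_ok(addr, width, height, pitch, vram_size)) return false;
    if (pitch >= 0) {
        lo = addr;
        hi = addr + pitch * (height - 1) + width - 1;
    } else {
        lo = addr + pitch * (height - 1) - (width - 1);
        hi = addr;
    }
    return lo >= 0 && hi < vram_size;
}

int main(void)
{
    const int64_t vram = 4096;            /* assumed toy VRAM size */
    /* Backward blit of two 64-byte rows starting at byte 100: the second
     * row would reach byte -27, but the buggy check only looks at byte 36. */
    printf("buggy: %d  fixed: %d\n",
           blit_is_safe_buggy(100, 64, 2, -64, vram),
           blit_is_safe(100, 64, 2, -64, vram));
    return 0;
}
```

The fixed check is the one to run on every guest-supplied blit parameter before the copy loop starts; the buggy variant is kept only to show that the two differ precisely in backward mode.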
  • 20. Attack from internal - virtio
    - virtio is for I/O paravirtualization
    - It has a front-end in the guest and a back-end in QEMU
    - They exchange data through the vring mechanism
  • 21. Attack from internal - virtio
    - The guest adds data to the vring's in buffer; when the data is ready, it triggers a kick to notify QEMU
    - QEMU receives the notification, pulls the data from the guest and processes it
    - After QEMU has completely handled the request, it pushes the result to the vring's out buffer
    - A malicious guest can write corrupt data to QEMU through the vring
  • 22. Attack from internal - virtio
    - Every virtio device has one or more vqueues, and every vqueue has a handler to process data
    - During device creation, the device registers the handler with the vqueue
    - In the callback, it pops the request from the guest and then processes it
    - Every virtio device has the same data processing model
  • 23. Attack from internal - example
    - VirtFS is a paravirtualized filesystem used to share files between host and guest
    - It uses the virtio model: the v9fs client is in the guest and the v9fs server is in QEMU, and they exchange data through the vring
  • 24. Attack from internal - example
    - v9fs has a vqueue handler for every request, like the v9fs_read function
    - It unmarshals the arguments from the guest; the important point is that the arguments are totally controlled by the guest
    - A vulnerability occurs if the handler fails to do sanity checking carefully
  • 25. Attack from internal - example
    We found a flaw in the v9fs driver: an integer overflow bug. write_count is a signed integer, but off and count are unsigned; when they are subtracted, the result overflows, which then triggers a buffer overflow via memcpy.
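The per-request handler model of slides 21-25, as an added example that is neither the page's code nor QEMU's v9fs or virtio implementation: a back-end handler receives offset and count fields straight from the guest and has to size the copy without the signed/unsigned mix slide 25 describes. The request struct, the function names and the buffer lengths are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed example; not QEMU's virtio or v9fs code.  The back-end's
 * vqueue handler pops a request whose fields were written by the guest. */
struct guest_read_req {      /* every field is guest-controlled */
    uint64_t off;            /* offset into the host-side object */
    uint32_t count;          /* bytes the guest asks for */
};

/* Defective sizing in the style of slide 25: write_count is signed while
 * off and len are unsigned.  For off > len the subtraction wraps, the cast
 * yields a negative number, the "> count" clamp does not fire, and a caller
 * passing the result to memcpy would hand it a size_t of 2^64 - 16 for the
 * values used in main() below. */
static ssize_t read_len_buggy(uint64_t len, const struct guest_read_req *r)
{
    ssize_t write_count = (ssize_t)(len - r->off);
    if (write_count > (ssize_t)r->count) {
        write_count = r->count;
    }
    return write_count;
}

/* Hardened sizing: reject off > len, treat off == len as EOF, and keep the
 * arithmetic unsigned so nothing can wrap.  Returns 0 on success, -1 on a
 * request that must be answered with an error. */
static int read_len_safe(uint64_t len, const struct guest_read_req *r,
                         uint64_t *out)
{
    if (r->off > len) {
        *out = 0;
        return -1;
    }
    uint64_t avail = len - r->off;           /* cannot wrap: off <= len */
    *out = avail < r->count ? avail : r->count;
    return 0;
}

/* The handler copies into the reply only after the safe computation and
 * after checking the reply buffer's own capacity. */
static size_t handle_read(const uint8_t *data, uint64_t len,
                          const struct guest_read_req *r,
                          uint8_t *reply, size_t reply_cap)
{
    uint64_t n;
    if (read_len_safe(len, r, &n) < 0 || n > reply_cap) {
        return 0;                             /* caller sends an error reply */
    }
    memcpy(reply, data + r->off, (size_t)n);
    return (size_t)n;
}

int main(void)
{
    uint8_t data[16];                         /* constructed 16-byte object */
    uint8_t reply[8];
    for (int i = 0; i < 16; i++) data[i] = (uint8_t)i;
    struct guest_read_req bad = { .off = 32, .count = 8 };   /* off > len */
    struct guest_read_req ok  = { .off = 10, .count = 8 };   /* 6 bytes left */
    printf("buggy length for off=32: %zd\n", read_len_buggy(16, &bad));
    printf("safe handler copied %zu bytes\n",
           handle_read(data, 16, &ok, reply, sizeof reply));
    return 0;
}
```

The general rule the example applies is the one slide 24 states: every unmarshalled argument is guest data, so range checks go before the arithmetic, and the arithmetic is done in one unsigned width.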
  • 26. Attack from internal - third party library
    - QEMU uses some third-party libraries, e.g. for the virtio GPU device
    - virglrenderer is a third-party library that the QEMU GPU device uses to accelerate 3D rendering
    - We found many vulnerabilities in this library: CVE-2017-6386, CVE-2017-6355, CVE-2017-6317, CVE-2017-6210, CVE-2017-6209, CVE-2017-5994, CVE-2017-5993, CVE-2017-5957, CVE-2017-5956, CVE-2016-10214, CVE-2017-5937, CVE-2016-10163, CVE-2017-5580
  • 27. Attack from internal - third party library
    Vulnerabilities have been found in the functions in the red box, because they failed to check data carefully. Let us recall the virtio framework in the left picture.
  • 29. Attack from external - vnc
    - VNC is a desktop sharing system based on the RFB protocol
    - QEMU has a built-in VNC server
    - Several vulnerabilities have been found in this module
  • 30. Attack from external - example
    We found a DoS bug in the VNC module: when we set red_max to zero, QEMU crashes with a divide by zero.
  • 31. Attack from external - spice
    - SPICE is another way of remotely accessing a guest
    - It has four parts: protocol, client, server and guest
    - Vulnerabilities can exist anywhere along these paths: QXL driver in guest -> device in QEMU; SPICE client -> SPICE server in QEMU
  • 32. Attack from external - example
    We discovered this issue independently, but someone had already found it. It can be triggered by a remote client: when a client connects to the SPICE server in QEMU, the reds_handle_read_link_done function is called; the link_mess variable is the packet pointer, and num_channel_caps and num_common_caps are both controlled by the remote client, which can trigger an integer overflow and then memory corruption.
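For the two externally reachable bugs on slides 30 and 32 (a zero red_max later used as a divisor, and client-supplied capability counts feeding a size computation), here is an added example of the validation a server does on such fields before any arithmetic uses them. It is constructed code, not QEMU's VNC or SPICE implementation; the struct layout, the field names, CAPS_MAX and the function names are assumptions, and the RFB rule that a channel max is 2^n - 1 is the only protocol fact it relies on.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed examples; not QEMU's VNC or SPICE code. */

/* --- VNC: client-supplied pixel format (RFB-style; field names assumed) --- */
struct pixel_format {
    uint8_t  bits_per_pixel, depth;
    uint16_t red_max, green_max, blue_max;
    uint8_t  red_shift, green_shift, blue_shift;
};

static int channel_bits(uint16_t max)         /* bits needed to hold 0..max */
{
    int bits = 0;
    while (max) { bits++; max >>= 1; }
    return bits;
}

static bool channel_ok(uint16_t max, uint8_t shift, uint8_t bpp)
{
    if (max == 0) return false;                /* the slide-30 case: a later division by max */
    if ((max & (max + 1u)) != 0) return false; /* RFB channel maxes are 2^n - 1 */
    return shift + channel_bits(max) <= bpp;   /* channel must fit inside the pixel */
}

/* Reject a format once, at SetPixelFormat time, before any code path computes with it. */
static bool validate_pixel_format(const struct pixel_format *pf)
{
    if (pf->bits_per_pixel != 8 && pf->bits_per_pixel != 16 && pf->bits_per_pixel != 32)
        return false;
    if (pf->depth == 0 || pf->depth > pf->bits_per_pixel) return false;
    return channel_ok(pf->red_max, pf->red_shift, pf->bits_per_pixel) &&
           channel_ok(pf->green_max, pf->green_shift, pf->bits_per_pixel) &&
           channel_ok(pf->blue_max, pf->blue_shift, pf->bits_per_pixel);
}

/* Rescale one channel between ranges; only safe after validation (from_max != 0). */
static uint32_t scale_channel(uint32_t v, uint16_t from_max, uint16_t to_max)
{
    return (v * to_max) / from_max;
}

/* --- SPICE-style link message: capability counts sent by the client --- */
#define CAPS_MAX 64u   /* assumed sane upper bound per capability list */

/* Defective 32-bit size computation: wraps for large counts. */
static uint32_t caps_bytes_buggy(uint32_t num_common_caps, uint32_t num_channel_caps)
{
    return (num_common_caps + num_channel_caps) * (uint32_t)sizeof(uint32_t);
}

/* Bounded computation: counts are capped first, so neither sum nor product can wrap. */
static bool caps_bytes(uint32_t num_common_caps, uint32_t num_channel_caps, size_t *out)
{
    if (num_common_caps > CAPS_MAX || num_channel_caps > CAPS_MAX) return false;
    *out = ((size_t)num_common_caps + num_channel_caps) * sizeof(uint32_t);
    return true;
}

int main(void)
{
    struct pixel_format bad = { 32, 24, 0, 255, 255, 16, 8, 0 };  /* red_max == 0 */
    size_t n;
    printf("bad format accepted: %d\n", validate_pixel_format(&bad));
    printf("buggy caps size for 2 x 0x40000000: %u\n",
           caps_bytes_buggy(0x40000000u, 0x40000000u));
    printf("bounded caps size accepted: %d\n", caps_bytes(0x40000000u, 1, &n));
    return 0;
}
```

Both halves follow the same pattern: a remote client's field is bounded against what the protocol and the implementation can actually represent at the moment it is parsed, so the later arithmetic (division, buffer sizing) never sees a value outside the range it was written for.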
  • 33. Attack from external - qmp
    - HMP/QMP is used to interact with QEMU
    - Lightweight, text-based data format
    - Very useful, e.g. for capabilities negotiation, device (un)hotplug ...
  • 34. Attack from external - example
    We found a flaw in the HMP module; it triggers an out-of-range array access, which then causes memory corruption.
  • 36. Thoughts on QEMU security study
    - Code auditing by people, i.e. code review: limited by energy, memory, associative ability ...
    - Fuzzing: limited by how well the fuzzer comprehends program behavior ...
    - Both ways have shortcomings
  • 37. Thoughts on QEMU security study
    - Fuzzing uses a model, repeatedly trying and learning
    - Sometimes we can't establish the model or implement it
    - So we would say "This flaw cannot be found by fuzzing"
  • 38. Thoughts on QEMU security study
    - The most efficient way to find bugs is: knowledge + fuzzing
    - AFL knows just a little more about the running program, but it is far more efficient than dumb fuzzers
    - Knowledge is important, fuzzing is efficient, and combining them is complex: we continue to improve our methods for finding bugs and may share new studies in the future
  • 39. Thank you
    Qiang Li && Zhibin Hu && Mei Wang, Gear Team, Qihoo 360 Inc
    liq3ea@gmail.com huzhibin@360.cn wangmei@360.cn