CSW2017 Qiang Li, Zhibin Hu, Mei Wang: Dig into QEMU security

Post on 21-Mar-2017


Dig into qemu security

Qiang Li & Zhibin Hu & Mei Wang / Qihoo 360 Gear Team, CanSecWest 2017

About us

- Qihoo 360
  - One of the most famous security companies in China
- Gear Team
  - Mainly focused on cloud security
  - Xen, QEMU, OpenSSL, NTP, Firefox, etc.
  - Very young and passionate team
  - 100+ CVEs last year
  - Especially 70+ CVEs from QEMU

Agenda

- QEMU introduction
- QEMU attack surfaces
- Attack from internal
- Attack from external
- Thoughts in QEMU security study

QEMU introduction

- QEMU is a widely used emulator; it can do full-system or user-mode emulation
- Implemented in software
- Accelerated by KVM/Xen

QEMU introduction

- QEMU is a normal user-mode process
- QEMU's virtual address space is used as the guest's RAM
- QEMU's threads act as the guest vCPUs

QEMU introduction

- QEMU communicates with KVM through the kvm char device
- Generally, guest code can run directly on the native CPU
- When the guest runs sensitive instructions, it traps into KVM via a VM-exit; control transfers from QEMU to KVM
- If the exit event is an IO event, it is then dispatched to QEMU

QEMU attack surfaces

- Most security issues are caused by handling untrusted data incorrectly
- The important things are the data flow and what data we can control
- Data from internal: mainly from the guests, mostly through the guest's device emulators
- Data from external: VNC/SPICE/QMP, etc.

QEMU attack surfaces - from internal

- Device emulation in QEMU has lots of vulnerabilities, including some critical ones
- Full emulation is discussed a lot, but virtio is not; virtio is very useful for improving performance, and we will talk about virtio later
- For convenience, most virtualization products install an agent in the guest; QEMU has its guest agent (qga), which is not as powerful as VMware Tools and less vulnerable

QEMU attack surfaces - from external

- VNC is used for remote desktop access, not only in VMs
- SPICE is like VNC, but usually used for remote access to VMs; it contains four parts: protocol, client, server, guest
- QEMU Machine Protocol (QMP): a lightweight, text-based protocol that allows applications to interact with QEMU
- Malicious images

Attack from internal

Attack from internal - device emulation

- QEMU device emulators are the biggest source of vulnerabilities
- Full virtualization / paravirtualization
- Third-party library drivers, like virglrenderer

Attack from internal - device emulation

- Most of the devices are based on software emulation
- The guest is unaware of the underlying virtualization environment, so QEMU does a lot of work to implement it
- There are many devices that must be emulated, such as different kinds of disks, network cards, etc.

Attack from internal - device emulation

- PCI devices expose BARs (Base Address Registers) to the OS so the OS can interact with the devices; QEMU has to provide this layer in device emulation as well
- The guest OS interacts with the device by reading and writing the BARs registered by the device; these operations trap into KVM and are dispatched back to QEMU callback handlers that were registered while the device was initializing

Attack from internal - device emulation

- If we don't consider KVM, we can just regard it as a simple proxy
- Guest data is untrusted and can be malicious; it will cause vulnerabilities in QEMU
- The data flow would be simplified to: Guest -> QEMU

Attack from internal - device emulation

- Two types of BARs: IO port & MMIO
- We can read/write IO port/MMIO to trigger flaws in QEMU
- A malicious kernel module can act as a device driver by reading or writing its BARs
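The slides describe the data flow Guest -> BAR access -> KVM -> QEMU callback, where every value the callback receives (offset, width, value, and anything the guest stored in a device register earlier) is untrusted. The following stand-alone C model is an added example, not code from the deck or from QEMU: it implements the MMIO read/write callbacks for a hypothetical "toy" PCI device (an index register at offset 0 and a data register at offset 4, a very common register-file layout) and validates each guest-derived field before it is used to select memory. The device, its register map and the replayed access traces are all constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Toy device (constructed for this example): one BAR-mapped MMIO region,
   index register at offset 0, data register at offset 4. Writes to the data
   register land in regs[index], so the guest-chosen index selects memory. */
#define TOY_NREGS 16
enum { TOY_REG_INDEX = 0x0, TOY_REG_DATA = 0x4, TOY_BAR_SIZE = 0x8 };

typedef struct {
    uint32_t index;
    uint32_t regs[TOY_NREGS];
    uint32_t rejected;      /* accesses refused by the hardened handlers */
} ToyDevice;

typedef struct {
    bool     is_write;
    uint64_t addr;          /* offset inside the BAR, as KVM hands it over */
    uint64_t val;           /* value written (ignored for reads) */
    unsigned size;          /* access width in bytes */
} GuestAccess;

void toy_reset(ToyDevice *d) { memset(d, 0, sizeof(*d)); }

/* Hardened MMIO write callback: width, alignment, register offset and the
   stored index are all checked before any memory is selected. */
bool toy_mmio_write(ToyDevice *d, uint64_t addr, uint64_t val, unsigned size)
{
    if (size != 4 || (addr & 3) != 0 || addr >= TOY_BAR_SIZE) {
        d->rejected++;
        return false;
    }
    if (addr == TOY_REG_INDEX) {
        d->index = (uint32_t)val;        /* stored verbatim, validated at use */
        return true;
    }
    if (d->index >= TOY_NREGS) {         /* the check an unsafe handler omits */
        d->rejected++;
        return false;
    }
    d->regs[d->index] = (uint32_t)val;
    return true;
}

/* Hardened MMIO read callback: same checks, all-ones for invalid accesses. */
bool toy_mmio_read(ToyDevice *d, uint64_t addr, unsigned size, uint64_t *out)
{
    *out = 0xffffffffu;
    if (size != 4 || (addr & 3) != 0 || addr >= TOY_BAR_SIZE) {
        d->rejected++;
        return false;
    }
    if (addr == TOY_REG_INDEX) { *out = d->index; return true; }
    if (d->index >= TOY_NREGS) { d->rejected++; return false; }
    *out = d->regs[d->index];
    return true;
}

/* Replay a sequence of guest BAR accesses through the callbacks, the way KVM
   would dispatch each trapped access, and return how many were rejected. */
uint32_t toy_replay(ToyDevice *d, const GuestAccess *trace, size_t n)
{
    uint64_t scratch;
    for (size_t i = 0; i < n; i++) {
        if (trace[i].is_write)
            toy_mmio_write(d, trace[i].addr, trace[i].val, trace[i].size);
        else
            toy_mmio_read(d, trace[i].addr, trace[i].size, &scratch);
    }
    return d->rejected;
}

/* Convenience wrappers: run a trace on a fresh device and report one result. */
uint32_t toy_rejected_after(const GuestAccess *trace, size_t n)
{
    ToyDevice d;
    toy_reset(&d);
    return toy_replay(&d, trace, n);
}
uint32_t toy_reg3_after(const GuestAccess *trace, size_t n)
{
    ToyDevice d;
    toy_reset(&d);
    toy_replay(&d, trace, n);
    return d.regs[3];
}

/* Constructed traces: a well-behaved driver, and a driver probing the index. */
const GuestAccess toy_good_trace[] = {
    { true,  TOY_REG_INDEX, 3,           4 },
    { true,  TOY_REG_DATA,  0xdeadbeefu, 4 },
    { false, TOY_REG_DATA,  0,           4 },
};
const GuestAccess toy_bad_trace[] = {
    { true,  TOY_REG_INDEX, 0xffffffffu, 4 },   /* slot far past regs[] */
    { true,  TOY_REG_DATA,  0x41414141u, 4 },   /* would be an OOB write */
    { true,  0x100,         1,           4 },   /* offset outside the BAR */
    { true,  TOY_REG_DATA,  1,           1 },   /* unsupported width */
};
#define TOY_GOOD_LEN (sizeof toy_good_trace / sizeof toy_good_trace[0])
#define TOY_BAD_LEN  (sizeof toy_bad_trace  / sizeof toy_bad_trace[0])
```

The point of the model is where the check sits: the index is accepted verbatim when written (real drivers do write odd values there), and bounds are enforced at the moment the index is used to address regs[]. Counting rejected accesses is also a cheap signal worth logging from a real device model, since a well-behaved driver should never trigger it.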

Attack from internal - example

- We found a flaw in the Cirrus VGA driver
- It is triggered when the VGA copies data by BitBlt in backward mode
- We can use it to do an OOB read/write

Attack from internal - example

This is the patch for the bug: when calculating the min variable, it forgets to subtract s->cirrus_blt_width, which causes the OOB read/write.

This is the execution flow: when the guest writes to the VGA IO port, KVM dispatches the IO event to the QEMU Cirrus VGA driver.
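The patch image is not in the transcript, so the following stand-alone C code is an added model of the bounds check the slide describes, not the deck's or QEMU's code. It keeps the field the slide names (s->cirrus_blt_width); cirrus_blt_height, vram_size and the blit_region_is_unsafe_* function names are assumptions for this example. Both versions of the check are given side by side so the difference the slide points at (the missing subtraction of the width in backward mode) can be exercised on constructed blit parameters.

```c
#include <stdint.h>
#include <stdbool.h>

/* Minimal model of the blitter state. cirrus_blt_width is the field named on
   the slide; cirrus_blt_height and vram_size are assumed for this example. */
typedef struct {
    int32_t  cirrus_blt_width;     /* bytes copied per row */
    int32_t  cirrus_blt_height;    /* number of rows */
    uint32_t vram_size;            /* size of emulated video RAM */
} CirrusModel;

/* Bounds check before the fix. For a backward blit (negative pitch) the
   lower bound only accounts for the rows, not for the width of the last
   row, so a blit starting near address 0 is accepted although the copy
   runs cirrus_blt_width bytes below the start address, i.e. below VRAM. */
bool blit_region_is_unsafe_before(const CirrusModel *s, int32_t pitch, int32_t addr)
{
    if (!pitch)
        return true;
    if (pitch < 0) {
        int64_t min = addr + ((int64_t)s->cirrus_blt_height - 1) * pitch;
        return min < -1 || addr >= (int64_t)s->vram_size;
    }
    int64_t max = addr + ((int64_t)s->cirrus_blt_height - 1) * pitch
                  + s->cirrus_blt_width;
    return max > (int64_t)s->vram_size;
}

/* Bounds check after the fix: subtract cirrus_blt_width so that min is one
   below the lowest byte the backward copy will touch (hence the "< -1"). */
bool blit_region_is_unsafe_after(const CirrusModel *s, int32_t pitch, int32_t addr)
{
    if (!pitch)
        return true;
    if (pitch < 0) {
        int64_t min = addr + ((int64_t)s->cirrus_blt_height - 1) * pitch
                      - s->cirrus_blt_width;
        return min < -1 || addr >= (int64_t)s->vram_size;
    }
    int64_t max = addr + ((int64_t)s->cirrus_blt_height - 1) * pitch
                  + s->cirrus_blt_width;
    return max > (int64_t)s->vram_size;
}

/* Constructed state: one 4096-byte row, 4 MiB of VRAM. */
const CirrusModel cirrus_demo = {
    .cirrus_blt_width  = 4096,
    .cirrus_blt_height = 1,
    .vram_size         = 4u << 20,
};
```

With these parameters, a backward blit whose start address is 0 is reported safe by the pre-fix check (min evaluates to 0) and unsafe by the fixed one (min evaluates to -4096); a start address of 4095 is accepted by both, since the copy then stops exactly at byte 0. The forward-mode branch is unchanged between the two versions.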

Attack from internal - virtio

- Virtio is for IO paravirtualization
- It has a front-end in the guest and a back-end in QEMU
- They exchange data through the vring mechanism

Attack from internal - virtio

- The guest adds data to the vring's in-buffer; when the data is ready, it triggers a kick to notify QEMU
- QEMU receives the notification, pulls the data from the guest and processes it
- After QEMU has completely handled the request, it pushes the result to the vring's out-buffer
- A malicious guest can write corrupt data to QEMU through the vring

Attack from internal - virtio

- Every virtio device has one or more vqueues, and every vqueue has a handler to process data
- During device creation, it registers the handler with the vqueue
- In the callback, it pops the request from the guest and then processes it
- Every virtio device has the same data processing model
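The two virtio slides above describe the back-end popping guest requests from the vring. The request arrives as a chain of descriptors, and every index in that chain is written by the guest. As an added example (not code from the deck or from QEMU's virtio implementation), here is a stand-alone C walk over a split-virtqueue descriptor table using the descriptor layout from the virtio specification; the table contents, the VRingModel wrapper and the CHAIN_* result codes are constructed for this example. It shows the three checks a back-end needs before trusting a chain: the head index, each next index, and a loop bound.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Split-virtqueue descriptor, as laid out by the virtio specification. */
#define VRING_DESC_F_NEXT  1
#define VRING_DESC_F_WRITE 2

typedef struct {
    uint64_t addr;      /* guest-physical address of the buffer */
    uint32_t len;       /* buffer length */
    uint16_t flags;
    uint16_t next;      /* index of the next descriptor if F_NEXT is set */
} VRingDesc;

/* Constructed wrapper: the descriptor table plus the queue size. */
typedef struct {
    const VRingDesc *desc;
    uint16_t num;
} VRingModel;

enum {
    CHAIN_BAD_HEAD = -1,   /* head index outside the table */
    CHAIN_BAD_NEXT = -2,   /* next index outside the table */
    CHAIN_LOOP     = -3,   /* chain longer than the table: it cycles */
    CHAIN_TOO_LONG = -4,   /* summed buffer length overflows */
};

/* Walk the chain starting at head, as a back-end does when it pops a request.
   Every index is validated before it is used to index desc[]. Returns the
   number of descriptors in the chain, or a negative CHAIN_* code; total_len
   (optional) receives the summed buffer length. */
int vring_walk_chain(const VRingModel *vq, uint16_t head, uint32_t *total_len)
{
    if (head >= vq->num)
        return CHAIN_BAD_HEAD;
    uint16_t i = head;
    unsigned count = 0;
    uint32_t total = 0;
    for (;;) {
        const VRingDesc *d = &vq->desc[i];
        if (++count > vq->num)               /* a valid chain never revisits a slot */
            return CHAIN_LOOP;
        if (total > UINT32_MAX - d->len)     /* guest-chosen lengths may sum past 4 GiB */
            return CHAIN_TOO_LONG;
        total += d->len;
        if (!(d->flags & VRING_DESC_F_NEXT))
            break;
        if (d->next >= vq->num)
            return CHAIN_BAD_NEXT;
        i = d->next;
    }
    if (total_len)
        *total_len = total;
    return (int)count;
}

/* Summed length of a chain, 0 if the chain is rejected. */
uint32_t vring_chain_total(const VRingModel *vq, uint16_t head)
{
    uint32_t total = 0;
    return vring_walk_chain(vq, head, &total) > 0 ? total : 0;
}

/* Constructed descriptor tables (queue size 4). */
static const VRingDesc good_descs[4] = {
    { 0x1000, 64,   VRING_DESC_F_NEXT,  1 },   /* request header */
    { 0x2000, 512,  VRING_DESC_F_NEXT,  2 },   /* payload */
    { 0x3000, 4096, VRING_DESC_F_WRITE, 0 },   /* device-writable reply */
    { 0, 0, 0, 0 },
};
static const VRingDesc loop_descs[4] = {
    { 0x1000, 64, VRING_DESC_F_NEXT, 1 },
    { 0x2000, 64, VRING_DESC_F_NEXT, 0 },      /* points back at the head */
    { 0, 0, 0, 0 },
    { 0, 0, 0, 0 },
};
static const VRingDesc badnext_descs[4] = {
    { 0x1000, 64, VRING_DESC_F_NEXT, 9 },      /* next is past the table */
    { 0, 0, 0, 0 },
    { 0, 0, 0, 0 },
    { 0, 0, 0, 0 },
};
const VRingModel vq_good    = { good_descs, 4 };
const VRingModel vq_loop    = { loop_descs, 4 };
const VRingModel vq_badnext = { badnext_descs, 4 };
```

A back-end that skips the next-index check reads descriptors outside the table, and one that skips the loop bound spins forever on a cyclic chain (a guest-triggered denial of service); the summed-length check matters when the total is later used to size a host allocation.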

Attack from internal - example

- VirtFS is a paravirtualized filesystem used to share files between host and guest
- It uses the virtio model: there is a v9fs client in the guest and a v9fs server in QEMU, and they exchange data through the vring

Attack from internal - example

- v9fs has a vqueue handler for every request, like the v9fs_read function
- It unmarshals the arguments from the guest; the most important thing is that the arguments are totally controlled by the guest
- A vulnerability occurs if the handler fails to do its sanity checking carefully

Attack from internal - example

We found a flaw in the v9fs driver. It is an integer overflow bug: write_count is a signed integer, but off and count are unsigned; when they are subtracted, the result overflows, which then triggers a buffer overflow via memcpy.
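The slide names the variables (write_count, off, count) but the code itself is an image that did not survive the transcript. The stand-alone C below is an added model of the arithmetic described, not the deck's or QEMU's v9fs code: a fixed 16-byte xattr value buffer, the length the guest declared, and two versions of the length computation. The XattrFid and WriteOutcome types, the v9fs_xattr_write_before/after names and the buffer size are assumptions for this example. The "before" version reproduces the signed/unsigned mix the slide describes; the memcpy in it is guarded by the model (the real bug is that no such guard exists), so the example runs without corrupting memory.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <errno.h>

#define XATTR_BUF 16

/* Per-fid xattr state (constructed for this example). */
typedef struct {
    char    value[XATTR_BUF];   /* backing buffer for the xattr value */
    int64_t len;                /* value length the guest declared earlier */
} XattrFid;

typedef struct {
    int      err;               /* 0 or -ENOSPC */
    uint64_t write_count;       /* bytes the handler decided to copy */
    bool     out_of_bounds;     /* the copy would leave value[] */
} WriteOutcome;

/* Pre-fix arithmetic as the slide describes it: write_count is a signed int,
   off and count are unsigned. (int64 - uint64) is evaluated as uint64 and
   truncated into write_count, and 'write_count > count' compares as unsigned,
   so a negative write_count is clamped to count instead of hitting '< 0'.
   Either way a huge 'off' survives the checks and reaches the copy. */
WriteOutcome v9fs_xattr_write_before(XattrFid *fid, uint64_t off, uint32_t count,
                                     const char *src)
{
    WriteOutcome r = { 0, 0, false };
    int write_count = (int)(uint32_t)(fid->len - off);   /* wraps, then truncates */
    if ((uint32_t)write_count > count) {
        write_count = (int)count;
    } else if (write_count < 0) {        /* unreachable after the unsigned compare */
        r.err = -ENOSPC;
        return r;
    }
    r.write_count = (uint32_t)write_count;
    r.out_of_bounds = off > XATTR_BUF || (uint64_t)write_count > XATTR_BUF - off;
    if (!r.out_of_bounds)                /* model guard; the bug is an unguarded memcpy */
        memcpy(fid->value + off, src, (size_t)write_count);
    return r;
}

/* Fixed arithmetic: reject an offset past the declared length up front and keep
   every length unsigned, so the subtraction can never wrap. */
WriteOutcome v9fs_xattr_write_after(XattrFid *fid, uint64_t off, uint32_t count,
                                    const char *src)
{
    WriteOutcome r = { 0, 0, false };
    if (fid->len < 0 || off > (uint64_t)fid->len) {
        r.err = -ENOSPC;
        return r;
    }
    uint64_t write_count = (uint64_t)fid->len - off;
    if (write_count > count)
        write_count = count;
    r.write_count = write_count;
    r.out_of_bounds = off > XATTR_BUF || write_count > XATTR_BUF - off;
    if (!r.out_of_bounds)
        memcpy(fid->value + off, src, (size_t)write_count);
    return r;
}

/* Constructed fid with a 16-byte declared length, and 8 bytes of payload. */
XattrFid   demo_fid = { { 0 }, 16 };
const char demo_src[8] = "ABCDEFGH";
```

Two guest-controlled offsets are instructive: off = 2^32 + 8 wraps the truncated difference to a small positive 8, and off = 20 yields -4, which the unsigned comparison clamps to count. Both are accepted by the pre-fix logic and both land the memcpy outside value[]; the fixed logic rejects them with -ENOSPC and only copies when off lies inside the declared length.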

Attack from internal - third party library

- QEMU uses some third-party libraries, e.g. for the GPU virtio device
- Virglrenderer is a third-party library; the QEMU GPU device uses it to accelerate 3D rendering
- We found a lot of vulnerabilities in this library: CVE-2017-6386, CVE-2017-6355, CVE-2017-6317, CVE-2017-6210, CVE-2017-6209, CVE-2017-5994, CVE-2017-5993, CVE-2017-5957, CVE-2017-5956, CVE-2016-10214, CVE-2017-5937, CVE-2016-10163, CVE-2017-5580

Attack from internal - third party library

Vulnerabilities have been found in the functions in the red box, because they failed to check data carefully.

Let us recall the framework of virtio in the left picture.

Attack from external

Attack from external - vnc

- VNC is a desktop sharing system based on the RFB protocol
- QEMU has a built-in VNC server
- Several vulnerabilities have been found in this module

Attack from external - example

We found a DoS bug in the VNC module. When we set red_max to zero, it crashes QEMU via a divide by zero.
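red_max is one of the colour maxima a client sends in the RFB SetPixelFormat message, which the server later uses to convert pixel components. The stand-alone C below is an added example, not the deck's or QEMU's VNC code: it decodes the 16-byte PIXEL_FORMAT structure from the RFB protocol, validates every field before any arithmetic uses it (a zero maximum being the case the slide describes), and shows the conversion in which the maximum becomes a divisor. The message bytes are constructed; the function names and the choice to accept only true-colour formats are assumptions of this model.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* PIXEL_FORMAT as defined by the RFB protocol (16 bytes, big-endian). */
typedef struct {
    uint8_t  bits_per_pixel, depth, big_endian, true_colour;
    uint16_t red_max, green_max, blue_max;
    uint8_t  red_shift, green_shift, blue_shift;
} RfbPixelFormat;

#define RFB_PIXEL_FORMAT_LEN 16
#define RFB_SET_PIXEL_FORMAT 0        /* client message type */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decode the structure; buf must hold RFB_PIXEL_FORMAT_LEN bytes. */
void rfb_parse_pixel_format(const uint8_t *buf, RfbPixelFormat *pf)
{
    pf->bits_per_pixel = buf[0];
    pf->depth          = buf[1];
    pf->big_endian     = buf[2];
    pf->true_colour    = buf[3];
    pf->red_max        = be16(buf + 4);
    pf->green_max      = be16(buf + 6);
    pf->blue_max       = be16(buf + 8);
    pf->red_shift      = buf[10];
    pf->green_shift    = buf[11];
    pf->blue_shift     = buf[12];
    /* buf[13..15] is padding */
}

/* Validate before any field is used as a divisor, mask width or shift. */
bool rfb_pixel_format_valid(const RfbPixelFormat *pf)
{
    uint8_t bpp = pf->bits_per_pixel;
    if (bpp != 8 && bpp != 16 && bpp != 32)
        return false;
    if (pf->depth == 0 || pf->depth > bpp)
        return false;
    if (!pf->true_colour)                     /* this model only supports true colour */
        return false;
    if (pf->red_max == 0 || pf->green_max == 0 || pf->blue_max == 0)
        return false;                         /* the divide-by-zero case */
    if (pf->red_shift >= bpp || pf->green_shift >= bpp || pf->blue_shift >= bpp)
        return false;
    return true;
}

/* Convert a component in the client's range [0, max] to 8 bits. The division
   by max is only reachable for formats that passed validation. */
uint8_t rfb_component_to_8bit(uint16_t v, uint16_t max)
{
    return (uint8_t)(((uint32_t)v * 255u) / max);
}

/* Handle a SetPixelFormat client message: type byte, 3 padding bytes, then
   PIXEL_FORMAT. Returns false and leaves *out untouched on any problem. */
bool rfb_handle_set_pixel_format(const uint8_t *msg, size_t len, RfbPixelFormat *out)
{
    if (len < 4 + RFB_PIXEL_FORMAT_LEN || msg[0] != RFB_SET_PIXEL_FORMAT)
        return false;
    RfbPixelFormat pf;
    rfb_parse_pixel_format(msg + 4, &pf);
    if (!rfb_pixel_format_valid(&pf))
        return false;
    if (out)
        *out = pf;
    return true;
}

/* Constructed messages: 32 bpp, depth 24, RGB888 (shifts 16/8/0). */
const uint8_t rfb_msg_ok[20] = {
    0, 0, 0, 0, 32, 24, 0, 1, 0, 255, 0, 255, 0, 255, 16, 8, 0, 0, 0, 0
};
const uint8_t rfb_msg_zero_redmax[20] = {
    0, 0, 0, 0, 32, 24, 0, 1, 0, 0,   0, 255, 0, 255, 16, 8, 0, 0, 0, 0
};
```

Because the client can send SetPixelFormat at any time after the handshake, the validated format should be the only copy the server keeps; a rejected message leaves the previous format in effect rather than a half-updated one.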

Attack from external - spice

- SPICE is another way of remotely accessing a guest
- It has four parts: protocol, client, server and guest
- Vulnerabilities can exist at several points: the qxl driver in the guest -> the device in QEMU; the spice client -> the spice server in QEMU

Attack from external - example

We discovered this issue independently, but someone had already found it. This issue can be triggered by a remote client. When a client connects to the SPICE server in QEMU, reds_handle_read_link_done is called; the link_mess variable is the packet pointer, and num_channel_caps and num_common_caps are both controlled by the remote client. They can trigger an integer overflow and then cause memory corruption.
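The slide identifies the two client-controlled counts but not the computation that overflows. The stand-alone C below is an added example, not the deck's or SPICE's code: it models a link message carrying the two cap counts and a caps offset, shows the 32-bit size computation that wraps when the counts are large, and a checked version that computes in 64 bits and requires the whole caps array to lie inside the received packet. The LinkMessModel layout and the function names are assumptions made for this example; the real link message carries more fields than this.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Model of the link message fields the slide names (constructed layout). */
typedef struct {
    uint32_t caps_offset;       /* start of the caps array within the packet */
    uint32_t num_common_caps;   /* client-controlled */
    uint32_t num_channel_caps;  /* client-controlled */
} LinkMessModel;

/* Unchecked size computation: the addition and the multiply are done in
   32 bits, so two large counts wrap to a small (even zero) byte count,
   which then passes a naive "fits in the packet" comparison while the
   code later iterates over the full, huge counts. */
uint32_t link_caps_bytes_unchecked(const LinkMessModel *m)
{
    return (m->num_common_caps + m->num_channel_caps) * (uint32_t)sizeof(uint32_t);
}

/* Checked computation: widen before arithmetic, bound the result, and
   require caps_offset + bytes <= msg_size without that sum overflowing. */
bool link_caps_fit(const LinkMessModel *m, uint32_t msg_size, uint64_t *caps_bytes)
{
    uint64_t n     = (uint64_t)m->num_common_caps + m->num_channel_caps;
    uint64_t bytes = n * sizeof(uint32_t);
    if (bytes > UINT32_MAX)
        return false;                           /* cannot fit any real packet */
    if (m->caps_offset > msg_size)
        return false;                           /* offset already past the end */
    if (bytes > (uint64_t)msg_size - m->caps_offset)
        return false;                           /* array would run past the packet */
    if (caps_bytes)
        *caps_bytes = bytes;
    return true;
}

/* Constructed headers: a plausible client, and one whose counts wrap. */
const LinkMessModel link_ok   = { 24, 2, 3 };
const LinkMessModel link_wrap = { 24, 0x40000000u, 0x40000000u };  /* (sum * 4) wraps to 0 */
```

For link_wrap the unchecked computation yields 0 bytes, so a length test against the packet size would succeed, whereas link_caps_fit rejects it because the widened byte count exceeds UINT32_MAX; the same function also rejects link_ok when the packet is too short to contain the 20 bytes of caps it declares.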

Attack from external - qmp

- HMP/QMP are used to interact with QEMU
- Lightweight, text-based data format
- Very useful, e.g. for capabilities negotiation, device (un)hotplug, ...

Attack from external - example

We found a flaw in the HMP module: it triggers an out-of-range array access and then causes memory corruption.

Thoughts in QEMU security study

- Code audit by people, i.e. code review: limited by energy, memory, associative ability, ...
- Fuzzing: limited by comprehension of program behavior, ...
- Both ways have shortcomings

Thoughts in QEMU security study

- Fuzzing is using a model, repeatedly trying and learning
- Sometimes we can't establish the model or implement it
- So we would say "This flaw cannot be found by fuzzing"

Thoughts in QEMU security study

- The most efficient way to find bugs is: knowledge + fuzzing
- AFL only knows a little more about how the program runs, but it is far more efficient than dumb fuzzers
- Knowledge is important, fuzzing is efficient, and the combination is complex: we continue improving our methods to find bugs, and may share new studies in the future

Thank you

Qiang Li && Zhibin Hu && Mei Wang

Gear Team, Qihoo 360 Inc

liq3ea@gmail.com

huzhibin@360.cn

wangmei@360.cn
