1

Speaker: Qinghao Tang �

Title：360 Marvel Team Leader

Vulnerabilities mining technology of Cloud and Virtualization platform

2

360 Marvel Team As the first virtualization security team in China, 360 marvel team focus on attack and

defence technology on virtualization and cloud platforms, aiming to lead the reaearch on

vulnerability mining and defecing on these platform, providing tools and solutions for mian

stream hypervisors:

● Virtualization fuzz framework.

● Guest OS escape tools.

-Support Docker, Xen,KVM,VMware

● Hypervisor strengthen solutions

-block Guest OS escape

-Scan Guest OS agentless

3

Agenda

•  Brief intruduction of hypervisor security

•  Fuzzing framework

•  Analysis of network device vulnerability

4

Brief intruduction of hypervisor

security

5

Hypervisor

Major

Xen

Kvm

Vmware

Functions

Quantitative distribution

Flexible scheduling

6

Cloud Computing

7

Distinction

OS

Physical Devices

Guest OS

Device emulator

Hypervisor

Physical Devices

Guest OS

Device emulator

Normal Server Virtualization Server

8

Escape form Guest OS

9

•  Typical virtualization security vulnerability

•  Can cause the virtual machine escape

•  Exist in floppy device emulator Code

•  More Venoms? Yes!

Venom

10

Fuzzing Framework

11

•  More underlying target

•  More Particular of Test Data

Features of Virtualization Vulnerability Mining

IE

flash

server

System Kernel �

Hypervisor �

12

•  Unconventional method

HOOK Driver function

Change Kernel files.

•  Relate to the context

Test Pocess of Emulation Device

13

Features

• Commonness of hypervisors

• Features of solution

Coding Langurage

Operating System Type

Coding Style

14

os

Control Center

Architecture

Hypervisor Hypervisor

os os os os os

15

Fuzzing-Collect device information

16

•  Device IO Methods

•  Controller Data Structure

•  Device State Machine

Test - Integrated Test Data

17

Fuzzing-Attack emulation device

kernel_agent

fuzz_client

•  User Space

•  Kernel Space

18

Feedback

•  No effect

•  Blue Screen

•  Implicit Result

•  Crash

19

Feedback-VM manage automation

•  Snapshot

•  Reboot

•  Virtual Device Edit

•  Debugging Mode on Start

•  Load Debugging Plugin

20

Feedback- Monitoring technology

•  Dynamic

•  Static

コントロール センター

テスト フィード

バック

解析

21

Control Center-Process

Step 2

Step 1 Step 3 �

22

Control Center-Statistics&Optimization

• Total test count

• Fuzz coverage

• Optimize test data

23

Achievement

•  120 days

•  2 platforms

•  10 vulnerabilities

24

Analysis of network

device vulnerability

25

Principle of QEMU

User Space •  Send

Kernel Space

•  Syscall •  tcp_* •  ip_* •  dev_* •  e1000_*

Device Emulator

•  Network devices •  hub •  slirp

APP

APP

APP

Network Devices

Kernel

26

• Initialization Port Allocation，Address Mapping

Device Status Setting, Resource Allocation

• Data Transfer 'Write Command' to device TDT register

process of descriptor

3 types descripror：context，data，legacy

data xfer

set status，wait for next instruction

• Processing Details Circular Memory

TSO：tcp segmentation/flow control.

Principle of Network Device

27

•  Qemu e1000 Network Device •  Vmware e1000 Network Device

E1000 vulnerability analysis

28

Summary

Pay continuous attention to virtualization security and follow Marvel Team

29

Q & A

Email：tangqinghao@360.cn QQ：702108451