Abstract

Virtualization is a powerful technology to increase the efficiency of computing services; however, besides its advantages, it also raises a number of security issues. In this paper, we provide a thorough survey of those security issues in hardware virtualization. We focus on potential vulnerabilities and existing attacks on various virtualization platforms, but we also briefly sketch some possible countermeasures. To the best of our knowledge, this is the first survey of security issues in hardware virtualization with this level of details. Moreover, the adversary model and the structuring of the attack vectors are original contributions, never published before.

Keywords

hardware virtualization

---

Abstract

Direct-device assignment is one of the most controversial issues in hardware virtualization, as it allows for using devices almost at native speed, however, raises many security problems. As most of these issues can be evaded by properly configured system software and hardware, the security issues of that area seemed to be solved. At the same time, virtual instances with direct-device assignment are publicly available via various cloud providers, so the security issues have to be examined in more details. In my presentation, an interesting vulnerability is going to be detailed which is not a simple software bug, but an example for an issue on how to handle improperly a hardware-level mechanism: the interrupt generation.

Abstract

Message Signaled Interrupts (MSI) interrupts on Intel platforms are defined as DWORD writes to a special address location (0xFEE?????). MSIs on Intel Platforms supporting VT-d have two defined formats - Remappable format interrupts, and Compatibility (not remappable) format interrupts, based on the format of their data payload. Remappable interrupts are subject to interrupt-remapping protection checks, while compatibility format interrupts are not. For protection reasons, host software disables compatibility format interrupts (causing them to be blocked by interrupt translation hardware) and manages the remappable interrupts through programming of interrupt-remapping table entries. Malformed MSIs are transactions to the special (0xFEE?????) address range that do not have proper attributes of MSI requests (e.g., size of request is invalid). Such malformed transactions are detected and aborted by the platform, before they are subject to further interrupt remapping/processing. For RAS purposes, some platforms may be configured to support System Error Reporting (SERR) capability. These platforms raise a PCI system error (SERR#) due to Unsupported Request, which are typically delivered as Non-Maskable Interrupts (NMI), to report such errors to software. Depending on hypervisor and Dom0 kernel configuration, such an NMI may be handled by the hypervisor/Dom0 or can result in a host software halt ("panic"). On platforms with SERR enabled, such malformed MSI requests can be generated by guest OS with an assigned device, causing hypervisor/Dom0 receive NMI despite using VT-d and interrupt remapping for device assignment.

Abstract

Abstract

Abstract

Abstract

In September 2011, a European company sought our help to investigate a security incident that happened in their IT system. During the investigation, we discovered a new malware that was unknown to all mainstream anti-virus products, however, it showed striking similarities to the infamous Stuxnet worm. We named the new malware Duqu, and we carried out its rst analysis. Our ndings led to the hypothesis that Duqu was probably created by the same people who developed Stuxnet, but with a dierent purpose: unlike Stuxnet whose mission was to attack industrial equipment, Duqu is an information stealer rootkit. Nevertheless, both pieces of malware have a modular structure, and they can be re-congured remotely from a Command and Control server to include virtually any kind of functionality. In this paper, we present an abridged version of our initial Duqu analysis, which is available in a longer format as a technical report. We also describe the Duqu detector toolkit, a set of heuristic tools that we developed to detect Duqu and its variants. Finally, we discuss a number of issues that we learned, observed, or identied during our Duqu analysis project concerning the problems of preventing, detecting, and handling targeted malware attacks; we believe that solving these issues represents a great challenge to the system security community.

Abstract

Abstract

Abstract

Abstract

Abstract

Abstract

Stuxnet was the first targeted malware that received worldwide attention forcausing physical damage in an industrial infrastructure seemingly isolated from the onlineworld. Stuxnet was a powerful targeted cyber-attack, and soon other malware samples were discovered that belong to this family. In this paper, we will first present our analysis of Duqu, an information-collecting malware sharing striking similarities with Stuxnet. Wedescribe our contributions in the investigation ranging from the original detection of Duquvia finding the dropper file to the design of a Duqu detector toolkit. We then continue with the analysis of the Flame advanced information-gathering malware. Flame is unique in thesense that it used advanced cryptographic techniques to masquerade as a legitimate proxyfor the Windows Update service. We also present the newest member of the family, called Gauss, whose unique feature is that one of its modules is encrypted such that it can onlybe decrypted on its target system; hence, the research community has not yet been able to analyze this module. For this particular malware, we designed a Gauss detector serviceand we are currently collecting intelligence information to be able to break its very specialencryption mechanism. Besides explaining the operation of these pieces of malware, wealso examine if and how they could have been detected by vigilant system administrators manually or in a semi-automated manner using available tools. Finally, we discuss lessonsthat the community can learn from these incidents. We focus on technical issues, and avoidspeculations on the origin of these threats and other geopolitical questions.

Abstract

Abstract

Abstract

Abstract

Keywords

Stateful firewall, FIREMAN, verification, security, inconsistency

---

Abstract

Firewalls play an important role in the enforcement of access control policies in contemporary networks. However, firewalls are effective only if they are configured correctly such that their access control rules are consistent and the firewall indeed implements the intended access control policy. Unfortunately, due to the potentially large number of rules and their complex relationships with each other, the task of firewall configuration is notoriously error-prone, and in practice, firewalls are often misconfigured leaving security holes in the protection system. In this paper, we address the problem of consistency verification of stateful firewalls that keep track of already existing connections. For the first sight, the consistency verification of stateful firewalls appears to be harder than that of stateless firewalls. We show that, in fact, this is not the case: consistency verification of stateful firewalls can be reduced to the stateless case, and hence, they have the same complexity. We also report on our prototype implemetation of an automated consistency verification tool that can handle stateful firewalls.

Abstract

Autonomous robot navigation is an important research field because these robots can solve problems where the human presence is impossible, dangerous, expensive, or uncomfortable. In this paper, a new hybrid autonomous navigation method is introduced. The algorithm is composed of visibility graph based global navigation and simple potential field based local navigation parts. It applies a new automated graph generation method which may become necessary if, because of the observed new obstacles, a new path should be generated. The quasi optimal route is found by applying the well known A* algorithm on the graph. The presented technique offers a quasi optimal universal navigation technique which can successfully be used in all, known, unknown, and dynamically changing environments.

Abstract

Autonomous robot navigation is an important research field because these robots can solve problems where the human presence is impossible, dangerous, expensive, or uncomfortable. In this paper, a new hybrid autonomous navigation method is introduced. The algorithm is composed of visibility graph based global navigation and simple potential field based local navigation parts. It applies a new automated graph generation method which may become necessary if, because of the observed new obstacles, a new path should be generated. The quasi optimal route is found by applying the well known A* algorithm on the graph. The presented technique offers a quasi optimal universal navigation technique which can successfully be used in all, known, unknown, and dynamically changing environments.