
Microsoft Hyper-V


A first Security Inspection

Roger Klose, rklose@ernw.de


Enno Rey, erey@ernw.de

ERNW GmbH
  Founded in 2001
  Based in Heidelberg, Germany (+ small office in Lisbon, Portugal)
  Network Consulting with a dedicated focus on IT-Security
  Current force level: 15 Experts
  Key fields of activity:
  Audit/Penetration-Testing
  Risk-Evaluation & -Management, Security Management
  Security Research

  Our typical customers: banks, federal agencies, internet providers/carriers, large enterprises

© ERNW GmbH . Breslauer Str. 28 . D-69124 Heidelberg . www.ernw.de 2


Notice

  Everything you are about to see, hear, read and experience is for educational purposes only. No warranties or guarantees, implied or otherwise, are in effect. Use of these tools, techniques and technologies is at your own risk.



Some introductory remarks

  This presentation is based on an internal research project we started recently (in fact, this material has not yet been discussed in public very extensively).

  Thus parts of the presentation are... somewhat preliminary.

  If you are interested in progress, please follow the event announcements on www.ernw.de.



Agenda

  Hyper-V, overview

  Some attack types in virtualized environments

  Ways of security testing & results

  Overall assessment



Hyper-V

  Hyper-V is a server role of Windows Server 2008 with a special property: enabling it converts the original Server 2008 installation into the so-called "root" partition.

  The hypervisor itself is a 64-bit microkernel.

  Windows Server 2008 in the root partition is privileged with regard to the child partitions: it hosts the virtualization stack and the device drivers the children depend on.
  The VMBus is a point-to-point, high-speed channel between the root partition and each child partition.

  Microsoft just released a free "Hyper-V Server"; in this product there is no (full) Windows Server 2008 in the root partition.



Features and capabilities

  Hyper-V:
  Requires hardware virtualization support (Intel VT-x / AMD-V)
  Requires 64-bit hardware
  Supports/requires hardware-based DEP
  Requires Windows Server 2008 (64-bit)
  Guest systems: 32- /64-bit

  Creation of virtual network devices (e.g. switches) is possible

  Some support for VSS (for fast copying and moving VMs)



Features and capabilities

  Hyper-V:

  Supports management via command line or MMC (local/remote); in the future also via SC VMM (System Center Virtual Machine Manager).
  Snapshot, moving & more typical features are supported
  Supports up to 64 GB RAM per VM
  Supports up to 4 logical CPUs per VM



Features and capabilities

  Officially supported guest systems (as of today):


  Windows Server 2008 x86 (VM configured as 1, 2 or 4-way SMP)
  Windows Server 2008 x64 (VM configured as 1, 2 or 4-way SMP)
  Windows Server 2003 x86 (VMs configured as 1 or 2-way SMP only)
  Windows Server 2003 x64 (VMs configured as 1-way only)
  Windows Vista x86 with Service Pack 1 (VMs configured as 1-way only)
  Windows XP x86 with Service Pack 3 (VMs configured as 1-way only)
  SUSE Linux Enterprise Server 10 with Service Pack 1 x86 Edition
  SUSE Linux Enterprise Server 10 with Service Pack 1 x64 Edition

  In practice, more seem to work.



Features and capabilities

  Hyper-V does not support:

  Migration from a physical to a virtual machine (P2V)
  WLAN capabilities (on the guest)
  USB access from the guest
  Sleep & hibernate on laptops ;-(



Architecture

[Diagram: Hyper-V partition layout, reconstructed from the slide]

  Root partition
    Ring 3 (user mode): virtualization stack: VM Worker Processes, VM Service, WMI Provider
    Ring 0 (kernel mode): Windows kernel (Server Core), Virtualization Service Providers (VSPs), device drivers, VMBus
  Guest (child) partition
    Ring 3 (user mode): guest applications
    Ring 0 (kernel mode): guest OS kernel, Virtualization Service Clients (VSCs), VMBus
  Hyper-V (the hypervisor) sits beneath both partitions, directly on the system hardware.
VMWP (Virtual Machine Worker Process)

  Each virtual machine has its own worker process (a user-mode process in the root partition).


Overview, Types of attack
  Attacks against a guest
  From other guests
  From the host
  Especially if the host (management partition) was previously compromised
  Unclear responsibilities in managed environments

  Attacks against the host
  From a guest
  Against the management interfaces

  Attacks on the network level
  Configuration problems
  The vSwitch/VMBus is a software component (and thus attack surface of its own)


Guest vs. Guest

[Diagram: Guest01 to Guest04 running on the hypervisor with its management host; the attack path runs from one guest to another guest]


Guest vs. Host/Hypervisor

[Diagram: Guest01 to Guest04 running on the hypervisor with its management host; the attack path runs from a guest down into the hypervisor/host]


Guest against Mgmt

[Diagram: Guest01 to Guest04 running on the hypervisor with its management host; the attack path runs from a guest to the management (root) partition]


General inspection approach

  Check relevant binaries for "security attributes" (e.g. memory protection compiler flags)
  Check for (configuration) bells & whistles
  Look at management interfaces
  Fuzzing

  Reverse engineering was not an option
  It would have violated the EULA


Identify & check relevant binaries

  This includes (but is not limited to):


  vmconnect.exe
  vmms.exe
  vmsntfy.dll
  storflt.sys
  vmbus.sys
  vmswitch.sys
  vhdparser.sys

  Tools:
  Ollie Whitehouse’s GSAudit for GS flag
  ERNW vistacheck for ASLR, DEP, SEH



Results

  The GS flag seems to be present in all of them

  Our tool vistacheck does not (yet) work
  It has to be ported to the x64 architecture
  We used some manual tests (inspection of PE headers) instead
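As an added example (not ERNW's vistacheck, not GSAudit, and not code from the presentation), here is a stand-alone Python check that reads the same PE header fields by hand: the DllCharacteristics bits for ASLR (DYNAMIC_BASE), DEP (NX_COMPAT) and NO_SEH, plus the Load Config directory's SecurityCookie as a heuristic for /GS. It handles PE32 and PE32+ images, so it covers the x64 binaries the slide says vistacheck could not yet handle. The build_sample_pe() helper constructs a minimal synthetic PE32+ image for self-testing; it is not one of the Hyper-V binaries listed above.

```python
"""
Static check of a PE image's exploit-mitigation opt-ins, i.e. the manual
PE-header inspection the slide mentions, done in pure Python (no pefile).
Reads IMAGE_DLLCHARACTERISTICS for ASLR/DEP/SEH and the Load Config
directory's SecurityCookie as a heuristic for /GS. Handles PE32 and PE32+.
"""
import struct
import sys

DYNAMIC_BASE = 0x0040        # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: ASLR opt-in
NX_COMPAT = 0x0100           # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: DEP compatible
NO_SEH = 0x0400              # IMAGE_DLLCHARACTERISTICS_NO_SEH: no SEH handlers
LOAD_CONFIG_DIR = 10         # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
PE32, PE32_PLUS = 0x10B, 0x20B
MACHINE_AMD64 = 0x8664


def _rva_to_offset(data, rva, sec_table, nsections):
    """Map an RVA to a file offset through the section table (None if unmapped)."""
    for i in range(nsections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec_table + 40 * i + 8)
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    return None


def check_pe(data):
    """Return a dict of the mitigation flags recorded in the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_PLUS:
        ndirs_off, dirs_off, cookie_off, cookie_fmt = opt + 108, opt + 112, 88, "<Q"
    elif magic == PE32:
        ndirs_off, dirs_off, cookie_off, cookie_fmt = opt + 92, opt + 96, 60, "<I"
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32/PE32+
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]

    # /GS heuristic: a Load Config directory whose SecurityCookie pointer is set.
    gs = False
    if ndirs > LOAD_CONFIG_DIR:
        lc_rva, lc_size = struct.unpack_from("<II", data, dirs_off + 8 * LOAD_CONFIG_DIR)
        if lc_rva and lc_size:
            off = _rva_to_offset(data, lc_rva, opt + opt_size, nsections)
            if off is not None and off + cookie_off + struct.calcsize(cookie_fmt) <= len(data):
                gs = struct.unpack_from(cookie_fmt, data, off + cookie_off)[0] != 0
    return {
        "x64": machine == MACHINE_AMD64,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
        "no_seh": bool(dll_chars & NO_SEH),
        "gs": gs,
    }


def build_sample_pe(dll_chars, cookie):
    """Constructed minimal PE32+ image for self-testing (not a Hyper-V binary):
    one .rdata section at RVA 0x1000 holding a Load Config structure."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", MACHINE_AMD64, 1, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)                                                # 112 + 16 dirs * 8
    struct.pack_into("<H", opt, 0, PE32_PLUS)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 108, 16)                                # NumberOfRvaAndSizes
    if cookie:
        struct.pack_into("<II", opt, 112 + 8 * LOAD_CONFIG_DIR, 0x1000, 0x70)
    sect = b".rdata".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    rdata = bytearray(0x200)
    struct.pack_into("<I", rdata, 0, 0x70)        # IMAGE_LOAD_CONFIG_DIRECTORY64.Size
    struct.pack_into("<Q", rdata, 88, cookie)     # SecurityCookie (offset 0x58 in the 64-bit struct)
    return headers + bytes(rdata)


if __name__ == "__main__":
    for path in sys.argv[1:]:   # e.g. the vmms.exe / vmbus.sys list above
        with open(path, "rb") as fh:
            print(path, check_pe(fh.read()))
```

Run it as `python pecheck.py <path-to-binary>` for each file in the list above. Two caveats when reading the output: for 64-bit images the NX_COMPAT bit is moot, since 64-bit processes on Windows always run with DEP enabled, so the ASLR bit is the one worth looking at; and the /GS check is a heuristic (a present SecurityCookie shows the compiler emitted cookie support, not that every function got a check).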



Results

[Figure not reproduced in the text extraction]


Talking about bells & whistles...

  ... there are hardly any (with security impact).


Management interfaces

  Local management (the VM console) seems to be done over some sort of "internal RDP connection", secured by a self-signed certificate.

  There is a new registered port for this:

  vmrdp   2179/tcp   Microsoft RDP for virtual machines
  vmrdp   2179/udp   Microsoft RDP for virtual machines
                     # Brian Henry <brian.henry&microsoft.com>, March 2007

  We could not yet identify anything interesting here.


Fuzzing, Definition

  "Fuzz testing or Fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion."
  http://www.owasp.org/index.php/Fuzzing

  "A highly automated testing technique that covers numerous boundary cases using invalid data (from files, network protocols, API calls, and other targets) as application input to better ensure the absence of exploitable vulnerabilities." Peter Oehlert, "Violating Assumptions with Fuzzing", IEEE Security & Privacy, March/April 2005
Fuzzing

  Interfaces to fuzz:

  "Hardware" (from the guest/child perspective)
  Network (VMBus)
  Management interface(s)



Tools used for "HW fuzzing"

  Crashme
  Old-school Unix tool that executes random opcodes
  Also runs on Windows ;-)
  No results

  IOfuzz
  Tavis Ormandy's tool to fuzz virtual machines (random accesses to the I/O ports of the emulated devices, from inside the guest)
  Results: see next slides ...



Green Screen
  QEMU CIRRUS BITBLT HEAP OVERFLOW test from IOfuzz

  Ends up with a frozen (child) machine
  Results in this (green) screen
  Hard shutdown necessary

  No impact on root or Hyper-V

  Note: the test is named after a QEMU bug in the emulated Cirrus VGA adapter's BitBLT engine; Hyper-V does not use QEMU's device models, so what we see here is Hyper-V's own device emulation reacting to the same register sequence.



Programmable Interrupt Controller

  While fuzzing the second Programmable Interrupt Controller (I/O ports 0x00a0-0x00a1) the machine hangs again
  This time there was no way to shut down/reboot the machine.
  The associated VMWP had to be killed via Task Manager.

  Again: no impact on other machines, root or Hyper-V.



VGA+
  Fuzzing the VGA I/O port range (0x03c0-0x03df) causes the VMWP to crash.
  No impact on other children, root or Hyper-V.
  Caveat: a VMWP crash takes down only that child, but the VMWP is a user-mode process in the root partition. A memory-corruption bug reachable from a guest there is exactly where a guest-to-host escalation would start, so such a crash deserves a look at the crash dump rather than being written off as a guest-only DoS.
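The hardware fuzzing of the last three slides, as an added example in Python rather than IOfuzz's own code (IOfuzz is a C tool; this script approximates its random I/O port pokes, not its exact test list). Assumptions: an x86 Linux guest, run as root, with /dev/port available; the port ranges are the standard legacy assignments for the secondary PIC and the VGA registers, which is what the slides report. The writer parameter lets the generated sequence be replayed against a dummy callback for a dry run, and every access is logged before it is issued so the last log line identifies the access that froze the guest.

```python
"""
Guest-side I/O port fuzzer in the spirit of the IOfuzz runs above.
Added example (not IOfuzz itself): random writes into a legacy device's
port range force the hypervisor's device emulation, i.e. the VMWP in
the root partition, to parse junk. Assumes an x86 Linux guest, root,
and /dev/port (where the file offset is the port number).
"""
import os
import random
import sys

# Port ranges from the slides; the names are the standard legacy x86
# I/O assignments, not Hyper-V-specific values.
TARGETS = {
    "pic2": (0x00A0, 0x00A1),   # secondary 8259 PIC (command/data)
    "vga":  (0x03C0, 0x03DF),   # VGA attribute, sequencer, DAC, CRTC ... registers
}

BOUNDARY = (0x00, 0x01, 0x7F, 0x80, 0xFE, 0xFF)


def gen_ops(lo, hi, count, seed=0):
    """Deterministic list of (port, value) byte writes inside [lo, hi].

    Values are biased toward boundary bytes, since index/mask registers
    fed out-of-range values are what usually trips emulation code.
    """
    rng = random.Random(seed)
    ops = []
    for _ in range(count):
        port = rng.randint(lo, hi)
        value = rng.choice(BOUNDARY) if rng.random() < 0.5 else rng.getrandbits(8)
        ops.append((port, value))
    return ops


def fuzz_ports(lo, hi, count, seed=0, writer=None, log=sys.stderr):
    """Issue gen_ops() via writer(port, value); returns the number issued.

    writer defaults to byte writes through /dev/port (one outb each; the
    kernel turns a multi-byte write into successive outb's, so wider
    outw/outl accesses need ioperm()+outw/outl from C instead). Every op
    is logged *before* it is issued: when the guest freezes, the last
    logged line names the port/value that did it.
    """
    ops = gen_ops(lo, hi, count, seed)
    if writer is None:
        fd = os.open("/dev/port", os.O_RDWR)

        def writer(port, value, fd=fd):
            os.lseek(fd, port, os.SEEK_SET)
            os.write(fd, bytes((value,)))
    for port, value in ops:
        print("outb 0x%04x <- 0x%02x" % (port, value), file=log, flush=True)
        writer(port, value)
    return len(ops)


if __name__ == "__main__":
    # usage: fuzzports.py pic2|vga [count] [seed]   (run as root inside the guest)
    lo, hi = TARGETS[sys.argv[1]]
    count = int(sys.argv[2]) if len(sys.argv) > 2 else 100000
    seed = int(sys.argv[3]) if len(sys.argv) > 3 else 0
    fuzz_ports(lo, hi, count, seed)
```

Redirect the log to a file on a disk that survives the hang (or to a serial console) and rerun with the same seed to reproduce; since the sequence is deterministic, the crash can then be narrowed down by replaying a prefix of the op list.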



Details of the VGA+ fuzzing

[Figure not reproduced in the text extraction]


Network Fuzzing (on VMBus)

  We used our own L2 fuzzing toolkit (an extension of the Python-based Sulley framework).

  Tried various protocols, different parameters and durations.

  No impact on other components or their network traffic.
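An added example of what such L2 fuzzing looks like, written from scratch rather than taken from ERNW's Sulley extension: hand-built Ethernet/ARP broadcast frames whose headers are mutated (bit flips, bogus EtherType, spliced-in 802.1Q tag, runt and giant frames) and pushed from a guest into the virtual switch. Assumptions: a Linux guest, root, and an AF_PACKET raw socket on the guest's synthetic NIC; the interface name, MAC and IP addresses in the usage line are placeholders. The sender parameter allows a dry run and lets the generated corpus be captured for replay.

```python
"""
Minimal L2 fuzzer of the kind the slide describes: hand-built Ethernet/ARP
frames with mutated headers, pushed from a guest into the virtual switch.
Added example, not ERNW's Sulley-based toolkit. Assumes a Linux guest,
root, and an AF_PACKET raw socket on the guest's synthetic NIC.
"""
import random
import socket
import struct

ETH_P_ARP = 0x0806
ETH_P_8021Q = 0x8100
BROADCAST = b"\xff" * 6


def eth_frame(dst, src, ethertype, payload):
    """Ethernet II frame: 6-byte dst, 6-byte src, 2-byte EtherType, payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def arp_request(sender_mac, sender_ip, target_ip):
    """ARP who-has for IPv4 over Ethernet: a frame every neighbour (and the
    vSwitch's own MAC-learning logic) has to parse."""
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)   # htype, ptype, hlen, plen, op
    return (hdr + sender_mac + socket.inet_aton(sender_ip)
            + b"\0" * 6 + socket.inet_aton(target_ip))


def mutate(frame, rng):
    """Apply one random header-level mutation and return the new frame.

    Mutations hit the 14-byte Ethernet header and the frame length rather
    than the payload: that is what the switch and the NIC drivers parse.
    """
    f = bytearray(frame)
    choice = rng.randrange(5)
    if choice == 0:                              # flip one bit in the header
        f[rng.randrange(14)] ^= 1 << rng.randrange(8)
    elif choice == 1:                            # bogus EtherType / length field
        struct.pack_into("!H", f, 12,
                         rng.choice((0x0000, 0x05DC, 0xFFFF, rng.getrandbits(16))))
    elif choice == 2:                            # splice in an 802.1Q tag with random TCI
        f[12:12] = struct.pack("!HH", ETH_P_8021Q, rng.getrandbits(16))
    elif choice == 3:                            # runt: cut the frame short
        del f[rng.randrange(1, len(f)):]
    else:                                        # giant: pad well past the MTU
        f += bytes(rng.getrandbits(8) for _ in range(rng.randrange(1, 2048)))
    return bytes(f)


def run(iface, src_mac, src_ip, target_ip, count, seed=0, sender=None):
    """Send `count` mutated ARP broadcasts; returns how many the local stack accepted.

    sender(frame) defaults to a raw socket bound to iface; pass a callable
    (e.g. a list's append) to dry-run or to capture the corpus for replay.
    """
    rng = random.Random(seed)
    base = eth_frame(BROADCAST, src_mac, ETH_P_ARP, arp_request(src_mac, src_ip, target_ip))
    if sender is None:
        sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
        sock.bind((iface, 0))
        sender = sock.send
    sent = 0
    for _ in range(count):
        try:
            sender(mutate(base, rng))
            sent += 1
        except OSError:      # e.g. EMSGSIZE: the local driver refused a giant frame
            pass
    return sent


if __name__ == "__main__":
    # usage (as root in the guest): l2fuzz.py eth0 02:00:00:00:00:01 10.0.0.1 10.0.0.2 [count]
    import sys
    mac = bytes.fromhex(sys.argv[2].replace(":", ""))
    n = int(sys.argv[5]) if len(sys.argv) > 5 else 10000
    print("sent", run(sys.argv[1], mac, sys.argv[3], sys.argv[4], n))
```

The "no impact on other components" verdict on the slide is only meaningful if it is measured: run a continuous ping between two other guests and from the root partition while the fuzzer runs, and compare the vSwitch's behaviour (packet loss, latency, the worker processes' memory) before and after.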



Preliminary overall assessment

  Hyper-V seems to be well thought-out architecture-wise and quite resistant against "standard fuzzing".

  Direct hardware access by standard (legacy?) Windows drivers might turn out to be a problem (albeit I do not expect this).

  You should have got an idea of how to tackle COTS (and EULA-protected) software for "a first impression". Feel free to ask us for the tools mentioned.



Thank you!

  For listening.

  Enjoy the party!

