It's turtles all the way down!

1. @CSICyberSEED
Virtual Machine Introspection to
Detect and Protect
“It’s turtles all the way down!”
Tamas K Lengyel
@tklengyel

2. @CSICyberSEED
# whoami
• Senior Security Researcher at Novetta
• PhD Student at UConn CSE
• DARPA Cyber Fast Track participant
• Maintainer of Xen, DRAKVUF & LibVMI

3. @CSICyberSEED
Outline
• Brief look at the current security model
• Virtualization
• Virtual Machine Introspection
• It’s turtles all the way down!

4. @CSICyberSEED
Current security model
Low privilege
High privilege

5. @CSICyberSEED
Current security model
Low privilege
High privilege
X

6. @CSICyberSEED
The problem: Rootkits
Low privilege
High privilege

7. @CSICyberSEED
The problem: Rootkits
Low privilege
High privilege
X

8. @CSICyberSEED
Virtualization
Low privilege
High privilege
Higher privilege

9. @CSICyberSEED
Virtual Machine Introspection
Use the
hypervisor
for additional
security!
X
X X X

10. @CSICyberSEED
How?
● Isolation: provided by the hypervisor
● Interpretation: use forensics tools
○ LibVMI, Rekall, Volatility
● Interposition: use hardware extensions
○ Intel EPT, #VE

11. @CSICyberSEED
But wait, this looks familiar..
X
X XX
X

12. @CSICyberSEED
The million dollar question
What protects the
hypervisor?

13. @CSICyberSEED
It’s turtles all the way down!
A well-known scientist (some say it was Bertrand Russel) once gave a public lecture on
astronomy. He described how the earth orbits around the sun and how the sun, in turn, orbits
around the center of a vast collection of stars called our galaxy. At the end of the lecture, a little
old lady at the back of the room got up and said:
"What you have told us is rubbish. The world is really a flat
plate supported on the back of a giant tortoise."
The scientist gave a superior smile before replying,
"What is the tortoise standing on?"
"You're very clever, young man, very clever," said the old lady.
"But it's turtles all the way down!"
— Hawking, A Brief History of Time

14. @CSICyberSEED
Add some more layers
Nested hypervisors
Root hypervisor

15. @CSICyberSEED
But why stop there?
System Management Mode
Dual-monitor mode Hypervisor
SMM
VM
No nested hypervisor in SMM
The real root hypervisor with
reference implementation
available!
Only OEM access on most hw

16. @CSICyberSEED
There is more!
SMM Hypervisor
SMM
VM
Intel Management
Engine
No reference implementation
No documentation
Only Intel has access

17. @CSICyberSEED
The bottom line
• Adding layers doesn’t solve the problem
• Only increases the cost of breaking through
• Building cross-layer tools is hard
• That’s the whole point
• Barrier erodes with time

18. @CSICyberSEED
What’s the catch?
• Keeping lower layers as small as possible
• More code = more attack surface
• Users should have the ability to inspect these layers
• Lower the layer the fewer folks have insight/access
• Isn’t that the perfect setup for DRM?
• It may be about security - but not necessarily yours!

19. @CSICyberSEED
Thanks!
Tamas K Lengyel
tamas@tklengyel.com
tlengyel@novetta.com
@tklengyel
LibVMI http://libvmi.com
DRAKVUF http://drakvuf.com