Hypervisor From Scratch – Part 4: Address Translation Using Extended Page Table (EPT)

https://rayanfam.com/topics/hypervisor-from-scratch-part-4/

NIST RFC: Draft NISTIR 8221, A Methodology for Determining Forensic Data Requirements for Detecting Hypervisor Attacks

NIST has released Draft NIST Internal Report (NISTIR) 8221, “A Methodology for Determining Forensic Data Requirements for Detecting Hypervisor Attacks”, which analyzes recent vulnerabilities associated with two open-source hypervisorsXen and KVMas reported by the NIST National Vulnerability Database. The document develops a profile of those vulnerabilities in terms of hypervisor functionality, attack type, and attack source. The objective is to determine the evidence coverage for detecting and reconstructing those attacks and subsequently identify the techniques required to gather missing evidence. The methodologies outlined can assist cloud providers in enhancing the security of their virtualized infrastructure and take proactive steps toward preventing such attacks on their operating environment in the future.

A public comment period for this draft document is open until October 12, 2018.

https://csrc.nist.gov/publications/detail/nistir/8221/draft

https://csrc.nist.gov/news/2018/nist-releases-draft-nistir-8221-for-comment

Falkervisor hypervisor for fuzzing

Falkervisor_grilled_cheese:  This is the latest C version of my hypervisor and probably some of the best C code I’ve ever written (I’ve since switched to Rust, you should too). This was used roughly between 2015-2016, and replaced with a Rust version in late 2016.

https://github.com/gamozolabs/falkervisor_grilled_cheese

See-also:

https://github.com/gamozolabs/falkervisor_beta/

ECR_Toolkit: hypervisor introspection of VM guests (Who Watches the Watchers?)

https://github.com/ainfosec/ecr_toolkit

http://dfrws.org/sites/default/files/session-files/paper_who_watches_the_watcher_detecting_hypervisor_introspection_from_unprivileged_guests.pdf

https://www.ainfosec.com/

Hypervisor From Scratch – Part 2: Entering VMX Operation

Re: https://firmwaresecurity.com/2018/08/22/hypervisor-from-scratch-part-1-basic-concepts-configure-testing-environment/

The second part of this tutorial series has been publsihed.

https://rayanfam.com/topics/hypervisor-from-scratch-part-2/

Hypervisor From Scratch – Part 1: Basic Concepts & Configure Testing Environment

Welcome to the first part of a multi-part series of tutorials called “Hypervisor From Scratch”. As the name implies, this course contains technical details to create a basic Virtual Machine based on hardware virtualization. If you follow the course, you’ll be able to create your own virtual environment and you’ll get an understanding of how VMWare, VirtualBox, KVM and other virtualization softwares use processors’ facilities to create a virtual environment.[…]

https://rayanfam.com/topics/hypervisor-from-scratch-part-1/

 

Bromium: uXen open source hypervisor

https://www.bromium.com/opensource/

NIST SP 800-125A: Security Recommendations for Server-based Hypervisor Platforms

Re: https://firmwaresecurity.com/2018/01/26/nist-releases-sp-800-125a-security-recommendations-for-hypervisors/

Date Published: June 2018
Supersedes: SP 800-125A (January 2018)

The Hypervisor platform is a collection of software modules that provides virtualization of hardware resources (such as CPU, Memory, Network and Storage) and thus enables multiple computing stacks (made of an operating system (OS) and application programs) called Virtual Machines (VMs) to be run on a single physical host. In addition, it may have the functionality to define a network within the single physical host (called virtual network) to enable communication among the VMs resident on that host as well as with physical and virtual machines outside the host. With all this functionality, the hypervisor has the responsibility to mediate access to physical resources, provide run time isolation among resident VMs and enable a virtual network that provides security-preserving communication flow among the VMs and between the VMs and the external network. The architecture of a hypervisor can be classified in different ways. The security recommendations in this document relate to ensuring the secure execution of baseline functions of the hypervisor and are therefore agnostic to the hypervisor architecture. Further, the recommendations are in the context of a hypervisor deployed for server virtualization and not for other use cases such as embedded systems and desktops. Recommendations for secure configuration of a virtual network are dealt with in a separate NIST document (Special Publication 800-125B). [This revision includes additional technologies for device virtualization such as para-virtualization, passthrough and self-virtualizing hardware devices as well as associated security recommendations. Major content changes in this revision are in: Section 1.1, Section 2.2.2 and Section 5.]

https://csrc.nist.gov/News/2018/NIST-Publishes-SP-800-125A-Rev-1

https://csrc.nist.gov/publications/detail/sp/800-125a/rev-1/final

https://www.nist.gov/news-events/news/2018/04/nist-releases-draft-nist-special-publication-sp-800-125a-revision-1

 

Shadow-Box: Lightweight and Practical Kernel Protector for x86 (or ARM)

Lightweight Hypervisor-Based Kernel Protector

Shadow-box v2 (for ARM) is a next generation of Shadow-box v1 (for x86). If you want to know about Shadow-box for ARM, please visit Shadow-box for ARM project.

https://github.com/kkamagui/shadow-box-for-x86

https://github.com/kkamagui/shadow-box-for-arm

NIST releases SP 800-125A: security recommendations for hypervisors

SP 800-125A: Security Recommendations for Hypervisor Deployment on Servers

The Hypervisor is a collection of software modules that provides virtualization of hardware resources (such as CPU/GPU, Memory, Network and Storage) and thus enables multiple computing stacks (made of an operating system (OS) and Application programs) called Virtual Machines (VMs) to be run on a single physical host. In addition, it may have the functionality to define a network within the single physical host (called virtual network) to enable communication among the VMs resident on that host as well as with physical and virtual machines outside the host. With all this functionality, the hypervisor has the responsibility to mediate access to physical resources, provide run time isolation among resident VMs and enable a virtual network that provides security-preserving communication flow among the VMs and between the VMs and the external network. The architecture of a hypervisor can be classified in different ways. The security recommendations in this document relate to ensuring the secure execution of baseline functions of the hypervisor and are therefore agnostic to the hypervisor architecture. Further, the recommendations are in the context of a hypervisor deployed for server virtualization and not for other use cases such as embedded systems and desktops. Recommendations for secure configuration of a virtual network are dealt with in a separate NIST Special Publication (SP), SP 800-125B.

Keywords: Virtualization; Hypervisor; Virtual Machine; Virtual Network; Secure Configuration; Security Monitoring; Guest OS

 

https://csrc.nist.gov/News/2018/Security-Recommendations-for-Deploying-Hypervisors
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-125A.pdf
https://csrc.nist.gov/publications/detail/sp/800-125a/final

See-also:
SP 800-125B: Secure Virtual Network Configuration for Virtual Machine (VM) Protection
https://csrc.nist.gov/publications/detail/sp/800-125b/final

NIST releases SP 800-125A 2nd ed, hypervisor security

NIST Releases the Second Public Draft of Special Publication (SP) 800-125A,” Security Recommendations for Hypervisor Deployment” is now available for public comment, deadline for feedback is October 6th.

The NIST web site is changing on September 18 2017. Some links will change, below are pre- and post-Sep 18 URLs:

https://beta.csrc.nist.gov/publications/detail/sp/800-125A/draft
https://csrc.nist.gov/publications/detail/sp/800-125A/draft

 

CrowdStrike seeks UEFI/hypervisor researcher

Researcher – Strategic Research Initiatives (SRI):
As the core research and development arm of the CrowdStrike Falcon product, the Strategic Research Initiatives (SRI) Team is at the forefront of cutting-edge research into security-related systems and techniques. The team strives to deliver cross-platform features for mid to long-term, visionary projects that expand the capabilities of Falcon Sensor. New EDR techniques and data sources, UEFI/Hypervisor capability, PnP and network stack visibility, containerization, scripting engine introspection, and emulation/sandboxing are just a few examples of SRI projects.[…]

https://jobs.jobvite.com/careers/crowdstrike/job/oAlo4fw7?__jvst=Job%20Board

The Threat of Virtualization: Hypervisor-Based Rootkits on the ARM Architecture

The Threat of Virtualization: Hypervisor-Based Rootkits on the ARM Architecture
Robert Buhren, Julian Vetter, Jan C. Nordholz

The virtualization capabilities of today’s systems offer rootk-its excellent hideouts, where they are fairly immune to countermeasures. In this paper, we evaluate the vulnerability to hypervisor-based rootkits of ARM-based platforms, considering both ARMv7 and ARMv8. We implement a proof-of-concept rootkit to prove the validity of our findings. We then detail the anatomy of an attack wherein a hypervisor rootkit and a userspace process collaborate to undermine the isolation properties enforced by the Linux kernel. Based on our discoveries, we explore the possibilities of mitigating each attack vector. Finally, we discuss methods to detect such highly privileged rootkits so as to conceive more effective countermeasures.

https://www.researchgate.net/publication/309770683_The_Threat_of_Virtualization_Hypervisor-Based_Rootkits_on_the_ARM_Architecture

 

SimpleSvm: hypervisor for AMD Windows systems

SimpleSvm is a minimalistic educational hypervisor for Windows on AMD processors. It aims to provide small and explanational code to use Secure Virtual Machine (SVM), the AMD version of Intel VT-x, with Nested Page Tables (NPT) from a windows driver. SimpleSvm is inspired by SimpleVisor, an Intel x64/EM64T VT-x specific hypervisor for Windows, written by Alex Ionescu.

https://github.com/tandasat/SimpleSvm

MemoryMonRWX: Windows hypervisor to detect rootkits

Modern malware and spyware platforms attack existing antivirus solutions and even Microsoft PatchGuard. To protect users and business systems new technologies developed by Intel and AMD CPUs may be applied. To deal with the new malware we propose monitoring and controlling access to the memory in real time using Intel VT-x with EPT. We have checked this concept by developing MemoryMonRWX, which is a bare-metal hypervisor. MemoryMonRWX is able to track and trap all types of memory access: read, write, and execute. MemoryMonRWX also has the following competitive advantages: fine-grained analysis, support of multi-core CPUs and 64-bit Windows 10. MemoryMonRWX is able to protect critical kernel memory areas even when PatchGuard has been disabled by malware. Its main innovative features are as follows: guaranteed interception of every memory access, resilience, and low performance degradation.

http://igorkorkin.blogspot.com/2017/03/memorymonrwx-detect-kernel-mode.html