Master's/Doctoral Thesis 994203053: Detailed Record




Name: 莊承恩 (Cheng-en Chuang)   Department: Department of Information Management
Thesis title: 半虛擬化漏洞造成雲端平台隔離性失效之研究
(On the Fail of Isolation in Cloud Computing Platform with Paravirtualization Vulnerability)
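  1. The access permission for this electronic thesis is: immediate open access agreed.
  2. Electronic full texts that have reached their open-access date are licensed to users only for personal, non-profit searching, reading and printing for the purpose of academic research.
  3. Please comply with the relevant provisions of the Copyright Act of the Republic of China; do not reproduce, distribute, adapt, repost or broadcast the work without authorization, so as not to violate the law.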

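Abstract (Chinese) The elasticity of today's cloud computing services depends on the support of virtualization technology, yet the security of virtualization rests on the isolation that the technology can provide. If a user on a cloud platform breaks virtualization isolation, every user sharing that platform is harmed as well. This thesis takes the paravirtualization technology provided by the Xen Hypervisor as its subject and examines the importance of isolation when virtualization is used. It identifies a common vulnerability that frequently occurs in implementations of the display buffer (framebuffer) in virtualization technology and, using CVE-2008-1943, a real vulnerability in the paravirtualized framebuffer, demonstrates a Virtual Machine Escape experiment that obtains a root shell in Xen's Domain 0, proving that virtualization isolation is not unbreakable. Finally, without the knowledge of another Domain U, the boot sector of that Domain U is tampered with so that its boot process is hijacked, which illustrates the impact and losses that follow a failure of isolation. The contributions of this research are identifying the common vulnerability in display buffer implementations in virtualization technology and carrying out a virtual machine escape experiment against an actual paravirtualized framebuffer, with the experimental results demonstrating the failure of virtualization isolation. In addition, a boot sector tampering experiment is provided as a case of follow-on attack to illustrate the losses that a failure of isolation can cause, serving as a basis for future research on core cloud security.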
Abstract (English) The on-demand feature of cloud computing relies on the support of virtualization technology, and it is worth knowing that security in virtualization is built upon isolation. Thus, once a user of the cloud platform breaks the isolation, all the users of the cloud platform become victims. In this thesis, I focus on paravirtualization, which is provided by the Xen hypervisor, to discuss the importance of isolation in virtualization technology. It concludes that there are common vulnerabilities in many implementations of video-related devices in virtualization technology. Moreover, with a practical exploitation of CVE-2008-1943, this thesis shows that a user can escape from an unprivileged domain to the privileged domain’s root shell (Virtual Machine Escape). Finally, this thesis shows that an attacker can easily hijack another user’s virtual machine by modifying the virtual machine’s master boot record. The major contributions are identifying the common vulnerability in the implementation of video devices in virtualization technology, and providing a hands-on VM escape experiment to prove the failure of isolation in virtualization. Moreover, this thesis provides an attack model, Master Boot Record Hijacking, to explain the impact after the failure of isolation.
Keywords (Chinese) ★ Cloud Platform
★ Virtualization Isolation
★ Paravirtualization Vulnerability
★ Virtual Machine Escape
★ Xen Hypervisor
Keywords (English) ★ Cloud Computing
★ Isolation of Virtualization
★ Paravirtualization Vulnerability
★ Virtual Machine Escape
★ Xen Hypervisor
Table of Contents
Abstract (Chinese)
Abstract
Acknowledgements
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
1.1 Research Background
1.2 Research Motivation
1.2.1 CSEP: Cloud Security Experiment Platform
1.2.2 Importance of Virtualization Isolation
1.3 Research Objectives
1.4 Research Contributions
1.5 Thesis Organization
Chapter 2 Related Work
2.1 Classification of Virtualization Platforms
2.2 Program and System Security
2.2.1 Stack-based Buffer Overflow
2.2.2 Return into Lib(c)
2.3 Virtual Machine Escape Experiments
2.3.1 VMware Shared Folders Vulnerability
2.3.2 Cloudburst: Vulnerability in the VMware Virtual Display Device
2.3.3 Virtunoid: Virtual Machine Escape on KVM
Chapter 3 Virtual Machine Escape
3.1 Architecture of Paravirtualization
3.2 Case Study: Analysis of the CVE-2008-1943 Vulnerability
3.2.1 Modifying tools/ioemu/hw/xenfb.c
3.2.2 Modifying drivers/video/xen-fbfront.c
3.3 Experimental Results
3.3.1 Assumptions and Scenario
3.3.2 Actual Testing
3.4 Discussion of the Escape Experiment
3.4.1 Discussion of Escape under Full Virtualization
3.4.2 Discussion of Escape under Hardware-Assisted Virtualization
3.4.3 Common Pattern of Virtual Machine Escapes
Chapter 4 Discussion of Virtualization Isolation
4.1 Attacks after Isolation Failure
4.2 Master Boot Record Tampering
4.2.1 Description of the Boot Sector
4.2.2 Master Boot Record Implementation
4.3 Experimental Results of MBR Tampering
Chapter 5 Conclusion
5.1 Conclusions and Contributions
5.2 Future Work
References
Appendix A. Xen Vulnerability Statistics
Appendix B. Master Boot Record of Windows XP
Appendix C. MBR Constants and Functions (adapted from Stoned Bootkit)
Advisor: 陳奕明 (Yi-Ming Chen)   Approval date: 2012-8-16