Return-oriented programming attack on the Xen hypervisor

Proceedings - 2012 7th International Conference on Availability, Reliability and Security, ARES 2012

Volumn , Issue , 2012, Pages 479-484

  Ding, Baozeng ^a,b   Wu, Yanjun ^a   He, Yeping ^a   Tian, Shuo ^a,b   Guan, Bei ^a,b   Wu, Guowei ^c  

^a INSTITUTE OF SOFTWARE   (China)

^b UNIVERSITY OF CHINESE ACADEMY OF SCIENCES   (China)

^c DALIAN UNIVERSITY OF TECHNOLOGY   (China)

Author keywords

hypervisor; privilege escalation; Return oriented programming; security

Indexed keywords

HYPERVISOR; INTEGRITY PROTECTION; PRIVILEGE ESCALATION; RUNTIMES; SECURITY;

EID: 84869391331     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/ARES.2012.16     Document Type: Conference Paper

References (41)

1. T. Garfinkel and M. Rosenblum. A virtual machine introspection based architecture for intrusion detection. In Proceedings of the 10th Annual Network and Distributed Systems Security Symposium, February 2003.
2. X. Jiang, X. Wang, and D. Xu. Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction. In Proceedings of the 14th ACM Conference on Computer and Communications Security, 2007
3. B. D. Payne, M. Carbone, M. Sharif, and W. Lee. Lares: An architecture for secure active monitoring using virtualization. In Proceedings of the 29th IEEE Symposium on Security and Privacy, 2008.
4. L. Litty, H. A. Lagar-Cavilla, and D. Lie. Hypervisor support for identifying covertly executing binaries. In Proceedings of the 17th USENIX Security Symposium, 2008.
5. Seshadri, M. Luk, N. Qu, and A. Perrig. SecVisor: a Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes. In Proceedings of the 21st ACM Symposium on Operating Systems Principles, October 2007.
6. Z. Wang, X. Jiang, W. Cui, and P. Ning. Countering Kernel Rootkits with Lightweight Hook Protection. In Proceedings of the 16th ACM Conference on Computer and Communications Security, 2009.
7. M. Sharif, W. Lee, W. Cui, and A. Lanzi. Secure In-VM Monitoring Using Hardware Virtualization. In Proceedings of the 16th ACM Conference on Computer and Communications Security, 2009.
8. P. Barham, B. Dragovic, K. Fraser, S. Hand, T. L. Harris, A. Ho, R. Neugebauer, I. Pratt, and A. Warfield. Xen and the Art of Virtualization. In Proceedings of the 19th ACM Symposium on Operating Systems Principles, October 2003.
9. VMware ESXi: Bare Metal Hypervisor. http://www.vmware.com/products/esxi.
10. G. Klein, K. Elphinstone, G. Heiser, J. Andronick, D. Cock, P. Derrin, D. Elkaduwe, K. Engelhardt, R. Kolanski, M. Norrish, T. Sewell, H. Tuch, and S. Winwood. seL4: Formal verification of an OS kernel. In Proceedings of the 22nd Symposium on Operating Systems Principles, October 2009.
11. National Vulnerability Database.http://nvd.nist.gov/.
12. S. T. King, P. M. Chen, Y.-M. Wang, C. Verbowski, H. J.Wang, and J. R. Lorch. SubVirt: Implementing Malware with Virtual Machines. In Proceedings of the 27th IEEE Symposium on Security and Privacy, 2006.
13. R. Wojtczuk. Subverting the Xen Hypervisor. In Black Hat USA, 2008.
14. The Blue Pill Project. http://bluepillproject.org/.
15. J. Wang, A. Stavrou, and A. K. Ghosh. HyperCheck: A hardware-assisted integrity monitor. In Proceedings of the 13th International Symposium on Recent Advances in Intrusion Detection, September 2010.
16. A. M. Azab, P. Ning, Z. Wang, X. Jiang, X. Zhang, and N. C. Skalsky. HyperSentry: enabling stealthy in-context measurement of hypervisor integrity. In Proceedings of the 17th ACM Conference on Computer and Communications Security, 2010.
17. H. Shacham. The geometry of innocent esh on the bone: Return-into-libc without function calls (on the x86). In Proceedings of the 14th ACM Conference on Computer and Communications Security, 2007.
18. A. Francillon and C. Castelluccia. Code injection attacks on harvard-architecture devices. In Proceedings of the 15th ACM Conference on Computer and Communications Security, 2008.
19. E. Buchanan, R. Roemer, H. Shacham, and S. Savage. When good instructions go bad: Generalizing return-oriented programming to RISC. In Proceedings of the 15th ACM Conference on Computer and Communications Security, 2008.
20. T. Kornau. Return oriented programming for the ARM architecture. http://zynamics.com/downloads/kornau-tim-diplomarbeit-rop.pdf, 2009. Master thesis, Ruhr-University Bochum, Germany.
21. S. Checkoway, A. J. Feldman, B. Kantor, J. A. Halderman, E. W. Felten, and H. Shacham. Can DREs provide long-lasting security? The case of return-oriented programming and the AVC advantage. In Proceedings of EVT/WOTE 2009, 2009.
22. F. Lindner. Developments in Cisco IOS forensics. CONFidence 2.0. http://www.recurity-labs.com/content/pub/FX-Router-Exploitation.pdf, Nov.2009.
23. jduck. The latest adobe exploit and session upgrading. http://blog.metasploit.com/2010/03/latest-adobe-exploit-and-session.html, 2010.
24. S. Ragan. http://www.thetechherald.com/articles/Adobe-confirms-Zero-Day- ROP-used-to-bypass-Windows-defenses/11273/
25. Adobe Systems. Security Advisory for Flash Player, Adobe Reader and Acrobat: CVE-2010-1297. http://www.adobe.com/support/security/advisories/apsa10- 01.html, 2010.
26. R. Hund, T. Holz, and F. C. Freiling. Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms. In Proceedings of the 18th USENIX Security Symposium, 2009.
27. J. Halliday. Jailbreakme released for apple devices. http://www.guardian. co.uk/technology/blog/2010/aug/02/jailbreakme-released-apple-devices-legal, Aug. 2010.
28. V. Iozzo and R.-P. Weinmann. Ralf-Philipp Weinmann & Vincenzo Iozzo own the iPhone at PWN2OWN. http://blog.zynamics.com/2010/03/24/ralf-philipp- weinmann-vincenzo-iozzo-own-the-iphone-at-pwn2-own/, March, 2010.
29. Microsoft. Data Execution Prevention (DEP). http://support.microsoft.com/ kb/875352/EN-US/, 2006.
30. Arvind Seshadri, Mark Luk, Ning Qu, and Adrian Perrig. SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes. In Proceedings of 21st ACM Symposium on Operating Systems Principles, October, 2007.
31. McCune, J.M., Li, Y., Qu, N., Zhou, Z., Datta, A., Gligor, V., Perrig, A. Trustvisor: Efficient tcb reduction and attestation. In Proceedings of the 31st IEEE Symposiumon Security and Privacy, 2010.
32. T. Shinagawa, H. Eiraku, K. Tanimoto, K. Omote, S. Hasegawa, T. Horie, M. Hirano, K. Kourai, Y. Ohyama, E. Kawai, K. Kono, S. Chiba, Y. Shinjo, and K. Kato. Bit-Visor: A Thin Hypervisor for Enforcing I/O Device Security. In Proceedings of the 5th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments, 2009.
33. Derek G. Murray, Grzegorz Milos, and Steven Hand. Improving xen security through disaggregation. In Proceedings of the 4th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments, 2008.
34. U. Steinberg and B. Kauer. NOVA: A microhypervisor-based secure virtualization architecture. In Proceedings of the 5th ACM European Conference in Computer Systems, 2010.
35. Z. Wang and X. Jiang. HyperSafe: A lightweight approach to provide lifetime hypervisor control-flow integrity. In Proceedings of the 31st IEEE Symposium on Security and Privacy, 2010.
36. M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control-flow integrity: Principles, implementations, and applications. In Proceedings of the 12th ACM Conference on Computer and Communications Security, 2005.
37. ROPEME tool. http://www.vnsecurity.net/2010/08/ropeme-rop-exploit-made- easy/
38. Multiple integer overflows. http://web.nvd.nist.gov/view/vuln/detail? vulnId=CVE-2011-1583.
39. Solar Designer. "return-to-libc" attack, Bugtraq, 1997.
40. J. Rutkowska and R. Wojtczuk. Preventing and detecting Xen hypervisor subversions. In Black Hat USA, 2008.
41. B. Ding, F. Yao, Y. Wu, and Y. He. Improving flask implementation using hardware assisted in-VM isolation. In Proceedings of the 27th IFIP International Information Security and Privacy Conference, 2012.