7 Days To Virtualization: A Series On Hypervisor Development
Zelda Screen Transitions are Undefined Behaviour
> The vertical scrolling effect in the original “The Legend of Zelda” relies on manipulating the NES graphics hardware in a manor likely that was unintended by its designers.
Running iOS in QEMU to an interactive bash shell (1): tutorial
> While wanting to do some iOS security research and inspired by the work done by zhuowei, I decided to try and get this emulation project further along the boot process. The goal was to get the system to boot without having to patch the kernel beforehand or during the boot process, have new modules that extend QEMU’s capabilities to execute arm64 XNU systems and, get an interactive bash shell. This post is the first post in a 2-post series, in which I will present instructions for executing iOS on QEMU and launching an interactive bash shell. In the second post, I will detail some of the research that was required in order to get there. For this project, the iOS version and device that were chosen are iOS 12.1 and iPhone 6s Plus, because this specific iOS 12 image comes with a lot of symbols exported in the kernel image compared to other iOS kernel images that are usually stripped of most symbols.
Assessing Unikernel Security
> Unikernels are small, specialized, single-address-space machine images constructed by treating component applications and drivers like libraries and compiling them, along with a kernel and a thin OS layer, into a single binary blob. Proponents of unikernels claim that their smaller codebase and lack of excess services make them more efficient and secure than full-OS virtual machines and containers. We surveyed two major unikernels, Rumprun and IncludeOS, and found that this was decidedly not the case: unikernels, which in many ways resemble embedded systems, appear to have a similarly minimal level of security. Features like ASLR, W^X, stack canaries, heap integrity checks and more are either completely absent or seriously flawed. If an application running on such a system contains a memory corruption vulnerability, it is often possible for attackers to gain code execution, even in cases where the application’s source and binary are unknown. Furthermore, because the application and the kernel run together as a single process, an attacker who compromises a unikernel can immediately exploit functionality that would require privilege escalation on a regular OS, e.g. arbitrary packet I/O. We demonstrate such attacks on both Rumprun and IncludeOS unikernels, and recommend measures to mitigate them.
From Zero to NVMM
> Six months ago, I told myself I would write a small hypervisor for an old x86 AMD CPU I had. Just to learn more about virtualization, and see how far I could go alone on my spare time. Today, it turns out that I’ve gone as far as implementing a full, fast and flexible virtualization stack for NetBSD. I’d like to present here some aspects of it.
XSA-294 - x86 shadow: Insufficient TLB flushing when using PCID
> Use of Process Context Identifiers (PCID) was introduced into Xen in order to improve performance after XSA-254 (and in particular its Meltdown sub-issue). This enablement implied changes to the TLB flushing logic. One aspect which was overlooked is the safety of switching between shadow pagetables, which previously relied on the unconditional flushing of a write to CR3.
> With PCID enabled, a switch of shadow pagetable for a 64bit PV guest fails to invalidate the linear mappings of the previous shadow pagetable. As a result, subsequent accesses to the shadow pagetables may be deemed to be safe by the shadow logic (based on the old shadow pagetable) but fault when made in practice.
MirageOS Spring Hack Retreat, Marrakesh 2019
> On this retreat, we ate our own dogfood, and used our MirageOS DHCP, recursive DNS resolver, and CalDAV unikernels as isolated virtual machines running on a PC Engines APU with FreeBSD as host system. The CalDAV server persisted its data in a git repository on the host system, using the raw git protocol for communication, the smart HTTP protocol could have been used as well.
The Sound Of Nostalgia
> The Sega Genesis, with its “Blast Processing” and blue mascot (who is getting a questionable movie makeover in the coming months), stood out for a lot of reasons, but one of the most subtle is something that it contained in at least one of its variants that not a lot of its competitors did—a headphone jack that could produce stereo sound. In a way, it was a nod to its sound chips, which were some of the best to be found on a video game console at the time and had more in common with the era’s sound synthesizers. Reliving those sounds in their best form hasn’t been easy in the modern day, however, due to challenges in emulating the console correctly. However, a challenger appears: The Analogue Mega Sg, a field programmable gate array (FPGA)-based console aims to recreate the experience. Today’s Tedium is a review of that console—and a little backstory on the biggest problem it tries to solve.
Slim: OS kernel support for a low-overhead container overlay network
> In theory there are four possible modes for container networking: a bridge mode for containers on the same host; host mode in which containers use the IP address of their host network interface; macvlan mode (or similar hardware mechanisms) to give each container its own IP address; and overlay mode in which each container is given its own own virtual network interface and each application has its own network namespace.
Reverse emulating the NES!
Breaking out of Docker via runC – Explaining CVE-2019-5736
> This post aims to be a comprehensive technical deep dive into the vulnerability and it’s various exploitation methods.
Too much stuff in the container and some of it leaks out.
AWS Nitro System
> The Nitro System supports key network, server, security, firmware patching, and monitoring functions freeing up the entire underlying server for customer use. This allows EC2 instances to have access to all cores – none need to be reserved for storage or network I/O. This both gives more resources over to our largest instance types for customer use – we don’t need to reserve resource for housekeeping, monitoring, security, network I/O, or storage. The Nitro System also makes possible the use of a very simple, light weight hypervisor that is just about always quiescent and it allows us to securely support bare metal instance types.
A proposed API for full-memory encryption
> Hardware memory encryption is, or will soon be, available on multiple generic CPUs. In its absence, data is stored — and passes between the memory chips and the processor — in the clear. Attackers may be able to access it by using hardware probes or by directly accessing the chips, which is especially problematic with persistent memory. One new memory-encryption offering is Intel’s Multi-Key Total Memory Encryption (MKTME) [PDF]; AMD’s equivalent is called Secure Encrypted Virtualization (SEV). The implementation of support for this feature is in progress for the Linux kernel. Recently, Alison Schofield proposed a user-space API for MKTME, provoking a long discussion on how memory encryption should be exposed to the user, if at all.
Writing a Hyper-V “Bridge” for Fuzzing
> After spending the better part of a weekend writing a specialized Windows driver for the purposes of allowing me to communicate with the Hyper-V hypervisor, as well as the Secure Kernel, from user-mode, I realized that there was a dearth of concise technical content on non-PnP driver development, and especially on how the Windows Driver Foundation (WDF) fundamentally changes how such drivers can be developed.
Part 2 is where it starts to get interesting: http://www.alex-ionescu.com/?p=471
Wine 4.0 Released
> This release represents a year of development effort and over 6,000 individual changes. It contains a large number of improvements that are listed in the release notes below. The main highlights are:
> Vulkan support.
> Direct3D 12 support.
> Game controllers support.
> High-DPI support on Android.
Advanced Mac Substitute
> Advanced Mac Substitute is an API-level reimplementation of classic Mac OS. It runs 68K Mac applications in an emulator without an Apple ROM or system software.
> Unlike traditional emulators, Advanced Mac Substitute doesn’t emulate the hardware on which an operating system runs (except for the 680x0 processor), but actually replaces the OS — so it launches directly into an application, without a startup phase.
How does Nested-Virtualization works?
> Nowadays, Software Security is becoming more important criteria in the industry, and in recent years, virtualization as a popular topic for protecting / attacking a software, however, most of the virtualization technology framework (bluepill-liked) is not provide an ability that let a guest virtualize one more layer, we called it “Nested Virtualization“, level 2.
A little hard to follow, but I think it covers the basic idea.
The Firecracker virtual machine monitor
> Cloud computing services that run customer code in short-lived processes are often called “serverless”. But under the hood, virtual machines (VMs) are usually launched to run that isolated code on demand. The boot times for these VMs can be slow. This is the cause of noticeable start-up latency in a serverless platform like Amazon Web Services (AWS) Lambda. To address the start-up latency, AWS developed Firecracker, a lightweight virtual machine monitor (VMM), which it recently released as open-source software. Firecracker emulates a minimal device model to launch Linux guest VMs more quickly. It’s an interesting exploration of improving security and hardware utilization by using a minimal VMM built with almost no legacy emulation.
The Super Capsicumizer 9000
> capsicumizer is a sandbox launcher that imposes Capsicum capability mode onto an unsuspecting program, allowing “sysadmin style” or “oblivious” sandboxing (i.e. no source code modifications, all restrictions added externally).
> How many times have you downloaded an executable file, but were afraid to run it? Have you ever been in a situation which required a clean installation of Windows, but didn’t want to set up a virtual machine?
> At Microsoft we regularly encounter these situations, so we developed Windows Sandbox: an isolated, temporary, desktop environment where you can run untrusted software without the fear of lasting impact to your PC. Any software installed in Windows Sandbox stays only in the sandbox and cannot affect your host. Once Windows Sandbox is closed, all the software with all its files and state are permanently deleted.