Tuesday, March 23, 2010

Slides from ShmooCon

So this has been way overdue, but here are my slides from my ShmooCon presentation, Ring -1 vs. Ring -2: Containerizing Malicious SMM Interrupt Handlers on AMD-V.

Honestly, I'm a little disappointed in myself for the presentation. I think it went well, but I didn't really have time to make the talk as accessible as I would have liked. Also, this was my first time presenting at a conference, so the usual jitters apply; hopefully I'll get the chance to do it again.

A little explanation: The goal of this project was to determine how to protect a virtual machine monitor from a malicious System Management Mode Interrupt handler.

When I started working for Crucial Security my main focus was on building a hypervisor that was able to isolate a process from a malicious OS, the idea being that we wanted to ensure that even if an attacker got access to a server they'd still have to exploit the specific service to gain access to its data. During development we kept discovering new avenues of attacking the VMM; one of the most damaging was to use a malicious SMI handler, as was done in Rafal Wojtczuk and Joanna Rutkowska's presentation on Attacking Intel's TXT.

The defense against their attack that Intel responded with was that the VMM developer should run the SMI handler inside of a virtual machine. Joanna's counterpoint was that no one has good documentation on how to do that. Since I was developing a tiny VMM for security, I took that challenge and, on the AMD-V platform, developed a hypervisor that could run a limited SMI handler inside of a virtual machine as a PoC.

Unfortunately almost all of my time was spent developing and debugging the PoC, with less attention than I would have liked going to the actual presentation. Anyway, I still need to get the source off of backups since my corporate laptop died. However, it should be up by the end of May. Comments and feedback are greatly appreciated.

My hope is that this helps VMM developers get a better idea of what's involved in isolating an SMI handler, and that in the rare cases where that level of paranoia is needed, my work can help other people find the information they need more quickly.
