Black Hat USA 2009 Weekday Training Session

July 27-28

Virtualization (In)Security

Rafal Wojtczuk & Joanna Rutkowska

Detailed Agenda | Training Brochure

This course will:

Present an unbiased view on the security of recent Xen systems (Xen 3.3 and 3.2), show exemplary attacks and study how various technology (e.g. Intel VT-d and TXT) and clever design of the VMM can help to improve security. Point out where the weakness are still present and what we can expect in the future.

Provide a good baseline for comparing Xen-based products with other hypervisors on the market from security standpoint, thus allow for better decision making when buying virtualization products (participants will know what "hard questions" to ask vendors and what features to look for).

Enable administrators of current virtualization systems to better plan the deployment in order to optimize security.

Provide fun and excitement by enabling technically savvy attendees to perform real-world attacks on one of the most advanced and exciting technology (Xen 3.3, VT-d, TXT) on the planet.

Provide food for thought for all people engaged in design or development of virtualization systems, as well as "normal" operating systems.

Topics Covered*:

• Escaping from DomU to Dom0 (**)
• Compromising Xen from Dom0
• Xen Hypervisor Rootkits
• Protecting Xen hypervisor
• Direct hypervisor hijacking
• Nested hardware virtualization (**)
• BluePillBoot
• Intel TXT and tboot vs. BluePillBoot
• XenBluePill: Bluepilling Xen on the fly
• HyperGuard vs. XenBluePill

*This is a preliminary list and is subject to change. Topics marked with an (**) require deep technical knowledge on system programming and/or contemporary exploitation techniques. It is, however, not strictly required that the participants were able to follow all the details presented in those topics, as it is most important to understand the consequences of the presented attacks, not necessarily the details of how the attacks are coded. Nevertheless, for all those, who are system and exploit experts, we will present all the bits and bytes, to satisfy their curiosity as well.

Target audience

Senior administrators of virtualization systems, security architects planning (secure) deployment of a virtualization solutions (especially Xen-based, but not limited to), virtualization systems and operating systems designers/developers, advanced security professionals interested in designing security solutions for virtualization-based systems, other curious individuals.

Required skills/knowledge

For everybody: Basic Linux console skills (will be using Linux-based OS for Dom0), basic knowledge of current OS and virtualization systems design.

Additionally for people willing to understand/complete most of the exercises: advanced Linux skills, advanced C system programming, basic knowledge of current systems hardware design, basic GDB skills, advanced experience with using Xen systems.

Additionally for people willing to understand/complete all the exercises: proficiency in using and understanding GDB, understanding of advanced exploitation methods, good understanding of contemporary computer systems hardware design, excellent understanding of Xen system design and implementation.

About authors and trainers

This training has been prepared and will be presented by the Invisible Things Lab team, composed of: Rafal Wojtczuk, Alexander Tereshkin and Joanna Rutkowska. Invisible Things Lab is a boutique security research and consulting company, focusing on OS and virtualization systems security. ITL's members are experienced security researchers, well known for finding design and implementation weaknesses in a wide-range of operating systems, hypervisors and even systemlevel software, like BIOS, presenting new system compromise methods, as well as conducting a cutting-edge research into new defensive technology.

Joanna Rutkowska

is a recognized researcher in the field of stealth malware and system compromises. Over the past several years she has introduced several breakthrough concepts and techniques on both the offensive and defensive side in this field. Her work has been quoted multiple times by international press and she is also a frequent speaker at security conferences around the world.

Check out Joanna's blog on her training.

Alexander Tereshkin

is a Principal Researcher at Invisible Things Lab, is an experienced reverse engineer and an expert into Windows® kernel and hardware virtualization, specializing in rootkit technology and kernel exploitation. He is known for his research on sophisticated ideas for novel rootkit creation and personal firewall bypassing in the past years. Recently he has done significant work in the field of virtualization based malware and Microsoft® Vista™ kernel security. He is a co-author of "Understanding Stealth Malware" course. Alex holds the Russian equivalent of a Master's Degree in Applied Mathematics, and
also the Russian equivalent of a PhD degree in Information Security from Taganrog State University Of Radioengineering (Southern Federal University).

Rafal Wojtczuk

is a Principal Researcher at Invisible Things Lab, has over 10 years of experience with computer security. Specializing primarily in kernel and virtualization security, over the years he has disclosed many security
vulnerabilities in popular operating system kernels (Linux®, SELinux, *BSD, Windows®) and virtualization software (Xen®, VMWare® and Microsoft® virtualization products). He is also well known for his articles on advanced exploitation techniques, including novel methods for exploiting buffer overflows in partially randomized address space environments. He is also the author of libnids, a low-level packet reassembly library. He holds a Master’s Degree in Computer Science from University of Warsaw.

Super Early: Ends Mar 15	Early: Ends May 1	Regular: Ends Jul 1	Late: Ends Jul 22	Onsite:
$2600	$2700	$2900	$3100	$3400