Black Hat USA 2010 Weekday Training Session

July 24 - 27

Virtualization (In)Security

Joanna Rutkowska & Rafal Wojtczuk

Register Button


Present an unbiased view on the security of recent Xen systems (Xen 3.3 and 3.2), show exemplary attacks and study how various technology (e.g. Intel VT-d and TXT) and clever design of the VMM can help to improve security. Point out where the weakness are still present and what we can expect in the future.

Provide a good baseline for comparing Xen-based products with other hypervisors on the market from security standpoint, thus allow for better decision making when buying virtualization products (participants will know what "hard questions" to ask vendors and what features to look for).

Enable administrators of current virtualization systems to better plan the deployment in order to optimize security.

Provide fun and excitement by enabling technically savvy attendees to perform real-world attacks on one of the most advanced and exciting technology (Xen 3.3, VT-d, TXT) on the planet.

Provide food for thought for all people engaged in design or development of virtualization systems, as well as "normal" operating systems.

Topics Covered:*

  • Escaping from DomU to Dom0 (**)
  • Compromising Xen from Dom0
  • Xen Hypervisor Rootkits
  • Protecting Xen hypervisor
  • Direct hypervisor hijacking
  • Nested hardware virtualization (**)
  • BluePillBoot
  • Intel TXT and tboot vs. BluePillBoot
  • XenBluePill: Bluepilling Xen on the fly
  • HyperGuard vs. XenBluePill

*This is a preliminary list and is subject to change. Topics marked with an (**) require deep technical knowledge on system programming and/or contemporary exploitation techniques. It is, however, not strictly required that the participants were able to follow all the details presented in those topics, as it is most important to understand the consequences of the presented attacks, not necessarily the details of how the attacks are coded. Nevertheless, for all those, who are system and exploit experts, we will present all the bits and bytes, to satisfy their curiosity as well.

Target audience:

Senior administrators of virtualization systems, security architects planning (secure) deployment of a virtualization solutions (especially Xen-based, but not limited to), virtualization systems and operating systems designers/developers, advanced security professionals interested in designing security solutions for virtualization-based systems, other curious individuals.

Required skills/knowledge:

For everybody: Basic Linux console skills (will be using Linux-based OS for Dom0), basic knowledge of current OS and virtualization systems design.

Additionally for people willing to understand/complete most of the exercises: advanced Linux skills, advanced C system programming, basic knowledge of current systems hardware design, basic GDB skills, advanced experience with using Xen systems.

Additionally for people willing to understand/complete all the exercises: proficiency in using and understanding GDB, understanding of advanced exploitation methods, good understanding of contemporary computer systems hardware design, excellent understanding of Xen system design and implementation.

What to bring:

Attendees should bring fairly modern laptops that can boot from USB flash drives and run Xen. During the training we will provide bootable USB sticks with various Xen hypervisors, Dom0, and exemplary VMs, and attendees will be using this enviroment for doing the labs. Some exercises require Intel VT-x, VT-d, and/or Intel TXT extensions, but it's still possible to do majority of the exercises on systems without such extensions and watch the other exercises being demonstrated at the main screen.

DISCLAIMER: One should not use a production system for the training. Invisible Things Labs, nor Black Hat, cannot be held responsible for any potential data loss or other potential unspecified system damage that might be caused by the malfunctioning user or software run during the training.

About authors and trainers:

This training has been prepared and will be presented by the Invisible Things Lab team, composed of: Rafal Wojtczuk, Alexander Tereshkin and Joanna Rutkowska. Invisible Things Lab is a boutique security research and consulting company, focusing on OS and virtualization systems security. ITL's members are experienced security researchers, well known for finding design and implementation weaknesses in a wide-range of operating systems, hypervisors and even systemlevel software, like BIOS, presenting new system compromise methods, as well as conducting a cutting-edge research into new defensive technology.

Rafal Wojtczuk is a Principal Researcher at Invisible Things Lab, has over 10 years of experience with computer security. Specializing primarily in kernel and virtualization security, over the years he has disclosed many security vulnerabilities in popular operating system kernels (Linux®, SELinux, *BSD, Windows®) and virtualization software (Xen®, VMWare® and Microsoft® virtualization products). He is also well known for his articles on advanced exploitation techniques, including novel methods for exploiting buffer overflows in partially randomized address space environments. He is also the author of libnids, a low-level packet reassembly library. He holds a Master’s Degree in Computer Science from University of Warsaw.

Joanna Rutkowska is a recognized researcher in the field of stealth malware and system compromises. Over the past several years she has introduced several breakthrough concepts and techniques on both the offensive and defensive side in this field. Her work has been quoted multiple times by international press and she is also a frequent speaker at security conferences around the world.

Check out Joanna's blog on her training.

Register Button

Super Early:
Ends Apr 1

Ends May 15

Ends Jun 15

Ends Jul 23