Copy – He is a great partner of the virtual machine, but at the same time he can kill the VM – address space layout randomization

Announcement – Since the original post suffered from a slow-response issue, and in order to keep the comments entered by visitors, we are keeping the original post. This copy caters for visitors who cannot access the original web page. Please accept our apologies for any inconvenience caused.


The trend in the IT world is towards virtualization. Even your mobile phone's operating system runs on top of a virtual machine. Memory resource utilization has moved from traditional static allocation to dynamic allocation since virtual machine architectures were introduced, and security experts worry about malware infiltrating virtual machines. VMware introduced a mitigation step in 2014: the system designers adopted a technology called address space layout randomization (ASLR). As a result, malware has a hard time implanting itself in the kernel, because there is no predictable place for it to live (see below: a statement from a technical article that points out how ASLR adds value).

The VMware ESXi kernel uses an address space layout randomization (ASLR) methodology to provide random and unpredictable addresses for user-mode applications, drivers, libraries and other executable components. This is a significant security benefit because of the way ASLR thwarts malware looking to take advantage of memory-based exploits. The malware would not have a known address to use as a vector for the exploit because of the randomization.
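ASLR, as the quoted statement says, gives an attacker no known address to aim at. The following script is an added example (not code from the original post or from VMware) that makes the effect observable from user space on a Linux host: it spawns a few fresh interpreters, asks each where libc's printf was mapped, and reports whether the mapping moved between runs and how many address bits varied. It also reads the kernel's randomize_va_space knob, which is the standard Linux switch for ASLR; the helper names and the run count are my own choices.

```python
"""Observe ASLR from user space on a Linux host: spawn a few short child
processes and record where libc's printf landed in each one. With ASLR
active the addresses differ from run to run; with it off they repeat.
(Added example; not part of the original post.)"""
import ctypes
import subprocess
import sys
from pathlib import Path
from typing import List, Optional

# One-liner run in each child: print the virtual address of printf there.
CHILD_SNIPPET = (
    "import ctypes; "
    "print(ctypes.cast(ctypes.CDLL(None).printf, ctypes.c_void_p).value)"
)


def libc_printf_address() -> int:
    """Address of printf in the current process (what each child reports)."""
    return ctypes.cast(ctypes.CDLL(None).printf, ctypes.c_void_p).value


def sample_addresses(runs: int = 5) -> List[int]:
    """Spawn `runs` fresh interpreters and collect their printf addresses."""
    addrs = []
    for _ in range(runs):
        proc = subprocess.run([sys.executable, "-c", CHILD_SNIPPET],
                              capture_output=True, text=True, check=True)
        addrs.append(int(proc.stdout.strip()))
    return addrs


def looks_randomized(addrs: List[int]) -> bool:
    """True when at least two runs received different library mappings."""
    return len(set(addrs)) > 1


def varying_bits(addrs: List[int]) -> int:
    """Number of address bits that changed across the samples: a crude
    lower bound on the randomization entropy actually observed."""
    changed = 0
    for a in addrs:
        changed |= a ^ addrs[0]
    return bin(changed).count("1")


def kernel_aslr_setting() -> Optional[int]:
    """Linux knob /proc/sys/kernel/randomize_va_space: 0 = off,
    1 = stack/mmap/vdso randomized, 2 = heap (brk) randomized as well.
    Returns None when the file is absent (non-Linux host)."""
    knob = Path("/proc/sys/kernel/randomize_va_space")
    return int(knob.read_text().strip()) if knob.exists() else None


if __name__ == "__main__":
    samples = sample_addresses()
    for a in samples:
        print(f"printf @ 0x{a:016x}")
    print("kernel randomize_va_space:", kernel_aslr_setting())
    print("randomized across runs:", looks_randomized(samples),
          f"({varying_bits(samples)} bits varied)")
```

Running it on a host with randomize_va_space set to 2 shows a different printf address on every run; setting the knob to 0 (or launching under setarch -R) makes the addresses repeat, which is exactly the situation the rest of the post is about: once the address is predictable, the protection quoted above is gone.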

As time goes by, ASLR is no longer only an assistant to the virtual machine designer. On the other hand, it can become a killer that kills its master. This is not news today. According to experimental studies by technology experts, it is possible to execute an attack on the kernel side through a malicious JavaScript application. The method is a side-channel attack, and it is based on identifying the addresses that the processor's memory management unit (MMU) has previously touched while traversing the page tables to translate virtual memory addresses into physical memory addresses. Because the CPU cache is shared, and MMU activity shows up in it just like the activity of an application, an attacker who evaluates the differences in data access time before and after resetting the cache (the "EVICT+TIME" variety of the attack) can, with high probability, pick out the address and detect which locations the memory management unit operated on.

By breaking ASLR, an attacker learns where code executes and can prepare an attack that targets the same area of memory, stealing sensitive information stored in the computer's memory.

The vulnerability channel found in web browsers was announced by a Professor of Computer Science at Cornell Tech in January 2016.

When attacking browsers, an attacker may be able to insert arbitrary objects into the victim's heap. Let's focus on the fundamentals of web browser design.

Web applications communicate with each other through system calls to the browser kernel. As we know, web applications live in separate processes owned by the browser kernel, and they are prohibited from communicating with each other except through the browser kernel.

However, plugins are less reliable than browsers.

As a matter of fact, JavaScript is the helper in this ASLR vulnerability. It sounds as if JavaScript is an accomplice; the murderer is the plug-in application.

But in which situations will a virtual machine be compromised through this vulnerability?

From a technical point of view, when a hacker's cyber attack targets the memory area, we understand it as a malware-style attack. As we know, the AMD architecture defines a feature named the SVM instruction set. AMD virtualization technology, codenamed "Pacifica," introduces several new instructions and modifies several existing instructions to facilitate the implementation of VMM systems.
The SVM instruction set includes instructions to:

  • Start execution of a guest (VMRUN)
  • Save and restore subsets of processor state (VMSAVE, VMLOAD)
  • Allow guests to explicitly communicate with the VMM (VMMCALL)
  • Set and clear the global interrupt flag (STGI, CLGI)
  • Invalidate TLB entries in a specified ASID (INVLPGA)
  • Read and write CR8 in all processor modes
  • Secure init and control transfer with attestation (SKINIT)

Remark: Fundamentally, VMMs (hypervisors) work by intercepting, and emulating in a safe manner, sensitive operations in the guest (such as changing the page tables, which could otherwise give a guest access to memory it is not allowed to access).

As such, code has more freedom in the memory address space once AMD-V is enabled in the BIOS (or by the host OS).

Remark: (VERR_SVM_ENABLED)

The confirmed CVEs below look like headaches for the core designers of virtual machines (VMware, VirtualBox, Hyper-V), right?

  • CVE-2017-5925 for Intel processors
  • CVE-2017-5926 for AMD processors
  • CVE-2017-5927 for ARM processors
  • CVE-2017-5928 for a timing issue affecting multiple browsers

Since the AnC attack (EVICT+TIME) was discovered, it has been possible to detect which locations in the page table pages are accessed during a page table walk performed by the MMU. In that way it breaks the ASLR feature on the virtual machine, whose main objective is to avoid malware infection of the virtual machine. What scenario can we foresee tomorrow?
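To make the EVICT+TIME mechanism described earlier, and summarized again in the AnC paragraph just above, concrete without touching real hardware, here is an added example that is not part of the original post or of the AnC research: a small set-associative LRU cache model in which "time" is a constructed hit/miss cost. The victim performs one memory access whose cache set is decided by a value the attacker never reads (in the real attack, page-table lines selected by the randomized address). The attacker evicts one set at a time and times the victim; the only set whose eviction slows the victim is the one the victim used, so the attacker recovers the set index (and with it the address bits that select that set). The class and function names, the cache geometry and the latencies are all my own assumptions.

```python
"""Toy model of the EVICT+TIME side channel the post describes. Nothing here
touches real hardware: the 'cache' is a small LRU set-associative model and
'time' is a constructed hit/miss cost. The victim's only observable behaviour
is how long its routine takes, yet the attacker recovers the cache set (and
so the address bits that select it) that the victim's memory access used.
(Added example; not part of the original post.)"""
from collections import OrderedDict
from typing import Callable, Dict, List

HIT_COST, MISS_COST = 1, 20          # constructed latencies, arbitrary units


class ToyCache:
    """Set-associative LRU cache. A 'line' is just an integer; its set is
    line % num_sets, mirroring how address bits select a cache set."""

    def __init__(self, num_sets: int, ways: int) -> None:
        self.num_sets, self.ways = num_sets, ways
        self.sets: List[OrderedDict] = [OrderedDict() for _ in range(num_sets)]

    def access(self, line: int) -> int:
        """Touch `line`; return the modelled latency of that access."""
        s = self.sets[line % self.num_sets]
        if line in s:
            s.move_to_end(line)              # refresh LRU position
            return HIT_COST
        s[line] = True                       # fill on miss ...
        if len(s) > self.ways:
            s.popitem(last=False)            # ... evicting the LRU line
        return MISS_COST


def make_victim(cache: ToyCache, secret_line: int) -> Callable[[], int]:
    """Victim routine whose single access depends on a value the attacker
    cannot read (for the MMU case: a page-table line chosen by the
    randomized address being translated)."""
    def victim() -> int:
        return cache.access(secret_line)
    return victim


def evict_set(cache: ToyCache, set_index: int, attacker_base: int) -> None:
    """EVICT step: touch `ways` attacker-owned lines that all map to
    set_index, pushing any other line out of that set."""
    for way in range(cache.ways):
        cache.access(attacker_base + set_index + way * cache.num_sets)


def evict_plus_time(cache: ToyCache, victim: Callable[[], int],
                    attacker_base: int) -> Dict[int, int]:
    """For every set: evict it, then TIME the victim. Only the set the
    victim actually uses makes it slow."""
    victim()                                 # warm-up: victim line now cached
    timings: Dict[int, int] = {}
    for s in range(cache.num_sets):
        evict_set(cache, s, attacker_base)
        timings[s] = victim()
    return timings


def leaked_set(timings: Dict[int, int]) -> int:
    """The set with the largest latency is the one the victim touched."""
    return max(timings, key=timings.get)


def run_demo(num_sets: int = 64, ways: int = 4, secret_line: int = 0x2A5) -> int:
    """Build the model, run the probe, return the set the attacker infers."""
    cache = ToyCache(num_sets, ways)
    victim = make_victim(cache, secret_line)
    # attacker_base is a multiple of num_sets so attacker lines keep their
    # intended set index and never alias the victim's line (constructed layout)
    timings = evict_plus_time(cache, victim, attacker_base=1 << 20)
    return leaked_set(timings)


if __name__ == "__main__":
    guess = run_demo()
    print(f"attacker infers set {guess}; victim really used set {0x2A5 % 64}")
```

The point worth taking from the model is that the leak lives in the access pattern, not in the data: the attacker never reads the victim's line or the page-table entry, only latency, which is why randomizing where things are placed does not close the channel. Mitigations accordingly target the channel itself (partitioning or isolating the cache lines the page-table walk uses, or coarsening the timers a script can reach, which is the browser-side response behind the timing-related CVE listed above) rather than trying to hide the secret better.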

Sample: JavaScript code that performs an arbitrary memory write (the 0x????? values are address placeholders)

// prepare a buffer carrying the address we want to write to
// (addr holds the target address as a string; it is not defined in this snippet)
var ptrBuf = ""
// fill the buffer: length = relative pointer address - buffer start + pointer offset
while (ptrBuf.length < (0x????? - 0x9????? + 0xC)) { ptrBuf += "A" }
ptrBuf += addr

// overflow the buffer and overwrite the pointer value that sits after it
obj.SetText(ptrBuf, 0, 0)

// use the overwritten pointer to write 4 bytes to memory
obj.SetFontName("\xbe\xba\xfe\xca") // WHAT TO WRITE
alert("Check after write:0x???????? + 0x?

28 thoughts on “Copy – He is great partner of virtual machine but he can kill VM simultaneously – address space layout randomization”

  1. It is truly a nice and useful piece of information. I am satisfied that you shared this helpful information with us. Please keep us informed like this. Thanks for sharing.

  2. Very good post! We are linking to this particularly great post on our website.
    Keep up the great writing.

  3. It’s really a great and useful piece of information. I am glad that you just shared this useful
    info with us. Please keep us informed like this.
    Thanks for sharing.

  4. My brother recommended I may like this blog. He was entirely right. This post actually made my day. You can not believe simply how so much time I had spent for this information! Thank you!

  5. Nice blog! Is your theme custom made or did you download it from somewhere? A theme like yours with a few simple adjustments would really make my blog jump out. Please let me know where you got your design. With thanks

  6. I frequently look over your articles thoroughly. I am furthermore focused on aptoide app store download, maybe you could discuss that from time to time. I will be back soon.

  7. An intriguing discussion is worth comment. I think that you simply should really write a lot more on this topic, it may well not be a taboo subject but commonly people today aren’t enough to speak on such topics. To the subsequent. Cheers

  8. I found your blog website on google and verify a number of of your early posts. Proceed to maintain up the excellent operate. I simply extra up your RSS feed to my MSN Information Reader. Seeking ahead to studying extra from you in a while!?

  9. You made some first rate factors there. I regarded on the internet for the issue and found most people will go together with with your website.

  10. hey there and thank you in your information – I’ve certainly picked up anything new from right here. I did alternatively experience some technical issues using this site, since I experienced to reload the site many instances prior to I could get it to load correctly. I have been considering if your hosting is OK? Not that I’m complaining, however sluggish loading cases instances will sometimes affect your placement in google and could harm your quality score if ads with Adwords. Anyway I’m including this RSS to my email and could glance out for a lot extra of your respective interesting content. Ensure that you update this again very soon..

  11. I have read several good stuff here. Certainly worth bookmarking for revisiting. I wonder how much effort you put to make such a great informative web site.

  12. I found your weblog site on google and check a couple of of one’s early posts. Continue to keep up the really very good operate. I just extra up your RSS feed to my MSN News Reader. Seeking forward to reading a lot more from you later on!

  13. Spot on with this write-up, I actually think this website needs much more consideration. I’ll most likely be once more to read rather more, thanks for that info.

  14. I think your blog needs some fresh articles. Writing manually takes a
    lot of time, but there is tool for this boring task, search for: Boorfe’s tips unlimited content

  15. Good day very cool website!! Man .. Beautiful .. Wonderful .. I’ll bookmark your site and take the feeds also…I am glad to find numerous helpful info right here within the publish, we’d like develop more strategies in this regard, thank you for sharing. . . . . .

  16. You're so cool! I don't suppose I've read anything like this before. So nice to seek out somebody with some authentic thoughts on this subject. Really thank you for starting this up. This web site is one thing that is needed on the internet, somebody with slightly originality. Useful job for bringing something new to the web!

  17. I all the time used to read paragraph in news papers but now as I am a user of web thus from now I am using net for posts, thanks to web. ckbfdagbedga

  18. I simply want to mention I am new to blogs and absolutely enjoyed your web page. Probably I'm going to bookmark your blog post. You actually have outstanding stories. With thanks for revealing your website page.

  19. “Hi my own cherished one! I wish to state that this kind of post is awesome, well composed and includes virtually all important info. I'd want to see added content such as this.”

  20. It’s truly very difficult in this busy life to listen news on Television,
    therefore I only use internet for that reason, and
    take the latest information.

  21. Some genuinely nice and useful info on this web site, as well I conceive the style has superb features.

  22. I have noticed you don’t monetize your site, don’t waste your traffic, you can earn extra cash every month with
    very good adsense alternative for websites like yours.
    For more info search in google: blackhatworren’s strategies

  23. I often visit your blog and have noticed that you don’t update it often. More frequent updates will give your
    site higher authority & rank in google. I know that writing content
    takes a lot of time, but you can always help yourself with
    miftolo’s tools which will shorten the time of creating an article to a few seconds.
