Description
In recent years, companies have tended to shift their IT infrastructure to cloud systems. However, the cloud provider, or an attacker with similar privileges, is able to access or modify the data being processed by the Virtual Machines (VMs). Thus, an attacker is able to manipulate the execution of the VMs and steal secrets and confidential data from companies and customers. The secrets could allow an attacker to impersonate an online service or access additional systems, such as a database. Hardware vendors have released different technologies to protect VMs from attackers that control the cloud platform. AMD recently released Secure Encrypted Virtualization (SEV) for this purpose. SEV encrypts the main memory of different VMs during runtime with separate keys that are accessible only to the hardware itself.
Current research has shown that an attacker is able to extract the memory encryption key from the hardware and secrets from the VM's main memory. Further, she is able to tamper with the processed data and manipulate the SEV firmware.
Nevertheless, current research does not implement a code injection attack against VMs protected by SEV. In this thesis, we perform a security analysis of SEV. Based on this analysis, we develop an approach to inject a payload into the encrypted guest memory using virtio-based network I/O. We combine this payload injection with a Second Level Address Translation (SLAT) remapping attack to trigger the execution of the payload in the guest's kernel. Thus, we exploit design vulnerabilities of SEV to hijack the guest kernel's control flow. By injecting the code into the guest's kernel, we can access all data of the VM, extract secrets, and gain persistence in the guest. Thus, we are able to fully control the VM without the guest's owner being able to detect the exploitation.
Based on the vulnerabilities found, we propose an effective hardware-based memory protection system which uses Address Independent Seed Encryption (AISE) for main memory encryption and a Bonsai Merkle Tree (BMT) for integrity and replay protection.
The designed mechanism is capable of preventing all attacks from current research as well as our own code injection attack. Further, we analyze whether guests can avert the leakage of data and secrets through known attacks using the capabilities of the current version of SEV and additional software-based protection.
Overall, we show that memory encryption alone is not sufficient for protecting guest VMs in a virtualization environment; strong integrity protection that also prevents remapping attacks is needed.
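To make the closing argument concrete, the following added example (not code from the thesis) models the proposed design in miniature: AISE-style counter-mode encryption seeded by a per-page logical id and a per-block counter, a MAC that binds each ciphertext to its address and counter, and a root hash over the counters standing in for the on-chip BMT root. It assumes HMAC-SHA256 in place of the AES-based functions and a flat hash instead of a hierarchical tree; the two `simulate_*` helpers only model the effect of a remapping or replay on DRAM contents so that the checks can be exercised, and `read(check=False)` shows what encryption-only memory would accept.

```python
import hashlib, hmac, os

KEY = os.urandom(32)   # on-chip memory encryption key (constructed; hypervisor never sees it)
BLOCK = 16             # bytes per memory block (simplified)

def prf(*parts):
    """Keyed PRF standing in for the AES-based keystream and MAC functions."""
    return hmac.new(KEY, b"|".join(parts), hashlib.sha256).digest()

class ProtectedMemory:
    """AISE-style counter-mode encryption, a MAC binding each ciphertext to its
    address and counter, and a hash over all counters standing in for the BMT root."""
    def __init__(self, nblocks):
        self.lpid = [os.urandom(8) for _ in range(nblocks)]  # address-independent seed
        self.ctr = [0] * nblocks                              # in DRAM, covered by the tree
        self.ct = [b"\x00" * BLOCK] * nblocks                 # ciphertext in DRAM
        self.mac = [b""] * nblocks                            # per-block MACs in DRAM
        self.root = self._counter_root()                      # trusted copy inside the CPU

    def _counter_root(self):
        return prf(b"root", *(c.to_bytes(8, "big") for c in self.ctr))

    def _keystream(self, addr):
        return prf(b"ks", self.lpid[addr], self.ctr[addr].to_bytes(8, "big"))[:BLOCK]

    def _mac(self, addr):
        return prf(b"mac", addr.to_bytes(8, "big"), self.ctr[addr].to_bytes(8, "big"), self.ct[addr])

    def write(self, addr, plaintext):
        self.ctr[addr] += 1                                   # fresh counter, fresh keystream
        self.ct[addr] = bytes(p ^ k for p, k in zip(plaintext, self._keystream(addr)))
        self.mac[addr] = self._mac(addr)
        self.root = self._counter_root()

    def read(self, addr, check=True):
        """Plaintext, or None if a check fails; check=False models encryption-only memory."""
        if check and self.root != self._counter_root():       # counter rolled back (replay)
            return None
        if check and not hmac.compare_digest(self.mac[addr], self._mac(addr)):
            return None                                       # block moved or modified
        return bytes(c ^ k for c, k in zip(self.ct[addr], self._keystream(addr)))

def simulate_remap(mem, victim, source):
    """Serve the ciphertext and MAC stored at `source` on reads of `victim`,
    the effect of pointing a guest page at a different host frame."""
    mem.ct[victim], mem.mac[victim] = mem.ct[source], mem.mac[source]

def simulate_replay(mem, addr, snapshot):
    """Restore an earlier (ciphertext, MAC, counter) triple from DRAM."""
    mem.ct[addr], mem.mac[addr], mem.ctr[addr] = snapshot
```

With the checks enabled both a moved block and a rolled-back block are rejected, whereas encryption alone returns the stale plaintext after a replay and garbage after a remap without any error.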