Merge branch 'lecture' of https://github.com/jimmy-zx/kvmdemo into HEAD

merge detached head

.gitignore

@@ -375,3 +375,5 @@ TSWLatexianTemp*
 #*Notes.bib
 
 *.pdf
+
+.DS_Store

README.md

@@ -10,17 +10,28 @@ toc: true
 
 In CSC347:
 
-- Run another O/S with vulunerbility
+- Run another O/S with vulnerability
 - Emulate network topology
 
 Generally:
 
 - Kernel development (do not want to crash the working system during debugging)
-- Multiple O/S ABI, compatability (Gaming in Windows, Running MS Office on Linux, WSL)
+- Multiple O/S ABI, compatibility (Gaming in Windows, Running MS Office on Linux, WSL)
 - Multiplexing (Cloud computing like AWS)
 - Isolation (Testing a virus in a VM)
 - Multiple versions of a shared library
 
+## Why VM - 2
+
+From Disco (VMWare): run an old OS on a new ccNUMA machine.
+
+Disco handles the NUMA architecture, allowing non-NUMA-aware O/S to be ran efficiently.
+
+You might want to run Windows 10 Home/Pro on a multi-CPU machine, where
+Windows 10 only utilizes up to 4 CPUs.
+
+Or run Windows 7 on a new Intel CPU.
+
 ## VM Vendors
 
 - VMWare Workstation / ESXi (Vmware)
@@ -34,7 +45,7 @@ We will use KVM in the lab.
 
 ### Containers
 
-Depends on OS features, requireing same ABI and ISA.
+Depends on OS features, requiring same ABI and ISA.
 Provides isolation.
 
 - Docker
@@ -44,7 +55,7 @@ Provides isolation.
 ### Other technologies
 
 - Chroot: Changes the `/` directory.
-- Wine: Compatability layer (ABI) for Win32
+- Wine: Compatibility layer (ABI) for Win32
 
 ## What is a VM
 
@@ -99,60 +110,60 @@ Performance! We want the guest to be run with small overheads.
 
 ### Full virtualization
 
-Interpreting the instructions on the fly. (Similar to Python)
+Intercept everything. Interpreting the instructions on the fly. (Similar to Python)
 
 Very slow!
 
 ### Paravirtualization
 
 We want the binary to be executed on the CPU directly.
 
-Guests are executed in isolated domain, but harware are not simulated.
+Guests are executed in isolated domain, but hardware are not simulated.
 Some instructions needs to be handled by the hypervisor.
 
 ## Virtualize priviledged instruction
 
-When the guest wants to execute some priviledge instruction, it must be
+When the guest wants to execute some privileged instruction, it must be
 **intercepted** by the hypervisor so that the request can be
 **interpreted** so that the hypervisor does the request for the guest and
 pass back the control to the guest.
 
 Ideally the guest should not be aware of this process for transparency.
 
-## Interception - Using traps
+## Interception - Trap-and-emulate
 
-When a priviledged instruction is executed in user mode, the CPU will
+When a privileged instruction is executed in user mode, the CPU will
 generate an interrupt (usually Generally Protection) and traps to the kernel.
 
 Problem: some instructions does not get trapped in the original `x86` ISA,
-some gets failed silently while others does not need priviledge.
+some gets failed silently while others does not need privilege.
 
 A guest O/S might see nonsense when executing a `SIDT` instruction, which does
-not require priviledge.
+not require privilege.
 
-Ideally, sensitive instruction should be a subset of priviledged instructions.
+Ideally, sensitive instruction should be a subset of privileged instructions.
 
 ## Interception - Modification of guest code
 
 Intercept the execution of sensitive instructions, by replacing
 them with a call to the hypervisor. (hypercall)
 
-### Binary rewriting
+### Binary translation
 
 Before loading a binary into the memory, examine them
 so that every sensitive instruction is replaced by a hypercall.
 Maintains a cache for performance. (VMWare)
 
 ### Guest modification
 
-Rewrite the kernel such that priviledged instructions
+Rewrite the kernel such that privileged instructions
 are replaced by a hypercall. (Xen)
 
 ## Hypercalls
 
 Now the CPU is virtualized. What about devices?
 
-IO are just privilged instructions `in`, `out` / mmaped IO. Which are trapped
+IO are just privileged instructions `in`, `out` / mmaped IO. Which are trapped
 to the hypervisor when called.
 
 Instead, we can use custom drivers to issue **hypercalls** instead.
@@ -188,7 +199,7 @@ Nested Page Tables (AMD), Extended Page Tables (Intel)
 
 The problem: dynamic analysis of malware is typically automated and done from virtual machine - but what if the malware is aware?
 
-So we need to understand how: 
+So we need to understand how:
 
 1. malware author detect when malware is running in a virtual environment
 2. to harden the security system to reduce the odds of evasion
@@ -235,7 +246,9 @@ CPUID Spoofer, Pafish, al-khaser (bypass vm detection by changing some fields).
 Example:
 - Starting a Windows 11 vm (maybe should change to Windows 10 later for better illustration)
 
-- Run vm detection (Pafish): ![before modification](assets/Screenshot_2024-01-31_12-57-18.png)
+- Run vm detection (Pafish): ![before modification](assets/detection-before.PNG)
+
+## Anti VM detection - Patch
 
 - Shut down vm, go to physical machine, modify `.vmx` file (vmware):
 
@@ -254,10 +267,13 @@ ethernet0.address = "00:10:34:3B:F3:11"
 ethernet1.address = "00:31:34:37:A6:F9"
 ```
 
-- Restart the vm and run pafish, it bypasses some detection:
-![after modification](assets/s2.png)
+## Anti VM detection - Patched (1)
+
+![after modification](assets/detection-after-1.PNG)
 
+## Anti VM detection - Patched (2)
 
+![after modification](assets/detection-after-2.PNG)
 
 
 # VM escape
@@ -284,13 +300,13 @@ Virtual machine escape is an exploit in which the attacker runs code on a VM tha
 
 ![backdoor](assets/backdoor.svg)
 
-### The Vulnerability
+## The Vulnerability
 
 ![dndcp1](assets/dndcp1.svg)
 
 ![dndcp2](assets/dndcp2.svg)
 
-### Overflow
+## Overflow
 
 ![packet](assets/packet.svg)
 
@@ -303,7 +319,7 @@ vmx.capability.dnd_version
 vmx.capability.copypaste_version
 ```
 
-### Defeating ASLR
+## Defeating ASLR
 
 ```
 info-set guestinfo.KEY VALUE
@@ -312,7 +328,7 @@ info-get guestinfo.KEY
 
 `VALUE` is a string and its string length controls the allocation size of a buffer on the heap.
 
-### Code Execution
+## Code Execution
 
 - Send a `unity.window.contents.start` to write a 64-bit address of a stack pivot gadget at a know address with the `height` and `width` parameters.
 - Overwrite the vtable address with a pointer to the 64-bit address (adjusted with the offset of the vtable entry that will be called).
@@ -354,6 +370,7 @@ characters from the hypervisor's STDIN.
 5. [Wikipedia: SLAT](https://en.wikipedia.org/wiki/Second_Level_Address_Translation)
 6. [Wikipedia: Virtualization](https://en.wikipedia.org/wiki/Virtualization)
 7. [Formal requirements for virtualizable third generation architectures](https://dl.acm.org/doi/10.1145/361011.361073)
+8. [Disco: running commodity operating systems on scalable multiprocessors](https://dl.acm.org/doi/10.1145/265924.265930)
 
 ### Graphs