Presentation Material
Abstract
The ARM architecture has instructions that deliberately generate an exception. They are typically executed to request a service from software running at a higher privilege level: from the OS kernel (EL1), software can call the hypervisor (EL2) with the HVC instruction.
The KVM hypervisor is part of the Linux kernel and is enabled by default on all supported ARM systems. On ARM, KVM is implemented as split-mode virtualization and runs across different privileged CPU modes. This talk discusses that design and a security issue in the way the Linux kernel initializes the KVM hypervisor: an attacker with code execution in host EL1 can execute code in EL2. The issue can be exploited to install a hypervisor rootkit on an ARM system.
AI Generated Summary (may contain errors)
Security Vulnerability: Hypervisor-Based Rootkit
A security expert discusses a vulnerability in ARM-based systems that lets an attacker execute code in EL2 (the hypervisor privilege level) from EL1 (the kernel privilege level), where it is hard to detect. The attacker moves their code from EL1 to EL2, isolates it with EL2 page tables, and configures EL2 so that kernel integrity mechanisms such as PatchGuard or Linux Kernel Runtime Guard (LKRG) are bypassed.
Impact:
- The vulnerability is particularly impactful on mobile and IoT devices built on ARM processors, where the bootloader commonly starts the kernel at EL2.
- The affected architectures are ARMv7-A and ARMv8-A with the hardware virtualization extensions (on ARMv7-A the EL2 privilege level is called HYP mode).
- A successful attack can lead to a stealthy and sophisticated rootkit installation.
Demo:
The expert demonstrates the vulnerability in QEMU 2, running a Linux guest with a Cortex-A57 CPU. They show how an attacker at EL1 reaches code execution at EL2 by issuing the reset-vector-table and set-vector-table hypercalls that the kernel leaves reachable at EL2, and then accesses EL2 hardware registers from code that originated at EL1.
Mitigation:
To prevent this attack, the recommendation is to patch the bootloader so that Linux is started at EL1, with KVM disabled by default, on systems that do not need KVM. A kernel that never ran at EL2 leaves no EL2 entry point that an attacker can use as a backdoor to install a hypervisor-based rootkit.
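A practitioner checking a fleet against this mitigation first wants to know whether the host kernel was entered at EL2 at all, since that is the precondition for the EL1-to-EL2 move described above. The following shell script is an added example, not material from the talk or from the Linux project: it classifies a saved kernel log by the arm64 boot messages "CPU: All CPU(s) started at EL1/EL2" and KVM's "... mode initialized successfully" line. The exact wording of these messages varies between kernel versions, so the grep patterns are assumptions to be adjusted for the kernels being audited, and the sample logs are constructed, not captured from real hardware.

```shell
#!/bin/sh
# Added example (not from the talk): classify, from a saved kernel log,
# which exception level the kernel was entered at and whether KVM took
# over EL2. The message strings assumed here are the ones printed by
# arm64 Linux ("CPU: All CPU(s) started at EL2",
# "kvm [1]: Hyp mode initialized successfully"); wording differs between
# kernel versions, so adjust the patterns for the kernel you audit.
#
# Output on stdout:
#   EL1      kernel started at EL1; the host kernel never owned EL2
#   EL2-KVM  started at EL2 and KVM reports it initialised EL2
#   EL2-STUB started at EL2 with no KVM initialisation message: whatever
#            early boot code left installed at EL2 is what answers HVC
#            from host EL1 (the case the talk's mitigation removes)
#   UNKNOWN  neither marker found (not arm64, or log truncated)
classify_el_boot() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'CPU: All CPU(s) started at EL1'; then
        echo EL1
        return 0
    fi
    if printf '%s\n' "$log" | grep -q 'CPU: All CPU(s) started at EL2'; then
        # Matches "Hyp mode", "VHE mode" and "Protected nVHE mode" variants.
        if printf '%s\n' "$log" | grep -qi 'kvm.*mode initialized'; then
            echo EL2-KVM
        else
            echo EL2-STUB
        fi
        return 0
    fi
    echo UNKNOWN
    return 1
}

# Constructed sample logs (not captured from a real machine); the MIDR
# value is the Cortex-A57 part number used by the talk's demo setup.
SAMPLE_EL1='[    0.000000] Booting Linux on physical CPU 0x0000000000 [0x411fd070]
[    0.150000] CPU: All CPU(s) started at EL1
[    1.200000] kvm [1]: HYP mode not available'

SAMPLE_EL2_KVM='[    0.000000] Booting Linux on physical CPU 0x0000000000 [0x411fd070]
[    0.150000] CPU: All CPU(s) started at EL2
[    1.200000] kvm [1]: Hyp mode initialized successfully'

SAMPLE_EL2_STUB='[    0.000000] Booting Linux on physical CPU 0x0000000000 [0x411fd070]
[    0.150000] CPU: All CPU(s) started at EL2
[    1.200000] usbcore: registered new interface driver usbfs'

# Live usage on a host:  dmesg | classify_el_boot
# Self-check on the constructed samples:
for s in "$SAMPLE_EL1" "$SAMPLE_EL2_KVM" "$SAMPLE_EL2_STUB"; do
    printf '%s\n' "$s" | classify_el_boot
done
```

EL2-STUB is the configuration the mitigation targets: the bootloader handed EL2 to Linux, Linux is not using it for KVM, and yet EL2 remains reachable through HVC from the host kernel. EL1 is the state the patched bootloader should produce on systems that do not need KVM.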