May 21st, 2021 – Alisa Esage
This 2-day intermediate level training will introduce students to the system internals of a widely dominant desktop virtualisation product for MacOS, Parallels Desktop.
In complex systems such as hypervisors, knowledge of system internals is an essential prerequisite for effective vulnerability discovery, be it by static analysis or fuzzing. If you don't know your target's threat model and how it maps to the actual implementation low-level details, your work would be constrained to publicly known attack vectors for bug hunting, which is rarely a good idea.
Much of the content in this training is based on the original research that I did for Pwn2Own 2021. For those who attended the "Hypervisor Vulnerability Research" training, everything would be very familiar and easily falling into place, as we'll follow essentially the same theoretical models (the hypervisor threat model, subsystems, attack vectors, as well as the general structure of the training...) and the same pedagogical approach. For those who didn't, it's up to you to prep yourself, as we will not have time to explore general basics (aside from the first 2-hour block dedicated for that purpose) in the two days of this specialized training.
The training is split in eight 1.5-2 hour blocks, each one focused on one specific topic and complete with an exercise or a lab.
Topics:
1. The Big Picture and the Hypervisor Threat Model. A brief recap of the general and technical hypervisor theory, attack surfaces and vectors. 2. Mapping Parallels Desktop to the Hypervisor Threat Model. Implementation details as it pertains to specific subsystems and attack vectors that we know theoretically. 3. Parallels Tools. Guest OS tools/additions is always a gateway to many interesting hypervisor subsystems. 4. RE platform set up. Symbolizing the unsymbolized, where to get started, key anchor points in the binary, and so on. 5. Subsystem: Guest Services. Deep dive into the subsystem which provides shared capabilities with the host and other non-essential but handy functionality. 6. Subsystem: Virtual Hardware. As expected, Parallels uses a lot of emulated peripheral devices which represent a timeless attack surface in virtualisation providers. 7. Subsystem: Interfaces. The hypercall interface, the Toolgate (low level part of it), and other technical glue which puts together the guest OS, the host OS, and the Hypervisor. 8. Subsystem: VMM. CPU & MMU virtualization.
In each block of Day 2 (blocks 4-8) I will put it in the broad perspective of the industry: how this subsystem is typically implemented in other hypervisors, common security issues and case studies.
Note that this training is primarily focused on reverse-engineering and system internals without much emphasize on fuzzing or static analysis, though we will touch upon threat models and examples of security issues.
Essential prerequisites:
• C language • x86_64 assembly at reading level • Python • Linux • IDA
Recommended prerequisites:
• "Hypervisor Vulnerability Research" training, or an equivalent theoretical foundation. • Some background in binary vulnerability research.
As I mentioned above, this training will follow the general structure and theoretical models of the "Hypervisor Vulnerability Research" training, so you may want to check out the details of the latter.
Training dates and booking will be announced soon.