Summary of security threats on the xen Platform

This article classifies software and hardware attacks on the xen platform, and provides simple attack methods for each type of attacks. In fact, hackers, viruses, and other attack methods are far more than that, this section only summarizes some common attack methods.

The first is to summarize the hardware security threats on the xen platform.

L CPU threats: 1) the attacker updates and modifies the microcode through the microcode of the CPU. As a result, the CPU executes the command to assume that it is currently in the privileged level (RING 0 ), attackers can access the hypervisor's physical memory illegally. 2) the malicious VM controls the CPU cache content, causing the CPU to inadvertently execute the hypervisor modified in the cacheCode. 3) attackers modify the SMI handler in the bios and have sufficient permissions to execute the code in the SMM to modify the physical memory area of the hypervisor.

L Northbridge DMA attack: IEEE 1394 (FireWire) allows the terminal to send a serial bus for remote DMA requests. attackers can send DMA requests to read and write the entire memory area of the system through the FireWire controller, to attack hypervisor.

L Southbridge attacks: SMI (System Management Interrupt) is an interrupt processing function running in system management mode (SMM), which is stored in System Management RAM (smram ). Attackers can use the I/O operations on the nanqiao chip to control access to smram. Therefore, attackers can construct malicious SMI handler to destroy hypervisor.

 

Then there is the software security threats on the xen platform. Here we will focus on the security threats to the firmware. For example, hypervisor software vulnerabilities, the attacks caused by OS bugs also fall within this scope. As there are too many attack methods in this regard, we will not summarize them.

Bios/UEFI threats: 1) rewrite malicious code through normal BIOS firmware to crack hypervisor integrity. 2) If the bios/EFI Manufacturer uses the updated code signature method, you can modify the custom section of the BIOS of the OEM manufacturer to launch an attack.

Ø threat from option ROM: Option ROMs includes the firmware (also known as the BIOS of these devices) of devices such as SCSI Storage controllers, raid, Nic, and video controllers, different from primary BIOS ). Attackers can use malicious code to replace these option Roms. When the OS is running, they can call these Malicious firmware codes to access the hypervisor memory area.

Ø ACPI threats: Advanced confirmation and Power Interface (ACPI) is a Power Management Specification for existing commercial PCs. It uses the AML (ACPI machine language) script to manage the Point Resource Status of various devices. These AML scripts are read and parsed by the OS in kernel mode (RING 0). Attackers can insert malicious AML scripts to access the hypervisor memory area.

Other software code: malicious code in the VM controls the Cache Policy of the hypervisor to obtain access to the memory area of the hypervisor.

http://hi.baidu.com/mars208/blog/item/0ec3413aaf9e333071cf6c1a.html/cmtid/fdfd13f155e1712abd31096c