Software attacks against intel vt d technology comment. Thoughts on intels upcoming software guard extensions part 2. How essential are individual vtd features for qubes os 4. Turn on intel virtualization technology for io vt d. May, 2011 by joanna rutkowska today we publish a new paper which is a result of our several month long indepth evaluation of intel vtd technology. Intel virtualization technology for directed io intel vtd supports remapping of direct memory access dma transfers and devicegenerated interrupts, which helps to improve isolation of io devices. Intel vtd hardware assist for virtualization in the chipset plays a vital role in making this innovation possible. Attacking intel txt txts key functionality, the late launch, is often advertised as a way to load and start a piece of trusted code usually a vmm, no matter what is the state of the system, at the moment just before performing the launch. Subverting the xen hypervisor xen 0wning trilogy part i. Enhanced security with windows 10 and intel core vpro. Sophisticated software has been written to penetrate corporate, government and military networks and servers in order to access proprietary and sensitive information, and to perform malicious and criminal attacks that compromise the integrity of, and.
The relationship between vt and vt d is that the former is an umbrella term referring to all intel virtualization. As part of the intel vpro platform, intel hardware shield helps ensure that the operating system runs on legitimate hardware. Sophisticated software has been written to penetrate corporate, government and military networks and servers in order to access proprietary and sensitive information, and to perform malicious and criminal attacks that compromise the. The following discussion focuses only on virtualization of the x86 architecture protected mode in protected mode the operating system kernel runs at a higher privilege such as ring 0, and applications at a lower privilege such as ring 3. Intel virtualization vtdvtx firmware tpm a firmware version instead of real hardware which provides authenticity to the platform and helps ensure that there are no signs of security breaches. Intel hardware shield is the cornerstone of a more secure pc fleet, delivering protections against firmware attacks for increased platform protection. Furthermore, attacks against memory management units have been demonstrated in the past and therefore cannot be considered trustworthy. Intel has been offering intel virtualization technology for directed io intel vt d as of the nehalem microarchitecture xeon 34xx, 55xx and more systems, see intel microarchitecture overview. Although, if vtd virtualization trusted io is also needed. Intel trusted execution technology provides hardwarebased mechanisms that help protect against software based attacks and protects the confidentiality and integrity of data stored or created on the client pc. We will describe how you can activate intel vtd from the bios in this article to use intel vtd, both the chipset and the bios must support vtd.
Malicious io devices might compromise the os using dmas. Software attacks against intel vtd technology, april 2011. Amd firmware tpm intel platform trust technology random number generator a hardwarebased random number generator for cryptographic protocols. Preventing and detecting xen hypervisor subversions xen 0wning. Intel virtualization technology for directed io vtd. This computer was not vulnerable to closedchassis attacks. In vtdamdvi a virtual guest has a direct and dedicated access to a device. The dma virtualization hardware and irq virtualization hardware, built in the north bridge. Intel virtualization technology intel vt provides hardware assist to the virtualization software, reducing its size, cost, and complexity. Sep 23, 20 thoughts on intels upcoming software guard extensions part 2 in the first part of this article published a few weeks ago, i have discussed the basics of intel sgx technology, and also discussed challenges with using sgx for securing desktop systems, specifically focusing on the problem of trusted input and output.
In 2007, intel introduced a new security feature on the business desktop line called trusted execution technology txt. Software attacks against intel r vtd technology we discuss three software attacks that might allow for escaping from a vtdprotected driver. Intel vtd is the latest part of the intel virtualization technology hardware architecture. Software attacks against intel vtd technology comment. Activating the intel vtd virtualization feature thomas. To run a vm the only thing that is required is vtx the basic support for virturalization. The iommu has been included several years ago in intel processor architectures to provide better protection against lowlevel attacks. Design of vtd the key to io virtualization is to solve the problem of dma and irq interrupt request. This technology is coupled with vtd intel virtualization technology for directed io which, among other things, protects certain areas related to txt from dma. While this mechanism has proved to be efficient to cope with several io attacks, this paper shows that it can be bypassed by exploiting a design weakness in its configuration by both firmwares and the linux.
To use intel vt d, both the chipset and the bios must support vt d. Vmms can use vtd to directly assign an io resource to a specific vm. We discuss three software attacks that might allow for escaping from a vtdprotected driver domain in a virtualization system. May, 2011 today we publish a new paper which is a result of our several month long indepth evaluation of intel vt d technology.
Intel vtd, a hardware technology for device virtualization, also known as iommu, is one of the several key technologies that together comprise the matrix intel. Virtualization is the use of hardwareassisted virtualization capabilities on an x86x8664 cpu. On the feasibility of software attacks on commodity. Intel vt d technology does not protect against certain class of software. We are the first to present a novel method for detecting and preventing dmabased attacks. We discuss three software attacks that might allow for escaping from a vtd protected driver domain in a virtualization system. Finally, we discuss how new hardware from intel offers a potential for protection against our attacks in the form of interrupt. By using the vtd hardware assistance built into intel s. Intel virtualization technology is the companys hardware assistance for processors running virtualization platforms like vm ware and virtual box. Intel virtualization technology intel vt represents a growing portfolio of technologies and features that make virtualization practical by eliminating performance overheads and improving security. Hardware virtualization technology and its security. A primitive for revealing stealthy peripheralbased attacks.
Oct 19, 2017 intel virtualization technology is the companys hardware assistance for processors running virtualization platforms like vm ware and virtual box. Intel trusted execution technology trusted execution technology, or txt, is just one of the ways intel is working to keep your system more safe. Vt d should decrease the latency and cpu overhead of the network connection of the guest. Could you please point me to the chapters or other sources relevant to the demonstration or investigation of an attack on a system without vt d. We will describe how you can activate intel vt d from the bios in this article. Mar 05, 2012 intel vtd is the latest part of the intel virtualization technology hardware architecture. In general, enclave operations that require an ocall, such as thread synchronization, io, etc. Vtd helps the vmm better utilize hardware by improving application compatibility and reliability, and providing additional levels of manageability, security, isolation, and io performance. Software attacks against intelr vtd technology or that it means that something will not work. Without intel vt d the graphics card is emulated in the vmm in software and all the acceleration like open gl and directx is not possible. A primitive for revealing stealthy peripheralbased. Joanna rutkowskas 5 research works with 315 citations and 533 reads, including. We are not aware of any previous work on software attacks against intel vtd technology, nor against any other iommu technology. Finally, we discuss how new hardware from intel offers a potential for protection against our attacks in the form of interrupt remapping for.
Software attacks against intel r vtd technology we discuss three software attacks that might allow for escaping from a vtd protected driver. The attacks discussed in this paper abuse devices ability to send malicious interrupts, and, as discussed at the end of the paper, can be prevented with interrupt remapping, technology available on recent intel. This technology is coupled with vt d intel virtualization technology for directed io which, among other things, protects certain areas related to txt from dma. Thoughts on intels upcoming software guard extensions. By using the vtd hardware assistance built into intels. Jan 30, 2020 in the case of the hp laptop, eclypsium conducted a successful openchassis preboot dma attack using pcileech, despite the presence of protections such as hp sure start, which should protect the bios, and intels vtd implementation of iommu. Vt d stands for intel virtualization technology for directed io. Trusted execution technology, or txt, is just one of the ways intel is working to keep your system more safe. Sep 22, 2008 intel vt d hardware assist for virtualization in the chipset plays a vital role in making this innovation possible. Software attacks against intel r vt d technology or that it means that something will not work. Attacking intel txt txts key functionality, the late launch, is often advertised as a way to load and start a piece of trusted code usually a vmm, no matter what is the state of the system, at the moment just before performing the. Vtd should decrease the latency and cpu overhead of the network connection of the guest. Jun 01, 2009 intel virtualization technology for directed io intel vt d supports remapping of direct memory access dma transfers and devicegenerated interrupts, which helps to improve isolation of io devices. Intel trusted execution technology provides hardwarebased mechanisms that help protect against softwarebased attacks and protects the confidentiality and integrity of data stored or created on the client pc.
Intel hardware shield intel vpro platform bios security. In the late 1990s x86 virtualization was achieved by complex software techniques, necessary to compensate for the processors lack of hardwareassisted virtualization capabilities while attaining reasonable performance. Devices still vulnerable to dma attacks despite protections. Intel platform trust technology intel ptt intel platform trust technology intel ptt is a platform functionality for credential storage and key management used by windows 8 and windows 10. Security features over the last several years, computer security has become a major concern for all users and manufacturers around the world.
Attacking intel trusted execution technology by rafal wojtczuk and joanna rutkowska software attacks coming through devices. Many of the most sophisticated attacks against pc equipment nowadays. I do admit that there is a vtd scenario that could be fun at home. The os therefore utilizes the iommu to map and unmap every target buffer right before and after its dma is processed, thereby restricting dmas to their designated locations. Intel has been offering intel virtualization technology for directed io intel vtd as of the nehalem microarchitecture xeon 34xx, 55xx and more systems, see intel microarchitecture overview. Software attacks against intel vtd invisible things lab.
Intel ptt supports bitlocker for hard drive encryption and supports all microsoft requirements for firmware trusted platform module ftpm 2. Jan 25, 2011 in 2007, intel introduced a new security feature on the business desktop line called trusted execution technology txt. In a virtualization environment the system software is the vmm. Another way to circumvent intel trusted execution technology 200912. Intel vtd technology does not protect against certain class of software. Protection from sidechannel attacks intel software. Hardware pagetable walkers reduce addresstranslation overheads, and there is no longer any need for shadow page tables, which saves on memory requirements. On the feasibility of software attacks on commodity virtual. To run a vm the only thing that is required is vt x the basic support for virturalization. Current approaches that secure hypervisors mainly focus on code or controldata integrity, without paying attention to noncontrol data integrity. And to answer second half of your question it will not do anything to graphics performance. It also provides hardwareto software security visibility, so the. In windows 10 version 1803, only intel vt d is supported. Finally, as a proof of concept, a linux rootkit based on the attack presented in.
This set of cpu instructions provides applications the ability to create a secure area in which to protect data from access by other rogue software. Vmms can use vt d to directly assign an io resource to a specific vm. It is the enclave developers responsibility to address sidechannel attack concerns. In the desktop and laptop space for the vast majority of people vtd only real value is that it is part of the requirements for a computer based on the intel vpro technology for use in a business environment.
Windows hello windows hello is a biometric technology that uses the face, iris, or fingerprint as password alternatives to launching windows. Software attacks against intel vtd by rafal wojtczuk and joanna rutkowska, april 2011 on formally verified microkernels and on attacking them by joanna rutkowska, may 2010. To defend against such attacks, hardware vendors introduced. A primitive for revealing stealthy peripheralbased attacks on the computing platforms main memory. Vtd stands for intel virtualization technology for directed io. Intel virtualization technology roadmap and vtd support in xen.
Inspired by the standard x86 mmutlb, intel vtd uses a radix tree for. In the desktop and laptop space for the vast majority of people vt d only real value is that it is part of the requirements for a computer based on the intel vpro technology for use in a business environment. Recent successful attacks against hypervisors indicate that they face the similar integrity threats as traditional operating systems. It also creates the ability to isolate malicious attacks to a single. Thoughts on intels upcoming software guard extensions part 2 in the first part of this article published a few weeks ago, i have discussed the basics of intel sgx technology, and also discussed challenges with using sgx for securing desktop systems, specifically focusing on the problem of trusted input and output. Direct memory access dma is a technology that allows inputoutput io devices. Txt is the foundation of a new generation of safe computers. This technology, when combined with an intel txt enabled operating system, uses hardware enhancements to protect your data and your privacy by defending against softwarebased attacks. Hypervisors are becoming a widespread virtualisation layer in current computer systems.
Intel vt provides hardware assist to the virtualization software, reducing its size, cost, and complexity. Today we publish a new paper which is a result of our several month long indepth evaluation of intel vtd technology. Txt was added to intel vpro notebooks in 2008 and to the server platform in 2010. Software attacks against intel vtd, 2011, paper another way to circumvent intel trusted execution technology, 2009, paper virtualization insecurity traning at black hat, 2009, agenda. In the case of the hp laptop, eclypsium conducted a successful openchassis preboot dma attack using pcileech, despite the presence of protections such as hp sure start, which should protect the bios, and intels vtd implementation of iommu. I do admit that there is a vt d scenario that could be fun at home. Intel h410 chipset quick reference guide including specifications, features, pricing, compatibility, design documentation, ordering codes, spec codes and more. Intel vtd technology is based on hardwareassisted virtualization technology of north bridge. Txt provides hardware and firmware security against software intended attacks. We discuss three software attacks that might allow for escaping from a vt d protected driver domain in a virtualization system. Could you please point me to the chapters or other sources relevant to the demonstration or investigation of an attack on a system without vtd.
Jan 09, 2011 in vt d amdvi a virtual guest has a direct and dedicated access to a device. Kernel dma protection for thunderbolt 3 windows 10. The relationship between vt and vtd is that the former is an umbrella term referring to all intel virtualization. There is no longer any need for pagetable shadowing in software, and it is possible to avoid io emulation for directmapped io devices. If the current state of kernel dma protection is off and virtualization technology in firmware is no. Without intel vtd the graphics card is emulated in the vmm in software and all the acceleration like open gl and directx is not possible. We then focus on one of those attacks, and demonstrate practical and reliable code execution exploit against a xen system.
1435 1192 1147 477 23 827 141 353 160 537 349 427 587 1096 1503 812 1306 151 237 1310 12 663 1065 604 826 891 280 598 78 907 1400 326 197 285 338 1348 100 1313 547 667 246 66 584 486 1223 1087 628 857