Reading
The power of virtualization and kernel extension is available to attackers as well as defenders. These papers explore how virtual machine monitors and eBPF can be used for evil as well as good.
- “SubVirt: Implementing malware with virtual machines”, Samuel T. King, Peter M. Chen, Yi-Min Wang, Chad Verbowski, Helen J. Wang, Jacob R. Lorch (IEEE Security and Privacy 2006)
- “An Analysis of Speculative Type Confusion Vulnerabilities in the Wild”, Ofek Kirzner and Adam Morrison (USENIX Security 2021; Best Paper, Internet Defense Prize winner) (presentation available)
- Like many attack-oriented papers, this paper involves a lot of deep detail. I recommend watching the (12-minute) presentation to get situated.
Further reading
The speculative type confusion paper uses eBPF as its attack vector, but the underlying attack (Spectre) is not eBPF-specific. We read it nevertheless because it is a high-impact paper and it demonstrates how eBPF can change the kernel’s attack surface. In contrast, the following paper leverages eBPF directly to attack networked applications:
- “Cross Container Attacks: The Bewildered eBPF on Clouds”, Yi He, Roland Guo, Yunlong Xing, Xijia Che, Kun Sun, Zhuotao Liu, Ke Xu, Qi Li (USENIX Security 2023) (presentation available)
The next paper shows how eBPF can help escalate a kernel memory vulnerability into privilege escalation and full system compromise. That is interesting, but there are always many ways to turn kernel memory vulnerabilities into privilege escalation.
- “EPF: Evil Packet Filter”, Di Jin, Vaggelis Atlidakis, Vasileios P. Kemerlis (USENIX ATC 2023) (presentation available)
Reading questions
- Which of the attacks (SubVirt or speculative type confusion) is more worrisome for today’s systems, and why?
- Both papers also discuss mitigations. Do their mitigations seem worth their performance cost?