====== HVM security research ======

{{template>:project:infobox|
name=HVM security research|
image=pills.jpg?200|
founder=[[user:fissie]]|
interested=|
sw=TBD|
hw=N/A|
status=postponed}}

~~META:
status = postponed
&relation firstimage = :project:pills.jpg
~~

The aim of this project is to research the security implications of hardware virtualization extensions. Such extensions are present in almost every modern x86 CPU (under the marketing names AMD-V/SVM and Intel VT-x), and although they are very useful, it is believed that malicious software can use them to become virtually (no pun intended) undetectable. This was first shown to be possible by the [[wp>Blue Pill]] rootkit by [[wp>Joanna Rutkowska]].

The goal of this project is to research the theory around the technology, implement a very thin "hypervisor" layer suitable for security research, and go from there...

===== Status and Roadmap =====

  * [DONE] Gather information and links related to the technology
  * [IN PROGRESS] Gather already published papers, articles and code on HVM security
  * [PENDING] Discuss and design the framework on which we will base our research. Should it be a standalone hypervisor that loads before the OS, or something that loads at runtime, KVM-style? Can we somehow switch an already running OS into a VM?

===== Resources =====

Hardware virtualization in general:
  * [[wp>Hardware_virtual_machine]]
  * [[wp>X86_virtualization]]

Instruction set specifications:
  * Intel Software Developer's Manual: http://www.intel.com/products/processor/manuals/index.htm
    * especially Volume 3B: System Programming Guide: http://www.intel.com/Assets/PDF/manual/253669.pdf
  * AMD64 Architecture Programmer's Manual: http://developer.amd.com/documentation/guides/Pages/default.aspx
    * especially Volume 2: System Programming: http://support.amd.com/us/Processor_TechDocs/24593.pdf
  * Status of the following is unclear, use with care. When in doubt, use the official manuals
    * Hardware Support for Efficient Processor Virtualization: http://download.intel.com/technology/itj/2006/v10i3/v10-i3-art01.pdf
    * Secure Virtual Machine Architecture Reference Manual: http://www.mimuw.edu.pl/~vincent/lecture6/sources/amd-pacifica-specification.pdf

Security research:
  * [[wp>Joanna_Rutkowska]]
  * [[wp>Blue_Pill_(malware)]]
  * [[wp>Red_pill#Other_uses]]
  * [[http://secunia.com/advisories/product/15863/|Xen 3.x vuln stats]]
  * [[http://secunia.com/advisories/product/17812/|kvm vuln stats]]
  * [[http://secdocs.lonerunners.net/documents/details/2794-subverting-the-xen-hypervisor|BH_US_08_Wojtczuk_Subverting_the_Xen_Hypervisor]]