SlideShare a Scribd company logo

AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) Hypervisor

D
Dave Voutila

This document summarizes a talk given by Dave Voutila about hardening emulated devices in OpenBSD's vmd hypervisor. The talk discusses how vmd currently uses a single process model that shares memory between the hypervisor and VMs, presenting security risks. It proposes moving to a multi-process model where each VM is launched via fork and exec to isolate it and remove leftover state. This would help prevent guest-to-host escapes by isolating device emulation and limiting information leaks between VMs. Some initial benchmarks show the changes have little performance impact on disk and network I/O. Future work is planned to further isolate guest memory and expand device support.

Technology
1 of 23
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
Dave Voutila <dv@openbsd.org>, AsiaBSDCon 2023 Hardening Emulated Devices in OpenBsd’s vmd(8) Hypervisor fork& exec& fork& exec.
Dave Voutila (dv@) Vermont 🍁, USA 🇺🇸 (40 mins from Québec 🇨🇦)
Hypervisors as High Value Targets Why do you rob a bank? It’s where the money is. 💰 • Shift to multi-tenant public cloud means target rich environments • If it’s networked, it’s vulnerable. • Pop one ESXi instance, now you own many systems • “it’s ok, i’m running it in a vm”
A Potpourri of CVE’s Some classic guest-to-host escapes • QEMU • CVE-2015-3456 — “VENOM” • aka the QEMU fl oppy disk one • CVE-2015-7504 — network device escape • VMWare • CVE-2020-3967 — EHCI heap over fl ow • OpenBSD • DHCP packet handler stack over fl ow (6.8, 6.9) CC BY-SA 4.0, Crowdstrike
Emulated Devices are the Problem When in doubt, cut it out. ✂ • By de fi nition, always handling untrusted (guest) input • Need read/write to guest physical memory • Need read/write to host interfaces (network, fi les, etc.) • Emulating in kernel is asking for trouble, so commonly done in userland • In OpenBSD, only pvclock(4) is handled in the kernel (vmm(4))
Multi-process QEMU First Type-2 open source hypervisor doing this? • Oracle started work in 2017, landed in QEMU December 2020 • Elena U fi mtseva, Jag Raman, John G. Johnson • https://lists.gnu.org/archive/html/qemu-devel/2020-12/msg00268.html • …but, who uses it? • I’d presume Oracle Cloud • ¯_(ツ)_/¯ 🤷 • Documentation is primarily about design, future ideas, & not present day usage. • Additional burden placed upon the poor administrators 😩
vmm(4) / vmd(8) OpenBSD’s native hypervisor • Originally released with OpenBSD 5.9 by mlarkin@ & reyk@ • Currently amd64 only with support for both amd64 and i386 guests • Adopted privilege separation design • fork+exec —> chroot(2) & pledge(2) • drop from root to _vmd • Components • vmm(4) — in kernel monitor • vmd(8) — userland daemon • vmctl(8) — userland control utility
vmd(8) gaps & weaknesses Room for improvement • vm process is fork(2)’d from the vmm process, without execv*(2) • Every vm gets same address space layout • Every vm has junk left over from vmm process (global state) • vm process isn’t chroot’ed & vmm process isn’t running as root • vm process has multiple pledge(2) promises beyond “stdio” • “recvfd” — vm send/recv • “vmm” — vmm(4) ioctl for vcpu, interrupts, registers r/w
Existing Synthetic Mitigations A house is only as good as its foundation. • ASLR — force attackers to need info leaks (3.4) • RETGUARD — control fl ow integrity (6.4 for amd64?) • pledge(2) — minimize syscalls available to attackers (5.9) • unveil(2) — hide parts of the fi le system without root (6.4) • In -current and landing as part OpenBSD 7.3: • mimmutable(2) — prevent changing page permissions or mappings • pinsyscall(2) — minimize allowed call point for syscalls like execve • execute-only — enforce execute-only on .text to prevent ROP (amd64 via kernel PK
Step 1: fork+exec for each vm Minimizing info leaks across vm’s • Switch vmm process from just fork(2) to: fork(2) + execvp(2) • Easy wins 🙌 • Reuse socketpair for IPC between vmm proc and vm • Simply pass the fd number for the channel in argv • Headaches 😖 • vmm process needs absolute path to vmd executable • vm process can’t rely on existing global state for con fi guration
Step 2: Isolate the VirtIO Device “Breaking up is hard to do.” — the Oracle Blog post • vmd uses multiple vm_mem_ranges (bios/reserved, mmio, regular) • The approach: • shm_mkstemp(3) — create temporary fi le for mapping shared memory • ftruncate(2) & shm_unlink(3) — size and remove the temp fi le • fcntl(2) — set the fd to not close on exec • mmap(2) guest memory ranges MAP_SHARED | MAP_CONCEAL • Pass the fd number after exec & re-mmap vm_mem_ranges
Step 3: Wiring up RPC Here’s a dime…call someone who cares. • Sync Channel • Bootstrapping device con fi g post-exec • Virtio PCI register reads/writes • Async Channel • Lifecycle events (vm pause/resume, shutdown) • Assert/Deassert IRQ • Set host MAC (vionet)
Putting it all Together Sorry for my artwork 🧑🎨
High-level Message Flow Sorry for my artwork 🧑🎨 1. Guest fi lls bu ff ers, updates virtqueues, etc. 2. Guest writes to Device register via IO instructions 3. Device is noti fi ed it can process data. Writes it to fd. 4. Device kicks guest via vcpu interrupt to notify bu ff ers are processed
Security! But at what cost? What about the user/admin experience? Does it change? • OpenBSD 7.2 • # vmd -d • # vmctl start -Lc -d disk.raw -m 8g guest • Prototype • # vmd -d • # vmctl start -Lc -d disk.raw -m 8g guest
Security! But at what cost? What about the user/admin experience? Does it change? They’re the same commands.
Security! But at what Cost? vmd(8) has room for performance improvement • zero-copy virtio added only recently • single emulated device thread handles all async io • virtio PCI devices — network, disk, cdrom • ns8250 serial device • i8253 programmable interrupt timer • Mutexes guard device state from competing vcpu & event threads
Quick & Dirty Benchmarking This is not a benchmarking talk 🙅 • Lenovo X1 Carbon (10th gen) • 12th gen Intel i7-1270P @ 2.2 GHz • 32 GiB RAM • 1 TB NVME disk • Guest Operating Systems • OpenBSD 7.2 • Alpine Linux 3.7 (kernel vTKTKT)
vioblk(4) benchmark fi o(1) [ports] performing 8 KiB random writes to 2GiB fi le for 5 minutes • Very little di ff erence in throughput • Very little di ff erence in latency • Long-tail slightly worse on Alpine?? Host Version Guest Version Throughput MiB/s clat avg (usec) clat stdev (usec) 99.90th % (usec) 99.95% (usec) OpenBSD- current OpenBSD- current 90.3 89.9 8730 338 379 Prototype OpenBSD- current 100 76.4 7220 388 429 OpenBSD- current Alpine Linux 3.17 131 11.2 534 32 38 Prototype Alpine Linux 3.17 132 11.7 682 594 685
vio(4) benchmark iperf3(1) [ports] with 1 thread run for 30 seconds, alternating TX/RX • iperf(3) used with 1 thread in alternating client / server modes • Observations • More consistent throughput in OpenBSD guests • Negligible performance decrease for Linux guests (not sure why) Host Version Guest Version Receiving Bitrate (Mbit/s) % Sending Bitrate (MBit/s) % -current OpenBSD 7.2 0.86 — 1.26 — prototype OpenBSD 7.2 1.22 63% 1.35 7% -current Alpine Linux 3.17 1.26 — 4.26 — prototype Alpine Linux 3.17 1.30 5% 3.19 -25%
Headaches! Some things weren’t so easy. 😰 • Dual-channel connectivity • synchronous register io from vcpu thread needs to avoid deadlocks • vcpu vs. event thread isolation • libevent(3) is not thread-safe (OpenBSD bundles v1.x) • Debugging multi-process, async code is often challenging • printf & ktrace can quickly generate lots of noise • nanosleep(2) + gdb attaching directly to device process helps
Future Work & Research Plans for the next hackathon (m2k23) 📋 • Finish lifecycle cleanup (vm send/receive) • QCOW2 disk support — only supports raw images at the moment • Begin merging changes into tree after 7.3 release • vm fork+exec dance • vioblk • vionet • Expand to other devices • ns8250? • Tighten exposure of guest physical memory • guest aware drivers? (is there anything to gain by limiting how much of guest memory we remap?)
Thanks! See you in Ottawa?

More Related Content

PDF
Sustainable architecture in the united arab emirates past and present
Galala University
 
PDF
James Joyce - Landscape Architecture Portfolio
James Joyce, RLA
 
PDF
Free workshop: Sustainable Building with LEED certification
Sasin SEC
 
PDF
Landscape
GAW Consultants
 
PPTX
Process engineering of chemical plant
Pankaj Khandelwal
 
PPTX
Visual dimension.pptx
MoonLight285528
 
PPTX
Plate type heat exchanger by vikas saini
Vikas Saini
 
PPTX
The Role of the Architect
Jonathan Holloway
 
Sustainable architecture in the united arab emirates past and present
Galala University
 
James Joyce - Landscape Architecture Portfolio
James Joyce, RLA
 
Free workshop: Sustainable Building with LEED certification
Sasin SEC
 
Landscape
GAW Consultants
 
Process engineering of chemical plant
Pankaj Khandelwal
 
Visual dimension.pptx
MoonLight285528
 
Plate type heat exchanger by vikas saini
Vikas Saini
 
The Role of the Architect
Jonathan Holloway
 

Similar to AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) Hypervisor (20)

PDF
Extending bhyve beyond FreeBSD guests - EuroBSDCon 2013
bsdvirt
 
PPTX
Server virtualization
Kingston Smiler
 
PPTX
virtualization and hypervisors
Gaurav Suri
 
PDF
31c3 Presentation - Virtual Machine Introspection
Tamas K Lengyel
 
PDF
Storage-Performance-Tuning-for-FAST-Virtual-Machines_Fam-Zheng.pdf
aaajjj4
 
PDF
Libvirt/KVM Driver Update (Kilo)
Stephen Gordon
 
PPTX
Virtualization of computing and servers
pooranionline
 
PPT
Linux virtualization
Google
 
PDF
Rmll Virtualization As Is Tool 20090707 V1.0
guest72e8c1
 
PDF
RMLL / LSM 2009
Franck_Villaume
 
PPT
ppt
webhostingguy
 
PDF
Implements BIOS emulation support for BHyVe: A BSD Hypervisor
Takuya ASADA
 
PDF
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
OWASP Delhi
 
PDF
OSv at Usenix ATC 2014
Don Marti
 
ODP
Kvm and libvirt
plarsen67
 
PDF
Achieving the Ultimate Performance with KVM
data://disrupted®
 
PPTX
Virtualization technolegys for amdocs
Samuel Dratwa
 
PDF
Breaking paravirtualized devices
Priyanka Aash
 
PDF
2virtualizationtechnologyoverview 13540659831745-phpapp02-121127193019-phpapp01
Vietnam Open Infrastructure User Group
 
PPTX
17-virtualization.pptx
KowsalyaJayakumar2
 
Extending bhyve beyond FreeBSD guests - EuroBSDCon 2013
bsdvirt
 
Server virtualization
Kingston Smiler
 
virtualization and hypervisors
Gaurav Suri
 
31c3 Presentation - Virtual Machine Introspection
Tamas K Lengyel
 
Storage-Performance-Tuning-for-FAST-Virtual-Machines_Fam-Zheng.pdf
aaajjj4
 
Libvirt/KVM Driver Update (Kilo)
Stephen Gordon
 
Virtualization of computing and servers
pooranionline
 
Linux virtualization
Google
 
Rmll Virtualization As Is Tool 20090707 V1.0
guest72e8c1
 
RMLL / LSM 2009
Franck_Villaume
 
ppt
webhostingguy
 
Implements BIOS emulation support for BHyVe: A BSD Hypervisor
Takuya ASADA
 
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
OWASP Delhi
 
OSv at Usenix ATC 2014
Don Marti
 
Kvm and libvirt
plarsen67
 
Achieving the Ultimate Performance with KVM
data://disrupted®
 
Virtualization technolegys for amdocs
Samuel Dratwa
 
Breaking paravirtualized devices
Priyanka Aash
 
2virtualizationtechnologyoverview 13540659831745-phpapp02-121127193019-phpapp01
Vietnam Open Infrastructure User Group
 
17-virtualization.pptx
KowsalyaJayakumar2
 
Ad

Recently uploaded (20)

PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Encapsulation theory and applications.pdf
gurumoop
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Ad

AsiaBSDCon2023 - Hardening Emulated Devices in OpenBSD’s vmd(8) Hypervisor

  • 1. Dave Voutila <dv@openbsd.org>, AsiaBSDCon 2023 Hardening Emulated Devices in OpenBsd’s vmd(8) Hypervisor fork& exec& fork& exec.
  • 2. Dave Voutila (dv@) Vermont 🍁, USA 🇺🇸 (40 mins from Québec 🇨🇦)
  • 3. Hypervisors as High Value Targets Why do you rob a bank? It’s where the money is. 💰 • Shift to multi-tenant public cloud means target rich environments • If it’s networked, it’s vulnerable. • Pop one ESXi instance, now you own many systems • “it’s ok, i’m running it in a vm”
  • 4. A Potpourri of CVE’s Some classic guest-to-host escapes • QEMU • CVE-2015-3456 — “VENOM” • aka the QEMU fl oppy disk one • CVE-2015-7504 — network device escape • VMWare • CVE-2020-3967 — EHCI heap over fl ow • OpenBSD • DHCP packet handler stack over fl ow (6.8, 6.9) CC BY-SA 4.0, Crowdstrike
  • 5. Emulated Devices are the Problem When in doubt, cut it out. ✂ • By de fi nition, always handling untrusted (guest) input • Need read/write to guest physical memory • Need read/write to host interfaces (network, fi les, etc.) • Emulating in kernel is asking for trouble, so commonly done in userland • In OpenBSD, only pvclock(4) is handled in the kernel (vmm(4))
  • 6. Multi-process QEMU First Type-2 open source hypervisor doing this? • Oracle started work in 2017, landed in QEMU December 2020 • Elena U fi mtseva, Jag Raman, John G. Johnson • https://lists.gnu.org/archive/html/qemu-devel/2020-12/msg00268.html • …but, who uses it? • I’d presume Oracle Cloud • ¯_(ツ)_/¯ 🤷 • Documentation is primarily about design, future ideas, & not present day usage. • Additional burden placed upon the poor administrators 😩
  • 7. vmm(4) / vmd(8) OpenBSD’s native hypervisor • Originally released with OpenBSD 5.9 by mlarkin@ & reyk@ • Currently amd64 only with support for both amd64 and i386 guests • Adopted privilege separation design • fork+exec —> chroot(2) & pledge(2) • drop from root to _vmd • Components • vmm(4) — in kernel monitor • vmd(8) — userland daemon • vmctl(8) — userland control utility
  • 8. vmd(8) gaps & weaknesses Room for improvement • vm process is fork(2)’d from the vmm process, without execv*(2) • Every vm gets same address space layout • Every vm has junk left over from vmm process (global state) • vm process isn’t chroot’ed & vmm process isn’t running as root • vm process has multiple pledge(2) promises beyond “stdio” • “recvfd” — vm send/recv • “vmm” — vmm(4) ioctl for vcpu, interrupts, registers r/w
  • 9. Existing Synthetic Mitigations A house is only as good as its foundation. • ASLR — force attackers to need info leaks (3.4) • RETGUARD — control fl ow integrity (6.4 for amd64?) • pledge(2) — minimize syscalls available to attackers (5.9) • unveil(2) — hide parts of the fi le system without root (6.4) • In -current and landing as part OpenBSD 7.3: • mimmutable(2) — prevent changing page permissions or mappings • pinsyscall(2) — minimize allowed call point for syscalls like execve • execute-only — enforce execute-only on .text to prevent ROP (amd64 via kernel PK
  • 10. Step 1: fork+exec for each vm Minimizing info leaks across vm’s • Switch vmm process from just fork(2) to: fork(2) + execvp(2) • Easy wins 🙌 • Reuse socketpair for IPC between vmm proc and vm • Simply pass the fd number for the channel in argv • Headaches 😖 • vmm process needs absolute path to vmd executable • vm process can’t rely on existing global state for con fi guration
  • 11. Step 2: Isolate the VirtIO Device “Breaking up is hard to do.” — the Oracle Blog post • vmd uses multiple vm_mem_ranges (bios/reserved, mmio, regular) • The approach: • shm_mkstemp(3) — create temporary fi le for mapping shared memory • ftruncate(2) & shm_unlink(3) — size and remove the temp fi le • fcntl(2) — set the fd to not close on exec • mmap(2) guest memory ranges MAP_SHARED | MAP_CONCEAL • Pass the fd number after exec & re-mmap vm_mem_ranges
  • 12. Step 3: Wiring up RPC Here’s a dime…call someone who cares. • Sync Channel • Bootstrapping device con fi g post-exec • Virtio PCI register reads/writes • Async Channel • Lifecycle events (vm pause/resume, shutdown) • Assert/Deassert IRQ • Set host MAC (vionet)
  • 13. Putting it all Together Sorry for my artwork 🧑🎨
  • 14. High-level Message Flow Sorry for my artwork 🧑🎨 1. Guest fi lls bu ff ers, updates virtqueues, etc. 2. Guest writes to Device register via IO instructions 3. Device is noti fi ed it can process data. Writes it to fd. 4. Device kicks guest via vcpu interrupt to notify bu ff ers are processed
  • 15. Security! But at what cost? What about the user/admin experience? Does it change? • OpenBSD 7.2 • # vmd -d • # vmctl start -Lc -d disk.raw -m 8g guest • Prototype • # vmd -d • # vmctl start -Lc -d disk.raw -m 8g guest
  • 16. Security! But at what cost? What about the user/admin experience? Does it change? They’re the same commands.
  • 17. Security! But at what Cost? vmd(8) has room for performance improvement • zero-copy virtio added only recently • single emulated device thread handles all async io • virtio PCI devices — network, disk, cdrom • ns8250 serial device • i8253 programmable interrupt timer • Mutexes guard device state from competing vcpu & event threads
  • 18. Quick & Dirty Benchmarking This is not a benchmarking talk 🙅 • Lenovo X1 Carbon (10th gen) • 12th gen Intel i7-1270P @ 2.2 GHz • 32 GiB RAM • 1 TB NVME disk • Guest Operating Systems • OpenBSD 7.2 • Alpine Linux 3.7 (kernel vTKTKT)
  • 19. vioblk(4) benchmark fi o(1) [ports] performing 8 KiB random writes to 2GiB fi le for 5 minutes • Very little di ff erence in throughput • Very little di ff erence in latency • Long-tail slightly worse on Alpine?? Host Version Guest Version Throughput MiB/s clat avg (usec) clat stdev (usec) 99.90th % (usec) 99.95% (usec) OpenBSD- current OpenBSD- current 90.3 89.9 8730 338 379 Prototype OpenBSD- current 100 76.4 7220 388 429 OpenBSD- current Alpine Linux 3.17 131 11.2 534 32 38 Prototype Alpine Linux 3.17 132 11.7 682 594 685
  • 20. vio(4) benchmark iperf3(1) [ports] with 1 thread run for 30 seconds, alternating TX/RX • iperf(3) used with 1 thread in alternating client / server modes • Observations • More consistent throughput in OpenBSD guests • Negligible performance decrease for Linux guests (not sure why) Host Version Guest Version Receiving Bitrate (Mbit/s) % Sending Bitrate (MBit/s) % -current OpenBSD 7.2 0.86 — 1.26 — prototype OpenBSD 7.2 1.22 63% 1.35 7% -current Alpine Linux 3.17 1.26 — 4.26 — prototype Alpine Linux 3.17 1.30 5% 3.19 -25%
  • 21. Headaches! Some things weren’t so easy. 😰 • Dual-channel connectivity • synchronous register io from vcpu thread needs to avoid deadlocks • vcpu vs. event thread isolation • libevent(3) is not thread-safe (OpenBSD bundles v1.x) • Debugging multi-process, async code is often challenging • printf & ktrace can quickly generate lots of noise • nanosleep(2) + gdb attaching directly to device process helps
  • 22. Future Work & Research Plans for the next hackathon (m2k23) 📋 • Finish lifecycle cleanup (vm send/receive) • QCOW2 disk support — only supports raw images at the moment • Begin merging changes into tree after 7.3 release • vm fork+exec dance • vioblk • vionet • Expand to other devices • ns8250? • Tighten exposure of guest physical memory • guest aware drivers? (is there anything to gain by limiting how much of guest memory we remap?)