Benoît Morgan

Research and teaching in information system security

Abyme is a tiny bare-metal recursive hypervisor library (type-0, as in bare-metal and tiny).

Github repository for UEFI version

Motivation

It has been developed for four purposes:

Statement

This project has been funded by the Secure Virtual Cloud French PIA project and is part of the contribution from my Ph.D. thesis.

Many thanks to Éric Alata, Vincent Nicomette and Julien Marchand, who shared with me the motivation to start this adventure:

dd if=/dev/life | sed -e 's/sleep-and-jerk//g'

Basic usage

The user gets the ability to hook VM exits in order to interact with the hypervisor and implement a custom behavior.

Kiddie example

The following listings define three hypervisors that we stack at boot time. The only purpose of these three hypervisors is to set a string in three GPRs when the VM executes a specific vmcall.

sources/drivers/vmm_rec_0/ids.c

#include <stdint.h>
/* struct registers, INFO(), hook_boot and EXIT_REASON_CPUID come from the
   Abyme library headers (not shown here). */

const char *msg = "SSTIC-AWESOME-ROCKS-BABE";

/* Hook run on a CPUID exit. Returning 0 lets the hypervisor carry on with
   its normal handling of the exit. */
int cpuid_pre(struct registers *gr) {
  if (gr->rax == 0xaaaaaaaa) {  // magic leaf chosen for this demo
    INFO("Modifying rbx\n");
    // Pack msg[0..7] into rbx, least-significant byte first
    gr->rbx = (uint64_t)msg[7] << 56 |
      (uint64_t)msg[6] << 48 |
      (uint64_t)msg[5] << 40 |
      (uint64_t)msg[4] << 32 |
      (uint64_t)msg[3] << 24 |
      (uint64_t)msg[2] << 16 |
      (uint64_t)msg[1] << 8 |
      (uint64_t)msg[0] << 0;
  }
  return 0;
}

void hook_main(void) {
  // Install some hooks
  hook_boot[EXIT_REASON_CPUID] = &cpuid_pre;
}

sources/drivers/vmm_rec_1/ids.c

#include <stdint.h>
/* struct registers, INFO(), hook_boot and EXIT_REASON_CPUID come from the
   Abyme library headers (not shown here). */

const char *msg = "SSTIC-AWESOME-ROCKS-BABE";

/* Same hook as in vmm_rec_0, but this level fills rcx with the second
   8-byte chunk of the message. */
int cpuid_pre(struct registers *gr) {
  if (gr->rax == 0xaaaaaaaa) {  // magic leaf chosen for this demo
    INFO("Modifying rcx\n");
    // Pack msg[8..15] into rcx, least-significant byte first
    gr->rcx = (uint64_t)msg[15] << 56 |
      (uint64_t)msg[14] << 48 |
      (uint64_t)msg[13] << 40 |
      (uint64_t)msg[12] << 32 |
      (uint64_t)msg[11] << 24 |
      (uint64_t)msg[10] << 16 |
      (uint64_t)msg[9] << 8 |
      (uint64_t)msg[8] << 0;
  }
  return 0;
}

void hook_main(void) {
  // Install some hooks
  hook_boot[EXIT_REASON_CPUID] = &cpuid_pre;
}

sources/drivers/vmm_rec_2/ids.c

#include <stdint.h>
/* struct registers, INFO(), hook_pre and EXIT_REASON_CPUID come from the
   Abyme library headers (not shown here). */

const char *msg = "SSTIC-AWESOME-ROCKS-BABE";

/* Last level of the stack: fills rdx with the third chunk, clears the magic
   value from rax and tells the hypervisor not to run its own CPUID handling. */
int cpuid_pre(struct registers *gr) {
  if (gr->rax == 0xaaaaaaaa) {  // magic leaf chosen for this demo
    gr->rax = 0x0;  // do not leak the magic leaf back to the guest
    INFO("Modifying rdx\n");
    // Pack msg[16..23] into rdx, least-significant byte first
    gr->rdx = (uint64_t)msg[23] << 56 |
      (uint64_t)msg[22] << 48 |
      (uint64_t)msg[21] << 40 |
      (uint64_t)msg[20] << 32 |
      (uint64_t)msg[19] << 24 |
      (uint64_t)msg[18] << 16 |
      (uint64_t)msg[17] << 8 |
      (uint64_t)msg[16] << 0;
    // Override VMM behavior: returning 1 skips the default CPUID handling
    return 1;
  }
  return 0;
}

void hook_main(void) {
  // Install some hooks
  hook_pre[EXIT_REASON_CPUID] = &cpuid_pre;
}
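To make the hook contract of the listings above concrete without a hypervisor underneath, here is an added, self-contained C model (not Abyme's own code). It defines hypothetical stand-ins for struct registers, the hook_pre table and EXIT_REASON_CPUID, a dispatcher in which a hook returning 1 overrides the VMM's default handling and 0 lets it run, a pack_le64 helper that replaces the eight-line shift chains, and the guest-side unpacking that reassembles the 24-byte string from rbx, rcx and rdx. One hook does the work of the three stacked ones, since the ordering of hooks across nested hypervisors is not documented on this page; the default CPUID handler's return value 0x0d is a constructed marker, not real CPUID data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the hook API: hypothetical stand-ins, not the
 * library's own definitions. */
struct registers { uint64_t rax, rbx, rcx, rdx; };

typedef int (*exit_hook_t)(struct registers *gr);

/* 10 is the basic VM-exit reason number Intel assigns to CPUID. */
enum { EXIT_REASON_CPUID = 10, EXIT_REASON_MAX = 64 };

/* One pre-exit hook slot per exit reason, all unset by default. */
static exit_hook_t hook_pre[EXIT_REASON_MAX];

/* Pack 8 bytes of a string into a GPR, least-significant byte first
 * (the same byte order as the shift chains in the listings). */
static uint64_t pack_le64(const char *s) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | (uint8_t)s[i];
    return v;
}

/* Default VMM behaviour for a CPUID exit in this model: return a
 * constructed marker so the caller can tell whether a hook overrode it. */
static int default_cpuid_handler(struct registers *gr) {
    gr->rax = 0x0d;  /* constructed marker, not real CPUID output */
    gr->rbx = gr->rcx = gr->rdx = 0;
    return 0;
}

/* Dispatch an exit: the hook runs first; returning 1 skips the default
 * handler, returning 0 lets the VMM do its normal job afterwards. */
static void handle_exit(int reason, struct registers *gr) {
    if (hook_pre[reason] && hook_pre[reason](gr))
        return;  /* hook overrode the VMM */
    if (reason == EXIT_REASON_CPUID)
        default_cpuid_handler(gr);
}

static const char *msg = "SSTIC-AWESOME-ROCKS-BABE";

/* Single hook doing the work of the three stacked ones: fills rbx, rcx and
 * rdx with 8 bytes each, clears the magic leaf from rax and overrides. */
static int cpuid_pre(struct registers *gr) {
    if (gr->rax != 0xaaaaaaaa)
        return 0;            /* not our leaf: let the VMM handle it */
    gr->rax = 0;
    gr->rbx = pack_le64(msg + 0);
    gr->rcx = pack_le64(msg + 8);
    gr->rdx = pack_le64(msg + 16);
    return 1;
}

/* Guest side: after the cpuid(0xaaaaaaaa) exit returns, unpack the three
 * GPRs back into the 24-byte string, lowest byte of rbx first. */
static void unpack_message(const struct registers *gr, char out[25]) {
    uint64_t regs[3] = { gr->rbx, gr->rcx, gr->rdx };
    for (int r = 0; r < 3; r++)
        for (int i = 0; i < 8; i++)
            out[r * 8 + i] = (char)(regs[r] >> (8 * i));
    out[24] = '\0';
}

/* Simulate one CPUID exit with the given rax. Returns the resulting rax;
 * the unpacked register contents are written to out. */
uint64_t simulate_cpuid_exit(uint64_t rax, char out[25]) {
    hook_pre[EXIT_REASON_CPUID] = &cpuid_pre;
    struct registers gr = { rax, 0, 0, 0 };
    handle_exit(EXIT_REASON_CPUID, &gr);
    unpack_message(&gr, out);
    return gr.rax;
}

int main(void) {
    char out[25];
    uint64_t rax = simulate_cpuid_exit(0xaaaaaaaa, out);
    printf("magic leaf: rax=%#llx msg=\"%s\"\n", (unsigned long long)rax, out);
    rax = simulate_cpuid_exit(0, out);
    printf("other leaf: rax=%#llx msg=\"%s\"\n", (unsigned long long)rax, out);
    return 0;
}
```

Running it shows the two paths a practitioner cares about: the magic leaf yields rax 0 and the full string, while any other leaf leaves the hook's return value at 0 so the default handler runs and the registers stay untouched by the hook.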

Development environment

It comes with its own minimal C library and a debug server running a custom protocol which supports remote virtual core modification.

Python debug client

Legacy version

Github repository for bios legacy version

The legacy version is no longer maintained, but it contains a great deal of work to deal with big real mode and with trampolines to go back and forth between real mode and IA-32e mode. This version has been used to analyse our target machine's UEFI firmware and to debug the non-reentrant int $0x19 BIOS interrupt.

Associated publications

This tool has been illustrated in the following papers:

Presentations