Monday, April 06, 2015

Common security design issues in privileged hypervisor or in any privileged emulators

Recently I've reviewed nearly 100 Xen Security Advisories (, except some bad security coding practices for any ordinary software, I found there are some specific security issues that we need to take into considerations when designing prvilieged hypervisors or privileged emulators.

"What, How, and Why" on Interrupt Window (or NMI Window) Exiting in Virtualization Technology

More recently, one of my colleagues asked me why there is a feature called "Interrupt Window exiting" in virtualization technology, and how it can be used by VMM? This blog is going to briefly describe its "what, how and why" .

Monday, January 26, 2015

Control-flow processor exceptions (single-stepping on branches) on control-flow branch instructions (jmp/call/ret)

"single-stepping on branches" is processor hardware feature of x86/Intel architecture. When it is enabled, the processor generates a single-step debug exception only after instructions that cause a branch. This mechanism
allows a debugger to single-step on control transfers caused by branches. What does this imply to defense against control-flow hijacking attacks (e.g. ROP or JOP) ? 

Friday, January 16, 2015

How to defend against Stack Pivoting attacks on existing 32-bit x86 processor architecture?

Stack Pivoting is a common technique widely used by vulnerability exploits to bypass hardware protections like NX/SMEP, or to chain ROP (Return-Oriented Programing, the Wikipedia link) gadgets. However, there is NO hardware protection solution to defend against it (at least for now:-). This blog will describe a software solution to detect Stack Pivoting at run time, and I will also point out some limitations due to current processor architecture implementations.  <Please let me know if this is NOT a new idea, or NOT doable.>