To compete in the endless race against rootkits, antivirus software vendors are slowly starting to use the Virtualization Extensions offered by commodity CPUs.
The attack surface of AV software has been has been large enough until now, but hypervisor-based AV solutions expose a whole new attack surface. By exploiting flaws in AV software, instead of Ring 0 control or full Administrator privileges, it is now possible to gain Ring -1 permissions, an almost jackpot-like Ring which allows controlling the Virtualization Extensions our CPUs employ.
This talk takes us into the realm of Hypervisor based AVs, to see how well they've managed to walk in the depths or Ring -1 in their attempts to implement a thin hypervisor layer to help in the fight against rootkits.
Why
I worked on a couple of Hypervisor-based AVs and found interesting attack surface points in there. I think that nowadays although most of us are using AVs we're not even aware of the insecurity they're providing.
Other than that, the whole hype of "VMM" or "Ring -1" things makes it even fun, there are not many people around the globe which audit VMM code, mostly because people are afraid of those fancy words like Extended Page Tables, VM Exits and mainly memory handling.
In this presentation I'll try to remove this fear, I'll show the basic architecture of a VM-based AV and how it communicates with the outside world (e.g - usermode) and how it might be possible to abuse it in order to gain code execution and system control.
