-up.html (Donnerstag, 16 Dezember 2021 03:04).
But this approach is not as secure as the incremental attack. Because the hypervisor has to write the data to the memory of the guest at the time when the guest requests a memory allocation. The hypervisor writes the data to the memory. When the guest restarts the attack would be successful, because the data will not be overwritten.
The hypervisor can be configured in different modes. If the hypervisor is configured with “full” mode, it makes the memory writeable by all guests. If the hypervisor is configured with “logical” mode, the guest can only write data into the corresponding pages. If the hypervisor is configured with “no-page” mode, the guest cannot write data into any memory page. The hypervisor is only able to manage the memory.
The incremental attack can be mounted even if the guest is configured to use the “no-page” mode. The guest must not be configured to run in “no-page” mode when the hypervisor is in “full” mode. The result is that when the hypervisor is configured with “full” mode, the hypervisor writes the guest’s data to the memory and then deletes the data.
Armed with the knowledge about the fundamental differences between the modes, we can now find a suitable operating mode for our attack. We must ensure that the hypervisor is configured with “full” mode. If the hypervisor is configured with “logical” mode, the guest can write to the corresponding memory pages. To find out whether the hypervisor is configured with “full” mode or “logical” mode, we can monitor the hypervisor’s memory write activity. For instance, we can monitor the number of times that the hypervisor writes the memory to its own guest. In case the hypervisor is configured with “full” mode, the hypervisor constantly writes the memory.
In summary, we can perform an incremental attack by infecting the hypervisor and by carefully monitoring the memory write activity.
Install KiSu
When you are logged in as the user “kisu” in the guest, you can run the installation script.
To ensure that the hypervisor is configured with “full” mode, you
Related links: