現行各種雲端運算之彈性仰賴於虛擬化技術的支持，然而虛擬化之安全建構於其技術所能提供之隔離性，若雲端平台上使用者打破虛擬化隔離性，則雲端平台所有共用使用者將一併受害。本論文以Xen Hypervisor所提供之半虛擬化技術為對象，探討使用虛擬化技術時隔離議題之重要性，歸納出虛擬化技術中實作顯示暫存區常發生之共同漏洞，並以半虛擬化顯示暫存區漏洞的實際漏洞CVE-2008-1943，展示虛擬機器脫逸(Virtual Machine Escape)實驗，取得Xen中的Domain 0之Root Shell，來證明虛擬化的隔離非牢不可破。最後在其他Domain U不知情的情況下，以竄改該Domain U的開機磁區，使其開機程序受到綁架，由此說明隔離性失效之後帶來的影響及損失。研究貢獻在於歸納出虛擬化技術中實作顯示暫存之共同漏洞，並以實際半虛擬化顯示暫存區進行虛擬機器脫逸實驗，以實驗結果證明虛擬化隔離性失效。此外更提供開機磁區竄改實驗作為後續攻擊之案例，以說明隔離性失效後可能帶來之損失，作為未來雲端安全核心研究之基礎。

The on-demand feature of cloud computing is rely on supporting of virtualization technology, it is worth to know that security in virtualization is built upon the isolation. Thus, once the user of the cloud platform break the isolation, then all the users in the cloud platform will become victims. In this thesis, I focus on paravirtualization which is provided by Xen hypervisor to discuss about the importance of isolation in virtualization technology. It conclude that there are common vulnerability in many implementation of video-related device in virtualization technology. Moreover, with a practical exploitation about CVE-2008-1943, this thesis show that user can escape from an unpriviedge domain to the privilege domain''s root shell (Virtual Machine Escape). Finally, this thesis show that attacker can easily hijack other user''s virtual machine by modifying the virtual machine''s master boot record. The major contributions are conclude the common vulnerability which is the implementation of video device in virtualization technology, and provide an hand-on VM escape experiment to prove the fail of isolation in virtualization. Moreover, this thesis provide an attack model, Master Boot Record Hijacking, to explain the impact after the fail of isolation.

[1] S. Ried, H. Kisker, P. Matzke, A. Bartels, and M. Lisserman, “Sizing the cloud: Understanding and quantifying the future cloud computing,” in Forrester Research Report, 2011.
[2] T. Dillon, C. Wu, and E. Chang, “Cloud computing: Issues and challenges,” in 24th IEEE International Conference on Advanced Information Networking and Applica- tions (AINA), Perth, Australia, April 2010, pp. 27 –33.
[3] L. M. Vaquero, L. Rodero-Merino, J. Caceres, and M. Lindner, “A break in the clouds: towards a cloud definition,” SIGCOMM Comput. Commun. Rev., vol. 39, no. 1, pp. 50–55, Dec. 2008.
[4] P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauer, I. Pratt, and A. Warfield, “Xen and the art of virtualization,” in Proceedings of the nineteenth ACM symposium on Operating systems principles, ser. SOSP ’03. New York, NY, USA: ACM, 2003, pp. 164–177.
[5] R. Uhlig, G. Neiger, D. Rodgers, A. L. Santoni, F. C. M. Martins, A. V. Anderson, S. M. Bennett, A. Kagi, F. H. Leung, and L. Smith, “Intel virtualization technology,” IEEE Computer Magazine, vol. 38, no. 5, pp. 48–56, May 2005.
[6] K. Adams and O. Agesen, “A comparison of software and hardware techniques for x86 virtualization,” in Proceedings of the 12th international conference on Architectural support for programming languages and operating systems, ser. ASPLOS-XII. New York, USA: ACM, 2006, pp. 2–13.
[7] Amazon, “Amazon ec2,” 2011. [Online]. Available: http://aws.amazon.com/ec2
[8] Y. M. Chen, C. E. Chuang, H. C. Liu, C. Y. Ni, and C. T. Wang, “Using agent in virtual machine for interactive security training,” in FGIT-SecTech, Jeju Island, Korea, 2011, pp. 65–74.
[9] J. Rhoton, Cloud Computing Explained. Recursive Press, 2010. [10] Google, “Google apps engine,” 2012. [Online]. Available: https://developers.google.
com/appengine/
[11] D. Hubbard and M. Sutton, “Top threats to cloud computing,” in Cloud Security Al liance, Mar. 2010. [Online]. Available: http://www.cloudsecurityalliance.org/ topthreats.html
[12] C. E. Chuang and Y. M. Chen, “使雲端運算中虛擬機器隔離性失效之實作,” 第二 十二屆資訊安全會議, 中興大學, 台中, 2012.
[13] Citrix, “Xenserver.” [Online]. Available: http://www.citrix.com/English/ps2/ products/product.asp?contentID=683148
[14] J. Sahoo, S. Mohapatra, and R. Lath, “Virtualization: A survey on concepts, taxon- omy and associated security issues,” in Second International Conference on Computer and Network Technology (ICCNT), Bangkok, Thailand, April 2010, pp. 222 –226.
[15] Intel. (2006) Intel virtualization technology and intel active management technology in retail infrastructure. [Online]. Available: http://www.intel.com/design/intarch/ papers/316087.pdf
[16] A. One, “Smashing the stack for fun and profit,” Phrack, vol. 7, no. 49, Nov. 1996. [Online]. Available: http://phrack.com/issues.html?issue=49&id=14#article
[17] Nergal, “The advanced return-into-lib(c) exploits: PaX case study,” Phrack, vol. 11, no. 58, Dec 2001. [Online]. Available: http://phrack.org/phrack/58/p58-0x04
[18] E. Bhatkar, D. C. Duvarney, and R. Sekar, “Address obfuscation: an efficient ap- proach to combat a broad range of memory error exploits,” in Proceedings of the 12th USENIX Security Symposium, Washington, DC, USA, August 2003, pp. 105–120.
[19] C. Cowan, C. Pu, D. Maier, H. Hinton, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang, “Stackguard: Automatic adaptive detection and prevention of buffer-overflow attacks,” in Proceedings of the 7th USENIX Security Symposium, San Antonio, Texas, USA, January 1998, pp. 63–78.
[20] CoreLabs, “Path traversal vulnerability in vmware’s shared folders implementation.” [Online]. Available: http://www.coresecurity.com/content/advisory-vmware
[21] CERT, “Cve-2007-1744.” [Online]. Available: http://cve.mitre.org/cgi-bin/cvename. cgi?name=CVE-2007-1744
[22] K. Kortchinsky, “Cloudburst – hacking 3d and breaking out of vmware,” in BlackHat USA, Las Vegas, 2009.
[23] “Virtunoid: A kvm guest → host privilege escalation exploit,” in Black Hat USA, N. Elhage, Ed., Las Vegas, 2011.
[24] CERT, “Cve-2011-1751.” [Online]. Available: http://cve.mitre.org/cgi-bin/cvename. cgi?name=CVE-2011-1751
[25] “Cwe-416: Use after free.” [Online]. Available: http://cwe.mitre.org/data/ definitions/416.html
[26] D. Chisnall, The definitive guide to the xen hypervisor, 1st ed. Upper Saddle River, NJ, USA: Prentice Hall Press, 2007.
[27] E. Skoudis and T. Liston, Counter hack reloaded, second edition: a step-by-step guide to computer attacks and effective defenses, 2nd ed. Upper Saddle River, NJ, USA: Prentice Hall Press, 2005.
[28] F. Bellard, “Qemu, a fast and portable dynamic translator,” in Proceedings of the an- nual conference on USENIX Annual Technical Conference, ser. ATEC ’05. Berkeley, CA, USA: USENIX Association, 2005, pp. 41–41.
[29] R. Wojtczuk, “Adventures with a certain xen vulnerability (in the pvfb backend),” October 2008. [Online]. Available: http://invisiblethingslab.com/resources/misc08/ xenfb-adventures-10.pdf
[30] Xen. How does xen work? [Online]. Available: http://www.xen.org/files/Marketing/ HowDoesXenWork.pdf
[31] D. Blazakis, “Interpreter exploitation,” in Proceedings of the 4th USENIX conference on Offensive technologies, ser. WOOT’10. Berkeley, CA, USA: USENIX Association, 2010, pp. 1–9.
[32] J. Erickson, Hacking: the art of exploitation, 2nd edition, 2nd ed. San Francisco, CA, USA: No Starch Press, 2008.
[33] R. Strackx, Y. Younan, P. Philippaerts, F. Piessens, S. Lachmund, and T. Wal- ter, “Breaking the memory secrecy assumption,” in Proceedings of the ACM Second European Workshop on System Security, Nuremburg, Germany, 2009, pp. 1–8.
[34] VMware, “Transparent paravirtualization (vmi),” 2005. [Online]. Available: http://www.vmware.com/technical-resources/interfaces/paravirtualization.html
[35] Xen.org. Xen hypervisor. [Online]. Available: http://xen.org/
[36] Amazon.com, “Amazon web services: Overview of security processes,” 2008. [Online]. Available: http://aws.amazon.com/articles/1697
[37] CERT, “Cve-2008-3431.” [Online]. Available: http://cve.mitre.org/cgi-bin/cvename. cgi?name=CVE-2008-3431
[38] cert, “Cve-2009-0876.” [Online]. Available: http://cve.mitre.org/cgi-bin/cvename. cgi?name=CVE-2009-0876
[39] T. Mandt, “Oracle virtualbox integer overflow vulnerabili- ties,” 2011. [Online]. Available: http://mista.nu/blog/2011/07/19/ oracle-virtualbox-integer-overflow-vulnerabilities/
[40] Xen-Devel, “Vt-d (pci passthrough) msi trap injection,” 2011. [Online]. Available: http://old-list-archives.xen.org/archives/html/xen-devel/2011-05/msg00687.html
[41] dunlapg. (2012) The intel sysret privilege escalation. [Online]. Available: http://blog.xen.org/index.php/2012/06/13/the-intel-sysret-privilege-escalation/
[42] R. Wojtczuk and J. Rutkowska, “Following the white rabbit: Software attacks against intel vt-d technology,” 2011. [Online]. Available: http://www.invisiblethingslab. com/resources/2011/Software%20Attacks%20on%20Intel%20VT-d.pdf
[43] CERT, “Cve-2012-1515,” 2012. [Online]. Available: http://www.cve.mitre.org/ cgi-bin/cvename.cgi?name=CVE-2012-1515
[44] Xen-Devel, “Heap-based buffer overflow in the process_tx_desc function in the e1000 emulation,” 2012. [Online]. Available: http://lists.xen.org/archives/html/ xen-announce/2012-02/msg00000.html
[45] S. Bahram, X. Jiang, Z. Wang, M. Grace, J. Li, D. Srinivasan, J. Rhee, and D. Xu, “Dksm: Subverting virtual machine introspection for fun and profit,” in Proceedings of the 29th IEEE International Symposium on Reliable Distributed Systems (SRDS 2010), New Delhi, India, October 2010.
[46] B. D. Payne, M. D. P. de Carbone, and W. Lee, “Secure and flexible monitoring of virtual machines,” in Twenty-Third Annual Computer Security Applications Confer- ence, Miami Beach, FL, USA, December 2007, pp. 385–397.
[47] R. Wojtczuk, “Subverting the xen hypervisor,” in Black Hat USA, Las Vegas, USA, August 2008.
[48] P. Kleissner, “Stoned bootkit,” 2011. [Online]. Available: http://www.stoned-vienna. com/
[49] P. Rubin, D. MacKenzie, and S. Kemp., “dd,” in Linux man page, 2012.
[50] B. Salamat, T. Jackson, G. Wagner, C. Wimmer, and M. Franz, “Runtime defense against code injection attacks using replicated execution,” IEEE Transactions on Dependable and Secure Computing, vol. 8, pp. 588–601, 2011.
[51] VulneraPedia, “Symlink attacks.” [Online]. Available: http://minsky.gsi.dit.upm.es/ semanticwiki/index.php/Symlink_Attacks