vm.fail {low-level systems research}
about
systems security research. hypervisors, rootkits, cache manipulation, shellcode. arm64 and x86_64. occasionally firmware.
contact: torsten.oehlenschlager@tutanota.de
projects
~ nebula arm64 linux position-independent shellcode framework
resolves symbols at runtime by parsing /proc/self/maps. djb2 hash for module/symbol lookup. inline syscalls.
~ icekit cache-as-ram + CAT L3 cache line locking on x86_64
port of CacheKit to x86_64. evades memory introspection via cache incoherence using AMD l3_cat.
~ checkm8 coreboot + tboot measured launch research
intel TXT measured launch with coreboot firmware. trusted boot chain experiments.
~ icevmm[wip] minimal arm64 hypervisor
baremetal type-1 hypervisor for arm64. EL2 virtualization experiments.
~ linebacker[wip] kernel-level defense research
kernel-level defense research.
~ kvmrsk rust rewrite of kvmrk KVM exploitation PoC
based on Singh's paper on KVM's insecure design on ARM.
collaborators
~ wintermute
kvmrk KVM exploitation PoC for ARM
original implementation of Singh's KVM ARM security research.
hvICE hypervisor-based introspection evasion
hypervisor techniques for evading memory introspection.
arm64_silent_syscall_hook silent syscall hooking on arm64
stealthy syscall interception without modifying the syscall table.
ramiel arm64 rootkit research
kernel-level persistence and evasion techniques for arm64 linux.