Sushi (public)
Livrables
PEPR SecurEval
virtual-machine-introspection

Repository

title: "A prototype for introspection of virtual machines using a modified hypervisor"
author: "Lionel Hemmerlé and Frédéric Tronel"
date: "March 2025"
geometry: a4paper,margin=2cm
colorlinks: true
numbersections: true
podman  build -v $(pwd)/artefacts:/artefacts:rw --tag=pepr-vmi --ulimit=nofile=2048:2048 .
apt update
apt install -y build-essential git libtool autoconf automake bison flex gcc-aarch64-linux-gnu\
        python3-pip python3-sphinx meson\
        libglib2.0-dev libgcrypt20-dev zlib1g-dev libpixman-1-dev libslirp-dev\
        device-tree-compiler gperf texinfo wget unzip help2man gawk\
        libtool-bin libncurses-dev libgnutls28-dev pahole libssl-dev libelf-dev bc cargo
export REPO=https://gitlab-research.centralesupelec.fr/sushi-public/livrables/\
    pepr-secureval/virtual-machine-introspection.git
git clone ${REPO}
git submodule update --init
export PROJECT=$(pwd)
export ARTEFACTS=$(pwd)/artefacts/
export NPCPUS=$(cat /proc/cpuinfo | grep processor | wc -l)
pushd qemu
# git tag to see all available versions
git checkout xilinx_v2024.2
mkdir -p build
cd build
../configure --target-list="aarch64-softmmu,microblazeel-softmmu" --enable-fdt \
            --disable-kvm --disable-xen --enable-gcrypt
make -j $NBCPUS
ln -f qemu-system-aarch64 ${ARTEFACTS}/
ln -f qemu-system-microblazeel ${ARTEFACTS}/
popd
pushd qemu-devicetrees
make
ln -f ${PROJECT}/qemu-devicetrees/LATEST/MULTI_ARCH/zynqmp-pmu.dtb ${ARTEFACTS}
ln -f ${PROJECT}/qemu-devicetrees/LATEST/MULTI_ARCH/zcu102-arm.dtb ${ARTEFACTS}
popd
pushd crosstool-ng
./bootstrap
./configure --enable-local
make
popd
- binutils 2.42
- lib GMP, MPFR, MPC, zlib
- gcc 12.4.0
- newlib 4.5.0
pushd crosstool-ng
cp ${PROJECT}/ct-ng-microblaze.defconfig defconfig
./ct-ng defconfig
./ct-ng build
popd
pushd crosstool-ng
cp ${PROJECT}/ct-ng-aarch64.defconfig defconfig
./ct-ng defconfig
./ct-ng build
popd
wget https://www.xilinx.com/bin/public/openDownload?filename=PMU_ROM.tar.gz -O PMU_ROM.tgz
tar zxvf PMU_ROM.tgz
ln -f PMU_ROM/pmu-rom.elf ${ARTEFACTS}/
pushd embeddedsw
pushd lib/sw_apps/zynqmp_pmufw/src
PATH=$PATH:${PROJECT}/x-tools/microblazeel-xilinx-elf/bin/ make -j$NPCPUS
popd
ln -f ${PROJECT}/embeddedsw/lib/sw_apps/zynqmp_pmufw/src/executable.elf ${ARTEFACTS}/pmu.elf
pushd lib/sw_apps/zynqmp_fsbl/src/
PATH=$PATH:${PROJECT}/x-tools/aarch64-none-elf/bin/ make -j$NPCPUS
popd
ln -f ${PROJECT}/embeddedsw/lib/sw_apps/zynqmp_fsbl/src/fsbl.elf ${ARTEFACTS}/
popd
pushd arm-trusted-firmware
CROSS_COMPILE=aarch64-linux-gnu- make -j$NPCPUS PLAT=zynqmp all
popd
ln -f ${PROJECT}/arm-trusted-firmware/build/zynqmp/release/bl31/bl31.elf ${ARTEFACTS}/
pushd u-boot-xlnx
make distclean
export CROSS_COMPILE=aarch64-linux-gnu-
make xilinx_zynqmp_virt_defconfig
export DEVICE_TREE="zynqmp-zcu104-revC"
make -j $NBCPUS
popd
ln -f u-boot.elf ${ARTEFACTS}/
mkdir -p ./linux-build-5.15.1
wget http://ftp.lip6.fr/pub/linux/kernel/sources/v5.x/linux-5.1.15.tar.xz
unxz linux-5.15.1.tar.xz
tar xf linux.5.15.1.tar
pushd linux-5.15.1
patch -p1 < ../kernel-5.1.15.patch
cp ../linux-defconfig-5.15.1 arch/arm64/configs/zcu104_defconfig
make O=${PROJECT}/linux-build-5.15.1 ARCH=arm64 \
    CROSS_COMPILE=${PROJECT}/x-tools/aarch64-none-elf/bin/aarch64-none-elf- zcu104_defconfig
make -j$NBCPUS  O=${PROJECT}/linux-build-5.15.1 ARCH=arm64 \
    CROSS_COMPILE=${PROJECT}/x-tools/aarch64-none-elf/bin/aarch64-none-elf- Image dtbs modules
ln -f ${PROJECT}/linux-build-5.15.1/arch/arm64/boot/Image ${ARTEFACTS}/
ln -f ${PROJECT}/linux-build-5.15.1/arch/arm64/boot/dts/xilinx/zynqmp-zcu104-revC.dtb ${ARTEFACTS}/
ln -f ${PROJECT}/linux-build-5.15.1/System.map ${ARTEFACTS}/
popd
pushd buildroot
# Patch which allows to have GCC installed inside the target system ...
# wget https://luplab.cs.ucdavis.edu/assets/buildroot-gcc/gcc-target.patch
cp ../zynqmp_zcu104_defconfig configs/
make zynqmp_zcu104_defconfig
make
ln -f ${PROJECT}/buildroot/output/images/rootfs.ext2 ${ARTEFACTS}/
popd
push system-device-tree
echo "Building system device tree"
make
ln -f ${PROJECT}/system-device-tree/system-top.dtb ${ARTEFACTS}/
popd
apt install repo
mkdir yocto-2023.3
cd yocto-2023.2
repo init -u https://github.com/Xilinx/yocto-manifests.git -b rel-v2023.2
repo sync
source setupsdk
MACHINE=zcu104-zynqmp bitbake core-image-minimal
sudo apt install guestfish u-boot-tools genext2fs
chmod u+x ./build-sdcard-linux.sh
./build-sdcard-linux.sh
chmod u+x ./qemu-linux.sh
./qemu-linux.sh
Creating temporary directory: /tmp/tmp.vTH6JvxoTl
Launching the PMU
Launching the CPU
qemu-system-microblazeel: info: QEMU waiting for connection on: disconnected:unix:/tmp/tmp.vTH6JvxoTl/qemu-rport-_pmu@0,server=on
PMU Firmware 2024.2	Jan 11 2025   17:31:42
PMU_ROM Version: xpbr-v8.1.0-0
NOTICE:  BL31: Non secure code at 0x8000000
NOTICE:  BL31: v2.10.0	(release):xilinx-v2024.2
NOTICE:  BL31: Built : 13:43:05, Jan 10 2025
U-Boot 2024.01 (Feb 27 2025 - 11:06:22 +0100)
[...]
Starting kernel ...

[    0.000000] Booting Linux on physical CPU 0x0000000000 [0x410fd034]
[    0.000000] Linux version 5.15.1 (ftronel@sashimi) (aarch64-none-elf-gcc (crosstool-NG 1.26.0.143_32f288e) 5.5.0, GNU ld (crosstool-NG 1.26.0.143_32f288e) 2.27) #11 SMP Wed Feb 26 14:44:06 CET 2025
[    0.000000] Machine model: ZynqMP ZCU104 RevC
[...]
Welcome to Buildroot
buildroot login: root
#
push xvisor
zcat ${PROJECT}/vmi.patch.gz | patch -p1
cat ${PROJECT}/xvisor-qemu.patch | patch -p1
CROSS_COMPILE=aarch64-linux-gnu- make ARCH=arm generic-v8-defconfig
CROSS_COMPILE=aarch64-linux-gnu- make -j$NBCPUS
popd
pushd rust-parser
cargo build
popd
fun f_syscall_alert(l: listener) {
    alert();
}

fun init_syscall_protections() {
    register_write($sys_call_table, 439*8, f_syscall_alert); # sys call table
}
./target/debug/parser  -i programs/syscall-protection.src -s ../linux-build-5.15.1/System.map -o syscall-protection.S
aarch64-linux-gnu-as syscall-protection.S -o syscall-protection.o
aarch64-linux-gnu-objcopy -O binary -j .text ./syscall-protection.o  syscall-protection.bin
pushd kernel-modules
make
ln -f ${PROJECT}/module/send-vmi.ko ${ARTEFACTS}/
ln -f ${PROJECT}/module/syscall-rootkit.ko ${ARTEFACTS}/
popd
./build-sdcard-xvisor-linux.sh
./qemu-xvisor-linux.sh
Creating temporary directory:
Launching the PMU
Launching the CPU
qemu-system-microblazeel: info: QEMU waiting for connection on: disconnected:unix:/tmp/tmp.2H07QFr2vx/qemu-rport-_pmu@0,server=on
PMU Firmware 2024.2	Mar 26 2025   17:46:27
PMU_ROM Version: xpbr-v8.1.0-0
NOTICE:  BL31: Non secure code at 0x8000000
NOTICE:  BL31: v2.10.0	(release):xilinx-v2024.2
NOTICE:  BL31: Built : 17:46:52, Mar 26 2025
[...]
[guest0/uart0] Welcome to Buildroot
[guest0/uart0] buildroot login: root
[guest0/uart0] Password:
[guest0/uart0] Login incorrect
[guest0/uart0] buildroot login: root
[guest0/uart0] Password:
[guest0/uart0] Welcome to Buildroot
[guest0/uart0] buildroot login: root
[guest0/uart0] Password:
[guest0/uart0] # ls
[guest0/uart0] send-vmi.ko             syscall-protection.bin  syscall-rootkit.ko
[guest0/uart0] #
[guest0/uart0] insmod ./syscall-rootkit.ko
[guest0/uart0] [   65.983340] syscall_rootkit: loading out-of-tree module taints kernel.
[guest0/uart0] [   66.052385] Syscall rootkit!
[guest0/uart0] [   66.080298] syscall table address: 0xffff800010e50988
[guest0/uart0] [   66.082599] kill syscall entry address: 0xffff800010e50d90
[guest0/uart0] [   66.086953] getdents64 syscall entry address: 0xffff800010e50b70
[guest0/uart0] [   66.093098] kill syscall previous function address: 0xffff80001006da40
[guest0/uart0] [   66.097082] new function address: 0xffff800008e50280
[guest0/uart0] [   66.099379] getdents64 syscall previous function address: 0xffff8000102c56a4
[guest0/uart0] [   66.102384] new function address: 0xffff800008e50000
[guest0/uart0] # ps aux
[guest0/uart0] PID   USER     COMMAND
[guest0/uart0]     1 root     init
[guest0/uart0]     2 root     [kthreadd]
[...]
[guest0/uart0]   210 root     /sbin/syslogd -n
[guest0/uart0]   214 root     /sbin/klogd -n
[guest0/uart0]   234 root     /usr/sbin/crond -f
[guest0/uart0]   235 root     -sh
[guest0/uart0]   239 root     ps aux
[guest0/uart0] # kill -64 235
[guest0/uart0] [   70.176904] kill: 64
[guest0/uart0] [   70.179545] pid: 235
[guest0/uart0] # ps aux
[guest0/uart0] PID   USER     COMMAND
[guest0/uart0] [   81.630838] offset: 2880, name: 235
[guest0/uart0]     1 root     init
[guest0/uart0]     2 root     [kthreadd]
[...]
[guest0/uart0]   210 root     /sbin/syslogd -n
[guest0/uart0]   214 root     /sbin/klogd -n
[guest0/uart0]   234 root     /usr/sbin/crond -f
[guest0/uart0]   240 root     ps aux
[guest0/uart0] Welcome to Buildroot
[guest0/uart0] buildroot login: root
[guest0/uart0] Password:
[guest0/uart0] # ls
[guest0/uart0] send-vmi.ko             syscall-protection.bin  syscall-rootkit.ko
[guest0/uart0] # insmod ./send-vmi.ko filename=./syscall-protection.bin
[guest0/uart0] [   27.190629] send_vmi: loading out-of-tree module taints kernel.
[guest0/uart0] written from 0x4a0b7000 to 0x10beca00 (504 bytes)
fundef: f_syscall_alert at 0x10becb88 (size: 9)
need injecting address of alert in register 9
fundef: init_syscall_protections at 0x10becbac (size: 13)
need injecting address of f_syscall_alert in register 9
need injecting address of register_write in register 12
funcall: init_syscall_protections
function returned
[guest0/uart0] # insmod ./syscall-rootkit.ko
[guest0/uart0] [   40.649004] Syscall rootkit!
[guest0/uart0] [   40.679240] syscall table address: 0xffff800010e50988
[guest0/uart0] [   40.684798] kill syscall entry address: 0xffff800010e50d90
[guest0/uart0] [   40.687854] getdents64 syscall entry address: 0xffff800010e50b70
[guest0/uart0] alert
alert
alert
alert
[guest0/uart0] kill syscall previous function address: 0xffff80001006da40
[guest0/uart0] [   40.700322] new function address: 0xffff800008e55280
[guest0/uart0] [   40.702803] getdents64 syscall previous function address: 0xffff8000102c56a4
[guest0/uart0] [   40.709713] new function address: 0xffff800008e55000
[guest0/uart0] #