Bluepilling the Xen Hypervisor
![Page 1: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/1.jpg)
Bluepilling the Xen Hypervisor
Joanna Rutkowska & Alexander Tereshkin
Invisible Things Lab
Black Hat USA 2008, August 7th, Las Vegas, NV
![Page 2: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/2.jpg)
Xen 0wning Trilogy
Part Three
![Page 3: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/3.jpg)
Previously on Xen 0wning Trilogy...
![Page 4: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/4.jpg)
Part 1: “Subverting the Xen Hypervisor” by Rafal Wojtczuk (Invisible Things Lab)
• Hypervisor attacks via DMA
  • TG3 network card “manual” attack
  • Generic attack using disk controller
• “Xen Loadable Modules” framework :)
• Hypervisor backdooring
  • “DR” backdoor
  • “Foreign” backdoor
![Page 5: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/5.jpg)
Part II: “Detecting and Preventing the Xen Hypervisor Subversions”
by Rafal Wojtczuk & Joanna Rutkowska
• Latest Xen security features
• How they fail: Q35 exploit
• How they fail: FLASK exploit
• The need for hypervisor integrity checks!
• Introducing HyperGuard!
![Page 6: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/6.jpg)
Now, in this part...
![Page 7: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/7.jpg)
1. Nested virtualization (“Matrix inside Matrix”)
2. BluePillBoot
3. XenBP: Bluepilling the Xen hypervisor on the fly!
4. Bluepilled Xen detection
![Page 8: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/8.jpg)
Nested Virtualization
![Page 9: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/9.jpg)
[Diagram labels: Hypervisor (Primary); VM1, VM2 (Nested Hypervisor), VM3, VM4; VM21, VM22; VM221, VM222]
![Page 10: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/10.jpg)
Idea of how to handle this situation...
![Page 11: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/11.jpg)
[Diagram, left: Hypervisor; VM1, VM2, VM3; VM21, VM22; VM221, VM222 shown as nested levels]
[Diagram, right: Hypervisor; VM1, VM2, VM3, VM21, VM22, VM221, VM222 shown on a single level]
![Page 12: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/12.jpg)
Now, let's look at the actual details :)
![Page 13: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/13.jpg)
Let’s start with AMD-V...
![Page 14: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/14.jpg)
[Diagram labels: VMRUN, VMCB0, RDMSR]
![Page 15: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/15.jpg)
[Diagram labels: VMRUN, VMCB0, VMRUN ?, VMCB1]
![Page 16: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/16.jpg)
[Diagram labels: VMRUN, VMCB0, VMCB1, VMCB1’, RDMSR ?]
![Page 17: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/17.jpg)
[Diagram labels: VMRUN, RDMSR, VMCB0, VMCB1, VMCB1’, RAX]
![Page 18: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/18.jpg)
Looks convincing, but we also need to take care of some technical details that are not trivial...
![Page 19: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/19.jpg)
[Diagram labels: VMRUN, VMCB0, RDMSR, GIF=0, GIF=1]
![Page 20: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/20.jpg)
[Diagram labels: Hypervisor, Nested Hypervisor, Nested Guest, VMRUN, RDMSR, GIF=1, GIF=0]
![Page 21: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/21.jpg)
• Hypervisors expect to have GIF=1 when VMEXIT occurs...
• They might not be prepared to handle interrupts just after VMEXIT from guests!
• ... but when we resume the nested hypervisor, the CPU sets GIF=1, because we do this via VMRUN, not VMEXIT...
![Page 22: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/22.jpg)
Getting around the “GIF Problem”
• We need to “emulate” that GIF is 0 for the nested hypervisor
• We stop this emulation when:
  • The nested hypervisor executes STGI
  • The nested hypervisor executes VMRUN
• How do we emulate it?
![Page 23: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/23.jpg)
GIF0 emulation
• VMCB1’.V_INTR_MASKING = 1
• Host’s RFLAGS.IF = 0
• Intercept NMI, SMI, INIT, #DB and hold (i.e. record and reinject) or discard them until we stop the emulation
![Page 24: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/24.jpg)
Additional details
• Need to also intercept VMLOAD/VMSAVE
• Need to virtualize VM_HSAVE_PA
• ASID conflicts
![Page 25: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/25.jpg)
Hypervisor: ASID = 0
Nested Hypervisor: ASID = 1 (but thinks that it has ASID = 0)
Nested Guest: ASID = 1 (assigned by the nested hypervisor)
Conflicting ASIDs!
![Page 26: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/26.jpg)
But we can always reassign the ASID in the VMCB “prim” that we use to run the nested guest.
![Page 27: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/27.jpg)
Performance Impact
• One additional #VMEXIT on every #VMEXIT that would occur in a non-nested scenario
• One additional #VMEXIT when the nested hypervisor executes: STGI, CLGI, VMLOAD, VMSAVE
• Lots of space for optimization though
![Page 28: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/28.jpg)
Intel VT-x
![Page 29: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/29.jpg)
Nested virtualization on VT-x
• No GIF bit - no need to emulate “GIF0” for the nested hypervisor :)
• No Tagged TLB - No ASID conflicts :)
• However:
  • VMX instructions can take memory operands - need to use a complex operand parser
  • No tagged TLB - potentially bigger performance impact
![Page 30: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/30.jpg)
Nested VT-x: Status
• We have that working!
• The VT-x nesting code cannot be published though :(
![Page 31: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/31.jpg)
Who else does Nested (hardware-based) Virtualization?
![Page 32: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/32.jpg)
IBM z/VM hypervisor on IBM System z™ mainframe
“Running z/VM in a virtual machine (that is, z/VM as a guest of z/VM, also known as “second-level” z/VM) is functionally supported but is intended only for testing purposes for the second-level z/VM system and its guests (called “third-level” guests).” -- http://www.vm.ibm.com/pubs/hcsf8b22.pdf
IBM System z10, source: ibm.com
![Page 33: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/33.jpg)
Blue Pill Boot
![Page 34: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/34.jpg)
[Diagram labels: MBR/BIOS; Xen hypervisor; Management Domain, VM1, VM1, VM1]
![Page 35: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/35.jpg)
[Diagram labels: MBR/BIOS; BluePill; Xen hypervisor; Management Domain, VM1, VM1, VM1]
Dom0 modifies the MBR
![Page 36: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/36.jpg)
Blue Pill Boot = MBR infector + Blue Pill loader + Blue Pill that supports nested virtualization
![Page 37: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/37.jpg)
Disk
Sector 1: BPB’s MBR
Sector 2: Original MBR
Sectors 3...n: bootcode.sys (BluePill)
![Page 38: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/38.jpg)
[Diagram: Memory. Labels: 0x0, 0x7c00, 0x10000; BPB’s MBR; Original MBR; BluePill (stage 1); BluePill (stage 2). Annotations: “Start hardware VM executing from 0x7c00 in Real Mode”; “Enable Long Mode”.]
![Page 39: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/39.jpg)
[Diagram labels: BluePill; Original MBR; 0x0, 0x7c00; Xen; int 15h]
MBR starts Xen, which now runs in a hardware virtual machine controlled by the BluePill
Int 15h/e820h queries are intercepted by BluePill
![Page 40: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/40.jpg)
Demo: BluePillBooting the Xen
(please excuse the recording quality)
![Page 41: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/41.jpg)
![Page 42: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/42.jpg)
Ensure hypervisor integrity via SRTM or DRTM
![Page 43: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/43.jpg)
Xen Blue Pill
![Page 44: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/44.jpg)
[Diagram labels: MBR/BIOS; Xen hypervisor; Management Domain, VM1, VM1, VM1]
![Page 45: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/45.jpg)
[Diagram labels: MBR/BIOS; SRTM/DRTM; Xen hypervisor; BluePill; Management Domain, VM1, VM1, VM1]
SRTM/DRTM do not protect the already loaded hypervisor!
![Page 46: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/46.jpg)
[Diagram labels: MBR/BIOS; SRTM/DRTM; BluePill; Xen hypervisor; Management Domain, VM1, VM1, VM1]
SRTM/DRTM do not protect the already loaded hypervisor!
![Page 47: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/47.jpg)
The details
![Page 48: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/48.jpg)
Loading using Rafal’s XLM framework...
![Page 49: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/49.jpg)
[Diagram labels: hypervisor, domains, Dom0, XBP, xenpgalloc, xenrunproc]
![Page 50: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/50.jpg)
[Diagram labels: hypervisor, domains, Dom0, XBP, xenpgalloc, xenrunproc, BluePill]
![Page 51: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/51.jpg)
We allocate a block of memory for XBP inside the Xen hypervisor -- this memory is used for XBP’s code, data and heap
![Page 52: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/52.jpg)
Demo: Bluepilling the Xen on the fly...
![Page 53: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/53.jpg)
![Page 54: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/54.jpg)
On Xen 3.3 we need to use the Q35 exploit instead of direct hdd (see talk #2)
![Page 55: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/55.jpg)
Bluepilled Xen: Detection
![Page 56: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/56.jpg)
Detecting a VMM is now not enough...
![Page 57: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/57.jpg)
... as we know there is already one VMM in the system (i.e. Xen)...
![Page 58: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/58.jpg)
We can only try direct timing analysis to see if #VMEXITs take longer to execute... (than on “non-bluepilled” Xen)
![Page 59: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/59.jpg)
Impact on PV domains
![Page 60: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/60.jpg)
[Diagram labels: hypervisor, PV domains, Dom0, BluePill, ring 3, VMRUN, #GP]
#GP, not #VMEXIT!
We don’t need to intercept anything besides VMRUN (and optionally VMLOAD, VMSAVE, STGI, CLGI) -- all those instructions cause #GP when executed in PV guests (including Dom0)
![Page 61: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/61.jpg)
0 on AMD!
On Intel we have obligatory intercepts (CPUID, INVD, MOV CR3).
![Page 62: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/62.jpg)
Impact on HVM domains
![Page 63: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/63.jpg)
[Chart: HVM domains: impact on #vmexit time (RDMSR intercept on AMD). Axis: kcycles (0 to 30.0). Bars: Native Xen (baseline), labelled 5; Full Nested Virtualization; - VMCB rewriting; - CLGI/STGI interception; - VMLOAD/VMSAVE interception]
![Page 64: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/64.jpg)
[Chart: Xen vs. Bluepilled Xen, axis 0 to 10.0]
5k cycles (Native Xen) vs. 7k cycles (Bluepilled Xen)
![Page 65: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/65.jpg)
2000 cycles from the Holy Grail ;)
![Page 66: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/66.jpg)
But that you can observe only in a HVM domain; on PV domains it is: 0 cycles (on AMD)!
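The timing check described on the detection slides, written out from the defender's side as an added example (not code from the talk or from Invisible Things Lab). The function names, the 20% tolerance, the minimum sample count and the sample arrays are assumptions made for illustration; the 5k and 7k cycle figures and the "no signal in PV domains on AMD" rule come from the slides, and the cycle counts are assumed to come from a time source the measured layer cannot adjust.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum verdict { VERDICT_CLEAN, VERDICT_SUSPECT, VERDICT_INCONCLUSIVE };
enum domain_type { DOMAIN_HVM, DOMAIN_PV };

#define MIN_SAMPLES 5   /* assumed minimum for a meaningful median */

/* Constructed samples (cycles per intercepted RDMSR), not real measurements.
 * Each set contains one outlier, as an interrupt during the probe would cause. */
static const uint64_t SAMPLE_NATIVE[] = {5010, 4980, 5120, 19000, 5005, 4990, 5050};
static const uint64_t SAMPLE_NESTED[] = {7020, 6950, 7100, 7005, 24000, 6990, 7060};
#define SAMPLE_COUNT 7

static int cmp_u64(const void *a, const void *b)
{
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Lower median of n cycle counts; the median ignores rare outliers. 0 on bad input. */
uint64_t median_cycles(const uint64_t *samples, size_t n)
{
    if (samples == NULL || n == 0)
        return 0;
    uint64_t *tmp = malloc(n * sizeof *tmp);
    if (tmp == NULL)
        return 0;
    memcpy(tmp, samples, n * sizeof *tmp);
    qsort(tmp, n, sizeof *tmp, cmp_u64);
    uint64_t m = tmp[(n - 1) / 2];
    free(tmp);
    return m;
}

/* Compare the median #VMEXIT cost against a baseline recorded on a known-good
 * Xen of the same build and hardware. PV domains give no signal (slides: 0 extra
 * cycles on AMD), so the result there is INCONCLUSIVE rather than CLEAN. */
enum verdict classify_vmexit_timing(enum domain_type dom, const uint64_t *samples,
                                    size_t n, uint64_t baseline, unsigned tolerance_pct)
{
    if (dom == DOMAIN_PV || n < MIN_SAMPLES || baseline == 0)
        return VERDICT_INCONCLUSIVE;
    uint64_t med = median_cycles(samples, n);
    if (med == 0)
        return VERDICT_INCONCLUSIVE;
    uint64_t limit = baseline + baseline * tolerance_pct / 100;
    return med > limit ? VERDICT_SUSPECT : VERDICT_CLEAN;
}

int main(void)
{
    static const char *names[] = {"clean", "suspect", "inconclusive"};
    printf("native HVM: %s\n", names[classify_vmexit_timing(DOMAIN_HVM, SAMPLE_NATIVE, SAMPLE_COUNT, 5000, 20)]);
    printf("nested HVM: %s\n", names[classify_vmexit_timing(DOMAIN_HVM, SAMPLE_NESTED, SAMPLE_COUNT, 5000, 20)]);
    printf("nested PV:  %s\n", names[classify_vmexit_timing(DOMAIN_PV, SAMPLE_NESTED, SAMPLE_COUNT, 5000, 20)]);
    return 0;
}
```

A CLEAN verdict from an HVM probe says nothing about what PV domains on the same host can observe, which is why the PV case is reported separately.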
![Page 67: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/67.jpg)
HyperGuard vs. BluePill?
![Page 68: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/68.jpg)
Summary (of the whole trilogy)
![Page 69: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/69.jpg)
Talk #1 (Rafal)
![Page 70: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/70.jpg)
Modifying Xen via DMA attacks
![Page 71: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/71.jpg)
“Xen Loadable Modules” Framework
![Page 72: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/72.jpg)
Hypervisor Rootkits/Backdoors for Xen
(don’t confuse with virtualization-based rootkits!)
![Page 73: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/73.jpg)
Talk #2 (Joanna & Rafal)
![Page 74: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/74.jpg)
DMA protections (IOMMU/VT-d) on recent Xens
![Page 75: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/75.jpg)
Getting around VT-d Xen protection
(BONUS: on the fly SMM modification, despite D_LCK set)
![Page 76: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/76.jpg)
Other Xen protection mechanisms...
![Page 77: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/77.jpg)
... and how they sometimes might be bypassed...
Exploiting a heap overflow in Xen hypervisor
![Page 78: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/78.jpg)
HyperGuard - integrity scanner for a hypervisor
![Page 79: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/79.jpg)
Talk #3 (Alex & Joanna)
![Page 80: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/80.jpg)
Hardware Nested Virtualization
![Page 81: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/81.jpg)
Blue Pill Boot
![Page 82: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/82.jpg)
Xen Blue Pill: Bluepilling the Xen on the fly
![Page 83: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/83.jpg)
Discussed the XBP detection
![Page 84: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/84.jpg)
Slides available at: http://invisiblethingslab.com/bh08
Demos and code will be available from the same address after Intel releases the patch.
![Page 85: Bluepilling the Xen Hypervisor](https://reader036.fdocuments.us/reader036/viewer/2022071602/613d5d9f736caf36b75c78af/html5/thumbnails/85.jpg)
Thank you!