Attacking Firecracker: AWS' MicroVM Monitor Written in Rust

This is a pretty good writeup of a long-fixed Firecracker bug (CVE-2019-18960).<p>Firecracker is a KVM hypervisor, and so a Firecracker VM is a Linux process (running Firecracker). The guest OS sees &quot;physical memory&quot;, but that memory is, of course, just mapped pages in the Firecracker process (the &quot;host&quot;).<p>Modern KVM guests talk to their hosts with virtio, which is a common abstraction for a bunch of different device types that consists of queues of shared buffers. Virtio queues are used for network devices, block devices, and, apropos this bug, for vsocks, which are a sort of generic host-guest socket interface (vsock : host&#x2F;guest :: netlink : user&#x2F;kernel, except that Netlink is much better specified, and people just do sort of random stuff with vsocks. They&#x27;re handy.)<p>The basic deal with managing virtio vsock messages is that the guest is going to fill in and queue buffers on its side expecting the host to read from them, which means that when the host receives them, it needs to dereference pointers into guest memory. Which is not that big of a deal; this is, like, some of the basic functioning of a hypervisor. A running guest has a &quot;regions&quot; of physical memory that correspond to mapped pages in Firecracker on the host side; Firecracker just needs to keep tables of regions and their corresponding (host userland) memory ranges.<p>This table is usually pretty simple; it&#x27;s 1 entry long if the VM has less than 3.5G, and 2 entries if more. Unless you&#x27;re on ARM, in which case it&#x27;s always 1 entry, and the bug wasn&#x27;t exploitable.<p>The only tricky problem here for Firecracker is that we can&#x27;t trust the guest --- that&#x27;s the premise of a hypervisor! --- and a guest can try to create fucky messages with pointers into invalid memory, hoping that they&#x27;ll correspond to invalid memory ranges in the host that Firecracker will deference. And, indeed, in 2019, there was a case where that would happen: if you sent a vsock message, which is a tuple (header, base, size), where:<p>1. The guest had more than 3.5G of memory, so that Firecracker would have more than one region table entry<p>2. The base address landed in some valid entry in the table of regions<p>3. base+size lands in some other valid entry in the table of regions<p>There are two bugs: first, a validity check on virtio buffers doesn&#x27;t check to make sure that <i>both</i> base <i>and</i> base+size are in the same, valid region, and second, code that extracts the virtio vsock message does an address check on the buffer address with a size of 1 (in other words, just checking to see if the base address is valid, without respect to the size).<p>At any rate, because the memory handling code here deals with raw pointers, this was done in Rust `unsafe{}` blocks, and so this bug combination would theoretically let a guest trick Firecracker into writing into host memory outside of a valid guest memory range.<p>The hitch, which is as far as I know fatal: there&#x27;s nothing mapped in between regions in x86 Firecracker that you can write to: between a memory region and the no-mans-land memory region outside it, there always happen to be PROT_NONE guard pages†, so an overwrite will simply kill the Firecracker process. Since the attacker here already controls the guest kernel, crashing the guest this way doesn&#x27;t win you anything you didn&#x27;t already have.<p>† <i>And now, post-fix, there&#x27;s deliberately PROT_NONE guard pages around regions</i>

The fact that this doesn&#x27;t seem exploitable shows the value of defense in depth: although numerous safety measures were defeated, exploitation was ultimately blocked by a guard page. If that guard page hadn&#x27;t been there, the outcome could have been very bad. Still, it got closer to exploitable than anyone is comfortable with.

&gt; Currently, io_uring system calls are included in Firecracker’s seccomp filter. Because it redefines how system calls are executed, io_uring offers a seccomp bypass for the supported system calls. This is because seccomp filtering occurs on system call entry after a thread context switch, but system calls executed via io_uring do not go through the normal system call entry. Therefore, Firecracker’s seccomp policy should be treated as its union with all system calls supported by io_uring.<p>...<p>&gt; Because of the nature of system call filtering via seccomp, io_uring still presents a major security disruption in sandboxing.<p>This is pretty interesting as io_uring has been seen a lot of press as the hot new thing.

A lot of people have proposed using Rust for OS development. There are even plans to write Linux kernel modules in Rust.<p>I think this article is a very good demonstration of why Rust is not a silver bullet. It was created with userspace applications in mind and a system application is an entirely different beats.<p>Think about it this way: in C it is easy to shoot yourself in the foot. But in kernel space you can easily blow up the entire building.

Long story short: unsafe code can still be a source of vulnerabilities, even in a memory and thread-safe language. To me this sounds glaringly obvious.

tl;dr: The article describes the details of Firecrackers architecture and CVE-2019-18960, which (as you can imagine) got fixed long ago.

I was expecting a demo of an exploit, but what I got was code analysis and verbal handwaving. Anyone else feel like something was missing here?<p>Edit, I did learn cool new stuff tho, thanks.

&gt; Firecracker is comparable to QEMU; they are both VMMs that utilize KVM, a hypervisor built into the Linux kernel.<p>That&#x27;s not accurate: While KVM is mandatory for Firecracker, it isn&#x27;t for QEMU.