Advanced Threat Research

Increasingly, people around the world depend on technology for their daily activities. Making this technology trustworthy involves a deep understanding of how attacks work. By researching security vulnerabilities, the Advanced Threat Research (ATR) team in Intel Security discovers opportunities to drive toward more secure technology.

Home | Research | Threat Intelligence | CHIPSEC

Security of Virtualization Technologies

Last updated: 2016-04-18

Reaching Far Corners of Matrix: Generic VMM Fingerprinting | 2015-10-15

Last years there were not many studies on fingerprinting the virtualized environment. This talk is to fill the gap and provide generalized approach for VMM fingerprinting and detection. The approach exploits ISA corner cases handling by VMMs. The results for the most popular modern VMMs will be presented. They show that all the popular modern VMMs can be reliably identified just with several instructions from user mode.

SOURCE Seattle 2015 presentation

Attacking Hypervisors via Firmware and Hardware | 2015-08-05

At Black Hat USA 2015, the ATR team presented multiple attacks against hypervisors by targeting vulnerabilities in firmware and hardware.
This research builds on analysis of hypervisor implementations as well as vulnerabilities in system firmware. If the hypervisor does not fully isolate the system firmware from attacks within a guest VM, security issues in the underlying system may be exposed. This research presented multiple real-world bypasses of hypervisor security using already-known firmware vulnerabilities that happened to be exposed.

Black Hat USA 2015 presentation.

Demos from the presentation are available here:
PoC UEFI firmware rootkit stealing sensitive data from VMs.
PoC attack on Xen using a vulnerability in firmware S3 boot script.
PoC attack on Microsoft Hyper-V through SMI handler firmware.