Attack Tree Analysis for firecracker-microvm/firecracker

Objective: Gain Unauthorized Root-Level Access to Host or Another MicroVM

Attack Tree Visualization

Goal: Gain Unauthorized Root-Level Access to Host or Another MicroVM
├── 1. Escape the MicroVM Sandbox [HIGH RISK]
│   ├── 1.1 Exploit Firecracker VMM Vulnerabilities [HIGH RISK]
│   │   ├── 1.1.1 Device Emulation Bugs (e.g., virtio) [CRITICAL]
│   │   │   ├── 1.1.1.1 Buffer Overflow in virtio-net device handling
│   │   │   ├── 1.1.1.2 Use-After-Free in virtio-blk device handling
│   │   │   ├── 1.1.1.3 Integer Overflow in virtio ring handling
│   │   │   └── 1.1.1.4 Race Condition in virtio device access
│   │   └── 1.1.2.1 Incorrect Seccomp Filter Configuration [CRITICAL]
│   ├── 1.2 Exploit Kernel Vulnerabilities (via System Calls) [HIGH RISK]
│   │   ├── 1.2.1 Bypass Seccomp Filters (if misconfigured or a kernel bug exists)
│   │   └── 1.2.2 Exploit a 0-day Kernel Vulnerability [CRITICAL]
│   └── 1.3 Exploit Misconfigured Firecracker API [HIGH RISK]
│       └── 1.3.1 Insufficient Authentication/Authorization on API Socket [CRITICAL]
└── 2. Lateral Movement (After Escaping One MicroVM) [HIGH RISK]
    ├── 2.1 Exploit Shared Resources (if any) [HIGH RISK]
    │   ├── 2.1.1 Shared Filesystem (if configured) [CRITICAL]
    │   ├── 2.1.2 Shared Memory (if explicitly configured) [CRITICAL]
    │   └── 2.1.3 Shared Network Namespace (if misconfigured) [CRITICAL]
    └── 2.2 Exploit Host Vulnerabilities (from Escaped MicroVM)
        └── 2.2.1 Kernel Vulnerabilities (same as 1.2) [HIGH RISK]

  • 1. Escape the MicroVM Sandbox [HIGH RISK]
    • Description: This is the overarching goal of breaking out of the Firecracker microVM's isolation. Success here means the attacker has gained code execution outside the intended sandbox.
    • Sub-Vectors:
      • 1.1 Exploit Firecracker VMM Vulnerabilities [HIGH RISK]: Attacking the Firecracker Virtual Machine Monitor (VMM) directly.
        • 1.1.1 Device Emulation Bugs (e.g., virtio) [CRITICAL]:
          • Description: Firecracker emulates hardware devices (like network and block devices) using the virtio standard. Bugs in this emulation code are a prime target for attackers.
          • Specific Examples:
            • 1.1.1.1 Buffer Overflow in virtio-net: Sending malformed network packets that cause a buffer overflow in the VMM's handling of the virtio-net device.
            • 1.1.1.2 Use-After-Free in virtio-blk: Triggering a use-after-free condition in the virtio-blk device emulation by manipulating block device requests.
            • 1.1.1.3 Integer Overflow in virtio ring: Causing an integer overflow in the data structures used for communication between the guest and the VMM (the virtio ring).
            • 1.1.1.4 Race Condition in virtio device access: Exploiting a race condition in how the VMM handles concurrent access to the emulated devices.
        • 1.1.2.1 Incorrect Seccomp Filter Configuration [CRITICAL]:
          • Description: Firecracker uses seccomp to restrict the system calls that the microVM can make. If the seccomp profile is too permissive (or has a flaw), it allows the attacker to make dangerous system calls that could lead to an escape.
      • 1.2 Exploit Kernel Vulnerabilities (via System Calls) [HIGH RISK]: Even if Firecracker itself is secure, the underlying kernel can still be vulnerable.
        • 1.2.1 Bypass Seccomp Filters: If seccomp is misconfigured or a kernel bug allows bypassing it, the attacker can make arbitrary system calls.
        • 1.2.2 Exploit a 0-day Kernel Vulnerability [CRITICAL]: A previously unknown kernel vulnerability. This is the most dangerous but also the least likely scenario.
      • 1.3 Exploit Misconfigured Firecracker API [HIGH RISK]: Attacking the API used to manage Firecracker microVMs.
        • 1.3.1 Insufficient Authentication/Authorization on API Socket [CRITICAL]: If the API socket (used for communication with the Firecracker process) lacks proper authentication or authorization, an attacker could gain control over Firecracker and create, modify, or delete microVMs.
  • 2. Lateral Movement (After Escaping One MicroVM) [HIGH RISK]
    • Description: After successfully escaping one microVM, the attacker attempts to compromise other microVMs or the host system.
    • Sub-Vectors:
      • 2.1 Exploit Shared Resources (if any) [HIGH RISK]: Taking advantage of any resources shared between microVMs or between a microVM and the host.
        • 2.1.1 Shared Filesystem (if configured) [CRITICAL]: If a filesystem is mounted in multiple microVMs (or the host), an attacker can use it to read or write data, potentially compromising other systems.
        • 2.1.2 Shared Memory (if explicitly configured) [CRITICAL]: Similar to shared filesystems, shared memory regions can be used for inter-process communication and, if misconfigured, can be exploited for lateral movement.
        • 2.1.3 Shared Network Namespace (if misconfigured) [CRITICAL]: If microVMs share a network namespace, they can directly communicate with each other, bypassing network isolation.
      • 2.2 Exploit Host Vulnerabilities (from Escaped MicroVM)
        • 2.2.1 Kernel Vulnerabilities (same as 1.2) [HIGH RISK]: After escaping a microVM, the attacker is essentially running code on the host, and can then attempt to exploit kernel vulnerabilities to gain root privileges.
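For item 1.1.1.3, the bug class in miniature: a bounds check on a guest-supplied descriptor whose end address wraps, next to the same check with checked arithmetic. This is an added illustration, not Firecracker source; `Descriptor`, `in_bounds_wrapping` and `validate` are hypothetical names and the guest memory size is a constructed value.

```rust
// Added illustration, not Firecracker source. All names are hypothetical.

/// One descriptor as the guest writes it into the virtio ring:
/// a guest-physical address and a length, both guest-controlled.
#[derive(Clone, Copy)]
pub struct Descriptor {
    pub addr: u64,
    pub len: u32,
}

#[derive(Debug, PartialEq)]
pub enum DescError {
    AddressOverflow,
    OutOfBounds,
}

/// Flawed check: models addition that wraps silently, as unchecked integer
/// addition does in C or in a Rust release build.
pub fn in_bounds_wrapping(d: Descriptor, guest_mem_size: u64) -> bool {
    d.addr.wrapping_add(u64::from(d.len)) <= guest_mem_size
}

/// Hardened check: the end address is computed with checked arithmetic, so a
/// wrapped sum is rejected instead of being compared against the limit.
pub fn validate(d: Descriptor, guest_mem_size: u64) -> Result<std::ops::Range<u64>, DescError> {
    let end = d
        .addr
        .checked_add(u64::from(d.len))
        .ok_or(DescError::AddressOverflow)?;
    if end > guest_mem_size {
        return Err(DescError::OutOfBounds);
    }
    Ok(d.addr..end)
}

fn main() {
    let mem: u64 = 128 * 1024 * 1024; // constructed: a 128 MiB guest
    let samples = [
        Descriptor { addr: 0x1000, len: 512 },       // well-formed
        Descriptor { addr: u64::MAX - 15, len: 32 }, // end address wraps to 16
        Descriptor { addr: mem - 16, len: 32 },      // runs past guest memory
    ];
    for d in samples.iter().copied() {
        let (w, v) = (in_bounds_wrapping(d, mem), validate(d, mem));
        println!("{:#x}+{}: wrapping={} checked={:?}", d.addr, d.len, w, v);
    }
}
```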
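For item 1.3.1, a host-side audit of the API socket, added here as an example and not taken from the Firecracker project. It assumes the API is served on a Unix domain socket, so access is decided by the ownership and mode of the socket and its directory; the policy encoded in `findings` and every name in the block are assumptions of this example.

```rust
// Added example, not Firecracker code. Names and policy are assumptions.
use std::fs;
use std::io;
use std::os::unix::fs::{FileTypeExt, MetadataExt};
use std::path::Path;

/// What the audit needs to know about the socket and its directory.
pub struct SocketFacts {
    pub is_socket: bool,
    pub mode: u32,        // permission bits of the socket inode
    pub uid: u32,         // owner of the socket inode
    pub parent_mode: u32, // permission bits of the containing directory
}

/// Reads the facts from disk without following a symlink at `path`.
pub fn collect(path: &Path) -> io::Result<SocketFacts> {
    let meta = fs::symlink_metadata(path)?;
    let parent = match path.parent() {
        Some(p) if !p.as_os_str().is_empty() => p,
        _ => Path::new("."),
    };
    Ok(SocketFacts {
        is_socket: meta.file_type().is_socket(),
        mode: meta.mode() & 0o7777,
        uid: meta.uid(),
        parent_mode: fs::metadata(parent)?.mode() & 0o7777,
    })
}

/// Policy assumed here: only `expected_uid` may reach the socket, and no
/// other account may replace it inside its directory.
pub fn findings(f: &SocketFacts, expected_uid: u32) -> Vec<&'static str> {
    let checks = [
        (!f.is_socket, "path is not a Unix socket"),
        (f.mode & 0o077 != 0, "socket grants group/other access"),
        (f.uid != expected_uid, "socket owned by unexpected uid"),
        (f.parent_mode & 0o022 != 0, "parent directory is group/other writable"),
    ];
    checks.iter().filter(|c| c.0).map(|c| c.1).collect()
}

fn main() -> io::Result<()> {
    // Usage: <program> <api-socket-path> <expected-uid>
    let args: Vec<String> = std::env::args().collect();
    let (path, uid) = match (args.get(1), args.get(2).and_then(|s| s.parse::<u32>().ok())) {
        (Some(p), Some(u)) => (p, u),
        _ => return Err(io::Error::new(io::ErrorKind::InvalidInput, "usage: <socket> <uid>")),
    };
    for f in findings(&collect(Path::new(path))?, uid) {
        println!("FINDING: {}", f);
    }
    Ok(())
}
```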
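For items 1.1.2.1 and 2.1.3, a detection sketch over procfs text: it reports VMM processes that are not running in seccomp filter mode and network namespaces used by more than one VMM. This is an added example, not Firecracker code; `VmmProc`, `seccomp_mode` and `audit` are hypothetical names, and the status text and namespace identifiers in `main` are constructed samples.

```rust
// Added example, not Firecracker code. Struct and function names are hypothetical.
use std::collections::BTreeMap;

/// Facts about one VMM process, as text an operator can read from procfs.
pub struct VmmProc<'a> {
    pub pid: u32,
    pub status: &'a str, // contents of /proc/<pid>/status
    pub netns: &'a str,  // target of the /proc/<pid>/ns/net symlink
}

/// Value of the "Seccomp:" line: 0 = disabled, 1 = strict, 2 = filter.
pub fn seccomp_mode(status: &str) -> Option<u8> {
    status
        .lines()
        .find_map(|l| l.strip_prefix("Seccomp:"))
        .and_then(|v| v.trim().parse().ok())
}

/// Flags VMMs without an active seccomp filter and namespaces used by several VMMs.
pub fn audit(procs: &[VmmProc]) -> Vec<String> {
    let mut out = Vec::new();
    let mut by_ns: BTreeMap<&str, Vec<u32>> = BTreeMap::new();
    for p in procs {
        if seccomp_mode(p.status) != Some(2) {
            out.push(format!("pid {}: seccomp filter mode is not active", p.pid));
        }
        by_ns.entry(p.netns).or_default().push(p.pid);
    }
    for (ns, pids) in &by_ns {
        if pids.len() > 1 {
            out.push(format!("{} is shared by VMM pids {:?}", ns, pids));
        }
    }
    out
}

fn main() {
    // Constructed sample data, trimmed to the fields the audit reads.
    let filtered = "Name:\tfirecracker\nNoNewPrivs:\t1\nSeccomp:\t2\n";
    let unfiltered = "Name:\tfirecracker\nNoNewPrivs:\t0\nSeccomp:\t0\n";
    let procs = [
        VmmProc { pid: 101, status: filtered, netns: "net:[4026532501]" },
        VmmProc { pid: 102, status: unfiltered, netns: "net:[4026532501]" },
        VmmProc { pid: 103, status: filtered, netns: "net:[4026532777]" },
    ];
    for line in audit(&procs) {
        println!("{}", line);
    }
}
```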