
So, as CLA mentioned, I'm Izzy and I'm going to talk to you a bit about vsock. This is a method which a VM host and guest can use to communicate with each other without using a network.

Before we dive too much into this, I do have a few goals for this talk. The first is that you come out with an understanding of broadly what a vsock is, what they're used for, and a little bit on how you might use them practically in a project; thinking vsocks are kind of cool and neat and underused, perhaps; and also, as CLA mentioned about the shilling Rust, maybe thinking Rust is good.
So, what do I do? I triage incoming bug bounty reports for Microsoft, so it means I spend quite a lot of time looking at blue screens of death and then working out what actually caused that. This requires me to set up a lot of Windows instances. Once we've triaged the bug, we do some variant finding and we validate the fix once it's been written. I do some research as well, so I have this nice automation project which I'll talk about in a couple of minutes. I shill Rust. And in case anyone wants to ask me questions about these: I don't have anything to do with Azure teams, anything web or online related, I don't know about bug bounty payout, and I also don't write fixes.

So, the automation project that I just mentioned. Because we are getting proof-of-concept code from researchers, we don't know if it's malicious or not, and we don't want environments to be corrupted by other proofs of concept, so we have to spin up a single-use network for a VM every time, and they ideally are not internet connected either. To do this, I have this nice project which will set up a whole network. It has a little Linux router on it, and that uses Ansible. If anyone hasn't heard of that, it is mainly used for orchestrating large networks more permanently, but we can use it here to do automated configuration of things like domain controllers, and it's really nice.

Perhaps more helpfully, this slide has a nice diagram. The main thing I want to focus on here is actually that SSH here is on the network, and this is actually a weakness, because if it's on the network, other people on the same network as it can just SSH in if they can guess the password, and that's not ideal if it then has access to a potential zero day. So in this initial instance we do the setup and then we
disconnect it from the internet, and then we run the proof of concept once we know the environment is configured correctly. Not quite ideal, but hopefully we can fix it.

To fix this, I discovered there's this thing called vsock and, as I mentioned earlier, it does allow communication between a guest and host without a network. It does this using the VMBus, and the way that the VMBus works is it presents a device to the virtual machine, and the virtual machine will then communicate with it with a protocol. So no network, which is kind of neat. There are two main address families: there is AF_HYPERV and AF_VSOCK. The main difference here is that one of them is more Windows-y.

PowerShell Direct is another way of using this, which is just supported in PowerShell if you've installed Hyper-V. Sorry, I do use Hyper-V, so if you came here for Linux, sorry. And hvc, which I'll go into briefly as well, so that's Hyper-V connect; that is talked about a little bit further on in this talk.

First I thought I'd talk a little bit about how the Kali tweaks works, which configures xrdp to use vsock, because this is probably what most people in the audience have used, right? The first thing it does is it configures xrdp, so it installs it if it's not installed, and then it just changes the configuration to use
vsock, and then you run one PowerShell command to tell it to use a vsock instead of an HV sock in the host, and that's it. So what does the config change look like? Well, this is what it does: all it does is replace the port number with vsock colon slash slash and then that number again, which seems pretty simple. I won't show the PowerShell command that's used as well. You have to turn off the VM, run the command, and then restart it, or, if you think ahead, run it before you start the VM.

So can we do this for SSH? It turns out yes, yes we can. If anyone knows what the SSH config looks like, it looks exactly like this, except that we just add this vsock colon colon, and then if we restart the service it will now listen on the vsock instead. We can test this by using hvc, as I mentioned earlier. It comes with Hyper-V and it's basically just a wrapper around SSH, SCP, serial and a couple of other commands, and it's really nice. Not many people actually know it exists; it's super handy. I have a demonstration on the next slide. Here all I've done is I've run hvc and then the normal SSH command. The only difference is that after the @, where you normally specify the IP or the host name, you specify the VM name instead, and then you SSH as normal. I've got netstat here, and that shows SSH is just not listening on the network, but we've SSH'd in, which is kind of nice.

So could we do this programmatically, and in Rust? Well, it turns out hvc must be doing this, so we can. But AF_HYPERV isn't supported by any crates at the minute. vsock is supported by the socket2 crate, I believe, but not this one. So unfortunately my rather messy code, which I opted not to include, is using some rather nasty raw C-y calls from the windows crate, some sad
bindings to C, but importantly it did in fact work. What this gives us is quite a few bonuses, I think, that I get to talk about slightly more later. But here's the nice diagram from earlier. So now we can just SSH via vsock, no network connection needed. We can do all our configuration with no network involved. This lets us have better control over the network, well, over that Linux router, without the network.

So what we've got is a few project wins. It's more reliable, or, some people would argue, more predictable. We have no network attack surface anymore. We gain some potential new features.

In terms of more reliable, we get this cool new feature where, when you connect the network adapter to the VM again, it sometimes might take a few seconds to get any network, which is kind of annoying. It's acting as a router; I actually want the internet connection now. So we can reconnect it and then SSH in over the vsock before it's got an IP address, and then run dhclient. Magic, instant connection. Maybe there shouldn't be that delay, but so nice.

Just going to drop back into this one. So, the less attack surface: yeah, like I said, we now just have no network. We've got new features, so we can now copy files to VMs using PowerShell Direct. That is just a feature of PowerShell Direct; it's super nice. You can copy files, you can run arbitrary PowerShell, and it just works. I use this a lot for copying case files over.

Unfortunately, what I did want to add to this talk, but didn't quite get time to, was I wanted to be like, yes, great, we now have support for AF_HYPERV in socket2 or similar, but I haven't had time to quite publish it. I think this would be quite a simple change if anyone would like to take it on; otherwise I will eventually get round to it. So socket2 is quite an important crate for Rust because it's
used in basically everything, and adding crate that support there would be pretty great. But also no one really is aware of vsocks, I think, even though a lot of things use them quietly under the hood, and I think it'd be really cool if we started to see them more, because it's so nice to be able to gain reliability, usability and more security. Just having this removed from the network entirely is magical. The other benefit that you get in terms of predictability is if, for example, your VM gets put on a different VLAN, which does happen, you now can't SSH in, because that's just not there. So we are no longer relying on the external network conditions at all, and it's just fabulous. And yeah, as I mentioned, to copy files directly to the guest and run PowerShell commands directly. Perfect.

This is the bit where I wish that I had slightly more content, because I dramatically overestimated the red time that I would have had. I'm very sorry, but I'm really hoping in this apparently rather brief talk that you've learned that vsocks are cool and that we can actually gain usability and security, and also, yeah, that's just kind of neat. So, in lieu of more content, does anyone have any
questions?

One of your points was that service was achieved bywork did

So the question was, do I foresee vsocks becoming an attack surface? One of the things about vsocks is that to open them you already need to have Hyper-V admin on the host, and so I think at this point you would have already compromised the VM. But I do wonder about whether it could be attackable going the other way, if a b already exists. And possibly, I think you'd be looking more for a problem with the protocol itself though, so you'd be looking for an issue in SSH potentially, or the carrier protocols, say IPv6 TC there just something.

The question was, is it encapsulated by TCP still? So, sorry, effectively what I got (hope this answers the question) from all my horrible raw C-y calls was just a Winsock socket, and so I then just passed it to the SSH library that I was already using. So in exchange for an open socket via the network, I just passed it an open vsock socket. Does that answer the question? It was very seamless and magical when I could just go, here's a different number, use that.
A lot of your, a lot of your talk was using is it possible to do the same things with Linux?

So the question is, is it possible to do the same thing with Linux? I believe that it is, because you can have enhanced sessions on Linux, and Linux does have support for vsocks in the kernel code, because guess what I ended up reading a bit of when I was writing this code. So I believe that it should be; it's just a slightly different address family on it. But because I was mainly focused on Windows and Hyper-V, I didn't spend as much time on this.

Anyone else? If anyone has any questions about bug bounty triage or anything like, I can ask questions about this as well. Otherwise it might be a rather early break. Michelle asks, has anyone asked about the ducks? What ducks, Michelle? Nope. Chicken back there though, and we do have a a q mu

Yep, sorry this is underrun, but hope it was informative anyway.