Malware Detection by Signature Matching in a Hypervisor

Transcription

1 Computer Security Symposium October 1 November oyama@inf.uec.ac.jp kawasaki@ol.inf.uec.ac.jp BVMD MWS 2012 BVMD BitVisor BVMD OS Malware Detection by Signature Matching in a Hypervisor Yoshihiro Oyama Yudai Kawasaki The University of Electro-Communications Chofugaoka, Chofu-shi, Tokyo , JAPAN oyama@inf.uec.ac.jp kawasaki@ol.inf.uec.ac.jp Abstract We report the result of experiments in which we detected malware in the MWS 2012 malware dataset by using BVMD, a hypervisor that provides a malware detection mechanism. BVMD is implemented by extending a parapass-through hypervisor BitVisor. BVMD applies signature matching against data blocks that are transmitted between the guest OS and devices such as hard disks. 1 OS OS PC OS Conficker [8] OS BVMD [6] BVMD VMM OS

2 guest OS device driver control I/O hypervisor data I/O parapass-through driver monitoring/ verification enforcing security hardware 1: BitVisor BVMD OS OS OS BVMD BitVisor [10] BitVisor BVMD OS 1 BVMD PC BVMD BVMD BVMD OS OS OS BVMD OS OS BitVisor BVMD OS 2012 (MWS2012) [5] BVMD BVMD OS BVMD 2 BitVisor BVMD BitVisor BVMD BitVisor BitVisor VMM OS VMM BitVisor Trusted Computing Base (TCB) BitVisor 1 hypervisor BitVisor BitVisor I/O I/O I/O OS

3 parapass-through driver data I/O signatures 52fd5f c c c c... 65f85b5ec9c e automaton generation module signature automaton matching module 2: I/O BitVisor parapass-through driver OS I/O I/O I/O I/O I/O I/O I/O BitVisor I/O I/O BitVisor VPN 2.2 BVMD BVMD OS BVMD BitVisor I/O 2 automaton generation module matching module Aho-Corasick [1] BVMD ClamAV [2] BVMD VMM BitVisor BVMD VMM BVMD [14] BVMD OS BVMD I/O I/O BVMD OS OS OS [6] OS Windows

4 main.hdb: d0e0c049ed7056eac8bb :162516:worm.kido-160 main.mdb: 12288:b0df5fa4a5e588c6e ca29c:Trojan.Agent main.db: Worm.Blaster.A (Clam)= e04edffffff746f c4f f55... main.ndb: Trojan.Dropper-18535:1:EP+0:807c f85c be dbe00c0ffff57 3: ClamAV Linux VMM BVMD BVMD OS OS VRAM VMM [13] OS 3 OS OS OS OS ClamAV ClamAV.hdb.mdb.db.ndb ClamAV 3 main.hdb main.mdb PE main.db main.ndb BVMD ClamAV.db.ndb

5 disk blocks malware signature combined blocks 4: BVMD BVMD.ndb BVMD 2.4 false positive false negative BVMD BVMD OS BVMD OS BVMD Linux ext3 Windows NTFS 3 BVMD MWS

6 1: computer Dell Optiplex 990 CPU chipset memory hard disk Intel Core i GHz Intel Q67 Express 16 GB Seagate ST AS VMM BitVisor 1.2 guest OS Ubuntu 12.04, Linux generic-pae BVMD OS ClamAV ClamAV ClamAV ClamAV Trojan.Crypt-106, Trojan.Downloader-59911, Trojan.Dropper , Trojan.Dropper-20380, Worm.Autorun Trojan.Downloader-59911, Trojan.Dropper-20380, Worm.Autorun UPX ClamAV UPX ClamAV 2 ClamAV ClamAV 114 Trojan. Crypt Trojan.Dropper BVMD BVMD OS BVMD VMwatcher [4] VM OS OS VMwatcher OS BVMD VMM BVMD OS OS OS OS VMM VMwatcher Zhang [12] Trend Micro Deep Security [11] Livewire [3] Lares [7] BitVisor BVMD TCB SecVisor [9] BitVisor BVMD VMM SecVisor OS integrity

7 OS 5 BitVisor BVMD MWS JSPS [1] Alfred V. Aho and Margaret J. Corasick. Efficient String Matching: An Aid to Bibliographic Search. Communications of the ACM, 18(6): , [2] Clam AntiVirus. net/. [3] Tal Garfinkel and Mendel Rosenblum. A Virtual Machine Introspection Based Architecture for Intrusion Detection. In Proceedings of the 10th Annual Network and Distributed System Security Symposium, [4] Xuxian Jiang, Xinyuan Wang, and Dongyan Xu. Stealthy Malware Detection and Monitoring through VMM- Based Out-of-the-Box Semantic View Reconstruction. ACM Transactions on Information and System Security, 13(2), [5] MWS2012. MWS 2012 Datasets. about.html#datasets. [6] Yoshihiro Oyama, Tran Truong Duc Giang, Yosuke Chubachi, Takahiro Shinagawa, and Kazuhiko Kato. Detecting Malware Signatures in a Thin Hypervisor. In Proceedings of the 27th ACM Symposium on Applied Computing, pages , [7] Bryan D. Payne, Martim Carbone, Monirul Sharif, and Wenke Lee. Lares: An Architecture for Secure Active Monitoring Using Virtualization. In Proceedings of the 2008 IEEE Symposium on Security and Privacy, pages , [8] Phillip Porras, Hassen Saidi, and Vinod Yegneswaran. An Analysis of Conficker Logic and Rendezvous Points. Technical report, SRI International, http: //mtc.sri.com/conficker/. [9] Arvind Seshadri, Mark Luk, Ning Qu, and Adrian Perrig. SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes. In Proceedings of the 21st ACM Symposium on Operating Systems Principles, pages , [10] Takahiro Shinagawa, Hideki Eiraku, Kouichi Tanimoto, Kazumasa Omote, Shoichi Hasegawa, Takashi Horie, Manabu Hirano, Kenichi Kourai, Yoshihiro Oyama, Eiji Kawai, Kenji Kono, Shigeru Chiba, Yasushi Shinjo, and Kazuhiko Kato. BitVisor: A Thin Hypervisor for Enforcing I/O Device Security. In Proceedings of the 2009 ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (VEE 2009), pages ,

8 [11] Trend Micro. Deep Security. emea.trendmicro.com/emea/products/ enterprise/deep-security/. [12] Youhui Zhang, Yu Gu, Hongyi Wang, and Dongsheng Wang. Virtual-Machinebased Intrusion Detection on File-aware Block Level Storage. In Proceedings of the 18th International Symposium on Computer Architecture and High Performance Computing (SBAC-PAD 06), pages , [13],. ADvisor: OS. OS, volume 2011-OS-118, [14],. VMM. OS, volume 2012-OS-122,