Understanding DMA Malware

Transcription

1 Technische Universität Berlin Security in Telecommunications Weiss Understanding DMA Malware DIMVA2012 9th Conference on Detection of Intrusions and Malware & Vulnerability Assessment Patrick Stewin and Iurii Bystrov,, Heraklion, Greece

2 Malicious Software Arms Race top secret (wwwhsbccouk) Countermeasures Anti-virus, firewalls, etc Stealth attacks, see rootkit evolution 2

3 Dedicated Hardware Video Card NIC Memory Access Memory Access µcontroller Memory Access Memory Controller Controller Memory CPU Main Memory Separated Execution Environments 3

4 Common Hardware (HW) Features Host CPU Applications OS Kernel Direct Memory Access DMA Engine DMA capable Device Runtime Memory Runtime Memory Firmware Processor In/Outgoing Data Direct Memory Access (DMA) capable Computer Platform Precondition for stealth malware 1st party DMA: CPU CPU 2 IRQ Dedicated HW Dedicated HW DMA DMA Memory Memory 1 DMA Dedicated HW Dedicated HW DMA 4

5 DMA Malware Definition More than controlling a DMA engine Malware functionality executed on dedicated HW No physical access Rootkit/stealth capabilities Optional: Survival of power off mode 5

6 DMA Malware Properties Three phases Search Process data Exfiltration/infiltration MCH MCH (Northbridge) (Northbridge) Management Engine (embedded µcontroller) SRAM ARC4 Core 1110 ROM DMA DMA Malware RAM RAM DMA Capable Device Integrated in Intel Chipsets Core functionality Virtual/physical memory address mapping Overcoming address randomization Search space restriction 6

7 Comparison of DMA Attacks USB [Maynor '05] no Without Physical Access no no Survives Reboot/ Standby/ Power off Firewire [Dornseif et al'04/'05] & [Boileau'06] no no NIC [Delugre'10] no no () Video+NIC [Triulzi'08/'10] this work () Malware Functionality PCMCIA [Aumaitre et al'10] ME [Tereshkin'09] NIC [Duflot et al'10] Rootkit/Stealth Capabilities 7

8 DAGGER Our DMA Malware Example MCH (Northbridge) DmA based keylogger Management Engine ARC4 Core Implements all three phases Search keyboard buffer Monitor keyboard buffer Exfiltrate keystroke codes DAGGER SRAM ROM DMA RAM RAM ICH (Southbridge) LAN Controller Wired Wireless OOB OOB PHY Evaluation of core functionalities Network DAGGER Monitoring the Host's Keyboard Buffer Proof of concept for stealing short-living runtime data stealthily! Infiltration via security vulnerability 8

9 DAGGER Implementation Different search strategies Virtual/physical memory address mapping Windows Linux page tables offset Address randomization randomization mechanism in place no randomization Search space Object Manager restrictions Namespace Directory address ranges Platform: Intel Q35 chipset, 2GB RAM, 4-core 3GHz CPU 9

10 Search Time in ms (scale type: log10) Evaluation Several Operating System Kernels Test Run 10

11 Evaluation Attacking Linux Harddisk Encryption Aggressive search mode Linux Unified Key Setup (LUKS)/ Device Mapper's crypt (dm-crypt) setup DAGGER can catch pre boot authentication passphrase 11

12 Evaluation Anti-virus software, firewalls, Wireshark, Mamutu, etc Several USB keyboards Windows swap behavior Performance overhead for host system Manageability Engine firmware condition Status tools Active Management Technology webserver 12

13 Countermeasures Input/Output Memory Management Unit (I/OMMU) Intel: Virtualization Technology for Directed I/O (VT-d) Issues Missing (Windows) or experimental (Linux) drivers CoPilot [Petroni et al'04]/deepwatch [Bulygin'08] or DAGGER? policy conflict Attack with DAGGER's execution environment DMA Malware DMA Malware 1a DMA DMA #DMAR' = #DMAR 1 1 #DMAR BIOS 2 4 Memory Memory Bootloader 3 #DMAR' VT-d VT-d configure System Software 5 DMA Malware Modifying the Number of DMA Remapping Engines (DMAR, part of VT-d) 13

14 Conclusion DMA Malware definition Focus on stealth attacks Evaluation of DMA Malware core functionalities DMA Malware is Effective Efficient enough for real attacks Specialized countermeasures must be developed 14

15 Technische Universität Berlin Security in Telecommunications Weiss Understanding DMA Malware DIMVA2012 9th Conference on Detection of Intrusions and Malware & Vulnerability Assessment Patrick Stewin and Iurii Bystrov,, Heraklion, Greece

16 Technische Universität Berlin Security in Telecommunications Backup

17 Background x86 Platform CPU Video Video Card Card GPU VRAM MCH MCH (Northbridge) (Northbridge) RAM Manageability Engine (embedded µcontroller) VT-d NIC NIC Processor RAM SATA Controller Flash BIOS Firmware: ME, NIC ICH ICH (Southbridge) (Southbridge) FireWire Controller USB Controller Further Further PCIe Add-in Card(s) Card(s) PCI-to-PCIe Bridge 17

18 DAGGER Example DmA based KeyloGGER Malware Implementation based on Intel Manageability Engine (ME) Executes firmware such as Active Management Technology, Identity Protection Technology, Integrated Trusted Platform Module, etc Objectives Find keyboard buffer Permanently monitor keyboard buffer Exfiltrate keystroke codes MCH (Northbridge) Manageability Engine ARC4 Core SRAM ROM DMA ICH (Southbridge) LAN Controller Wired Wireless OOB PHY Normal System RAM ME RAM Flash Flash BIOS ME FW OOB

19 Windows Attack Details BIOS MBR Memory Buffer bootmgr winloadexe? OslpLoadAllModules Buffer address stable for one system May vary from system to system Step I haldll Image Kernel Image KiInitialPCR Constant relative virtual address Step II OMND (Hash Table) 19: KdVersionBlock KiInitialPCR 16: Driver Device 24: Object Directory Driver (Hash Table) 36: ObpRootDirectoryObject KdDebuggerDataBlock kbdhid i8042prt Device Object DeviceExtension Driver Object kbdhid Driver Object i8042prt DeviceExtension Structure Keystroke Code Buffer 19

20 Linux Attack Details If pointer mod 0x400 == 0 Constant offset struct usb_device *dev Start URB signature scan dma_addr_t transfer_dma && 2 If field mod 0x20 == 0 Check physical buffer address for garbage 3 1 Check substrings USB and Keyboard USB Device Structure Constant offset USB Request Block Structure char *product If substrings USB and Keyboard found 20

21 DAGGER Evaluation Performance Overhead, Windows Host 21

22 Evaluation Performance Overhead, Linux Host 22

23 Evaluation Effectiveness and Efficiency Several Operating System Kernels Windows 7 Windows Vista Linux 300 Linux 2632 Several Keyboards Logitech Dell FujitsuSiemens Swap file behavior Windows 7 23

24 Evaluation Several Keyboards, Windows Host 24

25 Evaluation Several Keyboards, Linux Host 25

26 Evaluation Swap File Behavior, Windows Host 26

27 Evaluation ME Firmware Condition Different hooking strategies for Windows and Linux attacks Windows Local Manageability Service driver AMT Status Tool Manageability Developer Toolkit Manageability Connector Tool Linux Intel AMT Open-source Tools and Drivers ME Status ZTCLocalAgent AMT webserver 27