Malware: Prevenire (e curare) con strumenti open-source
|
|
- Magnus McGee
- 8 years ago
- Views:
Transcription
1 Malware: Prevenire (e curare) con strumenti open-source Roberto Paleari Linux Day 2011 Modena, 22 ottobre 2011
2 Who am I? PhD Research activities Malware analysis Systems & applications security Laboratorio di Sicurezza e Reti (LaSeR) Senior security consultant Penetration testing Reverse engineering Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 2
3 The rise of malicious code Number of new signatures 21,000,000 17,500,000 14,000,000 10,500,000 7,000,000 3,500, Period Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 3
4 The rise of malicious code Today malware is a very lucrative activity Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 3
5 The rise of malicious code Who lasts longer earns the most... Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 3
6 Long lasting malware Spread/replicate fast Hide the presence on the system Obfuscate the code (e.g., encryption, polymorphism, metamorphism) Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 4
7 Long lasting malware Spread/replicate fast Hide the presence on the system Obfuscate the code (e.g., encryption, polymorphism, metamorphism) Traditional signature-based approaches are not effective anymore! Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 4
8 Wait... +?? Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 5
9 Wait... +?? Why malware infects? Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 5
10 Wait... +?? Why malware infects? Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 5
11 Wait... +?? So, why should we care about malware? Linux is not free from malware! The majority of embedded devices runs Linux Many Linux users use Windows emulators (e.g., WINE) or virtual machines Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 5
12 How malware is detected today? Application code Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 6
13 How malware is detected today? Application code + + A signature is a sequence of bytes that identifies a malicious sample Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 6
14 How malware is detected today? Application code Anti-malware tools are shipped with a database of known signatures Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 6
15 How malware is detected today? When a signature is found, the application is considered to be infected Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 6
16 Why signature-based detection is not effective anymore? E.g., Packing Malicious code is hidden behind 1 + compression layers Unpacking is performed at run-time Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 7
17 Why signature-based detection is not effective anymore? E.g., Packing Malicious code is hidden behind 1 + compression layers Unpacking is performed at run-time Malicious code Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 7
18 Why signature-based detection is not effective anymore? E.g., Packing Malicious code is hidden behind 1 + compression layers Unpacking is performed at run-time Unpacking routine Malicious code Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 7
19 Why signature-based detection is not effective anymore? E.g., Packing Malicious code is hidden behind 1 + compression layers Unpacking is performed at run-time Unpacking routine Unpacking routine Malicious code Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 7
20 Why signature-based detection is not effective anymore? E.g., Packing Malicious code is hidden behind 1 + compression layers Unpacking is performed at run-time Unpacking routine Unpacking routine Malicious code > 80% malware samples are packed 200 packer families, with 2000 variants Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 7
21 Current trend for malware analysis and detection Static analysis is either too onerous or impossible (malware is obfuscated & self-modifying) Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 8
22 Current trend for malware analysis and detection Static analysis is either too onerous or impossible (malware is obfuscated & self-modifying) Dynamic, behavior-based malware analysis Run the suspicious program and monitor its execution Does it behave maliciously? Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 8
23 Dynamic analysis Run-time monitoring of closed-source applications Suspicious applications should be always executed inside a controlled environment! Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 9
24 Dynamic analysis Run-time monitoring of closed-source applications Suspicious applications should be always executed inside a controlled environment! What kind of events can be observed? Interaction with the environment (e.g., files, networking activity, library functions) Interaction with the OS (e.g., system calls) Low-level information (e.g., registers and memory values) Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 9
25 Dynamic analysis Tools All Linux distribution include several run-time monitoring tools lsof, netstat, /proc/<pid>/*, tcpdump,... Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 10
26 Dynamic analysis Tools All Linux distribution include several run-time monitoring tools lsof, netstat, /proc/<pid>/*, tcpdump,... ltrace $ ltrace /bin/ls 2>&1 head -n 20 libc_start_main(0x804e5f0, 1,... <unfinished...> setlocale(6, ) = it_it.iso @euro bindtextdomain(coreutils, /usr/share/locale) = /usr/share/locale textdomain(coreutils) = coreutils cxa_atexit(0x , 0, 0, 0xb7f01ff4, 0xbf95cf98) = 0 isatty(1) = 0 getenv(quoting_style) = NULL... getenv(block_size) = NULL getenv(columns) = NULL ioctl(1, 21523, 0xbf95cf6c) = Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 10
27 Dynamic analysis Tools All Linux distribution include several run-time monitoring tools lsof, netstat, /proc/<pid>/*, tcpdump,... ltrace strace $ strace /bin/ls 2>&1 head -n 10 execve(/bin/ls, [/bin/ls], [/* 34 vars */]) = 0 brk(0) = 0x8e93000 access(/etc/ld.so.nohwcap, F_OK) = -1 ENOENT (No such file) mmap2(null, 8192, PROT_READ PROT_WRITE, MAP_PRIVATE MAP_ANON, -1, 0) = 0xb7f74000 access(/etc/ld.so.preload, R_OK) = -1 ENOENT (No such file) open(/etc/ld.so.cache, O_RDONLY) = 3 fstat64(3, st_mode=s_ifreg 0644, st_size=58489,...) = 0 mmap2(null, 58489, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f65000 close(3) = 0 access(/etc/ld.so.nohwcap, F_OK) = -1 ENOENT (No such file)... Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 10
28 Dynamic analysis Tools All Linux distribution include several run-time monitoring tools lsof, netstat, /proc/<pid>/*, tcpdump,... ltrace strace... and what about? Most of these tools have a counterpart for For a nifty Windows system call tracer, try WUSSTrace :-) Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 10
29 Dynamic analysis Do you want something more? Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 11
30 Dynamic analysis Do you want something more? Introducing ProcessTap A dynamic tracing framework Leverages dynamic binary instrumentation to intercept the events of interest ProcessTap scripts are written in Python! Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 11
31 Dynamic analysis ProcessTap: An example What ProcessTap scripts look like? 1 #!/usr/bin/env processtap 2 3 include("stdlib.h") 4 == "malloc") 6 def malloc_entry(ctx): 7 print "[F] >>> %s called from %.8x with argument %u" % \ 8 (ctx.function_name, ctx.caller, ctx.args[0]) 9 >> ["open", "close"]) 11 def fexit(ctx): 12 print "[S] <<< %s returning to %.8x" % (ctx.syscall_name, ctx.regs.rip) Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 12
32 Dynamic analysis ProcessTap: An example What ProcessTap scripts look like? 1 $./examples/malloctrace.pcap -- /usr/bin/id 2 [*] Started parser (listening on 45352) 3 [*] Executable file: /usr/bin/id 4 [*] PTAP file:./examples/malloctrace.pcap 5 [*] Loaded 344 system calls 6 [*] Parsing stdlib.h (123 functions) 7 [*] Loaded probes: 8 [*] function_entry 9 [+] (function_name malloc_entry 10 [*] syscall_exit 11 [+] ((syscall_name == 5) (syscall_name == 6)) fexit 12 [*] Parsing /usr/bin/id [ f544] 13 [*] Parsing /lib/i386-linux-gnu/ld-2.13.so [ b b57ae908] [S] <<< open returning to b771aef4 16 [S] <<< close returning to b771af2d 17 [*] Parsing /lib/i386-linux-gnu/libselinux.so.1 [ b52ef b530dc3c] 18 [*] Parsing /lib/i386-linux-gnu/i686/cmov/libc-2.13.so [ b b526b978] 19 [*] Parsing /lib/i386-linux-gnu/i686/cmov/libdl-2.13.so [ b4bf b4bf9078] [S] <<< open returning to b [S] <<< close returning to b uid=1000(roby) gid=1000(roby) groups=1000(roby),6(disk),20(dialout),24(cdrom),25(floppy), 24 29(audio),40(src),44(video),46(plugdev),107(fuse),109(netdev),110(lpadmin),114(vboxusers) 25 [*] Backend terminated with exit status 0 Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 12
33 Try it!
34 Limitations of dynamic approaches Dynamic solutions are not free from limitations, especially when dealing with malicious applications Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 14
35 Limitations of dynamic approaches User-level approaches are not enough often includes kernel-level components In these situations, user-level anti-malware solutions are ineffective Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 14
36 Limitations of dynamic approaches User-level approaches are not enough often includes kernel-level components In these situations, user-level anti-malware solutions are ineffective Non-transparency The analysis tool can be detected If detects the analyzer, it behaves like Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 14
37 Limitations of dynamic approaches High run-time overhead End hosts have strict real-time constraints If the analysis takes too much, the detector assumes a suspicious program is Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 14
38 Limitations of dynamic approaches High run-time overhead End hosts have strict real-time constraints If the analysis takes too much, the detector assumes a suspicious program is How to remediate an infected system? Remediation procedures included in anti-malware tools are often impecise Can we generate these procedures automatically? Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 14
39 Transparent and efficient analysis How to monitor the execution of a suspicious program? (worst-case scenario: kernel-level malware) Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 15
40 Transparent and efficient analysis How to monitor the execution of a suspicious program? (worst-case scenario: kernel-level malware) Kernel-based analysis Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 15
41 Transparent and efficient analysis How to monitor the execution of a suspicious program? (worst-case scenario: kernel-level malware) Kernel-based analysis Out-of-the-box analysis Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 15
42 Kernel-based approaches The analysis tool is implemented as a kernel module To analyze kernel-level code, these approaches leverage another kernel-level module... Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 16
43 Kernel-based approaches The analysis tool is implemented as a kernel module To analyze kernel-level code, these approaches leverage another kernel-level module it is like a dog chasing its tail! Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 16
44 Out-of-the-box approaches The analyzer leverages VM-introspection techniques The target system must be already running inside a VM Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 17
45 Out-of-the-box approaches The analyzer leverages VM-introspection techniques The target system must be already running inside a VM can detect when it is running inside a VM! Source: A fistful of red-pills (R. Paleari, L. Martignoni, G. Fresi Roglia, D. Bruschi) Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 17
46 How to analyze kernel-level malware?? Kernel-based analysis Out-of-the-box analysis Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 18
47 How to analyze kernel-level malware? Exploit hardware support for virtualization to achieve both efficiency and transparency Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 18
48 Hardware-assisted virtualization in a nutshell (Intel VT-x) R3 App App App R0 Kernel Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 19
49 Hardware-assisted virtualization in a nutshell (Intel VT-x) R3 App App App R3 App App App R0 Kernel R0 Kernel Root mode Hypervisor Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 19
50 Hardware-assisted virtualization in a nutshell (Intel VT-x) R3 App App App R3 App App App R0 Kernel R0 Kernel Root mode Hypervisor The OS needs not to be modified The hardware guarantees transparency & isolation Minimal overhead Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 19
51 HyperDbg An overview User process User process User mode Kernel mode Operating system kernel Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 20
52 HyperDbg An overview User process User process User mode Kernel mode Operating system kernel Exit Inspect Non-root mode Root mode Analysis tool Framework The framework is installed as the target system runs. It is completely separated and more privileged than the analyzed OS Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 20
53 HyperDbg An overview User process User process User mode Kernel mode Operating system kernel Exit Inspect Non-root mode Root mode Analysis tool Framework The analyzed OS needs not to be modified at all (i.e., the approach can be applied to closed-source OSes) Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 20
54 HyperDbg An overview User process User process User mode Kernel mode Operating system kernel Exit Inspect Non-root mode Root mode Analysis tool Framework The analysis tool runs in an isolated execution environment (a defect in the tool does not affect the stability of the OS) Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 20
55 HyperDbg An overview User process User process User mode Kernel mode Operating system kernel Non-root mode Root mode Analysis tool Framework At the end of the analysis, the infrastructure can be removed on-the-fly Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 20
56 HyperDbg Implementation User interface We cannot rely on the guest OS graphic libraries A small VGA driver to interact with the system s video card The driver is neither OS nor hardware dependent Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 21
57 HyperDbg Implementation User interface We cannot rely on the guest OS graphic libraries A small VGA driver to interact with the system s video card The driver is neither OS nor hardware dependent User interaction An user can activate HyperDbg by pressing an hot-key In non-root mode keystrokes are intercepted by leveraging VT-x functionalities (i.e., IOOperationPort events) In root mode a simple driver reads the keystrokes Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 21
58 HyperDbg Graphical user interface Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 22
59 Try it! It supports both and
60 Remediation of a system infected by a malware Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 24
61 Remediation of a system infected by a malware To reinstall the system or to remediate the infection? Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 24
62 Remediation of a system infected by a malware To reinstall the system or to remediate the infection? Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 24
63 -specific material!
64 A sample malware 1. Generates random file and key names file = po + rand() + rand() + rand() +.exe key = rand() % 2? qv : vq 2. Drop malicious exe c:\windows\ + file 3. Start the new exe at boot KEY LOCAL MACHINE +...\Windows\CurrentVersion\Run\ + key, file 4. Infect system dll user32.dll 5. Hijack network traffic c:\windows\system32\drivers\etc\hosts, Delete main exe Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 26
65 Sound and complete remediation of malware infection 1. Generates random file and key names file = po + rand() + rand() + rand() +.exe key = rand() % 2? qv : vq 2. Drop malicious exe Remove malicious exe c:\windows\ + file 3. Start the new exe at boot Remove registry key KEY LOCAL MACHINE +...\Windows\CurrentVersion\Run\ + key, file 4. Infect system dll Restore original dll user32.dll 5. Hijack network traffic Remove malicious mappings c:\windows\system32\drivers\etc\hosts, Delete main exe Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 27
66 Automatic generation of remediation procedures C 1 Behavior monitoring Cluster generalization C 2 C 3 Remediation procedure generation S 1 S 4 S 3 S 2 C1 C2 C3 High-level behavior analysis B 1 B 2 B 3 B 4 Behavior clustering Source: Automatic Generation of Remediation Procedures for Malware Infections (R. Paleari et al.) Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 28
67 Automatic generation of remediation procedures C 1 Behavior monitoring Cluster generalization C 2 C 3 Remediation procedure generation S 1 S 4 S 3 S 2 C1 C2 C3 High-level behavior analysis B 1 B 2 B 3 B 4 Behavior clustering Source: Automatic Generation of Remediation Procedures for Malware Infections (R. Paleari et al.) Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 28
68 Automatic generation of remediation procedures C 1 Behavior monitoring Cluster generalization C 2 C 3 Remediation procedure generation S 1 S 4 S 3 S 2 C1 C2 C3 High-level behavior analysis B 1 B 2 B 3 B 4 Behavior clustering Source: Automatic Generation of Remediation Procedures for Malware Infections (R. Paleari et al.) Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 28
69 Automatic generation of remediation procedures C 1 Behavior monitoring Cluster generalization C 2 C 3 Remediation procedure generation S 1 S 4 S 3 S 2 C1 C2 C3 High-level behavior analysis B 1 B 2 B 3 B 4 Behavior clustering Source: Automatic Generation of Remediation Procedures for Malware Infections (R. Paleari et al.) Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 28
70 Does it work? % activities reverted Files (primary) Files (ancillary) Reg. keys (primary) Reg. keys (ancillary) Processes (primary) Processes (ancillary) Our approach Nod32 Panda Kaspersky Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 29
71 Want to try it? Drop me a line ;-)
72 Conclusions Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 31
73 Conclusions Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 31
74 Conclusions Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 31
75 Conclusions Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 31
76 Questions? Roberto Paleari
Software Development Tools for Embedded Systems. Hesen Zhang
Software Development Tools for Embedded Systems Hesen Zhang What Are Tools? a handy tool makes a handy man What Are Software Development Tools? Outline Debug tools GDB practice Debug Agent Design Debugging
More informationFull and Para Virtualization
Full and Para Virtualization Dr. Sanjay P. Ahuja, Ph.D. 2010-14 FIS Distinguished Professor of Computer Science School of Computing, UNF x86 Hardware Virtualization The x86 architecture offers four levels
More informationA Survey on Virtual Machine Security
A Survey on Virtual Machine Security Jenni Susan Reuben Helsinki University of Technology jreubens@cc.hut.fi Abstract Virtualization plays a major role in helping the organizations to reduce the operational
More informationMcAfee Deep Safe. Security beyond the OS. Kai-Ping Seidenschnur Senior Security Engineer. October 16, 2012
McAfee Deep Safe Security beyond the OS Kai-Ping Seidenschnur Senior Security Engineer October 16, 2012 Intel/McAfee Initiatives: epo Deep Command and Deep Defender McAfee epo Deep Command Security Management
More informationIntroduction to Virtual Machines
Introduction to Virtual Machines Introduction Abstraction and interfaces Virtualization Computer system architecture Process virtual machines System virtual machines 1 Abstraction Mechanism to manage complexity
More informationFine-grained covert debugging using hypervisors and analysis via visualization
Reverse Engineering by Crayon: Game Changing Hypervisor and Visualization Analysis Fine-grained covert debugging using hypervisors and analysis via visualization Daniel A. Quist Lorie M. Liebrock Offensive
More informationRootkit: Analysis, Detection and Protection
Rootkit: Analysis, Detection and Protection Igor Neri Sicurezza Informatica Prof. Bistarelli 1/34 Definition of Rootkit A rootkit is malware which consists of a set of programs designed to hide or obscure
More informationParasitics: The Next Generation. Vitaly Zaytsev Abhishek Karnik Joshua Phillips
Parasitics: The Next Generation. Vitaly Zaytsev Abhishek Karnik Joshua Phillips Agenda Overview W32/Xpaj analysis Overview of a virtual machine Software protection trends W32/Winemmem analysis W32/Induc
More informationFile Disinfection Framework (FDF) Striking back at polymorphic viruses
File Disinfection Framework (FDF) Striking back at polymorphic viruses 1 CONTENTS Introduction 3 File Disinfection Framework (FDF) 4 Disinfection solution development today 5 Goals 6 Target audience 6
More informationVMware and CPU Virtualization Technology. Jack Lo Sr. Director, R&D
ware and CPU Virtualization Technology Jack Lo Sr. Director, R&D This presentation may contain ware confidential information. Copyright 2005 ware, Inc. All rights reserved. All other marks and names mentioned
More informationMulti-core Programming System Overview
Multi-core Programming System Overview Based on slides from Intel Software College and Multi-Core Programming increasing performance through software multi-threading by Shameem Akhter and Jason Roberts,
More informationVirtualization for Cloud Computing
Virtualization for Cloud Computing Dr. Sanjay P. Ahuja, Ph.D. 2010-14 FIS Distinguished Professor of Computer Science School of Computing, UNF CLOUD COMPUTING On demand provision of computational resources
More informationWHITEPAPER INTRODUCTION TO CONTAINER SECURITY. Introduction to Container Security
Introduction to Container Security Table of Contents Executive Summary 3 The Docker Platform 3 Linux Best Practices and Default Docker Security 3 Process Restrictions 4 File & Device Restrictions 4 Application
More informationKaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking
Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking Today s bank customers can perform most of their financial activities online. According to a global survey
More informationVirtualization Technology. Zhiming Shen
Virtualization Technology Zhiming Shen Virtualization: rejuvenation 1960 s: first track of virtualization Time and resource sharing on expensive mainframes IBM VM/370 Late 1970 s and early 1980 s: became
More informationUses for Virtual Machines. Virtual Machines. There are several uses for virtual machines:
Virtual Machines Uses for Virtual Machines Virtual machine technology, often just called virtualization, makes one computer behave as several computers by sharing the resources of a single computer between
More informationHypervisor-Based, Hardware-Assisted System Monitoring
Horst Görtz Institute for IT-Security, Chair for System Security VMRay GmbH Hypervisor-Based, Hardware-Assisted System Monitoring VB2013 October 2-4, 2013 Berlin Carsten Willems, Ralf Hund, Thorsten Holz
More informationDistributed and Cloud Computing
Distributed and Cloud Computing K. Hwang, G. Fox and J. Dongarra Chapter 3: Virtual Machines and Virtualization of Clusters and datacenters Adapted from Kai Hwang University of Southern California March
More informationBasics of Virtualisation
Basics of Virtualisation Volker Büge Institut für Experimentelle Kernphysik Universität Karlsruhe Die Kooperation von The x86 Architecture Why do we need virtualisation? x86 based operating systems are
More informationAnalysis of a Suspect Program: Linux
Chapter 10 Analysis of a Suspect Program: Linux Solutions in this chapter: Analysis Goals Guidelines for Examining a Malicious Executable Program Establishing the Environment Baseline Pre-Execution Preparation:
More informationVirtual Machines. www.viplavkambli.com
1 Virtual Machines A virtual machine (VM) is a "completely isolated guest operating system installation within a normal host operating system". Modern virtual machines are implemented with either software
More informationHow To Stop A Malicious Process From Running On A Hypervisor
Hypervisor-Based Systems for Malware Detection and Prevention Yoshihiro Oyama ( 大 山 恵 弘 ) The University of Electro-Communications ( 電 気 通 信 大 学 ), Tokyo, Japan This Talk I introduce two hypervisor-based
More informationThe Value of Physical Memory for Incident Response
The Value of Physical Memory for Incident Response MCSI 3604 Fair Oaks Blvd Suite 250 Sacramento, CA 95864 www.mcsi.mantech.com 2003-2015 ManTech Cyber Solutions International, All Rights Reserved. Physical
More informationAutomating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com
Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com A number of devices are running Linux due to its flexibility and open source nature. This has made Linux platform
More informationGetting Ahead of Malware
IT@Intel White Paper Intel Information Technology Security December 2009 Getting Ahead of Malware Executive Overview Since implementing our security event monitor and detection processes two years ago,
More informationHypervisors. Introduction. Introduction. Introduction. Introduction. Introduction. Credits:
Hypervisors Credits: P. Chaganti Xen Virtualization A practical handbook D. Chisnall The definitive guide to Xen Hypervisor G. Kesden Lect. 25 CS 15-440 G. Heiser UNSW/NICTA/OKL Virtualization is a technique
More informationReverse Engineering by Crayon: Game Changing Hypervisor and Visualization Analysis
Reverse Engineering by Crayon: Game Changing Hypervisor and Visualization Analysis Game Changing Hypervisor Based Malware Analysis and Visualization Danny Quist Lorie Liebrock New Mexico Tech Computer
More informationVirtualization Technologies
12 January 2010 Virtualization Technologies Alex Landau (lalex@il.ibm.com) IBM Haifa Research Lab What is virtualization? Virtualization is way to run multiple operating systems and user applications on
More informationNetworking for Caribbean Development
Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g Virtualization: Architectural Considerations and Implementation Options Virtualization Virtualization is the
More informationVIRTUALIZATION INTROSPECTION SYSTEM ON KVM-BASED CLOUD COMPUTING PLATFORMS. 100356010@nccu.edu.tw Advisor: yuf@nccu.edu.tw Software Security Lab.
VIRTUALIZATION INTROSPECTION SYSTEM ON KVM-BASED CLOUD COMPUTING PLATFORMS 100356010@nccu.edu.tw Advisor: yuf@nccu.edu.tw Software Security Lab. Motivation The era of cloud computing Motivation In the
More informationOperating System Interface Obfuscation and the Revealing of Hidden Operations
Operating System Interface Obfuscation and the Revealing of Hidden Operations Abhinav Srivastava 1 Andrea Lanzi 1,2 Jonathon Giffin 1 1 School of Computer Science, Georgia Institute of Technology 2 Dipartimento
More informationSolution Paper. Virtualization security solutions provide a competitive advantage to service providers IaaS, PaaS and SaaS
Solution Paper Virtualization security solutions provide a competitive advantage to service providers IaaS, PaaS and SaaS Contents About this Document...3 Executive Overview...3 Introduction...4 Brief
More informationSecurity+ Guide to Network Security Fundamentals, Third Edition. Chapter 2 Systems Threats and Risks
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 2 Systems Threats and Risks Objectives Describe the different types of software-based attacks List types of hardware attacks Define
More informationCOS 318: Operating Systems. Virtual Machine Monitors
COS 318: Operating Systems Virtual Machine Monitors Kai Li and Andy Bavier Computer Science Department Princeton University http://www.cs.princeton.edu/courses/archive/fall13/cos318/ Introduction u Have
More informationHow do Users and Processes interact with the Operating System? Services for Processes. OS Structure with Services. Services for the OS Itself
How do Users and Processes interact with the Operating System? Users interact indirectly through a collection of system programs that make up the operating system interface. The interface could be: A GUI,
More informationVirtualization in Linux
Virtualization in Linux Kirill Kolyshkin September 1, 2006 Abstract Three main virtualization approaches emulation, paravirtualization, and operating system-level virtualization are covered,
More informationCIT 480: Securing Computer Systems. Malware
CIT 480: Securing Computer Systems Malware Topics 1. Anti-Virus Software 2. Virus Types 3. Infection Methods 4. Rootkits 5. Malware Analysis 6. Protective Mechanisms 7. Malware Factories 8. Botnets Malware
More informationExploiting the x86 Architecture to Derive Virtual Machine State Information
2010 Fourth International Conference on Emerging Security Information, Systems and Technologies Exploiting the x86 Architecture to Derive Virtual Machine State Information Jonas Pfoh, Christian Schneider,
More informationCOM 444 Cloud Computing
COM 444 Cloud Computing Lec 3: Virtual Machines and Virtualization of Clusters and Datacenters Prof. Dr. Halûk Gümüşkaya haluk.gumuskaya@gediz.edu.tr haluk@gumuskaya.com http://www.gumuskaya.com Virtual
More informationChapter 14 Analyzing Network Traffic. Ed Crowley
Chapter 14 Analyzing Network Traffic Ed Crowley 10 Topics Finding Network Based Evidence Network Analysis Tools Ethereal Reassembling Sessions Using Wireshark Network Monitoring Intro Once full content
More informationOS Security. Malware (Part 2) & Intrusion Detection and Prevention. Radboud University Nijmegen, The Netherlands. Winter 2015/2016
OS Security Malware (Part 2) & Intrusion Detection and Prevention Radboud University Nijmegen, The Netherlands Winter 2015/2016 A short recap Different categories of malware: Virus (self-reproducing, needs
More informationLASTLINE WHITEPAPER. In-Depth Analysis of Malware
LASTLINE WHITEPAPER In-Depth Analysis of Malware Abstract Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse).
More informationVirtualization. Jukka K. Nurminen 23.9.2015
Virtualization Jukka K. Nurminen 23.9.2015 Virtualization Virtualization refers to the act of creating a virtual (rather than actual) version of something, including virtual computer hardware platforms,
More informationReal World and Vulnerability Protection, Performance and Remediation Report
Real World and Vulnerability Protection, Performance and Remediation Report A test commissioned by Symantec Corporation and performed by AV-Test GmbH Date of the report: September 17 th, 2014, last update:
More informationIntel Virtualization Technology Overview Yu Ke
Intel Virtualization Technology Overview Yu Ke SSG System Software Division Agenda Virtualization Overview Intel Virtualization Technology 2 What is Virtualization VM 0 VM 1 VM n Virtual Machines (VMs)
More informationIntel Embedded Virtualization Manager
White Paper Kelvin Lum Fee Foon Kong Platform Application Engineer, ECG Penang Intel Corporation Kam Boon Hee (Thomas) Marketing Development Manager, ECG Penang Intel Corporation Intel Embedded Virtualization
More informationEvading Android Emulator
Evading Android Emulator Thanasis Petsas petsas@ics.forth.gr petsas@ics.forth.gr - www.syssec-project.eu 1 What is a Virtual Machine? A software based computer that functions like a physical machine A
More informationWindows Server Virtualization & The Windows Hypervisor
Windows Server Virtualization & The Windows Hypervisor Brandon Baker Lead Security Engineer Windows Kernel Team Microsoft Corporation Agenda - Windows Server Virtualization (WSV) Why a hypervisor? Quick
More informationEnd to End Defense against Rootkits in Cloud Environment. Design- Part 2
End to End Defense against Rootkits in Cloud Environment Design- Part 2 Sachin Shetty Associate Professor Electrical and Computer Engineering Director, Cybersecurity Laboratory Tennessee State University
More informationEnd to End Defense against Rootkits in Cloud Environment Sachin Shetty
End to End Defense against Rootkits in Cloud Environment Sachin Shetty Associate Professor Electrical and Computer Engineering Director, Cybersecurity Laboratory Tennessee State University Tennessee State
More informationChapter 5 Cloud Resource Virtualization
Chapter 5 Cloud Resource Virtualization Contents Virtualization. Layering and virtualization. Virtual machine monitor. Virtual machine. Performance and security isolation. Architectural support for virtualization.
More informationELEC 377. Operating Systems. Week 1 Class 3
Operating Systems Week 1 Class 3 Last Class! Computer System Structure, Controllers! Interrupts & Traps! I/O structure and device queues.! Storage Structure & Caching! Hardware Protection! Dual Mode Operation
More informationAnalysis of advanced issues in mobile security in android operating system
Available online atwww.scholarsresearchlibrary.com Archives of Applied Science Research, 2015, 7 (2):34-38 (http://scholarsresearchlibrary.com/archive.html) ISSN 0975-508X CODEN (USA) AASRC9 Analysis of
More informationVirtualization. Types of Interfaces
Virtualization Virtualization: extend or replace an existing interface to mimic the behavior of another system. Introduced in 1970s: run legacy software on newer mainframe hardware Handle platform diversity
More informationFighting Advanced Threats
Fighting Advanced Threats With FortiOS 5 Introduction In recent years, cybercriminals have repeatedly demonstrated the ability to circumvent network security and cause significant damages to enterprises.
More informationSecurity Intelligence Services. Cybersecurity training. www.kaspersky.com
Kaspersky Security Intelligence Services. Cybersecurity training www.kaspersky.com CYBERSECURITY TRAINING Leverage Kaspersky Lab s cybersecurity knowledge, experience and intelligence through these innovative
More informationVirtual Machine Monitors. Dr. Marc E. Fiuczynski Research Scholar Princeton University
Virtual Machine Monitors Dr. Marc E. Fiuczynski Research Scholar Princeton University Introduction Have been around since 1960 s on mainframes used for multitasking Good example VM/370 Have resurfaced
More informationOS Security. Malware. Radboud University Nijmegen, The Netherlands. Winter 2014/2015
OS Security Malware Radboud University Nijmegen, The Netherlands Winter 2014/2015 Last week... OS Security Malware 2 A short recap Important concept to reduce covert channels and possible damage by an
More informationx86 ISA Modifications to support Virtual Machines
x86 ISA Modifications to support Virtual Machines Douglas Beal Ashish Kumar Gupta CSE 548 Project Outline of the talk Review of Virtual Machines What complicates Virtualization Technique for Virtualization
More informationmatasano Hardware Virtualization Rootkits Dino A. Dai Zovi
Hardware Virtualization Rootkits Dino A. Dai Zovi Agenda Introductions Virtualization (Software and Hardware) Intel VT-x (aka Vanderpool ) VM Rootkits Implementing a VT-x based Rootkit Detecting Hardware-VM
More informationKVM: Kernel-based Virtualization Driver
KVM: Kernel-based Virtualization Driver White Paper Overview The current interest in virtualization has led to the creation of several different hypervisors. Most of these, however, predate hardware-assisted
More informationNested Virtualization
Nested Virtualization Dongxiao Xu, Xiantao Zhang, Yang Zhang May 9, 2013 Agenda Nested Virtualization Overview Dive into Nested Virtualization Details Nested CPU Virtualization Nested MMU Virtualization
More informationMicrokernels, virtualization, exokernels. Tutorial 1 CSC469
Microkernels, virtualization, exokernels Tutorial 1 CSC469 Monolithic kernel vs Microkernel Monolithic OS kernel Application VFS System call User mode What was the main idea? What were the problems? IPC,
More informationVirtualization. Jia Rao Assistant Professor in CS http://cs.uccs.edu/~jrao/
Virtualization Jia Rao Assistant Professor in CS http://cs.uccs.edu/~jrao/ What is Virtualization? Virtualization is the simulation of the software and/ or hardware upon which other software runs. This
More informationHardware-Assisted Virtualization and its Applications to Systems Security
UNIVERSITÀ DEGLI STUDI DI MILANO Facoltà di Scienze Matematiche, Fisiche e Naturali Dipartimento di Informatica DOTTORATO DI RICERCA IN INFORMATICA XXVI CICLO SETTORE SCIENTIFICO DISCIPLINARE INF/01 INFORMATICA
More informationSubVirt: Implementing malware with virtual machines
SubVirt: Implementing malware with virtual machines Samuel T. King Peter M. Chen University of Michigan {kingst,pmchen}@umich.edu Yi-Min Wang Chad Verbowski Helen J. Wang Jacob R. Lorch Microsoft Research
More informationChapter 3 Operating-System Structures
Contents 1. Introduction 2. Computer-System Structures 3. Operating-System Structures 4. Processes 5. Threads 6. CPU Scheduling 7. Process Synchronization 8. Deadlocks 9. Memory Management 10. Virtual
More informationCPS221 Lecture: Operating System Structure; Virtual Machines
Objectives CPS221 Lecture: Operating System Structure; Virtual Machines 1. To discuss various ways of structuring the operating system proper 2. To discuss virtual machines Materials: 1. Projectable of
More informationCAS : A FRAMEWORK OF ONLINE DETECTING ADVANCE MALWARE FAMILIES FOR CLOUD-BASED SECURITY
CAS : A FRAMEWORK OF ONLINE DETECTING ADVANCE MALWARE FAMILIES FOR CLOUD-BASED SECURITY ABHILASH SREERAMANENI DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING SEOUL NATIONAL UNIVERSITY OF SCIENCE AND TECHNOLOGY
More informationIntro to NSX. Network Virtualization. 2014 VMware Inc. All rights reserved.
Intro to NSX Network Virtualization 2014 VMware Inc. All rights reserved. Agenda Introduction NSX Overview Details: Microsegmentation NSX Operations More Information SDDC/Network Virtualization Security
More informationEnterprise-Class Virtualization with Open Source Technologies
Enterprise-Class Virtualization with Open Source Technologies Alex Vasilevsky CTO & Founder Virtual Iron Software June 14, 2006 Virtualization Overview Traditional x86 Architecture Each server runs single
More informationComprehensive Security for Internet-of-Things Devices With ARM TrustZone
Comprehensive Security for Internet-of-Things Devices With ARM TrustZone Howard Williams mentor.com/embedded Internet-of-Things Trends The world is more connected IoT devices are smarter and more complex
More informationA Unified View of Virtual Machines
A Unified View of Virtual Machines First ACM/USENIX Conference on Virtual Execution Environments J. E. Smith June 2005 Introduction Why are virtual machines interesting? They allow transcending of interfaces
More informationSurvey on virtual machine security
Survey on virtual machine security Bright Prabahar P Post Graduate Scholar Karunya university Bijolin Edwin E Assistant professor Karunya university Abstract Virtualization takes a major role in cloud
More informationVirtual Servers. Virtual machines. Virtualization. Design of IBM s VM. Virtual machine systems can give everyone the OS (and hardware) that they want.
Virtual machines Virtual machine systems can give everyone the OS (and hardware) that they want. IBM s VM provided an exact copy of the hardware to the user. Virtual Servers Virtual machines are very widespread.
More informationLast Class: OS and Computer Architecture. Last Class: OS and Computer Architecture
Last Class: OS and Computer Architecture System bus Network card CPU, memory, I/O devices, network card, system bus Lecture 3, page 1 Last Class: OS and Computer Architecture OS Service Protection Interrupts
More informationFRONT FLYLEAF PAGE. This page has been intentionally left blank
FRONT FLYLEAF PAGE This page has been intentionally left blank Abstract The research performed under this publication will combine virtualization technology with current kernel debugging techniques to
More informationSECURE IMPLEMENTATIONS OF CONTENT PROTECTION (DRM) SCHEMES ON CONSUMER ELECTRONIC DEVICES
SECURE IMPLEMENTATIONS OF CONTENT PROTECTION (DRM) SCHEMES ON CONSUMER ELECTRONIC DEVICES Contents Introduction... 3 DRM Threat Model... 3 DRM Flow... 4 DRM Assets... 5 Threat Model... 5 Protection of
More informationChapter 2 System Structures
Chapter 2 System Structures Operating-System Structures Goals: Provide a way to understand an operating systems Services Interface System Components The type of system desired is the basis for choices
More informationSome Anti-Worm Efforts at Microsoft. Acknowledgements
Some Anti-Worm Efforts at Microsoft Helen J. Wang System and Networking Research Group Microsoft Research Oct 29, 2004 1 Acknowledgements Matt Braverman, Opher Dubrovsky, John Dunagan, Louis Lafreniere,
More informationIntel s Virtualization Extensions (VT-x) So you want to build a hypervisor?
Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor? Mr. Jacob Torrey February 26, 2014 Dartmouth College 153 Brooks Road, Rome, NY 315.336.3306 http://ainfosec.com @JacobTorrey
More informationExample of Standard API
16 Example of Standard API System Call Implementation Typically, a number associated with each system call System call interface maintains a table indexed according to these numbers The system call interface
More informationCS 356 Lecture 25 and 26 Operating System Security. Spring 2013
CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control
More informationKVM: A Hypervisor for All Seasons. Avi Kivity avi@qumranet.com
KVM: A Hypervisor for All Seasons Avi Kivity avi@qumranet.com November 2007 Virtualization Simulation of computer system in software Components Processor: register state, instructions, exceptions Memory
More informationBHyVe. BSD Hypervisor. Neel Natu Peter Grehan
BHyVe BSD Hypervisor Neel Natu Peter Grehan 1 Introduction BHyVe stands for BSD Hypervisor Pronounced like beehive Type 2 Hypervisor (aka hosted hypervisor) FreeBSD is the Host OS Availability NetApp is
More informationHow To Understand The Power Of A Virtual Machine Monitor (Vm) In A Linux Computer System (Or A Virtualized Computer)
KVM - The kernel-based virtual machine Timo Hirt timohirt@gmx.de 13. Februar 2010 Abstract Virtualization has been introduced in the 1960s, when computing systems were large and expensive to operate. It
More informationHacker s Perspective on your Windows Infrastructure: Windows 10 Mandatory Check List
Hacker s Perspective on your Windows Infrastructure: Windows 10 Mandatory Check List Paula Januszkiewicz CQURE: CEO, Penetration Tester CQURE Offices: New York, Dubai, Warsaw MVP: Enterprise Security,
More informationTechnical Brief Distributed Trusted Computing
Technical Brief Distributed Trusted Computing Josh Wood Look inside to learn about Distributed Trusted Computing in Tectonic Enterprise, an industry-first set of technologies that cryptographically verify,
More informationPFP Technology White Paper
PFP Technology White Paper Summary PFP Cybersecurity solution is an intrusion detection solution based on observing tiny patterns on the processor power consumption. PFP is capable of detecting intrusions
More informationVISA SECURITY ALERT December 2015 KUHOOK POINT OF SALE MALWARE. Summary. Distribution and Installation
VISA SECURITY ALERT December 2015 KUHOOK POINT OF SALE MALWARE Distribution: Merchants, Acquirers Who should read this: Information security, incident response, cyber intelligence staff Summary Kuhook
More informationThe Microsoft Windows Hypervisor High Level Architecture
The Microsoft Windows Hypervisor High Level Architecture September 21, 2007 Abstract The Microsoft Windows hypervisor brings new virtualization capabilities to the Windows Server operating system. Its
More informationVirtualization in Linux KVM + QEMU
CS695 Topics in Virtualization and Cloud Computing KVM + QEMU Senthil, Puru, Prateek and Shashank 1 Topics covered KVM and QEMU Architecture VTx support CPU virtualization in KMV Memory virtualization
More informationJukka Ylitalo Tik-79.5401 TKK, April 24, 2006
Rich Uhlig, et.al, Intel Virtualization Technology, Computer, published by the IEEE Computer Society, Volume 38, Issue 5, May 2005. Pages 48 56. Jukka Ylitalo Tik-79.5401 TKK, April 24, 2006 Outline of
More informationMODULE 3 VIRTUALIZED DATA CENTER COMPUTE
MODULE 3 VIRTUALIZED DATA CENTER COMPUTE Module 3: Virtualized Data Center Compute Upon completion of this module, you should be able to: Describe compute virtualization Discuss the compute virtualization
More informationIntel Virtualization Technology (VT) in Converged Application Platforms
Intel Virtualization Technology (VT) in Converged Application Platforms Enabling Improved Utilization, Change Management, and Cost Reduction through Hardware Assisted Virtualization White Paper January
More informationAdvanced Computer Networks. Network I/O Virtualization
Advanced Computer Networks 263 3501 00 Network I/O Virtualization Patrick Stuedi Spring Semester 2014 Oriana Riva, Department of Computer Science ETH Zürich 1 Outline Last week: Today: Software Defined
More informationCloud Computing. Up until now
Cloud Computing Lecture 11 Virtualization 2011-2012 Up until now Introduction. Definition of Cloud Computing Grid Computing Content Distribution Networks Map Reduce Cycle-Sharing 1 Process Virtual Machines
More informationRun-Time Deep Virtual Machine Introspection & Its Applications
Run-Time Deep Virtual Machine Introspection & Its Applications Jennia Hizver Computer Science Department Stony Brook University, NY, USA Tzi-cker Chiueh Cloud Computing Center Industrial Technology Research
More informationInternational Journal of Scientific & Engineering Research, Volume 5, Issue 1, January-2014 ISSN 2229-5518 1299
1299 TITLE Virtualization security in Data Centres & cloud Prof Sarita Dhawale. Ashoka Center for Business & Computer Studies,Nashik Head of Department of Computer Science University of Pune, Maharashtra.
More informationVirtualization: Hypervisors for Embedded and Safe Systems. Hanspeter Vogel Triadem Solutions AG
1 Virtualization: Hypervisors for Embedded and Safe Systems Hanspeter Vogel Triadem Solutions AG 2 Agenda Use cases for virtualization Terminology Hypervisor Solutions Realtime System Hypervisor Features
More information