Hypervisor-Based, Hardware-Assisted System Monitoring



Similar documents
Nested Virtualization

Practical Protection of Kernel Integrity for Commodity OS from Untrusted Extensions

A Hypervisor IPS based on Hardware assisted Virtualization Technology

Virtual machines and operating systems

Secure In-VM Monitoring Using Hardware Virtualization

Virtualization Technology. Zhiming Shen

Uses for Virtual Machines. Virtual Machines. There are several uses for virtual machines:

kvm: Kernel-based Virtual Machine for Linux

Exploiting the x86 Architecture to Derive Virtual Machine State Information

Kernel Virtual Machine

How To Understand The Power Of A Virtual Machine Monitor (Vm) In A Linux Computer System (Or A Virtualized Computer)

Virtualization. ! Physical Hardware. ! Software. ! Isolation. ! Software Abstraction. ! Encapsulation. ! Virtualization Layer. !

Intel Virtualization Technology Overview Yu Ke

Abstract. 1. Introduction. 2. Threat Model

Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor?

x86 ISA Modifications to support Virtual Machines

Virtual Machine Security

Hybrid Virtualization The Next Generation of XenLinux

Virtual Machines. COMP 3361: Operating Systems I Winter

Full and Para Virtualization

FRONT FLYLEAF PAGE. This page has been intentionally left blank

Virtualization in Linux KVM + QEMU

Virtualization. Jukka K. Nurminen

Nested Virtualization

Machine Virtualization: Efficient Hypervisors, Stealthy Malware

RPM Brotherhood: KVM VIRTUALIZATION TECHNOLOGY

Jukka Ylitalo Tik TKK, April 24, 2006

Compromise-as-a-Service

Windows Server Virtualization & The Windows Hypervisor

Distributed Systems. Virtualization. Paul Krzyzanowski

Code Injection From the Hypervisor: Removing the need for in-guest agents. Matt Conover & Tzi-cker Chiueh Core Research Group, Symantec Research Labs

Cloud^H^H^H^H^H Virtualization Technology. Andrew Jones May 2011

CS5460: Operating Systems. Lecture: Virtualization 2. Anton Burtsev March, 2013

Storm Worm & Botnet Analysis

Security Challenges in Virtualized Environments

Virtualization for Cloud Computing

Virtualization. P. A. Wilsey. The text highlighted in green in these slides contain external hyperlinks. 1 / 16

Windows Kernel Internals for Security Researchers

Brian Walters VMware Virtual Platform. Linux J. 1999, 63es, Article 6 (July 1999).

Hardware Based Virtualization Technologies. Elsie Wahlig Platform Software Architect

Attacking Hypervisors via Firmware and Hardware

Virtualization and the U2 Databases

VMware and CPU Virtualization Technology. Jack Lo Sr. Director, R&D

Chapter 5 Cloud Resource Virtualization

Knut Omang Ifi/Oracle 19 Oct, 2015

Implementation of a Purely Hardware-assisted VMM for x86 Architecture

Virtual Hosting & Virtual Machines

Virtualization. Pradipta De

System Virtual Machines

How To Stop A Malicious Process From Running On A Hypervisor

Security Overview of the Integrity Virtual Machines Architecture

Basics of Virtualisation

Melde- und Analysestelle Informationssicherung MELANI Torpig/Mebroot Reverse Code Engineering (RCE)

Outline. Outline. Why virtualization? Why not virtualize? Today s data center. Cloud computing. Virtual resource pool

Survey On Hypervisors

Control your corner of the cloud.

Virtualization VMware Inc. All rights reserved

Enterprise-Class Virtualization with Open Source Technologies

Understanding Full Virtualization, Paravirtualization, and Hardware Assist. Introduction...1 Overview of x86 Virtualization...2 CPU Virtualization...

Basics in Energy Information (& Communication) Systems Virtualization / Virtual Machines

CS 695 Topics in Virtualization and Cloud Computing. More Introduction + Processor Virtualization

Virtualization Technologies

Attacking Hypervisors via Firmware and Hardware

Distributed and Cloud Computing

Windows Server Virtualization & The Windows Hypervisor. Background and Architecture Reference

Confinement Problem. The confinement problem Isolating entities. Example Problem. Server balances bank accounts for clients Server security issues:

Introduction to Virtual Machines

Virtualization. Types of Interfaces

WHITE PAPER. AMD-V Nested Paging. AMD-V Nested Paging. Issue Date: July, 2008 Revision: 1.0. Advanced Micro Devices, Inc.

Clouds, Virtualization and Security or Look Out Below

IOS110. Virtualization 5/27/2014 1

x86 Virtualization Hardware Support Pla$orm Virtualiza.on

Virtualization. Clothing the Wolf in Wool. Wednesday, April 17, 13

Chapter 16: Virtual Machines. Operating System Concepts 9 th Edition

Parasitics: The Next Generation. Vitaly Zaytsev Abhishek Karnik Joshua Phillips

Virtualization. Jia Rao Assistant Professor in CS

Evading Android Emulator

Bluepilling the Xen Hypervisor

Taming Hosted Hypervisors with (Mostly) Deprivileged Execution

Inside Windows Rootkits

Virtualization Technology

Clouds Under the Covers. Elgazzar - CISC Fall

Hypervisors. Introduction. Introduction. Introduction. Introduction. Introduction. Credits:

Lares: An Architecture for Secure Active Monitoring Using Virtualization

I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich

Intel Virtualization Technology for Directed I/O

Attacking Host Intrusion Prevention Systems. Eugene Tsyrklevich

Introduction to Virtual Machines

CPS221 Lecture: Operating System Structure; Virtual Machines

AMD 64 Virtualization

Intel Virtualization Technology and Extensions

ProMoX: A Protocol Stack Monitoring Framework

matasano Hardware Virtualization Rootkits Dino A. Dai Zovi

The Microsoft Windows Hypervisor High Level Architecture

Transcription:

Horst Görtz Institute for IT-Security, Chair for System Security VMRay GmbH Hypervisor-Based, Hardware-Assisted System Monitoring VB2013 October 2-4, 2013 Berlin Carsten Willems, Ralf Hund, Thorsten Holz Ruhr-University Bochum, Horst Görtz Institute for IT-Security VMRay GmbH

Malware Analysis Methods Static analysis Complete results, but time-consuming & complicated Countermeasures: obfuscation, encryption, vmprotect, Dynamic analysis Execute sample to get register & memory values Speeds up analysis, but only one execution path Side-Effect: automatic unpacking, deobfuscation, Countermeasures: anti-debug/emulate/dump/hook/ Behavior analysis Automated dynamic analysis Only monitor interaction between sample system 2

Analysis System Requirements Need to cope with sophisticated malware today Kernel rootkits, targeted attacks, APT, Need better behavior analysis systems, which provide: Transparency Isolation Soundness Monitoring Granularity Performance OS independence 3

Transparency Are emulators the solution? Big performance overhead CISC architecture hard/impossible to emulate Easy to detect Even worse: emulators can be fooled instruction sequence with different semantics in emulator native machine Code inherently acts benign in emulator and malicious on native machine No compare or conditional jump! Run analysis on native hardware 4

Design Virtualization-Based Behavior Analysis 5

Monitoring Module Transitions malware.exe call, ret, jmp, jcc, Code on heap usermode sysenter, sysexit, int, ntdll.dll kernel32.dll malware.drv ntoskrnl.exe APC, DPC, IRP, win32k.sys kernelmode 6

vmenter vmexit & vmenter Most time guest VM runs independent from hypervisor Guest VM Certain events cause vmexit Direct hardware access, external Interrupts, critical faults, certain privileged instructions, vmexit Virtual Machine Monitor Hypervisor After handling the situation Hypervisor calls vmenter Guest VM remains execution Hypervisor becomes inactive until next vmexit 7

Instrumenting the Hypervisor Hypervisor not designed for program analysis how to instrument to control & monitor guest VM? how to enforce vmexit on interesting operations? Possible methods Single Stepping very slow Binary Instrumentation detectable PTE Instrumentation detectable Invalid configuration detectable e.g. invalid syscall/interrupt/context Two Dimensional Paging (TDP) 8

Technical Background Two-Dimensional Paging 9

Guest / Host Memory Isolation VMMs need to ensure memory isolation/containment Protect host memory from guest Protect guest memory from other guests In the past: Shadow Page Tables (SPT) Intercept guest accesses to page tables & CR3 Slow, but transparent to guest Today: Two Dimensional Paging (TDP) Intel: Extended Page Tables (EPT) AMD: Nested Page Tables (NPT) 10

Two Dimensional Paging (TDP) Control Execution from the Outside 63 X D 62 M module 1 module 2 Guest Virtual Memory Guest VM 0 Page Table Base Address Avail G P S Execute Disable M-1 12 11 9 8 7 6 5 4 3 2 1 0 Available for system programmer s use Global page (ignored) Page size (0 indicates 4 KB page) Reserved (set to 0) Accessed Cache Disabled Write-through User/Supervisor Read/Write Present Address Translation Guest Page Tables 0 A P C D module 1 module 2 module 1 Guest Physical Memory P W T U / S R / W P TDP Address Translation TDP Page Tables module 2 module 2 module 1 module 1 Host Physical Memory TDP adds one additional address translation layer: Guest Physical Memory Host Physical Memory 11

TDP to Monitor Module Transitions Modify TDP paging structures Memory of current module = Remaining memory = non-executable executable To intercept transitions between modules Function/system calls and returns Obtain function name and parameters x x other module 1 current module other module 2 x Completely transparent to guest VM Only datastructures of hypervisor are touched Nothing inside the guest is changed kernel module Virtual Memory 12

Prototype Description 13

CXPInspector CXPInspector (academic prototype) Host: Based on KVM Guest: Windows 7, 64-Bit version Also support 32-bit processes Minimum effort to use Windows 8 Performance overhead 1.5x - 5x Depends on configuration Improvable by new VT instructions Main characteristics Hardware VT + TDP extension Monitoring module transitions EPTP Guest CR3 PML4 PDP PDE PTE TDP Page Tables PML4E PDPE PDEE PTEE Host Physical Address (HPA) Guest Virtual Address (GVA) 14

vmenter Operation Overview malware.exe kernel32.dll ntdll.dll ntoskrnl.exe Guest Virtual Memory eip X vmexit Guest VM Virtual Machine Monitor Hypervisor TDP Page Tables on vmexit: execution starts in malware.exe no interception as long as eip stays in current module TDP is configured to vmexit mark when guest other memory module X/NX is called NX for old module check what function is called use prototype information to get function parameters from stack change guest X/NX settings X for new module perform vmenter continues operation in new module until next module transition 15

Feature Summary Monitor usermode & kernelmode code Principle is the identical Monitor 32 & 64-bit processes Monitor operating system Kernel / Driver routines Monitor function / API / system calls All Windows API functions detected 16

Evaluation TDSS/TDL4 64bit kernel rootkit for Windows 7 Modifies MBR to be loaded before OS Disables Patchguard Disables kernel debugger (by replacing kdcom.dll) Maintains its own encrypted filesystem Installs hooks on the kernel to hide and protect MBR and hidden filesystem inject code into new processes / loaded images 17

Code Injection from=fffff800026216e9 to=fffff800027d51d2 ntoskrnl.exe:etwtracecontextswap+92 from=fffff800026da15f to=fffffa8002949edc???:+edc generate filename from=fffffa8002949f36 to=fffff800026c5920 ntoskrnl.exe:zwopenprocess+0 from=fffff800026cc301 to=fffffa8002949f3c???:+f3c of hidden ZwOpenProcess( kernel function from=fffffa800294c6fa to=fffff800026da300 ntoskrnl.exe:rtlinitunicodestring+0 hooked kernel ProcessHandle=0xfffff88002fabcb0, configuration filedesiredaccess=0x1fffff, from=fffff800026da352 to=fffffa800294c700???:+700 called rootkit on code RtlInitUnicodeString( ObjectAttributes=0xfffff88002fabc70, ClientId=0xfffff88002fabc60 ) calls into to=fffff800026c5f00 ntoskrnl.exe:zwcreatefile+0 from=fffffa800294c75e DestinationString=0xfffff88002fab900, process calls creation several to=fffffa800294c420???:+420 SourceString="\\device\\ from=fffffa800294962e rootkit code ZwCreateFile( 00000abb\\{752492e1-ed26-91d2-750b-04be2c7925eb" from=fffffa800294c481 to=fffff8000271a740 ntoskrnl.exe:_snprintf+0) kernel functions FileHandle=0xfffff88002fabc58, DesiredAccess=0x100003, Object from=fffff8000271a7e4???:+487 _snprintf(to=fffffa800294c487 get process Attributes=0xfffff88002fab928, IoStatusBlock=0xfffff88002fab8f0, from=fffffa800294c491 to=fffff8000271b1e0 ntoskrnl.exe:strrchr+0 str=0xfffff88002fab050, size=0x00000103 (259), format="%.*s" ) AllocationSize=0x0, FileAttributes=0x00000000 (0), ShareAccess= from=fffff8000271b205 to=fffffa800294c497???:+497 object of new generate object _snprintf returns 0x0000002d ntoskrnl.exe:keentercriticalregion+0 (45) ( from=fffffa800294c4ef to=fffff800026d8c70 0x00000001 (1), CreateDisposition=0x00000003 (3), CreateOptions= created process name of hidden str="{752492e1-ed26-91d2-750b-04be2c7925eb}\\phdata" ) ) from=fffff800026d8c80 to=fffffa800294c4f5???:+4f5 0x00000022 (34), EaBuffer=0x0, EaLength=0x00000000 (0) from=fffffa800294c4fc to=fffff800026e2aa0 ntoskrnl.exe:exacquirefastmutexunsafe+0 filesystem device from=fffff800026e2acb to=fffffa800294c502???:+502 from=fffffa8002949158 to=fffff800026e40e0 ntoskrnl.exe:ioallocateirp+0 get object from=fffff800026dc115 to=fffffa800294915e???:+15e from=fffffa800294917a to=fffff800026dcb70 ntoskrnl.exe:ioallocatemdl+0 of hidden from=fffff800026dcc9d to=fffffa8002949180???:+180 filesystem device from=fffffa8002949191 to=fffff800026ecd30 ntoskrnl.exe:mmprobeandlockpages+0 from=fffff800026ed388 to=fffffa8002949197???:+197 from=fffffa80029491a0 to=fffff800026d8be0 ntoskrnl.exe:keinitializeevent+0 from=fffff800026d8bfc to=fffffa80029491a6???:+1a6 18

Discussion Summary Virtualization-based malware analysis Monitor module transitions Utilize Two-Dimensional Paging Can analyze user- and kernelmode code No changes to analysis system Future Commercial product VMRay Currently rewriting prototype Available mid 2014 19

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information