Code Injection From the Hypervisor: Removing the need for in-guest agents. Matt Conover & Tzi-cker Chiueh Core Research Group, Symantec Research Labs

Similar documents
CPS221 Lecture: Operating System Structure; Virtual Machines

COS 318: Operating Systems. Virtual Machine Monitors

Symantec Endpoint Protection 11.0 Securing Virtual Environments Best Practices White Paper. Updated 7/20/2010

Attacking Hypervisors via Firmware and Hardware

Virtualization. Michael Tsai 2015/06/08

Virtualization. Types of Interfaces

Virtual Machine Security

Uses for Virtual Machines. Virtual Machines. There are several uses for virtual machines:

Hyper-V recovery. User Guide

Virtualization. Pradipta De

Virtualization and Windows 7

Virtualization. Explain how today s virtualization movement is actually a reinvention

Virtual machines and operating systems

Basics of Virtualisation

The Xen of Virtualization

Objectives. Chapter 2: Operating-System Structures. Operating System Services (Cont.) Operating System Services. Operating System Services (Cont.

IaaS Cloud Architectures: Virtualized Data Centers to Federated Cloud Infrastructures

FRONT FLYLEAF PAGE. This page has been intentionally left blank

A Hypervisor IPS based on Hardware assisted Virtualization Technology

VERITAS Backup Exec TM 10.0 for Windows Servers

Understand Troubleshooting Methodology

Chapter 5 Cloud Resource Virtualization

Virtual Machines. COMP 3361: Operating Systems I Winter

Example of Standard API

A+ Guide to Software: Managing, Maintaining, and Troubleshooting, 5e. Chapter 3 Installing Windows

Cedric Rajendran VMware, Inc. Security Hardening vsphere 5.5

How do Users and Processes interact with the Operating System? Services for Processes. OS Structure with Services. Services for the OS Itself

Comparing Virtualization Technologies

Virtualization with Windows

Virtualization. Jukka K. Nurminen

Attacking Hypervisors via Firmware and Hardware

Abstract. 1. Introduction. 2. Threat Model

VMware vsphere 5.0 Boot Camp

McAfee Deep Safe. Security beyond the OS. Kai-Ping Seidenschnur Senior Security Engineer. October 16, 2012

Run-Time Deep Virtual Machine Introspection & Its Applications

VERITAS Backup Exec 9.1 for Windows Servers Quick Installation Guide

2009 AAMGA Automation Conference

Full and Para Virtualization

Instant Recovery for VMware

Understanding Operating System Configurations

VMware Security Briefing. Rob Randell, CISSP Senior Security Specialist SE

Dell AppAssure Universal Recovery

Chapter 2 Addendum (More on Virtualization)

Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor?

McAfee MOVE / VMware Collaboration Best Practices

Basics in Energy Information (& Communication) Systems Virtualization / Virtual Machines

Hypervisors. Introduction. Introduction. Introduction. Introduction. Introduction. Credits:

The Do s and Don ts of Server Virtualization Back to basics tips for Australian IT professionals

The BackTrack Successor

II. Installing Debian Linux:

Hypervisor-Based, Hardware-Assisted System Monitoring

Check Point and Security Best Practices. December 2013 Presented by David Rawle

Windows Operating Systems. Basic Security

Introduction to Virtual Machines

Khóa học dành cho các kỹ sư hệ thống, quản trị hệ thống, kỹ sư vận hành cho các hệ thống ảo hóa ESXi, ESX và vcenter Server

What is virtualization

Virtualization Technologies

Regional SEE-GRID-SCI Training for Site Administrators Institute of Physics Belgrade March 5-6, 2009

EXPLORING LINUX KERNEL: THE EASY WAY!

Virtual Machine Monitors. Dr. Marc E. Fiuczynski Research Scholar Princeton University

VMware Server 2.0 Essentials. Virtualization Deployment and Management

Hypervisor Software and Virtual Machines. Professor Howard Burpee SMCC Computer Technology Dept.

Core Protection for Virtual Machines 1

APPLICATION VIRTUALIZATION TECHNOLOGIES WHITEPAPER

EMC Backup Solutions for Virtualized Environments

Symantec Backup Exec TM 11d for Windows Servers. Quick Installation Guide

Chapter 3: Operating-System Structures. Common System Components

Paragon Protect & Restore

ReactOS is (not) Windows. Windows internals and why ReactOS couldn t just use a Linux kernel

9/26/2011. What is Virtualization? What are the different types of virtualization.

VMware vsphere 5.1 Advanced Administration

Symantec Virtual Machine Management 7.1 User Guide

VMware and CPU Virtualization Technology. Jack Lo Sr. Director, R&D

VMware vcenter Update Manager Performance and Best Practices VMware vcenter Update Manager 4.0

Outline SSS Microsoft Windows Server 2008 Hyper-V Virtualization

JOB ORIENTED VMWARE TRAINING INSTITUTE IN CHENNAI

Virtualization for Cloud Computing

PassTest. Bessere Qualität, bessere Dienstleistungen!

Installing and Upgrading to Windows XP

Microkernels, virtualization, exokernels. Tutorial 1 CSC469

Full System Emulation:

Team Foundation Server 2013 Installation Guide

Virtualization Technologies (ENCS 691K Chapter 3)

Using a Patched Vulnerability to Bypass Windows 8 x64 Driver Signature Enforcement. MJ0011 th_decoder@126.com

Endpoint protection for physical and virtual desktops

Process Description and Control william stallings, maurizio pizzonia - sistemi operativi

KVM: A Hypervisor for All Seasons. Avi Kivity avi@qumranet.com

VMware Certified Professional 5 Data Center Virtualization (VCP5-DCV) Exam

Planning and Managing Windows 7 Desktop Deployments and Environments

Team Foundation Server 2010, Visual Studio Ultimate 2010, Team Build 2010, & Lab Management Beta 2 Installation Guide

Operating System Overview. Otto J. Anshus

Networking for Caribbean Development

C. Implementing, Managing and Troubleshooting Hardware Devices and Drivers

Report on virtualisation technology as used at the EPO for Online Filing software testing

Melde- und Analysestelle Informationssicherung MELANI Torpig/Mebroot Reverse Code Engineering (RCE)

Oracle Database Solutions on VMware High Availability. Business Continuance of SAP Solutions on Vmware vsphere

Transcription:

Code Injection From the Hypervisor: Removing the need for in-guest agents Matt Conover & Tzi-cker Chiueh Core Research Group, Symantec Research Labs

SADE: SteAlthy Deployment and Execution Introduction A typical enterprise environment, what s wrong with it, and how SADE improves it Implementation How SADE is using VMsafe Performance In-guest agents versus SADE injected agents 2

SADE: SteAlthy Deployment and Execution This project is focused on enterprise environments. Let me start with a higher-level vision A simplified enterprise environment (pre-sade): Workstation: one desktop computer per employee Agents: software components (anti-virus, update programs, etc.) installed on each workstation Domain: all enterprise workstations are part of a domain (e.g., Active Directory) Domain server: controls authentication, policies, and software updates of workstations Domain administrator: maintains all of the workstations 3

SADE: Introduction What s wrong with this model? 1.Administrative headache 2.Wasted resources (disk space, electricity, CPU time, etc.) 3.Security risk 4

SADE: Introduction Administrative headache Domain administrator needs to keep all machines updated Need to install separate agents for everything (an anti-virus agent, a software update agent, etc.) Less-than-seamless: if the user gets infected with a virus, it may disable the anti-virus. Then what? Administrator needs to manually clean the machine 5

SADE: Introduction Wasted resources Why does each desktop need an update program when the enterprise desktops are all fairly homogenous? Antivirus scans all files at least once per workstation, although each workstation mostly has the same files. The agent of each workstation is working in isolation. Having the same software installed on each machine wastes disk space Performing the same scans on each machine wastes electricity and CPU resources 6

SADE: Introduction Security risk The classic problem of security software and threats operating at the same privilege level If the security agent lives on the workstation, it can be disabled by undetected malware. There is no way to real way to remediate this except to boot from a rescue CD 7

SADE: Project Goal Eliminate the need for agents running on the user s machine Instead of having agents everywhere, do all of these steps from a central location Make targeted deployments when necessary How? Use virtual machines instead of workstations Do software updates from the hypervisor Do security checks from the hypervisor Do file scans from the hypervisor 8

SADE: Project Goal Benefits Simplifies the whole design Don t need to maintain agents in each workstation Scanning files can be done once globally from the hypervisor rather than once per machine 9

SADE: Project Goal You might know that VMWare already has a tool to load an executable file inside the guest virtual machine Why not just use VMware tools to load an executable? This is not meant to be used in a hostile environment. It will mount the program as an ISO (use the CDROM) and run a usermode executable from the CD This is very easy for a malware to detect and prevent (i.e., kernelmode rootkit hooking NtCreateProcess). Our approach never touches the disk of the guest. The code runs directly from kernel-mode and doesn t require the OS driver loader. This is a much better approach for a hostile environment 10

SADE: Project Goal Benefits Malware on the workstation can t disable the agents, because they aren t even there. They can pop in, at anytime, unexpectedly 11

SADE: Project Goal A simplified enterprise environment (post-sade): Workstation: each desktop computer replaced by a virtual machine Domain: all virtual machines run under a hypervisor Agents: stored in a central repository of the domain and deployed to the workstation only when necessary Team Symantec! 12

SADE in a Nutshell The agent only exists in the guest while it is executing Once the agent finishes executing, it is removed from the guest and the memory is wiped clean. Can be completed in less than second The window for malware to detect or disable our agent is very small 13

SADE in a Nutshell SADE can inject an agent into the guest virtual machine without the help of the OS. SADE will load the driver itself, it does not rely on the native OS driver loader Development is easy The agent is a standard Windows kernel driver compiled using standard tools (Windows DDK, written in C) The agent can use all the standard kernel APIs like DbgPrint 14

Our Prototype In our implementation we used VMware s ESX server as our hypervisor and VMsafe APIs to interface with the hypervisor VMsafe gives us a way to detect when a memory page is about to be read, written, or executed. Our prototype: Implemented an anti-virus scanner on the hypervisor which then injects a remediation driver into the guest virtual machine to remove a virus once detected. 15

Our Prototype Our prototype protecting two virtual machines (User VM 1&2) 16

Scenario Here s the scenario I ll be describing during the rest of the talk.. Using anti-virus definitions running on security VM to scan the user VMs for malware. Use memory scanning rather than file scans A virus (W32.Gammima) is run in the user VM and detected. We want to remediate this virus by terminating the process We ll inject code into the guest to do this. To be absolutely safe, we ll do the remediation in kernel-mode (protect against kernel rootkits) 17

Step 1: Detect the Threat Uses page execution trigger on all memory pages to detect when a page is about to be executed Scans the memory page If the page is clean, remove the execution trigger from that page and replace it with a write trigger No future attempts to execute that page will trigger the page execution trigger If the page is modified, the page write trigger will be executed and we ll again scan the page. 18

Step 2: Prepare the Agent Read the agent driver into memory from disk This a Windows Portable Executable (PE) format driver The imports of the agent need to be resolved. Read the import table of the agent. For each API used (such as DbgPrint), we need to find the runtime address of the API in the guest. Locate the export tables of the guest kernel (NTOSLRKNL and HAL). 19

Step 3: Find Memory for the Agent We need to inject the agent into the guest virtual machine Where should we put the agent? None of the memory inside the guest virtual machine belongs to us Use a trick: put a page execution trigger on ExAllocatePool The equivalent of kmalloc on Windows When EIP register (the instruction pointer) is at the RET instruction, look at the functions return value (in the EAX register) This points to memory just allocated, but not yet used Temporarily hijack this memory, inject bootstrap code to allocate permanent memory. After bootstrap code finishes, restore control to ExAllocatePool 20

Step 3: Find Memory for the Agent #1: Detect when ExAllocatePool API is about to return Security VM Guest VM ExAllocatePool SADE Just allocated memory Some kernel driver 21

Step 3: Find Memory for the Agent #2 Insert our bootstrap (allocation) code into the hijacked memory Security VM Guest VM ExAllocatePool SADE Hijack Memory (temporarily) 22

Step 3: Find Memory for the Agent #3 Allocate agent s permanent memory using bootstrap Security VM Guest VM ExAllocatePool SADE Bootstrap Code Agent s Permanent Memory (not used yet) 23

Step 4: Invoke the Agent At the time the malware is detected, there are two possible execution states: If the malware was running in ring 0 (a kernel mode rootkit), we can just directly change EIP to point to the where the injected agent driver is located. If the malware is running at ring 3 (which is usually the case), this won t work. User-mode code obviously cannot access kernel-mode APIs or memory. In this case, we need to use a trick to force an immediate transition to ring 0 We force a fault (CPU exception) to force this transition 24

Step 4: Invoke the Agent Insert an invalid opcode at EIP (points into the malware page). Place an execution trigger on the invalid opcode fault handler. When the guest VM resumes execution, instead of executing the malware, it will immediately produce an invalid opcode fault. Now the guest is running at ring 0, change EIP to point to the agent s code 25

Step 4: Invoke the Agent Overwrite the malware code with an invalid opcode Security VM Guest VM Invalid Opcode Fault Handler SADE Malware (replaced with invalid opcode) Agent s Permanent Memory 26

Step 4: Invoke the Agent Guest VM causes an invalid opcode fault Security VM Guest VM Invalid Opcode Fault Handler SADE Invalid opcode (causes fault) Agent s Permanent Memory 27

Step 4: Invoke the Agent Execution event on invalid opcode handler triggered Security VM Guest VM Invalid Opcode Fault Handler SADE Invalid opcode Agent s Permanent Memory 28

Step 4: Invoke the Agent Inject agent code into the allocated memory Security VM Guest VM SADE Injected Agent Driver 29

Step 4: Invoke the Agent Invalid opcode fault handler is hijacked to execute agent Security VM Guest VM Invalid Opcode Fault Handler SADE Injected Agent Driver 30

Step 5: Return from the Agent Hypervisor detects when agent is finished Security VM Guest VM SADE Injected Agent Driver 31

Step 5: Return from the Agent Machine is back to the original state (no agent present) Security VM Guest VM SADE Agent code removed again 32

Demo Run W32.Gammima virus Detected by SADE Inject remediation driver Remediation driver calls NtTerminateProcess(NtCurrentProcess()) 33

Performance Startup (1 time cost) 17 ms: Discover NTOSKRNL and parse export table 1 ms: Install bootstrap code (calls ExAllocatePool) 1.1 ms: Execute bootstrap code 2 ms: Relocate and load agent driver Inject and execute agent driver (for each malware event) 4.7 ms: Trigger and handle invalid opcode exception 0.1 ms: Ring3-to-ring0 transition 1 ms: In-guest function execution Restore original state (for each malware event) 1.9 ms: Restore original program context 0.1 ms: Ring0-to-ring3 transition Total time (for each malware event): 7.8 milliseconds Disclaimer: These numbers are specific to our prototype s implementation. This is not a VMware benchmark. 34

Closing Remarks The prototype is finished, stable, and works like a charm! This prototype: Can be used to inject a legacy driver into the guest. It can handle a hostile guest virtual machine. It doesn t eliminate the possibility of the agent being detected/disabled, but it makes the window very small Significantly raises the bar for malware running in a virtualized environment to detect or disable security agents This prototype demonstrates one of the security benefits of virtualization over legacy hardware 35

Questions? Thanks! matthew_conover @ symantec.com 36

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information