Malware Detection by Signature Matching in a Hypervisor



Similar documents
How To Stop A Malicious Process From Running On A Hypervisor

A Hypervisor-Based Bus System for Usage Control

Evasion Resistant Intrusion Detection Framework at Hypervisor Layer in Cloud

Secure Out-of-band Remote Management Using Encrypted Virtual Serial Consoles in IaaS Clouds

Survey on virtual machine security

Varshapriya J N Asst. Professor, Dept. of Computer Engineering and IT Veermata Jijabai Technological Institute Mumbai, India

Virtualisation Without a Hypervisor in Cloud Infrastructures: An Initial Analysis

Design and Implementation of Techniques for Secure Virtualization in Cloud Environment

Tamper-Resistant, Application-Aware Blocking of Malicious Network Connections

Lecture and Presentation Topics (tentative) CS 7301: Recent Advances in Cloud Computing

SecureSwitch: BIOS-Assisted Isolation and Switch between Trusted and Untrusted Commodity OSes!

Securely Isolating Malicious OS Kernel Modules Using Hardware Virtualization Support

LSM-based Secure System Monitoring Using Kernel Protection Schemes

Emerging Security Challenges of Cloud Virtual Infrastructure

DACSA: A Decoupled Architecture for Cloud Security Analysis

A Study on Detection of Hacking and Malware Codes in Bare Metal Hypervisor for Virtualized Internal Environment of Cloud Service

Hypervisor-based Background Encryption

A Threat Model for a Cloud Infrastructure with no Hypervisor

IOS110. Virtualization 5/27/2014 1

BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation

Implementation of a Purely Hardware-assisted VMM for x86 Architecture

OSes. Arvind Seshadri Mark Luk Ning Qu Adrian Perrig SOSP2007. CyLab of CMU. SecVisor: A Tiny Hypervisor to Provide

Survey On Hypervisors

Leveraging Thin Hypervisors for Security on Embedded Systems

Performance Measuring and Comparison of VirtualBox and VMware

Advanced Computer Networks. Network I/O Virtualization

Procedia Computer Science

Virtual Computing and VMWare. Module 4

Virtualization for Cloud Computing

Virtualization of Wireless LAN Infrastructures

Enabling Technologies for Distributed and Cloud Computing

Enabling Technologies for Distributed Computing

A Survey on Virtual Machine Security

CMPS223 Final Project Virtual Machine Introspection Techniques

Virtual Machines. COMP 3361: Operating Systems I Winter

Guardian: Hypervisor as Security Foothold for Personal Computers

Monitoring VirtualBox Performance

CPET 581 Cloud Computing: Technologies and Enterprise IT Strategies. Virtualization of Clusters and Data Centers

4-2 A Load Balancing System for Mitigating DDoS Attacks Using Live Migration of Virtual Machines

Basics in Energy Information (& Communication) Systems Virtualization / Virtual Machines

Full and Para Virtualization

A Hypervisor IPS based on Hardware assisted Virtualization Technology

Multi-core Programming System Overview

PERFORMANCE ANALYSIS OF KERNEL-BASED VIRTUAL MACHINE

Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor?

Virtual Machines and Security Paola Stone Martinez East Carolina University November, 2013.

Virtualization. Pradipta De

Outline. Introduction. State-of-the-art Forensic Methods. Hardware-based Workload Forensics. Experimental Results. Summary. OS level Hypervisor level

Virtual Machine Monitors. Dr. Marc E. Fiuczynski Research Scholar Princeton University

Lecture 2 Cloud Computing & Virtualization. Cloud Application Development (SE808, School of Software, Sun Yat-Sen University) Yabo (Arber) Xu

SLA Driven Load Balancing For Web Applications in Cloud Computing Environment

VON/K: A Fast Virtual Overlay Network Embedded in KVM Hypervisor for High Performance Computing

COS 318: Operating Systems. Virtual Machine Monitors

Lares: An Architecture for Secure Active Monitoring Using Virtualization

Uses for Virtual Machines. Virtual Machines. There are several uses for virtual machines:

Cloud Computing through Virtualization and HPC technologies

Virtualization. Types of Interfaces

Red Hat enterprise virtualization 3.0 feature comparison

Toward a practical HPC Cloud : Performance tuning of a virtualized HPC cluster

Comparison of Memory Balloon Controllers

Virtualization. Jukka K. Nurminen

Distributed Systems. Virtualization. Paul Krzyzanowski

Workstation Virtualization Software Review. Matthew Smith. Office of Science, Faculty and Student Team (FaST) Big Bend Community College

Dynamic Load Balancing of Virtual Machines using QEMU-KVM

MODULE 3 VIRTUALIZED DATA CENTER COMPUTE

Abstract. 1. Introduction. 2. Threat Model

Resource usage monitoring for KVM based virtual machines

Data Centers and Cloud Computing

Intro to Virtualization

SVAC Firewall Restriction with Security in Cloud over Virtual Environment

Cisco Prime Home 5.0 Minimum System Requirements (Standalone and High Availability)

Secure In-VM Monitoring Using Hardware Virtualization

Virtual machines and operating systems

x86 ISA Modifications to support Virtual Machines

VMDriver: A Driver-based Monitoring Mechanism for Virtualization

Dynamic resource management for energy saving in the cloud computing environment

Virtualization with Windows

Transcription:

Computer Security Symposium 2012 30 October 1 November 2012 182-8585 1-5-1 oyama@inf.uec.ac.jp kawasaki@ol.inf.uec.ac.jp BVMD MWS 2012 BVMD BitVisor BVMD OS Malware Detection by Signature Matching in a Hypervisor Yoshihiro Oyama Yudai Kawasaki The University of Electro-Communications 1-5-1 Chofugaoka, Chofu-shi, Tokyo 182-8585, JAPAN oyama@inf.uec.ac.jp kawasaki@ol.inf.uec.ac.jp Abstract We report the result of experiments in which we detected malware in the MWS 2012 malware dataset by using BVMD, a hypervisor that provides a malware detection mechanism. BVMD is implemented by extending a parapass-through hypervisor BitVisor. BVMD applies signature matching against data blocks that are transmitted between the guest OS and devices such as hard disks. 1 OS OS PC OS Conficker [8] OS BVMD [6] BVMD VMM OS - 122 -

guest OS device driver control I/O hypervisor data I/O parapass-through driver monitoring/ verification enforcing security hardware 1: BitVisor BVMD OS OS OS BVMD BitVisor [10] BitVisor BVMD OS 1 BVMD PC BVMD BVMD BVMD OS OS OS BVMD OS OS BitVisor BVMD OS 2012 (MWS2012) [5] BVMD BVMD OS BVMD 2 BitVisor BVMD 3 4 5 2 2.1 BitVisor BVMD BitVisor BitVisor VMM OS VMM BitVisor Trusted Computing Base (TCB) BitVisor 1 hypervisor BitVisor BitVisor I/O I/O I/O OS - 123 -

parapass-through driver data I/O signatures 52fd5f403040 003c3140... 5c7836665c78 35315c... 65f85b5ec9c3 655589e5...... automaton generation module signature automaton matching module 2: I/O BitVisor parapass-through driver OS I/O I/O I/O I/O I/O I/O I/O BitVisor I/O I/O BitVisor VPN 2.2 BVMD BVMD OS BVMD BitVisor I/O 2 automaton generation module matching module Aho-Corasick [1] BVMD ClamAV [2] BVMD VMM BitVisor BVMD VMM BVMD [14] BVMD OS BVMD I/O I/O BVMD OS OS OS [6] OS Windows - 124 -

main.hdb: d0e0c049ed7056eac8bb396429795010:162516:worm.kido-160 main.mdb: 12288:b0df5fa4a5e588c6e8643326536ca29c:Trojan.Agent-71044 main.db: Worm.Blaster.A (Clam)=2077616e04edffffff746f20736179204c4f564520594f55... main.ndb: Trojan.Dropper-18535:1:EP+0:807c2408010f85c201000060be005000108dbe00c0ffff57 3: ClamAV Linux VMM BVMD BVMD 1. 2. OS 3. 1 2 OS VRAM VMM [13] OS 3 OS OS OS OS 3 2.3 ClamAV ClamAV.hdb.mdb.db.ndb ClamAV 3 main.hdb main.mdb PE main.db main.ndb BVMD ClamAV.db.ndb - 125 -

disk blocks malware signature combined blocks 4: BVMD BVMD.ndb BVMD 2.4 false positive false negative BVMD 1 4 1 2 BVMD OS BVMD OS BVMD Linux ext3 Windows NTFS 3 BVMD MWS 2012-126 -

1: computer Dell Optiplex 990 CPU chipset memory hard disk Intel Core i7-2600 3.8 GHz Intel Q67 Express 16 GB Seagate ST3320413AS VMM BitVisor 1.2 guest OS Ubuntu 12.04, Linux 3.2.0-29-generic-pae 1 10538 BVMD OS ClamAV ClamAV 0.97.5 ClamAV 2012 8 16 10527 11 10527 1 425 425 ClamAV 202 223 218 5 5 Trojan.Crypt-106, Trojan.Downloader-59911, Trojan.Dropper- 18535, Trojan.Dropper-20380, Worm.Autorun- 1883 5 Trojan.Downloader-59911, Trojan.Dropper-20380, Worm.Autorun-1883 3 UPX ClamAV UPX ClamAV 2 ClamAV 10538 ClamAV 114 Trojan. Crypt-106 1 Trojan.Dropper-18535 113 BVMD BVMD OS BVMD 114 4 VMwatcher [4] VM OS OS VMwatcher OS BVMD VMM BVMD OS OS OS OS VMM VMwatcher Zhang [12] Trend Micro Deep Security [11] Livewire [3] Lares [7] BitVisor BVMD TCB SecVisor [9] BitVisor BVMD VMM SecVisor OS integrity - 127 -

OS 5 BitVisor BVMD MWS 2012 1 2 JSPS 23700032 [1] Alfred V. Aho and Margaret J. Corasick. Efficient String Matching: An Aid to Bibliographic Search. Communications of the ACM, 18(6):333 340, 1975. [2] Clam AntiVirus. http://www.clamav. net/. [3] Tal Garfinkel and Mendel Rosenblum. A Virtual Machine Introspection Based Architecture for Intrusion Detection. In Proceedings of the 10th Annual Network and Distributed System Security Symposium, 2003. [4] Xuxian Jiang, Xinyuan Wang, and Dongyan Xu. Stealthy Malware Detection and Monitoring through VMM- Based Out-of-the-Box Semantic View Reconstruction. ACM Transactions on Information and System Security, 13(2), 2010. [5] MWS2012. MWS 2012 Datasets. http://www.iwsec.org/mws/2012/ about.html#datasets. [6] Yoshihiro Oyama, Tran Truong Duc Giang, Yosuke Chubachi, Takahiro Shinagawa, and Kazuhiko Kato. Detecting Malware Signatures in a Thin Hypervisor. In Proceedings of the 27th ACM Symposium on Applied Computing, pages 1807 1814, 2012. [7] Bryan D. Payne, Martim Carbone, Monirul Sharif, and Wenke Lee. Lares: An Architecture for Secure Active Monitoring Using Virtualization. In Proceedings of the 2008 IEEE Symposium on Security and Privacy, pages 233 247, 2008. [8] Phillip Porras, Hassen Saidi, and Vinod Yegneswaran. An Analysis of Conficker Logic and Rendezvous Points. Technical report, SRI International, 2009. http: //mtc.sri.com/conficker/. [9] Arvind Seshadri, Mark Luk, Ning Qu, and Adrian Perrig. SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes. In Proceedings of the 21st ACM Symposium on Operating Systems Principles, pages 335 350, 2007. [10] Takahiro Shinagawa, Hideki Eiraku, Kouichi Tanimoto, Kazumasa Omote, Shoichi Hasegawa, Takashi Horie, Manabu Hirano, Kenichi Kourai, Yoshihiro Oyama, Eiji Kawai, Kenji Kono, Shigeru Chiba, Yasushi Shinjo, and Kazuhiko Kato. BitVisor: A Thin Hypervisor for Enforcing I/O Device Security. In Proceedings of the 2009 ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (VEE 2009), pages 121 130, 2009. - 128 -

[11] Trend Micro. Deep Security. http:// emea.trendmicro.com/emea/products/ enterprise/deep-security/. [12] Youhui Zhang, Yu Gu, Hongyi Wang, and Dongsheng Wang. Virtual-Machinebased Intrusion Detection on File-aware Block Level Storage. In Proceedings of the 18th International Symposium on Computer Architecture and High Performance Computing (SBAC-PAD 06), pages 185 192, 2006. [13],. ADvisor: OS. OS, volume 2011-OS-118, 2011. [14],. VMM. OS, volume 2012-OS-122, 2012. - 129 -