UFO: Operating System Fingerprinting for Virtual Machines

Similar documents
Operating System Fingerprinting for Virtual Machines

Outline. Outline. Why virtualization? Why not virtualize? Today s data center. Cloud computing. Virtual resource pool

Virtual Machine Security

Full and Para Virtualization

Detecting the Presence of Virtual Machines Using the Local Data Table

KVM: A Hypervisor for All Seasons. Avi Kivity avi@qumranet.com

Comparing Free Virtualization Products

matasano Hardware Virtualization Rootkits Dino A. Dai Zovi

CHAPTER 6 TASK MANAGEMENT

Virtualization. Pradipta De

CS5460: Operating Systems. Lecture: Virtualization 2. Anton Burtsev March, 2013

Virtualization for Cloud Computing

Virtualization. Types of Interfaces

Cloud Computing CS

COS 318: Operating Systems. Virtual Machine Monitors

VMware and CPU Virtualization Technology. Jack Lo Sr. Director, R&D

Chapter 5 Cloud Resource Virtualization

Advanced Operating Systems and Virtualization MS degree in Computer Engineering Sapienza University of Rome Lecturer: Francesco Quaglia

How do Users and Processes interact with the Operating System? Services for Processes. OS Structure with Services. Services for the OS Itself

Uses for Virtual Machines. Virtual Machines. There are several uses for virtual machines:

Virtualization Technologies

Exploiting the x86 Architecture to Derive Virtual Machine State Information

COS 318: Operating Systems

Open Source Virtualization

Full System Emulation:

IOS110. Virtualization 5/27/2014 1

VMware Server 2.0 Essentials. Virtualization Deployment and Management

Virtual machines and operating systems

Intel Virtualization Technology and Extensions

Compromise-as-a-Service

Virtualization System Vulnerability Discovery Framework. Speaker: Qinghao Tang Title:360 Marvel Team Leader

Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor?

Operating System Structures

Date: December 2009 Version: 1.0. How Does Xen Work?

KVM on S390x. Revolutionizing the Mainframe

Virtualization. Explain how today s virtualization movement is actually a reinvention

The Art of Virtualization with Free Software

Practical Applications of Virtualization. Mike Phillips IAP 2008 SIPB IAP Series

W4118: segmentation and paging. Instructor: Junfeng Yang

Virtualization Technology. Zhiming Shen

Virtualization. Jia Rao Assistant Professor in CS

Virtualization: Concepts, Applications, and Performance Modeling

Virtualization Technologies and Blackboard: The Future of Blackboard Software on Multi-Core Technologies

A Hypervisor IPS based on Hardware assisted Virtualization Technology

The Xen of Virtualization

Virtual Machines. Virtual Machine (VM) Examples of Virtual Systems. Types of Virtual Machine

StACC: St Andrews Cloud Computing Co laboratory. A Performance Comparison of Clouds. Amazon EC2 and Ubuntu Enterprise Cloud

Hypervisor-Based, Hardware-Assisted System Monitoring

Anh Quach, Matthew Rajman, Bienvenido Rodriguez, Brian Rodriguez, Michael Roefs, Ahmed Shaikh

Virtualization. Jukka K. Nurminen

Performance tuning Xen

Understanding a Simple Operating System

W4118 Operating Systems. Instructor: Junfeng Yang

Solaris Virtualization and the Xen Hypervisor Frank Hofmann

Subverting the Xen hypervisor

Enabling Technologies for Distributed and Cloud Computing

Module I-7410 Advanced Linux FS-11 Part1: Virtualization with KVM

Architecture of the Kernel-based Virtual Machine (KVM)

VMware Security Briefing. Rob Randell, CISSP Senior Security Specialist SE

Securing Your Cloud with Xen Project s Advanced Security Features

Chapter 14 Virtual Machines

Enabling Technologies for Distributed Computing

Virtualizare sub Linux: avantaje si pericole. Dragos Manac

Virtualization. Clothing the Wolf in Wool. Wednesday, April 17, 13

KVM Security Comparison

Chapter 16: Virtual Machines. Operating System Concepts 9 th Edition

Hardware Assisted Virtualization Intel Virtualization Technology

Virtual Computing and VMWare. Module 4

Clouds, Virtualization and Security or Look Out Below

Distributed System Monitoring and Failure Diagnosis using Cooperative Virtual Backdoors

Table of Contents. Server Virtualization Peer Review cameron : modified, cameron

ProMoX: A Protocol Stack Monitoring Framework

Virtualization Technology

Comparing Virtualization Technologies

Attacking Hypervisors via Firmware and Hardware

kvm: Kernel-based Virtual Machine for Linux

Lesson Objectives. To provide a grand tour of the major operating systems components To provide coverage of basic computer system organization

CPS221 Lecture: Operating System Structure; Virtual Machines

Basics in Energy Information (& Communication) Systems Virtualization / Virtual Machines

Host-based Intrusion Prevention System (HIPS)

Attacking Hypervisors via Firmware and Hardware

Red Hat Linux Internals

Lecture 2 Cloud Computing & Virtualization. Cloud Application Development (SE808, School of Software, Sun Yat-Sen University) Yabo (Arber) Xu

W4118 Operating Systems. Junfeng Yang

Multi-core Programming System Overview

Advanced Computer Networks. Network I/O Virtualization

RPM Brotherhood: KVM VIRTUALIZATION TECHNOLOGY

Hybrid Virtualization The Next Generation of XenLinux

OS Virtualization Frank Hofmann

CS 695 Topics in Virtualization and Cloud Computing. More Introduction + Processor Virtualization

Virtual Machines. COMP 3361: Operating Systems I Winter

COS 318: Operating Systems. Virtual Machine Monitors

IBM Tivoli Composite Application Manager for Microsoft Applications: Microsoft Hyper-V Server Agent Version Fix Pack 2.

Safety measures in Linux

Distributed Systems. Virtualization. Paul Krzyzanowski

Cloud Architecture and Virtualisation. Lecture 4 Virtualisation

Cooperation of Operating Systems with Hyper-V. Bartek Nowierski Software Development Engineer, Hyper-V Microsoft Corporation

The future is in the management tools. Profoss 22/01/2008

Transcription:

UFO: Operating System Fingerprinting for Virtual Machines Syscan Taipei, August 19 th, 2010 NGUYEN Anh Quynh, Kuniyasu SUZAKI AIST, Japan

Who am I? From the National Institute of Advanced Industrial Science and Technology (AIST), Japan NGUYEN Anh Quynh, Postdoc researcher VNSecurity member (http://vnsecurity.net) Multiple interests: Operating System, Virtualization, Trusted computing, malware analysis, forensic, rootkits, IDS,...

Motivation Problems of available Operating System Fingerprinting (OSF) tools against Virtual Machine (VM) A new approach and new tool named UFO to fingerprint OS inside VM, and fix some problems Super fast Accurately identify guest OS, regardless of OS tweaking VM independence

Agenda Problems of available OSF solutions for OS in VM environment UFO solution Live demo Design & Implementation Main features Discussions Conclusions Q & A

5 Part I Problems of available OSF solutions for OS in VM environment UFO solution Live demo Design & Implementation Main features Discussions Conclusions Q & A

6 Traditional OSF problem Indentifying the OS (variant, version, Service Pack, ) without the access to the target Why? Traditionally mean fingerprinting remote target via network To defense To attack An well known problem in computer security field

7 Virtual Machine Concept Running multiple virtual systems on a physical machine at the same time Privilege VM Guest VM Multiple Operating Systems are supported Windows, Linux, BSD, MacOSX,...

8 Xen Virtual Machine Host VM: Dom0 Guest: DomU Paravirtualized guest Full virtualized guest (HVM)

9 OSF problem for VM Indentifying the guest OS (variant, version, Service Pack, ), with legitimate access to the host Why? To defense First step to solve VM instrospection problem A new problem in a very hot field

OSF for VM? 10

11 Network based OSF Traditional approach Craft network packets to send to guest OS, and analyze the returned packets Multiple problems with modern OS es Port filtered/closed by default firewall nmap fails to work ICMP packets are dropped xprobe fails to work Sometimes slower than desired Over 30 seconds for one guest OS, even on the same physical machine Tweaking network stack is trivial

12 VM specific solutions (1) Extract out information from guest's filesystem Feasible on VM Multiple problems, however Understanding guest filesystem is far from trivial Hyper V? Require good understanding on OS & FS Encrypted disk?

13 VM specific solutions (2) Extract out information from memory Feasible on VM VM instrospection problem Multiple problems VM introspection always requires to know OS first, not the other way Signature based on code & data value depends on compiler

14 Part II Problems of debugger in malaware analysis UFO solution Design & Implementation Main features Live demo Discussions Conclusions Q & A

15 UFO solution Look into where nobody looks at that yet! Network? Memory? Filesystem? Anything else?

16 CPU context Characteristic of OS in protected mode Memory segments segment registers CS, DS, SS, ES, GS, FS Global Descriptor Table (GDT): segment information Segment's selector, base & limit Local Descriptor Table (LDT) Interrupt Descriptor Table (IDT) Task register (TR) Features 64 bit, Non Executable, Fast syscall

17 CPU parameters Segment parameters: CS, DS, ES, FS, GS, SS Selector, Base, Limit Distinguish by ring levels: CS0.Sel, CS0.Base, CS0.Limit, CS3.Sel, CS3.Base, CS3.Limit,... Task Register (TR) parameter Selector, Base, Limit (ring 0 only) TR.Selector, TR.Limit Global Descriptor Table (GDT) parameter Base, Limit (ring 0 only) Interrupt Descriptor Table (IDT) parameter Base, Limit (ring 0 only) Feature parameters 64 bit, Fast Syscall, Non Executable (CR4 & MSR_EFER values)

18 CPU params Example (1) GDT.limit Windows: 0x3ff Linux: 0xff CS0.Selector & CS3.Selector DS3.Limit Sun Solaris: 0x158 & 0x168 Haiku: 0x8 & 0x1b OpenBSD: 0xcfbfdfff (for W^X trick) Everybody else: 0xffffffff

19 CPU params Example (2) Features Fast syscall (Sysenter) Windows XP+, Linux 2.6+ *BSD: None Non Executable (NX bit) Windows XP SP2+ Linux 2.6.14+

20 OS signagture for UFO Retrieve CPU params can be done by UFO All hypervisors should provide interface for this Xen, KVM, Qemu, Hyper V VMWare with VMSafe API CPU params of OS represent OS! OS variant, OS version, ServicePack OS signature!

UFO architecture 21

Generate OS signature? 22

23 Generate OS signature (1) Run related OS inside QEMU Query for CPU context at run time Done from outside Preodically inquiry for new CPU context Tight loop Pros: easy to implement Save new CPU context Cons: miss CPU context Automatically generate OS signature from gathered CPU context

24 Generate OS signature (2) Run related OS inside QEMU Instrument QEMU to profile OS to create OS signature Instrument instructions that can change OS context mov, int, iret, sysenter, sysexit, syscall, sysret, jmp far, call far lds, les, lfs, lgs lgdt, lidt, ltr wrmsr, loadall Instrument system events modifying OS context Task switching Interrupt handling Gather all the context value and generate signature automatically

25 Signature on GDT table The only exception on signature relying on memory content List all of non zero selectors of GDT table Optional to avoid being fooled by attacker from inside guest VM gdt: [3ff, 8, 10, 1b, 23, 28, 30, 3b, 43, 50, 58, 60, 68, 70, 78, 80, 88]

26 Invariant OS params To combine similar params into one So the signature is as small as possible Only focus on segment params Segment.Sel, Segment.Base, Segment.Limit Simple invariant patterns Special constant values Base of 0, Limit of 0xFFFFFFFF Base values with more than 5 different values counted as anything Limit has same modulo on 0x10, 0x100, 0x1000, 0x10000, 0x1000000, 0x10000000

27 Sample OS signature Text file of signatures No special tool is needed to edit signatures JSON like format Intuitive and easy to modify

28 Option to modify OS params OS might have options to change its OS params Linux PAX UDEREF Dedicate last part of memory segments to trap NULLdereference exploitation Exec Shield (Ubuntu, RedHat) Turn off NX & Fast syscall feature Support OS option in signature option signature Same syntax as normal OS signature Reduce the number of OS signatures by applying the option signature on top of other OS signatures

Sample OS signature + option 29

30 Fingerprint OS Retrieve CPU context from guest OS Using interface provided by hypervisors Match CPU params against signature database Match against every signature, one by one Fuzzy matching method +1 for one param matching, +0 for unmatched param If options param is specified, match signature with and without options Highest score is the right OS!

Demo

Advantages Fuzzy matching can report best match OS Good in case signature is missing Performance: Lightening fast Accuracy is high No OS tweaking available to modify OS context We cover possible problems with options signature Signature is hypervisor independent

Problems of UFO Attacker might have full control on guest OS from inside to defeat UFO Selectively modify OS context Need to mess with OS kernel Modify OS code (source?) to change OS context A range of OS versions might have OS context unchanged Report as a whole

Detecting future OS Feasible because OS continuosly evolves Thread Environment Block (TIB) is addressed by FS segment in Windows OS Containing information about process Windows XP FS0.Limit = 0x1FFF Windows Vista FS0.Limit = 0x2128 Windows 7 FS0.Limit = 0x3748

Conclusions UFO is a new OSF tool specially designed to fingerprint the OS running inside VM Extremely fast Highly accuracy Resistance against OS tweaking Hypervisor independent Pre release available under LGPL license at http://force.vnsecurity.net/download/aquynh/ufo 0.1.tgz

UFO: Operating System Fingerprinting for Virtual Machine Q & A NGUYEN Anh Quynh <aquynh @ gmail.com>

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information