Hypervisor assisted malware

Similar documents
Full and Para Virtualization

Tracing Kernel Virtual Machines (KVM) and Linux Containers (LXC)

Virtualization. Pradipta De

VMware and CPU Virtualization Technology. Jack Lo Sr. Director, R&D

kvm: Kernel-based Virtual Machine for Linux

Basics of Virtualisation

Electrical Engineering and Computer Science Department

Hardware Based Virtualization Technologies. Elsie Wahlig Platform Software Architect

matasano Hardware Virtualization Rootkits Dino A. Dai Zovi

IOS110. Virtualization 5/27/2014 1

Hypervisors and Virtual Machines

Virtual machines and operating systems

Virtualization. Jia Rao Assistant Professor in CS

Nested Virtualization

Chapter 5 Cloud Resource Virtualization

Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor?

FRONT FLYLEAF PAGE. This page has been intentionally left blank

Virtualization for Cloud Computing

x86 ISA Modifications to support Virtual Machines

CS 695 Topics in Virtualization and Cloud Computing. More Introduction + Processor Virtualization

Virtualization Technology. Zhiming Shen

Virtualization. Jukka K. Nurminen

KVM: A Hypervisor for All Seasons. Avi Kivity avi@qumranet.com

Jukka Ylitalo Tik TKK, April 24, 2006

COS 318: Operating Systems. Virtual Machine Monitors

Security and Privacy in Public Clouds. David Lie Department of Electrical and Computer Engineering University of Toronto

Architecture of the Kernel-based Virtual Machine (KVM)

Virtualization. ! Physical Hardware. ! Software. ! Isolation. ! Software Abstraction. ! Encapsulation. ! Virtualization Layer. !

Kernel Virtual Machine

Virtualization in Linux KVM + QEMU

The Xen of Virtualization

Exploiting the x86 Architecture to Derive Virtual Machine State Information

How To Understand The Power Of A Virtual Machine Monitor (Vm) In A Linux Computer System (Or A Virtualized Computer)

Hyper-V R2: What's New?

VMware Server 2.0 Essentials. Virtualization Deployment and Management

Advanced Computer Networks. Network I/O Virtualization

The MIPS architecture and virtualization

INTRODUCING: KASPERSKY SECURITY FOR VIRTUALIZATION LIGHT AGENT

Virtual Machine Security

Detection of virtual machine monitor corruptions

AES Flow Interception : Key Snooping Method on Virtual Machine. - Exception Handling Attack for AES-NI -

Basics in Energy Information (& Communication) Systems Virtualization / Virtual Machines

CS5460: Operating Systems. Lecture: Virtualization 2. Anton Burtsev March, 2013

Bluepilling the Xen Hypervisor

How To Stop A Malicious Process From Running On A Hypervisor

Intro to Virtualization

Week Overview. Installing Linux Linux on your Desktop Virtualization Basic Linux system administration

HyperV_Mon 3.0. Hyper-V Overhead. Introduction. A Free tool from TMurgent Technologies. Version 3.0

Installing & Using KVM with Virtual Machine Manager COSC 495

Enabling Technologies for Distributed Computing

How To Make A Virtual Machine Aware Of A Network On A Physical Server

Perfmon Collection Setup Instructions for Windows Server 2008+

Virtualization Technology

Hypervisors. Introduction. Introduction. Introduction. Introduction. Introduction. Credits:

Hybrid Virtualization The Next Generation of XenLinux

Intel Ethernet and Configuring Single Root I/O Virtualization (SR-IOV) on Microsoft* Windows* Server 2012 Hyper-V. Technical Brief v1.

Security Challenges in Virtualized Environments

Uses for Virtual Machines. Virtual Machines. There are several uses for virtual machines:

RUNNING vtvax FOR WINDOWS

Bridging the Gap between Software and Hardware Techniques for I/O Virtualization

Virtualization System Vulnerability Discovery Framework. Speaker: Qinghao Tang Title:360 Marvel Team Leader

Clouds, Virtualization and Security or Look Out Below

Taming Hosted Hypervisors with (Mostly) Deprivileged Execution

Maximizing SQL Server Virtualization Performance

Virtualization VMware Inc. All rights reserved

Virtualization: What does it mean for SAS? Karl Fisher and Clarke Thacher, SAS Institute Inc., Cary, NC

Cloud^H^H^H^H^H Virtualization Technology. Andrew Jones May 2011

A Hypervisor IPS based on Hardware assisted Virtualization Technology

HyperV_Mon. Introduction. A Free Tool From TMurgent Technologies

Virtualization and the U2 Databases

Enabling Technologies for Distributed and Cloud Computing

Chapter 14 Virtual Machines

Hypervisor-Based, Hardware-Assisted System Monitoring

Abstract. 1. Introduction. 2. Threat Model

Module I-7410 Advanced Linux FS-11 Part1: Virtualization with KVM

Virtualization Technologies

How To Create A Cloud Based System For Aaas (Networking)

The Microsoft Windows Hypervisor High Level Architecture

Virtualization Technologies. Embrace the new world of healthcare

Cloud Computing CS

Intel Virtualization Technology Overview Yu Ke

NetScaler VPX FAQ. Table of Contents

Intel Virtualization Technology (VT) in Converged Application Platforms

HRG Assessment: Stratus everrun Enterprise

OS Virtualization Frank Hofmann

Malware: Prevenire (e curare) con strumenti open-source

OS Virtualization. CSC 456 Final Presentation Brandon D. Shroyer

End to End Defense against Rootkits in Cloud Environment. Design- Part 2

Code Injection From the Hypervisor: Removing the need for in-guest agents. Matt Conover & Tzi-cker Chiueh Core Research Group, Symantec Research Labs

KVM: Kernel-based Virtualization Driver

Distributed Systems. Virtualization. Paul Krzyzanowski

Virtualization. P. A. Wilsey. The text highlighted in green in these slides contain external hyperlinks. 1 / 16

x86 Virtualization Hardware Support Pla$orm Virtualiza.on

Outline. Outline. Why virtualization? Why not virtualize? Today s data center. Cloud computing. Virtual resource pool

StACC: St Andrews Cloud Computing Co laboratory. A Performance Comparison of Clouds. Amazon EC2 and Ubuntu Enterprise Cloud

Security Overview of the Integrity Virtual Machines Architecture

OPEN-XCHANGE. Open-Xchange and SUSE Linux Enterprise 10 Whitepaper

Virtual Machines. COMP 3361: Operating Systems I Winter

Virtualization and Performance NSRC

GUEST OPERATING SYSTEM BASED PERFORMANCE COMPARISON OF VMWARE AND XEN HYPERVISOR

Transcription:

Hypervisor assisted malware detection (analysis) Gábor Pék (CrySyS) Budapest University of Technology and Economics

Outline Basics of hardware assisted virtualization Conventional malware detection Signature based Heuristics Malware analysis in ring -1 Performance as a No.1 bottleneck Malware detection in ring -1 Statistics as a prospering tool 2

Basics of hardware assisted virtualization Introduced in 2006 (Intel VT-x and AMD-V) Same theoretical basics, differences only in the implementation A new CPU privilegue level (ring -1) for the hypervisor Hypervisor mediates between the hardware and (virtualized) operating systems. Main tasks: management of resources, virtualizing processors and states Examples: XenServer, Hyper-V Server, Blue Pill CPU can operate in root and non-root mode Root mode - CPU executes the hypervisor Non-root mode CPU executes the guest operating systems 3

More details about hardware ass. virtualization Saving guest states VMCB - Virtuali Machine Control Block VMCS Virtual Machine Control Structure VM Exits : switching between root and non-root mode Exceptions Faults Privileged instruction execution Invalid opcode execution VM Exits can be intercepted and handled by the hypervisor Basics of malware analysis and detection 4

Conventional malware detection Current AVs run at the same priv. level as malware do (ring 0, ring 3) Signature based - searching for static patterns E.g., Byte sequences, header information Difficult to handle new variants Requires large databases Low false positive rate Heuristics searching for behaviour based patterns E.g., Memory pages with specific information New variants can be detected easily Higher false positive rate 5

Malware analysis in ring -1 Many research papers about hypervisor assisted malware analysis Ether Pyrenée MAVMM Patagonix, etc Using a properiatory or existing virtualization software Xen KVM TVMM All of them requires a reboot is it a problem? Performance problems 6

Perfomance problems Guests being analysed are unusable Cause: No native support for decreasing the semantic gap between the hypervisor and the operating system E.g., No CPU support for system call tracing heavy use of syscalls by user-space malware Current solution for syscall tracing uses page faults Problems: Excessive number of page faults by design Filtering is not a efficient solution 7

Goals Goals Detecting unknown parasitic malware in real time Transparency Low performance overhead Using heuristics (many advantages) False positives? Solution: Stastics or Machine Learning Separating benign and malicious syscall sequences Creating stastics from benign and infected systems We can use hypothesis theory to differentiate them 8

Challenges Decreasing the semantic gap Reconstructing operating system level structures in the hypervisor: process names, process features, memory protections, etc Solving performance issues (new syscall method) Automatically record benign and a lot of (>1000) malicious traces A system should be build to Fetch malicious samples and execute them Save and record syscall logs from the hypervisor (not trivial) Revert the system Start everything again 9

Performance issues Important to show that there is no significant performance degradation Create samples (performance counters) from native and monitored systems Sampling is relatively time consuming Questions: What is the lowest number of sample elements required to draw conclusion? Is there a significant difference between performances? Compare 3 methods (unmonitored, old syscall methods, new approach) 10

Thank you 11

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information