Presentation on theme: "GuestGuard: Dynamic Kernel Tampering Prevention Using a Processor-Assisted Virtual Machine Information & Computer Sciences University of Hawaii at Manoa."— Presentation transcript:
GuestGuard: Dynamic Kernel Tampering Prevention Using a Processor-Assisted Virtual Machine Information & Computer Sciences University of Hawaii at Manoa Yoshiaki Iinuma
Outline I. Problems (Malware, OS, & Anti-Malware) II. GuestGuard (Solution) III. Conclusions
I. Problems 1.Malware Kernel Tampering Malware (KTM) KTM Technologies KTM Classification 2. OS Problems 3. Anti-Malware Problems
1.1 Kernel Tampering Malware (KTM) Malware trying to manipulate kernel code and data Compared with user-land malware More Artful, Powerful, and Stealthy More difficult to detect Kernel-mode Rootkits: 46% increased in 2008 (SOPHOS) Many security vendors indicate the rise of KTM. The Only Target of GuestGuard
1.2 KTM Technologies Hardware Facility Perversion (SMM, APIC, Fast System Call) OS Facility Perversion (Device driver, Windows API, Registry) Hooking (Inline, Function table) Direct Kernel Object Manipulation [DKOM] (PsActiveProcessHead, PsLoadedModuleList, EPROCESS) More difficult to detect
1.3 KTM Classification Type I Type I (HW facility perversion): modifies system resisters or other system components (BIOS). Type II Type II (OS facility perversion): modifies the kernel memory in a legitimate way. Type III Type III (Hooking): modifies the kernel memory that is not supposed to be changed (code and tables). Type IV Type IV (DKOM): modifies the kernel memory that is supposed to be changed (data structures dynamically allocated) in an illegitimate way.
2. OS Problems 1. Difficulty in preventing kernel space intrusion OS facilities (e.g. Device Driver) Hardware Facilities (e.g. SMM, APIC) Software (OS) Vulnerability Human Involvement ← Social Engineering 2. No restriction on kernel space processes Malware can compromise the security system 3. Too much flexibility for processes No distinction between malware and benign software
3. Anti-Malware Problems Limitation of dynamic prevention Sometimes, only for detection Possible circumventions
1. KTM Characteristics Modifying a code segment Executing code in a data segment Illegally accessing a kernel object or different process's address space Preventing them a strong Deterrence against KTM
2. GuestGuard Design Goals Kernel Tampering Prevention (Against KTM) Dynamic Prevention Unknown Malware Tamper Resistance Low Overhead Protection for Current Home Computing (Windows XP and Intel X86)
3. Protection Mechanism Overview Guest OS: Windows XP Host OS: Linux ISA: Intel x86 VMM: KVM CPU: Intel Core 2 Duo (Intel-VT)
4.2 Virtual Memory Virtualization Shadow Page Table Guest Virtual → Host Physical The processor does not refer to the guest page tables. Write-protect guest page tables Dynamic Detection Tamper Resistance
5.1 Evaluation Performance Overhead Futuremark PCMark05 (for home PC usage) CPU, Memory, HDD benchmark suites PCMarks (Score) is calculated from a geometric mean of the individual test results Sample PCMarks in 2005: 1,200 (low) ~ 5,500 (high)
5.2 Evaluation Functional Test Result 11 test samples from GuestGuard detected 6 samples Currently not support Type I, II, IV Worked well against Type III (Hooking) However, circumventable with memory mapping
III. Conclusions Kernel Tampering Malware Prevention Dynamic prevention Tamper resistance Low overhead Overcame OS and Anti-malware problems Works without any modifications to Windows Worked very well for Type III (Hooking) Can overcome the memory mapping problem Extensible to Type I, II, IV
Why Virtual Machine (KVM)? Introduce a new security layer to the current existing computing environment Tamper Resistance – provide isolation for a security system Dynamic Detection – change the execution path of the guest KVM allows the guest OS to run on the native processor. Low overhead Windows XP Intel-VT or AMD-V (processor virtualization) QEMU KVM
Windows Introspection Protects: Table: IDT, GDT, SSDT Code: Interrupt vectors, System services, Loaded modules Automatically detects their locations. Extracts information directly from the guest registers and memory data structures. (no guest portions) Examples: IDTR → IDT base address and size Each IDT entry → Interrupt vector base address and size FS → KPCR → KdVersionBlock → PsLoadedModuleList → All the loaded modules
System Shutdown By Injecting Triple Faults. The safest way (← malware is already running) Might lose user data, but recoverable. Backup and snapshots Damage from data loss < Damage from malware Possible different reactions in the future.
Improvements: Against Memory Mapping GuestGuard can be easily subverted. X86 page protection is based on virtual memory Solution: write-protecting a newly mapped page based on physical memory #5 and #9 uses the mapping circumvention technique.
Improvements: Against Type II Easy to detect by hooking OS legitimate functions Difficult to decide whether a usage of a function is acceptable. (← Too much process flexibility) Should be dealt with by the OS Solution for the filter driver perversion Define preferable information flows for each I/O Track the information flow of each I/O Policies & Policy enforcement mechanism → GuestGuard #3 perverts a filter driver.
Improvements: Against Type I Not difficult to detect Type I. Monitor a specific privileged instruction or procedure. SMM rootkits: SMI handler in SMRAM ← write-protection SMI generation through Local APCI register ← write-protection #4 is an SMM rootkit
Improvements: Against Type IV (DKOM) Hook functions to create and delete a kernel object. Set write-protection on a kernel object. Check the range of the current IP (object manager). #6 uses DKOM
Bibliography Fu rootkit. N. A. Quynh and Y. Takefuji. A novel approach for a ﬁle system integrity monitor tool of xen virtual machine. Keith Adams and Ole Agesen. A comparison of software and hardware techniques for x86 virtualization. Starr Andersen. Microsoft technet: Part 3: Memory protection technologies. September Technical Report Alex Ho, Michael Fetterman, Christopher Clark, Andrew Warﬁeld, and Steven Hand. Practical taint-based protection using demand emulation, April 2006 Intel Corporation. Intel Virtualization Technology Speciﬁcation for the IA-32 Intel Architecture, April Intel Corporation. Intel 64 and IA-32 Architectures Software Developer’s Manual Volume 3A & 3B System Programming Guide, 2008.
Bibliography Arati Baliga, Pandurang Kamat, and Liviu Iftode. Lurking in the shadows: Identifying systemic threats to kernel data IEEE. Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauer, Ian Pratt, and Andrew Warﬁeld. Xen and the art of virtualization. Fabrice Bellard. Qemu, a fast and portable dynamic translator. In Proceedings of the 2005 USENIX Annual Technical Conference, Jamie Butler and Greg hoglund. VICE catch the hookers! Black Hat USA, Futuremark Corporation. Futuremark corporation PCMark IBM Corporation. Ibm internet security systems x-force 2007 trend statistics. IBM Corporation. Ibm internet security systems x-force 2008 mid-year trend statistics.
Bibliography Symantec Corporation. Symantec internet security threat report trends for B. D. Payne, M. Carbone, M. Sharif, and W. Lee. Lares: An architecture for secure active monitoring using virtualization. In SP ’08 Mila Dalla Preda, Mihai Christodorescu, Somesh Jha, and Saumya Debray. A semantics-based approach to malware detection. Mark E. Russinovich and David A. Solomon. Microsoft WINDOWS INTERNALS (4th Edition): Microsoft Windows Server 2003, Windows XP, and Windows Microsoft Press, 4 th edition, January F-Secure. Blacklight. T. Garnkel and M. Rosenblum. A virtual machine introspection based architecture for intrusion detection Hoglund Greg. ROOTKIT. Flavio Lombardi and Roberto Di Pietro. Kvmsec: A security extension for linux kernel virtual machines ACM.
Bibliography Greg Hoglund and James Butler. Rootkits: Subverting the Windows Kernel. Addison-Wesley Professional, August Markus Jakobsson and Zulﬁkar Ramzan. Crimeware: Understanding New Attacks and Defenses. Addison Wesley Professional, April Bernhard Jansen, Hari-Govind. V. Ramasamy, and Matthias Schunter. Policy enforcement and compliance proofs for xen virtual machines ACM. Xuxian Jiang, Xinyuan Wang, and Dongyan Xu. Stealthy malware detection through vmm-based ”out-of-the-box” semantic view reconstruction A. Joshi, S. King, G. Dunlap, and P. Chen. Past and present intrusions through vulnerability specic predicates. October Kaspersky Lab. Malware evolution 2008 kaspersky security bulletin. Technical report, Jr. N. L. Petroni, T. Fraser, J. Molina, and W. A. Arbaugh. Copilot - a coprocessor- based kernel runtime integrity monitor
Bibliography Koichi Onoue, Yoshihiro Oyama, and Akinori Yonezawa. Control of system calls from outside of virtual machines ACM. Opc0de. Bypassing vice 2. June 2004.http://rootkit.com/newsread.php?newsid=197 Sophos Plc. Security threat report: Technical report, Qumranet. Main page: KVM - Kernel Based Virtual Machine. kvm.org/page/Main_Page. J. Rutkowska. Subverting vista kernel for fun and prot, August Blackhat. A. Seshadri, M. Luk, N. Qu, and A. Perrig. Secvisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes
Bibliography w3schools. OS platform statistics: What is the trend in operating systems usage? Semptember Yanfang Ye, Dingding Wang, Tao Li, and Dongyi Ye. Imds: Intelligent malware detection system ACM. Heng Yin, Zhenkai Liang, and Dawn Song. HookFinder: Identifying and understanding malware hooking behaviors Heng Yin, Dawn Song, Manuel Egele, Christopher Kruegel, and Engin Kirda. Panorama: Capturing system-wide information ﬂow for malware detection and analysis Jeremy Z. Kolter and Marcus A. Maloof. Learning to detect malicious executables in the wild ACM. Qinghua Zhang and Doublas S. Reeves. Metaaware: Identifying metamorphic malware. ACSAC
Windows Introspection Details IDT, GDT – IDTR, GDTR (base, limit) SSDT – fs → KPRCB → KdVersionBlock → KeServiceDescriptorTable Interrupt Service Routines – IDT → each ISR code segment (base, limit) System Services – SSDT → each SS base address Loaded Modules - fs → KPRCB → KdVersionBlock → PsLoadedModuleList System service dispatcher – MSR: IA32_SYSENTER_CS→ SYSENTER code segment
OpenProcess() VirutalAllocEx() WriteProcessMemory() CreateRemoteThread() Code Injection using WinAPI Malware Loader Target Process Process ID GetThreadContext() SetThreadContext() CreateRemoteThread() or SetWindowsHookEx() Malicious code Dispatcher Start Malware Loader Thread Target Process Thread Info New context DLL loader Kernel32::LoadLibrary() Malicious DLL Load DLL loader Malicious Code kernel32::LoadLibrary()
Malware Techniques III Layered Device Driver A device driver comprises several layered drivers. I/O request packets to communicate with each other Any number of filter drivers can be added between the layers. Can modify the behavior of an existing driver. Keylogger, network sniffer Class Driver Device Driver Request Handler Port Driver Bus Driver Hardware Filter Driver
Hiding Processes using Hooking GetSystemInfo → NtQuerySystemInformation Returns the linked list of the process information Malware hooking this function could change the result. SSDT NtQuerySystemInformation Fake NtQuerySystemInformation Kernel32.DLL Ntdll.DLL User Application (Taskmgr.exe) processmalware process System Service Dispatcher
Malware Technique 5 Inline Hook (Runtime Patching) Copy the target's function preamble to the trampoline function. Write JMP destination address of the trampoline function. Write JMP destination address of the malicious function. Replace the original preamble with the far JMP instruction to the trampoline function. Original code Trampoline Function Preamble Malicious Function Copied Preamble JMP to Malicious Malicious Body JMP to original
Hooking Detection Search for branches that fall outside of an acceptable range. (VICE, Blacklight) IAT: each loaded module containing imported functions has a defined start address in memory and a size. IRP handler TBL: functions are within a given driver's address range. SSDT: all the system services are contained in Ntoskernel.exe.
Other Hooking Detection Integrity based detection Keep hash values calculated from each protected executable image and function table Periodically recalculate those hash values and compare them with their originals. Find extra instructions executed by hooks. (PatchFinder) Keep the number of instructions of each function. Periodically call each function and compare the results. Using the x86 single step mode.
Malware Technique V DKOM Direct Kernel Object Manipulation. Windows manages all the kernel objects through the Object Manager. Bypasses the Object Manager, thereby bypassing all the access checks on the object. Extreamely hard to detect. difficult to implement (must understand how, where, when a kernel object is created, deleted and modified as well as the object format)
Hiding Processes using DKOM Malicious EPROCESS Head EPROCESS Malicious EProcess Head EPROCESS Before After PsActiveProcessHead KPRCB Malicious ETHREAD FS Process List
DKOM Detection Cross-View Based Find a system discrepancy through multiple views of the same system information. Compare the result from a Windows API with the information extracted through other low level methods (e.g. directly check the underlying kernel objects) Disadvantages Complexity to support all hardware Duplication of some parts of OS Possible bypassing techniques