
Slide 1: SubVirt: Implementing malware with virtual machines
Yi-Min Wang, Chad Verbowski, Helen J. Wang, Jacob R. Lorch (Microsoft Research); Samuel T. King, Peter M. Chen (University of Michigan)

Slide 2 (2/23): Motivation
Attackers and defenders strive for control
– Attackers monitor and perturb execution, and try to avoid defenders
– Defenders detect and remove the attacker
– Control belongs to the lower layers
[Diagram: layered stack of hardware, operating system, App1 and App2, with attackers and defenders contending for position in it]

Slide 3 (3/23): Virtual-machine based rootkits (VMBRs)
VMM runs beneath the OS
– Effectively a new processor privilege level
Fundamentally more control
No visible states or events
Easy to develop malicious services

Slide 4 (4/23): Virtual-machine based rootkits (VMBRs)
[Diagram: before infection, the stack is hardware, target OS, App1 and App2; after infection, a VMM and an attack system sit between the hardware and the target OS]

Slide 5 (5/23): Outline
Attacker's perspective
– Installing a VMBR
– Maintaining control
– Malicious services
Defender's perspective
– Defending against this threat
Proof-of-concept VMBRs

Slide 6 (6/23): Installation
Assume the attacker has kernel privilege
– Traditional remote exploit
– Bribe an employee
– Malicious bootable CD-ROM
Install during shutdown
– Few processes running
– Efforts to prevent notification of activity

Slide 7 (7/23): Installing a VMBR
Modify the boot sequence
[Diagram: boot chain BIOS → Master boot record → Boot sector → OS]

Slide 8 (8/23): Installing a VMBR
Modify the boot sequence
[Diagram: boot chain BIOS → Master boot record → Boot sector → OS, with the point where the VMBR loads marked in the chain]

Slide 9 (9/23): Maintaining control
Hardware reset: the VMBR loses control
Illusion of reset without losing control
Reboot is easy, shutdown is harder
[Diagram: boot chain BIOS → Master boot record → Boot sector → OS, with the point where the VMBR loads marked in the chain]

Slide 10 (10/23): Maintaining control
ACPI BIOS used for low-power mode
– Spin down disks
– Put the display in low-power mode
– Change the power LED
Illusion of power off: emulate shutdown
Control the power button
System functionally unchanged

Slide 11 (11/23): Malicious services
Advantages of both high-layer and low-layer malware
– Provides a low-layer implementation
– Still easy to implement services
Use a separate attack OS to implement them
[Diagram: hardware, VMM, and above it the target OS with App1 and App2 alongside an attack OS with its own app]

Slide 12 (12/23): Malicious services
Zero-interaction malicious services
– E.g., phishing web server
Passive monitoring
– E.g., keystroke logger, file system scanner
Active execution modifications
– E.g., defeat a VM detection technique
All easy to implement

Slide 13 (13/23): Defending against VMBRs
Detecting VMBRs
– Perturbations
Where to run detection software

Slide 14 (14/23): VMBR perturbations
Inherent
– Timing of key events
– Space
Hardware artifacts
– Device differences
– Processor not fully virtualizable
– See paper for more details
Software artifacts
– VM icon
– Device names
[Annotation: scale from easy to hide (software artifacts) to hard to hide (inherent perturbations)]

Slide 15 (15/23): Security software above
Attack state not visible
– Can only detect side effects, e.g., timing
VMBR can manipulate execution
– Clock controlled by the VMBR
– Prevent the security service from running
– Turn off the network
– Disable notification of intrusion

Slide 16 (16/23): Security software below
More control, direct access to resources
– Could detect states or events
Secure VMM and/or secure hardware
Boot from a safe medium
– Unplug the machine from the wall
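As an added example (not code from the talk or the SubVirt paper), a check a defender running "below" the suspect system would perform after booting from a safe medium: the bootstrap code and partition table of a freshly read master boot record are compared against a baseline recorded from a known-clean state, since slides 7 and 8 show the VMBR installing itself by modifying exactly that boot sequence. The sample records are constructed inline; the device path in the usage note is an assumption.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_SIZE = 446     # bytes 0..445: code the BIOS jumps into
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"  # bytes 510..511

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into a bootstrap hash, partition entries and signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        # status, 3 CHS bytes, type, 3 CHS bytes, LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return {"bootstrap_sha256": hashlib.sha256(mbr[:BOOTSTRAP_SIZE]).hexdigest(),
            "partitions": entries,
            "valid_signature": mbr[510:] == SIGNATURE}

def check_boot_record(mbr: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR with a baseline from a known-clean state;
    returns findings (empty list = unchanged). A rewritten bootstrap or a
    redirected active partition is what a boot-sequence hook leaves behind."""
    cur = parse_mbr(mbr)
    findings = []
    if not cur["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if cur["bootstrap_sha256"] != baseline["bootstrap_sha256"]:
        findings.append("bootstrap code changed: boot chain may be redirected")
    for i, (now, was) in enumerate(zip(cur["partitions"], baseline["partitions"])):
        if now != was:
            findings.append(f"partition entry {i} changed: {was} -> {now}")
    return findings

def build_sample_mbr(bootstrap: bytes, lba_start: int) -> bytes:
    """Construct a synthetic MBR for the demo (not read from a real disk)."""
    code = bootstrap.ljust(BOOTSTRAP_SIZE, b"\x00")
    active = struct.pack("<B3xB3xII", 0x80, 0x83, lba_start, 204800)
    return code + active + b"\x00" * 48 + SIGNATURE

# Constructed fixtures: a clean record, and one whose bootstrap bytes and active
# partition start differ, as a rewritten boot sequence would leave them.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0", 2048)
BASELINE = parse_mbr(CLEAN_MBR)
ALTERED_MBR = build_sample_mbr(b"\xeb\x3c\x90", 409600)
```

On a real machine the fresh record is read from the trusted boot medium with something like `open("/dev/sda", "rb").read(512)` (assumed device path) and the baseline is kept off the host so the VMBR cannot rewrite it.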

Slide 17 (17/23): Proof-of-concept VMBRs
VMware / Linux host
Virtual PC / Windows XP host
Host OS was the attack OS
Malware payload ~100MB compressed
Non-fully-virtualizable ISA
– Defeating this would degrade performance
Software-emulated devices
– Host OSes had a wide range of drivers

Slide 18 (18/23): Proof-of-concept VMBRs
Implemented four malicious services
– Phishing web server
– Keystroke logger + password parser
– File system scanner
– Countermeasure to a detection tool
Installation scripts and modules
ACPI shutdown emulation
– Both sleep states and power button control

Slide 19 (19/23): Related work
Layer-below attacks
– Kernel-layer rootkits
VMMs for security
– Trusted VMMs: Terra, NGSCB
– Detect intrusions: VMI, IntroVirt
– Isolation: NSA's NetTop
– Analyze intrusions: ReVirt
Current defenses
– Secure/trusted boot
– Pioneer

Slide 20 (20/23): Conclusion
Realistic threat
– Qualitatively more control
– Still easy to implement services
– Proof-of-concept VMBRs could be detected
– HW enhancements might make them more effective
Defending is possible
– Best way is for defenders to control the low layers

Slide 21 (21/23): Questions

Slide 22 (22/23): Hardware artifacts
Non-fully-virtualizable processor
Computers have diverse hardware
– Allow the target OS to provide drivers
– Device DMA is unsafe and might expose the VMBR
– Results in different / incomplete visible hardware
Enhancements to the MMU
– Allow the target OS to run many drivers directly

Slide 23 (23/23): Software artifacts
Implementations make the VMM visible
VMware / Virtual PC hypercalls
– E.g., GetVersion()
VMware icon
Name of virtual hardware
Etc.

Slide 24 (24/23): Performance
Non-fully-virtualizable hardware tradeoff
– Performance vs. perfect virtualization
– Dynamic binary translation
– Paravirtualization
Simplified driver interface
Effects of HW enhancements unknown

Slide 25 (25/23): Impact of VM-enhanced hardware
VMBR allows the target to run most hardware
– Only emulate the devices needed for virtualization, e.g., disk, network
– Target can drive everything else, e.g., display, USB
Better device performance
Smaller VMBR payload

Slide 26 (26/23): Defeating the "redpill"
Easy to detect a VM on non-virtualizable x86
"Redpill" uses instructions that leak information
Interpose on key Windows functions
– Fix up the "redpill" app to avoid VM detection
Uses virtual-machine introspection
