Presentation is loading. Please wait.

Presentation is loading. Please wait.

Maryland Information Systems Security Lab Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor Nick L. Petroni, Jr. Timothy.

Published byKristian Russell Modified over 8 years ago

Similar presentations

Presentation on theme: "Maryland Information Systems Security Lab Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor Nick L. Petroni, Jr. Timothy."— Presentation transcript:

1 Maryland Information Systems Security Lab Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor Nick L. Petroni, Jr. npetroni@cs.umd.edu Timothy Fraser tfraser@umiacs.umd.edu Jesus Molina chus@cs.umd.edu William A. Arbaugh waa@cs.umd.edu

2 Maryland Information Systems Security Lab 2 Copilot Kernel Integrity Monitor Compatible - works on commodity GNU/Linux x86 PCs Effective - detected tampering by 12 real-world rootkits - check every 30 seconds = 1% performance penalty Isolated - implemented on its own PCI add-in card Independent - operates even if host kernel is compromised

3 Maryland Information Systems Security Lab 3 Integrity Threat Example system call vector IDT Host RAM other kernel data and process pages 1. Attacker gains entry kernel text kernel page tables 2. Attacker inserts/modifies code 3. Attacker gets his code executed

4 Maryland Information Systems Security Lab 4 Copilot Integrity Protection kernel text system call vector IDT CPU/ cache bridge/ memory controller PCI local bus system call vector modified Copilot Admin Station other kernel data and process pages

5 Maryland Information Systems Security Lab 5 Copilot Protection Strategy Copilot currently uses the following traditional methods: –Hash of Linux kernel text –Linux system call vector –Linux interrupt descriptor table –Linux module list –Hash of Linux module text Compare the above with a “known-good” state Adding hashing/jump table targets simple Copilot improves these methods by providing an isolated & independent platform for kernel monitoring

6 Maryland Information Systems Security Lab 6 PCI add-in card requirements Unrestricted access to bus - EBSA-285 has bus mastering capability Independence from host - EBSA-285 has a mode that ignores host commands Sufficient processing power, memory - StrongARM SA-110 CPU, 16MB RAM Independent communication channel for reporting - RS-232 serial port

7 Maryland Information Systems Security Lab 7 Architecture/OS Requirements All kernel data structures must be available to monitor –Linux provides virtual addresses for data structures –Linux x86 virtual address translation easy to replicate –Linux kernel memory is never paged out of RAM –PC PCI bus addresses, physical addresses identical –PC PCI bus can address all of physical memory

8 Maryland Information Systems Security Lab 8 Virtual memory translation 0x00000000 end of RAM virtual addresses used by kernel: physical addresses used during DMA: kernel text, page tables linear map nonlinear map via page tables vmalloc area, module cores 0xc0000000 high_memory 0xfe000000

9 Maryland Information Systems Security Lab 9 Experimental Results Typical rootkit implementation: An LKM that interposes on the system call vector: Adore, rial, rkit, synapsis, modhide1, phide, kbd, linspy… More sophisticated, more stealthy: SucKIT - loads via /dev/kmem instead of LKM Phantasmagoria - modifies kernel text, not syscall vector Insecurity by Obscurity: Taskigt - adds a hook to /proc filesystem Knark - adds inet protocol handler

10 Maryland Information Systems Security Lab 10 STREAM memory throughput benchmarks Penalty: 10% 10% 7% 7%

11 Maryland Information Systems Security Lab 11 WebStone HTTP throughput benchmark Cycle (in seconds): off 30 15 5 continuous Penalty: 0% 1% 2% 4% 14% MB/s

12 Maryland Information Systems Security Lab 12 Related Work Existing approaches: Userspace tools –Tripwire, AIDE, chkrootkit, checkps, Rkscan… Kernel space tools –Saint Jude (St. Michael), KSTAT, Carbonite, Samhain Challenge-response protocols for remote genuinity –Kennell/Jamieson, SWATT Other hardware approaches –TCG-based approaches

13 Maryland Information Systems Security Lab 13 Limitations and Future Work Problems with a PCI-based approach –Inability to monitor execution –Relocation/cache attacks –Memory race conditions Future directions –In-memory image prediction from trusted binary –Extending coverage to most (all?) jumps –Data/non-text auditing (e.g. process table, open files…) –Protect host-kernel-resident protection mechanisms

14 Maryland Information Systems Security Lab 14 Copilot Summary Proven effective in lab tests: - Detected the 12 rootkits listed on earlier slide - 30-second detection window - Less than 1% application performance penalty Advantages over existing technologies: - Applicable to commodity GNU/Linux x86 hosts - No reliance on host software for correctness - Plugs into unmodified commodity host - Can be extended to support dynamic data

Download ppt "Maryland Information Systems Security Lab Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor Nick L. Petroni, Jr. Timothy."

Similar presentations

Content Overview Virtual Disk Port to Intel platform

Content Overview Virtual Disk Port to Intel platform
System Area Network Abhiram Shandilya 12/06/01. Overview Introduction to System Area Networks SAN Design and Examples SAN Applications.

System Area Network Abhiram Shandilya 12/06/01. Overview Introduction to System Area Networks SAN Design and Examples SAN Applications.
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Chapter 6 Security Kernels.

Chapter 6 Security Kernels.
RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.

RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.
Chorus and other Microkernels Presented by: Jonathan Tanner and Brian Doyle Articles By: Jon Udell Peter D. Varhol Dick Pountain.

Chorus and other Microkernels Presented by: Jonathan Tanner and Brian Doyle Articles By: Jon Udell Peter D. Varhol Dick Pountain.
Avishai Wool lecture 8 - 1 Introduction to Systems Programming Lecture 8 Input-Output.

Avishai Wool lecture Introduction to Systems Programming Lecture 8 Input-Output.
1 Future Technologies Group Shane Canon, canon at nersc dot govSummer Linux Kernel Class Root Kit Protection and Detection Shane Canon October 23 2003.

1 Future Technologies Group Shane Canon, canon at nersc dot govSummer Linux Kernel Class Root Kit Protection and Detection Shane Canon October
Memory Management (II)

Memory Management (II)
04/16/2010CSCI 315 Operating Systems Design1 I/O Systems Notice: The slides for this lecture have been largely based on those accompanying an earlier edition.

04/16/2010CSCI 315 Operating Systems Design1 I/O Systems Notice: The slides for this lecture have been largely based on those accompanying an earlier edition.
1 Last Class: Introduction Operating system = interface between user & architecture Importance of OS OS history: Change is only constant User-level Applications.

1 Last Class: Introduction Operating system = interface between user & architecture Importance of OS OS history: Change is only constant User-level Applications.
1 OS & Computer Architecture Modern OS Functionality (brief review) Architecture Basics Hardware Support for OS Features.

1 OS & Computer Architecture Modern OS Functionality (brief review) Architecture Basics Hardware Support for OS Features.
Operating System Support for Virtual Machines Sam King George Dunlap Peter Chen CoVirt Project, University of Michigan.

Operating System Support for Virtual Machines Sam King George Dunlap Peter Chen CoVirt Project, University of Michigan.
Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor.

Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor.
Chapter 13: I/O Systems I/O Hardware Application I/O Interface

Chapter 13: I/O Systems I/O Hardware Application I/O Interface
Copyright ©: Nahrstedt, Angrave, Abdelzaher

Copyright ©: Nahrstedt, Angrave, Abdelzaher
Fast Dynamic Binary Translation for the Kernel Piyus Kedia and Sorav Bansal IIT Delhi.

Fast Dynamic Binary Translation for the Kernel Piyus Kedia and Sorav Bansal IIT Delhi.
Tanenbaum 8.3 See references

Tanenbaum 8.3 See references
Input/Output. Input/Output Problems Wide variety of peripherals —Delivering different amounts of data —At different speeds —In different formats All slower.

Input/Output. Input/Output Problems Wide variety of peripherals —Delivering different amounts of data —At different speeds —In different formats All slower.

Similar presentations

Ads by Google