
1 Ether: Malware Analysis via Hardware Virtualization Extensions. Authors: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee. Presenter: Yi Yang

2 Agenda
● Motivation
● Transparency Requirements
● Ether Framework
● Experiments and Evaluation
● Conclusion

3 Motivation
Malware definition: malware, short for malicious software, is software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
Malware categories: computer viruses, worms, trojan horses, rootkits, spyware, adware, rogue security software, and other malicious programs.
Malware problem: malware has become the centerpiece of most security threats on the Internet.

4 Malware Analysis
There is a profound need to understand malware behavior:
– Forensics and asset remediation
– Threat analysis
Malware authors have a direct financial motivation to make analysis very challenging.
Focal point of this work: not how to detect malware, but how to hide the malware analyzer from the malware while it runs.

5 Two Types of Malware Analysis
Static analysis: shows what a program would do, giving a complete view of program behavior. It requires accurate disassembly of x86 machine code, which is often impossible in practice (packed or obfuscated code).
Dynamic analysis: shows what a program actually did when executed, so it only gives a partial view of program behavior (the paths taken in that run).
Question: how do you hide your analyzer from the program being executed?

6 The Malware Uncertainty Principle
An important practical problem: the observer affects the observed environment.
Robust and detailed analyzers are typically invasive, so malware that detects the analyzer will refuse to run.

7 Solving the Malware Uncertainty Principle
An analyzer should be transparent.
– Defining transparency: the execution of the malware and of the malware analyzer is governed by the principle of non-interference, i.e. the analyzer's presence has no observable effect on the malware's execution.

8 Transparency Requirements
● Higher privilege (the analyzer runs at a privilege level above the malware)
● No non-privileged side effects
● Same instruction execution semantics
● Transparent exception handling
● Identical notion of time

9 Fulfilling the Transparency Requirements
Reduced-privilege guests (VMware, etc.)
– fail the "no non-privileged side effects" requirement
Emulation (full-system emulators such as QEMU)
– fail the "same instruction execution semantics" requirement
Idea: use hardware-assisted virtualization, which poses its own complex analysis challenges.

10 Ether Framework
Software that uses the hardware virtualization extensions: Xen hypervisor
Hardware virtualization platform: Intel VT
Target operating system: Windows XP

11 Intel VT Hardware Virtualization Extensions (figure)

12 Architecture of Ether (figure)

13 Using Intel VT for Malware Analysis
Ether must be able to monitor the instructions executed by a guest process, any memory writes the guest process performs, and any system calls it makes.
The Intel VT extensions do not provide direct support for these monitoring activities; Ether has to build them from the traps VT does provide.

14 Monitoring Activities
Monitoring instruction execution: single-stepping with the x86 trap flag, so that every instruction raises a debug exception that is trapped by the hypervisor.
Monitoring memory writes: shadow page tables that mark guest pages read-only, so each write faults into the hypervisor, which records it and lets the write proceed.
Monitoring system call execution: SYSENTER_EIP_MSR is pointed at an address that is not mapped, so each SYSENTER page-faults into the hypervisor, which logs the call and resumes at the real handler.

15 Maintaining Analyzer Transparency
Despite making several modifications to guest state, Ether maintains transparency by ensuring those changes are undetectable from inside the guest: a guest that reads the modified state is shown the original values, and the extra exceptions are never delivered to the guest.

16 Potential Attacks
While theoretically resilient against in-guest detection attacks, current architectural restrictions make some of these attacks possible.
Ether is vulnerable to a class of timing attacks using external timing sources.
Detection methods considered:
● In-memory presence
● CPU registers
● Memory protection
● Privileged instruction handling
● Instruction emulation
● Timing attacks

18 Architectural Limitations
Intel VT suffers from architectural limitations that may allow Ether to be detected under certain circumstances. Other hardware virtualization extensions exist that do not suffer from these limitations.
Two main flaws of Intel VT allow the current implementation to be detected by observing implicit changes to the memory hierarchy:
– Intel VT flushes the TLB on every VM exit.
– Paging must be enabled before entering VMX root mode.

19 Experiments and Evaluation
Two tools based on Ether: EtherUnpack and EtherTrace.
EtherUnpack traces memory writes and single instructions (fine-grained tracing).
EtherTrace traces system calls (coarse-grained tracing).
These tools are used to evaluate Ether and compare it against current approaches.

21 Packing vs Unpacking
Packing is a term used to describe the obfuscation and encryption of program code to thwart static analysis. The result of packing is that signature-based approaches fail to identify packed malware as malicious.
Opposite to packers, unpackers are programs that attempt to recover the original code hidden by the packer.

22 About EtherUnpack (figure)

23 About EtherUnpack
Precise, universal, automated unpacker.
Uses instruction-by-instruction tracing (fine-grained tracing) to detect unpack-execute behavior: if memory that was written earlier is later executed, unpack execution has occurred.
Able to handle multiple packing layers.
Dumps the unpacked memory images to disk.

24 Evaluation: EtherUnpack
Success criterion: a 32-byte string taken from the original program's code section must appear in the unpacked image (real code bytes, not a random planted marker).
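The write-then-execute heuristic from slide 23 and the marker check from slide 24, as an added example that is not EtherUnpack's own code: a detector that records memory writes, dumps a layer the first time execution lands on a written address, keeps going for nested layers, and then searches the dumps for the 32-byte marker. The event shape, addresses, marker string and the two-layer trace are all constructed for this example; EtherUnpack itself takes the equivalent events from Ether's single-step and shadow page-table traps.

```python
"""Write-then-execute ("unpack-execute") detection over a fine-grained trace.

Added example, not EtherUnpack's own code. Every memory write is recorded,
and the first time execution reaches a written address a new unpacking layer
has been reached and its memory image is dumped. Trace events have an
assumed shape: ("exec", addr) or ("write", addr, data_bytes).
"""
from dataclasses import dataclass

# Constructed 32-byte marker standing in for the string from the original code section.
MARKER = b"ETHER-ORIGINAL-CODE-MARKER-01234"
assert len(MARKER) == 32


@dataclass
class Layer:
    entry: int    # first executed address that had earlier been written
    base: int     # lowest written address in the dumped image
    image: bytes  # contiguous dump from base to the highest written address


class UnpackDetector:
    def __init__(self):
        self.mem = {}        # guest memory as seen through the recorded writes
        self.dirty = set()   # addresses written since the last layer was dumped
        self.layers = []

    def write(self, addr, data):
        for i, b in enumerate(data):
            self.mem[addr + i] = b
            self.dirty.add(addr + i)

    def execute(self, addr):
        if addr not in self.dirty:
            return            # executing code that existed before: nothing to do
        # Code written earlier is now executing: dump it as one layer and start
        # tracking writes afresh so a further layer (multi-layer packers) is
        # detected separately instead of re-triggering on every instruction.
        lo, hi = min(self.dirty), max(self.dirty)
        image = bytes(self.mem.get(a, 0) for a in range(lo, hi + 1))
        self.layers.append(Layer(entry=addr, base=lo, image=image))
        self.dirty.clear()


def run_trace(events):
    det = UnpackDetector()
    for ev in events:
        if ev[0] == "write":
            det.write(ev[1], ev[2])
        elif ev[0] == "exec":
            det.execute(ev[1])
        else:
            raise ValueError(f"unknown trace event {ev!r}")
    return det.layers


def find_marker(layers, marker=MARKER):
    """Index of the first dumped layer containing the marker, or None.
    This is the success check used in the EtherUnpack evaluation."""
    for i, layer in enumerate(layers):
        if marker in layer.image:
            return i
    return None


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


# Constructed two-layer sample: the stub at 0x401000 writes an inner unpacker
# plus the still-encoded payload at 0x402000 and jumps there; the inner layer
# decodes the real payload to 0x403000 and jumps to it.
PAYLOAD = b"\x90" * 8 + MARKER + b"\xc3"          # original code: nops, marker, ret
SAMPLE_TRACE = [
    ("exec", 0x401000),
    ("exec", 0x401003),
    ("write", 0x402000, xor_bytes(PAYLOAD, 0x5A)),  # inner blob, marker not yet visible
    ("exec", 0x401010),
    ("exec", 0x402000),                             # first unpack-execute event
    ("exec", 0x402004),
    ("write", 0x403000, PAYLOAD),                   # inner layer decodes original code
    ("exec", 0x402020),
    ("exec", 0x403000),                             # second unpack-execute event
    ("exec", 0x403008),
]

if __name__ == "__main__":
    layers = run_trace(SAMPLE_TRACE)
    for i, layer in enumerate(layers):
        print(f"layer {i}: entry={layer.entry:#x} base={layer.base:#x} size={len(layer.image)}")
    print("marker found in layer", find_marker(layers))
```

Clearing the dirty set after each dump is what makes nested packers work: the second layer is reported only when execution reaches memory written after the first dump, rather than on every instruction of the first layer. The marker is absent from layer 0 (still XOR-encoded) and present in layer 1, which is exactly the distinction the evaluation relies on.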

25 Evaluation: EtherUnpack
Result (comparison table not reproduced in the transcript): Ether is more transparent than the compared approaches.

26 About EtherTrace
An implementation of a coarse-grained tracer using the Ether framework.
Traces the Windows equivalent of system calls (the Native API).
Information provided:
– Call name
– Typed arguments
– Return values
– Context (process ID, thread ID)

27 Evaluation: EtherTrace
Examine the trace logs for the expected actions:
– File
– Registry
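The log check from slides 26 and 27, as an added example that is not EtherTrace's own code: a parser for a Native API trace carrying call name, typed arguments, NTSTATUS return value and process/thread context, and a checker that reports whether a given process performed the expected file and registry actions. The line format is assumed for this example (EtherTrace's real output format is not shown on the slides), and the log lines, process IDs, paths and registry names are constructed.

```python
"""Checking a coarse-grained (Native API) trace for expected actions.

Added example, not EtherTrace's own code. Assumed line format:
    <pid> <tid> <NtCall>(<name>=<value>, ...) = <NTSTATUS>
where values are hex integers or double-quoted strings. The log is constructed.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
1234 1240 NtCreateFile(FileHandle=0x7c, DesiredAccess=0x40100080, ObjectName="\??\C:\Windows\system32\drv.sys", CreateDisposition=0x2) = 0x0
1234 1240 NtWriteFile(FileHandle=0x7c, Length=0x1a00) = 0x0
1234 1240 NtOpenKey(KeyHandle=0x80, ObjectName="\Registry\Machine\SYSTEM\CurrentControlSet\Services\drv") = 0x0
1234 1240 NtSetValueKey(KeyHandle=0x80, ValueName="ImagePath", Type=0x2, Data="system32\drv.sys") = 0x0
1234 1248 NtCreateFile(FileHandle=0x0, DesiredAccess=0x80100000, ObjectName="\??\C:\missing.dll", CreateDisposition=0x1) = 0xc0000034
9999 9990 NtQuerySystemInformation(SystemInformationClass=0x5) = 0x0
"""

LINE_RE = re.compile(r"^(\d+) (\d+) (\w+)\((.*)\) = (0x[0-9a-fA-F]+)$")
# name=value pairs; a quoted value may contain backslash-escaped characters
ARG_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|0x[0-9a-fA-F]+)')


@dataclass
class Call:
    pid: int
    tid: int
    name: str
    args: dict
    status: int

    @property
    def succeeded(self):
        # NT_SUCCESS(): the severity bit of the NTSTATUS is clear
        return self.status < 0x80000000


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable trace line: {line!r}")
    pid, tid, name, raw_args, status = m.groups()
    args = {}
    for key, val in ARG_RE.findall(raw_args):
        args[key] = val[1:-1] if val.startswith('"') else int(val, 16)
    return Call(int(pid), int(tid), name, args, int(status, 16))


def parse_trace(text):
    return [parse_line(l) for l in text.strip().splitlines() if l.strip()]


# Expected actions: (call name, argument to match, expected value). Constructed.
EXPECTED = {
    "drops driver file": ("NtCreateFile", "ObjectName", r"\??\C:\Windows\system32\drv.sys"),
    "registers service": ("NtSetValueKey", "ValueName", "ImagePath"),
    "opens missing dll": ("NtCreateFile", "ObjectName", r"\??\C:\missing.dll"),
}


def check_expected(calls, pid, expected=EXPECTED):
    """Map each expected action to True if process pid made that call and it
    succeeded. Failed calls (NTSTATUS with the severity bit set) do not count:
    an attempted action is not an observed one."""
    return {
        label: any(c.pid == pid and c.name == name and c.succeeded
                   and c.args.get(arg) == value for c in calls)
        for label, (name, arg, value) in expected.items()
    }


def actions_by_process(calls):
    """Successful call names per process, in trace order, for a quick overview."""
    out = {}
    for c in calls:
        if c.succeeded:
            out.setdefault(c.pid, []).append(c.name)
    return out


if __name__ == "__main__":
    calls = parse_trace(SAMPLE_LOG)
    for pid, names in actions_by_process(calls).items():
        print(pid, names)
    print(check_expected(calls, 1234))
```

Filtering on the return value matters when reading these logs: the second NtCreateFile in the sample returns 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND), so the "opens missing dll" action is reported as not observed even though the call appears in the trace, and the unrelated process 9999 reports no expected actions at all.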

28 Evaluation: EtherTrace
Result (comparison table not reproduced in the transcript): Ether is more transparent than the compared approaches.

29 Conclusion
Ether is a transparent, external malware analyzer based on hardware virtualization extensions such as Intel VT.
Ether implements a different approach from in-guest and emulation-based analyzers.
The evaluation confirms that Ether is more transparent.
It can theoretically do better still: improving resistance to timing attacks and to memory-hierarchy detection attacks.

30 Reference
http://ether.gtisc.gatech.edu/

31 Questions?

