security breakthrough INTRODUCING hypervisor memory introspection

Presentation on theme: "security breakthrough INTRODUCING hypervisor memory introspection"— Presentation transcript:

1 security breakthrough INTRODUCING hypervisor memory introspection
Bo Skeel, Chief Evangelist @Bo_Skeel

2 Rootkit explained
A rootkit is designed to attack the kernel and hide itself at the lowest possible level. Use cases:
• Provide the attacker with a backdoor
• Bypass authentication and authorization mechanisms
• Conceal other malware, for instance key loggers
• Use the system to perform attacks on other systems
• Modify the boot sector, for instance to attack full-disk encryption or to intercept encryption keys and passwords
• Make the system part of a botnet that can launch denial-of-service attacks, distribute spam, conduct click fraud, etc.

3 Security trends
Advanced Persistent Threats (APTs), botnets and cyber-espionage heavily rely on:
• Rootkits
• Kernel exploits
• 0-days

4 Advanced Persistent Threat (APT) action flow
1. Infection vector • Spear phishing • Drive-by downloads • Trojans
2. Exploit • CVE → APT28 • CVE → Energetic Bear • CVE → DarkHotel
3. User-app payload • Code injection → Energetic Bear, Epic Turla, Regin, Zeus, etc. • API hooking → Dyreza, GameOver…
4. Kernel payload • Stealthiness & persistence → kernel rootkits (Necurs, TDL), bootkits
5. Remote control of victim • Espionage & data exfiltration • Identity theft • Sabotage

5-11 Why does advanced malware succeed? (animation build, one slide)
Common malware: App 1 (Office), App 2 (Browser) and the Security solution sit in the application layer, above the Drivers, OS kernel and Security filter; ISOLATION is kernel controlled.
Advanced malware: the same stack, but ISOLATION is bypassed and the malware has control.
Advanced attacks evade traditional in-OS security approaches.

12-13 Why does advanced malware succeed? (animation build, one slide)
Security solution ? ? ?

14 Evasive malware behavior

15 Introducing: Hypervisor memory introspection

16 What is hypervisor memory introspection?
• Provides security from outside the guest OS: not relying on the OS for isolation of security services, hence not exposed to advanced threats
• Direct access to analyse the memory of the guest OS and its applications
• Hooks memory as non-executable or non-writable using hardware extensions; hooking & notification must be supported efficiently by the CPU
• Audits access by code running in the guest OS: write attempts, execution attempts
• Allows or denies attempts; the decision is provided by the security logic

17 What is hypervisor memory introspection?
Guest VM physical memory space, with Extended Page Table (EPT) protected areas:
• OS kernel code
• Critical kernel data: System Service Dispatch Table, Interrupt Descriptor Table, etc.
• Kernel driver code and data
• User-mode code
• User-mode stacks & heaps (data)
EPT-protected areas provide detection of alteration attempts, ensuring protection of critical code & data, and detection of operations & events (e.g. module load, process start, paging structure change, etc.)

18-19 Memory introspection via Xen (implementations A and B)
Hypervisor controlled, hardware enforced STRONG ISOLATION
• dom0
• Security domU running the Introspection Engine (policy in, events out)
• Guest VM 1, Guest VM 2, … Guest VM N
Altp2m + vm_event extensions: part of Xen 4.6 (ongoing); OpenXen/Citrix XenServer 4.6 (ongoing)

20 Hypervisor memory introspection: Xen extensions
PATCHES SUBMITTED BY INTEL
• Enables alternate EPT domains via the addition of the altp2m capability in Xen HVM
• Hypercalls to manage altp2m without conflicting with Xen memory management for other use cases
• Both in-guest and out-of-guest agents can utilize altp2m capabilities
• Enables VMFUNC for in-guest agents to switch altp2m views for various usages
• Reports guest-specific EPT memory access events via #VE (virtualization exception)
• CPU acceleration is enabled automatically if VMFUNC and #VE are enumerated by the CPU; both are emulated if not available

21 Hypervisor memory introspection: Xen extensions
PATCHES SUBMITTED BY BITDEFENDER
• Emulate an instruction and discard the written data, to prevent patching
• Attach the guest state (vCPU registers) to the memory event sent
• Generate VM exits for introspection-relevant Model Specific Register (MSR) accesses by the guest OS
• Disable REP prefix support in the emulator when introspecting
• Deny Model Specific Register and Control Register writes by the guest
• Introspection-specific VMCALL support (hypercall), used when injecting an application into the guest
• Support for memory content hiding (compatible with PatchGuard)
• Various other clean-ups in the VM event subsystem

22 Memory introspection scenarios (section title)

23-25 Memory introspection scenarios (animation build, one slide)
Advanced malware against the same stack: App 1 (Office), App 2 (Browser) and the Security solution, protected by user-mode introspection; Drivers, OS kernel and Security filter, protected by kernel-mode introspection; below them the Hypervisor running the Introspection Engine. ISOLATION is HVMI controlled & enforced by hardware.

26 User-mode memory introspection
Monitor user applications (such as web browsers, Microsoft* Office, Adobe* Reader, …) for:
• detection of code injection
• detection of function detouring
• enforcement of a generic Write-XOR-eXecute (W⊕X) policy
• specific events, e.g. detection of malicious code unpacking
Injection of remediation tools into the guest at runtime, on the fly (no help from ‘within’ the guest needed)
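Slides 16, 17, 21 and 26 describe one loop: hook guest frames by leaving only the tolerated permissions in EPT, receive an event for every access the hardware refuses, and let the security logic allow it, deny it, or (slide 21) emulate the instruction while discarding the written data. The C program below is an added example, not Xen's, Bitdefender's or the speaker's code; it models that decision logic over a constructed event sequence. The mem_event/action/region shapes, the region assignments and the addresses in run_demo() are all assumptions for illustration; in Xen 4.6 the real events arrive on the vm_event ring (the xen-access tool shows the plumbing) and emulate-and-discard is the VM_EVENT_FLAG_EMULATE_NOWRITE response.

```c
/* Toy model of an HVMI engine's decision logic for EPT-violation events. Added
 * example, not Xen's, Bitdefender's or the speaker's code: event/action shapes
 * are assumptions after Xen 4.6's vm_event mem_access request/response flags. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define NFRAMES 64U                       /* toy guest: 64 guest frames */
enum { ACC_R = 1, ACC_W = 2, ACC_X = 4 }; /* one bit per EPT permission */

/* What a hooked frame holds; selects the policy applied to it. */
enum region {
    REG_UNHOOKED,      /* not monitored: EPT grants RWX, never traps */
    REG_KERNEL,        /* kernel/driver code, SSDT, IDT: critical code & data */
    REG_KERNEL_PAGING, /* paging structures: writes audited, not blocked */
    REG_USER_CODE,     /* application code (browser, Office, Reader, ...) */
    REG_USER_DATA      /* user-mode stacks and heaps */
};
/* Decision handed back to the hypervisor for one trapped access. */
enum action {
    ACT_ALLOW,           /* relax EPT for one instruction (altp2m view switch or single-step), re-protect */
    ACT_EMULATE_NOWRITE, /* emulate the instruction, discard the data: guest runs on, memory unchanged */
    ACT_DENY             /* refuse; the security logic deals with the process */
};
struct frame { enum region region; uint8_t ept_perm; };
/* One EPT violation (constructed shape): frame, linear address, vCPU rip, attempted ACC_* bits. */
struct mem_event { uint64_t gfn, gla, rip; uint8_t access; };
struct engine { struct frame frames[NFRAMES]; unsigned alerts; };

static void engine_init(struct engine *e)
{
    memset(e, 0, sizeof *e);
    for (unsigned i = 0; i < NFRAMES; i++)
        e->frames[i].ept_perm = ACC_R | ACC_W | ACC_X;
}

/* Hook a frame: keep only the permissions the policy tolerates in EPT so any other
 * access VM-exits into handle_event() (in Xen: xc_set_mem_access(), assumed, not shown). */
static bool hook_frame(struct engine *e, uint64_t gfn, enum region r)
{
    uint8_t perm = ACC_R | ACC_W | ACC_X;
    if (gfn >= NFRAMES) return false;
    switch (r) {
    case REG_KERNEL: case REG_USER_CODE: perm = ACC_R | ACC_X; break; /* writes trap */
    case REG_KERNEL_PAGING:              perm = ACC_R;         break; /* writes, execution trap */
    case REG_USER_DATA:                  perm = ACC_R | ACC_W; break; /* execution traps: W^X */
    default: break;
    }
    e->frames[gfn].region = r; e->frames[gfn].ept_perm = perm;
    return true;
}

static enum action handle_event(struct engine *e, const struct mem_event *ev)
{
    if (ev->gfn >= NFRAMES) return ACT_DENY;
    const struct frame *f = &e->frames[ev->gfn];
    uint8_t violated = ev->access & (uint8_t)~f->ept_perm;
    if (!violated) return ACT_ALLOW;  /* granted by EPT: would never trap */
    switch (f->region) {
    case REG_KERNEL:
        /* Rootkit-style patching of kernel code, SSDT or IDT: the store is emulated
         * with its data thrown away, so it silently never lands in memory. */
        e->alerts++;
        return ACT_EMULATE_NOWRITE;
    case REG_KERNEL_PAGING:
        /* Page-table updates are legitimate and frequent: let them through so the
         * engine can re-check the mappings the guest changed; execution is not. */
        if (violated & ACC_X) { e->alerts++; return ACT_DENY; }
        return ACT_ALLOW;
    case REG_USER_CODE:               /* write into app code: function detouring */
        e->alerts++;
        return ACT_EMULATE_NOWRITE;
    case REG_USER_DATA:               /* exec from stack/heap: injected or unpacked code, W^X denies */
        e->alerts++;
        return ACT_DENY;
    default:
        return ACT_ALLOW;
    }
}

/* Replay a constructed event sequence (not a real capture); returns how many attempts were blocked. */
static unsigned run_demo(void)
{
    struct engine e;
    engine_init(&e);
    hook_frame(&e, 0x10, REG_KERNEL);          /* SSDT page */
    hook_frame(&e, 0x11, REG_KERNEL_PAGING);   /* a page-table page */
    hook_frame(&e, 0x20, REG_USER_CODE);       /* browser .text */
    hook_frame(&e, 0x21, REG_USER_DATA);       /* browser heap */
    const struct mem_event seq[] = {
        { 0x10, 0xfffff80000a01000ULL, 0xfffff88001234567ULL, ACC_W }, /* driver patches SSDT */
        { 0x11, 0xfffff6fb40000000ULL, 0xfffff80000123456ULL, ACC_W }, /* kernel edits a PTE */
        { 0x20, 0x00007ff700001000ULL, 0x00007ff700001000ULL, ACC_X }, /* app runs its own code */
        { 0x20, 0x00007ff700001000ULL, 0x00007ff7aaaa0000ULL, ACC_W }, /* inline hook written */
        { 0x21, 0x0000000002a00000ULL, 0x0000000002a00000ULL, ACC_X }, /* heap page executes */
    };
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++)
        handle_event(&e, &seq[i]);
    return e.alerts;                           /* 3 blocked */
}
```

Two design points worth noticing. The ACT_ALLOW path is the expensive one: an access EPT forbids cannot simply be retried, so the hypervisor must either emulate the instruction or open the frame for exactly one instruction (switch the vCPU to an altp2m view in which the frame is writable, single-step, switch back), which is why slide 20's altp2m/VMFUNC work matters for performance. ACT_EMULATE_NOWRITE is the cheap, stealthy response for patch attempts on SSDT/IDT/kernel code: the guest's instruction pointer advances as if the store succeeded, no fault is injected, and the protected bytes never change.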

27 Fighting APTs with HVMI
The APT action flow of slide 4, with USER-MODE HVMI and KERNEL-MODE HVMI overlaid on the stages they cover (user-app payload and kernel payload respectively):
1. Infection vector • Spear phishing • Drive-by downloads • Trojans
2. Exploit • CVE → APT28 • CVE → Energetic Bear • CVE → DarkHotel
3. User-app payload • Code injection → Energetic Bear, Epic Turla, Zeus, etc. • API hooking → Dyreza, GameOver…
4. Kernel payload • Stealthiness & persistence → kernel rootkits (Necurs, TDL), bootkits
5. Remote control of victim • Espionage & data exfiltration • Identity theft • Sabotage
UM HVMI is strongly isolated (enforced by hardware) and provides generic detection mechanisms

28 recorded DEMO

29 Typical questions
What is the performance cost of HVMI? Performance emulation software (LoginVSI) shows a performance impact of less than 2% on response time and latency.
Will HVMI make my hypervisor less stable? Not at all. We are able to detect all memory instructions related to the hypervisor domain and do not interfere with these functions at all.

30 What's next? Memory introspection
Products will be released in H1 2016:
• Hypervisor protection for Xen Project, Citrix XenServer and KVM
• A solution for physical computers (all operating systems), delivered as a new type of hypervisor that virtualizes only the CPU and the memory

31 Thank you!
