
SubVirt: Implementing malware with virtual machines Authors: Samuel T. King, Peter M. Chen University of Michigan Yi-Min Wang, Chad Verbowski, Helen J.



Presentation transcript:

1 SubVirt: Implementing malware with virtual machines
Authors: Samuel T. King, Peter M. Chen (University of Michigan); Yi-Min Wang, Chad Verbowski, Helen J. Wang, Jacob R. Lorch (Microsoft Research)
Publication: IEEE Symposium on Security and Privacy, 2006
Presenter: Radha Maldhure

2 Goal
Attacker: run malicious software and avoid detection.
Defender: understand and defend against the threat.
Fig: layered system (App1, App2 / OS / Hardware); the lower the layer a party controls, the more control it has. The figure places attacker and defender at different layers of this stack.

3 VMM
Fig: architecture of a VMM (as used by VMware and VirtualPC)
VM: runs the guest OS and guest applications.
Host application and host OS: provide convenient access to I/O devices and run VM services.
VMI (virtual-machine introspection) = set of techniques that enable a VM service to understand and modify states/events in the guest.

4 What is the presentation about?
Virtual-machine based rootkit (VMBR)
– installation
– malicious services
– maintaining control
Defending against a VMBR
– control below the VMBR
– control above the VMBR

5 VMBR
Fig: Before infection: Hardware / Target OS / App1, App2. After infection: Hardware / VMM / Target OS with App1, App2, alongside the attack system.
Attack system = Attack OS + malware (labelled on the slide as invisible, user mode)

6 Installation
Gain sufficient privileges
Install the VMBR's state on persistent storage
Modify the system's boot sequence (the VMBR loads before the target OS)
Insert the VMBR beneath the target OS
Manipulating the boot sequence requires attaining a privileged level (= modifying boot records)
!! Needs to be done at the final stage of shutdown

7 Malicious services (MS)
There are three types:
1. MS with no communication with the target system, e.g. phishing web servers
2. MS that observes data from the target system, e.g. keystroke loggers to obtain sensitive info like passwords
3. MS that modifies the execution of the target system, e.g. deleting email

8 Maintaining Control
Fig: Booting the System: system powers up → BIOS → VMBR state (code) → VMBR → system is compromised
!!! Avoid reboots and shutdowns
Handle reboots: restart the virtual hardware rather than resetting the underlying physical hardware
Handle shutdowns: use ACPI sleep states to emulate system shutdown

9 Defense
Fig: Security software above the VMBR can see only the virtualized state; security software below the VMBR can see the actual state and the state of the VMBR.

10 Security Software below VMBR
Basic idea: the detector's view of the system does not go through the VMBR's virtualization layer
Ways:
– Boot from a safe medium such as CD-ROM or USB + physically unplug before booting
– Use a secure VMM
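As an added example (not code from the paper or the slides) of a check that runs below the VMBR: after booting a known-clean medium, read the suspect disk's boot sector and compare it byte for byte with a trusted baseline, since the installation step above works by modifying boot records. The sectors below are constructed in memory; `read_boot_sector` is a hypothetical helper that a real run would point at the raw disk device, and the 446-byte boot-code area and the 0x55AA signature are the classic MBR layout.

```python
"""Boot-record integrity check meant to run from a clean boot medium.
Added example; the sample sectors are constructed, not taken from any real disk."""
import hashlib

SECTOR = 512
BOOT_SIG = b"\x55\xaa"      # legacy MBR signature at offset 510
BOOT_CODE_END = 446         # bytes 0..445 hold the boot code in a classic MBR


def make_constructed_mbr(code: bytes) -> bytes:
    """Build a 512-byte MBR-like sector: boot code, zeroed partition table, signature.
    Constructed test data only."""
    assert len(code) <= BOOT_CODE_END
    sector = code.ljust(BOOT_CODE_END, b"\x00")   # boot code area
    sector += b"\x00" * 64                         # partition table (unused here)
    sector += BOOT_SIG
    assert len(sector) == SECTOR
    return sector


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the boot-code area only, for logging and baseline storage."""
    return hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest()


def check_boot_record(sector: bytes, known_good: bytes) -> dict:
    """Compare a freshly read boot sector with a trusted baseline copy."""
    if len(sector) != SECTOR:
        return {"ok": False, "reason": "short read"}
    if sector[510:512] != BOOT_SIG:
        return {"ok": False, "reason": "missing boot signature"}
    changed = [i for i in range(BOOT_CODE_END) if sector[i] != known_good[i]]
    if changed:
        return {"ok": False, "reason": "boot code modified",
                "first_changed_offset": changed[0],
                "changed_bytes": len(changed),
                "digest": boot_code_digest(sector)}
    return {"ok": True, "reason": "boot code matches baseline",
            "digest": boot_code_digest(sector)}


def read_boot_sector(path: str) -> bytes:
    """Hypothetical helper: read the first sector of a raw device or image file."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


if __name__ == "__main__":
    # Constructed baseline: a few real-looking x86 bytes followed by filler.
    baseline = make_constructed_mbr(b"\xfa\x33\xc0" + b"original loader")
    tampered = bytearray(baseline)
    tampered[0:3] = b"\xeb\x00\x90"   # constructed change: first instructions replaced
    print(check_boot_record(baseline, baseline))
    print(check_boot_record(bytes(tampered), baseline))
```

The baseline copy must itself come from the clean medium (or a hash recorded when the machine was built); comparing against a copy stored on the suspect disk would defeat the point of the check.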

11 Security Software above VMBR
Basic idea: security software below the VMBR is inconvenient
Ways:
– Compare the running time of software in the VM against benchmarks, using wall-clock time
– Run a program that requires the entire memory or disk space
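An added example (not the paper's detector) of the two "above the VMBR" checks on this slide, run as ordinary software inside the possibly virtualized system: a fixed benchmark timed against a clock the suspect system does not control, and a comparison of the memory and disk the OS can see against a hardware inventory. The inventory values, the observed timings and the tolerance thresholds are constructed assumptions; `cpu_benchmark` and `visible_ram_bytes` are helpers written for this example.

```python
"""Two checks that run inside the suspect system. Added example; inventory
numbers and thresholds are constructed and would be calibrated per hardware model."""
import os
from dataclasses import dataclass


@dataclass
class Inventory:
    ram_bytes: int      # physical RAM from the hardware inventory (assumed value)
    disk_bytes: int     # raw disk capacity from the inventory (assumed value)
    benchmark_s: float  # benchmark duration measured on known-clean hardware


def cpu_benchmark(iterations: int = 300_000) -> int:
    """Fixed amount of CPU work; its duration is what the timing check compares."""
    x = 0
    for i in range(iterations):
        x = (x * 31 + i) & 0xFFFFFFFF
    return x


def timing_check(internal_s: float, external_s: float, baseline_s: float,
                 tolerance: float = 0.5) -> dict:
    """internal_s: elapsed time per the system's own clock; external_s: elapsed
    time per a clock the suspect system cannot influence (e.g. a stopwatch or a
    trusted network time source); baseline_s: clean-hardware duration.
    A slowed-down run, or an internal clock that underreports, is flagged."""
    slowdown = external_s / baseline_s
    skew = external_s / internal_s if internal_s > 0 else float("inf")
    return {
        "slowdown": round(slowdown, 3),
        "clock_skew": round(skew, 3),
        "suspicious": slowdown > 1 + tolerance or skew > 1 + tolerance,
    }


def resource_check(visible_ram: int, visible_disk: int, inv: Inventory,
                   min_fraction: float = 0.98) -> dict:
    """Memory or disk reserved by an unseen layer shows up as a shortfall
    between what the inventory says and what the OS can actually use."""
    ram_short = visible_ram < inv.ram_bytes * min_fraction
    disk_short = visible_disk < inv.disk_bytes * min_fraction
    return {"ram_missing": max(0, inv.ram_bytes - visible_ram),
            "disk_missing": max(0, inv.disk_bytes - visible_disk),
            "suspicious": ram_short or disk_short}


def visible_ram_bytes() -> int:
    """RAM as the running OS reports it (POSIX sysconf; 0 where unavailable)."""
    try:
        return os.sysconf("SC_PHYS_PAGES") * os.sysconf("SC_PAGE_SIZE")
    except (ValueError, OSError, AttributeError):
        return 0


def assess(internal_s: float, external_s: float, visible_ram: int,
           visible_disk: int, inv: Inventory) -> dict:
    """Combine both checks into one verdict."""
    t = timing_check(internal_s, external_s, inv.benchmark_s)
    r = resource_check(visible_ram, visible_disk, inv)
    return {"timing": t, "resources": r,
            "suspicious": t["suspicious"] or r["suspicious"]}


if __name__ == "__main__":
    # Constructed inventory: 8 GiB RAM, 500 GB disk, benchmark takes 1.0 s when clean.
    inv = Inventory(ram_bytes=8 * 2**30, disk_bytes=500 * 10**9, benchmark_s=1.0)
    cpu_benchmark()  # real work; time it with an external clock in a real run
    # Constructed observation: external clock saw 2.2 s, internal clock claims 1.05 s.
    print(assess(1.05, 2.2, visible_ram_bytes() or inv.ram_bytes, inv.disk_bytes, inv))
```

Both checks are noisy on their own: a loaded but clean machine also runs slower, and firmware commonly reserves some memory, so the tolerances need calibration on identical hardware and a flag means "investigate from below the VMBR", not a confirmed infection.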

12 Contribution
Explored the design and implementation of a VMBR
Explored techniques for detecting a VMBR

13 Weakness
A VMBR is difficult to install
VMBRs require a reboot before they can run
They have more impact on the overall system

14 Suggestions
The ideas suggested by the paper are good but need many implementations on both the attacker's side and the defender's side
Defense is not convenient for end users
Some ideas are not clear

15 Questions?
Quote for the day: “No defeat is final until we stop trying”

