Remote Virtual Machine Monitor Detection
Jason Franklin, Mark Luk, Jonathan McCune, Arvind Seshadri, Adrian Perrig, Leendert van Doorn
Remote Virtual Machine Monitor Detection
 Problem statement: determine whether a remote machine is virtual or real
 Challenges
  - The VMM provides an accurate abstraction of the underlying hardware
  - The VMM controls the execution of code and may return arbitrary values
[Figure: an External Verifier asks a Remote Machine "Are you virtual?"]

VMM Detection and Botnets (1/2)
 Scenario 1: bots may install a stealthy virtual-machine-based rootkit (VMBR) to avoid detection by traditional malware scanners
  - A stealthy rootkit prevents administrators from removing the bot: you run AV, update, and patch, yet never locate or remove it
  - Detecting the VMM lets us detect the bot

VMM Detection and Botnets (2/2)
 Scenario 2: bots may check for the existence of a VMM in order to evade dynamic analysis ("detecting the sandbox")
  - A real threat, mentioned several times yesterday
  - Agobot uses a heuristic to check for VMware
  - Studying VMM detection helps us understand how to enable VMM-based dynamic analysis

State of the Art in VMM Detection
 Check for software-implementation artifacts
  - Redpill checks the location of the IDT (read with the unprivileged SIDT instruction; the IDT sits at a different address under VMware)
  - VMware's Back checks for VMware's backdoor I/O port
 Other approaches
  - Make restrictive assumptions
  - Are easy to thwart: an artifact belongs to one implementation, and the VMM can hide it
  - Require benchmarking

Our Goals
 Develop a VMM detection algorithm that is
  - VMM-implementation independent
  - Accurate
  - Practical: relies on few assumptions
 Leverage fundamental differences between virtual and real machines rather than implementation artifacts

VMM Model
 Popek and Goldberg ('74) formally defined the properties a control program must satisfy to be deemed a VMM
  - Efficiency property
  - Resource control property
  - Equivalence property: program execution in a virtual environment must be indistinguishable from execution in a real environment

Indistinguishable? Oh no!
 If a program executes indistinguishably, we cannot detect a virtual execution environment
 Don't worry: the equivalence property has exceptions
  - Timing dependency exception: certain sequences of instructions may take longer to execute
  - Resource availability exception

Does the timing dependency exception necessarily exist?
 Empirically, yes: programs executing under a VMM experience VMM overhead
 In theory, yes: to keep control of executing code the VMM must either interpose on sensitive operations (trap and emulate them) or rewrite the binary, and either choice adds work to a path the real machine executes directly

Exploiting the timing dependency exception to detect a VMM
 Algorithm. Given:
  - Real machine R with configuration C, e.g., C = {Pentium IV, 2.0 GHz}
  - Remote machine M with configuration C
  - Program P consisting of control-modifying instructions
 1: Time the execution of P on R and store the value in r
 2: Time the execution of P on M and store the value in m
 3: IF m > r + k THEN M is virtual   (k is the detection constant)
 4: ELSE M is real

Tasks Remaining
 Achieve accurate, high-integrity execution timing
 Construct a program P with externally noticeable VMM overhead
 Determine the configuration of the remote machine
 Determine the detection constant k

Accurate High-Integrity Execution Timing
 We cannot trust the integrity of timing measurements returned by the VMM: it can virtualize every clock the guest reads, including the TSC
 Use an external source of time (e.g., the verifier's own clock on a remote machine, a watch, etc…)

Constructing P with VMM Overhead
 P is a sequence of sensitive (potentially control-modifying) instructions that require VMM interposition
 P is designed to invoke VMM overhead
 Design decisions in developing P:
  - Which sensitive instructions to use
  - How many instructions

Selecting Sensitive Instructions
 Candidates: read/write CR3, read/write CR2, read/write CR0, CLI
 All of these require kernel (ring-0) privilege on x86 (CLI additionally depends on IOPL), so P runs as kernel code on the remote machine, and a VMM must trap or rewrite each one to keep control

Number of Instructions in P
 Assume we have complete configuration information for remote machine M
 Then it is easy to determine the number of instructions required to overcome experimental noise:
  - Variance in execution time
  - Variance in network latency

Complete Configuration Information
 Given an estimate of the noise N in the environment (e.g., 10 ms variation in network latency)
 Select x, the number of instructions in P, such that FV(x) – RM(x) >> N, where
  - FV(x) is the execution time of P on the fastest VMM
  - RM(x) is the execution time of P on the real machine

Incomplete Configuration Information
 It is unreasonable to assume complete configuration information is available for a remote machine
 Use a "hardware discovery" heuristic
  - Intuition: certain properties of the underlying hardware are difficult to mask through the VMM and are unique to a particular architecture
  - Discovering these hardware artifacts gives us partial configuration information about the remote machine

Incomplete Configuration Information
 Given a subset C' of the complete configuration information C, e.g., C = {Pentium IV, 2.0 GHz} and C' = {Pentium IV}
 Bound the execution time of P on the fastest and slowest machines that satisfy C'
  - Works because P is CPU bound
  - Time the execution of P on an x GHz machine, then scale by the clock ratio to the fastest and slowest machines satisfying C' to bound the execution times; the threshold must clear the slowest real machine while staying below the fastest VMM
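The detection algorithm above, the noise-driven choice of x, and the clock-ratio bounding under a partial configuration C', carried through as an added example. This is not the authors' code; the per-instruction cycle costs, the Pentium IV clock range, the 10 ms noise figure, the margin and the simulated measurements are assumptions chosen for illustration, not values from the paper.

```python
"""Timing-based VMM detection as described in the slides (added example, not
the authors' code).  Every number below is an assumption chosen to illustrate
the method; none is a measurement from the paper."""
import math
import random
from dataclasses import dataclass

# Assumed cycle cost of one execution of the sensitive instruction (MOV to CR3).
REAL_CYCLES = 40      # bare metal: executes directly, pays a TLB flush
VMM_CYCLES = 1500     # under a VMM: trap or VM exit, emulate, resume


@dataclass(frozen=True)
class PartialConfig:
    """C' = {family}: the CPU family is known, its clock rate is not.
    ghz_min / ghz_max are the slowest and fastest parts of that family (assumed)."""
    family: str
    ghz_min: float
    ghz_max: float


def exec_time(x, cycles_per_instr, ghz):
    """Seconds to run P = x repetitions of the sensitive instruction.
    P is CPU bound, so its time scales inversely with the clock rate."""
    return x * cycles_per_instr / (ghz * 1e9)


def scale_reference(r_measured, ghz_measured, ghz_target):
    """Rescale a time measured on our reference machine R to another clock rate."""
    return r_measured * ghz_measured / ghz_target


def real_time_bounds(x, cfg, ghz_ref=2.0):
    """Step 1 with incomplete information: time P once on R (ghz_ref), then use
    the clock ratio to bound P's time on the fastest and slowest machines in C'."""
    r = exec_time(x, REAL_CYCLES, ghz_ref)
    return (scale_reference(r, ghz_ref, cfg.ghz_max),   # fastest real machine
            scale_reference(r, ghz_ref, cfg.ghz_min))   # slowest real machine


def fastest_vmm_time(x, cfg):
    """FV(x): the fastest VMM considered, hosted on the fastest hardware in C'."""
    return exec_time(x, VMM_CYCLES, cfg.ghz_max)


def choose_instruction_count(cfg, noise_s, margin=4.0):
    """Smallest x with FV(x) - RM(x) >= margin * N, where RM(x) is the slowest
    real machine consistent with C'.  With +/-N jitter on both measurements the
    margin must exceed 2 for the real and virtual cases to stay separable."""
    _, rm_slow = real_time_bounds(1, cfg)
    gap = fastest_vmm_time(1, cfg) - rm_slow
    if gap <= 0:
        raise ValueError("fastest VMM is not slower than slowest real machine; P cannot discriminate")
    return math.ceil(margin * noise_s / gap)


def detection_threshold(x, cfg):
    """r + k from step 3: r is the slowest real-machine bound and k is half the
    gap between it and FV(x), so both cases get equal headroom for noise."""
    _, rm_slow = real_time_bounds(x, cfg)
    k = (fastest_vmm_time(x, cfg) - rm_slow) / 2.0
    return rm_slow + k


def classify(m_s, x, cfg):
    """Steps 3-4: m is the externally timed execution of P on the remote machine M."""
    return "virtual" if m_s > detection_threshold(x, cfg) else "real"


def simulate_remote_measurement(x, cycles_per_instr, ghz, noise_s, seed=1):
    """Constructed stand-in for timing P over the network: true time plus uniform jitter."""
    rng = random.Random(seed)
    return exec_time(x, cycles_per_instr, ghz) + rng.uniform(-noise_s, noise_s)


if __name__ == "__main__":
    p4 = PartialConfig("Pentium IV", ghz_min=1.3, ghz_max=3.8)  # assumed clock range
    noise = 0.010                                               # assumed 10 ms jitter
    x = choose_instruction_count(p4, noise)
    print(f"x = {x} instructions, threshold = {detection_threshold(x, p4) * 1e3:.1f} ms")
    for label, cycles, ghz in (("real 1.3 GHz", REAL_CYCLES, 1.3),
                               ("real 3.8 GHz", REAL_CYCLES, 3.8),
                               ("VMM on 3.8 GHz", VMM_CYCLES, 3.8)):
        m = simulate_remote_measurement(x, cycles, ghz, noise)
        print(f"{label:15s} m = {m * 1e3:7.1f} ms -> {classify(m, x, p4)}")
```

The point of `choose_instruction_count` is that x is not a fixed constant: it grows with the noise estimate and shrinks as the gap between the fastest plausible VMM and the slowest plausible real machine widens, which is exactly why partial configuration information (a narrower clock range) makes the probe cheaper.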

Hardware Discovery on the Pentium IV
 The P4 has a unique trace cache that "shines" through the VMM
 With a sequence of register-to-register arithmetic instructions without data hazards populating the trace cache of the Pentium IV, a CPI of 1/3 is attainable
 Once the instruction sequence exceeds the trace cache's capacity of 12K µops, the CPI becomes 1

Remote Trace Cache Discovery
 … instructions fit in the trace cache
 … instructions exceed the size of the trace cache
 A considerable jump in remotely measured overhead occurs when the trace cache overflows
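An added example (not the authors' code) of how a verifier could locate the trace-cache knee from remote timings alone, using the CPI model stated on the previous slide. The probe sizes, the loop repetition count, the clock rate, the network noise and the constant VMM overhead are constructed values; treating each register-to-register instruction as one µop is also an assumption.

```python
"""Remote trace-cache discovery (added example, not the authors' code).
CPI model from the slides: 1/3 while the probe body fits in the Pentium 4
trace cache, 1 once it overflows.  Loop counts, clock rates, noise and VMM
overhead below are constructed values."""
import random

TRACE_CACHE_UOPS = 12_000   # capacity stated on the slide
REPS = 1_000_000            # assumed: the body is looped this many times so each
                            # probe takes seconds and dwarfs ~10 ms of network jitter


def modeled_probe_seconds(n, ghz, reps=REPS, vmm_overhead_s=0.0):
    """Time to run a body of n hazard-free register-to-register instructions
    `reps` times.  A VMM that does not trap such instructions adds only a
    constant per-probe cost (assumed), so the knee survives virtualization."""
    cpi = 1.0 / 3.0 if n <= TRACE_CACHE_UOPS else 1.0
    return reps * n * cpi / (ghz * 1e9) + vmm_overhead_s


def remote_sweep(sizes, ghz, noise_s, seed=7, vmm_overhead_s=0.0):
    """Constructed stand-in for timing one probe per body size over the network."""
    rng = random.Random(seed)
    return [(n, modeled_probe_seconds(n, ghz, vmm_overhead_s=vmm_overhead_s)
                + rng.uniform(-noise_s, noise_s)) for n in sizes]


def marginal_cost(samples):
    """Seconds per added instruction between consecutive sizes.  Differencing
    cancels any constant per-probe overhead (VMM entry, round-trip time), so
    only the hardware's per-instruction behaviour remains."""
    return [(n1, (t1 - t0) / (n1 - n0))
            for (n0, t0), (n1, t1) in zip(samples, samples[1:])]


def discover_trace_cache(samples, jump_factor=2.0):
    """Return (last_fitting_size, first_overflowing_size) bracketing the capacity,
    or None if the marginal cost never jumps by more than jump_factor."""
    mc = marginal_cost(samples)
    for (n_prev, c_prev), (n_cur, c_cur) in zip(mc, mc[1:]):
        if c_prev > 0 and c_cur / c_prev > jump_factor:
            return (n_prev, n_cur)
    return None


def cpi_ratio(samples):
    """Per-instruction cost well after the knee divided by the cost before it;
    about 3 is what the slide's CPI change (1/3 -> 1) predicts."""
    mc = marginal_cost(samples)
    knee = discover_trace_cache(samples)
    if knee is None:
        return None
    before = [c for n, c in mc if n <= knee[0]]
    after = [c for n, c in mc if n > knee[1]]   # skip the step straddling the knee
    if not before or not after:
        return None
    return (sum(after) / len(after)) / (sum(before) / len(before))


def consistent_with_pentium4(samples, tolerance=0.25):
    """Hardware-discovery verdict: a knee bracketing 12K µops and a ~3x CPI change."""
    knee = discover_trace_cache(samples)
    ratio = cpi_ratio(samples)
    return (knee is not None and knee[0] <= TRACE_CACHE_UOPS < knee[1]
            and ratio is not None and abs(ratio - 3.0) <= 3.0 * tolerance)


if __name__ == "__main__":
    sizes = list(range(2_000, 24_001, 2_000))
    for label, overhead in (("real machine", 0.0), ("under a VMM", 0.050)):
        s = remote_sweep(sizes, ghz=2.0, noise_s=0.010, vmm_overhead_s=overhead)
        print(label, discover_trace_cache(s),
              f"cpi ratio {cpi_ratio(s):.2f}", consistent_with_pentium4(s))
```

Two design choices matter here. Differencing consecutive probes removes whatever constant cost the VMM or the network adds, so the verifier does not need to know the VMM's overhead to see the knee; and the verdict checks both where the knee falls and how large the CPI change is, so a CPU with some other cache boundary near 12K instructions is less likely to be mistaken for a Pentium 4. The bracket (last fitting, first overflowing) is only as fine as the sweep step; a verifier wanting the capacity itself would bisect inside that bracket.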

Putting it All Together
 Remotely timed overhead of reading and writing x86 control register 3 (CR3) multiple times consecutively
 Although not included in our analysis, remote detection also works against a machine running Xen with hardware virtualization support (HVM Xen)
  - We conclude that hardware virtualization support is not sufficient to prevent VMM detection

Detection Algorithm Limitations
 The VMM could tamper with the execution of the detection code
  - Countermeasure: leverage software-based attestation (Pioneer)
 The VMM could prevent communication with the external timer
  - Countermeasure: containment-policy-based detection
 The hardware discovery heuristic may return an incorrect response, so the derived configuration bounds would be wrong
 The VMM may be incorporated with the OS
  - Malware can still own the lowest layer
  - Virtual-machine-based rootkits are a threat today

Conclusion
 Developed a remote VMM detection algorithm that
  - Attempts to be independent of VMM software implementation details
  - Is practical and relies on fewer assumptions than previous schemes
  - Is accurate, configurable, and effective over the Internet
 Hardware virtualization support is not sufficient to mask the differences between real and virtual environments