Ether: Malware Analysis via Hardware Virtualization Extensions
Authors: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee
Presenter: Yi Yang

Agenda
● Motivation
● Transparency Requirements
● Ether Framework
● Experiments and Evaluation
● Conclusion

Motivation
● Malware (short for malicious software): software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems
● Categories: computer viruses, worms, trojan horses, rootkits, spyware, adware, rogue security software, and other malicious programs
● The problem: malware has become the centerpiece of most security threats on the Internet

Malware Analysis
● There is a profound need to understand malware behavior:
– Forensics and asset remediation
– Threat analysis
● Malware authors, who have a direct financial motivation, make analysis very challenging
● The focal point of malware analysis has shifted: the question is no longer only how to detect malware, but how to hide the malware analyzer from the malware while it runs

Two Types of Malware Analysis
● Static analysis
– Describes what a program would do, giving a complete view of program behavior
– Requires accurate disassembly of x86 machine code, which packing and obfuscation often make impossible in practice
● Dynamic analysis
– Shows what a program actually did when executed
– Only gives a partial view of program behavior (the paths that were executed)
– Question: how do you hide your analyzer from the program being analyzed?

The Malware Uncertainty Principle
● An important practical problem: the observer affects the observed environment
● Robust and detailed analyzers are typically invasive
● Malware that notices the analyzer will refuse to run, or will change its behavior

Solving the Malware Uncertainty Principle
● An analyzer's aim should be transparency
● Defining transparency: the execution of the malware and the execution of the analyzer are governed by the principle of non-interference, so the analyzer's presence changes neither what the malware does nor what it can observe

Transparency Requirements
● Higher privilege: the analyzer runs at a privilege level above the malware, so the malware cannot tamper with it
● No non-privileged side effects: no in-guest components or artifacts the malware can look for
● Same instruction execution semantics: instructions behave exactly as on native hardware
● Transparent exception handling: exceptions the analyzer relies on are invisible to the guest
● Identical notion of time: timing measurements match native execution

Fulfilling Transparency Requirements
● Reduced-privilege guests (VMware, etc.)
– Violate "no non-privileged side effects": they leave detectable artifacts inside the guest
● Emulation (full-system emulators such as QEMU)
– Violate "same instruction execution semantics": emulators do not reproduce the hardware exactly, and the differences are detectable
● Idea: use hardware-assisted virtualization, which isolates the analyzer below the guest without modifying it
– Poses complex analysis challenges, since the hardware provides isolation but no tracing primitives

Ether Framework
● Software that utilizes the hardware virtualization extensions: the Xen hypervisor
● Hardware virtualization platform: Intel VT
● Target operating system: Windows XP

Intel VT Hardware Virtualization Extensions (figure slide)

Architecture of Ether (figure slide)

Using Intel VT for Malware Analysis
● Ether must be able to monitor the instructions a guest process executes, every memory write it performs, and every system call it makes
● The Intel VT extensions provide no direct support for these monitoring activities: they only transfer control to the hypervisor (a VM exit) on a fixed set of privileged events, so each monitor has to be built out of the traps that are available

Monitoring Activities
● Monitoring instruction execution: set the trap flag in the guest so that every instruction raises a debug exception, and intercept that exception in the hypervisor
● Monitoring memory writes: mark the guest's pages read-only in the shadow page tables, so each write causes a page fault that the hypervisor sees before allowing the write
● Monitoring system call execution: redirect the system-call entry point (the SYSENTER target MSR on Windows XP) to a non-present address, so each system call faults into the hypervisor, which then resumes the real handler

Maintaining Analyzer Transparency
● Despite making several modifications to the guest (the state it changes for each monitoring activity above), Ether maintains transparency of the analyzer by ensuring those changes are undetectable: whenever the guest tries to read the modified state, the hypervisor intercepts the read and presents the original values

Potential Attacks
● While theoretically resilient against in-guest detection attacks, current architectural restrictions make some of these attacks possible
● Ether is vulnerable to a class of timing attacks that use an external timing source: the hypervisor can adjust what the guest reads from local counters, but it cannot hide its overhead from a clock it does not control
● Detection methods considered:
– In-memory presence
– CPU registers
– Memory protection
– Privileged instruction handling
– Instruction emulation
– Timing attacks

Architectural Limitation
● Intel VT suffers from some architectural limitations which may allow Ether to be detected under certain circumstances
● Different hardware virtualization extensions exist that do not suffer from such limitations (for example AMD-V's tagged TLB, which does not need to be flushed on every exit)
● Intel VT has two main flaws which allow the current implementation to be detected by observing implicit changes to the memory hierarchy:
– The TLB is flushed on every VM exit, so a guest can notice that an exit occurred by watching a cached translation disappear
– Paging mode must be turned on before entering VMX root code

Experiments and Evaluation
● Two tools built on Ether: EtherUnpack and EtherTrace
– EtherUnpack traces memory writes and single instructions (fine-grained tracing)
– EtherTrace traces system calls (coarse-grained tracing)
● These tools are used to evaluate Ether and compare it against current approaches

Packing vs. Unpacking
● Packing is the obfuscation or encryption of program code to thwart static analysis; the packed program restores the original code only at run time
● The result of packing is that signature-based approaches fail to identify packed malware as malicious
● Opposite to packers, unpackers are programs which attempt to obtain the original code hidden by the packer

About EtherUnpack
● A precise, universal, automated unpacker
● Uses instruction-by-instruction tracing (fine-grained tracing) to detect unpack-execute behavior
● Rule: if memory that was written at run time is later executed, unpack execution has occurred
● Able to handle multiple packing layers, by repeating the rule after each detected layer
● Dumps the unpacked memory image to disk

Evaluation: EtherUnpack
● Pack a known binary with each packer, run EtherUnpack, and search the dumped image for a 32-byte string taken from the original code section
● The string is a fixed, known one, not random data, so finding it means the original code was actually recovered
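A worked version of the write-then-execute rule and of the marker-string check, as an added example rather than EtherUnpack's own code (which runs inside Xen and receives its events from the hardware traps above). It feeds a constructed two-layer packed program through the rule, dumps one image per layer, and searches each dump for a fixed 32-byte marker. The event format, the addresses, the XOR packing and the marker string are all assumptions made for this example.

```python
"""Unpack-execute detection over an execution/memory-write trace.

Added example, not EtherUnpack's own code. Implements the rule from the
slides: when an address that was written at run time is later executed,
an unpacking layer has finished, so dump the image and start tracking the
next layer. The trace event format and the sample trace are constructed.
"""
from dataclasses import dataclass, field

# Constructed 32-byte stand-in for the fixed string the evaluation searched for
# in the original code section (a known string, so a hit is not accidental).
MARKER = b"ETHER_EVAL_MARKER_0123456789ABCD"
assert len(MARKER) == 32


@dataclass
class UnpackState:
    written: set = field(default_factory=set)    # addresses written since the last dump
    layers: list = field(default_factory=list)   # one dumped image per detected layer
    entries: list = field(default_factory=list)  # address where each layer began executing


def run_trace(trace, memory, state=None):
    """Apply the write-then-execute rule.

    trace:  iterable of ("write", addr, value) and ("exec", addr) events, in
            the order single-step and memory-write callbacks would report them.
    memory: bytearray modelling the guest process image.
    Returns the UnpackState holding one dump per unpacking layer.
    """
    state = state or UnpackState()
    for ev in trace:
        if ev[0] == "write":
            _, addr, value = ev
            memory[addr] = value
            state.written.add(addr)
        elif ev[0] == "exec":
            _, addr = ev
            if addr in state.written:
                # Code produced at run time is now executing: a layer unpacked.
                state.layers.append(bytes(memory))
                state.entries.append(addr)
                state.written.clear()  # track the next layer from scratch
        else:
            raise ValueError(f"unknown event {ev!r}")
    return state


def contains_marker(image, marker=MARKER):
    """Evaluation check: does the dumped image hold the original code's marker?"""
    return image.find(marker) != -1


def build_sample():
    """Constructed two-layer packed program and the trace it would produce.

    Layer 1 (stub at 0x000) writes a second stub to 0x100 and jumps to it.
    Layer 2 (stub at 0x100) XOR-decodes the payload stored at 0x300 into
    0x200 and jumps there. Only the final image contains MARKER in clear.
    """
    key = 0x5A
    original = MARKER + b"\xc3"                # marker followed by a RET
    packed = bytes(b ^ key for b in original)  # on-disk form: marker hidden
    memory = bytearray(0x400)
    memory[0x300:0x300 + len(packed)] = packed

    trace = [("exec", a) for a in range(0x000, 0x010)]                      # layer-1 stub runs
    trace += [("write", 0x100 + i, 0x90) for i in range(16)]                # writes layer-2 stub (NOPs)
    trace += [("exec", a) for a in range(0x100, 0x110)]                     # jumps into written code
    trace += [("write", 0x200 + i, b ^ key) for i, b in enumerate(packed)]  # decodes the payload
    trace += [("exec", a) for a in range(0x200, 0x200 + len(original))]     # runs the original code
    return memory, trace


if __name__ == "__main__":
    mem, sample_trace = build_sample()
    st = run_trace(sample_trace, mem)
    for i, (entry, img) in enumerate(zip(st.entries, st.layers), 1):
        found = "found" if contains_marker(img) else "absent"
        print(f"layer {i}: entry 0x{entry:03x}, marker {found}")
```

The first dump (taken when the layer-2 stub starts) does not contain the marker because the payload is still XOR-encoded at 0x300; the second dump does, which is the outcome the evaluation counts as a successful unpack. Clearing the written set after each dump is what lets the same rule catch the next layer.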

Evaluation: EtherUnpack (results)
● EtherUnpack recovered the marker string from more packed samples than the compared unpackers, i.e., Ether is more transparent

About EtherTrace
● An implementation of a coarse-grained tracer using the Ether framework
● Traces the Windows equivalent of system calls (the Native API)
● Information provided:
– Call name
– Typed arguments
– Return values
– Context (process ID, thread ID)

Evaluation: EtherTrace
● Run samples with known behavior and examine the trace logs for the expected actions:
– File operations
– Registry operations
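Checking a trace log for the expected file and registry actions, as an added example rather than EtherTrace's own code. The log lines are constructed in a format assumed for this example, carrying the fields the slide lists: process/thread context, Native API call name, typed arguments and the NTSTATUS return value. The check credits only calls that succeeded, because a logged NtCreateFile that returned an error status did not perform the expected action.

```python
"""Check an EtherTrace-style Native API log for expected actions.

Added example, not EtherTrace's own code. The line format below is an
assumption for this example; it carries the fields the slide lists:
context (PID/TID), call name, typed arguments and return value.
"""
import re

# Constructed sample log: a dropper writes a driver, registers it as a
# service, and makes one failed attempt to open the SAM hive.
SAMPLE_LOG = r"""
pid=1234 tid=1236 NtCreateFile(FileHandle=0x7c, DesiredAccess=0x40100080, ObjectName="\??\C:\WINDOWS\system32\drivers\sample.sys") = 0x00000000
pid=1234 tid=1236 NtWriteFile(FileHandle=0x7c, Length=0x1200) = 0x00000000
pid=1234 tid=1236 NtOpenKey(KeyHandle=0x80, ObjectName="\Registry\Machine\SYSTEM\CurrentControlSet\Services\sample") = 0x00000000
pid=1234 tid=1236 NtSetValueKey(KeyHandle=0x80, ValueName="ImagePath", Data="system32\drivers\sample.sys") = 0x00000000
pid=1234 tid=1240 NtCreateFile(FileHandle=0x0, DesiredAccess=0xc0100080, ObjectName="\??\C:\WINDOWS\system32\config\SAM") = 0xc0000022
"""

# pid, tid, call name, argument list, hex NTSTATUS
LINE_RE = re.compile(r'pid=(\d+) tid=(\d+) (\w+)\((.*)\) = (0x[0-9a-fA-F]+)$')
# name=value pairs; quoted values may contain backslashes and commas
ARG_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,\s]+)')


def parse_log(text):
    """Return one record per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pid, tid, call, argtext, status = m.groups()
        args = {k: v.strip('"') for k, v in ARG_RE.findall(argtext)}
        records.append({
            "pid": int(pid), "tid": int(tid), "call": call,
            "args": args, "status": int(status, 16),
        })
    return records


def nt_success(status):
    """NT_SUCCESS: the severity bits are clear, i.e. status < 0x80000000."""
    return status < 0x80000000


def check_expected(records, expected):
    """expected: list of (call_name, {arg_name: required_substring}).

    Returns {description: bool}; an action counts as seen only if some
    record has the call name, a successful status, and every argument
    containing its required substring.
    """
    result = {}
    for call, arg_subs in expected:
        desc = f"{call} " + " ".join(f"{k}~{v}" for k, v in arg_subs.items())
        result[desc] = any(
            r["call"] == call
            and nt_success(r["status"])
            and all(v in r["args"].get(k, "") for k, v in arg_subs.items())
            for r in records
        )
    return result


# Expected actions for the constructed sample (the last one was attempted but failed)
EXPECTED = [
    ("NtCreateFile", {"ObjectName": r"drivers\sample.sys"}),  # file action
    ("NtSetValueKey", {"ValueName": "ImagePath"}),            # registry action
    ("NtCreateFile", {"ObjectName": r"config\SAM"}),          # failed: STATUS_ACCESS_DENIED
]

if __name__ == "__main__":
    for desc, ok in check_expected(parse_log(SAMPLE_LOG), EXPECTED).items():
        print(("seen    " if ok else "missing ") + desc)
```

In a real comparison the same expected-action list would be run against each tracer's log for the same sample, and a tracer that the malware detected would show the actions as missing. Keying on the returned NTSTATUS is what separates "the sample tried" from "the sample succeeded".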

Evaluation: EtherTrace (results)
● EtherTrace observed the expected file and registry actions in more cases than the compared tracers, i.e., Ether is more transparent

Conclusion
● Ether is a transparent, external malware analyzer based on hardware virtualization extensions such as Intel VT
● Ether is an implementation of a different approach: analysis from outside the guest, without in-guest components or emulation
● The evaluation confirms that Ether is more transparent than current approaches
● Theoretically it can do better still: improving resistance to timing attacks and to memory-hierarchy detection attacks

Questions?