Dr. Richard Ford  Szor 12  Virus Scanners – why they need to scan memory and what issues there are in this area.

Presentation transcript:

Dr. Richard Ford

 Szor 12  Virus Scanners – why they need to scan memory and what issues there are in this area

 Look for “known” viruses  But they also must scan memory for viruses… why?  Why isn’t just using an “on-access” scanner good enough?

 Speed of spread (more infection opportunity)  Longevity of infection: active stealth  Imagine an integrity checker or virus scanner operating with a virus in memory…

 DOS uses the Intel Processor in Real Mode!  Which means what?  DOS does not protect or differentiate memory from any process  No support for “virtual” memory

 Can scan memory byte by byte  Effective  Not too slow (not much memory)  Direct access by the virus scanner (no OS involvement)  Problem is the false positive rate – so scanners walk the MCBs (DOS Memory Control Blocks) to reduce memory coverage to allocated blocks  Safe?
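As an added illustration (not code from the slides or from any real scanner), here is a constructed toy DOS-style memory image with an MCB chain, and a scan that walks the chain and looks only inside owned blocks; a stale copy of the signature left in a free block is what a whole-image byte-by-byte scan would trip over. The image size, block layout and signature bytes are all made up.

```c
/* Added example: walk a simulated DOS MCB chain so the scan covers only
 * allocated blocks. Image, layout and signature are constructed. */
#include <stdint.h>
#include <string.h>
#define PARA 16                       /* DOS allocates in 16-byte paragraphs */
static uint8_t mem[64 * PARA];        /* constructed 1 KB image (real DOS: 640 KB) */
static const uint8_t sig[] = {0xEB, 0x1C, 0x90, 0xCD, 0x21, 0xB8, 0x00, 0x4C}; /* made up */
/* Real-mode MCB header: 'M' = more blocks follow, 'Z' = last block;
 * word at +1 = owner PSP segment (0 = free); word at +3 = size in paragraphs.
 * The block's data starts at seg+1 and the next MCB sits at seg+1+size. */
static void put_mcb(unsigned seg, char type, uint16_t owner, uint16_t paras) {
    uint8_t *m = mem + seg * PARA;
    m[0] = (uint8_t)type;
    m[1] = owner & 0xFF; m[2] = owner >> 8;
    m[3] = paras & 0xFF; m[4] = paras >> 8;
}
/* Byte-by-byte search of [off, off+len); returns the hit offset or -1. */
long find_sig(size_t off, size_t len) {
    for (size_t i = off; i + sizeof sig <= off + len; i++)
        if (memcmp(mem + i, sig, sizeof sig) == 0) return (long)i;
    return -1;
}
/* Walk the chain, scanning only owned blocks. Returns bytes scanned;
 * *hit_seg gets the MCB segment of the first block with a match (or 0). */
size_t scan_mcb_chain(unsigned seg, unsigned *hit_seg) {
    size_t scanned = 0;
    *hit_seg = 0;
    for (;;) {
        uint8_t *m = mem + seg * PARA;
        uint16_t owner = m[1] | (m[2] << 8), paras = m[3] | (m[4] << 8);
        if (m[0] != 'M' && m[0] != 'Z') break;                    /* corrupt chain */
        if ((size_t)(seg + 1 + paras) * PARA > sizeof mem) break; /* runs off the end */
        if (owner != 0) {                                         /* skip free blocks */
            scanned += paras * PARA;
            if (!*hit_seg && find_sig((seg + 1) * PARA, paras * PARA) >= 0) *hit_seg = seg;
        }
        if (m[0] == 'Z') break;
        seg += paras + 1;
    }
    return scanned;
}
/* Constructed layout: owned block (10 paras), free block (20) holding a stale
 * copy of the signature, owned block (30) holding the live one. */
void build_image(void) {
    memset(mem, 0, sizeof mem);
    put_mcb(0, 'M', 0x0123, 10);   /* data in segs 1..10 */
    put_mcb(11, 'M', 0, 20);       /* free: data in segs 12..31 */
    put_mcb(32, 'Z', 0x0456, 30);  /* data in segs 33..62 */
    memcpy(mem + 20 * PARA, sig, sizeof sig);  /* stale copy in the free block */
    memcpy(mem + 40 * PARA, sig, sizeof sig);  /* live copy in an owned block */
}
```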

 Later versions of MS OSes changed things around a lot  Virtual memory (basically, unlimited memory) makes life much harder  To understand why, need to understand how Windows NT and above manages memory

 Not a requirement for an OS  But…  Allows an application to not worry about usage (i.e. makes overlays unnecessary)  Provides process isolation  Provides memory protection  No memory limitation  Really needs dedicated CPU support – and Intel provides it

 In NT, memory is broken down into pages, each 4096 bytes in size  The operating system handles how these pages are stored and translates virtual addresses into physical memory  This means that two processes can access the “same” address but two totally different physical pieces of memory  Introduces the idea of a “page fault”

 If Process A is isolated from Process B how can you scan memory globally?  One solution: ReadProcessMemory()  API used by Debuggers, requires a “Handle” to a particular process  How to list processes… non-trivial!  Problem: requires us to basically provide global access to the user doing the scanning – that’s foolish!  Better to use kernel-mode… but this is hard too!

 A virus can hook itself into the OS in a few different ways  User-mode and kernel-mode  Infect a DLL that’s used everywhere (like KERNEL32.DLL)

 In order to scan memory in user-mode, the OS will have to generate a page fault for every swapped-out memory page the scanner touches  Slow!  Tempting to enumerate processes and scan the disk images instead – why is this not a good idea?
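To make the two points above concrete (per-process page tables mapping the “same” virtual address to different physical memory, and a user-mode scan paying one page fault per swapped-out page), here is a constructed toy model of NT-style paging. It is added here and is not from the slides or from Windows; the page-table entry layout, the pagefile array and the 4-page address space are simplifications, not real Windows structures.

```c
/* Added example: toy model of NT-style paging, constructed for illustration.
 * Nothing here is a real Windows structure. */
#include <stdint.h>
#include <string.h>
#define PAGE_SIZE 4096u
#define NVPAGES 4                 /* tiny address space: 4 virtual pages per process */
#define NFRAMES 8                 /* constructed physical memory: 8 frames */
typedef struct { int present; unsigned frame; } pte_t;
typedef struct {
    pte_t    pt[NVPAGES];              /* per-process page table */
    uint8_t  swap[NVPAGES][PAGE_SIZE]; /* pagefile copy of pages that are not resident */
    unsigned faults;                   /* page faults this process has incurred */
} process_t;
static uint8_t phys[NFRAMES * PAGE_SIZE];
static unsigned frames_used;          /* bump allocator; no eviction in this model */
process_t A, B;
static const uint8_t sig[] = {0xDE, 0xAD, 0xC0, 0xDE}; /* constructed marker, not a real signature */
/* Map va to a physical byte. A non-present page is a page fault: the OS copies it
 * in from the pagefile and fixes the PTE before the access can continue. */
uint8_t *touch(process_t *p, uint32_t va) {
    unsigned vpn = va / PAGE_SIZE;
    if (vpn >= NVPAGES || (!p->pt[vpn].present && frames_used >= NFRAMES)) return NULL;
    if (!p->pt[vpn].present) {
        p->faults++;
        unsigned f = frames_used++;
        memcpy(phys + f * PAGE_SIZE, p->swap[vpn], PAGE_SIZE);
        p->pt[vpn] = (pte_t){1, f};
    }
    return phys + p->pt[vpn].frame * PAGE_SIZE + va % PAGE_SIZE;
}
/* User-mode style scan through the page table; returns the VA of the first match
 * or -1 (matches straddling a page boundary are ignored in this toy). */
long scan_process(process_t *p, const uint8_t *s, size_t n) {
    for (unsigned vpn = 0; vpn < NVPAGES; vpn++) {
        uint8_t *page = touch(p, vpn * PAGE_SIZE);   /* faults if the page is swapped out */
        if (!page) return -1;
        for (size_t i = 0; i + n <= PAGE_SIZE; i++)
            if (memcmp(page + i, s, n) == 0) return (long)(vpn * PAGE_SIZE + i);
    }
    return -1;
}
/* Constructed state: A has pages 0-1 resident and 2-3 in the pagefile (marker in
 * page 3); B has page 0 resident. VA 0x10 holds 'A' in A and 'B' in B. */
void setup(void) {
    memset(&A, 0, sizeof A); memset(&B, 0, sizeof B);
    memset(phys, 0, sizeof phys); frames_used = 0;
    for (unsigned v = 0; v < 2; v++) A.pt[v] = (pte_t){1, frames_used++};
    B.pt[0] = (pte_t){1, frames_used++};
    phys[A.pt[0].frame * PAGE_SIZE + 0x10] = 'A';
    phys[B.pt[0].frame * PAGE_SIZE + 0x10] = 'B';
    memcpy(A.swap[3] + 0x200, sig, sizeof sig);
}
```

Scanning A's four pages costs two page faults (pages 2 and 3 must be brought in from the pagefile) before the marker is found; scanning B costs three faults and finds nothing.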

 How?  Yeah, really… it’s not easy at all  Terminate the process that is infected  Detect and terminate remote threads  Patch “in memory” to deactivate (useful when the virus is loaded into every process)  Think carefully how memory protection on shared DLLs works

 Let’s think about a virus which is a File System Filter Driver  Can’t unhook safely  How to disinfect?

 Can now mark memory as “Read Only”  How to disinfect?  Can use assembly within the kernel – but requires us to be kernel-mode

 Encryption!  In-memory polymorphic code  Metamorphic in-memory  Code which “moves about” in memory (ouch)  Inject into multiple processes at once  In-memory stealth techniques

 Many ways to detect malware “generically”  Checksummers  Behavioral analysis  However, both have issues with false positives  Can create a more “optimistic” set of rules  Both these detection techniques appeared VERY early in the game

 Not confined to static analysis, but most common there  Typically, we define a heuristic as a rule of thumb  Heuristic analysis was also used pretty early on in the detection game  If you think about it, a heuristic to detect our polymorphic hello world programs isn’t a bad idea…

 Botnets and other loose ends