SubVirt: Implementing malware with virtual machines Authors: Samuel T. King, Peter M. Chen University of Michigan Yi-Min Wang, Chad Verbowski, Helen J. Wang, Jacob R.Lorch Microsoft Research Publication: Security and Privacy, 2006 IEEE Symposium. Presenter: Radha Maldhure
Goal Attacker run malicious software and avoid detection understand and defend against threat Attacker Defender More control OS Hardware App1App2 Attacker Defender Attacker Defender
VMM Fig: architecture of VMM ( used by VMware and VirtualPC ) VM VM runs guest OS and guest application Host application and host OS provides convenient access to I/O devices and run VM services VMI = set of techniques that enable VM service to understand & modify states\ events in guest
What is the presentation about? Virtual-machine based rootkit (VMBR) – installation – malicious services – maintaining control Defending against VMBR – control below VMBR – control above VMBR
VMBR Hardware Target OS App1App2 VMM Attack system After infection Hardware Target OS App1App2 Before infection Attack system = Attack OS + malware invisible User mode
Installation Gain sufficient privileges Install VMBR’s state on persistent storage Modify system’s boot sequence ( VMBR loads before target OS ) Insert VMBR beneath target OS Manipulate boot sequence Attain privileged level (= modifying boot records) !! Need to be done at final stage of shutdown
Malicious services (MS) There are three types 2.MS observes data from target system e.g. use keystroke loggers to obtain sensitive info like password 3.MS modifies the execution of the target system e.g. delete 1.MS with no communication with target system e.g. phishing web servers
Maintaining Control System powers-up BIOS VMBR state Code VMBR !!! Avoid reboots and shutdowns Handle reboots: restarting the virtual hardware rather than resetting the underlying physical hardware Handle shutdowns: use ACPI sleep states to emulate system shutdown Fig: Booting the System System is compromised
Defense Can see only virtualized state Security Software VMBR Security Software Can see the actual state and state of VMBR
Security Software below VMBR Basic idea: Detector’s view of system does not go through VMBR’s virtualization layer Ways: – Boot from safe medium such as CD-ROM, USB + physically unplug before booting – Use secure VMM
Security Software above VMBR Basic idea: Security Software below VMBR is inconvenient Ways: –Compare running time of software in VM with benchmarks against wall-clock time –Run a program that requires entire memory or disk space
Contribution Explored the design and implementation of VMBR Explored techniques for detecting VMBR
Weakness VMBR is difficult to install VMBR require reboot before they can run Have more impact on the overall system
Suggestions The Ideas suggested by paper is good but needs many implementations both on attacker’s side and defender’s side Defense not convenient for end users Some ideas are not clear
Questions? Quote for the day “No defeat is final until we stop trying”