
Presented by Boris Yurovitsky


1 Presented by Boris Yurovitsky boris.yurovitsky@gmail.com

2 SubVirt: Implementing malware(*) with virtual machines
By
– S. King, P. Chen (University of Michigan)
– Y. Wang, C. Verbowski, H. Wang, J. Lorch (Microsoft Research)
Appears in
– 2006 IEEE Symposium on Security and Privacy
Topics in Information Security 2007
(*) Malware: malicious software

3 Outline
– Introduction
– Virtualization technology
– VM-based rootkit implementation
– Defense

4 Introduction
A rootkit is a tool used to hide malicious activities
Goals of the attacker
– More capability
– Less visibility
Goals of the defender
– Detect
– Prevent

5 Introduction

Level             | Attack technique                                    | Defense technique
------------------|-----------------------------------------------------|----------------------------------------------------
Application level | Replace user-level applications (e.g. ps, ls)       | Monitor critical file system entries (Tripwire)
Kernel level      | Modify kernel data structures (FU, hxdef)           | Monitor kernel integrity, detect system hooks (VICE)

6 Introduction
Whoever controls a lower level wins
– Rootkits and detection software both migrate to lower layers
– Both stop at the OS level: kernel rootkits and kernel integrity monitors sit side by side, neither below the other
Once both sit at the same level, whoever is smarter wins
– Attackers must sacrifice functionality for invisibility (every hook they add is something the detector can look for)

7 Virtualization
A virtual-machine monitor (VMM)
– Manages the underlying hardware
– Provides the abstraction of a virtual machine to the software running on top of it
Common practices
– Run several OSes on the same system
– Test and debug
– Live machine migration

8 Virtualization
The semantic gap
– The VMM sees hardware-level state: disk blocks, network packets, memory pages
– Guest software sees OS-level abstractions: files, TCP connections, variables
Virtual-machine introspection (VMI) bridges the gap from below
– Read the guest OS symbol table and page tables to interpret guest memory
– Use breakpoints to control guest execution
– Invoke guest OS or application code from the VMM

9 Implementation
Virtual Machine-Based Rootkit (VMBR)
– Uses virtual-machine technology
– Gains maximum control: the VMBR runs beneath the target OS, which becomes a guest without knowing it
– Allows arbitrary malware to run alongside the target while staying invisible to it

10 Implementation
How do we get there? Installation
What can we do? Malicious services
Looks nice, so how long can we stay? Maintaining control
What is the price? Performance

11 Implementation

12 Implementation: Installation
Acquire root-level access
– Exploit a remote vulnerability
– Corrupt a software or bootable image on a P2P network
Save the VMBR to persistent storage
– Use the file system
– Use low-level disk access (bypasses file system monitors)
Modify the boot sequence (and avoid detection)
– Run during shutdown, after most processes and detection software have already stopped
– Take over the low-level disk controller so the boot-record changes are not seen by the file system layer
Microsoft Security Bulletin MSxx-xxx: "A remote code execution vulnerability exists in … that could allow remote code execution on an affected system. An attacker could exploit the vulnerability by … An attacker … could take complete control of an affected system."

13 Implementation: What can we do? Malicious services

14 Implementation: Malicious services
Class I: no interaction with the target system (the service runs entirely in the attacker's environment beneath the target OS)
– Spam relays
– Phishing servers (*)
– Distributed DoS zombies
(*) denotes services implemented by the authors

15 Implementation: Malicious services
Class II: observe the target system
– At the hardware level (the VMBR sees the emulated devices): key loggers (*), packet monitor
– Using VMI (the VMBR interprets guest state): intercept SSL data before it is encrypted, scan for sensitive data (e.g. ~user/.ssh/id_dsa) (*)
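An added example for the "scan for sensitive data" service and for the semantic-gap slide above (it is written for these notes, not code from the SubVirt paper): a hardware-level observer sees only disk blocks, so the simplest way to find a private key is to look for its PEM header byte pattern block by block, with no notion of files or directories. The disk image, block size and key locations below are constructed for the demonstration.

```c
/* Added example: block-level scan for a DSA private key header, the way a
 * VMBR watching emulated disk traffic would see it. Not code from the
 * SubVirt paper; the disk image below is constructed inline. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 512                         /* assumed sector size */

static const char PEM_MARKER[] = "-----BEGIN DSA PRIVATE KEY-----";
#define MARKER_LEN (sizeof PEM_MARKER - 1)

/* Scan a raw disk image one block at a time. The last MARKER_LEN-1 bytes of
 * the previous block are carried over, so a header that straddles a block
 * boundary is still found (the tail is shorter than the marker, so a hit
 * can never be reported twice). Records the byte offset of each hit and
 * returns the total number of hits, even beyond max_hits. */
size_t scan_blocks_for_pem(const uint8_t *disk, size_t len,
                           size_t *hits, size_t max_hits) {
    uint8_t window[BLOCK + MARKER_LEN];   /* carry-over tail + current block */
    size_t carry = 0, nhits = 0;

    for (size_t off = 0; off < len; off += BLOCK) {
        size_t n = (len - off < BLOCK) ? len - off : BLOCK;
        memcpy(window + carry, disk + off, n);
        size_t wlen = carry + n;

        /* window[0] corresponds to disk offset (off - carry) */
        for (size_t i = 0; i + MARKER_LEN <= wlen; i++) {
            if (memcmp(window + i, PEM_MARKER, MARKER_LEN) == 0) {
                if (nhits < max_hits) hits[nhits] = off - carry + i;
                nhits++;
            }
        }
        /* keep the tail of this window for the next block */
        carry = (wlen < MARKER_LEN - 1) ? wlen : MARKER_LEN - 1;
        memmove(window, window + wlen - carry, carry);
    }
    return nhits;
}

/* Constructed 4-block image: one key header starts 10 bytes before the end
 * of block 0 (so it crosses into block 1), a second starts at block 3. */
#define SAMPLE_LEN (4 * BLOCK)

size_t sample_disk_hits(size_t *hits, size_t max_hits) {
    uint8_t disk[SAMPLE_LEN];
    memset(disk, 'x', sizeof disk);       /* filler standing in for other data */
    memcpy(disk + BLOCK - 10, PEM_MARKER, MARKER_LEN);
    memcpy(disk + 3 * BLOCK, PEM_MARKER, MARKER_LEN);
    return scan_blocks_for_pem(disk, sizeof disk, hits, max_hits);
}

int main(void) {
    size_t hits[8];
    size_t n = sample_disk_hits(hits, 8);
    printf("%zu key header(s) found\n", n);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("  at byte offset %zu (block %zu)\n", hits[i], hits[i] / BLOCK);
    return 0;
}
```

The carry-over handles the one boundary a block scanner can see. What it cannot handle is the semantic gap itself: if the file system scatters id_dsa across non-adjacent blocks, or stores it compressed or encrypted, the pattern never appears in any block stream, and the VMBR has to fall back on VMI (reading the guest's file system structures through its symbol and page tables) to reassemble the file.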

16 Implementation: Malicious services
Class III: deliberately modify the target system
– Can modify either hardware-level data (disk blocks, memory, packets) or use VMI to change guest state
– Examples: modify the execution of target applications (*), modify network traffic

17 Implementation: Malicious services
The redpill VM detection tool
– sidt is an unprivileged instruction, so the VMM cannot trap it for user-mode apps; the application reads the IDTR directly and sees the IDT base the VMM installed for the guest
Avoiding detection
– Detect the redpill executable being loaded by monitoring a Windows XP kernel function
– Break the target application on sidt
– Emulate the sidt instruction and return a native-looking value
Back to the arms race
– sidt can be generated dynamically at run time, so scanning the executable for it is not enough
– Can still be detected using binary translation of the code actually executed
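The redpill probe that slide 17 discusses, as an added example written for these notes (not code from the SubVirt paper or from the original redpill tool): the unprivileged SIDT read, and the classic "IDT base is high" heuristic kept in a separate function so it can be exercised on fixed IDTR values. The sample IDTR bytes in the usage note and the 32-bit layout assumptions are mine.

```c
/* Added example: user-mode SIDT probe plus the classic redpill heuristic.
 * Illustrative code for these notes, not the paper's or redpill's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SIDT stores the IDTR: a 16-bit limit followed by the base address
 * (32-bit base on i386, 64-bit base on x86-64), i.e. 6 or 10 bytes. */
#define IDTR_BYTES 10

typedef struct { uint8_t raw[IDTR_BYTES]; } idtr_t;

/* The original redpill heuristic (Rutkowska, 2004): on a native 32-bit
 * system the IDT base is an ordinary kernel address such as 0x8003f400
 * (Windows XP) or 0xc0xxxxxx (Linux), while VMware placed the guest's IDT
 * at 0xffxxxxxx and Virtual PC at 0xe8xxxxxx. Byte 5 of the stored IDTR is
 * the most significant byte of a 32-bit base, so "byte 5 > 0xd0" flags a
 * VMM. Returns 1 when the heuristic says "inside a VM", 0 otherwise. */
int redpill_classify(const idtr_t *idtr) {
    return idtr->raw[5] > 0xd0;
}

/* Decode the base as a 32-bit value (the form the heuristic was built
 * around) for display. */
uint32_t idtr_base32(const idtr_t *idtr) {
    return (uint32_t)idtr->raw[2]         | ((uint32_t)idtr->raw[3] << 8) |
           ((uint32_t)idtr->raw[4] << 16) | ((uint32_t)idtr->raw[5] << 24);
}

/* Execute SIDT. It is unprivileged, so a VMM that relies on trapping
 * privileged instructions cannot intercept it; the guest simply sees
 * whatever base the VMM installed. Returns 0 on success, -1 when built for
 * a non-x86 target (no value is faked in that case). */
int read_idtr(idtr_t *out) {
    memset(out, 0, sizeof *out);
#if defined(__i386__) || defined(__x86_64__)
    __asm__ volatile ("sidt %0" : "=m" (*out));
    return 0;
#else
    return -1;
#endif
}

int main(void) {
    idtr_t idtr;
    if (read_idtr(&idtr) != 0) {
        puts("not an x86 build; SIDT probe skipped");
        return 1;
    }
    printf("IDT base (low 32 bits) = 0x%08x, byte 5 = 0x%02x -> %s\n",
           idtr_base32(&idtr), idtr.raw[5],
           redpill_classify(&idtr) ? "redpill says: inside a VM"
                                   : "redpill says: native");
    return 0;
}
```

Three caveats a practitioner should keep in mind when reading this against the slide. First, the heuristic is a 32-bit one, matching the 2006 setting: on x86-64 every kernel address begins with 0xffff, so byte 5 is 0xff on bare metal too. Second, on a multiprocessor each CPU has its own IDT, so the value changes with the core the thread happens to run on. Third, the countermeasures on the slide are exactly what this code invites: a VMM that emulates sidt (or, on newer CPUs with UMIP enabled, a kernel that traps the user-mode sidt and substitutes a dummy value) returns whatever it likes, and a hardware-assisted VMM does not need to relocate the guest IDT at all, which is why the closing slide lists hardware virtualization support among the factors shaping the future of VMBRs.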

18 Implementation: How long can we stay? Maintaining control

19 Implementation: Maintaining control
The VMBR has full control of the system while it is powered up
No control from system power-up until the VMBR itself is loaded
– In that window the user can boot from alternate media and inspect the disk from outside
Avoiding power-up
– Emulate restarts: only the virtual machine restarts (*), so "alternate" boot media is in fact loaded under the VMBR and sees the virtualized disk
– Avoid complete shutdown (*): emulate shutdown using ACPI, so the machine appears off while the VMBR stays resident

20 Implementation: What is the price? Performance

21 Implementation: Performance
Size and download time (download time is for the compressed image)

                       | Size (compressed / uncompressed) | Download time at 725 kbps / 5 Mbps
-----------------------|----------------------------------|-----------------------------------
VMware-based VMBR      | 95 MB / 228 MB                   | 18 min / 2.5 min
Virtual PC-based VMBR  | 106 MB / 251 MB                  | 20 min / 3 min

System performance is hardly affected
– About 3% RAM usage for the Virtual PC-based VMBR
– Video-intensive applications may suffer degraded performance
– Solution: the graphics card does not have to be virtualized...

22 Implementation: Performance
Installation and boot times

                               | Installation | Target boot  | Target boot     | Target boot       | Host boot       | Host + target boot
                               |              | without VMBR | emulated reboot | emulated shutdown | after power-off | after power-off
-------------------------------|--------------|--------------|-----------------|-------------------|-----------------|-------------------
VMware (Linux target)          | 24           | 53           | 74              | 96                | 52              | 145
Virtual PC (Windows XP target) | 262          | 23           | 54              | N/A               | 45              | 101

All times are given in seconds. All measurements have variance less than 3%.

23 Defense
Hardware-based defense
– Intel's Trusted Execution Technology (formerly LaGrande)
– AMD's platform for trustworthy computing initiative
– Copilot: a PCI-based kernel integrity monitor
Secure boot from CD or network
– Do not forget to unplug... (a real power-off is needed, since an emulated restart boots the media inside the VMBR)
Secure VMM
– Detect and prevent VMBRs at the installation stage, before they can take over the boot sequence

24 Defense
Detect the VMM's impact on the system
– Memory: the VMBR can hide its memory usage by paging
– Disk: the VMBR can hide its disk usage by emulating bad blocks
– CPU: the VMBR can slow down the target's clock to hide its overhead, so run benchmarks against a wall-mounted clock instead of the target's own timers
Detect modifications to I/O drivers
– The VMBR emulates only what it needs, so virtualized device behaviour differs from the real hardware

25 Conclusions
– VMBR is a new form of layer-below attack
– VMBRs can provide features unavailable to traditional rootkits
– VMBRs are easy to implement
– VMBRs are difficult to detect and remove
Future of VMBRs
– Widespread use of virtualization
– Hardware support for virtualization

26 Thank You

27 Questions
– What are the advantages of a VM-based rootkit over an OS-level rootkit from the attacker's point of view?
– If complete control over the hardware is achieved, why is VMI still required?
– Discuss the differences between hardware-level and VMI-based key loggers.
– Suppose a secure file system is deployed on the host. Would user data remain secure from a malicious service running within a VMBR? Explain.
– How would hardware support for virtualization affect VMBRs?
boris.yurovitsky@gmail.com

