Presentation is loading. Please wait.

Presentation is loading. Please wait.

Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor.

Published byMegan Short Modified over 8 years ago

Similar presentations

Presentation on theme: "Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor."— Presentation transcript:

1 Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor

2  Motivation  Our approach  Prototype Implementation  Evaluation  Future work 2

3  Virtualization is widely deployed for servers and desktops. ◦ In 2009, 18% server workloads were virtualized ◦ Expected to grow to more than 50% by 2012 (Gartner Inc.)  Hypervisors (also called Virtual Machine Monitors or VMM) are the core component to enforce policy.  Hypervisors are the new attack target. Hardware Hypervisor (Virtual Machine Monitor) Privileged Domain Guest OS 2 (Linux) Kernel 2 Guest OS 1 (Windows) Kernel 1 … Kernel 0 3

4  Xen vulnerabilities: ◦ Allow the attacker to run arbitrary code in the privileged domain. E.g. CVE-2007-4993, CVE-2007-1320, CVE-2007-4993 CVE-2007-1320  DMA attack (Invisible Things Lab, Blackhat 08) ◦ Modify the device driver to write arbitrary data to the hypervisor via DMA ◦ E.g. Interrupt Descriptor Table (IDT). HyperCall table. 4

5  Modify IDT directly 5 1 2 3... Org IDT Code in memory

6  Copy and change attack 6 1 2 3... 1 2 3 Org IDT New IDT Code in memory

7  Copilot ( Petroni et al. USENIX security ‘04 ). ◦ Cannot get execution state. Copy and change attack. ◦ Can be subverted by DMA remapping attack.  HyperGuard ( Rutkowska, Blackhat ‘08 ). ◦ Use SMM to get the execution state. ◦ The OS is frozen when CPU in SMM –- high overhead.  HyperSentry, (Azab et al. CCS’ 10) ◦ Use SMM to monitor the hypervisor integrity.  DeepWatch ( Bulygin, Blackhat ‘08 ). ◦ Based on micro-controller existed on some motherboard. ◦ Need the signature of the malware. 7 Out-of-VMM defense mechanisms

8  HyperSafe, ( Wang, Oakland ’10) ◦ Method: non-modifiable memory lockdown and restricted pointer indexing ◦ Drawbacks: need to modify the kernel; aliasing problem 8 In-VMM defense mechanisms

9  Design goals: ◦ To monitor the hypervisor code and static data ◦ Complete execution view ◦ Low performance overhead ◦ No hardware modification ◦ No software changes to the hypervisor or kernel ◦ Provide out-of-box view that cannot be subverted 9

10 ◦ SMM + COTS network card (NIC) ◦ SMM existed in all x86 CPU after 486. 10 (1) Acquiring module (2) Register Checking module

11  System Management Mode (SMM) is another CPU mode for x86  To enter SMM, a System Management Interrupt (SMI) is required.  SMM has a special RAM—SMRAM, and can be LOCKED.  SMM code is included in the BIOS. Real- address mode Protected mode SMM SMRAM 11

12  SMRAM cannot be modified: ◦ Locked by hardware in flash and memory  Can be integrated with BIOS code  Can be set up by a trusted boot module  Other software on the target machine is not trusted. ◦ Network card driver is put into SMM.  The attacker will modify some portion of the hypervisor kernel in the memory. 12

13 PCI NIC triggers SMI SMM check the CPU registers SMM send the memory out via NIC Analysis module rcv the data Different from the previous? Alarm YES 13

14 Two prototypes: – HyperCheck-I : QEMU based, easy debugging – HyperCheck-II: on real hardware. For performance evaluation. Protect static part of the VMM or OS – VMM code – Dom 0 code – Linux or Windows kernel code – Static control data (such as Interrupt Descriptor Table) 14

15  PCI devices with DMA support  Use commercial network cards ◦ Challenge: they need drivers, and drivers normally reside in untrusted OS, Driver Domain, or VMM. ◦ Solution: put the driver into SMM.  We used Intel e1000 NIC. 15

16  Resides in SMM  Previous CPU registers are saved in SMRAM before switching to SMM.  Check two registers: ◦ IDTR (Interrupt Descriptor Table Register): static ◦ CR3: page directory base register. Used to translate virtual addresses to physical ones. 16

17  Receive the packets from the acquiring module.  Compare the current memory snapshot with the clean state (obtained when the system just boot).  If different, potential attack. 17

18  Verifying the static property: ◦ Monitored the target code and data for one hour and didn’t find any changes. ◦ They do change when the system is booting  Detection ◦ Detected all the simulated attacks to the Xen hypervisor, Dom0, Linux and Windows kernels. 18

19 staticDetected modification Xen IDT tableYY Hypercall tableYY Exception tableYY Hypervisor codeYY Dom 0 System call tableYY Kernel codeYY Linux IDT tableYY System call tableYY Kernel codeYY Windows IDT tableYY System call tableYY 19

20 Network overhead for variable packet size when sending 2.7MB data. 20

21 Network overhead for variable data size. 21

22 22

23 code size(MB) time(ms) HyperCheck SMM- onlyTPM Linux2312031022 Xen+Dom02.740274>1022 Window XP1.828183>972 Hyper-V+root2.436244>1022 VMwareESXi 3.52.233223>1022 MemoryRegistersOverhead HyperCheckxxlow SMMxxhigh PCIxlow TPMxxhigh Table 1, CPU overhead comparison Table 2, features comparison 23

24  Scrubbing attack ◦ Modify the hypervisor between two scans interval and recover before the next scan. ◦ -- Randomize scan interval.  Dynamic data ◦ Current analysis module does not know how to check them, such as stack, heap. ◦ -- Syntax analysis. 24

25 Thank you! Questions? 25

Download ppt "Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor."

Similar presentations

Debugging operating systems with time-traveling virtual machines Sam King George Dunlap Peter Chen CoVirt Project, University of Michigan.

Debugging operating systems with time-traveling virtual machines Sam King George Dunlap Peter Chen CoVirt Project, University of Michigan.
Diagnosing Performance Overheads in the Xen Virtual Machine Environment Aravind Menon Willy Zwaenepoel EPFL, Lausanne Jose Renato Santos Yoshio Turner.

Diagnosing Performance Overheads in the Xen Virtual Machine Environment Aravind Menon Willy Zwaenepoel EPFL, Lausanne Jose Renato Santos Yoshio Turner.
Content Overview Virtual Disk Port to Intel platform

Content Overview Virtual Disk Port to Intel platform
Unmodified Device Driver Reuse and Improved System Dependability via Virtual Machines J. LeVasseur V. Uhlig J. Stoess S. G¨otz University of Karlsruhe,

Unmodified Device Driver Reuse and Improved System Dependability via Virtual Machines J. LeVasseur V. Uhlig J. Stoess S. G¨otz University of Karlsruhe,
Virtualization Technology

Virtualization Technology
Virtual Switching Without a Hypervisor for a More Secure Cloud Xin Jin Princeton University Joint work with Eric Keller(UPenn) and Jennifer Rexford(Princeton)

Virtual Switching Without a Hypervisor for a More Secure Cloud Xin Jin Princeton University Joint work with Eric Keller(UPenn) and Jennifer Rexford(Princeton)
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Difference Engine: Harnessing Memory Redundancy in Virtual Machines by Diwaker Gupta et al. presented by Jonathan Berkhahn.

Difference Engine: Harnessing Memory Redundancy in Virtual Machines by Diwaker Gupta et al. presented by Jonathan Berkhahn.
XEN AND THE ART OF VIRTUALIZATION Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauer, lan Pratt, Andrew Warfield.

XEN AND THE ART OF VIRTUALIZATION Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauer, lan Pratt, Andrew Warfield.
Anh M. Nguyen, Nabil Schear, HeeDong Jung, Apeksha Godiyal, Samuel T.King University of Illionis at Urbana-Champaign Hai D. Nguyen Hanoi University of.

Anh M. Nguyen, Nabil Schear, HeeDong Jung, Apeksha Godiyal, Samuel T.King University of Illionis at Urbana-Champaign Hai D. Nguyen Hanoi University of.
Bart Miller. Outline Definition and goals Paravirtualization System Architecture The Virtual Machine Interface Memory Management CPU Device I/O Network,

Bart Miller. Outline Definition and goals Paravirtualization System Architecture The Virtual Machine Interface Memory Management CPU Device I/O Network,
Computer Science HyperSentry: Enabling Stealthy In-context Measurement of Hypervisor Integrity Ahmed M. Azab, Peng Ning, Zhi Wang, Xuxian Jiang North Carolina.

Computer Science HyperSentry: Enabling Stealthy In-context Measurement of Hypervisor Integrity Ahmed M. Azab, Peng Ning, Zhi Wang, Xuxian Jiang North Carolina.
1 Ally: OS-Transparent Packet Inspection Using Sequestered Cores Jen-Cheng Huang 1, Matteo Monchiero 2, Yoshio Turner 3, Hsien-Hsin Lee 1 1 Georgia Tech.

1 Ally: OS-Transparent Packet Inspection Using Sequestered Cores Jen-Cheng Huang 1, Matteo Monchiero 2, Yoshio Turner 3, Hsien-Hsin Lee 1 1 Georgia Tech.
A Secure System-wide Process Scheduling across Virtual Machines Hidekazu Tadokoro (Tokyo Institute of Technology) Kenichi Kourai (Kyushu Institute of Technology)

A Secure System-wide Process Scheduling across Virtual Machines Hidekazu Tadokoro (Tokyo Institute of Technology) Kenichi Kourai (Kyushu Institute of Technology)
X86 segmentation, page tables, and interrupts 3/17/08 Frans Kaashoek MIT

X86 segmentation, page tables, and interrupts 3/17/08 Frans Kaashoek MIT
Network Implementation for Xen and KVM Class project for E6998-01: Network System Design and Implantation 12 Apr 2010 Kangkook Jee (kj2181)

Network Implementation for Xen and KVM Class project for E : Network System Design and Implantation 12 Apr 2010 Kangkook Jee (kj2181)
An Out-of-the-Box Approach to High Assurance Computer System Monitoring and Integrity Protection Cyber Defense Conference, Rome, NY, May 12-14, 2008 Assistant.

An Out-of-the-Box Approach to High Assurance Computer System Monitoring and Integrity Protection Cyber Defense Conference, Rome, NY, May 12-14, 2008 Assistant.
@ NCSU Zhi NCSU Xuxian Microsoft Research Weidong Microsoft NCSU Peng NCSU ACM CCS’09.

@ NCSU Zhi NCSU Xuxian Microsoft Research Weidong Microsoft NCSU Peng NCSU ACM CCS’09.
Virtualization for Cloud Computing

Virtualization for Cloud Computing

Similar presentations

Ads by Google