Implementing malware with virtual machines
Seminar of the "Virtual Machines" course
By: F. Zahmatkesh, University of Science and Technology of Mazandaran, Babol
[email protected]
December 24, 2009

Preview: Malware
- Short for malicious software
- Software that acts on a computer system without the knowledge of the user
- A general term

Preview (cont'd): Control
- The major goal of malware: to monitor, intercept and modify the states and actions of other software
- Allows malware to remain invisible by lying to, or disabling, intrusion detection software

Preview (cont'd): Rootkit
- A kind of malware: a software system designed to obscure the fact that the system has been compromised
- Tools used to hide malicious activities
- Types:
  1. Hardware/firmware level
  2. Hypervisor level
  3. Boot loader level
  4. Kernel level
  5. Library level
  6. Application level

Agenda
- Attackers and defenders strive for control
  o Attackers monitor and perturb execution, and avoid defenders
  o Defenders detect and remove attackers
- Control comes from the lower layers; both sides have migrated to low-level OS code
  (layer diagram: App1 and App2 above the operating system, above the hardware; attackers and defenders both sit at the operating-system layer)
- Hope to help defenders

Outline
- Virtual machine advantages
- SubVirt project
  o VMBRs, a new class of threat
  o Installing a VMBR
  o Maintaining control
- Attacker's perspective
  o Malicious services
  o Proof-of-concept VMBRs
  o Example malicious services
- Defending against this threat
- Trends toward virtualization
- Related work
- Conclusion

Virtual Machines
- Multiplexing hardware
- A powerful platform to add services
  o Debug the OS
  o Migrate a live machine
  o Detect/prevent intrusion
  o Attest for code integrity
- A problem: the states/events of the guest are not directly visible
  o Virtual machine introspection (VMI) is the solution

BUT...
- Despite all of its advantages, virtual machine technology can provide a powerful platform to build malware.

Virtual-Machine Based Rootkits (VMBRs)
- Before infection: App1 and App2 run on the target OS, which runs directly on the hardware
- After infection: the target OS (with App1 and App2) runs as a guest on a VMM; an attack system runs beside it on the same VMM, which now owns the hardware

Virtual-Machine Based Rootkits (VMBRs) (cont'd)
- A hypervisor-level rootkit
- Classic VM architecture: the VMM runs beneath the OS
  o Effectively a new processor privilege level
  o Fundamentally more control
- Moves the target system into a virtual machine
  o Little to no difference from the target's point of view
- The malware runs in the VMM or in the attack system (a second VM)

Virtual-Machine Based Rootkits (VMBRs) (cont'd)
- Isolation
  o Visible states or events of the target system are easy to modify
  o No visible states or events of the VMBR
- Easy to develop malicious services
  o They run in a separate, general-purpose OS
  o Invisible to detection software in the target
  o Uses VMI
- Hard to detect and remove

Installing a VMBR
- The attacker needs kernel privilege, obtained by
  o A traditional remote exploit
  o Fooling the user into installing malware
  o Bribing an OEM or vendor
- The VMBR's state is kept on persistent storage
- The VMBR modifies the system boot sequence
  o The master boot record
- Installation happens in the final stages of shutdown
  o Few processes running
  o Efforts to prevent notification of the activity

Installing a VMBR (cont'd): the boot sequence
  BIOS -> master boot record -> boot sector -> OS

Installing a VMBR (cont'd): the modified boot sequence
  BIOS -> VMBR loads -> (virtual) BIOS -> master boot record -> boot sector -> OS

Maintaining control
- To avoid being removed, the VMBR must protect its state
- The only time the VMBR loses control is the period after the system powers up until the VMBR starts
  System BIOS -> VMBR loads -> BIOS -> master boot record -> boot sector -> OS

Maintaining control (cont'd)
- The VMBR loses control when the system is powered off, so it emulates
  o Reboots: restarting the virtual hardware
  o Shutdowns: the system only appears to shut down, using ACPI sleep states
    - Switch the hardware into a low-power mode
    - Spin down hard disks
    - Turn off fans
    - Place the monitor into a power-saving mode

Malicious services
- Use a separate attack OS to implement them
- Run invisible malicious services
- Traditional malware with no fear of detection
  (diagram: App on the attack OS, App1 and App2 on the target OS, both OSes on the VMM, the VMM on the hardware)

Malicious services (cont'd)
- Malicious services fall into three categories:
  1. Zero-interaction malicious services
     o E.g., a phishing web server
  2. Passive monitoring
     o E.g., a keystroke logger, network packet capture
  3. Active execution modifications
     o E.g., deleting e-mail, modifying network communication
- The VMBR supports all of the above; all are easy to implement

Evaluate: proof-of-concept VMBRs (times in seconds)
  Metric                                        VMware-based VMBR    Virtual PC-based VMBR
                                                (Linux target)       (Win XP target)
  Disk space (VMM + attack OS)                  228 MB               251 MB
  Memory space                                  3%                   3%
  Install time                                  24                   262
  Target boot without VMBR                      53                   23
  Target boot after emulated reboot             74                   54
  Target boot after emulated shutdown           96                   N/A
  Host boot after power-off                     52                   45
  Host boot + target boot after power-off       145                  101

Evaluate: experimental setup
- All experiments for the VMware-based VMBR run on a Dell Optiplex workstation with a 2.8 GHz Pentium 4 and 1 GB of RAM.
- All experiments for the Virtual PC-based VMBR run on a Compaq Deskpro EN with a 1 GHz Pentium 4 and 256 MB of RAM.
- Our VMware-based VMBR compromises a RedHat Enterprise Linux 4 target system, and our Virtual PC-based VMBR compromises a Windows XP target system.

Example malicious services
- Using the proof-of-concept VMBRs, we implemented four malicious services:
  1. Phishing web server
  2. Keystroke logger
  3. File system scanner
  4. Countermeasure to a detection tool

Defending against VMBRs
- Detecting a VMBR's presence is hard: it virtualizes the state seen by the target
- An ideal VMBR modifies no state inside the target
- It does leave signs that an intrusion detection system can observe
- Where to run the detection software:
  o Below the VMBR
  o Above the VMBR

Security software below
- More control, direct access to resources
- Could observe/detect the VMBR's states or events
- Ways to gain control below the VMBR:
  1. Secure hardware
     o E.g., Intel's LaGrande
     o E.g., AMD's platform for trustworthy computing
     o E.g., Copilot
     o All propose hardware
  2. Secure VMM
     o The VMBR would have to sit between the secure VMM and the target OS
     o Stops the VMBR from modifying the boot sequence above the secure VMM
  3. Secure boot
     o Ensures the integrity of the boot sequence
  4. Boot from a safe medium
     o CD-ROM, USB drive or network boot server
     o The VMBR can avoid it! So unplug the machine from the wall
     o E.g., Strider GhostBuster

Security software above
- Traditional techniques aren't able to detect a VMBR
  o The attack state is not visible
  o Can only detect side effects
- VMBR perturbations (side effects) include:
  1. Increase in CPU overhead
     o Timing differences
  2. Use of memory and disk space
     o Run a program that requires the entire machine's memory/disk space
  3. Not virtualizing all I/O devices
     o Direct access to non-virtualized devices
     o Drivers access physical memory
  4. Leak of the VMM's information by sensitive, non-privileged instructions
     o Execute them at a lower processor privilege level (rings 1-3)

Trends toward virtualization
- Towards hardware virtualization support (Intel and AMD)
  o More practical VMBRs
  o Reduces the amount of state needed to support VMBRs
  o Reduces the amount of time needed to boot VMBRs
  o Allows hardware devices to perform at full capacity
- Towards widespread VMM use
  o Helps defenders detect/prevent VMBRs
  o Secure VMM

Related work
1. Layer-below attacks
   o Kernel-layer rootkits
2. Projects that use VMMs for security
   o Trusted VMMs: Terra, NGSCB
   o Detect intrusions: VMI, IntroVirt
   o Isolation: NSA's NetTop
   o Analyze intrusions: ReVirt
3. Projects that detect the presence of a VMM
   o Pioneer

Conclusion
- VMBR
  o Qualitatively more control
  o Still easy to implement services
  o Hardware enhancements might make it more effective
- Defending is possible by controlling the lower layers
- When compared to traditional malware:
  o More state
  o More difficult to install
  o A reboot is needed to run
  o More of an impact

Reference
S.T. King, P.M. Chen, Y.-M. Wang, C. Verbowski, H.J. Wang, J.R. Lorch, "SubVirt: Implementing malware with virtual machines," in Proceedings of the IEEE Symposium on Security and Privacy, May 2006.

Thanks for paying attention.
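Added worked example (not part of these slides or of the SubVirt project): two of the defender-side checks the deck describes, written in C. The first follows the "Installing a VMBR" and "Security software below" slides: after booting from a safe medium, compare the boot code in the first disk sector against a baseline captured while the machine was known-good, since a VMBR that hooks the boot sequence must change that sector. The second follows the "Security software above" slide: time CPUID, a sensitive instruction that a VMM must intercept, and flag a large slowdown against a known-good baseline. The sample sectors are constructed for the example, and the timing baseline (100 ns) and ratio (10x) are assumptions that must be calibrated on the real hardware, not values from the paper.

```c
/* vmbr_checks.c: added example, not code from the slides or from SubVirt. */
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

#define SECTOR_SIZE   512
#define BOOT_CODE_LEN 446   /* bytes 0..445 hold the boot code the BIOS jumps to */
#define SIG_OFFSET    510   /* bytes 510..511 must be 0x55 0xAA */

enum mbr_status { MBR_OK = 0, MBR_BAD_SIGNATURE = 1, MBR_BOOT_CODE_CHANGED = 2 };

/* Check 1: boot-code integrity.  `sector` is the MBR read from a safe boot,
 * `baseline` the copy saved when the machine was known-good.  On a change,
 * *first_diff receives the offset of the first differing byte. */
int mbr_check(const uint8_t *sector, const uint8_t *baseline, size_t *first_diff)
{
    if (sector[SIG_OFFSET] != 0x55 || sector[SIG_OFFSET + 1] != 0xAA)
        return MBR_BAD_SIGNATURE;
    for (size_t i = 0; i < BOOT_CODE_LEN; i++) {
        if (sector[i] != baseline[i]) {
            if (first_diff) *first_diff = i;
            return MBR_BOOT_CODE_CHANGED;
        }
    }
    return MBR_OK;   /* the partition table (446..509) is deliberately not compared */
}

/* Constructed baseline: plausible opening bytes of 16-bit boot code
 * (cli; xor ax,ax; mov ss,ax), zeros, and the boot signature. */
void build_baseline(uint8_t *s)
{
    memset(s, 0, SECTOR_SIZE);
    s[0] = 0xFA; s[1] = 0x31; s[2] = 0xC0; s[3] = 0x8E; s[4] = 0xD0;
    s[SIG_OFFSET] = 0x55; s[SIG_OFFSET + 1] = 0xAA;
}

/* Constructed altered sector: the entry point now holds a short jump (EB 3C)
 * instead of the original instructions.  A stand-in for a hooked MBR only. */
void build_modified(uint8_t *s)
{
    build_baseline(s);
    s[0] = 0xEB; s[1] = 0x3C;
}

int demo_clean_status(void)
{
    uint8_t base[SECTOR_SIZE], cur[SECTOR_SIZE];
    build_baseline(base); build_baseline(cur);
    return mbr_check(cur, base, NULL);
}

int demo_modified_status(size_t *first_diff)
{
    uint8_t base[SECTOR_SIZE], cur[SECTOR_SIZE];
    build_baseline(base); build_modified(cur);
    return mbr_check(cur, base, first_diff);
}

static int cmp_double(const void *a, const void *b)
{
    double x = *(const double *)a, y = *(const double *)b;
    return (x > y) - (x < y);
}

/* Check 2: median cost of one CPUID in nanoseconds (includes the clock_gettime
 * overhead, which is why a same-hardware baseline is required).  Returns -1.0
 * when not built for x86-64, where the instruction does not exist. */
double measure_cpuid_ns(int samples)
{
#if defined(__x86_64__)
    if (samples <= 0) return -1.0;
    double *t = malloc((size_t)samples * sizeof *t);
    if (!t) return -1.0;
    for (int i = 0; i < samples; i++) {
        struct timespec a, b;
        uint32_t eax = 0, ebx, ecx, edx;
        clock_gettime(CLOCK_MONOTONIC, &a);
        __asm__ volatile("cpuid" : "+a"(eax), "=b"(ebx), "=c"(ecx), "=d"(edx) : : "memory");
        clock_gettime(CLOCK_MONOTONIC, &b);
        (void)ebx; (void)ecx; (void)edx;
        t[i] = (double)(b.tv_sec - a.tv_sec) * 1e9 + (double)(b.tv_nsec - a.tv_nsec);
    }
    qsort(t, (size_t)samples, sizeof *t, cmp_double);
    double med = t[samples / 2];
    free(t);
    return med;
#else
    (void)samples;
    return -1.0;
#endif
}

/* Decision rule: flag when the observed cost exceeds the known-good baseline by
 * more than `ratio`.  Both the baseline and the ratio are assumptions here. */
int timing_suggests_vmm(double observed_ns, double known_good_ns, double ratio)
{
    if (observed_ns < 0 || known_good_ns <= 0) return 0;   /* no measurement, no claim */
    return observed_ns > known_good_ns * ratio;
}

int main(void)
{
    size_t off = 0;
    printf("clean sector   : status %d\n", demo_clean_status());
    printf("modified sector: status %d, first differing byte at offset %zu\n",
           demo_modified_status(&off), off);
    double ns = measure_cpuid_ns(2000);
    printf("median CPUID cost: %.0f ns -> %s\n", ns,
           timing_suggests_vmm(ns, 100.0, 10.0) ? "well above baseline, investigate"
                                                 : "within baseline");
    return 0;
}
```

On a real machine the sector comes from the raw disk (for example the first 512 bytes of the boot device read after booting a rescue medium) and the baseline from the same read taken earlier; only the boot-code region is compared because a legitimate repartition changes bytes 446..509. The timing check is the weaker of the two: the result only means something relative to a baseline measured on the same hardware with a clean boot, and the deck's own trends slide explains why hardware virtualization support shrinks the gap this check relies on.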