
SubVirt: Implementing malware with virtual machines

SubVirt: Implementing malware with virtual machines. Authors: Samuel T. King, Peter M. Chen (University of Michigan); Yi-Min Wang, Chad Verbowski, Helen J. Wang, Jacob R. Lorch (Microsoft Research). Publication: IEEE Symposium on Security and Privacy, 2006. Presenter: Radha Maldhure.


Presentation Transcript


  1. SubVirt: Implementing malware with virtual machines
     Authors: Samuel T. King, Peter M. Chen (University of Michigan); Yi-Min Wang, Chad Verbowski, Helen J. Wang, Jacob R. Lorch (Microsoft Research)
     Publication: IEEE Symposium on Security and Privacy, 2006
     Presenter: Radha Maldhure

  2. Goal
     • Attacker: run malicious software and avoid detection
     • Defender: understand and defend against the threat
     Fig: layered system (App1, App2, OS, Hardware); whichever of attacker and defender controls the lower layer has more control

  3. VMM
     • VM runs the guest OS and guest applications
     • Host application and host OS provide convenient access to I/O devices and run VM services
     Fig: architecture of a VMM (as used by VMware and VirtualPC)
     VMI (virtual-machine introspection) = set of techniques that enable a VM service to understand and modify states/events in the guest

  4. What is the presentation about?
     • Virtual-machine based rootkit (VMBR)
       • installation
       • malicious services
       • maintaining control
     • Defending against VMBR
       • control below VMBR
       • control above VMBR

  5. Attack system
     Fig: before infection the stack is App1, App2 (user mode), Target OS, Hardware; after infection a VMM sits between Target OS and Hardware, and the VMBR is invisible to the target OS
     Attack system = attack OS + malware

  6. Installation
     • Gain sufficient privileges (attain privileged level)
     • Install the VMBR's state on persistent storage
     • Insert the VMBR beneath the target OS: manipulate the boot sequence (modify boot records) so that the VMBR loads before the target OS
     !! Needs to be done at the final stage of shutdown

  7. Malicious services (MS)
     There are three types:
     1. MS with no communication with the target system, e.g. phishing web servers
     2. MS that observes data from the target system, e.g. keystroke loggers that obtain sensitive info such as passwords
     3. MS that modifies the execution of the target system, e.g. deleting email

  8. Maintaining control
     Fig: booting the system: system powers up → BIOS → VMBR code loaded from VMBR state → system is compromised
     !!! Avoid reboots and shutdowns
     • Handle reboots: restart the virtual hardware rather than resetting the underlying physical hardware
     • Handle shutdowns: use ACPI sleep states to emulate system shutdown

  9. Defense
     Fig: security software above the VMBR can see only virtualized state; security software below the VMBR can see the actual state and the state of the VMBR

  10. Security Software below VMBR
     Basic idea: the detector's view of the system does not go through the VMBR's virtualization layer
     Ways:
     • Boot from a safe medium such as CD-ROM or USB (physically unplug before booting)
     • Use a secure VMM

  11. Security Software above VMBR
     Basic idea: security software below the VMBR is inconvenient, so detect the VMBR from inside the target system
     Ways:
     • Compare the running time of software in the VM with benchmarks, measured against wall-clock time
     • Run a program that requires the entire memory or disk space
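The timing check in the first bullet, as an added example that is not part of the slides or of the SubVirt paper: a C program that times a fixed CPU-bound workload with the guest's own clock and compares the result with a clean-hardware baseline and with the same interval taken from an external clock. The baseline and the external reading are assumptions supplied by the caller, and the figures in main are constructed.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 199309L   /* for clock_gettime */
#endif
#include <stdint.h>
#include <stdio.h>
#include <time.h>
/* Time a deterministic workload with the guest's own monotonic clock.
 * `checksum` receives the loop result so the compiler keeps the loop. */
static uint64_t run_benchmark(uint64_t iterations, uint64_t *checksum) {
    struct timespec start, end;
    uint64_t h = 1469598103934665603ULL;      /* FNV-1a offset basis */
    clock_gettime(CLOCK_MONOTONIC, &start);
    for (uint64_t i = 0; i < iterations; i++) {
        h ^= i;
        h *= 1099511628211ULL;                /* FNV-1a prime */
    }
    clock_gettime(CLOCK_MONOTONIC, &end);
    *checksum = h;
    return (uint64_t)((int64_t)(end.tv_sec - start.tv_sec) * 1000000000LL
                      + (int64_t)(end.tv_nsec - start.tv_nsec));
}
/* Bit flags returned by check_timing(). */
enum verdict { CLEAN = 0, SLOW_VS_BASELINE = 1, CLOCK_MISMATCH = 2 };
/* guest_ns:    interval reported by the guest's (possibly virtualized) clock
 * baseline_ns: same workload on known-clean hardware (assumed, caller-supplied)
 * external_ns: same interval from a clock the VMBR cannot virtualize
 * tolerance:   fractional slack, e.g. 0.25 for 25 % */
static int check_timing(uint64_t guest_ns, uint64_t baseline_ns,
                        uint64_t external_ns, double tolerance) {
    int result = CLEAN;
    if ((double)guest_ns > (double)baseline_ns * (1.0 + tolerance))
        result |= SLOW_VS_BASELINE;  /* VM exits and emulation add cost */
    double skew = (double)external_ns / (double)guest_ns;
    if (skew > 1.0 + tolerance || skew < 1.0 - tolerance)
        result |= CLOCK_MISMATCH;    /* guest clock does not track real time */
    return result;
}
int main(void) {
    uint64_t checksum;
    uint64_t ns = run_benchmark(50000000ULL, &checksum);
    /* Constructed figures: a 60 ms clean baseline and an external reading
     * 20 % longer than what the guest clock reported. */
    int v = check_timing(ns, 60000000ULL, ns + ns / 5, 0.10);
    printf("guest clock: %llu ns (checksum %016llx), verdict flags: %d\n",
           (unsigned long long)ns, (unsigned long long)checksum, v);
    return 0;
}
```

On a clean machine the CLOCK_MISMATCH flag fires here only because the external reading was constructed 20 % off; a real detector would take that reading from a stopwatch or a trusted remote time source.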

  12. Contribution
     • Explored the design and implementation of a VMBR
     • Explored techniques for detecting a VMBR

  13. Weakness
     • A VMBR is difficult to install
     • VMBRs require a reboot before they can run
     • They have more impact on the overall system

  14. Suggestions
     • The ideas suggested by the paper are good but need much implementation work on both the attacker's side and the defender's side
     • The defenses are not convenient for end users
     • Some ideas are not clear

  15. Questions?
     Quote for the day: “No defeat is final until we stop trying”
