MAVMM: Lightweight and Purpose Built VMM for Malware Analysis
Yang Feng, Jan 6th 2011


Outline

  • Introduction

  • Design

  • Implementation

  • Evaluation

  • Conclusion

Introduction

  • Traditional tools:

    • Disassembling

    • Dynamic black box analysis

    • Debugging

  • Virtualization Technology

    • Strong isolation, take snapshots and roll back the guest’s state

    • Monitor virtual machine based rootkits

Introduction

  • Virtualization Technology

    • Used by malware to evade detection and prevent analysis

      • Side channels and artifacts of the platform reveal the VMM

    • General purpose VMMs are not suitable for malware analysis

      • Designed for functionality and performance

      • Complex virtual device emulation exposes many vulnerabilities

Introduction


  • A VMM focused on malware analysis

  • Hardware support for virtualization

  • Keep the VMM small and simple

  • Smaller TCB (trusted computing base)

  • Functions: execution trace, memory dump, system calls, disk access and network interaction

  • Detectability

Design

  • Independent of the virtualization platform and the guest operating system

  • Use hardware virtualization technology

    • Faster virtualization performance

    • Simplify VMM implementation

    • Advantage:

      • Additional CPU mode for hypervisor

      • Nested paging - memory virtualization

      • Address space identifiers (ASID) - reduce TLB flushes on switches

      • IOMMU - I/O virtualization

      • Event interception and injection - instruction virtualization

Design

  • Special Purpose Hypervisor

    • Thin and lean -> simplicity -> transparency and security

    • Xen, KVM or VMware: too complex -> bugs

(Figure: general purpose VMM)

Design

  • Boot-strapping the Hypervisor

    • Start earlier than the guest and run at a higher CPU privilege level

    • Two options:

      • Boot directly from a boot loader (*) -> small and simple

      • Run on top of or alongside a host OS

  • Protecting Hypervisor Memory

    • Nested page tables (NPT) <-> EPT (the Intel equivalent)

    • Input/output memory management unit (IOMMU) <-> VT-d

Design

  • Feature Extraction

    • Execution trace -> works like a run-time debugger

      • TF (trap) flag in the RFLAGS register: set it to 1 to single-step the guest

    • Memory pages

      • Fetch guest pointers from memory

      • Guest logical address -> host physical address

        • Segmentation unit and paging unit, with the help of the NPT

    • System calls

    • Network and disk access -> derived from system calls

Design

  • Getting analysis data

    • Use the same hard disk

    • Use a separate hard disk

    • Use a USB flash drive

    • Use a system port such as the serial port

    -> via a BIOS service or a simple driver

  • Selective analysis

    • Compact mode: keep only a few interceptions active

    • Full mode: all features mentioned

    • Monitor specific processes: process list, intercept writes to the paging base pointer (CR3 register)

    • Track sub-processes: via system call tracing

  • -> minimize detectability

Implementation

  • Use AMD SVM technology

  • Started with TVMM


  • NPT, IOMMU, AMD Simnow

Implementation

  • Boot-strapping

    • Use the GRUB boot loader

      • GRUB starts -> MAVMM -> GRUB

    • Why doesn't MAVMM load the guest OS directly?

      • It would have to initialize the boot environment the guest OS expects

      • and make sure it does not overwrite the guest OS image

      • Too complicated

    • Set the initial instruction pointer of the guest to 0x7c00:

      • 0x7c00: the address where the master boot record is loaded

Implementation

  • Protecting Hypervisor Memory

    • Create the NPT and fill it with an identity mapping

    • NP (nested page) fault exception: handle the fault and hide the hypervisor region

    • Use an external USB drive to virtualize the VMM region

    • Hide queries of the USB port

    • Use the Device Exclusion Vector (DEV) to protect the VMM from DMA by external devices
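As an added example (not MAVMM's code), a software model of the two-stage translation the design and implementation slides describe: guest virtual to guest physical through the guest's own 32-bit page tables, then guest physical to host physical through an identity-mapped NPT in which the hypervisor's page is deliberately left unmapped, so a guest access to it surfaces as a nested page fault for the VMM to handle. The page layout, the VMM region address and the error codes are constructed; on real hardware the NPT walk is done by the MMU, not by code like this.

```c
#include <stdint.h>
#include <string.h>
/* Added example (not MAVMM's code): software model of the two-stage translation the
 * slides describe, guest virtual -> guest physical through the guest's own 32-bit
 * page tables, then guest physical -> host physical through an identity-mapped NPT
 * that leaves the hypervisor's region unmapped so guest accesses to it fault. */
#define PAGE     0x1000u
#define PRESENT  1u
#define VMM_BASE 0x4000u         /* constructed: hypervisor occupies one page of RAM */
#define VMM_END  0x5000u
enum { OK = 0, ERR_NOT_PRESENT = -1, ERR_NP_FAULT = -2 };
static uint8_t ram[8 * PAGE];    /* host RAM; the guest only sees it through the NPT */
/* Stage 2: guest physical -> host physical. Identity map, except the VMM region,
 * which has no NPT entry and therefore raises a nested page fault. */
int npt_translate(uint32_t gpa, uint32_t *hpa) {
    if (gpa >= VMM_BASE && gpa < VMM_END) return ERR_NP_FAULT;
    if (gpa >= sizeof ram) return ERR_NOT_PRESENT;
    *hpa = gpa;
    return OK;
}
static int read_gpa32(uint32_t gpa, uint32_t *val) {   /* 4-byte-aligned callers only */
    uint32_t hpa; int rc = npt_translate(gpa, &hpa);
    if (rc == OK) memcpy(val, ram + hpa, 4);
    return rc;
}
/* Stage 1: walk the guest's page directory and page table (32-bit, 4 KB pages),
 * reading each entry through the NPT, then translate the resulting frame. */
int gva_to_hpa(uint32_t cr3, uint32_t gva, uint32_t *hpa) {
    uint32_t pde, pte; int rc;
    if ((rc = read_gpa32((cr3 & ~0xfffu) + ((gva >> 22) & 0x3ffu) * 4, &pde)) != OK) return rc;
    if (!(pde & PRESENT)) return ERR_NOT_PRESENT;
    if ((rc = read_gpa32((pde & ~0xfffu) + ((gva >> 12) & 0x3ffu) * 4, &pte)) != OK) return rc;
    if (!(pte & PRESENT)) return ERR_NOT_PRESENT;
    return npt_translate((pte & ~0xfffu) | (gva & 0xfffu), hpa);
}
/* Constructed guest layout: CR3 -> page directory at 0x1000, one page table at 0x2000,
 * virtual 0x08048000 -> physical 0x3000 (ordinary) and 0x08049000 -> 0x4000 (VMM page). */
uint32_t setup_guest(void) {
    uint32_t pde = 0x2000u | PRESENT, pte0 = 0x3000u | PRESENT, pte1 = 0x4000u | PRESENT;
    memset(ram, 0, sizeof ram);
    memcpy(ram + 0x1000 + ((0x08048000u >> 22) & 0x3ffu) * 4, &pde, 4);
    memcpy(ram + 0x2000 + ((0x08048000u >> 12) & 0x3ffu) * 4, &pte0, 4);
    memcpy(ram + 0x2000 + ((0x08049000u >> 12) & 0x3ffu) * 4, &pte1, 4);
    return 0x1000u;              /* CR3 value for the constructed guest */
}
```

A walk of 0x08048abc yields host physical 0x3abc, while the guest page mapped onto the hypervisor's frame returns ERR_NP_FAULT instead of a host address, which is the point at which MAVMM's fault handler hides the region.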

Implementation

  • Feature Extraction

    • System calls

      • Entry: int 0x80 or sysenter

      • Exit: iret or sysexit

      • For int 0x80: set the intercept control bit in the VMCB, read the system call number from EAX

      • Intercept iret and map by thread ID to handle system calls whose useful data is only available after the handler has run

      • For sysenter: modify the index in SYSENTER_CS_MSR to point to an unmapped segment -> #GP fault on every sysenter

Implementation

  • Feature Extraction

    • Network and File Access

      • Network:

        • sys_socketcall: function in EBX, pointer to the arguments in ECX

        • Parse the sockaddr_in structure

        • Record IP addresses, port numbers and data

      • File:

        • sys_read and sys_write

        • Map descriptor numbers of opened files to pathnames

        • sys_open and sys_close
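An added example (not MAVMM's code) of the system call bookkeeping covered by the previous two slides: each intercepted int 0x80 entry is recorded per thread, the matching iret exit supplies the return value, and the descriptor returned by sys_open is bound to its pathname so that later sys_read/sys_write events can be attributed to a file and sys_socketcall events counted. The syscall numbers are the real Linux i386 ones; the event layout and the trace are constructed, and the guest pointer dereference that fetches the path string is assumed to have happened already.

```c
#include <stdint.h>
#include <string.h>
/* Added example (not MAVMM's code): pairs an intercepted int 0x80 entry with the iret
 * exit of the same thread, so sys_open's return value (the new fd) is captured and later
 * sys_read/sys_write calls resolve to a pathname. Syscall numbers are Linux i386; the
 * event records are constructed. */
enum { SYS_READ = 3, SYS_WRITE = 4, SYS_OPEN = 5, SYS_CLOSE = 6, SYS_SOCKETCALL = 102 };
enum { EV_INT80, EV_IRET, MAX_TIDS = 4, MAX_FDS = 16 };
/* Guest registers sampled at the intercept. Entry: eax = nr, ebx/ecx = args;
 * exit: eax = return value. path = the string EBX points to for sys_open, pre-fetched. */
struct event { int kind; uint32_t tid, eax, ebx, ecx; const char *path; };
struct tracer {
    uint32_t pending_nr[MAX_TIDS];          /* syscall awaiting its iret, per thread */
    const char *pending_path[MAX_TIDS];
    const char *fdpath[MAX_TIDS][MAX_FDS];  /* fd -> pathname, per thread */
    const char *last_file;                  /* pathname behind the latest read/write */
    int syscalls, socket_calls;
};
void handle_event(struct tracer *t, const struct event *e) {
    if (e->tid >= MAX_TIDS) return;
    if (e->kind == EV_INT80) {              /* entry: EAX carries the syscall number */
        t->syscalls++;
        t->pending_nr[e->tid] = e->eax;
        if (e->eax == SYS_OPEN) t->pending_path[e->tid] = e->path;
        else if (e->eax == SYS_CLOSE && e->ebx < MAX_FDS) t->fdpath[e->tid][e->ebx] = NULL;
        else if (e->eax == SYS_SOCKETCALL) t->socket_calls++;  /* EBX = subcall, ECX -> args */
        else if ((e->eax == SYS_READ || e->eax == SYS_WRITE) && e->ebx < MAX_FDS)
            t->last_file = t->fdpath[e->tid][e->ebx] ? t->fdpath[e->tid][e->ebx] : "?";
        return;
    }
    /* exit (iret): only now is sys_open's result, the new fd, available in EAX */
    if (t->pending_nr[e->tid] == SYS_OPEN && (int32_t)e->eax >= 0 && e->eax < MAX_FDS)
        t->fdpath[e->tid][e->eax] = t->pending_path[e->tid];
    t->pending_nr[e->tid] = 0;
}
/* Constructed trace: thread 1 opens a file (fd 3) and writes to it while thread 2
 * issues a socketcall in between, which exercises the per-thread pairing. */
struct tracer *run_demo(void) {
    static struct tracer t; memset(&t, 0, sizeof t);
    const struct event trace[] = {
        { EV_INT80, 1, SYS_OPEN, 0x0804a000u, 1, "/tmp/dropped.bin" },
        { EV_INT80, 2, SYS_SOCKETCALL, 3, 0xbffff000u, NULL },   /* 3 = SYS_CONNECT */
        { EV_IRET, 1, 3, 0, 0, NULL },                           /* open() returned fd 3 */
        { EV_IRET, 2, 0, 0, 0, NULL },
        { EV_INT80, 1, SYS_WRITE, 3, 0x0804b000u, NULL },
        { EV_INT80, 1, SYS_CLOSE, 3, 0, NULL },
    };
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++) handle_event(&t, &trace[i]);
    return &t;
}
```

Without the iret pairing the write would be logged only as "fd 3"; with it the tracer attributes the write to /tmp/dropped.bin even though the other thread's system call was interleaved.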

Implementation

  • Feature Extraction

    • Getting Analysis Data

      • Bind a virtual serial port in Simnow to a real port on the host

      • External USB drive -> needs a device-hiding and I/O access mechanism

    • Selective Analysis

      • Using a guest program, mavmm-u, and the VMMCALL instruction

      • Compact mode and full mode

      • Remove the binary and every trace of it before executing the malware

Implementation

  • Transparent Event Forwarding

    • Tracking system calls has no direct hardware virtualization support

    • Intercept the iret instruction and modifications of CR3

    • Set the TF flag to 1 in the RFLAGS register -> #DB fault after each instruction

    • Works well for most interceptions except interrupts and exceptions

    • Forwarding of these two events is already supported

Evaluation

  • In the AMD Simnow simulator

  • Simulate a machine with a 900MHz processor and 256MB of RAM

  • Run Simnow on a 2.4GHz Intel Core 2 CPU with 2.5GB RAM

  • On x86_64 Ubuntu Linux 8.04

  • Kernel 2.6.24-24

Evaluation

  • Functionality

    • Fine-grained tracking

    • A simple “Hello world” program

Evaluation

  • Functionality

    • High-level tracking

      • Monitor the booting process of tty Linux 8.0 -> 21953 system calls

      • Rootkit.Linux.Agent.30.Chsh

Evaluation

  • Detectability

    • Red Pill: a sensitive but non-privileged instruction

    • Local descriptor table register check

    • VMware I/O channel

    • Virtual PC special instructions

    • Machine state word check

    • Xen CPUID check

Evaluation

  • Security

    • TLB profiling attack

      • MAVMM does not support multiple guest VM instances

      • MAVMM is smaller, so fewer TLB entries are written

    • External timing attack

      • Complex and expensive

      • Requires root privilege, a huge number of CPU cycles, an external timing source and prior knowledge of the target system

    • Trusted computing base

Evaluation

  • Performance Overhead

    • Compact mode and full mode, compared with running outside the hypervisor

    • Each program run five times; the average is shown

    • Future: switch to USB logging, batch data dumps

Conclusion

  • A lightweight VMM designed specifically for malware analysis

  • Hardware virtualization support

    • Simplicity, security and transparency

  • Extract useful information

  • Easy to add new functions

Thanks!