MAVMM: Lightweight and Purpose Built VMM for Malware Analysis
Yang Feng, Jan 6th 2011
Presentation Transcript
Outline
  • Introduction
  • Design
  • Implementation
  • Evaluation
  • Conclusion
Introduction
  • Traditional tools:
    • Disassembling
    • Dynamic black box analysis
    • Debugging
  • Virtualization Technology
    • Strong isolation, take snapshots and roll back the guest’s state
    • Monitor virtual machine based rootkits
Introduction
  • Virtualization Technology
    • Evade detection and prevent analysis
      • Side channels, artifacts of platform
    • A general purpose VMM is not suitable for malware analysis
      • Designed for functionality and performance
      • Complex virtual device emulation exposes many vulnerabilities
Introduction
  • MAVMM
    • A VMM focused on malware analysis
    • Hardware support for virtualization
    • Keep the VMM small and simple
    • Smaller TCB (trusted computing base)
    • Function: execution trace, memory dump, system call, disk access and network interaction
    • Detectability
Design
  • Independent of virtualization platform and guest operating system
  • Use hardware virtualization technology
    • Faster virtualization performance
    • Simpler VMM implementation
    • Advantages:
      • Additional CPU mode for the hypervisor
      • Nested paging - memory virtualization
      • Address space identifiers (ASID) - fewer TLB flushes on switches
      • IOMMU - I/O virtualization
      • Event interception and injection - instruction virtualization
Design
  • Special Purpose Hypervisor
    • Thin and lean -> simplicity -> transparency and security
    • Xen, KVM or VMware: too complex -> bugs

[Figure: General purpose VMM vs. MAVMM]
Design
  • Boot-strapping the Hypervisor
    • Start earlier than the guest and run at a higher CPU privilege level
    • Two options:
      • Boot directly from a boot loader (chosen) -> small and simple
      • Run on top of or alongside a host OS
  • Protecting Hypervisor Memory
    • Nested page tables (NPT, AMD) <-> EPT (Intel)
    • Input/output memory management unit (IOMMU, AMD) <-> VT-d (Intel)
Design
  • Feature Extraction
    • Execution trace -> works like a run-time debugger
      • Set the TF flag in the rflags register to 1
    • Memory page
      • Fetch guest pointers from memory
      • Guest logical address -> host physical address
        • Segmentation unit and paging unit, with the help of the NPT
    • System calls
    • Network and disk access -> derived from system calls
Design
  • Getting analysis data -> via BIOS service or a simple driver
    • Use the same hard disk
    • Use a separate hard disk
    • Use a USB flash drive
    • Use a system port such as the serial port
  • Selective analysis -> minimize detectability
    • Compact mode: keep only a few interceptions activated
    • Full mode: all features mentioned
    • Monitor specific processes: process list, intercept writes to the paging base pointer (CR3 register)
    • Track sub-processes: system call tracing

Implementation
  • Uses AMD SVM technology
  • Started from TVMM
    • http://venus.is.s.u-tokyo.ac.jp/~kaneda/tvmm/
  • NPT, IOMMU, AMD SimNow
Implementation
  • Boot-strapping
    • Use the GRUB boot loader
      • GRUB starts -> MAVMM -> back to GRUB to boot the guest
    • Why not have MAVMM load the guest OS directly?
      • It would have to initialize the boot environment expected by the guest OS
      • It would have to be sure not to overwrite the guest OS image
      • Too complicated
    • Set the initial instruction pointer of the guest to 0x7c00:
      • 0x7c00: address at which the master boot record is loaded
Implementation
  • Protecting Hypervisor Memory
    • Create the NPT and fill it with an identity mapping
    • On a nested page fault, handle the fault and hide the VMM region
    • Use an external USB drive to virtualize the VMM region
    • Hide queries of the USB port
    • Use the Device Exclusion Vector (DEV) to protect the VMM from DMA by external devices
Implementation
  • Feature Extraction
    • System call
      • Entry: int 0x80 or sysenter
      • Return: iret or sysexit
      • For int 0x80: use the control bit in the VMCB, read the EAX register (system call number)
      • Use iret interception with a thread ID mapping to handle some system calls (the useful data is only available after the handler returns)
      • For sysenter: modify the index in SYSENTER_CS_MSR to point to an unmapped segment -> #GP fault, which the VMM intercepts
Implementation
  • Feature Extraction
    • Network and File Access
      • Network:
        • sys_socketcall -> function number and arguments in EBX and ECX
        • Decode the sockaddr_in structure
        • Record IP addresses, port numbers and data
      • File:
        • sys_read and sys_write
        • Mapping from descriptor numbers of opened files to pathnames
        • Maintained from sys_open and sys_close
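The socketcall decoding described on this slide, as an added example that is not code from the MAVMM project: given the EAX/EBX/ECX values captured at an int 0x80 interception, read the argument array and the sockaddr_in from guest memory and record the destination IP and port. The guest_read helper, the 512-byte guest image and the 10.0.0.1:80 connect are constructed stand-ins; a real VMM would reach guest memory through segmentation, paging and the NPT.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>   /* ntohs/ntohl for sockaddr_in fields */

/* Constructed stand-in for guest memory (the real VMM would walk
   segmentation + paging + NPT to reach host physical memory). */
static uint8_t guest_mem[512];

static int guest_read(uint32_t gva, void *dst, size_t len) {
    if (gva + len < gva || gva + len > sizeof guest_mem) return -1;
    memcpy(dst, guest_mem + gva, len);
    return 0;
}

/* Linux i386 ABI at int 0x80: EAX = 102 (sys_socketcall),
   EBX = socket call number, ECX = guest pointer to a u32 args[] array. */
#define NR_SOCKETCALL 102
#define SYS_CONNECT   3
#define AF_INET_VAL   2

struct net_event { int call; uint32_t ip; uint16_t port; };

/* Returns 1 and fills ev for an AF_INET connect(), 0 if the event is
   not of interest, -1 if guest memory could not be read. */
int decode_socketcall(uint32_t eax, uint32_t ebx, uint32_t ecx,
                      struct net_event *ev) {
    uint32_t args[3];                         /* sockfd, sockaddr*, addrlen */
    struct { uint16_t family; uint16_t port; uint32_t addr; } sin;
    if (eax != NR_SOCKETCALL || ebx != SYS_CONNECT) return 0;
    if (guest_read(ecx, args, sizeof args)) return -1;
    if (args[2] < sizeof sin || guest_read(args[1], &sin, sizeof sin)) return -1;
    if (sin.family != AF_INET_VAL) return 0;  /* only IPv4 is recorded here */
    ev->call = SYS_CONNECT;
    ev->port = ntohs(sin.port);               /* network byte order in guest */
    ev->ip   = ntohl(sin.addr);
    return 1;
}

/* Constructed guest image: args[] at 0x100 pointing at a sockaddr_in at
   0x40 that holds 10.0.0.1:80 (hypothetical values, not from the paper). */
void setup_sample_guest(void) {
    uint32_t args[3] = { 5, 0x40, 16 };
    uint8_t sin[16] = { 2, 0, 0x00, 0x50, 10, 0, 0, 1 };
    memset(guest_mem, 0, sizeof guest_mem);
    memcpy(guest_mem + 0x100, args, sizeof args);
    memcpy(guest_mem + 0x40, sin, sizeof sin);
}
```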
Implementation
  • Feature Extraction
    • Getting Analysis Data
      • Bind a virtual serial port in SimNow to a real port on the host
      • External USB drive -> device hiding and I/O access mechanism
    • Selective Analysis
      • Use a guest program, mavmm-u, and the VMMCALL instruction
      • Compact mode and full mode
      • Remove the binary file and traces of its existence before executing the malware
Implementation
  • Transparent Event Forwarding
    • Track system calls without hardware virtualization support
    • Intercept the iret instruction and modifications of CR3
    • Set the TF flag to 1 in the rflags register -> #DB fault
    • Works well for most interceptions except interrupts and exceptions
    • Forwarding of these two events is already supported
Evaluation
  • In the AMD SimNow simulator
  • Simulated machine: 900MHz processor and 256MB of RAM
  • SimNow host: 2.4GHz Intel Core 2 CPU with 2.5GB RAM
  • x86_64 Ubuntu Linux 8.04
  • Kernel 2.6.24-24
Evaluation
  • Functionality
    • Fine-grained tracking
    • A simple “Hello world” program
Evaluation
  • Functionality
    • High-level tracking
      • Monitor the boot process of tty Linux 8.0 -> 21953 system calls
      • Rootkit.Linux.Agent.30.Chsh
Evaluation
  • Detectability
    • Red Pill: sensitive but non-privileged instruction
    • Local descriptor table register check
    • VMware I/O channel
    • Virtual PC special instructions
    • Machine status word check
    • Xen CPUID check
Evaluation
  • Security
    • TLB profiling attack
      • MAVMM does not support multiple guest VM instances
      • Smaller VMM, so fewer TLB entries are written
    • External timing attack
      • Complex and expensive
      • Needs root privilege, a huge amount of CPU cycles, an external timing source and prior knowledge of the target system
    • Trusted computing base
Evaluation
  • Performance Overhead
    • Compact mode and full mode, compared with running outside the hypervisor
    • Each program run five times; the average is shown
    • Future: switch to USB logging, batch the data dumps
Conclusion
  • A lightweight VMM designed specifically for malware analysis
  • Hardware virtualization support
    • Simplicity, security and transparency
  • Extracts useful information
  • Easy to add new functions