MAVMM: Lightweight and Purpose Built VMM for Malware Analysis

Yang Feng

Jan 6th 2011


Outline

  • Introduction

  • Design

  • Implementation

  • Evaluation

  • Conclusion


Introduction

  • Traditional tools:

    • Disassembling

    • Dynamic black box analysis

    • Debugging

  • Virtualization Technology

    • Strong isolation; take snapshots and roll back the guest’s state

    • Monitor virtual-machine-based rootkits


Introduction (cont.)

  • Virtualization Technology

    • Malware can detect the virtual machine to evade detection and prevent analysis

      • Side channels and artifacts of the platform

    • General-purpose VMMs are not suitable for malware analysis

      • Designed for functionality and performance

      • Complex virtual device emulation exposes many vulnerabilities


Introduction (cont.)

  • MAVMM

    • A VMM focused on malware analysis

    • Hardware support for virtualization

    • Keep the VMM small and simple

    • Smaller TCB (trusted computing base)

    • Functions: execution trace, memory dump, system calls, disk access and network interaction

    • Detectability


Design

  • Independent of the virtualization platform and guest operating system

  • Use hardware virtualization technology

    • Faster virtualization performance

    • Simplifies the VMM implementation

    • Advantages:

      • Additional CPU mode for the hypervisor

      • Nested paging: memory virtualization

      • Address space identifiers (ASID): reduce TLB flushes on switches

      • IOMMU: I/O virtualization

      • Event interception and injection: instruction virtualization


Design (cont.)

  • Special Purpose Hypervisor

    • Thin and lean -> simplicity -> transparency and security

    • Xen, KVM or VMware: too complex -> bugs

[Figure: general-purpose VMM compared with MAVMM]


Design (cont.)

  • Boot-strapping the Hypervisor

    • Start earlier than the guest and run at a higher CPU privilege level

    • Two options:

      • Boot directly from a boot loader (chosen) -> small and simple

      • Run on top of or alongside a host OS

  • Protecting Hypervisor Memory

    • Nested page tables (NPT) <-> Intel EPT

    • I/O memory management unit (IOMMU) <-> Intel VT-d


Design (cont.)

  • Feature Extraction

    • Execution trace -> run-time debugger

      • Set the TF flag in the rflags register to 1 (single-step)

    • Memory pages

      • Fetch guest pointers from memory

      • Guest logical address -> host physical address

        • Walk the segmentation unit and the paging unit, with the help of the NPT

    • System calls

    • Network and disk access -> derived from system calls


Design (cont.)

  • Getting analysis data -> via a BIOS service or a simple driver

    • Use the same hard disk

    • Use a separate hard disk

    • Use a USB flash drive

    • Use a system port such as a serial port

  • Selective analysis -> minimize detectability

    • Compact mode: keep only a few interceptions active

    • Full mode: all features mentioned

    • Monitor specific processes: keep a process list, intercept writes to the page table base pointer (CR3 register)

    • Track sub-processes: system call tracing


Implementation

  • Uses AMD SVM technology

  • Started from TVMM

    • http://venus.is.s.u-tokyo.ac.jp/~kaneda/tvmm/

  • NPT, IOMMU, AMD SimNow


Implementation (cont.)

  • Boot-strapping

    • Use the GRUB boot loader

      • GRUB starts -> MAVMM -> GRUB

    • Why doesn't MAVMM load the guest OS directly?

      • It would have to initialize the boot environment expected by the guest OS

      • and make sure it does not overwrite the guest OS image

      • Too complicated

    • Set the guest's initial instruction pointer to 0x7c00:

      • 0x7c00: address at which the master boot record is loaded


Implementation (cont.)

  • Protecting Hypervisor Memory

    • Create the NPT and fill it with an identity mapping

    • A guest access to the VMM region raises a nested page (NP) fault; handle the fault and hide the region

    • Use an external USB drive to virtualize the VMM region

    • Hide queries of the USB port

    • Use the Device Exclusion Vector (DEV) to protect the VMM from DMA by external devices
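The guest-logical to host-physical walk from the Design slide (segmentation unit, paging unit, then the NPT) and the identity-mapped NPT with a hidden VMM region from this slide, modelled together in Python. This is an added example written for this transcript, not MAVMM's own code: the 32-bit two-level guest page tables, the flat guest segment, the 256 MB identity NPT, the VMM region address 0x0F000000 and the rule that a hidden page reads as zero after the fault is handled are all constructed assumptions; the real SVM NPT entry format and the VMCB-driven #NPF exit are not modelled.

```python
"""Model of MAVMM-style two-stage address translation (added example, not project code).

Guest logical -> guest linear (segmentation) -> guest physical (guest page
tables) -> host physical (nested page table, NPT).  The NPT is an identity map
of guest RAM with the hypervisor's own region left unmapped, so a guest touch
of that region raises a nested page fault that the VMM handles and hides.
"""

PAGE_SHIFT = 12
PAGE_MASK = ~0xFFF
GUEST_RAM = 256 << 20                       # 256 MB guest, as in the evaluation setup
VMM_BASE, VMM_SIZE = 0x0F000000, 1 << 20    # constructed: where the VMM image lives


class GuestFault(Exception):
    """Fault that would be injected back into the guest (#GP, #PF)."""


class NestedPageFault(Exception):
    """#NPF: the guest-physical address has no NPT mapping (VMM handles it)."""


# Constructed guest segment table: selector -> (base, limit); 0x23 is a flat segment.
GUEST_SEGMENTS = {0x23: (0x0, 0xFFFFFFFF), 0x2B: (0x10000, 0xFFF)}

# Constructed host memory: 32-bit words at host-physical addresses.  Because the
# NPT is an identity map, the guest's page tables sit at the same numbers.
HOST_MEM = {
    0x1080: 0x00002003,    # PDE[32]  -> page table at 0x2000 (present, rw)
    0x2120: 0x00200007,    # PTE[72]  -> frame 0x00200000 (present, rw, user)
    0x1C0C: 0x00003003,    # PDE[771] -> page table at 0x3000
    0x3C00: 0x0F000003,    # PTE[768] -> frame 0x0F000000, i.e. the VMM region
    0x200120: 0xDEADBEEF,  # data the guest program will read
}


def build_identity_npt(ram_bytes, hidden_base, hidden_size):
    """Identity-map every guest page except the hypervisor's own pages."""
    npt = {}
    for gpa in range(0, ram_bytes, 1 << PAGE_SHIFT):
        if not hidden_base <= gpa < hidden_base + hidden_size:
            npt[gpa] = gpa
    return npt


NPT = build_identity_npt(GUEST_RAM, VMM_BASE, VMM_SIZE)
NPF_LOG = []   # guest-physical addresses whose access the VMM hid


def nested_translate(gpa):
    """Guest physical -> host physical through the NPT; #NPF if unmapped."""
    hpa_page = NPT.get(gpa & PAGE_MASK)
    if hpa_page is None:
        raise NestedPageFault(gpa)
    return hpa_page | (gpa & 0xFFF)


def read_guest_u32(gpa):
    """Read a guest-physical word the way the VMM does: via the NPT.
    A hit on the hidden VMM region is logged and answered with zeros
    (modelling assumption for 'handle the fault and hide')."""
    try:
        hpa = nested_translate(gpa)
    except NestedPageFault:
        NPF_LOG.append(gpa)
        return 0
    return HOST_MEM.get(hpa, 0)


def logical_to_linear(selector, offset):
    """Segmentation unit: base + offset with a limit check (#GP on overflow)."""
    base, limit = GUEST_SEGMENTS[selector]
    if offset > limit:
        raise GuestFault("#GP: offset beyond segment limit")
    return (base + offset) & 0xFFFFFFFF


def linear_to_guest_physical(cr3, linear):
    """Paging unit: 32-bit two-level walk (PDE, PTE), reading tables via the NPT."""
    pde = read_guest_u32((cr3 & PAGE_MASK) + ((linear >> 22) & 0x3FF) * 4)
    if not pde & 1:
        raise GuestFault("#PF: page directory entry not present")
    pte = read_guest_u32((pde & PAGE_MASK) + ((linear >> 12) & 0x3FF) * 4)
    if not pte & 1:
        raise GuestFault("#PF: page table entry not present")
    return (pte & PAGE_MASK) | (linear & 0xFFF)


def guest_pointer_to_host(selector, offset, cr3):
    """Full chain used to fetch a guest pointer: logical -> linear -> gPA -> hPA."""
    gpa = linear_to_guest_physical(cr3, logical_to_linear(selector, offset))
    return nested_translate(gpa)


def is_hidden(selector, offset, cr3):
    """True when the guest address resolves into the unmapped VMM region."""
    gpa = linear_to_guest_physical(cr3, logical_to_linear(selector, offset))
    return (gpa & PAGE_MASK) not in NPT


if __name__ == "__main__":
    CR3 = 0x1000   # constructed: guest page directory at gPA 0x1000
    hpa = guest_pointer_to_host(0x23, 0x08048120, CR3)
    print(f"0x23:0x08048120 -> hPA {hpa:#x} holds {HOST_MEM[hpa]:#x}")
    print("guest kernel mapping of the VMM is hidden:", is_hidden(0x23, 0xC0F00000, CR3))
```

The walk reads the guest's own page-table entries through the NPT, which is why the hypervisor can resolve any guest pointer without trusting guest code; the hidden region shows up only as a missing NPT entry, so the guest sees a nested page fault handled behind its back rather than the VMM's memory.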


Implementation (cont.)

  • Feature Extraction

    • System calls

      • Entry: int 0x80 or sysenter

      • Exit: iret or sysexit

      • For int 0x80: set the intercept control bit in the VMCB, read the EAX register (system call number)

      • Use iret interception with a thread ID mapping for system calls whose useful data is only available after the handler returns

      • For sysenter: modify the selector in SYSENTER_CS_MSR to point to an unmapped segment -> #GP fault


Implementation (cont.)

  • Feature Extraction

    • Network and File Access

      • Network:

        • sys_socketcall: function number in EBX, pointer to the argument array in ECX

        • Parse the sockaddr_in structure

        • Record IP addresses, port numbers and data

      • File:

        • sys_read and sys_write

        • Maintain a mapping from descriptor numbers of opened files to pathnames

        • built from sys_open and sys_close
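The socketcall and file-descriptor bookkeeping from this slide, the "useful data is after the handler" point from the previous slide (the sys_open result is only known at iret) and the CR3-based process filter from the selective analysis slide, as one added Python example. It is written for this transcript and is not MAVMM's own code: the trace events, guest memory contents, CR3 values and the 203.0.113.7:4444 peer are constructed; the i386 system call numbers and socketcall sub-function numbers are the Linux 2.6 ABI values; and the decoder runs over a captured trace rather than inside a hypervisor.

```python
"""Decoder for intercepted int 0x80 system calls (added example, not MAVMM code).

Each trace event carries the registers seen at the int 0x80 intercept and the
EAX value seen at the matching iret, which is where results such as the file
descriptor returned by sys_open become available.  Only processes whose CR3 is
in the monitored set are decoded (selective analysis).
"""
import struct
from dataclasses import dataclass

# i386 system call numbers and socketcall sub-functions (Linux 2.6 ABI).
SYS_READ, SYS_WRITE, SYS_OPEN, SYS_CLOSE, SYS_SOCKETCALL = 3, 4, 5, 6, 102
SOCKETCALL = {1: "socket", 3: "connect", 9: "send", 10: "recv"}
AF_INET = 2


@dataclass
class SyscallEvent:
    cr3: int    # page-table base of the calling process (from the CR3 intercept)
    eax: int    # system call number at int 0x80
    ebx: int    # first argument
    ecx: int    # second argument
    edx: int    # third argument
    ret: int    # EAX at the matching iret (result)


class GuestMemory:
    """Byte-addressable guest memory snapshot (constructed for the example)."""
    def __init__(self):
        self.bytes = {}

    def write(self, addr, data):
        for i, b in enumerate(data):
            self.bytes[addr + i] = b

    def read(self, addr, n):
        return bytes(self.bytes.get(addr + i, 0) for i in range(n))

    def read_u32(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]

    def read_cstr(self, addr, limit=256):
        return self.read(addr, limit).split(b"\0", 1)[0].decode("latin-1")


def parse_sockaddr_in(raw):
    """sin_family is host (little) endian, sin_port is network (big) endian."""
    family = struct.unpack_from("<H", raw, 0)[0]
    port = struct.unpack_from("!H", raw, 2)[0]
    ip = ".".join(str(b) for b in raw[4:8])
    return family, ip, port


class SyscallDecoder:
    def __init__(self, mem, monitored_cr3):
        self.mem = mem
        self.monitored = set(monitored_cr3)
        self.fds = {}        # (cr3, fd) -> pathname or connected peer
        self.records = []

    def handle(self, ev):
        if ev.cr3 not in self.monitored:     # not a monitored process: skip
            return
        key = (ev.cr3, ev.ebx)
        if ev.eax == SYS_OPEN:
            path = self.mem.read_cstr(ev.ebx)
            if ev.ret >= 0:                  # descriptor is known only at iret
                self.fds[(ev.cr3, ev.ret)] = path
            self.records.append(("open", path, ev.ret))
        elif ev.eax == SYS_CLOSE:
            self.records.append(("close", self.fds.pop(key, f"fd{ev.ebx}")))
        elif ev.eax in (SYS_READ, SYS_WRITE):
            name = self.fds.get(key, f"fd{ev.ebx}")
            n = max(ev.ret, 0)
            data = self.mem.read(ev.ecx, min(n, 32))   # buffer at ECX, length in EDX
            self.records.append(("read" if ev.eax == SYS_READ else "write", name, n, data))
        elif ev.eax == SYS_SOCKETCALL:
            self.handle_socketcall(ev)

    def handle_socketcall(self, ev):
        func = SOCKETCALL.get(ev.ebx, f"socketcall{ev.ebx}")
        args = [self.mem.read_u32(ev.ecx + 4 * i) for i in range(4)]
        if func == "socket" and ev.ret >= 0:
            self.fds[(ev.cr3, ev.ret)] = "socket"
            self.records.append(("socket", ev.ret))
        elif func == "connect":
            family, ip, port = parse_sockaddr_in(self.mem.read(args[1], args[2]))
            if family == AF_INET:
                self.fds[(ev.cr3, args[0])] = f"{ip}:{port}"
            self.records.append(("connect", args[0], ip, port, ev.ret))
        elif func == "send":
            peer = self.fds.get((ev.cr3, args[0]), f"fd{args[0]}")
            self.records.append(("send", peer, self.mem.read(args[1], args[2])))
        else:
            self.records.append((func, args))


def run_sample():
    """Constructed trace: a monitored process reads a file, then phones home."""
    mem = GuestMemory()
    mem.write(0x0804A000, b"/etc/passwd\0")
    mem.write(0x0804B000, b"root:x:0:0:root:/root:/bin/sh\n")
    mem.write(0xBFFF0000, struct.pack("<III", AF_INET, 1, 0))        # socket args
    mem.write(0xBFFF0100, struct.pack("<III", 4, 0xBFFF0200, 16))    # connect args
    mem.write(0xBFFF0200, struct.pack("<H", AF_INET) + struct.pack("!H", 4444)
              + bytes([203, 0, 113, 7]) + bytes(8))                  # sockaddr_in
    mem.write(0xBFFF0300, struct.pack("<IIII", 4, 0x0804C000, 5, 0)) # send args
    mem.write(0x0804C000, b"hello")
    proc, other = 0x1A000000, 0x1B000000      # CR3 values (constructed)
    events = [
        SyscallEvent(proc, SYS_OPEN, 0x0804A000, 0, 0, 3),
        SyscallEvent(proc, SYS_READ, 3, 0x0804B000, 64, 30),
        SyscallEvent(other, SYS_WRITE, 1, 0x0804B000, 5, 5),    # unmonitored process
        SyscallEvent(proc, SYS_CLOSE, 3, 0, 0, 0),
        SyscallEvent(proc, SYS_SOCKETCALL, 1, 0xBFFF0000, 0, 4),
        SyscallEvent(proc, SYS_SOCKETCALL, 3, 0xBFFF0100, 0, 0),
        SyscallEvent(proc, SYS_SOCKETCALL, 9, 0xBFFF0300, 0, 5),
    ]
    dec = SyscallDecoder(mem, [proc])
    for ev in events:
        dec.handle(ev)
    return dec.records
```

The descriptor table is keyed by (CR3, fd) rather than by fd alone because descriptor numbers are reused across processes; that is the same reason the slide pairs iret interception with a thread ID mapping.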


Implementation (cont.)

  • Feature Extraction

    • Getting Analysis Data

      • Bind a virtual serial port in SimNow to a real port on the host

      • External USB drive -> needs a device-hiding and I/O access mechanism

    • Selective Analysis

      • Controlled by a guest program, mavmm-u, using VMMCALL instructions

      • Compact mode and full mode

      • Remove the binary and any trace of its existence before executing the malware


Implementation (cont.)

  • Transparent Event Forwarding

    • System call tracking has no direct hardware virtualization support

    • Intercept the iret instruction and modifications of CR3

    • Set the TF flag in the rflags register to 1 -> #DB fault

    • Works well for most interceptions, except interrupts and exceptions

    • Forwarding of these two events is already supported


Evaluation

  • In the AMD SimNow simulator

  • Simulated machine: 900 MHz processor and 256 MB of RAM

  • SimNow host: 2.4 GHz Intel Core 2 CPU with 2.5 GB RAM

  • x86_64 Ubuntu Linux 8.04

  • Kernel 2.6.24-24


Evaluation (cont.)

  • Functionality

    • Fine-grained tracking

    • A simple “Hello world” program


Evaluation (cont.)

  • Functionality

    • High-level tracking

      • Monitor the boot process of ttylinux 8.0 -> 21953 system calls

      • Rootkit.Linux.Agent.30.Chsh


Evaluation (cont.)

  • Detectability

    • Red Pill: sensitive but unprivileged instruction

    • Local descriptor table register (LDTR) check

    • VMware I/O channel

    • Virtual PC special instructions

    • Machine state word check

    • Xen CPUID check


Evaluation (cont.)

  • Security

    • TLB profiling attack

      • MAVMM does not support multiple guest VM instances

      • Smaller VMM, fewer TLB entries written

    • External timing attack

      • Complex and expensive

      • Requires root privilege, a huge number of CPU cycles, an external timing source and prior knowledge of the target system

    • Trusted computing base


Evaluation (cont.)

  • Performance Overhead

    • Compared compact mode, full mode and running outside the hypervisor

    • Each program run five times; the average is shown

    • Future: switch to USB logging, batch data dumps


Conclusion

  • A lightweight VMM designed specially for malware analysis

  • Hardware virtualization support

    • Simplicity, security and transparency

  • Extract useful information

  • Easy to add new functions


Thanks!