SubVirt: Implementing malware with virtual machines (presentation transcript)


Presentation Transcript



SubVirt: Implementing malware with virtual machines

Samuel T. King, Peter M. Chen (University of Michigan)

Yi-Min Wang, Chad Verbowski, Helen J. Wang, Jacob R. Lorch (Microsoft Research)



Motivation

[Slide labels: Attackers; Defenders]

  • Attackers and defenders strive for control

    • Attackers monitor and perturb execution

      • Avoid defenders

    • Defenders detect and remove attacker

    • Lower layers control the layers above them

[Figure: layered stack: App1, App2 / Operating system / Hardware]



Virtual-machine based rootkits (VMBRs)

  • VMM runs beneath the OS

    • Effectively a new processor privilege level

  • Fundamentally more control

  • No visible states or events

  • Easy to develop malicious services



Virtual-machine based rootkits (VMBRs)

[Figure: before infection the stack is App1, App2 / Target OS / Hardware; after infection it is App1, App2 / Target OS next to the Attack system, both running on the VMM / Hardware]



Outline

  • Installing a VMBR

  • Maintaining control

  • Malicious services

  • Defending against this threat

  • Proof-of-concept VMBRs

[Slide labels: Attacker’s perspective; Defender’s perspective]



Installation

  • Assume attacker has kernel privilege

    • Traditional remote exploit

    • Bribe employee

    • Malicious bootable CD-ROM

  • Install during shutdown

    • Few processes running

    • Efforts to prevent notification of activity



Installing a VMBR

  • Modify the boot sequence

[Figure: normal boot sequence: BIOS → Master boot record → Boot sector → OS]



Installing a VMBR

  • Modify the boot sequence

[Figure: modified boot sequence: BIOS → VMBR loads → BIOS → Master boot record → Boot sector → OS]



Maintaining control

  • On a hardware reset the VMBR loses control

  • Give the illusion of a reset without losing control

  • Reboot is easy, shutdown is harder

[Figure: boot sequence with the VMBR in place: BIOS → VMBR loads → BIOS → Master boot record → Boot sector → OS]



Maintaining control

  • ACPI BIOS is used for low-power modes

    • Spin down disks

    • Put the display in low-power mode

    • Change the power LED

  • Create the illusion of power-off by emulating shutdown

  • Control the power button

  • System is functionally unchanged



Malicious services

  • Advantages of high and low layer malware

    • Provides low layer implementation

    • Still easy to implement services

  • Use a separate attack OS to implement

[Figure: App1, App2 on the Target OS and App on the Attack OS, side by side above the VMM / Hardware]



Malicious services

  • Zero interaction malicious services

    • E.g., phishing web server

  • Passive monitoring

    • E.g., keystroke logger, file system scanner

  • Active execution modifications

    • E.g., defeat VM detection technique

  • All easy to implement



Defending against VMBRs

  • Detecting VMBRs

    • Perturbations

  • Where to run detection software



VMBR perturbations

  • Inherent

    • Timing of key events

    • Space

  • Hardware artifacts

    • Device differences

    • Processor not fully virtualizable

    • See paper for more details

  • Software artifacts

    • VM icon

    • Device names

[Slide labels, top to bottom: Hard to hide; Easy to hide]
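The "Timing of key events" item is the perturbation the slide marks hardest to hide: an operation that traps to a VMM takes far longer than it does on bare metal. The Python below is an added example, not code from the SubVirt paper or talk. It shows how a detector can compare latency samples of one operation against a clean baseline using the median and median absolute deviation, so that a single interrupt-induced outlier in the baseline neither masks nor triggers a finding. The cycle counts, names and thresholds are constructed for illustration.

```python
"""Timing-based perturbation check (added example, not SubVirt code).

Assumes latency samples (e.g. cycle counts) were collected for the same
operation on a known-clean baseline run and on the system under test, using a
time source the system under test cannot adjust.
"""
import statistics

# Constructed samples, not real measurements.
# Baseline on a clean machine; the 5000 is a deliberate interrupt-induced outlier.
BASELINE_CYCLES = [120, 118, 122, 121, 119, 125, 117, 120, 5000]
# The same operation when it traps to a virtual machine monitor.
UNDER_TEST_VIRT = [2100, 1980, 2200, 2050, 2150, 1990, 2300, 2080]
# The same operation on another uninfected machine.
UNDER_TEST_CLEAN = [119, 121, 123, 118, 120, 122, 119, 121]


def median_mad(samples):
    """Median and median absolute deviation: robust to a few wild samples."""
    samples = list(samples)
    med = statistics.median(samples)
    mad = statistics.median([abs(s - med) for s in samples])
    return med, mad


def timing_anomaly(baseline, observed, min_ratio=4.0, min_sigmas=6.0):
    """Return (slowdown_ratio, flagged).

    flagged is True only when the observed median is both many times the
    baseline median and many robust sigmas away from it, so small drift in
    either direction is not reported.
    """
    b_med, b_mad = median_mad(baseline)
    o_med, _ = median_mad(observed)
    ratio = o_med / b_med
    # MAD scaled to approximate a normal-distribution sigma; floor avoids division by zero.
    sigma = max(1.4826 * b_mad, 1e-9)
    sigmas = (o_med - b_med) / sigma
    return ratio, (ratio >= min_ratio and sigmas >= min_sigmas)


if __name__ == "__main__":
    for label, samples in [("virtualized", UNDER_TEST_VIRT), ("clean", UNDER_TEST_CLEAN)]:
        ratio, flagged = timing_anomaly(BASELINE_CYCLES, samples)
        print("%-11s slowdown x%.1f  flagged=%s" % (label, ratio, flagged))
```

Because the "Security software above" slide notes that the VMBR controls the clock, the samples must come from a reference the system under test cannot adjust; fed only the guest's own clock readings, the ratio can be made to look normal.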



Security software above

  • Attack state not visible

    • Can only detect side effects, e.g., timing

  • VMBR can manipulate execution

    • Clock controlled by VMBR

    • Prevent security service from running

    • Turn off network

    • Disable notification of intrusion



Security software below

  • More control, direct access to resources

    • Could detect states or events

  • Secure VMM and/or secure hardware

  • Boot from safe medium

    • Unplug the machine from the wall
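The "Installing a VMBR" slides (the VMBR takes over by modifying the boot sequence) and the "Security software below" slide (boot from a safe medium and inspect the disk directly) together suggest one concrete defender check: read the master boot record from the raw disk and compare it against a baseline recorded on a known-clean system. The Python below is an added example, not code from the SubVirt authors. The MBR layout it parses is the standard one (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature); the sample sectors, the baseline and the finding strings are constructed here for illustration.

```python
"""Offline MBR integrity check (added example, not SubVirt code).

Assumes the defender booted from a trusted medium, read the first 512 bytes
of the physical disk, and has a baseline recorded earlier from a clean system.
"""
import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


@dataclass(frozen=True)
class Partition:
    status: int
    type_: int
    lba_start: int
    sectors: int


def parse_mbr(sector: bytes):
    """Return (boot_code, [Partition, ...]); raise ValueError on a malformed sector."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % MBR_SIZE)
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    boot_code = sector[:BOOT_CODE_LEN]
    parts = []
    for i in range(4):
        status, type_, lba, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if type_ != 0:  # type 0 marks an unused entry
            parts.append(Partition(status, type_, lba, count))
    return boot_code, parts


def record_baseline(sector: bytes) -> dict:
    """Capture what the clean sector looks like: hash of the boot code plus the partition table."""
    boot_code, parts = parse_mbr(sector)
    return {"boot_code_sha256": hashlib.sha256(boot_code).hexdigest(), "partitions": parts}


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    try:
        boot_code, parts = parse_mbr(sector)
    except ValueError as exc:
        return ["unparseable MBR: %s" % exc]
    findings = []
    if hashlib.sha256(boot_code).hexdigest() != baseline["boot_code_sha256"]:
        findings.append("boot code changed")
    if parts != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


# --- constructed sample sectors (not read from any real disk) ---------------
def build_mbr(boot_code: bytes, partitions) -> bytes:
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, p in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i,
                         p.status, p.type_, p.lba_start, p.sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40  # stand-in for real bootstrap code
CLEAN_PARTS = [Partition(0x80, 0x83, 2048, 409600)]                    # one active partition
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, CLEAN_PARTS)
BASELINE = record_baseline(CLEAN_MBR)

# Same partition table, but bytes 0..445 replaced: the boot sequence now starts somewhere else.
TAMPERED_MBR = build_mbr(b"\xeb\x3c\x90" + b"\xcc" * 45, CLEAN_PARTS)

# Same boot code, but an extra inactive entry claims disk space the baseline did not have.
HIDDEN_PART_MBR = build_mbr(CLEAN_BOOT_CODE, CLEAN_PARTS + [Partition(0x00, 0x83, 411648, 204800)])

if __name__ == "__main__":
    for name, sector in [("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR), ("extra-part", HIDDEN_PART_MBR)]:
        print(name, check_mbr(sector, BASELINE) or ["matches baseline"])
```

The check only means something when the sector is read from the physical disk after a trusted boot: read from inside the target OS, a VMBR beneath it can present a virtual disk whose first sector looks clean, which is the "Attack state not visible" point from the previous slide. A changed partition table is not proof of infection on its own, but it is exactly the kind of on-disk state that software below the OS can see and software above it cannot.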



Proof-of-concept VMBRs

  • VMware / Linux host

  • Virtual PC / Windows XP host

  • Host OS was attack OS

  • Malware payload ~100 MB compressed

  • Not fully virtualizable ISA

    • Fully virtualizing it would degrade performance

  • Software emulated devices

    • Host OSes had wide range of drivers



Proof-of-concept VMBRs

  • Implemented four malicious services

    • Phishing web server

    • Keystroke logger + password parser

    • File system scanner

    • Countermeasure to detection tool

  • Installation scripts and modules

  • ACPI shutdown emulation

    • Both sleep states and power button control



Related work

  • Layer-below attacks

    • Kernel layer rootkits

  • VMMs for security

    • Trusted VMMs: Terra, NGSCB

    • Detect intrusions: VMI, IntroVirt

    • Isolation: NSA’s NetTop

    • Analyze intrusions: ReVirt

  • Current defenses

    • Secure/trusted boot

    • Pioneer



Conclusion

  • Realistic threat

    • Qualitatively more control

    • Still easy to implement services

    • Proof-of-concept VMBRs could be detected

    • Hardware enhancements might make VMBRs more effective

  • Defending is possible

    • The best way is for defenders to control the low layers



Questions



Hardware artifacts

  • Not fully virtualizable processor

  • Computers have diverse hardware

    • Allow target OS to provide drivers

    • Device DMA unsafe, might expose VMBR

    • Results in different / incomplete visible HW

  • Enhancements to MMU

    • Allow target OS to run many drivers directly



Software artifacts

  • Implementations make VMM visible

  • VMware / Virtual PC hypercalls

    • E.g. GetVersion()

  • VMware icon

  • Name of virtual hardware

  • Etc…



Performance

  • Tradeoff on hardware that is not fully virtualizable

    • Performance vs. perfect virtualization

    • Dynamic binary translation

    • Paravirtualization

  • Simplified driver interface

  • Effects of HW enhancements unknown



Impact of VM enhanced hardware

  • VMBR allows the target to run most hardware

    • Only emulate devices needed for virt

      • E.g., disk, network

    • Target can drive everything else

      • Display, USB

  • Better device performance

  • Smaller VMBR payload



Defeating the “redpill”

  • Easy to detect a VM on non-virtualizable x86

  • “Redpill” uses instructions that leak VM information

  • Interpose on key Windows functions

    • Fix up the “redpill” app to avoid VM detection

  • Uses virtual-machine introspection

