SubVirt: Implementing malware with virtual machines
Presentation Transcript
SubVirt: Implementing malware with virtual machines

Samuel T. King, Peter M. Chen (University of Michigan)
Yi-Min Wang, Chad Verbowski, Helen J. Wang, Jacob R. Lorch (Microsoft Research)

Motivation
  • Attackers and defenders strive for control
    • Attackers monitor and perturb execution
      • Avoid defenders
    • Defenders detect and remove the attacker
    • Control belongs to the lower layers

[Diagram: attackers and defenders contending over a layered stack: App1, App2 / Operating system / Hardware]

Virtual-machine based rootkits (VMBRs)
  • VMM runs beneath the OS
    • Effectively new processor privilege level
  • Fundamentally more control
  • No visible states or events
  • Easy to develop malicious services
Virtual-machine based rootkits (VMBRs)

[Diagram: before infection: App1, App2 / Target OS / Hardware. After infection: App1, App2 / Target OS, alongside an attack system, both running above VMM / Hardware]

Outline
  • Installing a VMBR
  • Maintaining control
  • Malicious services
  • Defending against this threat
  • Proof-of-concept VMBRs

[Slide annotations: "Attacker's perspective" and "Defender's perspective" brace the outline items]

Installation
  • Assume attacker has kernel privilege
    • Traditional remote exploit
    • Bribe employee
    • Malicious bootable CD-ROM
  • Install during shutdown
    • Few processes running
    • Efforts to prevent notification of activity
Installing a VMBR
  • Modify the boot sequence

[Diagram: normal boot sequence: BIOS → master boot record → boot sector → OS]

Installing a VMBR
  • Modify the boot sequence

[Diagram: modified boot sequence: BIOS → master boot record → VMBR loads → BIOS → boot sector → OS, with the later stages now running on top of the VMBR]

Maintaining control
  • On a hardware reset the VMBR loses control
  • Give the illusion of a reset without losing control
  • Reboot is easy, shutdown is harder

[Diagram: boot sequence: BIOS → master boot record → VMBR loads → BIOS → boot sector → OS]

Maintaining control
  • ACPI BIOS used for low power mode
    • Spin down disks
    • Display low power mode
    • Change power LED
  • Illusion of power off, emulate shutdown
  • Control the power button
  • System functionally unchanged
Malicious services
  • Advantages of high and low layer malware
    • Provides a low layer implementation
    • Still easy to implement services
  • Use a separate attack OS to implement them

[Diagram: App / Attack OS beside App1, App2 / Target OS, both running above VMM / Hardware]

Malicious services
  • Zero interaction malicious services
    • E.g., phishing web server
  • Passive monitoring
    • E.g., keystroke logger, file system scanner
  • Active execution modifications
    • E.g., defeat VM detection technique
  • All easy to implement
Defending against VMBRs
  • Detecting VMBRs
    • Perturbations
  • Where to run detection software
VMBR perturbations
  • Inherent
    • Timing of key events
    • Space
  • Hardware artifacts
    • Device differences
    • Processor not fully virtualizable
    • See paper for more details
  • Software artifacts
    • VM icon
    • Device names

[Slide annotation: a scale alongside the list runs from "Hard to hide" (top) to "Easy to hide" (bottom)]

Security software above
  • Attack state not visible
    • Can only detect side effects, e.g., timing
  • VMBR can manipulate execution
    • Clock controlled by VMBR
    • Prevent security service from running
    • Turn off network
    • Disable notification of intrusion
Security software below
  • More control, direct access to resources
    • Could detect states or events
  • Secure VMM and/or secure hardware
  • Boot from safe medium
    • Unplug machine from wall
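The boot-sequence modification described under "Installing a VMBR" is what a defender booting from a safe medium would inspect for. As an added example (not code from the SubVirt talk or paper), this Python check parses a raw 512-byte master boot record, verifies its signature and partition table, and compares the boot code against a trusted baseline hash; the MBR images and baseline are constructed for the demo.

```python
import hashlib
import struct
SECTOR = 512
BOOT_CODE_LEN = 446      # bytes 0..445: the code the BIOS jumps to first
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"  # bytes 510..511

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, used partition entries and signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": parts,
            "signature_ok": sector[510:512] == SIGNATURE}

def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return findings; an empty list means the MBR matches the trusted baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(mbr["boot_code"]).hexdigest()
    if digest != baseline_sha256:
        findings.append("boot code hash %s.. differs from baseline %s.." % (digest[:12], baseline_sha256[:12]))
    active = [p for p in mbr["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append("expected one active partition, found %d" % len(active))
    return findings

def make_mbr(boot_code: bytes, partitions) -> bytes:
    """Build a constructed sample MBR; partitions are (status, type, lba_start, sectors)."""
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in partitions).ljust(64, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + SIGNATURE
# Constructed demo data (not a real disk image): a stub boot code and one active Linux partition.
CLEAN_BOOT_CODE = b"\xfa\x31\xc0\x8e\xd8".ljust(BOOT_CODE_LEN, b"\x00")
CLEAN_MBR = make_mbr(CLEAN_BOOT_CODE, [(0x80, 0x83, 2048, 409600)])
BASELINE = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()   # recorded from a known-good boot
# Simulate a boot-sequence modification: the first instruction now jumps somewhere else.
TAMPERED_MBR = b"\xeb\x40" + CLEAN_MBR[2:]

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(image, BASELINE) or "OK")
```

Run the check from a medium you trust, since a VMBR beneath the running OS can present a clean MBR to software above it.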
Proof-of-concept VMBRs
  • VMware / Linux host
  • Virtual PC / Windows XP host
  • Host OS was attack OS
  • Malware payload ~100MB compressed
  • Non-fully-virtualizable ISA
    • Hiding this would degrade performance
  • Software emulated devices
    • Host OSes had wide range of drivers
Proof-of-concept VMBRs
  • Implemented four malicious services
    • Phishing web server
    • Keystroke logger + password parser
    • File system scanner
    • Countermeasure to detection tool
  • Installation scripts and modules
  • ACPI shutdown emulation
    • Both sleep states and power button control
Related work
  • Layer below attacks
    • Kernel layer rootkits
  • VMMs for security
    • Trusted VMMs: Terra, NGSCB
    • Detect intrusions: VMI, IntroVirt
    • Isolation: NSA’s NetTop
    • Analyze intrusions: ReVirt
  • Current defenses
    • Secure/trusted boot
    • Pioneer
Conclusion
  • Realistic threat
    • Qualitatively more control
    • Still easy to implement services
    • Proof-of-concept VMBRs could be detected
    • HW enhancements might make them more effective
  • Defending is possible
    • Best way is for defenders to control the low layers
Hardware artifacts
  • Non-fully-virtualizable processor
  • Computers have diverse hardware
    • Allow target OS to provide drivers
    • Device DMA unsafe, might expose VMBR
    • Results in different / incomplete visible HW
  • Enhancements to MMU
    • Allow target OS to run many drivers directly
Software artifacts
  • Implementations make VMM visible
  • VMware / Virtual PC hypercalls
    • E.g. GetVersion()
  • VMware icon
  • Name of virtual hardware
  • Etc…
Performance
  • Non fully virtualizable hardware tradeoff
    • Performance vs. perfect virtualization
    • Dynamic binary translation
    • Paravirtualization
  • Simplified driver interface
  • Effects of HW enhancements unknown
Impact of VM-enhanced hardware
  • VMBR allows the target to run most HW
    • Only emulate devices needed for virt
      • E.g., disk, network
    • Target can drive everything else
      • Display, USB
  • Better device performance
  • Smaller VMBR payload
Defeating the “redpill”
  • Easy to detect a VM on non-virtualizable x86
  • “Redpill” uses instructions that leak info
  • Interpose on key Windows functions
    • Fix up the “redpill” app to avoid VM detection
  • Uses virtual-machine introspection