Using Virtual Machines to Do Cross-Layer Damage Assessment
Xiaoqi Jia, Shengzhi Zhang, Jiwu Jing, Peng Liu
Presenter: Shengzhi Zhang
VMSec’08, Fairfax, VA, October 31st, 2008

Outline
• Motivation
• Solution: PEDA
• Details about Offline Damage Assessment
• Preliminary Evaluation
• Contribution
Motivation
• Scope
  • Enterprise system
  • Information assets: data and code
• Multi-level damage assessment
  • System administrator
  • CEO
• Damage assessment in the business world
  • Hate to shut down the service
  • Availability loss is unavoidable
  • Record exactly what happened
Motivation (cont’)
• Do some kind of ‘auditing’
  • System call level
    • Lightweight
    • Insufficient
  • Instruction level
    • Overhead
    • Fine grained
• Conflicting requirements
  • Response time
  • Accuracy
• Multi-level DA information
Outline
• Motivation
• Solution: PEDA
• Details about PEDA
• Preliminary Evaluation
• Contribution
PEDA
• PEDA: Production Environment Damage Assessment, solving the conflict
  • Accuracy: fine grained
    • QEMU: an instruction translator
  • Response time: offline damage assessment
• Back end: QEMU
• Front end: Xen
• Replay
  • Initial state + non-deterministic events
• Multi-level DA
Outline
• Motivation
• Solution: PEDA
• Details about Offline DA
• Preliminary Evaluation
• Contribution
Details about Offline DA (1)
• Instruction level taint analysis
  • Taint seed: 0xb80b5bd0
  • addl 0xb80b5bd0 %ebx   → taint data: %ebx
  • movl 0xb80b5bd0 %eax   → taint data: %eax
  • movl %eax 0xb80cd672   → taint data: 0xb80cd672
Details about Offline DA (2)
• Data flow and control flow
Details about Offline DA (3)
• Integrate multi-level taint analysis
  • Instruction level taint analysis
    • Which part of memory/file
    • How to propagate
  • Process level taint analysis
    • Which process/transaction
    • How to propagate
  • Reconstruction
    • Semantic gap
    • Maintain a mapping
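As an added example (not from the slides or the PEDA implementation), this toy Python tracker replays the instruction-level trace of slide (1) and layers on the process-level mapping of slide (3): tainted memory cells are resolved to the pid that owns them. The `OWNER` pid mapping and the fourth, clean-overwrite instruction are constructed assumptions that go slightly beyond the slide to show taint being cleared.

```python
from dataclasses import dataclass, field

@dataclass
class TaintState:
    mem: set = field(default_factory=set)   # tainted memory operands (one cell per address)
    regs: set = field(default_factory=set)  # tainted registers

def is_mem(op):
    return op.startswith("0x")

def tainted(state, op):
    return op in (state.mem if is_mem(op) else state.regs)

def set_taint(state, op, flag):
    target = state.mem if is_mem(op) else state.regs
    target.add(op) if flag else target.discard(op)

def step(state, instr):
    """One AT&T-syntax 'op src, dst' instruction: mov copies the source's taint
    (a clean source clears dst), add taints dst if either operand was tainted."""
    mnem, operands = instr.split(None, 1)
    src, dst = [o.strip() for o in operands.split(",")]
    if mnem.startswith("mov"):
        set_taint(state, dst, tainted(state, src))
    elif mnem.startswith("add"):
        set_taint(state, dst, tainted(state, src) or tainted(state, dst))
    else:
        raise ValueError(f"unsupported mnemonic: {mnem}")  # never guess propagation
    return state

def run(seed, trace):
    """Instruction-level layer: start with the seed address tainted and replay."""
    state = TaintState(mem={seed})
    for instr in trace:
        step(state, instr)
    return state

def tainted_processes(state, owner):
    """Process-level layer: owner maps a memory operand to the pid of the address
    space it lives in, a constructed stand-in for the task_struct/mm_struct mapping."""
    return {owner[addr] for addr in state.mem if addr in owner}

TRACE = [                      # constructed; the first three lines follow the slide
    "addl 0xb80b5bd0, %ebx",   # %ebx becomes tainted
    "movl 0xb80b5bd0, %eax",   # %eax becomes tainted
    "movl %eax, 0xb80cd672",   # taint reaches a second memory cell
    "movl %ecx, %ebx",         # clean overwrite: %ebx loses its taint
]
OWNER = {"0xb80b5bd0": 1234, "0xb80cd672": 1234}   # constructed pid mapping
```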
Details about Offline DA (4)
• Process descriptor locating
  • CPU registers
  • Kernel stack
  • task_struct

  task_struct {
    …
    struct list_head tasks;
    struct mm_struct *mm;
    …
    pid_t pid;
    …
  }
Outline
• Motivation
• Solution: PEDA
• Details about Offline DA
• Preliminary Evaluation
• Contribution
Preliminary Evaluation (1)
• Fidelity
• Response time
• Offline damage assessment: future work
Preliminary Evaluation (2)
• Overhead of offline DA
Outline
• Motivation
• Solution: PEDA
• Details about Offline DA
• Preliminary Evaluation
• Contribution
Contribution
• Conflicting requirements of DA in enterprise systems
  • Response time
  • Accuracy
• PEDA addresses the conflict
  • Lightweight online logging
  • Replay-based offline DA
  • Combination of instruction level and OS level taint tracking
Guest kernel is compromised
• Clean initial state
  • If taint propagation flows into the kernel, record the original values
  • Use the pre-tainting version of the kernel to do reconstruction
• Infected initial state
  • Not related to reconstruction
  • Otherwise ??
We can go further
• What if the attack had not happened?
We can go further (cont’)
• Per-process checkpoint
  • Execution domain
  • Interaction with kernel
  • Communication with other processes
• State rollback
  • Resort to taint analysis
  • Sustain the uninfected processes
  • Roll back the infected processes