320 likes | 549 Views
Seminar of “Virtual Machines” course By : F. Zahmatkesh U niversity of S cience and T echnology of M azandaran , B abol F_zahmatkesh@ustmb.ac.ir December 24,2009. Implementing malware with virtual machines. Preview. Malware Short for malicious software
E N D
Seminar of “Virtual Machines” course By : F. Zahmatkesh University of Science and Technology of Mazandaran, Babol F_zahmatkesh@ustmb.ac.ir December 24,2009 Implementing malware with virtual machines
Preview • Malware • Short for malicious software • Software acts on computer system • W/O the knowledge of user • A general term Implementing malware with virtual machines
Preview(cont’d) • Control • Major goal of malware, to • Monitor, • Intercept, • Modify states and action of other software. • Allows malware to remain invisible by • Lying to • Disabling intrusion detection software. Implementing malware with virtual machines
Preview(cont’d) • Rootkit • A malware • A software system designed to obscure this fact: • System has been compromised. • Tools used to hide malicious activities • Types: • Hardware/Firmware level • Hypervisor level • Boot loader level • Kernel level • Library level • Application level Implementing malware with virtual machines
Attackers Defenders Agenda • Attackers and defenders strive for control • Attackers monitor and perturb execution • Avoid defenders • Defenders detect and remove attacker • Control by lower layers • Both migrated to low-level OS code App1 App2 Operating system Hardware • Hope to help defenders Implementing malware with virtual machines
Outline • Virtual Machines advantages • Subvirt Project • VMBRs, a new class of threat • Installing a VMBR • Maintaining control • Malicious services • Proof-of-concept VMBRs • Example malicious services • Defending against this threat • Trends toward virtualization • Related Work • Conclusion Attacker’s perspective Implementing malware with virtual machines
Virtual Machines • Multiplexing HW • Powerful platform to add service • Debug OS • Migrate live machine • Detect/prevent intrusion • Attest for code integrity • A problem • Non-Visible states/events of guest • VMI is the solution. Implementing malware with virtual machines
BUT… • Despite all of it’s advantages “Technology of Virtual Machine” can provide a powerful platform to build malware. Implementing malware with virtual machines
Attack system App1 App2 Target OS VMM Hardware After infection Virtual-Machine Based Rootkits (VMBRs) App1 App2 Target OS Hardware Before infection Implementing malware with virtual machines
Virtual-Machine Based Rootkits (VMBRs)(cont’d) • Hypervisor level Rootkit • Classic VM Architecture • VMM runs beneath the OS • Effectively new processor privilege level • Fundamentally more control • Target system into a virtualmachine • Little to no difference • Run of malware in the VMM or Attack System(2nd VM) Implementing malware with virtual machines
Virtual-Machine Based Rootkits (VMBRs)(cont’d) • Isolation • Visible states or events of target system • Easy to modify • No visible states or events of VMBR • Easy to develop malicious services • Run in Separate, general-purpose OS • Invisible to detection software in target • Uses VMI • Hard to detect and remove Implementing malware with virtual machines
Installing VMBR • Attacker => kernel privilege • Traditional remote exploit • Fool user to install malware • Bribe OEM or vendor • VMBR’s state on persistent storage. • VMBR modifies system boot sequence. • Master Boot record • Final stages of shut down • Few processes running • Efforts to prevent notification of activity Implementing malware with virtual machines
Master boot record Boot sector OS Installing VMBR(cont’d) • The boot sequence BIOS Implementing malware with virtual machines
Master boot record Boot sector BIOS OS Installing VMBR(cont’d) • Modify the boot sequence VMBR loads BIOS Implementing malware with virtual machines
Master boot record Boot sector OS Maintaining control • To avoid being removed • Must protect its state • Only time VMBR loses control • Period of time after the sys powers up until the VMBR starts • System BIOS VMBR loads BIOS BIOS Implementing malware with virtual machines
Maintaining control(cont’d) • Loses control when the system is powered-off • Reboots • Restarting the virtual hardware • Shutdowns • The system appears to shutdown • ACPI sleep states • Switch hardware into a low-power mode Spin down hard disks Turning off fans Place monitor into a power-saving mode Implementing malware with virtual machines
Malicious services • Use a separate attack OS to implement • Run invisible malicious services • Traditional malware with no fear of detection App App1 App2 Attack OS Target OS VMM Hardware Implementing malware with virtual machines
Malicious services(cont’d) • Malicious services into three categories: • Zero interaction malicious services • E.g., phishing web server • Passive monitoring • E.g., keystroke logger, network packets • Active execution modifications • E.g., delete e-mail, modify network communication • VMBR supports all above • All easy to implement Implementing malware with virtual machines
Evaluate:Proof-of-concept VMBRs Experimental setup: All experiments for the VMware-based VMBR run on a Dell Optiplex Workstation with a 2.8 GHz Pentium 4 and 1 GB of RAM. All experiments for the Virtual PC-based VMBR run on a Compaq Deskpro EN with a 1 GHz Pentium 4 and 256 MB of RAM. Our VMware-based VMBR compromises a RedHat Enterprise Linux 4 target system, and our Virtual PC-based VMBR compromises a Windows XP target system. Implementing malware with virtual machines
Example Malicious Services • Using proof-of-concept VMBR’s, we implemented four malicious services. • Phishing web server • Keystroke logger • File system Scanner • Countermeasure to detection tool Implementing malware with virtual machines
Defending against VMBRs • Detecting VMBR’s presence • Hard to detect • virtualizes state seen by target • Ideal VMBR modifies no state inside target • Does leave signs • Intrusion detection system can observe • Where to run detection software • Below VMBR • Above VMBR Implementing malware with virtual machines
Security software below • More control, direct access to resources • Could observe/detect states or events • Ways to gain control below • Secure hardware • E.g., Intel’s LaGrande • E.g., AMD’s platform for trustworthy computing • E.g., Copilot all propose hardware Implementing malware with virtual machines
Security software below(cont’d) • Secure VMM • VMBR between VMM and target OS • Stops VMBR from modifying the boot sequence above secure VMM • Secure boot • Ensures integrity of the boot sequence • Boot from safe medium • CD-ROM, USB drive or network boot server • VMBR can avoid it ! • Unplug machine from wall • E.g., Strider GhostBuster Implementing malware with virtual machines
Security software above • Traditional techniques aren’t able to detect VMBR. • Attack state not visible • Can only detect side effects • VMBR perturbations(side effects) include: • Increase in CPU overhead • Timing differences Implementing malware with virtual machines
Security software above(cont’d) • Use of memory and disk space • Run a program that requires entire machine’s memo/disk space • Not virtualizing all I/O devices • Directly access to non-virtualized devices • Drivers access physical memo • Leak of VMM’s information by Sensitive, non-privileged instructions • Execute them at a lower processor privilege level (rings 1 - 3) Implementing malware with virtual machines
Trends toward virtualization • Towards hardware virtualization support • Intel and AMD • More practical VMBRs • Reduce the amount of state needed to support VMBRs • Reduce the amount of time needed to boot VMBRs • Allow hardware devices to perform at full capacity • Towards widespread VMM use • Helps defenders detect/prevent VMBRs • Secure VMM Implementing malware with virtual machines
Related work • Layer below attacks • Kernel layer rootkits • Projects use VMMs for security • Trusted VMMs: Terra, NGSCB • Detect intrusions: VMI, IntroVirt • Isolation: NSA’s NetTop • Analyze intrusions: ReVirt • Project detect presence of VMM • Pioneer Implementing malware with virtual machines
Conclusion • VMBR • Qualitatively more control • Still easy to implement service • HW enhancements might make more effective • Defending is possible by controlling low layers • When compared to traditional malwares, • More state • More difficult to install • Reboot needed to run • More of an impact Implementing malware with virtual machines
Reference • ST. King, PM. Chen, YM. Wang, C. Verbowski, HJ. Wang, JR. Lorch, "SubVirt : Implementing malware with Virtual Machines" ,In the Proceedings of the IEEE Symposium on Security and Privacy,May 2006. Implementing malware with virtual machines
Thanks for paying attention. Implementing malware with virtual machines