MAVMM: Lightweight and Purpose Built VMM for Malware Analysis
Yang Feng, Jan 6th 2011
Outline
• Introduction
• Design
• Implementation
• Evaluation
• Conclusion

Introduction
• Traditional tools:
  • Disassembling
  • Dynamic black-box analysis
  • Debugging
• Virtualization technology
  • Strong isolation; take snapshots and roll back the guest's state
  • Monitor virtual-machine-based rootkits

Introduction
• Virtualization technology
  • Malware can evade detection and prevent analysis
  • Side channels, artifacts of the platform
• A general-purpose VMM is not suitable for malware analysis
  • Designed for functionality and performance
  • Complex virtual device emulation exposes many vulnerabilities

Introduction
• MAVMM
  • A VMM focused on malware analysis
  • Hardware support for virtualization
  • Keeps the VMM small and simple: smaller TCB (trusted computing base)
  • Functions: execution trace, memory dump, system calls, disk access and network interaction
  • Low detectability
Design
• Independent of the virtualization platform and the guest operating system
• Uses hardware virtualization technology
  • Faster virtualization performance
  • Simplifies the VMM implementation
• Advantages (hardware features used):
  • Additional CPU mode for the hypervisor
  • Nested paging: memory virtualization
  • Address space identifiers (ASIDs): fewer TLB flushes on switches
  • IOMMU: I/O virtualization
  • Event interception and injection: instruction virtualization

Design
• Special-purpose hypervisor
  • Thin and lean -> simplicity -> transparency and security
  • Xen, KVM or VMware: too complex -> bugs
[Figure: general-purpose VMM vs. MAVMM]

Design
• Boot-strapping the hypervisor
  • Start earlier than the guest and run at a higher CPU privilege level
  • Two options:
    • Boot directly from a boot loader (*) -> small and simple
    • Run on top of or alongside a host OS
• Protecting hypervisor memory
  • Nested page tables (NPT, AMD) <-> EPT (Intel)
  • Input/output memory management unit (IOMMU, AMD) <-> VT-d (Intel)

Design
• Feature extraction
  • Execution trace -> works like a run-time debugger
    • Set the TF flag in the rflags register to 1 (single-step trap)
  • Memory pages
    • Fetch guest pointers from memory
    • Guest logical address -> host physical address
    • Through the segmentation unit and the paging unit, with the help of the NPT
  • System calls
  • Network and disk access -> derived from system calls

Design
• Getting analysis data out
  • Use the same hard disk
  • Use a separate hard disk
  • Use a USB flash drive
  • Use a system port such as the serial port
• Selective analysis
  • Compact mode: keep only a few interceptions active
  • Full mode: all features mentioned
  • Monitor specific processes: keep a process list, intercept writes to the paging base pointer (CR3 register)
  • Track sub-processes: via system call tracing
  • -> minimize detectability -> BIOS service or a simple driver
Implementation
• Uses AMD SVM technology
• Started from TVMM
  • http://venus.is.s.u-tokyo.ac.jp/~kaneda/tvmm/
• NPT, IOMMU, AMD SimNow

Implementation
• Boot-strapping
  • Uses the GRUB boot loader
  • GRUB starts -> MAVMM -> GRUB (loads the guest)
  • Why doesn't MAVMM load the guest OS directly?
    • It would have to initialize the booting environment the guest OS expects
    • It would have to make sure it does not overwrite the guest OS image
    • Too complicated
  • Set the initial instruction pointer of the guest to 0x7c00
    • 0x7c00: beginning address of the loaded master boot record

Implementation
• Protecting hypervisor memory
  • Create the NPT and fill it with an identity (ID) mapping
  • On a nested-page (NP) fault, handle the fault and hide the VMM region
  • Use an external USB drive to virtualize the VMM region
  • Hide queries of the USB port
  • Use the Device Exclusion Vector (DEV) to protect the VMM from DMA by external devices

Implementation
• Feature extraction
  • System calls
    • Entry: int 0x80 or sysenter
    • Return: iret or sysexit
    • For int 0x80: use the control bit in the VMCB to intercept it, then read the EAX register (system call number)
    • Use iret interception with thread ID mapping to handle some system calls (the useful data is only available after the handler has run)
    • For sysenter: modify the index in SYSENTER_CS_MSR to point to an unmapped segment -> #GP fault, which is intercepted

Implementation
• Feature extraction
  • Network and file access
    • Network:
      • sys_socketcall -> function and arguments in EBX and ECX
      • sockaddr_in structure
      • Record IP addresses, port numbers and data
    • File:
      • sys_read and sys_write
      • Mapping from descriptor numbers of opened files to pathnames
      • Maintained from sys_open and sys_close
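The system-call decoding described on the two slides above, as an added example that is not part of the slides or of MAVMM's code: it consumes int 0x80 records (EAX/EBX/ECX captured at entry, the return value captured at the matching iret), keeps the descriptor-to-pathname table from sys_open/sys_close, labels sys_read/sys_write with it, and follows sys_socketcall's function (EBX) and argument pointer (ECX) into a sockaddr_in. The guest-memory image, the address 0x1000, the CR3 value and the records are all constructed, and the NPT-backed address translation is replaced by a flat image.

```python
import struct
# i386 Linux syscall numbers and the socketcall sub-functions named on the slides
SYS_READ, SYS_WRITE, SYS_OPEN, SYS_CLOSE, SYS_SOCKETCALL = 3, 4, 5, 6, 102
SOCKETCALL = {1: "socket", 3: "connect"}
MEM_BASE = 0x1000  # assumption: the constructed guest image below sits at this guest address
def read_guest(mem, addr, size):
    """Fetch bytes from the constructed guest image (MAVMM walks guest page tables plus the NPT here)."""
    off = addr - MEM_BASE
    if off < 0 or off + size > len(mem):
        raise ValueError(f"guest address {addr:#x} not mapped")
    return bytes(mem[off:off + size])
def decode_sockaddr_in(raw):
    """sockaddr_in: sa_family in host order, sin_port in network order, sin_addr as 4 raw bytes."""
    family, port = struct.unpack("<H", raw[:2])[0], struct.unpack(">H", raw[2:4])[0]
    return family, ".".join(str(b) for b in raw[4:8]), port

def decode_events(events, mem):
    """int 0x80 records (eax/ebx/ecx at entry, ret at the matching iret) -> high-level events."""
    fds, out = {}, []  # fd -> name, keyed per process by the CR3 captured with each event
    for ev in events:
        cr3, nr, key = ev["cr3"], ev["eax"], (ev["cr3"], ev["ebx"])
        if nr == SYS_OPEN:  # EBX points at the pathname; ret is the new descriptor
            path = read_guest(mem, ev["ebx"], 64).split(b"\0", 1)[0].decode()
            fds[(cr3, ev["ret"])] = path
            out.append(f"open({path}) = {ev['ret']}")
        elif nr == SYS_CLOSE:
            out.append(f"close({fds.pop(key, '?')})")
        elif nr in (SYS_READ, SYS_WRITE):  # EBX is the descriptor, ret the byte count
            out.append(f"{'read' if nr == SYS_READ else 'write'}({fds.get(key, '?')}) {ev['ret']} bytes")
        elif nr == SYS_SOCKETCALL:  # EBX selects the function, ECX points at its argument array
            func = SOCKETCALL.get(ev["ebx"], f"socketcall#{ev['ebx']}") + "()"
            if ev["ebx"] == 1:  # socket(): ret is the new descriptor
                fds[(cr3, ev["ret"])] = "<socket>"
            elif ev["ebx"] == 3:  # connect(): argument array is fd, sockaddr pointer, addrlen
                fd, sa_ptr, _ = struct.unpack("<3I", read_guest(mem, ev["ecx"], 12))
                family, ip, port = decode_sockaddr_in(read_guest(mem, sa_ptr, 8))
                fds[(cr3, fd)] = f"<{ip}:{port}>"
                func = f"connect(fd {fd}, {ip}:{port}, family {family})"
            out.append(f"{func} = {ev['ret']}")
    return out

# Constructed guest memory: pathname at 0x1000, connect() args at 0x1040, sockaddr_in at 0x1050
GUEST_MEM = bytearray(0x60)
GUEST_MEM[0x00:0x0c] = b"/etc/passwd\0"
GUEST_MEM[0x40:0x4c] = struct.pack("<3I", 4, 0x1050, 16)
GUEST_MEM[0x50:0x58] = struct.pack("<H", 2) + struct.pack(">H", 80) + bytes([10, 0, 0, 5])
def rec(eax, ebx, ecx, ret, cr3=0x3a000):  # one constructed record from a process with CR3 0x3a000
    return dict(cr3=cr3, eax=eax, ebx=ebx, ecx=ecx, ret=ret)
SAMPLE_TRACE = [rec(SYS_OPEN, 0x1000, 0, 3), rec(SYS_READ, 3, 0, 64), rec(SYS_CLOSE, 3, 0, 0),
                rec(SYS_SOCKETCALL, 1, 0x1040, 4), rec(SYS_SOCKETCALL, 3, 0x1040, 0), rec(SYS_WRITE, 4, 0, 5)]
```

Calling decode_events(SAMPLE_TRACE, GUEST_MEM) yields one labelled line per intercepted call, with the socket descriptor renamed to its peer address once connect() has been seen.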
Implementation
• Feature extraction
  • Getting analysis data
    • Bind a virtual serial port in SimNow to a real port on the host
    • External USB drive -> hidden device and I/O access mechanism
  • Selective analysis
    • Using a guest program mavmm-u and VMMCALL instructions
    • Compact mode and full mode
    • Remove the binary file and any trace of its existence before executing the malware

Implementation
• Transparent event forwarding
  • Tracking system calls has no hardware virtualization support
  • Intercept the iret instruction and modifications of CR3
  • Set the TF flag in rflags to 1 -> #DB fault
  • Works well for most interceptions except interrupts and exceptions
  • Forwarding those two events is already supported (event injection)
Evaluation
• Environment: AMD SimNow simulator
  • Simulated machine: 900 MHz processor and 256 MB of RAM
  • SimNow host: 2.4 GHz Intel Core 2 CPU with 2.5 GB RAM
  • x86_64 Ubuntu Linux 8.04, kernel 2.6.24-24

Evaluation
• Functionality
  • Fine-grained tracking
    • A simple "Hello world" program

Evaluation
• Functionality
  • High-level tracking
    • Monitoring the boot process of tty Linux 8.0 -> 21953 system calls
    • Rootkit.Linux.Agent.30.Chsh

Evaluation
• Detectability (VM detection checks tried)
  • Red Pill: sensitive but non-privileged instruction
  • Local descriptor table register check
  • VMware I/O channel
  • Virtual PC special instruction
  • Machine status word check
  • Xen CPUID check

Evaluation
• Security
  • TLB profiling attack
    • MAVMM does not support multiple guest VM instances
    • Smaller, so fewer TLB entries are written
  • External timing attack
    • Complex and expensive
    • Needs root privilege, a huge number of CPU cycles, an external timing source and prior knowledge of the target system
  • Trusted computing base

Evaluation
• Performance overhead
  • Compact mode and full mode compared with running outside the hypervisor
  • Each program run five times, average shown
  • Future work: switch to USB logging, batch data dumps

Conclusion
• A lightweight VMM designed specially for malware analysis
• Hardware virtualization support
• Simplicity, security and transparency
• Extracts useful information
• Easy to add new functions