1 / 19

SoK : Introspections on Trust and the Semantic Gap

SoK : Introspections on Trust and the Semantic Gap. Bhushan Jain , Mirza Basim Baig , Dongli Zhang, Donald Porter, Radu Sion. O perating Systems, S ecurity, C oncurrency and A rchitecture R esearch. VMI: Rootkit Detection Technique. Guest OS. VMI is building block for layered security

moswen
Download Presentation

SoK : Introspections on Trust and the Semantic Gap

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. SoK: Introspections on Trust and the Semantic Gap Bhushan Jain, MirzaBasimBaig, Dongli Zhang, Donald Porter, RaduSion Operating Systems, Security,Concurrency and Architecture Research

  2. VMI: Rootkit Detection Technique Guest OS • VMI is building block for layered security • Trusted hypervisor monitors less trusted guest • Common VMI goal: Identify processes in guest • Rootkit goal: Confuse VMI & hide malicious process • This paper/talk: • Organize prior VMI work by principal design choices • Pervasive trust assumptions in VMI systems • Search other related problems for ideas to remove trust Hyper visor

  3. Semantic Gap: A challenge for VMI Compromised Guest OS Process Descriptors VMI Guest OS Guest Kernel Heap Guest Kernel Heap Guest Kernel Heap 01010011 11110010 11010110 01101010 01010011 11110010 11010110 01101010 10111001 11010100 10011100 10101011 10111001 11010100 10011100 10101011 Semantic Gap VMI Hypervisor VMI Challenge : Bridge the semantic gap even for compromised guest VMI Challenge : Bridge the semantic gap

  4. Main Takeaways • Survey 12 years of VMI research ; 100 papers • Present a framework to reason about design choices • Contradiction: VMI reintroduces some trust in guest • Assume benign, initially uncompromised guest OS • Promising avenues to remove trust assumptions • Force guest OS to aid in its own introspection • Continuous adversarial learning on untrusted guest OS • Fine grained hardware support for memory protection ~

  5. Assumptions in VMI Techniques • One VMI technique: Learning and Reconstruction • An example attack: Structure Manipulation • More VMI assumptions about attacker • Assumptions across all VMI design techniques Ubiquitous trust assumptions across all VMI designs

  6. Learning and Reconstruction Learning Phase: Generate data structure signature Linux Guest OS Guest Kernel Heap Guest Kernel Heap 01010011 11110010 11010110 01101010 10111001 11010100 10011100 10101011 Offline safe environment Hypervisor Continuous over guest lifespan Searching Phase: Find data structure instances Assumption: Same OS behavior in learning and monitoring

  7. Data Structure Manipulation Attack Malicious Guest OS Linux Guest OS structtask_struct{ …… …… char comm[16]; void *notifier; …… } Guest Kernel Heap Offset Process Command Guest Kernel Heap Guest Kernel Heap 01010011 11110010 11010110 01101010 10111001 11010100 10011100 10101011 strlcpy(tsk->comm, buf, 16); strlcpy(tsk->comm,”Chrome”,16); notifier = kmalloc(16,GFP_KERNEL); strlcpy(tsk->notifier, buf, 16); 1128 Initialization Change field interpretation Hypervisor Typecast & offset math = Firefox = Chrome = Chrome = Skype All processes are benign = Chrome = Adore-ng Malicious or Compromised OS can violate VMI assumptions

  8. Fragile Trust Assumptions • Assumption:  Consistent structure interpretation • Attack: Change interpretation of a data structure • Mislead VMI tools by presenting false system state • Defense: No existing defense • CFI on benign kernel may help prevent bootstrapping • Attack obviated by generous threat models • Trust guest OS to be uncompromised and benign Structure manipulation: Realistic but outside threat model

  9. More Assumptions About Attacker Invariant: Set of processes in Scheduler tree = Process list Process list used to enumerate Linux Guest OS Guest Kernel Heap Guest Kernel Heap Guest Kernel Heap 01010011 11110010 11010110 01101010 10111001 11010100 10011100 10101011 Process tree used by scheduler Invariant Violated!!! Hypervisor Assume attacker can’t win race with asynchronous checking

  10. Other Attack Techniques • Write text Segment • Kernel Object Hooking (KOH) • Change function pointers (data segment) • Direct Kernel Object Manipulation (DKOM) • Manipulate heap objects – violate invariants • Dynamic Kernel Structure Manipulation (DKSM) • Change data structure interpretation

  11. Trusted Guest Pervasive in VMI Current VMI techniques built on some level of trust in guest

  12. A Fresh Look at Semantic Gap Trusted T Untrusted U VMI Problems Any Insights? Search related problems for techniques to remove trust

  13. Force Guest OS to Aid Introspection • Untrusted OS: Trusted app bridges semantic gap • Guest gives hypervisor evidence of correct behavior • Not directly applicable to problems solved by VMI • VMI tools implicitly assume unmodified guest OS • Relaxes threat model and induces trust • Can we force guest OS to help introspection? • Relax the constraint of unmodified OS Make light modifications to guest OS to prove correctness

  14. Continuously Train on Untrusted OS • VMI assumes same training & classification behavior • Least fundamental assumption • Apply continuous, adversarial machine learning • Incrementally train the VMI classifiers on untrusted OS • Detect inconsistent control flow, data access pattern Adapt adversarial learning for continuous VMI training

  15. Fine-grained Hardware Support • Only detection of kernel invariant violation attacks • Asynchronous scanning to check violations • All prevention systems use memory protection • Expensive at page granularity • Map invariant detection to memory protection • Need lightweight fine-grained memory protection Fine-grained protection hardware can reduce trust assumption

  16. Conclusions • Semantic gap problem for benign OS is solved • Difficult open VMI problem for malicious OS • Adapt techniques from other trust models • Force guest OS to aid in its own introspection • Continuous adversarial learning on untrusted guest OS • Fine grained hardware support for memory protection bpjain@cs.stonybrook.edu

  17. Backup

  18. Code Implanting Inject code in guest OS Protect the injected code Linux Guest OS Guest Kernel Heap Guest Kernel Heap structtask_struct *task; for_each_process(task) call_home("%s\n",task->comm); return 0; 01010011 11110010 11010110 01101010 10111001 11010100 10011100 10101011 Hypervisor Assumption: Guest OS reports correct information

  19. Data Outgrafting Reuse static trusted kernel code Trusted Sibling Guest OS Linux Guest OS COW Guest Kernel Heap Guest Kernel Heap Guest Kernel Heap Guest Kernel Heap 01010011 11110010 11010110 01101010 01010011 11110010 11010110 01101010 10111001 11010100 10011100 10101011 10111001 11010100 10011100 10101011 Hypervisor Input runtime heap & data Assumption: Identical guest OS behavior in both VMs

More Related