SubVirt: Implementing malware with virtual machines


Presentation Transcript


  1. SubVirt: Implementing malware with virtual machines Presented by Boris Yurovitsky boris.yurovitsky@gmail.com

  2. The Paper
     • SubVirt: Implementing malware(*) with virtual machines
     • By S. King, P. Chen (University of Michigan); Y. Wang, C. Verbowski, H. Wang, J. Lorch (Microsoft Research)
     • Appears in the 2006 IEEE Symposium on Security and Privacy
     • (*) Malware – malicious software
     Topics in Information Security 2007

  3. Presentation Outline
     • Introduction
     • Virtualization Technology
     • VM-Based Rootkit Implementation
     • Defense

  4. Rootkit (Introduction)
     • A tool used to hide malicious activities
     • Goals of the Attacker
       • More capability
       • Less visibility
     • Goals of the Defender
       • Detect
       • Prevent

  5. Some History (Introduction)

  6. Current State (Introduction)
     • Whoever controls a lower level – wins
       • Rootkits and detection SW migrate to lower layers
       • Both stop at the OS level
     • Whoever is smarter – wins
       • Attackers must sacrifice functionality for invisibility

  7. Virtualization
     • Manage underlying hardware
     • Provide an abstraction of a virtual machine
     • Common practices
       • Run several OSes on the same system
       • Test and debug
       • Live machine migration

  8. Virtual Machine Introspection (Virtualization)
     • The Semantic Gap
       • VM: disk blocks, network packets, memory
       • Guest SW: files, TCP connections, variables
     • Read guest OS symbol and page tables
     • Use breakpoints to control execution
     • Invoke guest OS or application code

  9. VMBR – a new class of rootkits (Implementation)
     • Virtual Machine-Based Rootkit (VMBR)
     • Use the virtual-machine technologies
     • Gain maximum control
     • Allow arbitrary malware yet stay invisible

  10. VMBR Implementation I (Implementation)

  11. Installation (Implementation)

  12. Installation – contd. (Implementation)
     • Acquire root level access
       • Exploit remote vulnerability
       • Corrupt a software / bootable image on a P2P network
     • Save to persistent storage
       • Use the file system
       • Use low-level access
     • Modify boot sequence (and avoid detection)
       • Run at shutdown
       • Take over the low-level disk controller
     Microsoft Security Bulletin MSxx-xxx: “A remote code execution vulnerability exists in … that could allow remote code execution on an affected system. An attacker could exploit the vulnerability by … An attacker … could take complete control of an affected system.”

  13. VMBR Implementation II (Implementation)

  14. Malicious Services (Implementation)
     • Class I – No interaction with the target system
       • Spam relays
       • Phishing servers (*)
       • Distributed DoS zombies
     • (*) denotes services implemented by the authors

  15. Malicious Services – contd. (Implementation)
     • Class II – Observe the target system
       • Hardware
         • Key loggers (*)
         • Packet monitor
       • Using VMI
         • Intercept SSL packets before encryption
         • Scan for sensitive data (e.g. ~user/.ssh/id_dsa) (*)

  16. Malicious Services – contd. (Implementation)
     • Class III – Deliberately modify the target system
       • Can either modify HW level data or use VMI
       • Examples:
         • Modify execution of target applications (*)
         • Modify network traffic

  17. VMBR Implementation III (Implementation)

  18. Maintaining Control (Implementation)
     • VMBR has full control of the system while powered up
     • No control from system power-up until load of the VMBR
       • User can boot from an alternate media
     • Avoiding power-up
       • Emulate restarts – only restart the VM (*)
         • Alternate boot media is loaded under the VMBR!
       • Avoid complete shutdown (*)
         • Emulate shutdown using ACPI

  19. VMBR Implementation IV (Implementation)

  20. Performance (Implementation)
     • System performance is hardly affected
     • About 3% RAM usage for the Virtual PC-based VMBR
     • Video intensive applications may suffer degraded performance
       • Solution: graphics card doesn’t have to be virtualized…

  21. Performance – contd. (Implementation)
     • All times are given in seconds
     • All measurements have variance less than 3%

  22. Security Below the VMBR (Defense)
     • Hardware based defense
       • Intel’s Trusted Execution Technology (formerly LaGrande)
       • AMD’s platform for trustworthy computing initiative
       • Copilot – PCI-based integrity monitor
     • Secure boot from CD or network
       • Do not forget to unplug…
     • Secure VMM
       • Detect and prevent VMBRs at the installation stage

  23. Security Above the VMBR (Defense)
     • Detect VMM impact on the system
       • Memory: VMBR can hide memory usage by paging
       • Disk: VMBR can hide disk usage by emulating bad blocks
       • CPU: VMBR can slow down target’s clock
         • Run benchmarks against wall-mount clock
     • Detect modifications to I/O drivers
       • VMBR can emulate only what it needs
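As an added defender-side example (not code from the paper or from this presentation), the Python below takes the sector-level view of a disk that slide 8 calls the semantic gap, decodes a classic MBR partition table, and lists sector ranges that no partition claims; a large unclaimed region after the last partition is exactly the kind of low-level persistent storage slide 12 describes and slide 23 says a VMBR tries to hide. The sample MBR and the disk size are constructed; `build_mbr`, `parse_mbr` and `unclaimed_ranges` are this example's own names.

```python
import struct

SECTOR = 512
# One 16-byte entry: status, CHS start (skipped), type, CHS end (skipped),
# LBA start, sector count; all little-endian.
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(mbr: bytes):
    """Return (type, lba_start, sectors) for each used primary partition entry.

    This is what a VMM sees: raw bytes of sector 0. Decoding the table is the
    first step across the semantic gap from disk blocks to volumes.
    """
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature: not an MBR")
    parts = []
    for i in range(4):
        _status, ptype, start, count = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype != 0 and count != 0:
            parts.append((ptype, start, count))
    return parts


def unclaimed_ranges(parts, disk_sectors):
    """Sector ranges (start, length) covered by no partition, sector 0 excluded.

    A small gap before the first partition is normal alignment slack; a
    sizeable gap after the last one is space the guest OS never reads.
    """
    gaps = []
    cursor = 1
    for _ptype, start, count in sorted(parts, key=lambda p: p[1]):
        if start > cursor:
            gaps.append((cursor, start - cursor))
        cursor = max(cursor, start + count)
    if disk_sectors > cursor:
        gaps.append((cursor, disk_sectors - cursor))
    return gaps


def build_mbr(entries):
    """Assemble a constructed MBR from (type, lba_start, sectors) tuples."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, 446 + 16 * i, 0x80 if i == 0 else 0, ptype, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


# Constructed sample: Linux (0x83) and swap (0x82) partitions on a drive that
# identifies itself as 2,600,000 sectors, leaving ~44 MiB past the last partition.
SAMPLE_DISK_SECTORS = 2_600_000
SAMPLE_MBR = build_mbr([(0x83, 2048, 409_600), (0x82, 411_648, 2_097_152)])

if __name__ == "__main__":
    for start, length in unclaimed_ranges(parse_mbr(SAMPLE_MBR), SAMPLE_DISK_SECTORS):
        print(f"unclaimed: sectors {start}-{start + length - 1} ({length * SECTOR // 2**20} MiB)")
```

Take `disk_sectors` from the drive's own identification data or its label rather than from the guest OS, because a VMM that interposes on the disk can shrink the capacity the OS reports just as easily as it can emulate bad blocks.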

  24. Conclusions
     • VMBR is a new form of layer-below attack
     • VMBRs can provide features unavailable to traditional rootkits
     • VMBRs are easy to implement
     • VMBRs are difficult to detect and remove
     • Future of VMBRs
       • Widespread use of virtualization
       • Hardware support for virtualization

  25. Thank You

  26. Home Assignment
     • What are the advantages of a VM-based rootkit over an OS level rootkit from the attacker’s point of view?
     • If complete control over the hardware is achieved, why is VMI still required? Discuss the differences between HW level based and VMI based key loggers.
     • Suppose a secure file system is deployed on the host. Would user data remain secure from a malicious service running within a VMBR? Explain.
     • How would hardware support for virtualization affect VMBRs?
     • boris.yurovitsky@gmail.com
