hello rootKitty
  a lightweight invariance-enforcing framework

           Francesco Gadaleta - Nick Nikiforakis
DISTRINET Research Group Katholieke Universiteit Leuven - Belgium
OVERVIEW (keyword cloud)

rootkit, Operating System, framework, critical kernel objects, malware, detection, code, virus, analysis, integrity, invariance, attack, module, virtualization, malicious, repairing, memory corruption, approach, profiling, hardware-based, countermeasure, evaluation
ROOTKIT

๏ process hiding
๏ botnet
๏ stealing private data
๏ subverting kernels
๏ spamming
๏ bank fraud
ROOTKIT

User-mode
              ls, ps, PATH, etc...
              limited to user’s privileges

Kernel-mode
              device drivers, access to kern. memory, etc...
              limited to kernel’s privileges (=unlimited)
FACT

The problem of rootkits will never be solved

“I’d rather tackle world peace than the rootkit
problem, it is that hard to solve”
ATTACKER MODEL
Loading rootkit as LKM

Loading by overwriting memory
directly (eg. /dev/mem, /dev/kmem)

Executing arbitrary code via kernel vulnerability

GOAL: compromise of hardcoded, static and
dynamic kernel objects
VIRTUALIZATION

Events trapped by the hypervisor (VM-exit dispatch, excerpt):

   case EXIT_REASON_MOV_CR
   case EXIT_REASON_CPUID
   case EXIT_REASON_IO_INSTRUCTION
   case EXIT_REASON_RDMSR
   case EXIT_REASON_WRMSR
   case EXIT_REASON_EXCEPTION_OR_NMI
   case EXIT_REASON_EXTERNAL_INT
   case EXIT_REASON_INTERRUPT_WINDOW
   case EXIT_REASON_INVLPG
   case EXIT_REASON_VMCALL: /* for debugging */
   case EXIT_REASON_INIT_SIGNAL
   case EXIT_REASON_STARTUP_IPI
   case EXIT_REASON_HLT
   case EXIT_REASON_TASK_SWITCH
   case EXIT_REASON_XSETBV

[Figure: the guest kernel runs in the guest memory space; each trapped event causes a VMExit into the hypervisor memory space and a VMEntry back into the guest]
ASSUMPTION

Rootkits modify kernel data structures


Observing critical kernel objects is a good
detection strategy


Virtualization still not massively exploited in
desktop environments (QubesOS)
APPROACH

Phase 1: collecting addresses of data structures to protect

[Figure: a trusted module inside the guest kernel (guest memory space) hands the table of objects to protect down to the hypervisor (hypervisor memory space). The slide's table has a third "flags" column whose values are not legible in the extraction.]

                           phys addr    size   flags
                           0xC1234567   128    ...
                           0xC3214567   128    ...
                           0xC421456A   64     ...
                           0xC521456C   4      ...
APPROACH

Phase 2: check integrity within the hypervisor mem. space

[Figure: the guest kernel stays in the guest memory space; the hypervisor, from its own memory space, recomputes each object's hash and compares it against its reference table]

                           phys addr    size   hash
                           0xC1234567   128    abcd
                           0xC3214567   128    abde
                           0xC421456A   64     1234
                           0xC521456C   4      4321
APPROACH

Phase 3: repair compromised objects (if original content provided)

[Figure: on a hash mismatch the hypervisor, from its own memory space, writes the original content back into the compromised object in the guest kernel]

                           phys addr    size   hash
                           0xC1234567   128    abcd
                           0xC3214567   128    abde
                           0xC421456A   64     1234
                           0xC521456C   4      4321
IMPLEMENTATION

Exploit the MOV_CR event :-|

When the guest kernel changes a control register it is doing
something “interesting” such as task switching :-)

Room for improvement: we can map all the objects to a common
area in the hypervisor’s space and compute the checksum once

[Figure: (1) the guest scheduler switches from App 1 to App 2 with <mov CR3, cr3_app2>; (2) the write traps from the guest memory space into the hypervisor memory space; (3) the hypervisor maps the objects into host_virt_space and checks them against its table]

                           phys addr    size   hash
                           0xC1234567   128    abcd
                           0xC3214567   128    abde
                           0xC421456A   64     1234
                           0xC521456C   4      4321
IMPLEMENTATION

Lists of objects to protect might be HUGE
=> let’s relax the problem

SOLUTION: on MOV_CR event the hypervisor checks a subset of objects

[Figure: successive <mov CR3, cr3_app1>, <mov CR3, cr3_app2>, <mov CR3, cr3_app3>, <mov CR3, cr3_app4> events, each checking the next slice of the (phys addr, size, hash) table]
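The three phases above (register, hash-check, repair) and the relaxed per-MOV_CR subset check, as an added example that is not code from the slides, from BitVisor or from helloRootkitty: a user-space C model in which "guest memory" is a constructed byte array, FNV-1a stands in for the checksum (an assumption; the deck does not name its hash function), the table, `register_object`, `check_object`, `on_mov_cr` and `worst_case_events` are hypothetical names, and the 16-byte system-call-table slot is constructed.

```c
/* Added example (not slide, BitVisor or helloRootkitty code): user-space model of
 * Phase 1-3 and of the relaxed per-MOV_CR subset check.  Guest memory is a
 * constructed byte array; FNV-1a stands in for the checksum (an assumption). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_OBJECTS    16
#define GUEST_MEM_SIZE 1024

static uint8_t guest_mem[GUEST_MEM_SIZE];   /* constructed "guest physical memory" */

/* Hypervisor-side table entry: phys addr, size, reference hash and, when the
 * trusted module provided it, a copy of the original content used for repair. */
struct protected_obj {
    uint32_t       phys_addr;   /* offset into guest_mem in this model */
    uint32_t       size;
    uint64_t       hash;
    const uint8_t *original;    /* NULL when no original content was provided */
};

static struct protected_obj table[MAX_OBJECTS];
static size_t table_len = 0;
static size_t cursor    = 0;    /* next entry to visit on a MOV_CR event */

/* FNV-1a 64-bit, used here as the integrity checksum of Phase 2. */
static uint64_t fnv1a(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Phase 1: the trusted guest module hands (phys addr, size[, original]) to the
 * hypervisor, which records the reference hash while the object is still intact. */
int register_object(uint32_t phys_addr, uint32_t size, const uint8_t *original) {
    if (table_len >= MAX_OBJECTS || (uint64_t)phys_addr + size > GUEST_MEM_SIZE)
        return -1;
    table[table_len].phys_addr = phys_addr;
    table[table_len].size      = size;
    table[table_len].hash      = fnv1a(guest_mem + phys_addr, size);
    table[table_len].original  = original;
    table_len++;
    return 0;
}

/* Phases 2 and 3: recompute one entry's hash from guest memory.
 * Returns 0 = intact, 1 = corrupted and repaired, 2 = corrupted, no original. */
int check_object(size_t idx) {
    struct protected_obj *o = &table[idx];
    if (fnv1a(guest_mem + o->phys_addr, o->size) == o->hash) return 0;
    if (o->original == NULL) return 2;
    memcpy(guest_mem + o->phys_addr, o->original, o->size);
    return 1;
}

/* Relaxed implementation: on each MOV_CR VM exit check only `rate` entries,
 * advancing a round-robin cursor so every object is eventually visited.
 * Returns the number of corrupted objects seen in this round. */
int on_mov_cr(size_t rate) {
    int found = 0;
    for (size_t i = 0; i < rate && table_len > 0; i++) {
        if (check_object(cursor) != 0) found++;
        cursor = (cursor + 1) % table_len;
    }
    return found;
}

/* Worst-case number of MOV_CR events before a given object gets checked:
 * the deck's 15000 objects at 100 objects per event gives 150. */
size_t worst_case_events(size_t objects, size_t rate) {
    return (objects + rate - 1) / rate;
}

/* Constructed 16-byte stand-in for a system-call-table slot (two pointers). */
static const uint8_t syscall_slot_orig[16] = {
    0x67, 0x45, 0x23, 0xC1, 0, 0, 0, 0, 0x6B, 0x45, 0x23, 0xC1, 0, 0, 0, 0 };

/* Scenario: boot, register two objects, corrupt both, take one MOV_CR exit.
 * Returns the number of corruptions found in that first round. */
int demo(void) {
    memcpy(guest_mem + 0x100, syscall_slot_orig, sizeof syscall_slot_orig);
    register_object(0x100, 16, syscall_slot_orig);  /* original provided */
    register_object(0x200, 64, NULL);               /* hash only, no repair */
    guest_mem[0x104] = 0xFF;    /* pointer in the syscall-table slot overwritten */
    guest_mem[0x210] = 0xFF;    /* some other protected object overwritten */
    return on_mov_cr(2);
}

int main(void) {
    printf("first MOV_CR round: %d corrupted object(s)\n", demo());
    printf("syscall slot restored: %s\n",
           memcmp(guest_mem + 0x100, syscall_slot_orig, 16) == 0 ? "yes" : "no");
    printf("second round: %d still corrupted (no original to repair from)\n", on_mov_cr(2));
    printf("worst case at 15000 objects, 100 per event: %zu MOV_CR events\n",
           worst_case_events(15000, 100));
    return 0;
}
```

The second round shows the "if original content provided" caveat of Phase 3: the object registered with a hash only is reported on every visit but never repaired, so an alert path, not just a repair path, is needed. The round-robin cursor is what bounds detection latency: at the deck's rate the worst case is 150 MOV_CR events, and how long that takes in wall-clock time depends on how often the guest switches tasks.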
EVALUATION

BitVisor 1.1 and Linux Kernel 2.6

Total: 15000 kernel objects 128-bit sized

Rate:   100 objects/MOV_CR*

Corruption of pointers in the guest system call table
PERFORMANCE

LMBENCH (microbenchmarks)

Processes:
              open/close     +0.6%
              sign. handl.   +2.5%
              fork           +41%
              exec           +35%

Local comm. bandwidths:
              TCP            +2.2%
              File reread    0%
              Mmap reread    -0.9%
              Bcopy          -0.32%
              Mem. read      -0.12%
              Mem. write     0.12%
PERFORMANCE

APACHEBENCH (macrobenchmarks): 100K requests, 50 concurrently, on a local lighttpd server

Time                     +1.50%
Req. per second          +1.52%
Time per request         +1.54%
Time per conc. req       +1.4%
Transfer rate            +1.52%

DETECTION TIME
(time the hypervisor needs to check a compromised object in the worst case)
Depends on the guest load, about 6 sec wall-clock time
LIMITATIONS

Protects invariants only

Attacks on variant (non-invariant) data structures are still possible
DISCUSSION

Kernel developers support system

Fine-grained protection

Lightweight countermeasure

Guarantees target-monitor isolation
DEMO.
CONCLUSION

helloRootkitty mitigates the problem of kernel malware

Negligible overhead

Attack surface might be considerably reduced

Easy integration with other protection mechanisms
(Daikon, Gibraltar)
THANKS.

lightweight virtualization framework protects critical kernel objects from rootkits

  • 1. hello rootKitty a lightweight invariance-enforcing framework Francesco Gadaleta - Nick Nikiforakis DISTRINET Research Group Katholieke Universiteit Leuven - Belgium
  • 3. OVERVIEW rootkit Operating System framework critical kernel objects malware detection code virus Analysis integrity invariance attack module virtualization malicious repairing memory corruption approach profiling hardware-based countermeasure evaluation
  • 4. ๏ process hiding ๏ botnet ๏ stealing private data ROOTKIT ๏ subverting kernels ๏ spamming ๏ bank fraud
  • 5. ROOTKIT User-mode ls, ps, PATH, etc... limited to user’s privileges Kernel-mode device drivers, access to kern. memory, etc... limited to kernel’s privileges (=unlimited)
  • 6. FACT the problem of rootkits will never be solved
  • 8. FACT “I’d rather tackle world peace than the rootkit problem, it is that hard to solve”
  • 9. ATTACKER MODEL Loading rootkit as LKM. Loading by overwriting memory directly (e.g. /dev/mem, /dev/kmem). Executing arbitrary code via kernel vulnerability. GOAL: compromise of hardcoded, static and dynamic kernel objects
  • 10. VIRTUALIZATION Events trapped by the hypervisor (figure: guest kernel in guest memory space, hypervisor in hypervisor memory space; VMExit leaves the guest, VMEntry resumes it):
      case EXIT_REASON_MOV_CR
      case EXIT_REASON_CPUID
      case EXIT_REASON_IO_INSTRUCTION
      case EXIT_REASON_RDMSR
      case EXIT_REASON_WRMSR
      case EXIT_REASON_EXCEPTION_OR_NMI
      case EXIT_REASON_EXTERNAL_INT
      case EXIT_REASON_INTERRUPT_WINDOW
      case EXIT_REASON_INVLPG
      case EXIT_REASON_VMCALL: /* for debugging */
      case EXIT_REASON_INIT_SIGNAL
      case EXIT_REASON_STARTUP_IPI
      case EXIT_REASON_HLT
      case EXIT_REASON_TASK_SWITCH
      case EXIT_REASON_XSETBV
  • 11. ASSUMPTION Rootkits modify kernel data structures Observing critical kernel objects is a good detection strategy Virtualization still not massively exploited in desktop environments (QubesOS)
  • 12. APPROACH Phase 1: collecting addresses of data structures to protect (figure: a trusted module in the guest kernel, in guest memory space, passes the hypervisor, in hypervisor memory space, a table of objects with columns phys addr, size, flag)
  • 13. APPROACH Phase 2: check integrity within the hypervisor mem. space (figure: guest kernel in guest memory space, hypervisor in hypervisor memory space holding the table)
      phys addr    size  hash
      0xC1234567   128   abcd
      0xC3214567   128   abde
      0xC421456A   64    1234
      0xC521456C   4     4321
  • 14. APPROACH Phase 3: repair compromised objects (if original content provided) (figure: same layout as Phase 2)
      phys addr    size  hash
      0xC1234567   128   abcd
      0xC3214567   128   abde
      0xC421456A   64    1234
      0xC521456C   4     4321
  • 15. IMPLEMENTATION Exploit the MOV_CR event :-|
      (1) When the guest kernel changes a control register (the scheduler's <mov CR3, cr3_app2>, switching among App 1, App 2, App 3) it is doing something "interesting" such as task switching :-)
      (2) The event is trapped from guest memory space into hypervisor memory space,
      (3) where the hypervisor checks its table of protected objects:
      phys addr    size  hash
      0xC1234567   128   abcd
      0xC3214567   128   abde
      0xC421456A   64    1234
      0xC521456C   4     4321
      Room for improvement: we can map all the objects to a common host_virt_space area in the hypervisor's space and compute the checksum once
  • 16. IMPLEMENTATION Lists of objects to protect might be HUGE => let's relax the problem. SOLUTION: on MOV_CR event the hypervisor checks a subset of objects $$ (figure: successive <mov CR3, cr3_app1>, <mov CR3, cr3_app2>, <mov CR3, cr3_app3>, <mov CR3, cr3_app4> events, each checked against part of the phys addr / size / hash table)
  • 17. EVALUATION BitVisor 1.1 and Linux Kernel 2.6. Total: 15000 kernel objects, 128-bit sized. Rate: 100 objects/MOV_CR*. Corruption of pointers in the guest system call table
  • 18. PERFORMANCE LMBENCH (microbenchmarks)
      Processes:               open/close +0.6%   sign. handl. +2.5%   fork +41%   exec +35%
      Local comm. bandwidths:  TCP +2.2%   File reread 0%   Mmap reread -0.9%   Bcopy -0.32%   Mem. read -0.12%   Mem. write 0.12%
  • 19. PERFORMANCE APACHEBENCH (macrobenchmarks) 100K requests, 50 concurrently on local lighttpd server
      Time +1.50%   Req. per second +1.52%   Time per request +1.54%   Time per conc. req +1.4%   Transfer rate +1.52%
      DETECTION TIME (time the hypervisor needs to check a compromised object in the worst case): depends on the guest load, about 6 sec wall-clock time
  • 20. LIMITATIONS Protects invariants. Attacks on variant data structures are still possible
  • 21. DISCUSSION Kernel developers support system Fine-grained protection Lightweight countermeasure Guarantees target-monitor isolation
  • 22. DEMO.
  • 23. CONCLUSION helloRootkitty mitigates the problem of kernel malware Negligible overhead Attack surface might be considerably reduced Easy integration with other protection mechanisms (Daikon, Gibraltar)
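The three phases (register, check, repair) and the "subset of objects per MOV_CR event" relaxation from slides 12 to 16, as an added C model that is not the authors' BitVisor code; the FNV-1a hash, the batch size, the 16-byte repair copy and the object names are assumptions made here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of the hypervisor-side table (not the project's code); BATCH = objects re-hashed per MOV_CR exit. */
enum { MAX_OBJ = 8, BATCH = 2 };
struct protected_obj {
    uint8_t *addr; size_t size;      /* addr stands in for the guest physical address */
    uint64_t hash;                   /* hash taken while the object was still trusted */
    uint8_t orig[16]; int has_orig;  /* saved content for the Phase 3 repair, if kept */
};
struct monitor { struct protected_obj objs[MAX_OBJ]; size_t count, cursor; };

static uint64_t fnv1a(const uint8_t *p, size_t n) {   /* 64-bit FNV-1a */
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Phase 1: the trusted module hands the hypervisor an object to protect. */
int monitor_register(struct monitor *m, uint8_t *addr, size_t size, int keep_copy) {
    if (m->count >= MAX_OBJ || size > sizeof m->objs[0].orig) return -1;
    struct protected_obj *o = &m->objs[m->count++];
    o->addr = addr; o->size = size; o->hash = fnv1a(addr, size);
    if ((o->has_orig = keep_copy)) memcpy(o->orig, addr, size);
    return 0;
}

/* Phases 2 and 3: on a MOV_CR exit, re-hash the next BATCH objects round-robin.
   Returns how many were found compromised; those with a saved copy are repaired. */
int on_mov_cr_exit(struct monitor *m, int *repaired) {
    int bad = 0; *repaired = 0;
    for (size_t i = 0; i < BATCH && m->count; i++) {
        struct protected_obj *o = &m->objs[m->cursor];
        m->cursor = (m->cursor + 1) % m->count;
        if (fnv1a(o->addr, o->size) == o->hash) continue;
        bad++;
        if (o->has_orig) { memcpy(o->addr, o->orig, o->size); (*repaired)++; }
    }
    return bad;
}

/* Constructed scenario: a fake system call table (registered with a copy) has one
   entry overwritten; returns the exit at which it was caught and repaired (2). */
int demo_scenario(void) {
    static uint8_t sct[16] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
    static uint8_t idt[8] = {0xAA,0xBB,0xCC,0xDD,0xEE,0xFF,0x11,0x22}, ops[4] = {9,8,7,6};
    struct monitor m = {0};
    monitor_register(&m, idt, sizeof idt, 0);
    monitor_register(&m, ops, sizeof ops, 0);
    monitor_register(&m, sct, sizeof sct, 1);
    sct[3] = 0x42; int exits = 1, repaired = 0;  /* the corruption, then the MOV_CR exits */
    while (exits < 10 && on_mov_cr_exit(&m, &repaired) == 0) exits++;
    return (repaired == 1 && sct[3] == 4) ? exits : -1;
}
```

With three objects and a batch of two, the corrupted table is only reached on the second exit, which is the latency the "detection time" slide measures in the real system.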