Hyperforce: Hypervisor-enForced Execution of Security-Critical Code
We present HyperForce, a framework which allows the deployment of security-critical code in a way that significantly outperforms previous in-hypervisor systems while maintaining similar guarantees with respect to security and integrity. HyperForce is a hybrid system which combines the performance of an in-guest security mechanism with the security of an in-hypervisor one.

Published in: Technology
  1. HyperForce: Hypervisor-enForced Execution of Security-Critical Code. Francesco Gadaleta, Nick Nikiforakis, J.T. Muehlberg, Wouter Joosen. Katholieke Universiteit Leuven, Belgium
  2. Outline: what's the matter? / virtualization technology / our countermeasure / conclusion
  3. (word cloud) cryptography, malware, policy management, virtualization, compliance, hashing, attack, key logger, framework, engineering, technology, network, system, library, botnet, computer, buffer overflow, compiler, secure, embedded, security, low level, instruction, virtual machine, countermeasure, hardware, malicious, legislation, language
  4. Security is an issue
  5. A 2010 report by McAfee revealed that the cost to corporations of work time lost due to virus attacks was $6.3m/day. Back of the envelope: employee salary $3000, i.e. $100/day; number of employees wasting work time: 63,000 ($6.3m / $100).
  6. The 2007 Malware Report by Computer Economics on the annual worldwide economic damage caused by malicious code attacks on organizations showed that the costs were $13.3 billion. A Fox News report in 2009 estimated that $86b is lost worldwide annually.
  7. DEMO TIME
  8. VIRTUALIZATION TECHNOLOGY
  9. (diagram) HYPERVISOR running on HARDWARE (VT-d)
  10. Nice, but... hardware costs; maintenance costs (sys admin, power consumption); performance costs
  11. ROOTKITS: A PROBLEM
  12. (word cloud) rootkit: malicious, dangerous, stealthy, insidious, detection hard
  13. WE SAID helloROOTKITty
  14. WE SAID helloROOTKITty. Phase 1: collecting addresses of data structures to protect. (diagram) A trusted module in the guest kernel walks the guest memory space and hands the hypervisor a table of the objects to protect, one row per object: physical address, size, flags. The table lives in hypervisor memory space.
  15. WE SAID helloROOTKITty. Phase 2: check integrity within the hypervisor memory space. (diagram) The hypervisor keeps, per protected object, phys addr | size | hash:
      0xC1234567 | 128 | abcd
      0xC3214567 | 128 | abde
      0xC421456A |  64 | 1234
      0xC521456C |   4 | 4321
  16. WE SAID helloROOTKITty. Phase 3: repair compromised objects (*), using the same table. (*) only if the original content has been provided
  17. Performance (HelloRootkitty): checks occur at specific moments; the problem must be relaxed (split huge lists of objects); in-hypervisor approach: guest introspection and mapping guest memory from the hypervisor is not cheap
  18. HyperForce APPROACH
  19. (diagram) guest kernel with the monitor (trusted) code inside it, running above the HYPERVISOR on HARDWARE (VT-d)
  20-22. (diagram, built up over three slides) monitor (trusted) code: the interrupt handler is the monitoring code. A (virtual) hardware device raises an interrupt; the guest kernel goes through the IDT and executes the interrupt handler, i.e. the monitor, inside the guest. Layers: guest kernel / virtual hardware / HYPERVISOR / physical HARDWARE (VT-d)
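The three HelloRootkitty phases (slides 14-16) and the HyperForce way of running the monitor as the handler of a virtual-device interrupt (slides 20-22), as an added user-space model in C. This is not code from HyperForce or HelloRootkitty: the guest_mem buffer, the table layout, the FNV-1a digest, the SLICE constant and the hr_* names are all constructed for illustration. The "interrupt handler" is an ordinary function that demo() calls where the virtual device would raise the interrupt in the guest; the hypervisor-enforced protection of the handler's code pages and IDT entry is outside what this model shows.

```c
/* Added example, not HyperForce/HelloRootkitty code: a user-space model of
 * the three HelloRootkitty phases (collect, check, repair), scheduled the
 * HyperForce way from a (simulated) virtual-device interrupt that checks one
 * slice of the protected-object list per invocation. guest_mem, the table
 * layout, the hash and the hr_* names are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_OBJECTS  64
#define MAX_OBJ_SIZE 128
#define SLICE        2      /* objects checked per interrupt */

/* Constructed stand-in for guest physical memory (4 KiB of "kernel"). */
static uint8_t guest_mem[4096];

/* One row of the table kept in hypervisor memory: the slides' phys addr /
 * size / hash columns, plus the optional original copy used by phase 3. */
struct protected_obj {
    uintptr_t phys_addr;               /* offset into guest_mem in this model */
    size_t    size;
    uint64_t  hash;                    /* digest taken at registration */
    uint8_t   original[MAX_OBJ_SIZE];  /* valid only if has_original */
    int       has_original;
};

static struct protected_obj table[MAX_OBJECTS];
static size_t table_len = 0;
static size_t cursor = 0;              /* next object the handler will check */

/* 64-bit FNV-1a, standing in for whatever digest the real system uses. */
static uint64_t fnv1a(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Phase 1: the trusted module registers address and size of an object;
 * returns its table index, or -1 if it cannot be protected. */
int hr_register(uintptr_t phys_addr, size_t size, int keep_original) {
    if (table_len >= MAX_OBJECTS || size > MAX_OBJ_SIZE ||
        phys_addr + size > sizeof guest_mem)
        return -1;
    struct protected_obj *o = &table[table_len];
    o->phys_addr = phys_addr;
    o->size = size;
    o->hash = fnv1a(guest_mem + phys_addr, size);
    o->has_original = keep_original;
    if (keep_original) memcpy(o->original, guest_mem + phys_addr, size);
    return (int)table_len++;
}

/* Phase 2: recompute the digest of object i; 1 if intact, 0 if modified. */
int hr_check(size_t i) {
    const struct protected_obj *o = &table[i];
    return fnv1a(guest_mem + o->phys_addr, o->size) == o->hash;
}

/* Phase 3: restore the original content; 0 if no copy was kept. */
int hr_repair(size_t i) {
    const struct protected_obj *o = &table[i];
    if (!o->has_original) return 0;
    memcpy(guest_mem + o->phys_addr, o->original, o->size);
    return 1;
}

/* The monitor as HyperForce runs it: the handler of an interrupt raised by a
 * virtual device, executing in the guest. It checks only SLICE objects per
 * interrupt, so a huge list is covered over many short handler runs instead
 * of one long pause. Returns the number of compromised objects found. */
int hr_interrupt_handler(void) {
    int compromised = 0;
    for (int k = 0; k < SLICE && table_len > 0; k++) {
        if (!hr_check(cursor)) {
            compromised++;
            hr_repair(cursor);
        }
        cursor = (cursor + 1) % table_len;
    }
    return compromised;
}

void hr_reset(void) {
    table_len = 0; cursor = 0;
    memset(guest_mem, 0, sizeof guest_mem);
}

/* Constructed scenario: a 4-entry "syscall table" and a 1-byte flag are
 * registered, a rootkit tampers with both, one interrupt sweeps both. */
int demo(void) {
    hr_reset();
    for (int i = 0; i < 4; i++) {
        uint64_t entry = 0xC0000000ULL + 0x1000ULL * (uint64_t)i;
        memcpy(guest_mem + 0x100 + 8 * i, &entry, sizeof entry);
    }
    guest_mem[0x800] = 1;
    hr_register(0x100, 4 * sizeof(uint64_t), 1);  /* copy kept: repairable */
    hr_register(0x800, 1, 0);                      /* no copy: detect only */
    uint64_t hook = 0xDEAD0000ULL;                 /* rootkit hooks entry 2 */
    memcpy(guest_mem + 0x100 + 16, &hook, sizeof hook);
    guest_mem[0x800] = 0;                          /* rootkit clears the flag */
    return hr_interrupt_handler();                 /* finds 2, repairs 1 */
}

int main(void) {
    printf("compromised objects found: %d\n", demo());
    printf("syscall table intact: %d, flag intact: %d\n", hr_check(0), hr_check(1));
    return 0;
}
```

The slicing is the point of slide 17: with 15,000 objects and SLICE set to a few hundred, each interrupt does a bounded amount of hashing and the whole table is still swept within a few hundred interrupts, which is what keeps the guest-side cost small compared to pausing the guest for one full in-hypervisor pass. The object whose original was never provided stays flagged on every sweep, which is the phase 3 caveat on slide 16.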
  23. Performance: hardware & software. CPU: Intel Core 2 Duo Pro with VT-d; RAM: 4GB; Hypervisor: Linux KVM-drv; Virtual machine: QEMU-kvm
  24. Performance: in-host speedup of HelloRootkitty with HyperForce over plain HelloRootkitty (bar chart): context switch 26%; mem. map 19%; page fault 7%; mem. lat 11%
  25. Performance: in-guest speedup of HelloRootkitty with HyperForce over plain HelloRootkitty (bar chart): context switch 10%; fork syscall 8%; open/close syscall 10%; signal handling 51%
  26. Performance: detection time. Detection of 1 over 15000 critical kernel objects (worst case), HelloRootkitty vs HelloRootkitty with HyperForce (bar chart, axis 0 to 10)
  27. Is this working?
  28. CONCLUSION
  29-33. What now? Don't worry: we will all be virtualized soon, and that's good! We presented a framework to enforce in-guest execution of critical code, specifically related to mitigation of rootkits. HelloRootkitty protects with small performance impact; HelloRootkitty in HyperForce does it much faster.
  34-36. What's next? Use the framework for other types of mitigation. Store something "smarter" in the protected memory area: collecting guest system data; no interference with malware; isolation from the corrupted system.
  37. Thank you. DISCLAIMER: I rarely tweet about computer security. Feel free to contact me! francesco.gadaleta@cs.kuleuven.be, http://frag.gadaleta.org, @fragadaleta