[2014 CodeEngn Conference 10] 김학수 - 하이퍼바이저 루트킷, 어디까지 가봤니

2014 CodeEngn Conference 10

For anyone interested in virtualization!!

Many of the programs we use, such as VMware, Parallels and Google Drive, contain hypervisor technology. Because this technology sits at Ring -1, it runs with higher privilege than the kernel using instructions provided by the CPU. A Hypervisor Rootkit is built by hooking such a hypervisor: it hooks and infects the hypervisor at Ring -1 and then performs whatever actions it wants. Through a demonstration and scenarios, we look at how such a rootkit can be used for everything from evading antivirus detection to infecting cloud systems.

http://codeengn.com/conference/10
http://codeengn.com/conference/archive


  1. A novice analyst's tearful introduction to virtualization. www.CodeEngn.com, 2014 CodeEngn Conference 10
  2. Index (ⓒ 2014 CodeEngn hakbaby)
     - About Hypervisor: Origin of the Hypervisor; Hardware Assisted Virtualization
     - Attack Hypervisor: HVM Rootkit; SMM Rootkit; Hypervisor in Cloud
     - Protect Hypervisor: Trust Execution Technology; Secure Virtual Machine
  3. Virtualization: a technology that lets several operating systems run on a single piece of hardware.
  4. Virtualization – Hypervisor?! A technology that lets several operating systems run on a single piece of hardware; the logical platform needed to implement virtualization is the Hypervisor.
  5. Origin of the Hypervisor - Emulator: the operating system is matched one-to-one to the hardware and its instructions are rewritten (Binary Translation). [Diagram: Hardware (Intel IA-32: CPU, Memory, NIC, Disk), Blade Hardware, Other Hardware; Host PC OS (Windows 8); Emulation Engine (ARM) running Guest OS (Android); Emulation Engine (IBM Power PC) running Guest OS (MAC OS X); Application. Binary Translation example: MOV R0, R1 becomes MOV EAX, EBX.]
  6. Origin of the Hypervisor – Full & Para. Full Virtualization: the whole system is virtualized, completely emulating the system's BIOS, CPU, memory and so on. [Diagram: Ring 3 (User Application), Ring 2, Ring 1 (Guest OS), Ring 0 (Virtual Machine Monitor), Host Computer System Hardware; Direct Execution (User Request); Binary Translation.]
  7. Emulation vs Virtualization: What's different? [Diagram, Virtualization: Hardware (Intel IA-32), Virtual Machine Monitor, Host PC OS (Windows 8), Guest OS (Windows XP), Guest OS (Ubuntu), Application. Diagram, Emulator: Hardware (Intel IA-32), Host PC OS (Windows 8), Emulation Engine (ARM) with Guest OS (Android), Emulation Engine (IBM Power PC) with Guest OS (MAC), Application.]
  8. Origin of the Hypervisor – Full & Para. Para Virtualization: the Guest OS kernel is partly modified, and OS-level requests are handled by Hypercalls. [Diagram: Hypervisor Call (Hypercall); Ring 3 (User Application), Ring 2, Ring 1, Ring 0 (Modified-Guest OS), Virtual Machine Monitor, Host Computer System Hardware; Direct Execution (User Request).]
  9. Para Virtualization – Hypercall? [Diagram, System Calls on Windows: INT 2E goes through the Interrupt Descriptor Table to an Interrupt Gate Descriptor (ISR Offset, Segment Selector, Privilege Level (DPL)), then through the Global Descriptor Table to a Code Descriptor (Code Segment Base Address); SYSENTER goes through SYSENTER_EIP (MSR). Both reach the System Service Dispatcher (KiSystemService), which uses KeServiceDescriptorTable, the Service Descriptor Table (Service Table, Counter Table, Service Limit, Argument Table), the System Service Tables of ntoskrnl.exe and win32k.sys, and the System Service Dispatch Table indexed by EAX to find the Function Address of the Kernel Function.]
  10. Hypervisor: Hardware-Assist Virtualization. Binary Translation, the largest source of overhead in virtualization, is removed and the CPU itself starts to provide support. [Diagram: Ring 3 (User Application), Ring 2, Ring 1, Ring 0 (Guest OS) run at Non-Root Mode Privilege Levels, where execution of certain instructions and control of the H/W are partly restricted; the Hypervisor Layer runs at Root Mode Privilege Levels and holds full control over the CPU and H/W; Host Computer System Hardware; Direct Execution (User Request). Intel Virtual Machine Monitor & Guests: VMXON and VMXOFF enter and leave VMX operation; VM Entry and VM Exit move between the VM Monitor and Guest 0 / Guest 1.]
  11. Hypervisor – Type of Hypervisor. Native (Bare Metal): sits directly on the host's hardware and is responsible for hardware control and Guest OS monitoring. Hosted: sits on the host's operating system and, acting simply as software, manages the Guest OS.
  12. Attack of Hypervisor: Virtual Machine Extensions. [Diagram, Intel VT-x: Applications at Ring 3 on Guest OS (Windows XP) and Guest OS (Ubuntu) at Ring 0; in Root Mode: VMM Configuration, VMM Control Structure (VMCS), Memory and I/O Virtualization, Virtual CPU, Host PC Hardware; VM Entry and VM Exit, steps ① to ⑤.]
  13. HVM Rootkit: HVM. Hardware-assisted Virtualization Machine (HVM): an HVM normally configures a VMCS to run a Guest OS; while the Guest OS's code executes, performing one of the configured actions causes an Exit, which the VMM then handles. [Diagram, Hypervisor – Virtual Machine Control Data Structures (VMCS): VM Guest 0 to Guest 3, each with its own VMCS; the Active VMCS and Current VMCS pointers. Drawn beside the Operating System's Kernel Processor Control Block (KPRCB) for comparison: *CurrentThread, *NextThread, *IdleThread; KPROCESS / EPROCESS linked by LIST_ENTRY { FLINK, BLINK }; KTHREAD / ETHREAD with ApcState.]
  14. Hypervisor: VMCS (Intel). The structure that controls VMX Non-Root operation and VMX transitions. [Diagram, States of VMCS X: Inactive / Not Current / Clear becomes Active / Current / Clear on VMPTRLD X; VMLAUNCH moves it to Active / Current / Launched; VMPTRLD Y makes X Active / Not Current (Clear or Launched, unchanged); VMPTRLD X makes it Current again; VMCLEAR X from any other state returns it to Inactive / Not Current / Clear.]
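The VMCS state diagram on slides 13 and 14 is easier to reason about as a small state machine. The following is an added example, not code from the talk or from any hypervisor project: a pure software model of how VMPTRLD, VMCLEAR, VMLAUNCH and VMRESUME move a VMCS between the Active/Inactive, Current/Not Current and Clear/Launched states, with the per-processor current-VMCS pointer kept as a plain attribute. Nothing here executes real VT-x instructions; the VMRESUME precondition (a launched current VMCS) is taken from the Intel SDM rather than from the slide.

```python
"""Software model of the 'States of VMCS X' diagram (added example)."""
from dataclasses import dataclass


class VmFail(Exception):
    """Stands in for the VMfail outcome real hardware reports."""


@dataclass
class Vmcs:
    name: str
    active: bool = False    # loaded on this logical processor since the last VMCLEAR
    launched: bool = False  # a VMLAUNCH has succeeded since the last VMCLEAR


class LogicalProcessor:
    """One logical processor in VMX root operation; owns the current-VMCS pointer."""

    def __init__(self):
        self.current = None

    def state_of(self, vmcs):
        """Return the (activity, currency, launch state) triple the diagram uses."""
        return (
            "Active" if vmcs.active else "Inactive",
            "Current" if self.current is vmcs else "Not Current",
            "Launched" if vmcs.launched else "Clear",
        )

    def vmptrld(self, vmcs):
        # VMPTRLD X: X becomes active and current; the previously current VMCS
        # stays active but is no longer current.  Launch state is unchanged.
        vmcs.active = True
        self.current = vmcs

    def vmclear(self, vmcs):
        # VMCLEAR X: X becomes inactive, not current and clear, from any state.
        vmcs.active = False
        vmcs.launched = False
        if self.current is vmcs:
            self.current = None

    def vmlaunch(self):
        # VMLAUNCH needs a current VMCS whose launch state is clear.
        if self.current is None:
            raise VmFail("VMLAUNCH with no current VMCS")
        if self.current.launched:
            raise VmFail("VMLAUNCH on a launched VMCS (VMRESUME is required)")
        self.current.launched = True
        return self.current

    def vmresume(self):
        # VMRESUME needs a current VMCS whose launch state is launched.
        if self.current is None or not self.current.launched:
            raise VmFail("VMRESUME on a VMCS that was never launched")
        return self.current


def walk_slide_diagram():
    """Replay the transitions drawn on the slide; return the states X visits."""
    cpu = LogicalProcessor()
    x, y = Vmcs("X"), Vmcs("Y")
    visited = [cpu.state_of(x)]        # Inactive / Not Current / Clear
    cpu.vmptrld(x)
    visited.append(cpu.state_of(x))    # Active / Current / Clear
    cpu.vmlaunch()
    visited.append(cpu.state_of(x))    # Active / Current / Launched
    cpu.vmptrld(y)
    visited.append(cpu.state_of(x))    # Active / Not Current / Launched
    cpu.vmptrld(x)
    visited.append(cpu.state_of(x))    # Active / Current / Launched again
    cpu.vmclear(x)
    visited.append(cpu.state_of(x))    # Inactive / Not Current / Clear
    return visited


if __name__ == "__main__":
    for state in walk_slide_diagram():
        print(" / ".join(state))
```

The model makes the two VMfail cases explicit: a second VMLAUNCH on an already launched VMCS fails, and VMRESUME on a VMCS that was cleared or never launched fails, which is exactly why a VMM keeps track of launch state per guest rather than per processor.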
  15. HVM Rootkit: VMRUN Instruction. [Diagram: the VMCB (AMD) holds the guest state and the specification of which guest events are intercepted. Instruction flow outside the matrix: the Host PC (Hypervisor) executes VMRUN. Instruction flow inside the guest: the Virtual Machine runs until the guest is intercepted; the exit code is written to the VMCB on exit and execution resumes at the next instruction after VMRUN.]
  16. HVM Rootkit: Blue Pill Infection. [Diagram: the Native Operating System executes CALL BluePill. Only during the first call, the Blue Pill hypervisor enables SVM, prepares the VMCB (saving the RIP), executes VMRUN and then checks VMCS.exitcode. The RET from the Blue Pill PROC is never reached in host mode and is executed only once, in guest mode: the Native Operating System continues to execute, but this time inside a Virtual Machine.]
  17. HVM Rootkit: Blue Pill. [Diagram: Instdrv.exe loads Bluepill.sys into CPU Ring 0 on the Host; VMCB; steps ① to ③.]
  18. HVM Rootkit: Blue Pill. [Diagram: Instdrv.exe, Bluepill.sys, CPU Ring 0, VMCB, Host; the Bluepill Hypervisor now sits underneath, step ④.]
  19. Cheat Engine - DBVM (screenshot)
  20. Cheat Engine - DBVM (screenshot)
  21. Cheat Engine - DBVM (screenshot)
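Slides 16 to 21 show thin hypervisors (Blue Pill, DBVM) that slide underneath a running OS. The first thing a defender checks from inside the guest is whether the CPU admits to a hypervisor at all. The following is an added example, not code from the talk, Blue Pill or DBVM: it decodes the two CPUID fields used for that check from register values the caller supplies (constructed below, so it runs offline; on a real machine they would come from the CPUID instruction). Facts used: CPUID leaf 1 ECX bit 31 is the hypervisor-present bit, leaf 0x40000000 returns the highest hypervisor leaf in EAX and a 12-byte vendor signature packed little-endian across EBX, ECX and EDX, and Linux mirrors the bit as the `hypervisor` flag in /proc/cpuinfo. The sample CPUID values and the cpuinfo text are constructed, not captured from a real machine.

```python
"""Decode the CPUID hypervisor-presence fields (added example)."""
import struct

HV_PRESENT_BIT = 1 << 31   # CPUID.1:ECX[31]
HV_LEAF = 0x40000000       # hypervisor vendor leaf


def encode_vendor(signature):
    """Pack a 12-byte vendor signature into (EBX, ECX, EDX) the way hardware
    returns it; used only to build the constructed samples below."""
    raw = signature.encode("ascii").ljust(12, b"\0")[:12]
    return struct.unpack("<III", raw)


def decode_vendor(ebx, ecx, edx):
    """Inverse of encode_vendor: registers back to the signature, NULs stripped."""
    raw = struct.pack("<III", ebx, ecx, edx)
    return raw.rstrip(b"\0").decode("ascii", errors="replace")


def inspect_cpuid(cpuid):
    """cpuid: dict mapping leaf -> (eax, ebx, ecx, edx).  Returns a report.

    A hypervisor that wants to be seen sets the bit and fills leaf 0x40000000.
    A thin HVM rootkit that passes CPUID straight through to the host CPU
    changes neither, so a clean report is evidence only about hypervisors
    that choose to announce themselves; that is the limit of this check.
    """
    _, _, ecx1, _ = cpuid[1]
    bit_set = bool(ecx1 & HV_PRESENT_BIT)
    vendor, max_leaf = "", 0
    if HV_LEAF in cpuid:
        max_leaf, ebx, ecx, edx = cpuid[HV_LEAF]
        vendor = decode_vendor(ebx, ecx, edx)
    return {
        "hypervisor_bit": bit_set,
        "vendor": vendor,
        "max_hv_leaf": max_leaf,
        # bit without a vendor leaf, or a vendor leaf without the bit, is odd
        "consistent": bit_set == bool(vendor),
    }


def hypervisor_flag_from_cpuinfo(text):
    """Linux exposes CPUID.1:ECX[31] as the 'hypervisor' flag in /proc/cpuinfo."""
    for line in text.splitlines():
        if line.startswith("flags"):
            return "hypervisor" in line.split(":", 1)[1].split()
    return False


# Constructed samples (not captured from any real machine).
KVM_GUEST = {
    1: (0, 0, HV_PRESENT_BIT, 0),
    HV_LEAF: (0x40000001, *encode_vendor("KVMKVMKVM")),
}
BARE_METAL = {
    1: (0, 0, 0, 0),
}
CPUINFO_SAMPLE = "processor\t: 0\nflags\t\t: fpu vme hypervisor sse2\n"

if __name__ == "__main__":
    print(inspect_cpuid(KVM_GUEST))
    print(inspect_cpuid(BARE_METAL))
    print(hypervisor_flag_from_cpuinfo(CPUINFO_SAMPLE))
```

The `consistent` field is the useful part for a defender: a cooperative hypervisor (KVM, VMware, Hyper-V, Xen) reports both fields together, and a mismatch between them is worth a closer look, while a silent hypervisor of the Blue Pill kind produces the same report as bare metal and has to be found by other means (the TXT and SVM measures on the later slides).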
  22. Imagine of Story! Cloud Computing: computing that lets IT services such as data storage, networking and content be used all at once through servers on the Internet.
  23. Cloud Computing Services. [Diagram: Software as a Service (End Users), Platform as a Service (Application Developers), Infrastructure as a Service (Network Architects); underneath: Network, Storage, Server, Virtualization.]
  24. Attack of Cloud System! [Diagram: Cloud Hypervisor on Cloud Physical Hardware, hosting Guest 0, Guest 1, Guest 2, Guest 3 ... Guest X.]
  25. Attack of Cloud System! [Diagram: Infected-Cloud Hypervisor on Cloud Physical Hardware, hosting Guest 0, Infected-Guest 1, Guest 2, Guest 3 ... Guest X; steps ① to ③: Control Another Guest OS.]
  26. So, How Detected? Trust Execution Technology (TXT); Secure Virtual Machine (SVM).
  27. INTEL – Trust Execution Technology. [Diagram: INTEL TXT measures each Hardware + Hypervisor pair and reports MATCH or NO MATCH.]
  28. Trusted Platform Module: TPM. A dedicated microprocessor designed to protect hardware by integrating cryptographic keys into the device.
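The MATCH / NO MATCH picture on slides 26 to 28 comes down to one rule: a TPM PCR can only be extended, never set, so the value at the end of a boot commits to every component that was measured into it. The following is an added example, not code from the talk or from Intel TXT: it models only the PCR-extend rule (new PCR = SHA-256(old PCR || measurement)) and compares a launch-time measurement of the firmware and hypervisor images against a value recorded at provisioning time. The component images are constructed byte strings, not real firmware, and the real TXT launch (SINIT, MLE, launch control policy) is not modelled.

```python
"""Model of a measured launch and its MATCH / NO MATCH decision (added example)."""
import hashlib

PCR_SIZE = 32  # a SHA-256 PCR bank


def pcr_extend(pcr, measurement):
    """TPM extend: the PCR moves forward only by hashing another value into it."""
    assert len(pcr) == PCR_SIZE
    return hashlib.sha256(pcr + measurement).digest()


def measure(image):
    """The measurement of a component is the hash of its image."""
    return hashlib.sha256(image).digest()


def measured_launch(components):
    """Extend each boot component, in order, into a PCR that starts at its reset value (all zeros)."""
    pcr = bytes(PCR_SIZE)
    for image in components:
        pcr = pcr_extend(pcr, measure(image))
    return pcr


def verify_launch(components, golden_pcr):
    """'MATCH' when the launched stack equals the provisioned one, else 'NO MATCH'."""
    return "MATCH" if measured_launch(components) == golden_pcr else "NO MATCH"


# Constructed images standing in for the platform firmware and the hypervisor.
FIRMWARE = b"constructed-firmware-image-v1"
HYPERVISOR = b"constructed-hypervisor-image-v1"
GOLDEN_PCR = measured_launch([FIRMWARE, HYPERVISOR])  # recorded at provisioning

# A hypervisor whose image has been altered in place: a single byte differs.
INFECTED_HYPERVISOR = HYPERVISOR[:-1] + b"2"


def demo():
    """Run the three cases a verifier cares about and return the decisions."""
    return {
        "clean": verify_launch([FIRMWARE, HYPERVISOR], GOLDEN_PCR),
        "infected": verify_launch([FIRMWARE, INFECTED_HYPERVISOR], GOLDEN_PCR),
        # Order is part of the commitment: the same images extended in a
        # different order produce a different PCR.
        "reordered": verify_launch([HYPERVISOR, FIRMWARE], GOLDEN_PCR),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>10}: {result}")
```

Two design points follow from the model. First, the verifier never needs the images themselves, only the golden PCR, so the comparison can be done by a remote party over an attestation quote. Second, the PCR only vouches for what was extended into it: a hypervisor that slides in after the measured launch, the way the Blue Pill slides describe, is not in this value unless something later measures it too.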
  29. Conclusion
  30. Reference
     - Intel, "Intel 64 and IA-32 Architectures Software Developer's Manual"
     - David Chisnall, "Xen 하이퍼바이저 완벽 가이드" (Korean edition of "The Definitive Guide to the Xen Hypervisor")
     - Joanna Rutkowska, "Introducing Blue Pill"
     - Rafal Wojtczuk, Joanna Rutkowska, "Attacking Intel Trusted Execution Technology"
     - Hanbum Bak, "Virtualization Technology for Security"
     - MJ0011, "Analyzing VMware Operating System & Detecting Rootkit from Outside"
     - Farzad Sabahi, "Secure Virtualization for Cloud Environment Using Hypervisor-based Technology"
     - Rafal Wojtczuk, Joanna Rutkowska, "Attacking Intel TXT via SINIT Code Execution Hijacking"
  31. Speaker Info: Kim Haksu (김학수), Department of Information Security, Soonchunhyang University, SecurityFirst. hakbaby92@gmail.com (fb.com/hakbaby). www.CodeEngn.com, 2014 CodeEngn Conference 10
