We present HyperForce, a framework which allows the deployment of security-critical code in a way that significantly outperforms previous in-hypervisor systems while maintaining similar guarantees with respect to security and integrity. HyperForce is a hybrid system which combines the performance of an in-guest security mechanism with the security of an in-hypervisor one.
5. A 2010 report by McAfee revealed that the cost to
corporations of work time lost due to virus attacks
was $6.3m/day
Employee salary: $3000
Employee salary/day: $100
Num. of employees wasting work time: 63,000 ($6.3m/day divided by $100/day)
6. The 2007 Malware Report by Computer Economics on the annual
worldwide economic damage caused by malicious code attacks
on organizations put the costs at $13.3 billion
A Fox News report in 2009 estimated that $86 billion is lost
worldwide annually.
15. WE SAID
helloROOTKITty
Phase 1: collecting addresses of data structures to protect
[Figure: a trusted module inside the guest kernel (guest memory space) collects, for each object to protect, its physical address, size and flags, and hands that list to the hypervisor (hypervisor memory space)]
16. WE SAID
helloROOTKITty
Phase 2: check integrity within the hypervisor mem. space
[Figure: guest kernel in guest memory space; hypervisor in hypervisor memory space. The hypervisor keeps the table below and re-hashes each protected region]
phys addr    size  hash
0xC1234567   128   abcd
0xC3214567   128   abde
0xC421456A   64    1234
0xC521456C   4     4321
17. WE SAID
helloROOTKITty
Phase 3: repair compromised objects (*)
[Figure: same layout as phase 2; the hypervisor-side table of protected objects]
phys addr    size  hash
0xC1234567   128   abcd
0xC3214567   128   abde
0xC421456A   64    1234
0xC521456C   4     4321
(*) if original content has been provided
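The three phases of the slides (register the regions to protect, re-hash them from outside the guest, restore the ones whose original content was kept), as an added simulation that is not HelloRootkitty's or HyperForce's code. It assumes guest physical memory can be modelled as offsets into one buffer, uses FNV-1a 64 as the hash (the slides do not state which hash the project uses), and caps the stored original copy at 256 bytes per object; all of these are assumptions of the example.

```c
/* Added example (not the project's code): simulate the three HelloRootkitty
 * phases over a constructed "guest memory" buffer. Physical addresses are
 * modelled as offsets into guest_mem; FNV-1a 64 stands in for the hash,
 * which the slides do not name (assumption). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define GUEST_MEM_SIZE 4096
#define MAX_OBJECTS    16
#define MAX_ORIGINAL   256   /* assumed cap on the saved copy used for repair */

static uint8_t guest_mem[GUEST_MEM_SIZE];   /* constructed guest physical memory */

/* One row of the hypervisor-side table (the output of phase 1): where the
 * object lives, how big it is, its known-good hash and, optionally, a copy
 * of the original content that phase 3 uses to repair it. */
struct protected_obj {
    size_t   phys_addr;      /* offset into guest_mem */
    size_t   size;
    uint64_t hash;
    int      have_original;
    uint8_t  original[MAX_ORIGINAL];
};

static struct protected_obj table[MAX_OBJECTS];
static size_t table_len;

void reset_table(void) { table_len = 0; }

static uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Phase 1: the trusted module registers an object; the hypervisor records its
 * hash and, if asked, a copy of its content. Returns 0 on success, -1 if the
 * region is out of bounds, too large for the copy, or the table is full. */
int protect_object(size_t phys_addr, size_t size, int keep_original) {
    if (table_len >= MAX_OBJECTS || size > MAX_ORIGINAL ||
        phys_addr >= GUEST_MEM_SIZE || size > GUEST_MEM_SIZE - phys_addr)
        return -1;
    struct protected_obj *o = &table[table_len++];
    o->phys_addr = phys_addr;
    o->size = size;
    o->hash = fnv1a64(&guest_mem[phys_addr], size);
    o->have_original = keep_original;
    if (keep_original) memcpy(o->original, &guest_mem[phys_addr], size);
    return 0;
}

/* Phase 2: re-hash every registered object from the hypervisor side and
 * compare with the table. Returns the number of compromised objects; the
 * first max_bad of their table indexes are written to bad[]. */
size_t check_integrity(size_t *bad, size_t max_bad) {
    size_t n = 0;
    for (size_t i = 0; i < table_len; i++) {
        uint64_t h = fnv1a64(&guest_mem[table[i].phys_addr], table[i].size);
        if (h != table[i].hash) {
            if (n < max_bad) bad[n] = i;
            n++;
        }
    }
    return n;
}

/* Phase 3: restore an object from the stored copy. Returns 1 if repaired,
 * 0 if no original content was provided for it (the slide's (*) caveat). */
int repair_object(size_t idx) {
    struct protected_obj *o = &table[idx];
    if (idx >= table_len || !o->have_original) return 0;
    memcpy(&guest_mem[o->phys_addr], o->original, o->size);
    return 1;
}

int main(void) {
    size_t bad[MAX_OBJECTS];
    memset(guest_mem, 0x41, sizeof guest_mem);   /* constructed guest contents */
    protect_object(0x100, 128, 1);               /* protected, copy kept */
    protect_object(0x200, 64, 0);                /* protected, no copy */
    guest_mem[0x110] = 0xCC;                     /* simulated rootkit patches */
    guest_mem[0x230] = 0xCC;
    size_t n = check_integrity(bad, MAX_OBJECTS);
    printf("compromised objects: %zu\n", n);
    for (size_t i = 0; i < n; i++)
        printf("object %zu at 0x%zx: %s\n", bad[i], table[bad[i]].phys_addr,
               repair_object(bad[i]) ? "repaired" : "no original, cannot repair");
    return 0;
}
```

The second object shows why the slide marks phase 3 with (*): without a saved copy the hypervisor can only report the tampering, not undo it, so the table row for such an object costs less memory but buys detection only.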
18. Performance
Checks occur at specific moments
Problem must be relaxed (split huge lists of objects)
In-hypervisor approach: guest introspection and mapping guest memory from
the hypervisor is not cheap
30. What now?
don't worry, we will be all virtualized soon, that's good!
We presented a framework to enforce in-guest execution of
critical code
Specifically related to mitigation of rootkits
HelloRootkitty protects with small performance impact
HelloRootkitty in HyperForce does it much faster
36. What's next?
Use the framework for other types of mitigation
Store something "smarter" in the protected memory area
. collecting guest system data
. no interference with malware
. isolation from corrupted system
38. Thank you.
DISCLAIMER: Feel free to contact me! I rarely tweet about computer security
francesco.gadaleta@cs.kuleuven.be
http://frag.gadaleta.org
@fragadaleta