HyperForce: Hypervisor-enForced
Execution of Security-Critical Code




  Francesco Gadaleta, Nick Nikiforakis, J.T. Muehlberg, Wouter Joosen
  Katholieke Universiteit Leuven Belgium
Outline

what’s the matter?

virtualization technology

our countermeasure

conclusion
Keywords: cryptography, malware, policy, management, virtualization, compliance, hashing, attack, key logger, framework, engineering, technology, network, system, library, botnet, computer, buffer overflow, compiler, secure, embedded, security, low level, instruction, virtual machine, countermeasure, hardware, malicious, legislation, language
security is an issue
A 2010 report by McAfee revealed that the cost to corporations of work time lost due to virus attacks was $6.3m/day

Employee salary:                      $3000
Employee salary/day:                  $100
Num. of employees wasting work time:  63,000
The 2007 Malware Report by Computer Economics on the annual worldwide economic damage caused by malicious code attacks on organizations put the costs at $13.3 billion

A Fox News report in 2009 estimated that $86b is lost worldwide annually.
DEMO TIME
VIRTUALIZATION TECHNOLOGY

  HYPERVISOR
  HARDWARE (VT-D)
Nice, but...

Hardware costs

Maintenance costs
(sys admin, power consumption)

Performance costs
ROOTKITS: A PROBLEM

malicious, dangerous, stealthy, insidious

detection is hard
WE SAID helloROOTKITty

Phase 1: collecting addresses of data structures to protect

  guest memory space (guest kernel): a trusted module collects the list of
  critical kernel objects to protect and hands it to the hypervisor

    phys addr    size   flags
    0xC1234567   128
    0xC3214567   128
    0xC421456A   64
    0xC521456C   4

  hypervisor memory space (hypervisor): stores the list
WE SAID helloROOTKITty

Phase 2: check integrity within the hypervisor mem. space

  guest memory space: guest kernel (objects are read, not trusted)

  hypervisor memory space: the hypervisor keeps a hash per object and
  rehashes the guest memory to compare

    phys addr    size   hash
    0xC1234567   128    abcd
    0xC3214567   128    abde
    0xC421456A   64     1234
    0xC521456C   4      4321
WE SAID helloROOTKITty

Phase 3: repair compromised objects (*)

  guest memory space: guest kernel (object whose hash no longer matches
  is overwritten with the known-good content)

  hypervisor memory space:

    phys addr    size   hash
    0xC1234567   128    abcd
    0xC3214567   128    abde
    0xC421456A   64     1234
    0xC521456C   4      4321

(*) if original content has been provided
Performance

Checks occur at specific moments

Problem must be relaxed (split huge lists of objects so that a single check does not walk them all)

In-hypervisor approach: guest introspection and mapping guest memory from the hypervisor is not cheap
HyperForce APPROACH

  guest kernel
    monitor (trusted) code

  HYPERVISOR

  HARDWARE (VT-D)
  1. a (virtual) hardware device raises an interrupt
  2. the guest kernel executes the interrupt handler registered in the IDT
  3. the interrupt handler is the monitoring code: the monitor (trusted)
     code runs inside the guest kernel

  virtual:    guest kernel, IDT, monitor (trusted) code
              HYPERVISOR
  physical:   HARDWARE (VT-D)
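The three HelloRootkitty phases above (collect addresses, hash and compare in protected memory, repair from a golden copy) and the HyperForce move of running the checker from an in-guest interrupt handler, as one added C simulation. This is not the authors' code: the guest kernel objects are ordinary arrays in one process, the hypervisor-protected table is a struct the "guest" code never touches, the interrupt is a plain function call, FNV-1a stands in for whatever digest the real system uses, and every name (hv_register, hyperforce_tick, fake_sys_call_table, ...) is invented for the example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#define MAX_OBJECTS 16
#define MAX_COPY    64   /* bytes of golden copy kept per object (assumption) */
/* Record kept outside the guest's reach: address, size, hash at registration,
 * and an optional golden copy that makes repair (Phase 3) possible. */
struct protected_obj {
    uint8_t *addr;                    /* stands in for the guest physical address */
    size_t size; uint64_t hash;
    uint8_t orig[MAX_COPY]; int has_orig;
};
struct hv_table {
    struct protected_obj obj[MAX_OBJECTS];
    size_t count, cursor;             /* cursor: next object to check */
};

/* FNV-1a 64-bit stands in for a real digest; acceptable only because the table is assumed unreachable from the guest. */
static uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Phase 1: the trusted module reports (address, size); hash once and, when
 * asked, keep a golden copy for repair. */
int hv_register(struct hv_table *t, void *addr, size_t size, int keep_copy)
{
    if (t->count >= MAX_OBJECTS || (keep_copy && size > MAX_COPY))
        return -1;
    struct protected_obj *o = &t->obj[t->count++];
    o->addr = addr;
    o->size = size;
    o->hash = fnv1a64(o->addr, size);
    o->has_orig = keep_copy;
    if (keep_copy)
        memcpy(o->orig, addr, size);
    return 0;
}

/* Phases 2 and 3 for one object: rehash, compare, repair if a copy exists.
 * Returns 0 = intact, 1 = modified and repaired, 2 = modified, no copy. */
int hv_check_one(struct protected_obj *o)
{
    if (fnv1a64(o->addr, o->size) == o->hash)
        return 0;
    if (o->has_orig) {
        memcpy(o->addr, o->orig, o->size);
        return 1;
    }
    return 2;
}

/* HyperForce entry point: body of the interrupt handler installed in the guest
 * IDT. A virtual device raises the interrupt, the guest dispatches here, and only
 * `batch` objects are checked round-robin per interrupt. Returns how many were modified. */
int hyperforce_tick(struct hv_table *t, size_t batch)
{
    int modified = 0;
    for (size_t i = 0; i < batch && t->count > 0; i++) {
        if (hv_check_one(&t->obj[t->cursor]) != 0)
            modified++;
        t->cursor = (t->cursor + 1) % t->count;
    }
    return modified;
}

/* Constructed guest state: a stand-in syscall table and a flag word, the kind
 * of objects a rootkit overwrites and HelloRootkitty protects. */
typedef long (*syscall_fn)(void);
static long sys_real(void)   { return 42; }
static long sys_hooked(void) { return -1; }    /* the rootkit's replacement */
static syscall_fn fake_sys_call_table[4] = { sys_real, sys_real, sys_real, sys_real };
static uint32_t   fake_flags = 0x1;

/* Register both objects, let the "rootkit" tamper, deliver two interrupts of
 * batch 1. Returns the number of modifications detected. */
int run_demo(void)
{
    struct hv_table hv = { .count = 0, .cursor = 0 };
    hv_register(&hv, fake_sys_call_table, sizeof fake_sys_call_table, 1);
    hv_register(&hv, &fake_flags, sizeof fake_flags, 0);
    fake_sys_call_table[2] = sys_hooked;        /* hook a syscall */
    fake_flags = 0x0;                           /* flip a protected flag */
    int detected = hyperforce_tick(&hv, 1);     /* object 0: hook found, repaired */
    detected += hyperforce_tick(&hv, 1);        /* object 1: found, no copy to restore */
    return detected;
}

/* After run_demo(): is the hook gone and the real handler back in place? */
int demo_table_repaired(void)
{
    return fake_sys_call_table[2] == sys_real && fake_sys_call_table[2]() == 42;
}

int main(void)
{
    int n = run_demo();
    printf("modified objects detected: %d, table repaired: %d\n", n, demo_table_repaired());
    return 0;
}
```

The round-robin cursor is the "split huge lists of objects" relaxation from the Performance slide: each interrupt pays for `batch` hashes instead of the whole list, and an object modified right after its slot was checked is only caught one full rotation later, which is why the worst-case detection time for one object out of 15000 is what the slides measure. In the real design the table and the handler live in memory the hypervisor keeps the guest from writing; here that separation is only by convention.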
Performance: hardware & software

  CPU               Intel Core 2 Duo Pro VT-D
  RAM               4GB
  Hypervisor        Linux KVM-drv
  Virtual machine   QEMU-kvm
Performance: in-host speedup (HelloRootkitty vs. HelloRootkitty with HyperForce)

  context switch   26%
  mem. map         19%
  page fault        7%
  mem. lat         11%
Performance: in-guest speedup (HelloRootkitty vs. HelloRootkitty with HyperForce)

  context switch       10%
  fork syscall          8%
  open/close syscall   10%
  signal handling      51%
Performance: detection time

Detection of 1 over 15000 critical kernel objects (worst case)

[bar chart: HelloRootkitty vs. HelloRootkitty with HyperForce]
Is this working?
CONCLUSION
What now?

We will all be virtualized soon. Don't worry, that's good!

We presented a framework to enforce in-guest execution of critical code

Specifically related to mitigation of rootkits
HelloRootkitty protects with small performance impact

HelloRootkitty in HyperForce does it much faster
What’s next?
Use the framework for other types of mitigation
What’s next?
Use the framework for other types of mitigation


Store something “smarter” in the protected memory
area
What’s next?
Use the framework for other types of mitigation


Store something “smarter” in the protected memory
area
                  . collecting guest system data

                  . no interference with malware

                  . isolation from corrupted system
Thank you.

DISCLAIMER: I rarely tweet about computer security

Feel free to contact me!
francesco.gadaleta@cs.kuleuven.be
http://frag.gadaleta.org
@fragadaleta

tefsom