SlideShare a Scribd company logo
Virtual Machine
Introspection
Tamas K Lengyel
tamas@tklengyel.com
Thomas Kittel
kittel@sec.in.tum.de
Agenda
1. Motivation
2. What is VMI + Xen + demos
– Isolation
– Interpretation
– Interposition
3. Cloud security + open problems
– Kernel code integrity
4. Conclusion
Our motivation
● Malware collection
● Malware analysis
● Intrusion detection
● Intrusion prevention
● Stealthy debugging
● Cloud security
● Mobile security
Not our motivation
● DRM
● MITM
● Espionage
● Stealth rootkits
Common approaches
● In-guest agents
– Easy to implement
– No isolation
● Network monitor
– Has isolation
– Limited or no context
● Scan VM disk and memory
– Has isolation and context
– Passive view
What is VMI
● Reconstruct high-level state information from
hardware view
– Similar concept to deep packet inspection
● Isolation
– Increased resiliency
● Interpretation
– Complete view of the system
● Interposition
– Control over the execution flow
Isolation
● Reconstruct state without executing code in the
guest
– Avoid in-guest hooks
● Tampering is hard(er)
– Hypervisor based isolation
– Increased trust in the code
● Performance gain
– No “anti-virus storm”
Interpretation
● Understand virtual hardware
– Heavy focus on memory
– vCPU, disk & network
● Reconstruction of state is hard and error-prone
– Complexity
– Requires lots of reverse engineering for Windows
● What data can we trust?
Paging woes
● x86, x86+PS, x86+PAE, IA32E
● Bits 9-11 of the PTE are available bits for the OS
to use as it sees fit
● Paging is different for Windows and Linux!
– if (entry & (1 << 11)) and not entry & (1 << 10)
● Accurate reconstruction is complex
Paging woes
● Paged out memory
– Find and interpret swap file on disk
– Semantics of the swap file defined by the OS
– More complexity
● Xen to the rescue
– Inject page faults via the hypervisor!
– Memory pages can be transparently brought back
– Takes time
– Available starting with Xen 4.5
Paging woes
● Forensics tools need to scan for potential page
tables
overlay = {'VOLATILITY_MAGIC': [ None, {
'DTBSignature' : [ None, ['VolatilityMagic',
dict(value = "x03x00x1bx00")
]],
…
● This is actually a signature for a process
● With VMI we can just use the CR3 from the vCPU
Mapping the kernel
● Requires debug data
● Microsoft gives easy access to it
– Proprietary format
– Has been reverse engineered
– Rekall nicely dumps it into JSON format
● Linux is more problematic
– No cross-distro central repository available
– Fedora DarkServer is a step in the right direction
Scanning woes
● Scanning for the kernel, processes, files, etc.
– Relying on pool tag headers
– 4-byte description (KDBG, Proc, File, etc.)
– Meta-information about type of kernel heap allocation
● Partial structures, old structures, false positives
– Memory doesn't get reset to zero on free
– More heuristics needed to validate hits
– More heuristics = more complexity = more fragile
Anti-forensics
● 2012: One-byte Modification for Breaking Memory
Forensic Analysis
● 2014: ADD - Complicating Memory Forensics
Through Memory Disarray
Fundamental problems with trusting data!
● Scanning for weak signatures
● Inconsistent memory state
Interposition
● Coherent view into the system
● Avoid scanning
– KDBG scan can be avoided:
vCPU0 FS/GS → _KPCR → Kernel!
– Heap allocations can be monitored directly
● Native support built into Xen, no custom patching!
– Designed for debugging
– Relatively unknown and undocumented feature
Tracing on Xen
● 4 types of events currently supported (Intel only)
– MOV-TO-CR0/CR3/CR4
– Debugging breakpoints (INT3)
– Extended Page Table (EPT) violations
– Monitor Trap Flag (MTF) singlestepping
● The hardware would support many more
– See full list in Intel SDM 3c 25.1.3
LibVMI – http://libvmi.com
● Hypervisor agnostic C library
– Xen, KVM & raw memory dump support
– x86, x86+PS, x86+PAE, IA32E, ARM
– Windows and Linux guest support
– Python interface
– Write code once, deploy on all supported hypervisors
– Read & write memory
– Wrapper around Xen events!
– LGPL
Malware files in memory
● Write-caching buffers writes to the disk
● Temporary files only ever present in memory!
– Common for malware droppers
● Have to catch the delete event or the memory
could get recycled
● Interposition is critical
–
DRAKVUF – http://drakvuf.com
● Agentless dynamic malware analyzer
– GPLv2
– Built on Xen, LibVMI, Volatility & Rekall
● No in-guest agents = no in-guest artifacts
– Malware sample started externally
– Monitor both user- and kernel-mode malware
– Extract ephemeral artifacts
VMIDBG
● Fresh out of the oven!
– GDB integration!
– https://github.com/Zentific/vmidbg
● Stealthy debugging
– Currently supports Linux
– WinDBG integration next!
– Check the readme ;)
Cloud security
● Separate security policy for each cloud user
● Start live monitoring before compromise happens
– Baseline of integrity
● Monitor and protect critical components & paths
– IDT, GDT, SSDT, In-line hooks, etc.
● Trust data that is essential
– If modifying it means it crashes the system, malware
(probably) won’t touch it
But wait..
● Can we really trust any data?
● Hardware reports incomplete trap information
– Read-modify-write (fixed in software in Xen 4.5)
● The Tagged Translation Lookaside Buffer!
– Intel VPID & AMD ASID (2008)
– Entries only visible from within the same context
– The page tables don’t necessarily represent what
translation the guest actually uses
The tagged TLB
● Unique tag for each vCPU so cached entries
survive VMEXIT/VMENTRY
● A rootkit in the guest could muck with the
pagetables after a translation is cached
– Only in-guest code can access the cache!
● Effectiveness varies based on hypervisor and OS
– Xen assigns new tag on each guest MOV-TO-CR3
– Windows 7 frequently flushes global pages
Cloud security
● No need to move everything outside
● Secure in-guest agents
– Better performance, better visibility
– Hybrid approach
– Hardware support coming: Intel #VE
● Alternative approaches
– Reduce the size of the guest system
– MirageOS, NetBSD rumpkernels, OSv
Secure in-guest kernel
● Blacklist approach
– Deny malicious changes
– Need to enumerate all possible things that could go wrong
● Whitelist approach
– Allow only verified changes
– Need to enumerate all valid changes that we want to allow
Kernel Code Integrity
● Linux employs run-time code self-patching
● Need to differentiate between legitimate and
malicious changes
● Load-time patching (architecture specific)
– Load-time patching can be validated during load time
● Run-time patching eg. for hardware hot-plugging
– Run-time patching has to be validated continuously
Kernel run-time patching – Examples
● SMP Locks
– vCPU hot-plug
– Locks needed only if more than one vCPU is present
– Could be used to replace entire functions
● Jump Labels
– In a certain software state some branches are very unlikely
– Jumps are patched out if a function is not required
– The code must be consistent with the systems state
Simple Validation Approaches
● Lock the kernel
– Deny all changes to the code at run-time
– Disables legitimate run-time patching
● Hash the kernel
– White-list all known kernel states
– Number of hashes to maintain grows unbounded
– Separating code from data is non-trivial
– Weird memory optimizations
●
Linux kernel has portions of its large code pages also
mapped into user-space processes
Trap and validate using VMI
● Only allow patching on predefined code locations
– For these locations the patching mechanism is known
– Patches can be retraced and understood
– The patch must match the systems state
● Code patching is not an atomic operation
– System needs to be aware about the intermediate states
● Trap write events to kernel code
– Validate that the current change is not malicious
Summary
● VMI supports a wide spectrum of applications
– Isolation, Interpretation, Interposition
– Balance depends on your use-case
– Pure VMI is not a requirement for all cases
– Hardware support is improving
● Tools are open-source!
– LibVMI http://libvmi.com
– DRAKVUF http://drakvuf.com
● Find us
– #libvmi on Freenode | @tklengyel | kittel@sec.in.tum.de
Acknowledgement
● Zentific: Steve, Matt & Russ
● LibVMI: Bryan & Tony
● Volatility: MHL, moyix, Andrew & gleeda
● Rekall: Scudette
● DARPA: Mudge
● TUM: George, Sebastian & Jonas
Food for thought
Run-time trust may “require deep changes to the way we construct
systems, as we would need a way to tie its low-level implementation to
a high-level semantic description of its runtime behavior in a way that is
verifiable (it would do no good if programs could claim malicious
behavior was something innocent). We can summarize this research
path by asking whether we can ensure that a program
1) says what it does; 2) does what it says; and 3) can prove it.”
Brendan Dolan-Gavitt
Appendix
● https://randomascii.wordpress.com/2013/02/20/symbols-on-
linux-part-three-linux-versus-windows/
● https://archive.org/details/ShmooCon2014_ADD_Complicating
_Memory_Forensics_Through_Memory_Disarray
● http://volatility-labs.blogspot.com/2014/02/add-next-big-threat-
to-memory.html
● http://www.rekall-forensic.com/posts/2014-02-19-profiles.html
● http://www.rekall-forensic.com/posts/2014-02-21-do-we-need-
kdbg.html
● http://www.rekall-forensic.com/posts/2014-10-25-pagefile.html
Appendix
● http://www.sec.in.tum.de/assets/Uploads/acsacmmfkittel.pdf
● http://www.sec.in.tum.de/assets/Uploads/scalability-fidelity-
stealth.pdf
● http://www.sec.in.tum.de/assets/Uploads/pitfalls-virtual-
machine.pdf
● http://www.sec.in.tum.de/assets/Uploads/lengyelshcis2.pdf
● http://www.sec.in.tum.de/assets/Uploads/virtual-machine-
introspection.pdf
● http://xenproject.org/help/presentations-and-
videos/video/latest/xpus14-vm-security-on-the-outside-
looking-in-by-steven-maresca-of-zentific.html

More Related Content

What's hot

Malware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationMalware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware Virtualization
Tamas K Lengyel
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
Tamas K Lengyel
 
Virtual Machine Introspection with Xen
Virtual Machine Introspection with XenVirtual Machine Introspection with Xen
Virtual Machine Introspection with Xen
Tamas K Lengyel
 
Virtual Machine Introspection in a Hyberid Honeypot Architecture
Virtual Machine Introspection in a Hyberid Honeypot ArchitectureVirtual Machine Introspection in a Hyberid Honeypot Architecture
Virtual Machine Introspection in a Hyberid Honeypot Architecture
Tamas K Lengyel
 
BSides Denver: Stealthy, hypervisor-based malware analysis
BSides Denver: Stealthy, hypervisor-based malware analysisBSides Denver: Stealthy, hypervisor-based malware analysis
BSides Denver: Stealthy, hypervisor-based malware analysis
Tamas K Lengyel
 
Hacktivity 2016: Stealthy, hypervisor based malware analysis
Hacktivity 2016: Stealthy, hypervisor based malware analysisHacktivity 2016: Stealthy, hypervisor based malware analysis
Hacktivity 2016: Stealthy, hypervisor based malware analysis
Tamas K Lengyel
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with Xen
Tamas K Lengyel
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
CanSecWest
 
VM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with XenVM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with Xen
Tamas K Lengyel
 
Применение виртуализации для динамического анализа
Применение виртуализации для динамического анализаПрименение виртуализации для динамического анализа
Применение виртуализации для динамического анализа
Positive Hack Days
 
VM Forking and Hypervisor-based fuzzing
VM Forking and Hypervisor-based fuzzingVM Forking and Hypervisor-based fuzzing
VM Forking and Hypervisor-based fuzzing
Tamas K Lengyel
 
CyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and ProtectCyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and Protect
Tamas K Lengyel
 
Solnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsecSolnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsec
PacSecJP
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?
zeroSteiner
 
Lucas apa pacsec slides
Lucas apa pacsec slidesLucas apa pacsec slides
Lucas apa pacsec slides
PacSecJP
 
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat Security Conference
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat Security Conference
 
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsLinux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
James Morris
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009
James Morris
 
Kasza smashing the_jars
Kasza smashing the_jarsKasza smashing the_jars
Kasza smashing the_jars
PacSecJP
 

What's hot (20)

Malware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationMalware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware Virtualization
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
 
Virtual Machine Introspection with Xen
Virtual Machine Introspection with XenVirtual Machine Introspection with Xen
Virtual Machine Introspection with Xen
 
Virtual Machine Introspection in a Hyberid Honeypot Architecture
Virtual Machine Introspection in a Hyberid Honeypot ArchitectureVirtual Machine Introspection in a Hyberid Honeypot Architecture
Virtual Machine Introspection in a Hyberid Honeypot Architecture
 
BSides Denver: Stealthy, hypervisor-based malware analysis
BSides Denver: Stealthy, hypervisor-based malware analysisBSides Denver: Stealthy, hypervisor-based malware analysis
BSides Denver: Stealthy, hypervisor-based malware analysis
 
Hacktivity 2016: Stealthy, hypervisor based malware analysis
Hacktivity 2016: Stealthy, hypervisor based malware analysisHacktivity 2016: Stealthy, hypervisor based malware analysis
Hacktivity 2016: Stealthy, hypervisor based malware analysis
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with Xen
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
 
VM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with XenVM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with Xen
 
Применение виртуализации для динамического анализа
Применение виртуализации для динамического анализаПрименение виртуализации для динамического анализа
Применение виртуализации для динамического анализа
 
VM Forking and Hypervisor-based fuzzing
VM Forking and Hypervisor-based fuzzingVM Forking and Hypervisor-based fuzzing
VM Forking and Hypervisor-based fuzzing
 
CyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and ProtectCyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and Protect
 
Solnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsecSolnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsec
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?
 
Lucas apa pacsec slides
Lucas apa pacsec slidesLucas apa pacsec slides
Lucas apa pacsec slides
 
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
 
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsLinux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009
 
Kasza smashing the_jars
Kasza smashing the_jarsKasza smashing the_jars
Kasza smashing the_jars
 

Similar to 31c3 Presentation - Virtual Machine Introspection

Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Scott K. Larson
 
Fuzzing_with_Xen.pdf
Fuzzing_with_Xen.pdfFuzzing_with_Xen.pdf
Fuzzing_with_Xen.pdf
distortdistort
 
cfengine3 at #lspe
cfengine3 at #lspecfengine3 at #lspe
cfengine3 at #lspe
Chris Westin
 
OpenVZ Linux Containers
OpenVZ Linux ContainersOpenVZ Linux Containers
OpenVZ Linux Containers
Kirill Kolyshkin
 
Kernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical DefensesKernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical Defenses
Priyanka Aash
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
All Things Open
 
Metasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationMetasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel Exploitation
zeroSteiner
 
Black hat dc-2010-egypt-uav-slides
Black hat dc-2010-egypt-uav-slidesBlack hat dc-2010-egypt-uav-slides
Black hat dc-2010-egypt-uav-slides
Bakry3
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
Peter Hlavaty
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
All Things Open
 
Secure container: Kata container and gVisor
Secure container: Kata container and gVisorSecure container: Kata container and gVisor
Secure container: Kata container and gVisor
Ching-Hsuan Yen
 
Zero footprint guest memory introspection from xen
Zero footprint guest memory introspection from xenZero footprint guest memory introspection from xen
Zero footprint guest memory introspection from xen
Bitdefender Enterprise
 
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
The Linux Foundation
 
Linux Virtualization
Linux VirtualizationLinux Virtualization
Linux Virtualization
OpenVZ
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
dotCloud
 
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Docker, Inc.
 
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
NETWAYS
 
Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...
Black Duck by Synopsys
 
Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...
Tim Mackey
 
Shall we play a game?
Shall we play a game?Shall we play a game?
Shall we play a game?
Maciej Lasyk
 

Similar to 31c3 Presentation - Virtual Machine Introspection (20)

Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
 
Fuzzing_with_Xen.pdf
Fuzzing_with_Xen.pdfFuzzing_with_Xen.pdf
Fuzzing_with_Xen.pdf
 
cfengine3 at #lspe
cfengine3 at #lspecfengine3 at #lspe
cfengine3 at #lspe
 
OpenVZ Linux Containers
OpenVZ Linux ContainersOpenVZ Linux Containers
OpenVZ Linux Containers
 
Kernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical DefensesKernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical Defenses
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
 
Metasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationMetasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel Exploitation
 
Black hat dc-2010-egypt-uav-slides
Black hat dc-2010-egypt-uav-slidesBlack hat dc-2010-egypt-uav-slides
Black hat dc-2010-egypt-uav-slides
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
 
Secure container: Kata container and gVisor
Secure container: Kata container and gVisorSecure container: Kata container and gVisor
Secure container: Kata container and gVisor
 
Zero footprint guest memory introspection from xen
Zero footprint guest memory introspection from xenZero footprint guest memory introspection from xen
Zero footprint guest memory introspection from xen
 
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
 
Linux Virtualization
Linux VirtualizationLinux Virtualization
Linux Virtualization
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
 
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
 
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
 
Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...
 
Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...
 
Shall we play a game?
Shall we play a game?Shall we play a game?
Shall we play a game?
 

Recently uploaded

Enums On Steroids - let's look at sealed classes !
Enums On Steroids - let's look at sealed classes !Enums On Steroids - let's look at sealed classes !
Enums On Steroids - let's look at sealed classes !
Marcin Chrost
 
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdf
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdfBaha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdf
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdf
Baha Majid
 
Kubernetes at Scale: Going Multi-Cluster with Istio
Kubernetes at Scale:  Going Multi-Cluster  with IstioKubernetes at Scale:  Going Multi-Cluster  with Istio
Kubernetes at Scale: Going Multi-Cluster with Istio
Severalnines
 
The Rising Future of CPaaS in the Middle East 2024
The Rising Future of CPaaS in the Middle East 2024The Rising Future of CPaaS in the Middle East 2024
The Rising Future of CPaaS in the Middle East 2024
Yara Milbes
 
E-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet DynamicsE-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet Dynamics
Hornet Dynamics
 
8 Best Automated Android App Testing Tool and Framework in 2024.pdf
8 Best Automated Android App Testing Tool and Framework in 2024.pdf8 Best Automated Android App Testing Tool and Framework in 2024.pdf
8 Best Automated Android App Testing Tool and Framework in 2024.pdf
kalichargn70th171
 
The Key to Digital Success_ A Comprehensive Guide to Continuous Testing Integ...
The Key to Digital Success_ A Comprehensive Guide to Continuous Testing Integ...The Key to Digital Success_ A Comprehensive Guide to Continuous Testing Integ...
The Key to Digital Success_ A Comprehensive Guide to Continuous Testing Integ...
kalichargn70th171
 
一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理
dakas1
 
WWDC 2024 Keynote Review: For CocoaCoders Austin
WWDC 2024 Keynote Review: For CocoaCoders AustinWWDC 2024 Keynote Review: For CocoaCoders Austin
WWDC 2024 Keynote Review: For CocoaCoders Austin
Patrick Weigel
 
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
dakas1
 
Malibou Pitch Deck For Its €3M Seed Round
Malibou Pitch Deck For Its €3M Seed RoundMalibou Pitch Deck For Its €3M Seed Round
Malibou Pitch Deck For Its €3M Seed Round
sjcobrien
 
Unveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdfUnveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdf
brainerhub1
 
ppt on the brain chip neuralink.pptx
ppt  on   the brain  chip neuralink.pptxppt  on   the brain  chip neuralink.pptx
ppt on the brain chip neuralink.pptx
Reetu63
 
一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理
一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理
一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理
kgyxske
 
Mobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona InfotechMobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona Infotech
Drona Infotech
 
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
gapen1
 
Enhanced Screen Flows UI/UX using SLDS with Tom Kitt
Enhanced Screen Flows UI/UX using SLDS with Tom KittEnhanced Screen Flows UI/UX using SLDS with Tom Kitt
Enhanced Screen Flows UI/UX using SLDS with Tom Kitt
Peter Caitens
 
Preparing Non - Technical Founders for Engaging a Tech Agency
Preparing Non - Technical Founders for Engaging  a  Tech AgencyPreparing Non - Technical Founders for Engaging  a  Tech Agency
Preparing Non - Technical Founders for Engaging a Tech Agency
ISH Technologies
 
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSISDECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
Tier1 app
 
Microservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we workMicroservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we work
Sven Peters
 

Recently uploaded (20)

Enums On Steroids - let's look at sealed classes !
Enums On Steroids - let's look at sealed classes !Enums On Steroids - let's look at sealed classes !
Enums On Steroids - let's look at sealed classes !
 
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdf
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdfBaha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdf
Baha Majid WCA4Z IBM Z Customer Council Boston June 2024.pdf
 
Kubernetes at Scale: Going Multi-Cluster with Istio
Kubernetes at Scale:  Going Multi-Cluster  with IstioKubernetes at Scale:  Going Multi-Cluster  with Istio
Kubernetes at Scale: Going Multi-Cluster with Istio
 
The Rising Future of CPaaS in the Middle East 2024
The Rising Future of CPaaS in the Middle East 2024The Rising Future of CPaaS in the Middle East 2024
The Rising Future of CPaaS in the Middle East 2024
 
E-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet DynamicsE-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet Dynamics
 
8 Best Automated Android App Testing Tool and Framework in 2024.pdf
8 Best Automated Android App Testing Tool and Framework in 2024.pdf8 Best Automated Android App Testing Tool and Framework in 2024.pdf
8 Best Automated Android App Testing Tool and Framework in 2024.pdf
 
The Key to Digital Success_ A Comprehensive Guide to Continuous Testing Integ...
The Key to Digital Success_ A Comprehensive Guide to Continuous Testing Integ...The Key to Digital Success_ A Comprehensive Guide to Continuous Testing Integ...
The Key to Digital Success_ A Comprehensive Guide to Continuous Testing Integ...
 
一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理一比一原版(USF毕业证)旧金山大学毕业证如何办理
一比一原版(USF毕业证)旧金山大学毕业证如何办理
 
WWDC 2024 Keynote Review: For CocoaCoders Austin
WWDC 2024 Keynote Review: For CocoaCoders AustinWWDC 2024 Keynote Review: For CocoaCoders Austin
WWDC 2024 Keynote Review: For CocoaCoders Austin
 
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
 
Malibou Pitch Deck For Its €3M Seed Round
Malibou Pitch Deck For Its €3M Seed RoundMalibou Pitch Deck For Its €3M Seed Round
Malibou Pitch Deck For Its €3M Seed Round
 
Unveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdfUnveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdf
 
ppt on the brain chip neuralink.pptx
ppt  on   the brain  chip neuralink.pptxppt  on   the brain  chip neuralink.pptx
ppt on the brain chip neuralink.pptx
 
一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理
一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理
一比一原版(sdsu毕业证书)圣地亚哥州立大学毕业证如何办理
 
Mobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona InfotechMobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona Infotech
 
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
 
Enhanced Screen Flows UI/UX using SLDS with Tom Kitt
Enhanced Screen Flows UI/UX using SLDS with Tom KittEnhanced Screen Flows UI/UX using SLDS with Tom Kitt
Enhanced Screen Flows UI/UX using SLDS with Tom Kitt
 
Preparing Non - Technical Founders for Engaging a Tech Agency
Preparing Non - Technical Founders for Engaging  a  Tech AgencyPreparing Non - Technical Founders for Engaging  a  Tech Agency
Preparing Non - Technical Founders for Engaging a Tech Agency
 
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSISDECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
 
Microservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we workMicroservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we work
 

31c3 Presentation - Virtual Machine Introspection

  • 1. Virtual Machine Introspection Tamas K Lengyel tamas@tklengyel.com Thomas Kittel kittel@sec.in.tum.de
  • 2. Agenda 1. Motivation 2. What is VMI + Xen + demos – Isolation – Interpretation – Interposition 3. Cloud security + open problems – Kernel code integrity 4. Conclusion
  • 3. Our motivation ● Malware collection ● Malware analysis ● Intrusion detection ● Intrusion prevention ● Stealthy debugging ● Cloud security ● Mobile security
  • 4. Not our motivation ● DRM ● MITM ● Espionage ● Stealth rootkits
  • 5. Common approaches ● In-guest agents – Easy to implement – No isolation ● Network monitor – Has isolation – Limited or no context ● Scan VM disk and memory – Has isolation and context – Passive view
  • 6. What is VMI ● Reconstruct high-level state information from hardware view – Similar concept to deep packet inspection ● Isolation – Increased resiliency ● Interpretation – Complete view of the system ● Interposition – Control over the execution flow
  • 7. Isolation ● Reconstruct state without executing code in the guest – Avoid in-guest hooks ● Tampering is hard(er) – Hypervisor based isolation – Increased trust in the code ● Performance gain – No “anti-virus storm”
  • 8. Interpretation ● Understand virtual hardware – Heavy focus on memory – vCPU, disk & network ● Reconstruction of state is hard and error-prone – Complexity – Requires lots of reverse engineering for Windows ● What data can we trust?
  • 9.
  • 10. Paging woes ● x86, x86+PS, x86+PAE, IA32E ● Bits 9-11 of the PTE are available bits for the OS to use as it sees fit ● Paging is different for Windows and Linux! – if (entry & (1 << 11)) and not entry & (1 << 10) ● Accurate reconstruction is complex
  • 11. Paging woes ● Paged out memory – Find and interpret swap file on disk – Semantics of the swap file defined by the OS – More complexity ● Xen to the rescue – Inject page faults via the hypervisor! – Memory pages can be transparently brought back – Takes time – Available starting with Xen 4.5
  • 12. Paging woes ● Forensics tools need to scan for potential page tables overlay = {'VOLATILITY_MAGIC': [ None, { 'DTBSignature' : [ None, ['VolatilityMagic', dict(value = "x03x00x1bx00") ]], … ● This is actually a signature for a process ● With VMI we can just use the CR3 from the vCPU
  • 13. Mapping the kernel ● Requires debug data ● Microsoft gives easy access to it – Proprietary format – Has been reverse engineered – Rekall nicely dumps it into JSON format ● Linux is more problematic – No cross-distro central repository available – Fedora DarkServer is a step in the right direction
  • 14. Scanning woes ● Scanning for the kernel, processes, files, etc. – Relying on pool tag headers – 4-byte description (KDBG, Proc, File, etc.) – Meta-information about type of kernel heap allocation ● Partial structures, old structures, false positives – Memory doesn't get reset to zero on free – More heuristics needed to validate hits – More heuristics = more complexity = more fragile
  • 15. Anti-forensics ● 2012: One-byte Modification for Breaking Memory Forensic Analysis ● 2014: ADD - Complicating Memory Forensics Through Memory Disarray Fundamental problems with trusting data! ● Scanning for weak signatures ● Inconsistent memory state
  • 16. Interposition ● Coherent view into the system ● Avoid scanning – KDBG scan can be avoided: vCPU0 FS/GS → _KPCR → Kernel! – Heap allocations can be monitored directly ● Native support built into Xen, no custom patching! – Designed for debugging – Relatively unknown and undocumented feature
  • 17. Tracing on Xen ● 4 types of events currently supported (Intel only) – MOV-TO-CR0/CR3/CR4 – Debugging breakpoints (INT3) – Extended Page Table (EPT) violations – Monitor Trap Flag (MTF) singlestepping ● The hardware would support many more – See full list in Intel SDM 3c 25.1.3
  • 18. LibVMI – http://libvmi.com ● Hypervisor agnostic C library – Xen, KVM & raw memory dump support – x86, x86+PS, x86+PAE, IA32E, ARM – Windows and Linux guest support – Python interface – Write code once, deploy on all supported hypervisors – Read & write memory – Wrapper around Xen events! – LGPL
  • 19.
  • 20.
  • 21. Malware files in memory ● Write-caching buffers writes to the disk ● Temporary files only ever present in memory! – Common for malware droppers ● Have to catch the delete event or the memory could get recycled ● Interposition is critical –
  • 22. DRAKVUF – http://drakvuf.com ● Agentless dynamic malware analyzer – GPLv2 – Built on Xen, LibVMI, Volatility & Rekall ● No in-guest agents = no in-guest artifacts – Malware sample started externally – Monitor both user- and kernel-mode malware – Extract ephemeral artifacts
  • 23. VMIDBG ● Fresh out of the oven! – GDB integration! – https://github.com/Zentific/vmidbg ● Stealthy debugging – Currently supports Linux – WinDBG integration next! – Check the readme ;)
  • 24.
  • 25.
  • 26. Cloud security ● Separate security policy for each cloud user ● Start live monitoring before compromise happens – Baseline of integrity ● Monitor and protect critical components & paths – IDT, GDT, SSDT, In-line hooks, etc. ● Trust data that is essential – If modifying it means it crashes the system, malware (probably) won’t touch it
  • 27. But wait.. ● Can we really trust any data? ● Hardware reports incomplete trap information – Read-modify-write (fixed in software in Xen 4.5) ● The Tagged Translation Lookaside Buffer! – Intel VPID & AMD ASID (2008) – Entries only visible from within the same context – The page tables don’t necessarily represent what translation the guest actually uses
  • 28. The tagged TLB ● Unique tag for each vCPU so cached entries survive VMEXIT/VMENTRY ● A rootkit in the guest could muck with the pagetables after a translation is cached – Only in-guest code can access the cache! ● Effectiveness varies based on hypervisor and OS – Xen assigns new tag on each guest MOV-TO-CR3 – Windows 7 frequently flushes global pages
  • 29. Cloud security ● No need to move everything outside ● Secure in-guest agents – Better performance, better visibility – Hybrid approach – Hardware support coming: Intel #VE ● Alternative approaches – Reduce the size of the guest system – MirageOS, NetBSD rumpkernels, OSv
  • 30. Secure in-guest kernel ● Blacklist approach – Deny malicious changes – Need to enumerate all possible things that could go wrong ● Whitelist approach – Allow only verified changes – Need to enumerate all valid changes that we want to allow
  • 31. Kernel Code Integrity ● Linux employs run-time code self-patching ● Need to differentiate between legitimate and malicious changes ● Load-time patching (architecture specific) – Load-time patching can be validated during load time ● Run-time patching eg. for hardware hot-plugging – Run-time patching has to be validated continuously
  • 32. Kernel run-time patching – Examples ● SMP Locks – vCPU hot-plug – Locks needed only if more than one vCPU is present – Could be used to replace entire functions ● Jump Labels – In a certain software state some branches are very unlikely – Jumps are patched out if a function is not required – The code must be consistent with the systems state
  • 33. Simple Validation Approaches ● Lock the kernel – Deny all changes to the code at run-time – Disables legitimate run-time patching ● Hash the kernel – White-list all known kernel states – Number of hashes to maintain grows unbounded – Separating code from data is non-trivial – Weird memory optimizations ● Linux kernel has portions of its large code pages also mapped into user-space processes
  • 34. Trap and validate using VMI ● Only allow patching on predefined code locations – For these locations the patching mechanism is known – Patches can be retraced and understood – The patch must match the systems state ● Code patching is not an atomic operation – System needs to be aware about the intermediate states ● Trap write events to kernel code – Validate that the current change is not malicious
  • 35. Summary ● VMI supports a wide spectrum of applications – Isolation, Interpretation, Interposition – Balance depends on your use-case – Pure VMI is not a requirement for all cases – Hardware support is improving ● Tools are open-source! – LibVMI http://libvmi.com – DRAKVUF http://drakvuf.com ● Find us – #libvmi on Freenode | @tklengyel | kittel@sec.in.tum.de
  • 36. Acknowledgement ● Zentific: Steve, Matt & Russ ● LibVMI: Bryan & Tony ● Volatility: MHL, moyix, Andrew & gleeda ● Rekall: Scudette ● DARPA: Mudge ● TUM: George, Sebastian & Jonas
  • 37. Food for thought Run-time trust may “require deep changes to the way we construct systems, as we would need a way to tie its low-level implementation to a high-level semantic description of its runtime behavior in a way that is verifiable (it would do no good if programs could claim malicious behavior was something innocent). We can summarize this research path by asking whether we can ensure that a program 1) says what it does; 2) does what it says; and 3) can prove it.” Brendan Dolan-Gavitt
  • 38. Appendix ● https://randomascii.wordpress.com/2013/02/20/symbols-on- linux-part-three-linux-versus-windows/ ● https://archive.org/details/ShmooCon2014_ADD_Complicating _Memory_Forensics_Through_Memory_Disarray ● http://volatility-labs.blogspot.com/2014/02/add-next-big-threat- to-memory.html ● http://www.rekall-forensic.com/posts/2014-02-19-profiles.html ● http://www.rekall-forensic.com/posts/2014-02-21-do-we-need- kdbg.html ● http://www.rekall-forensic.com/posts/2014-10-25-pagefile.html
  • 39. Appendix ● http://www.sec.in.tum.de/assets/Uploads/acsacmmfkittel.pdf ● http://www.sec.in.tum.de/assets/Uploads/scalability-fidelity- stealth.pdf ● http://www.sec.in.tum.de/assets/Uploads/pitfalls-virtual- machine.pdf ● http://www.sec.in.tum.de/assets/Uploads/lengyelshcis2.pdf ● http://www.sec.in.tum.de/assets/Uploads/virtual-machine- introspection.pdf ● http://xenproject.org/help/presentations-and- videos/video/latest/xpus14-vm-security-on-the-outside- looking-in-by-steven-maresca-of-zentific.html