hello rootKitty
  a lightweight invariance-enforcing framework

           Francesco Gadaleta - Nick Nikiforakis
DISTRINET Research Group Katholieke Universiteit Leuven - Belgium
OVERVIEW
(word cloud) rootkit, operating system, framework, critical kernel objects, malware detection, code, virus, analysis, integrity, invariance, attack, module, virtualization, malicious, repairing, memory corruption, approach, profiling, hardware-based countermeasure, evaluation
ROOTKIT
๏ process hiding
๏ botnet
๏ stealing private data
๏ subverting kernels
๏ spamming
๏ bank fraud
ROOTKIT

User-mode
              ls, ps, PATH, etc...
              limited to user's privileges

Kernel-mode
              device drivers, access to kern. memory, etc...
              limited to kernel's privileges (=unlimited)
FACT
the problem of rootkits will never be solved

"I'd rather tackle world peace than the rootkit
problem, it is that hard to solve"
ATTACKER MODEL
Loading rootkit as LKM

Loading by overwriting memory
directly (eg. /dev/mem, /dev/kmem)

Executing arbitrary code via kernel vulnerability

GOAL: compromise of hardcoded, static and
dynamic kernel objects
VIRTUALIZATION

Events trapped by the hypervisor (VM exit reasons):
   case EXIT_REASON_MOV_CR
   case EXIT_REASON_CPUID
   case EXIT_REASON_IO_INSTRUCTION
   case EXIT_REASON_RDMSR
   case EXIT_REASON_WRMSR
   case EXIT_REASON_EXCEPTION_OR_NMI
   case EXIT_REASON_EXTERNAL_INT
   case EXIT_REASON_INTERRUPT_WINDOW
   case EXIT_REASON_INVLPG
   case EXIT_REASON_VMCALL: /* for debugging */
   case EXIT_REASON_INIT_SIGNAL
   case EXIT_REASON_STARTUP_IPI
   case EXIT_REASON_HLT
   case EXIT_REASON_TASK_SWITCH
   case EXIT_REASON_XSETBV

[figure: guest kernel in guest memory space; a VMExit transfers control to the hypervisor in hypervisor memory space, a VMEntry returns to the guest]
ASSUMPTION

Rootkits modify kernel data structures


Observing critical kernel objects is a good
detection strategy


Virtualization still not massively exploited in
desktop environments (QubesOS)
APPROACH
Phase 1: collecting addresses of data structures to protect

[figure: a trusted module inside the guest kernel (guest memory space) hands the hypervisor (hypervisor memory space) a table of the objects to protect, with columns phys addr, size and flags]
                                          phys addr    size   flags
                                          0xC1234567   128    ...
                                          0xC3214567   128    ...
                                          0xC421456A   64     ...
                                          0xC521456C    4     ...
APPROACH
Phase 2: check integrity within the hypervisor mem. space

[figure: guest kernel in guest memory space; the hypervisor keeps the reference table below in hypervisor memory space]
                                          phys addr    size   hash
                                          0xC1234567   128    abcd
                                          0xC3214567   128    abde
                                          0xC421456A   64     1234
                                          0xC521456C    4     4321
APPROACH
Phase 3: repair compromised objects (if original content provided)

[figure: guest kernel in guest memory space; the hypervisor restores a mismatching object from the copy it holds alongside the table below]
                                          phys addr    size   hash
                                          0xC1234567   128    abcd
                                          0xC3214567   128    abde
                                          0xC421456A   64     1234
                                          0xC521456C    4     4321
IMPLEMENTATION

Exploit the MOV_CR event :-|

When the guest kernel changes a control register it is doing something "interesting" such as task switching :-)

Room for improvement: we can map all the objects to a common area in the hypervisor's space and compute the checksum once

[figure: (1) the guest scheduler switches from App 1 to App 2 with <mov CR3, cr3_app2>; (2) the resulting MOV_CR exit crosses from guest memory space into the hypervisor; (3) the hypervisor checks the objects from host_virt_space against its table]
                                          phys addr    size   hash
                                          0xC1234567   128    abcd
                                          0xC3214567   128    abde
                                          0xC421456A   64     1234
                                          0xC521456C    4     4321
IMPLEMENTATION

Lists of objects to protect might be HUGE
=> let's relax the problem

SOLUTION:
on MOV_CR event the hypervisor checks a subset of objects

[figure: successive exits <mov CR3, cr3_app1>, <mov CR3, cr3_app2>, <mov CR3, cr3_app3>, <mov CR3, cr3_app4>, each covering a different slice of the (phys addr, size, hash) table]
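The three phases (register, hash-check from hypervisor space, repair from a saved copy) and the relaxed per-MOV_CR subset check, as an added simulation that is not BitVisor or hello rootKitty code: guest physical memory is a byte array, FNV-1a stands in for the unnamed hash, the per-exit rate is scaled down from 100 to 4, and `demo_scenario`, `worst_case_exits` and all other names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUEST_MEM_SIZE 4096   /* constructed: a tiny simulated guest RAM */
#define MAX_OBJECTS    64
#define OBJS_PER_EXIT  4      /* the slides check 100 objects per MOV_CR; scaled down here */

static uint8_t guest_mem[GUEST_MEM_SIZE];   /* simulated guest physical memory */

struct kobj {
    uint64_t phys_addr;   /* guest physical address of the protected object */
    uint32_t size;        /* object size in bytes */
    uint64_t hash;        /* reference hash recorded at registration */
    uint8_t *original;    /* copy of the original content, NULL if not provided */
};
enum verdict { OBJ_OK = 0, OBJ_CORRUPT = 1, OBJ_REPAIRED = 2 };
static struct kobj table[MAX_OBJECTS];   /* the table lives in hypervisor memory space */
static size_t nobjs = 0, cursor = 0;     /* cursor: round-robin position of the relaxed check */

/* FNV-1a 64-bit, a stand-in for the hash function the slides do not name. */
static uint64_t hash_bytes(const uint8_t *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

static void reset_state(void) {
    for (size_t i = 0; i < nobjs; i++) free(table[i].original);
    nobjs = 0; cursor = 0; memset(guest_mem, 0, sizeof guest_mem);
}

/* Phase 1: the trusted in-guest module registers (phys addr, size) and, optionally, the
 * original content; the hypervisor records the reference hash. */
int register_object(uint64_t phys_addr, uint32_t size, int keep_original) {
    if (nobjs >= MAX_OBJECTS || phys_addr + size > GUEST_MEM_SIZE) return -1;
    struct kobj *o = &table[nobjs];
    o->phys_addr = phys_addr; o->size = size;
    o->hash = hash_bytes(&guest_mem[phys_addr], size);
    o->original = NULL;
    if (keep_original) {
        if ((o->original = malloc(size)) == NULL) return -1;
        memcpy(o->original, &guest_mem[phys_addr], size);
    }
    nobjs++;
    return 0;
}

/* Phases 2 and 3: re-hash one object from hypervisor space; restore it if a copy was kept. */
enum verdict check_object(size_t idx) {
    struct kobj *o = &table[idx];
    uint8_t *p = &guest_mem[o->phys_addr];
    if (hash_bytes(p, o->size) == o->hash) return OBJ_OK;
    if (o->original == NULL) return OBJ_CORRUPT;
    memcpy(p, o->original, o->size);
    return OBJ_REPAIRED;
}

/* MOV_CR exit handler: the relaxed scheme checks only the next OBJS_PER_EXIT objects, so the
 * whole list is covered over several task switches. Returns how many were found corrupted. */
int on_mov_cr_exit(void) {
    int bad = 0;
    if (nobjs == 0) return 0;
    for (int i = 0; i < OBJS_PER_EXIT; i++) {
        if (check_object(cursor) != OBJ_OK) bad++;
        cursor = (cursor + 1) % nobjs;
    }
    return bad;
}

/* Worst-case number of MOV_CR exits before every registered object has been examined once. */
unsigned worst_case_exits(unsigned total_objects, unsigned objects_per_exit) {
    return (total_objects + objects_per_exit - 1) / objects_per_exit;
}

/* Constructed scenario: ten 64-byte objects, the 8th (think of a syscall table slot) is
 * overwritten. Returns the exit at which it was caught: positive if it was repaired,
 * negative if no original copy was kept so it stays corrupt, 0 if never caught. */
int demo_scenario(int keep_original) {
    reset_state();
    for (int i = 0; i < 10; i++) {
        memset(&guest_mem[i * 64], 0x10 + i, 64);
        if (register_object((uint64_t)i * 64, 64, keep_original) != 0) return 0;
    }
    guest_mem[7 * 64 + 3] ^= 0xFF;          /* simulated pointer overwrite by a rootkit */
    for (int exits = 1; exits <= 100; exits++)
        if (on_mov_cr_exit() > 0) return check_object(7) == OBJ_OK ? exits : -exits;
    return 0;
}

int main(void) {
    printf("with originals: repaired at exit %d\n", demo_scenario(1));
    printf("without originals: flagged at exit %d (negative = not repaired)\n", demo_scenario(0));
    printf("15000 objects at 100 per exit: worst case %u exits\n", worst_case_exits(15000, 100));
    reset_state();
    return 0;
}
```

With the slides' own figures (15000 objects, 100 per MOV_CR) the worst case is 150 task-switch exits before a corrupted object is examined, which is why the detection time depends on guest load.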
EVALUATION

BitVisor 1.1 and Linux Kernel 2.6

Total: 15000 kernel objects 128-bit sized

Rate:   100 objects/MOV_CR*

Corruption of pointers in the guest system call table
PERFORMANCE
LMBENCH (microbenchmarks)

Processes       open/close   sign. handl.   fork    exec
                +0.6%        +2.5%          +41%    +35%

Local comm.     TCP     File reread   Mmap reread   Bcopy    Mem. read   Mem. write
bandwidths      +2.2%   0%            -0.9%         -0.32%   -0.12%      0.12%
PERFORMANCE
APACHEBENCH 100K requests, 50 concurrently on local lighttpd server
(macrobenchmarks)
Time                     +1.50%
Req. per second          +1.52%
Time per request         +1.54%
Time per conc. req       +1.4%
Transfer rate            +1.52%



DETECTION TIME
(time the hypervisor needs to check a compromised object in the worst case)
Depends on the guest load, about 6 sec wall-clock time
LIMITATIONS

Protects invariants

Attacks on variant data structures are still possible
DISCUSSION

Kernel developers support system

Fine-grained protection

Lightweight countermeasure

Guarantees target-monitor isolation
DEMO.
CONCLUSION

helloRootkitty mitigates the problem of kernel malware

Negligible overhead

Attack surface might be considerably reduced

Easy integration with other protection mechanisms
(Daikon, Gibraltar)
THANKS.
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

lightweight virtualization framework protects critical kernel objects from rootkits

  • 1. hello rootKitty a lightweight invariance-enforcing framework Francesco Gadaleta - Nick Nikiforakis DISTRINET Research Group Katholieke Universiteit Leuven - Belgium
  • 2. hello rootKitty a lightweight invariance-enforcing framework Francesco Gadaleta - Nick Nikiforakis DISTRINET Research Group Katholieke Universiteit Leuven - Belgium
  • 3. OVERVIEW rootkit Operating System framework critical kernel objects malware detection code virus Analysis integrity invariance attack module virtualization malicious repairing memory corruption approach profiling hardware-based countermeasure evaluation
  • 4. ๏ process hiding ๏ botnet ๏ stealing private data ROOTKIT ๏ subverting kernels ๏ spamming ๏ bank fraud
  • 5. ROOTKIT User-mode ls, ps, PATH, etc... limited to user’s privileges Kernel-mode device drivers, access to kern. memory, etc... limited to kernel’s privileges (=unlimited)
  • 6. FACT: the problem of rootkits will never be solved
  • 8. FACT “I’d rather tackle world peace than the rootkit problem, it is that hard to solve”
  • 9. ATTACKER MODEL Loading rootkit as LKM Loading by overwriting memory directly (eg. /dev/mem, /dev/kmem) Executing arbitrary code via kernel vulnerability GOAL: Compromission of hardcoded, static, dynamic kernel objects
  • 10. VIRTUALIZATION Events trapped by the hypervisor: case EXIT_REASON_MOV_CR; case EXIT_REASON_CPUID; case EXIT_REASON_IO_INSTRUCTION; case EXIT_REASON_RDMSR; case EXIT_REASON_WRMSR; case EXIT_REASON_EXCEPTION_OR_NMI; case EXIT_REASON_EXTERNAL_INT; case EXIT_REASON_INTERRUPT_WINDOW; case EXIT_REASON_INVLPG; case EXIT_REASON_VMCALL: /* for debugging */; case EXIT_REASON_INIT_SIGNAL; case EXIT_REASON_STARTUP_IPI; case EXIT_REASON_HLT; case EXIT_REASON_TASK_SWITCH; case EXIT_REASON_XSETBV [figure: guest kernel in guest memory space, hypervisor in hypervisor memory space, VMExit / VMEntry transitions between them]
  • 11. ASSUMPTION Rootkits modify kernel data structures Observing critical kernel objects is a good detection strategy Virtualization still not massively exploited in desktop environments (QubesOS)
  • 12. APPROACH Phase 1: collecting addresses of data structures to protect [figure: a trusted module in the guest kernel (guest memory space) passes a table of phys addr / size / flags for each object to the hypervisor (hypervisor memory space)]
  • 13. APPROACH Phase 2: check integrity within the hypervisor mem. space [figure: hypervisor-side table, phys addr / size / hash: 0xC1234567 / 128 / abcd; 0xC3214567 / 128 / abde; 0xC421456A / 64 / 1234; 0xC521456C / 4 / 4321]
  • 14. APPROACH Phase 3: repair compromised objects (if original content provided) [figure: same hypervisor-side table, phys addr / size / hash: 0xC1234567 / 128 / abcd; 0xC3214567 / 128 / abde; 0xC421456A / 64 / 1234; 0xC521456C / 4 / 4321]
  • 15. IMPLEMENTATION Exploit the MOV_CR event :-| (1) When the guest kernel changes a control register it is doing something “interesting” such as task switching :-) (2) [figure: App 1, App 2, App 3 in the guest; the scheduler issues <mov CR3, cr3_app2>, which exits to the hypervisor; the hypervisor checks its table, phys addr / size / hash: 0xC1234567 / 128 / abcd; 0xC3214567 / 128 / abde; 0xC421456A / 64 / 1234; 0xC521456C / 4 / 4321] (3) Room for improvement: we can map all the objects to a common host_virt_space area in the hypervisor’s space and compute the checksum once
  • 16. IMPLEMENTATION Lists of objects to protect might be HUGE => let’s relax the problem [figure: successive events <mov CR3, cr3_app1>, <mov CR3, cr3_app2>, <mov CR3, cr3_app3>, <mov CR3, cr3_app4>, each checking a part of the phys addr / size / hash table] SOLUTION: on MOV_CR event the hypervisor checks a subset of objects $$
  • 17. EVALUATION BitVisor 1.1 and Linux Kernel 2.6 Total: 15000 kernel objects 128-bit sized Rate: 100 objects/MOV_CR* Corruption of pointers in the guest system call table
  • 18. PERFORMANCE LMBENCH (microbenchmarks) Processes: open/close +0.6%, sign. handl. +2.5%, fork +41%, exec +35%. Local comm. bandwidths: TCP +2.2%, File reread 0%, Mmap reread -0.9%, Bcopy -0.32%, Mem. read -0.12%, Mem. write 0.12%
  • 19. PERFORMANCE APACHEBENCH (macrobenchmarks) 100K requests, 50 concurrently on local lighttpd server: Time +1.50%, Req. per second +1.52%, Time per request +1.54%, Time per conc. req +1.4%, Transfer rate +1.52%. DETECTION TIME (time the hypervisor needs to check a compromised object in the worst case): depends on the guest load, about 6 sec wall-clock time
  • 20. LIMITATIONS Protects invariants Attacks to variant data structures are still possible
  • 21. DISCUSSION Kernel developers support system Fine-grained protection Lightweight countermeasure Guarantees target-monitor isolation
  • 22. DEMO.
  • 23. CONCLUSION helloRootkitty mitigates the problem of kernel malware Negligible overhead Attack surface might be considerably reduced Easy integration with other protection mechanisms (Daikon, Gibraltar)
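The three phases on slides 12 to 14 (register an object's address and size, check its hash from the monitor side, repair it from a stored copy) and the relaxation on slide 16 (check only a subset of the table per MOV_CR exit) are modelled below as a user-space C program. This is an added example, not code from hello rootKitty or BitVisor: the `guest_mem` array stands in for guest physical memory, the FNV-1a hash stands in for whatever hash the slides' table uses, and the names `register_object`, `check_object` and `on_mov_cr_exit` are hypothetical. The object sizes are the ones shown in the slides' table; the addresses and memory contents are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define GUEST_MEM_SIZE 4096u
#define MAX_OBJS       16
#define MAX_OBJ_SIZE   128u

/* Constructed stand-in for guest physical memory. A real hypervisor would map
 * the guest physical page into its own address space instead of indexing this. */
static uint8_t guest_mem[GUEST_MEM_SIZE];

struct protected_obj {
    uint32_t phys_addr;          /* guest physical address of the object */
    uint32_t size;               /* object size in bytes */
    uint64_t hash;               /* hash recorded when the object was registered */
    int      has_orig;           /* 1 if a copy for repair (phase 3) was provided */
    uint8_t  orig[MAX_OBJ_SIZE]; /* original content used to restore the object */
};

static struct protected_obj table[MAX_OBJS];   /* hypervisor-side table */
static size_t n_objs;
static size_t cursor;            /* next table index to check (round-robin) */

/* FNV-1a 64-bit: a toy stand-in for the hash column on the slides. */
static uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Phase 1: the trusted guest module reports (phys addr, size) of an object to
 * protect; the hypervisor records its hash and, optionally, a copy for repair.
 * Returns the table index, or -1 if the request is out of range or the table is full. */
int register_object(uint32_t phys_addr, uint32_t size, int keep_copy)
{
    if (n_objs >= MAX_OBJS || size == 0 || size > MAX_OBJ_SIZE ||
        phys_addr > GUEST_MEM_SIZE - size)
        return -1;
    struct protected_obj *o = &table[n_objs];
    o->phys_addr = phys_addr;
    o->size = size;
    o->hash = fnv1a64(&guest_mem[phys_addr], size);
    o->has_orig = keep_copy;
    if (keep_copy)
        memcpy(o->orig, &guest_mem[phys_addr], size);
    return (int)n_objs++;
}

/* Phases 2 and 3 for one object: recompute the hash over guest memory and compare
 * it with the recorded one. 0 = intact, 1 = corrupted and repaired,
 * 2 = corrupted but no original content available (detect only). */
int check_object(size_t idx)
{
    struct protected_obj *o = &table[idx];
    uint8_t *p = &guest_mem[o->phys_addr];
    if (fnv1a64(p, o->size) == o->hash)
        return 0;
    if (!o->has_orig)
        return 2;
    memcpy(p, o->orig, o->size);   /* restore the invariant content */
    return 1;
}

/* Handler run on a MOV_CR VM exit. Rather than walking the whole (possibly huge)
 * table every time, check `budget` objects and continue from the same position on
 * the next exit, so every object is eventually covered. Corruption counts are
 * accumulated in the out-parameters; the return value is the number checked. */
size_t on_mov_cr_exit(size_t budget, size_t *repaired, size_t *unrepaired)
{
    size_t checked = 0;
    if (n_objs == 0)
        return 0;
    if (budget > n_objs)
        budget = n_objs;
    for (; checked < budget; checked++) {
        int r = check_object(cursor);
        if (r == 1)      (*repaired)++;
        else if (r == 2) (*unrepaired)++;
        cursor = (cursor + 1) % n_objs;
    }
    return checked;
}

/* Small helpers so the demo (and a test) can set up and inspect guest memory. */
void reset_framework(void) { n_objs = 0; cursor = 0; memset(guest_mem, 0, sizeof guest_mem); }
void fill_guest_mem(void) { for (size_t i = 0; i < GUEST_MEM_SIZE; i++) guest_mem[i] = (uint8_t)(i * 7u + 3u); }
uint8_t guest_byte(uint32_t phys) { return guest_mem[phys]; }
void write_guest_byte(uint32_t phys, uint8_t v) { guest_mem[phys] = v; }

int main(void)
{
    size_t rep = 0, unrep = 0;
    reset_framework();
    fill_guest_mem();
    /* constructed layout; sizes follow the table on the slides */
    register_object(0x100, 128, 1);   /* copy kept: can be repaired */
    register_object(0x200, 128, 1);
    register_object(0x300, 64, 0);    /* no copy: detection only */
    register_object(0x400, 4, 1);
    write_guest_byte(0x101, 0xFF);    /* simulated in-guest modification */
    write_guest_byte(0x300, 0xFF);
    on_mov_cr_exit(2, &rep, &unrep);  /* two exits with budget 2 cover all four objects */
    on_mov_cr_exit(2, &rep, &unrep);
    printf("repaired=%zu unrepaired=%zu\n", rep, unrep);
    return 0;
}
```

The budget argument is the knob the slides call the rate (100 objects per MOV_CR in the evaluation): a smaller budget lowers the per-exit cost but lengthens the worst-case detection time, which is why the slides report that time as load dependent.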