Download as PDF, PPTX
Uploaded byFrancesco Gadaleta
Hyperforce: Hypervisor-enForced Execution of Security-Critical Code
The document presents Hyperforce, a framework for enforcing the secure execution of security-critical code in virtual environments, particularly aimed at mitigating rootkits. It discusses the economic impact of malware and outlines performance metrics showing that Hyperforce allows for trusted monitoring with minimal performance loss. The conclusion suggests the potential for broader applications of this framework to enhance system security further.
More Related Content
Similar to Hyperforce: Hypervisor-enForced Execution of Security-Critical Code
Hyperforce: Hypervisor-enForced Execution of Security-Critical Code
- 1. HyperForce: Hypervisor-enForced Execution ofSecurity-Critical Code Francesco Gadaleta, Nick Nikiforakis, J.T. Muehlberg, Wouter Joosen Katholieke Universiteit Leuven Belgium
- 2. Outline what’s the matter? virtualizationtechnology our countermeasure conclusion
- 3. cryptography malware policy management virtualization compliance hashing attack key logger framework engineering technology network system library botnet computer buffer overflow compiler secure embeddedsecurity low level instruction virtual machine countermeasure hardware malicious legislation language
- 4. security is an issue
- 5. A 2010 reportby McAfee, revealed that the cost to corporations of work time lost due to virus attacks was $6.3m/day Employee salary: 3000$ Employee salary/day: 100$ Num. of employees wasting work time: 63000
- 6. 2007 Malware Reportby Computer Economics on the annual worldwide economic damage caused by malicious code attacks on organizations showed that the costs were $13.3 billion A Fox News report in 2009 estimated that $86b is lost worldwide annually.
- 8.
- 9.
- 10.
- 11. Nice, but... Hardware costs Maintainancecosts (sys admin, power consumption) Performance costs
- 12.
- 13. malicious ROOTKIT dangerous stealthy insidious detection hard
- 14.
- 15. WE SAID helloROOTKITty Phase1: collecting addresses of data structures to protect phy s ad 0xC dr 1 234 0xC 567 size 3214 0xC 567 128 flag 421 s 456 128 111 0xC A 111 521 11 456 111 C 64 111 11 111 4 111 11 guest kernel 111 111 11 trusted module guest memory space hypervisor memory space hypervisor
- 16. WE SAID helloROOTKITty Phase2: check integrity within the hypervisor mem. space guest kernel guest memory space hypervisor memory space hypervisor phys addr size hash 0xC1234567 128 abcd 0xC3214567 128 abde 0xC421456A 64 1234 0xC521456C 4 4321
- 17. WE SAID helloROOTKITty Phase 3: repair compromised objects (*) guest kernel guest memory space hypervisor memory space hypervisor phys addr size hash 0xC1234567 128 abcd 0xC3214567 128 abde 0xC421456A 64 1234 0xC521456C 4 4321 (*) if original content has been provided
- 18. Performance Checks occur atspecific moments Problem must be relaxed (split huge lists of objects) In-hypervisor approach Guest introspection and mapping guest memory from hypervisor is not cheap
- 19.
- 20. guest kernel monitor (trusted) code HYPERVISOR HARDWARE (VT-D)
- 21. monitor interrupt handler is the (trusted) monitoring code code guest kernel executes IDT interrupt handler guest kernel hardware (virtual) device raises interrupt virtual HYPERVISOR physica HARDWARE (VT-D) l
- 22. monitor interrupt handler is the (trusted) monitoring code code guest kernel executes IDT interrupt handler guest kernel hardware (virtual) device raises interrupt virtual HYPERVISOR physica HARDWARE (VT-D) l
- 23. monitor interrupt handler is the (trusted) monitoring code code guest kernel executes IDT interrupt handler guest kernel hardware (virtual) device raises interrupt virtual HYPERVISOR physica HARDWARE (VT-D) l
- 24. Performance hardware&software CPU Intel Core 2 Duo Pro VT-D RAM 4GB Hypervisor Linux KVM-drv Virtual machine QEMU-kvm
- 25. Performance in-host speedup context switch 26% 0 1.25 2.50 3.75 5.00 mem. map 19% 0 1,750 3,500 5,250 7,000 page fault 7% 0 1.25 2.50 3.75 5.00 mem. lat 11% 0 37.5 75.0 112.5 150.0 HelloRootkitty Hello with HyperForce
- 26. Performance in-guest speedup context switch 10% 0 2.5 5.0 7.5 10.0 fork syscall 8% 0 500 1,000 1,500 2,000 open/close syscall 10% 0 1.25 2.50 3.75 5.00 signal handling 51% 0 2.5 5.0 7.5 10.0 HelloRootkitty Hello with HyperForce
- 27. Performance detection time Detection of 1 over 15000 critical kernel objects (worst case) 0 2.5 5.0 7.5 10.0 HelloRootkitty Hello with HyperForce
- 28.
- 29.
- 30. What now? don’t w or r y We will be all virtualized soon that’s g ood !
- 31. What now? don’t w or r y We will be all virtualized soon that’s g ood ! We presented a framework to enforce in-guest execution of critical code
- 32. What now? don’t w or r y We will be all virtualized soon that’s g ood ! We presented a framework to enforce in-guest execution of critical code Specifically related to mitigation of rootkits HelloRootkitty protects with small performance impact
- 33. What now? don’t w or r y We will be all virtualized soon that’s g ood ! We presented a framework to enforce in-guest execution of critical code Specifically related to mitigation of rootkits HelloRootkitty protects with small performance impact
- 34. What now? don’t w or r y We will be all virtualized soon that’s g ood ! We presented a framework to enforce in-guest execution of critical code Specifically related to mitigation of rootkits HelloRootkitty protects with small performance impact HelloRootkitty in HyperForce does it much faster
- 35. What’s next? Use theframework for other types of mitigation
- 36. What’s next? Use theframework for other types of mitigation Store something “smarter” in the protected memory area
- 37. What’s next? Use theframework for other types of mitigation Store something “smarter” in the protected memory area . collecting guest system data . no interference with malware . isolation from corrupted system
- 38. Thank you. DISCLAIMER: Feel free to contact me! I rarely tweet about computer security francesco.gadaleta@cs.kuleuven.be http://frag.gadaleta.org @fragadaleta tefsom