VM final
1. VM 2015 Fall final presentation
VM applications
B00902069 傅 蕎
B00902070 沈雯萱
2. Reference Papers
● “Terra: a virtual machine-based platform for trusted computing”, Tal Garfinkel et al., Proceedings of the nineteenth ACM Symposium on Operating Systems Principles, SOSP '03, 2003
● “ReVirt: enabling intrusion analysis through virtual-machine logging and replay”, G. Dunlap et al., ACM SIGOPS Operating Systems Review, OSDI '02: Proceedings of the 5th Symposium on Operating Systems Design and Implementation, 2002
● “SubVirt: implementing malware with virtual machines”, S. T. King, P. Chen, 2006 IEEE Symposium on Security and Privacy, 2006
● “Cider: Native Execution of iOS Apps on Android”, Jeremy Andrus et al., ASPLOS 2
3. Outline
● Why apply VM
● Four applications
    Motivation
    Technical Highlight
    Major Experience Result
    Main Contribution
● Our own idea
● Comparison
● Conclusion
4. Why apply VM?
● Allows programs to run across platforms.
● Enables innovation in security.
● Failure isolation.
7. Motivation
● Commodity systems impose “fundamental limitations” on security
● Open-box systems
    General purpose, rich functionality
● Closed-box systems
    Greater security, possibly including tamper-resistance
8. Technical Highlight
● TVMM: partitions a single tamper-resistant, general-purpose platform into multiple isolated virtual machines
    The TVMM runs at the highest privilege level and is secure against tampering by the administrator (root secure)
● Management VM
    Formulates all platform access control and resource management policies
9. Experience Result
● Quake – a multi-player online game vulnerable to client cheating
    Terra provides:
        Secure communication
        Client integrity
        Server integrity
        Isolation
    Terra can't prevent:
        DoS attacks
10. Main Contribution
● Makes closed-box VMs equivalent to the dedicated hardware and software of closed-box platforms
● The TVMM mechanisms allow Terra to partition the platform into multiple, isolated VMs.
12. Motivation
● Post-attack analysis
    Understand the attack
    Fix the vulnerability
    Repair any damage
● Current system loggers
    Need the integrity of the OS being logged
    Record insufficient information for non-deterministic events
● ReVirt
13. ReVirt
● Encapsulates the target (OS + app) inside a VM
● Logs below the VM
● Replays execution before, during, and after an intruder compromises the system
● Replays instruction-by-instruction
● Non-deterministic attacks or executions
    Time
    External input
● Long-term: up to several months
14. Technical highlight
● UMLinux
    The virtual machine is a user process on the host (OS-on-OS)
    Guest app -> Guest kernel -> Host kernel
    Logging in OS-on-OS is safer
● Logging
    Record all non-deterministic events affecting the VM
    PC, number of branches, signals, interrupts, traps
● Replaying
    Prevent new interrupts
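The logging and replaying bullets above, as an added toy model (constructed for this page, not ReVirt's code): a tiny "VMM" runs a guest, logs each non-deterministic event (timer interrupt, external input) together with the instruction count at which it was delivered, and on replay re-injects the logged events at the same counts while suppressing live interrupts, so the replayed trace matches the original instruction for instruction. The names `Event`, `Guest`, `record` and `replay` and the four-instruction guest program are assumptions of this example.

```python
import random
from dataclasses import dataclass, field

@dataclass
class Event:
    icount: int      # instruction count at which the event reached the guest
    kind: str        # "irq" (timer interrupt) or "input" (external device data)
    value: int = 0   # payload, used by "input" events

@dataclass
class Guest:
    pc: int = 0
    acc: int = 0
    irqs: int = 0
    trace: list = field(default_factory=list)   # (icount, pc, acc) per step

PROGRAM = ["READ", "ADD", "NOP", "JMP"]  # constructed guest: read a byte, add, loop

def run(rng=None, log=None, n=16):
    """Record mode (rng given): rng supplies nondeterminism, each event is appended
    to `log`. Replay mode (rng is None): `log` is consumed, live interrupts are off."""
    g, pending = Guest(), ([] if rng is not None else list(log))
    for icount in range(n):
        if rng is not None and rng.random() < 0.3:      # live timer interrupt
            g.irqs += 1
            log.append(Event(icount, "irq"))
        while pending and pending[0].icount == icount and pending[0].kind == "irq":
            g.irqs += 1                                  # re-deliver logged irq
            pending.pop(0)
        op = PROGRAM[g.pc]
        if op == "READ":
            if rng is not None:
                g.acc = rng.randint(0, 255)              # live external input
                log.append(Event(icount, "input", g.acc))
            else:
                ev = pending.pop(0)                      # replay logged input
                assert (ev.icount, ev.kind) == (icount, "input"), "log out of sync"
                g.acc = ev.value
        elif op == "ADD":
            g.acc = (g.acc + g.irqs) & 0xFF    # result depends on irq timing
        g.trace.append((icount, g.pc, g.acc))
        g.pc = 0 if op == "JMP" else g.pc + 1
    return g

def record(seed):            # live run: returns final state and the event log
    log = []
    return run(random.Random(seed), log), log

def replay(log):             # reproduce a recorded run from the log alone
    return run(None, log)
```

Only events that change the guest's execution are logged; the deterministic instruction stream itself is regenerated by re-executing, which is why the log stays small.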
15. Experience
● 5 workloads
● Virtualization overhead
● Validating correctness
    Extensive error checks that raise an alert
● Logging and replaying overhead
    Space & time
16. Main contribution
● Enables a system administrator to replay the long-term, instruction-by-instruction execution of a computer system
18. Motivation
● Attacker vs. Defender
    Control of the lower layer of the system
    To monitor, perturb execution, modify state, etc.
    To avoid the detector
● Current rootkits
    No clear advantage over detection systems
    Trade-off between functionality and invisibility
● Virtual Machine Based Rootkit (VMBR)
19. VMBR
● Runs beneath the OS
    Hoists the target OS into a virtual machine
● No visible state or events
● Easy to develop malicious services
20. Technical highlight
● Loads before the target OS/applications
    Uses a VMM to boot
● 3 kinds of malicious services
    No interaction with the target
    Observe information about the target
    Intentionally perturb execution of the target
● Maintain control
    Control is lost only after power-up, before the VMBR starts
    Lost on power-off, so keep a low-power mode instead
21. Experience
● 2 proof-of-concept VMBRs to subvert Windows XP & Linux targets
● 4 example malicious services
● Evaluation
    Disk space
    Time to install the VMBR
    Effect on the target's boot time
    User view
    Memory space
22. Defending against a VMBR
● Security software below the VMBR
    Does not go through the VMBR layer!!
    Use secure hardware
    Boot from a safe medium
    Physically unplug the machine
    Secure VMM
● Security software above the VMBR
    CPU overhead causes timing differences
    Extra memory and disk space
    Changes in I/O devices
    Imperfect virtualization (at the time)
23. Main contribution
● A non-traditional malware can gain a clear advantage over intrusion detection systems running in the target OS
25. Motivation
● Users who want to run iOS games are stuck with the smaller screen sizes.
● Users who prefer a larger selection of hardware are stuck with the poor quality and selection of Android games.
● Cider: an OS compatibility architecture that can run apps of different platforms simultaneously.
26. Technical Highlight
● Persona: distinguishes iOS and Linux threads
    Mach-O loader: supports the XNU syscall interface and facilitates proper signal delivery
● Duct Tapes: translate foreign APIs to domestic APIs
    Compile-time code adaptation layer
● Diplomats: iOS apps using Android libraries
    Android ELF loader
    Kernel-level persona management
    Mediates foreign function calls into domestic libraries
30. We think...
● VMs have many great features which a standard OS doesn't.
● Make an operating system which has no host system, only virtual machines.
32. Conclusion
● VM is good!
● VMs can be applied to
    security
    running/developing cross-platform programs
    isolating OSes
33. Team Work
● We partitioned the four papers into two parts.
● After reading our own part, we summarized our part to each other.
● Discussed the rest of the report together.
Logging below the VM is meant to protect against an OS/app that has been subverted by an attacker; it records everything done after the subversion.
fault-tolerance for primary-backup recovery
external input: mouse, keyboard, network card...
similar but not the same host HW
OS-on-OS vs. direct-on-host-OS: the latter is just an ordinary VM (the target app runs on the host OS)
The VMM itself switches between guest kernel mode and guest user mode.
How far the guest OS trusts the layers below it -> TCB (trusted computing base)
Logging in OS-on-OS is harder to attack because the TCB is smaller (an attack does not affect the host), although both still depend on whether the host OS can be trusted (future work).
Only the non-deterministic events that affect the VM process's execution need to be logged; many others (those affecting host processes) need not be.
Several small tools can help when analyzing an attack, e.g. a tool that replays halfway and then does something.
The overhead is not large; performance is close to 1 (normalized), so normal use would not notice it.
SubVirt: implementing malware with virtual machines
The lower layer is the one that implements the abstractions the upper layer uses.
e.g. the OS can see everything about an application.
rootkit: tools used to hide malicious activities
Current rootkits have two drawbacks:
no clear advantage over detection: at best they sit at the same layer as the detector, and still do not win
VMM: manages the lower-layer resources and provides abstractions for many VMs above it
The guest (user mode) does not know what the VMM (kernel mode) is doing; normal use happens above the VMM.
VM services are implemented outside the guest so as not to disturb the guest.
Software inside and outside see different states/events -> semantic gap
VM introspection (VMI) helps VM services understand or modify the guest's state/events, and can then invoke the guest OS/app.
VM services can protect themselves by disallowing external I/O.
The VMBR moves the target into a VM and then runs the malware; it also isolates the malware so it is not discovered.
Acting as the VMM, the VMBR can modify the target's state/events without being detected.
must gain privilege to modify the boot sequence
save VMBR state on disk (most convenient); the VMBR then boots next time
(1) simply let it run inside the attack OS
(2) secretly log by modifying the VMM; VMI can trap the target OS/app at any time
(3) modify execution of the target: can alter HW data, or alter the target's data or execution through VMI
first code: system BIOS
minimize the power-off time
handle reboot: restart the virtual HW rather than resetting the physical HW
simulate shutdown while the VMBR keeps running
The 4 examples cover the three malicious-service types mentioned above + a detection countermeasure
small fraction of disk
Virtual PC is slower because it used slower hardware and less memory
few differences for the user, little impact on the target; uses a special driver within the target OS
small percentage of memory
Hard to detect because the state is virtualized and ideally no state in the target is modified
The target cannot see the VM; even if it could, the VMBR can tamper so that it believes nothing is wrong
At that time x86 still had imperfectly virtualizable instructions
users could detect it at the privilege level
As technology advances this is no longer a problem
Cider: Native Execution of iOS Apps on Android
PassMark: mobile-phone benchmarking software
measurement: operations per second, so higher is better
Cider Android: Android running on Cider
Cider iOS: iOS running on Cider