www.bitdefender.com
8/25/2014 • Slide 1: Zero-Footprint Guest Memory Introspection from Xen
Xen Project Developer Summit, August 18th, 2014
Mihai DONȚU – Technical Project Manager, Bitdefender
Ravi SAHITA – Principal Engineer, Intel
Improving VM Introspection Using Hardware Virtualization Extensions
Slide 2: Outline
• Security issues
• Memory introspection
  o Operation
  o Evolution
• XenAccess and mem-events enhancements
• Sample usages
• Hardware acceleration for memory introspection
• Conclusions
Slide 3: Security issues we are facing today
• Advanced malware types
  o Rootkits
  o Kernel exploits
  o Zero-days
• APTs, botnets, cyber-espionage and so on heavily rely on those…
Slide 4: Security issues we are facing today (2) [figure only]
Slide 5: Security issues we are facing today (3)
Malware today executes in the same context and with the same privileges as anti-malware software: a lack-of-isolation problem.
Diagram: two copies of the same guest stack (Drivers, App1 (Office), App2 (Browser), OS Kernel, Security Solution, Security Filter). Left, common malware: isolation is kernel controlled. Right, advanced malware: isolation bypassed and malware controlled.
Slide 6: Conclusion: advanced attacks evade traditional security solutions
Slide 7: Envision the big picture
so… what’s the big difference?...
Diagram: the Xen Hypervisor hosts dom0, an SVA (domU0) running the Memory Introspection Engine, and the guests domU1, domU2 … domUN inside the protected area.
Slide 8: Memory introspection: envision the big picture
Diagram: the Xen Hypervisor hosts dom0, an SVA (domU0) running the Memory Introspection Engine, and the guests domU1, domU2 … domUN inside the protected area, labelled "Hypervisor controlled, hardware enforced: STRONG ISOLATION". Two other placements of the engine are marked as Introspection Engine Alternative 2 and Introspection Engine Alternative 3.
Slide 9: Memory introspection: what is memory introspection?
• Address a number of security issues from outside the guest OS without relying on functionality that can be rendered unreliable by advanced malware
• Analyze the raw memory image of the guest OS, services and user mode applications, then identify
  o kernel memory areas
  o driver objects, driver code, IDT, etc.
  o user memory areas
  o process code, process stack, process heap, etc.
Slide 10: Memory introspection: how does it work?
• Use existing hardware virtualization extensions (Intel EPT / AMD RVI)
• Set hooks on guest OS memory
  o mark 4K pages as non-execute or non-writable
  o hooking & notification must be supported efficiently by the HV & CPU
• Audit access to those areas by the code running in the VM (OS or apps)
  o write attempts (driver objects, fast I/O tables, page tables)
  o execution attempts
• Allow or deny attempts – the decision is provided by the security logic
Slide 11: Memory introspection: how does it work? (2)
Diagram of the guest VM physical memory space: OS kernel code; kernel driver code and data; kernel data (SSDT, IDT, …); user mode code; user mode stacks & heaps.
EPT protected areas provide detection of various OS level changes (e.g. new module load, new process start, …).
EPT protected areas provide detection of attempts and protection against integrity violation.
Slide 12: Memory introspection: how does it work? (3)
• Building a reliable image of the guest OS state
  o what objects are inside a guest VM?
  o what operations are being performed inside a guest VM?
  o object and event identification and correlation is done by the introspection engine – to decide event and object maliciousness
• Using hooks we can detect numerous events, including
  o a driver / kernel module is loaded or unloaded
  o a new user process or thread is created
  o user stack / heap is allocated
  o memory is being paged in / out
Slide 13: Memory introspection: how does it work? (4)
Traditional in-guest security solution: a typical anti-malware kernel module runs inside the OS kernel. It reads memory by virtual address, reads files and the registry, enumerates processes and files, and sets up well-known callbacks & notifications (e.g. "New process PID 0x1234", "HKLM...").
Out-of-guest memory introspection: the Memory Introspection Engine sits outside the guest, next to the Xen Hypervisor. It reads memory by physical address, reads the vCPU registers, sets up EPT hooks on memory pages (by physical address), and receives notifications such as "Write / Execute attempt on PA 0x000A12345678" together with the register state (e.g. RAX = 0x1234, RIP = 0x7890).
Slide 14: Memory introspection: two big challenges
• Bridging the semantic gap – obtaining rich semantics from only raw physical memory pages and virtual CPU registers
  o how do we correlate 4K memory pages with semantically rich and meaningful OS specific data structures?
  o to be solved by security solution vendors
• Forwarding lots of mem-event notifications with low overhead to the introspection engine
  o to be solved by hypervisor and CPU vendors
Slide 15: Memory introspection evolution
• 2003 – Garfinkel & Rosenblum: “A Virtual Machine Introspection Based Architecture for Intrusion Detection”
  o the starting point for a considerable amount of academic research
• 2006 – Jiang & Wang: “’Out-of-the-box’ Monitoring of VM-based High-Interaction Honeypots”
• 2008 – Dinaburg et al.: “Ether: Malware Analysis via Hardware Virtualization Extensions”
  o built on top of Xen 3.1
• 2008 – VMsafe API announced by VMware, which provides access to a guest’s:
  o CPU, memory, disk, I/O devices etc.
  o supported memory introspection for vSphere / ESXi
• 2010 – VMware vShield Endpoint (as a replacement for the VMsafe API)
  o in-guest agent based
  o file introspection only
• 2012 – VMware deprecates VMsafe
Slide 16: Memory introspection in Xen
• 2007 – XenAccess, XenProbes
• 2008 – Lares
• 2009 – first patches for the mem-events API
• 2010 – LibVMI – uses XenAccess and XenStore
  o targets Xen, but support for other HVs can be added
  o insufficient flexibility in changing page permissions
  o no support for mapping guest memory RW
  o insufficient information about the guest CPUs
  o high overhead when reading the vCPU register state
  o a ‘complete’ initialization requires intimate knowledge about the guest OS
  o code for handling specific guest OSes (Windows, with Linux in the works)
Slide 17: XenAccess and mem-events enhancements
• 2014 – Bitdefender published a set of patches (as RFC) to enhance the mem-events API
  o implements its own version of LibVMI
  o simpler API
  o nothing [guest] OS specific
  o support for other HVs can be added
  o allows mapping guest memory (via EPT)
  o uses a very simple page cache to optimize (un)maps
  o optimized access to specific resources
• Some patches went into mainline, others will follow shortly
Slide 18: XenAccess and mem-events enhancements (2)
Diagram: a mem-event notification travels from domU1 through the Xen Hypervisor to the Memory Introspection Engine in the SVA (domU0). Fields of the notification shown on the slide:
    uint32_t flags;
    uint32_t vcpu_id;
    uint64_t gfn;
    …
    mem_event_regs_t regs;
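The hook-and-audit loop from the "How does it work?" slides, driven by notifications shaped like the fields above, as an added example that is neither Xen's mem-events API nor Bitdefender's engine. It is a userspace C model: the event struct `vmi_event_t`, the region table and every function name are assumptions modelled on the slide, and all guest-physical addresses are constructed sample values. The point it demonstrates is the cost raised later in the deck under "4K page sharing": hooks are applied per page, so an access to a hooked page traps even when it does not touch the protected bytes, and the engine has to filter such events by offset and let them through rather than deny them.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define MAX_HOOKS 32
/* Access kinds a hooked page can trap: non-writable traps ACC_W, non-execute traps ACC_X. */
enum access { ACC_R = 1, ACC_W = 2, ACC_X = 4 };

/* Notification to the engine, modelled on the fields the slide shows
 * (flags, vcpu_id, gfn, registers); the offset field is an added assumption. */
typedef struct {
    uint32_t flags, vcpu_id;   /* flags carries the access kind that trapped */
    uint64_t gfn;              /* guest frame number of the trapping page */
    uint32_t offset;           /* byte offset inside that 4K page */
    uint64_t rip;              /* forwarded vCPU register state */
} vmi_event_t;

/* A protected object: a byte range in guest physical memory plus the access kinds to deny. */
typedef struct { const char *name; uint64_t gpa_start, len; uint32_t deny; } region_t;
/* Page-granular hook table: the part that would live in the EPT. */
static struct { uint64_t gfn; uint32_t trap; } hooks[MAX_HOOKS];
static int nhooks;

/* Step 1 (hypervisor side): hook every 4K page the region touches so the denied
 * access kinds trap. Returns the number of newly hooked pages, -1 if the table is full. */
int install_hooks(const region_t *r)
{
    uint64_t first = r->gpa_start >> PAGE_SHIFT, last = (r->gpa_start + r->len - 1) >> PAGE_SHIFT;
    int added = 0;
    for (uint64_t g = first; g <= last; g++) {
        int i;
        for (i = 0; i < nhooks && hooks[i].gfn != g; i++)
            ;
        if (i == nhooks) {                 /* page not hooked yet */
            if (nhooks == MAX_HOOKS)
                return -1;
            hooks[nhooks].gfn = g;
            hooks[nhooks].trap = 0;
            nhooks++;
            added++;
        }
        hooks[i].trap |= r->deny;          /* merge with other regions sharing the page */
    }
    return added;
}

/* Step 2 (CPU side): an access traps only if its page is hooked for that access kind. */
bool hook_traps(uint64_t gpa, uint32_t access)
{
    for (int i = 0; i < nhooks; i++)
        if (hooks[i].gfn == (gpa >> PAGE_SHIFT) && (hooks[i].trap & access))
            return true;
    return false;
}

enum verdict { V_NO_EVENT, V_ALLOW, V_DENY };

/* Step 3 (engine side): only an access inside a protected byte range is denied; an
 * access to the same page but outside it is a false positive of 4K granularity. */
enum verdict audit(const vmi_event_t *ev, const region_t *regions, int nregions)
{
    uint64_t gpa = (ev->gfn << PAGE_SHIFT) | ev->offset;
    for (int i = 0; i < nregions; i++) {
        const region_t *r = &regions[i];
        if (gpa >= r->gpa_start && gpa < r->gpa_start + r->len && (r->deny & ev->flags)) {
            printf("DENY  %s gpa=0x%" PRIx64 " vcpu=%u rip=0x%" PRIx64 "\n", r->name, gpa,
                   ev->vcpu_id, ev->rip);
            return V_DENY;
        }
    }
    printf("ALLOW gpa=0x%" PRIx64 " (hooked page, but outside every protected range)\n", gpa);
    return V_ALLOW;
}

/* Drives one guest access through all three steps. */
enum verdict simulate_access(uint64_t gpa, uint32_t access, uint32_t vcpu, uint64_t rip,
                             const region_t *regions, int nregions)
{
    if (!hook_traps(gpa, access))
        return V_NO_EVENT;                 /* no VM exit, no notification at all */
    vmi_event_t ev = { access, vcpu, gpa >> PAGE_SHIFT, (uint32_t)(gpa & 0xfff), rip };
    return audit(&ev, regions, nregions);
}

/* Constructed sample layout (addresses invented): an IDT straddling two pages that
 * must not be written, and a user stack that must not be executed. */
const region_t demo_regions[2] = { { "IDT", 0x1800, 0x1000, ACC_W }, { "stack", 0x7000, 0x2000, ACC_X } };

/* Installs the demo hooks and returns the total number of pages hooked (4). */
int demo_setup(void)
{
    nhooks = 0;
    return install_hooks(&demo_regions[0]) + install_hooks(&demo_regions[1]);
}
```

After `demo_setup()`, a write to 0x1900 (inside the IDT) is denied, a write to 0x1100 (same page, below the IDT) traps but is allowed, a write to 0x5000 never produces an event, and an execute at 0x7100 (the stack) is denied. The ALLOW path is the overhead the later Intel slides set out to reduce: it costs a full round trip for an access the policy does not care about.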
Slide 19: Example use of the extended API
Diagram: the Xen Hypervisor hosts dom0 and the SVA (domU0) running the Memory Introspection Engine. The protected areas inside the guest are critical kernel modules, App1, App2, …, each with its code, stacks, heaps, IAT, … Mem-events and VMCALLs are facilitated by Xen.
Slide 20: Example use of the extended API (2)
• Bitdefender’s own introspection engine can
  o protect the kernel from known rootkit hooking techniques
  o protect user processes (e.g. browsers, MS Office, Adobe Reader, …) from
    o code injection
    o function detouring
    o code execution from stack / heap
    o unpacked malicious code
  o inject remediation tools into the guest on-the-fly (no help from ‘within’ needed)
• Runs in userspace in a user domain (SVA – Security Virtual Appliance)
• Introspection logic has very small overhead
  o the bulk of the overhead comes from sending / receiving events and calls between the protected guest VMs and the SVA
Slide 21: Hardware Acceleration for Memory Introspection
Ravi Sahita, Intel
Slide 22: Hardware Acceleration for Memory Introspection
Factors limiting VM memory monitoring performance
Addressing lack of memory isolation
Addressing performance gaps for execution and data access-control policies
Xen extensions
Slide 23: Factors Limiting VM Memory Monitoring Performance
Round-trip time
– Monitoring execution and data accesses
– Dynamic data structures imply high frequency events
Filtering events
– Monitoring data accesses requires filtering non-interesting events due to 4K page sharing
Further, round-trip time is amplified by VMM nesting
Slide 24: Multiple EPTs as Protection Domains
Diagram: on CPU0 with Intel® VT-x with EPT, the hypervisor gives VM0 several Extended Page Table (EPT) domains; the EPT walker resolves each guest access to a host physical address through the active domain. The same memory carries different permissions in each domain: OS kernel code/data is RX/RW in one domain and RO/NP in another; driver code is RX in one and RO in another; data is RW in one and NP in another. Execution crossing EPT domains, or data accesses, cause events.
Intel® Virtualization Technology for IA-32, Intel® 64 and Intel® Architecture (Intel® VT-x)
Slide 25: Addressing Lack of Isolation…
Diagram: Xen sets the policy for the EPT domains, the CPU raises the events, and the isolation is hypervisor-derived.
Slide 26: …Without Sacrificing Performance
Diagram: a process, kernel modules and a security module are placed in separate permission domains above the hypervisor; the legal control transfers between them are marked.
Must allow for legal execution of components isolated in permission domains
Each execution transfer across domains leads to VM exits that the hypervisor must mediate
As components are isolated via domains, numerous execution transfers are induced
The high frequency of such VM exits to the hypervisor causes overhead
Eliminate these induced VM exits on legal control transfers
Slide 27: VM Functions: Hypercalls Without VM Exits
VM Functions: Intel® VT-x extensions for services configured by the hypervisor
– Different VM Functions correspond to different services
The hypervisor configures VM Functions via new fields in the VMCS
Guest software invokes VM Functions via a new instruction (VMFUNC <leaf>)
– The value in EAX specifies which VM Function leaf is invoked
The CPU provides the services as configured, with no VM exit
Intel® Virtualization Technology for IA-32, Intel® 64 and Intel® Architecture (Intel® VT-x)
Slide 28: VMFUNC-based Domain Switching
Paravirtualized software can request a protection domain switch via VMFUNC (specifying the domain index)
The hypervisor pre-configures the mapping from domain index to EPTPs
The hypervisor pre-configures the domain boundaries
View switching speeds up access control policies
Diagram: on CPU0 with Intel® VT-x with EPT, VM0 executes VMFUNC (EPTP switch); the EPT walker then resolves host physical addresses through the selected entry of the alternate Extended Page Table (EPT) list set up by the hypervisor.
Intel® Virtualization Technology for IA-32, Intel® 64 and Intel® Architecture (Intel® VT-x)
Slide 29: Asynchronous Induced VM Exits
In VM-introspection scenarios critical data is monitored in place
Legacy approaches are to VM exit and emulate the access
Alternatively, VM exit and switch views to single step the guest (MTF)
A high frequency of writes to monitored data causes high overhead
Requires custom logic in the VMM, increasing complexity/state in the hypervisor
Diagram (a ring-0 monitoring agent and the monitored memory in the guest kernel; the EPT domains, access policy and emulation in the hypervisor):
1. The hypervisor sets up the view policies
2. A WRITE to the monitored memory causes an EPT violation VM exit
3. VMResume into a single-step memory view so the access can complete (or the access is emulated)
4. VM exit after the access has completed
5. VMResume back into the monitoring view
Slide 30: Accelerating Induced Events
Via Virtualization Exception (#VE)
– Mutates EPT violations into a new IA exception, delivered through the guest IDT
The VMM enables the conversion of EPT violations to #VE
Data access monitoring view policies are set up in the EPT domains
A data access causes #VE instead of a VM exit
The guest monitoring agent can emulate in guest OR use VMFUNC to single step the access
Diagram (hypervisor in VMX-root holding the EPT domains and the access policy; the kernel, the monitoring service and the monitored memory in VMX-non-root):
1. The hypervisor sets up the policies; a WRITE to the monitored memory raises #VE, the #VE info is filled in, and the monitoring service handles the #VE
2. The service sets up a single step (VMFUNC into the single-step memory view) or emulates the access
3. The service completes the single step (VMFUNC back to the monitoring view) or the in-guest emulation
Slide 31: VMFUNC Configuration
The hypervisor checks the IA32_VMX_VMFUNC MSR (index 491H) for the allowed VM-function controls
Opts in by setting “Enable VM functions” (bit 13) in the secondary processor-based VM-execution controls field
Activates “EPTP switching” by setting bit 0 in the (new) VM-function control field of the VMCS
Configures the alternate EPTP values in memory, referenced via a VMCS field (the EPTP-list address); entries 0 … 511 each hold an alternate EPTP
Guest software uses the VMFUNC opcode with leaf selector EAX=0 and ECX containing the index of the selected EPTP (view)
Errors are reported to the hypervisor via VM exits
Slide 32: Virtualization Exception (#VE) Configuration
Enumerated by the VMM via the capability MSR (IA32_VMX_PROCBASED_CTLS2, 48Bh, bit 50)
Set the VMCS “Enable VE” bit: VM-execution control bit 18 in the secondary processor-based VM-execution controls
Negotiate the “VE Info” page with the hypervisor: its address is held in the (new) VE Information Address field of the Virtual Machine Control Structure (VMCS), and the page in memory carries the Exit Reason, Suppress, Exit Qualification, Guest Linear Address, Guest Physical Address and EPTP Index fields
#VE is delivered through the guest IDT
Suppress VE: EPTE bit 63
– Set on pages for which the VMM does not want a #VE to be raised
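The VMFUNC and #VE configuration steps above, together with the EPTP switching described on the "VMFUNC-based Domain Switching" slide, as an added example that is not Xen code and not an Intel reference implementation. It is a userspace C model in which the VMCS, the EPTP list, the EPT entries and the #VE information area are plain structs: their field names follow the slides, but their layout, the exit-qualification encoding and every function name are assumptions. Only the positions quoted on the slides (secondary controls bits 13 and 18, VM-function control bit 0, EPTE bit 63, 512 EPTP-list entries) are taken from the page. It shows the three decisions the hardware makes: whether the hypervisor may enable EPTP switching at all, whether a guest VMFUNC switches views or faults to the hypervisor, and whether an EPT violation becomes a #VE or a VM exit.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define EPTP_LIST_ENTRIES 512                 /* alternate EPTPs 0 … 511 */
#define SEC_CTL_ENABLE_VM_FUNCTIONS (1ULL << 13)
#define SEC_CTL_ENABLE_VE           (1ULL << 18)
#define VMFUNC_CTL_EPTP_SWITCHING   (1ULL << 0)
#define EPTE_R 1ULL
#define EPTE_W 2ULL
#define EPTE_X 4ULL
#define EPTE_SUPPRESS_VE (1ULL << 63)        /* set: the violation exits to the VMM instead */
#define NPAGES 8
/* One EPT view: a permission entry per guest page (flat model, not the real 4-level table). */
typedef struct { uint64_t epte[NPAGES]; } ept_view_t;
/* Subset of the VMCS plus the in-memory structures it points to. */
typedef struct {
    uint64_t vmfunc_msr;                       /* IA32_VMX_VMFUNC: controls the CPU allows */
    uint64_t secondary_controls;               /* secondary processor-based VM-execution controls */
    uint64_t vmfunc_control;                   /* VM-function control field */
    ept_view_t *eptp_list[EPTP_LIST_ENTRIES];  /* contents of the page at the EPTP-list address */
    int current_view;                          /* index of the EPTP in use */
} vmcs_t;
/* #VE information area with the fields named on the #VE slide (layout is an assumption). */
typedef struct {
    uint32_t exit_reason;
    uint64_t exit_qualification, guest_linear_address, guest_physical_address, eptp_index;
} ve_info_t;
static ve_info_t ve_info;                      /* the negotiated "VE Info" page */
enum outcome { OUT_OK, OUT_VMEXIT, OUT_VE };

/* Hypervisor side: opt in to EPTP switching only if the capability MSR allows it. */
bool hv_enable_eptp_switching(vmcs_t *v)
{
    if (!(v->vmfunc_msr & VMFUNC_CTL_EPTP_SWITCHING))
        return false;
    v->secondary_controls |= SEC_CTL_ENABLE_VM_FUNCTIONS;
    v->vmfunc_control |= VMFUNC_CTL_EPTP_SWITCHING;
    return true;
}
/* Hypervisor side: opt in to #VE delivery (the info page is a static here). */
void hv_enable_ve(vmcs_t *v) { v->secondary_controls |= SEC_CTL_ENABLE_VE; }
/* Hypervisor side: mark one page of one view so its violations exit to the VMM, not #VE. */
void hv_suppress_ve(vmcs_t *v, int view, int page) { v->eptp_list[view]->epte[page] |= EPTE_SUPPRESS_VE; }

/* Guest side: VMFUNC with EAX = leaf and ECX = EPTP index. Every error path is a VM
 * exit, which is how the VMFUNC configuration slide says errors reach the hypervisor. */
enum outcome guest_vmfunc(vmcs_t *v, uint32_t eax, uint32_t ecx)
{
    if (!(v->secondary_controls & SEC_CTL_ENABLE_VM_FUNCTIONS))
        return OUT_VMEXIT;
    if (eax != 0 || !(v->vmfunc_control & VMFUNC_CTL_EPTP_SWITCHING))
        return OUT_VMEXIT;                     /* leaf not enabled */
    if (ecx >= EPTP_LIST_ENTRIES || v->eptp_list[ecx] == NULL)
        return OUT_VMEXIT;                     /* bad index or empty slot */
    v->current_view = (int)ecx;                /* view switched, no VM exit */
    return OUT_OK;
}

/* CPU side: one guest access checked against the active view. On a violation, #VE
 * is raised only when it is enabled and the EPTE does not carry the suppress bit. */
enum outcome guest_access(vmcs_t *v, int page, uint64_t access, uint64_t gla)
{
    uint64_t epte = v->eptp_list[v->current_view]->epte[page];
    if ((epte & access) == access)
        return OUT_OK;
    if (!(v->secondary_controls & SEC_CTL_ENABLE_VE) || (epte & EPTE_SUPPRESS_VE))
        return OUT_VMEXIT;
    ve_info.exit_reason = 48;                  /* basic exit reason for an EPT violation */
    ve_info.exit_qualification = access;       /* assumption: low bits encode the access kind */
    ve_info.guest_linear_address = gla;
    ve_info.guest_physical_address = (uint64_t)page << 12;
    ve_info.eptp_index = (uint64_t)v->current_view;
    return OUT_VE;
}

/* Constructed scenario: view 0 is the guest's normal view; in view 1 (the monitoring
 * view) page 3, standing in for a monitored kernel structure, is read-only. */
static ept_view_t normal_view, monitor_view;
static vmcs_t vmcs;
vmcs_t *setup_demo(void)
{
    for (int p = 0; p < NPAGES; p++)
        normal_view.epte[p] = monitor_view.epte[p] = EPTE_R | EPTE_W | EPTE_X;
    monitor_view.epte[3] = EPTE_R;
    vmcs = (vmcs_t){0};
    vmcs.vmfunc_msr = VMFUNC_CTL_EPTP_SWITCHING;   /* assumed: the CPU enumerates EPTP switching */
    vmcs.eptp_list[0] = &normal_view;
    vmcs.eptp_list[1] = &monitor_view;
    hv_enable_eptp_switching(&vmcs);
    hv_enable_ve(&vmcs);
    return &vmcs;
}
```

With `setup_demo()` done, a write to page 3 succeeds in view 0; after `guest_vmfunc(v, 0, 1)` the same write yields `OUT_VE` with `ve_info.eptp_index == 1`, so an in-guest agent can handle it without leaving VMX-non-root; after `hv_suppress_ve(v, 1, 3)` the same write yields `OUT_VMEXIT`, which is the per-page opt-out the Xen extensions slide relies on to keep Xen's own EPT management unaffected. A VMFUNC with a wrong leaf, an out-of-range index or an empty list slot never switches the view; it exits to the hypervisor.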
Slide 33: Xen Extensions
1. Efficiently creating and maintaining alternate EPT views/domains via an extension of the p2m
2. Hypercalls to edit EPT permissions without conflicting with Xen's EPT management
3. Reporting guest-specific memory events via #VE in a Xen-compatible manner (Suppress #VE EPTE bit)
4. Enabling CPU acceleration if VMFUNC and #VE are CPU-enumerated and opted in
Diagram: the Xen Hypervisor hosts domU0 … domUN, each with its own EPT domains and a Security Engine; the CPU delivers #VE into the guests.
Slide 34: VM Introspection Performance Improvements
Round-trip time
– VMFUNC allows safe, fast memory view (EPT) switches
– VM exits mutated to #VE for guest memory monitoring
Filtering events
– Reduced latency of #VE event handling reduces the overhead of filtering events
Round-trip time amplification due to VMM nesting
– No VM exits to the root VMM implies no amplification of VM exits due to EPT violations
Scalable runtime memory introspection without VT overheads
Slide 35: Conclusions
• Today Xen can be the base for providing a much improved layer of security – it serves as a model for other HV vendors
  o truly agentless security (zero in-guest footprint)
  o IT admins can deploy introspection based solutions seamlessly, without changing a single line of config inside the guest VMs
• Hardware enforced isolation (against kernel exploits, zero days, …)
• Hardware extensions enable intra-VM isolation, which in turn enables protected agent based introspection for high frequency access monitoring and agent isolation
• Both models require straightforward Xen infrastructure changes (multi-EPT views, hardware acceleration capabilities)
Slide 36: Thank you!
enterprise.bitdefender.com
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bitdefender and Ravi Sahita, Intel


Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
The Metaverse: Are We There Yet?
The  Metaverse:    Are   We  There  Yet?The  Metaverse:    Are   We  There  Yet?
The Metaverse: Are We There Yet?
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream Processing
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 

XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bitdefender and Ravi Sahita, Intel

9. What is memory introspection? (Envision the big picture)
• Address a number of security issues from outside the guest OS, without relying on functionality that advanced malware can render unreliable
• Analyze the raw memory image of the guest OS, its services and its user-mode applications, then identify
  o kernel memory areas: driver objects, driver code, IDT, etc.
  o user memory areas: process code, process stack, process heap, etc.

10. Memory introspection: how does it work?
• Use existing hardware virtualization extensions (Intel EPT / AMD RVI)
• Set hooks on guest OS memory
  o mark 4K pages as non-executable or non-writable
  o hooking and notification must be supported efficiently by the hypervisor and the CPU
• Audit accesses to those areas by the code running in the VM (OS or applications)
  o write attempts (driver objects, fast I/O tables, page tables)
  o execution attempts
• Allow or deny each attempt; the decision is provided by the security logic

11. Memory introspection: how does it work? (2)
[Diagram: the guest VM's physical memory space with its EPT-protected areas marked]
• EPT-protected areas provide detection of OS-level changes (e.g. a new module load, a new process start, …)
• EPT-protected areas provide detection of attempts at, and protection against, integrity violations
• Protected regions of the guest's physical memory space: OS kernel code; kernel driver code and data; kernel data (SSDT, IDT, …); user-mode code; user-mode stacks and heaps

12. Memory introspection: how does it work? (3)
• Building a reliable image of the guest OS state
  o what objects are inside a guest VM?
  o what operations are being performed inside a guest VM?
  o object and event identification and correlation is done by the introspection engine, which decides whether an event or object is malicious
• Using hooks we can detect numerous events, including
  o a driver / kernel module is loaded or unloaded
  o a new user process or thread is created
  o a user stack / heap is allocated
  o memory is being paged in / out

13. Memory introspection: how does it work? (4)
[Diagram: traditional in-guest security solution vs. out-of-guest memory introspection]
• Traditional in-guest security solution: a typical anti-malware kernel module lives inside the OS kernel; it reads memory by virtual address, reads files and the registry, enumerates processes and files, and sets up well-known callbacks and notifications (e.g. "new process PID 0x1234", "HKLM...")
• Out-of-guest memory introspection: the memory introspection engine runs outside the guest, on top of the Xen hypervisor; it reads memory by physical address, reads the vCPU registers, and sets up EPT hooks on memory pages (by physical address), receiving notifications such as "write / execute attempt on PA 0x000A12345678, RAX = 0x1234, RIP = 0x7890"
14. Memory introspection: two big challenges
• Bridging the semantic gap: obtaining rich semantics from nothing but raw physical memory pages and virtual CPU registers
  o how do we correlate 4K memory pages with semantically rich and meaningful OS-specific data structures?
  o to be solved by security solution vendors
• Forwarding lots of mem-event notifications to the introspection engine with low overhead
  o to be solved by hypervisor and CPU vendors

15. Memory introspection evolution
• 2003 – Garfinkel & Rosenblum: "A Virtual Machine Introspection Based Architecture for Intrusion Detection"
  o the starting point for a considerable amount of academic research
• 2006 – Jiang & Wang: "'Out-of-the-box' Monitoring of VM-based High-Interaction Honeypots"
• 2008 – Dinaburg et al.: "Ether: Malware Analysis via Hardware Virtualization Extensions"
  o built on top of Xen 3.1
• 2008 – VMsafe API announced by VMware, providing access to a guest's CPU, memory, disk, I/O devices, etc.
  o supported memory introspection for vSphere / ESXi
• 2010 – VMware vShield Endpoint (as a replacement for the VMsafe API)
  o in-guest agent based
  o file introspection only
• 2012 – VMware deprecates VMsafe

16. Memory introspection in Xen
• 2007 – XenAccess, XenProbes
• 2008 – Lares
• 2009 – first patches for the mem-events API
• 2010 – LibVMI, which uses XenAccess and XenStore
  o targets Xen, but support for other hypervisors can be added
  o insufficient flexibility in changing page permissions
  o no support for mapping guest memory read-write
  o insufficient information about the guest CPUs
  o high overhead when reading the vCPU register state
  o a 'complete' initialization requires intimate knowledge of the guest OS
  o code for handling specific guest OSes (Windows, with Linux in the works)

17. XenAccess and mem-events enhancements
• 2014 – Bitdefender published a set of patches (as RFC) to enhance the mem-events API
  o implements its own equivalent of LibVMI
  o simpler API
  o nothing [guest] OS specific
  o support for other hypervisors can be added
  o allows mapping guest memory (via EPT)
  o uses a very simple page cache to optimize (un)maps
  o optimized access to specific resources
• Some patches went into mainline; others will follow shortly

18. XenAccess and mem-events enhancements (2)
[Diagram: a mem-event notification travels from the Xen hypervisor to the memory introspection engine in the SVA (domU0) for an access made by domU1; the notification carries at least the following fields]
  uint32_t flags;
  uint32_t vcpu_id;
  uint64_t gfn;
  …
  mem_event_regs_t regs;

19. Example use of the extended API
[Diagram: the Xen hypervisor hosts dom0 and the SVA (domU0) running the memory introspection engine; inside the protected guest, the protected areas are critical kernel modules and the applications App1, App2, … (code, stacks, heaps, IAT, …); mem-events and VMCALLs between the guest and the SVA are facilitated by Xen]

20. Example use of the extended API (2)
• Bitdefender's own introspection engine can
  o protect the kernel from known rootkit hooking techniques
  o protect user processes (e.g. browsers, MS Office, Adobe Reader, …) from code injection, function detouring, code execution from stack / heap, and unpacked malicious code
  o inject remediation tools into the guest on the fly (no help from 'within' needed)
• Runs in userspace in a user domain (SVA, Security Virtual Appliance)
• The introspection logic itself has very small overhead
  o the bulk of the overhead comes from sending / receiving events and calls between the protected guest VMs and the SVA
21. Hardware Acceleration for Memory Introspection (Ravi Sahita, Intel)

22. Hardware Acceleration for Memory Introspection: outline
• Factors limiting VM memory monitoring performance
• Addressing the lack of memory isolation
• Addressing performance gaps for execution and data access-control policies
• Xen extensions

23. Factors limiting VM memory monitoring performance
• Round-trip time
  o monitoring execution and data accesses
  o dynamic data structures imply high-frequency events
• Filtering events
  o monitoring data accesses requires filtering out uninteresting events, because unrelated data shares the monitored 4K page
• Further, round-trip time is amplified when VMMs are nested
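The SVA-side decision loop described on slides 10-13 and 20, and the page-sharing filtering cost named on slide 23, as an added worked example. This is not Bitdefender's engine and not Xen's mem_event ABI: the event struct is a subset loosely shaped like the notification on slide 18, and the policy table, response names and sample events (including the PA 0x000A12345678 / RAX = 0x1234 / RIP = 0x7890 access from slide 13) are constructed for illustration. The key point it shows is that an EPT hook is page-granular while the protected object is byte-granular, so the engine must resolve the exact guest-physical address before deciding, and most events on a shared page turn out to be noise that is allowed through.

```c
/* Added example (not Bitdefender's engine and not Xen's mem_event ABI): a toy
 * model of the SVA-side logic that consumes mem-events (slide 18) and applies
 * an EPT-hook protection policy (slides 10-13, 20), filtering page-sharing
 * noise (slide 23). Struct layout, policy, response names and sample events
 * are all constructed for illustration. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>    /* strcmp, for callers comparing object names */

#define PAGE_SHIFT 12
#define PAGE_MASK  ((1ULL << PAGE_SHIFT) - 1)

/* Subset of a mem-event request; the real Xen layout carries more fields. */
typedef struct {
    uint32_t vcpu_id;
    uint64_t gfn;        /* guest frame number of the page whose EPT hook fired */
    uint64_t offset;     /* byte offset of the access inside that 4K page */
    bool     access_w;   /* write attempt */
    bool     access_x;   /* instruction-fetch attempt */
    struct { uint64_t rax, rip, cr3; } regs;   /* vCPU state shipped with the event */
} mem_event_t;

/* Kinds of objects the engine protects (slides 11 and 19). */
typedef enum { OBJ_KERNEL_CODE, OBJ_KERNEL_TABLE, OBJ_USER_STACK_HEAP } obj_kind_t;

/* A protected guest-physical byte range [start, end). It is usually far
 * smaller than the 4K page whose EPT permissions were tightened to catch it. */
typedef struct {
    const char *name;
    uint64_t    start, end;
    obj_kind_t  kind;
} protected_obj_t;

/* What the engine asks Xen to do with the paused vCPU (constructed names). */
typedef enum {
    RESP_ALLOW,          /* uninteresting or legal: let the access complete */
    RESP_DENY_WRITE,     /* run the instruction but discard the write */
    RESP_DENY_EXEC       /* refuse to execute code from this page */
} response_t;

/* Constructed policy. The fast I/O table is 224 bytes of a page it shares
 * with unrelated, legitimately writable kernel data. */
static const protected_obj_t policy[] = {
    { "driver fast I/O table", 0x000A12345600ULL, 0x000A123456E0ULL, OBJ_KERNEL_TABLE },
    { "kernel .text",          0x000000801000ULL, 0x000000900000ULL, OBJ_KERNEL_CODE },
    { "browser heap page",     0x00003F000000ULL, 0x00003F001000ULL, OBJ_USER_STACK_HEAP },
};
#define POLICY_LEN (sizeof(policy) / sizeof(policy[0]))

static uint64_t event_gpa(const mem_event_t *ev)
{
    return (ev->gfn << PAGE_SHIFT) | (ev->offset & PAGE_MASK);
}

static const protected_obj_t *find_object(uint64_t gpa)
{
    for (size_t i = 0; i < POLICY_LEN; i++)
        if (gpa >= policy[i].start && gpa < policy[i].end)
            return &policy[i];
    return NULL;
}

/* Name of the protected object covering the exact byte hit, or NULL when the
 * access only touched the unprotected remainder of a shared page. */
const char *protected_object_name(const mem_event_t *ev)
{
    const protected_obj_t *o = find_object(event_gpa(ev));
    return o ? o->name : NULL;
}

/* Core decision: locate the object, then apply the rule for its kind. */
response_t decide(const mem_event_t *ev)
{
    const protected_obj_t *o = find_object(event_gpa(ev));
    if (!o)
        return RESP_ALLOW;   /* page-sharing noise: filtered out, not reported */
    switch (o->kind) {
    case OBJ_KERNEL_CODE:
    case OBJ_KERNEL_TABLE:    /* integrity: reads and execution fine, writes are hooks */
        return ev->access_w ? RESP_DENY_WRITE : RESP_ALLOW;
    case OBJ_USER_STACK_HEAP: /* data pages: writes fine, execution is injected code */
        return ev->access_x ? RESP_DENY_EXEC : RESP_ALLOW;
    }
    return RESP_ALLOW;
}

/* How many events in a batch were only noise from 4K page sharing; producing
 * and then discarding these is the filtering cost slide 23 refers to. */
size_t count_uninteresting(const mem_event_t *evs, size_t n)
{
    size_t noise = 0;
    for (size_t i = 0; i < n; i++)
        if (!find_object(event_gpa(&evs[i])))
            noise++;
    return noise;
}

/* Constructed events. The first mirrors slide 13: a write attempt at
 * PA 0x000A12345678 with RAX = 0x1234 and RIP = 0x7890. */
const mem_event_t sample_events[] = {
    { 0, 0xA12345ULL, 0x678, true,  false, { 0x1234, 0x7890, 0 } },  /* hits the table */
    { 0, 0xA12345ULL, 0x700, true,  false, { 0, 0, 0 } },            /* same page, outside it */
    { 1, 0xA12345ULL, 0x100, true,  false, { 0, 0, 0 } },            /* same page, outside it */
    { 0, 0x3F000ULL,  0x040, false, true,  { 0, 0, 0 } },            /* execute from heap */
    { 0, 0x801ULL,    0x000, false, true,  { 0, 0, 0 } },            /* legal kernel execute */
};
const size_t sample_events_len = sizeof(sample_events) / sizeof(sample_events[0]);
```

Of the five constructed events, only three concern a protected object; the two writes to the rest of the fast I/O table's page still cost a VM exit, a ring-buffer round trip to the SVA and a vCPU pause each before the engine can discard them, which is why the Intel half of the talk concentrates on cutting the per-event round trip rather than on the decision logic itself.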
24. Multiple EPTs as protection domains
[Diagram: CPU0 runs VM0 under a hypervisor using Intel VT-x with EPT; the EPT walker selects among several Extended Page Table (EPT) domains when translating to host physical addresses; execution that crosses EPT domains, or data accesses, cause events. Each domain maps the same memory with its own permissions, e.g. OS kernel code/data RX/RW in one domain and RO/NP in another, driver code RX vs. RO, data RW vs. NP.]
(Intel VT-x: Intel Virtualization Technology for IA-32, Intel 64 and Intel Architecture)

25. Addressing the lack of isolation…
[Diagram: Xen programs the EPT domains according to policy and receives events from them; the CPU provides the hypervisor-derived isolation]

26. …Without sacrificing performance
• Must allow legal execution of components isolated in permission domains
• Each execution transfer across domains leads to a VM exit that the hypervisor must mediate
• As components are isolated via domains, numerous execution transfers are induced
• The high frequency of such VM exits to the hypervisor causes overhead
• Goal: eliminate these induced VM exits on legal control transfers
[Diagram: a process, kernel modules and a security module placed in separate domains; today every legal control transfer between them traps to the hypervisor]

27. VM Functions: hypercalls without VM exits
• VM Functions: Intel VT-x extensions for services configured by the hypervisor
  o different VM Functions correspond to different services
• The hypervisor configures VM Functions via new fields in the VMCS
• Guest software invokes VM Functions via a new instruction (VMFUNC <leaf>)
  o the value in EAX specifies which VM Function leaf is invoked
• The CPU provides the service as configured, with no VM exit

28. VMFUNC-based domain switching
• Paravirtualized software can request a protection domain switch via VMFUNC (specifying a domain index)
• The hypervisor pre-configures the mapping from domain index to EPTPs
• The hypervisor pre-configures the domain boundaries
• View switching speeds up access-control policies
[Diagram: CPU0 / VM0 / hypervisor with Intel VT-x and EPT; VMFUNC (EPTP switch) selects an entry from the alternate Extended Page Table (EPT) list, and the EPT walker then translates to host physical addresses under the selected domain]
29. Asynchronous induced VM exits
• In VM-introspection scenarios critical data is monitored in place
• The legacy approach is to take a VM exit and emulate the access
• Alternatively, take a VM exit and switch views to single-step the guest (MTF)
• A high frequency of writes to monitored data causes high overhead
• Requires custom logic in the VMM, increasing complexity and state in the hypervisor
[Diagram: a write from the guest kernel to monitored memory. 1. The ring-0 monitoring agent's view policies are installed in the EPT domains (access policy). 2. The write causes an EPT-violation VM exit. 3. VMRESUME into a single-step memory view so the access can complete (the alternative being emulation in the hypervisor). 4. VM exit after the access has completed. 5. VMRESUME back under the access policy.]

30. Accelerating induced events via Virtualization Exception (#VE)
• #VE mutates EPT violations into a new IA exception, delivered through the guest IDT
• The VMM enables the conversion of EPT violations to #VE
• Data-access monitoring view policies are set up in the EPT domains
• A data access then causes a #VE instead of a VM exit
• The guest monitoring agent can emulate in the guest, or use VMFUNC to single-step the access
[Diagram: a write from the guest kernel (VMX non-root) to monitored memory. The hypervisor (VMX root) has installed the policies in the EPT domains. 1. The monitoring service handles the #VE, using the #VE info. 2. It sets up single-stepping (VMFUNC into the single-step memory view) or emulation. 3. It completes the single step (VMFUNC back) or emulates in the guest. The access policy stays in force and no VM exit occurs.]

31. VMFUNC configuration
• The hypervisor checks the IA32_VMX_VMFUNC MSR (index 491H) for the allowed VM-function controls
• It opts in by setting "Enable VM functions" (bit 13) in the secondary processor-based VM-execution controls field
• It activates "EPTP switching" by setting bit 0 in the (new) VM-function control field of the VMCS
• It configures the alternate EPTP values in memory (the EPTP list, entries 0 to 511), referenced via the (new) EPTP-list address VMCS field
• Guest software uses the VMFUNC opcode with leaf selector EAX = 0 and ECX containing the index of the selected EPTP (view)
• Errors are reported to the hypervisor via VM exits

32. Virtualization Exception (#VE) configuration
• Enumerated by the VMM via the capability MSR (IA32_VMX_PROCBASED_CTLS2, 48BH, bit 50)
• Set the VMCS "Enable VE" VM-execution control (bit 18 of the secondary processor-based VM-execution controls)
• Negotiate the "VE Info" page with the hypervisor: its address goes in the (new) VE information address VMCS field, and on a #VE the CPU fills it with the exit reason, exit qualification, guest linear address, guest physical address and EPTP index
• #VE is delivered through the guest IDT
• Suppress-VE EPTE bit 63: set on pages for which the VMM does not want a #VE to be raised
33. Xen extensions
1. Efficiently creating and maintaining alternate EPT views/domains via an extension of the p2m
2. Hypercalls to edit EPT permissions without conflicting with Xen's own EPT management
3. Reporting guest-specific memory events via #VE in a Xen-compatible manner (Suppress #VE EPTE bit)
4. Enabling CPU acceleration when VMFUNC and #VE are enumerated by the CPU and opted in
[Diagram: the Xen hypervisor with domU0 … domUN, each running a security engine with its own EPT domains; the CPU delivers #VE events directly to the security engine inside the guest]

34. VM introspection performance improvements
• Round-trip time
  o VMFUNC allows safe, fast memory view (EPT) switches
  o VM exits are mutated to #VE for guest memory monitoring
• Filtering events
  o the reduced latency of #VE handling reduces the overhead of filtering events
• Round-trip time amplification due to VMM nesting
  o no VM exits to the root VMM means no amplification of VM exits caused by EPT violations
• Result: scalable runtime memory introspection without VT overheads

35. Conclusions
• Today Xen can be the base for a much improved layer of security, and serves as a model for other hypervisor vendors
  o truly agentless security (zero in-guest footprint)
  o IT admins can deploy introspection-based solutions seamlessly, without changing a single line of configuration inside the guest VMs
• Hardware-enforced isolation (against kernel exploits, zero-days, …)
• Hardware extensions enable intra-VM isolation, allowing protected agent-based introspection for high-frequency access monitoring and agent isolation
• Both models require straightforward Xen infrastructure changes (multi-EPT views, hardware acceleration capabilities)

36. Thank you! enterprise.bitdefender.com