Malware Collection and Analysis
via Hardware Virtualization
Tamas K Lengyel
Computer Science and Engineering
11/10/2015
Outline
1. Introduction and Problem statement
2. Background, Challenges & Approach
3. Limitations and scope
4. Publications to date
5. Malware collection system & results
6. Malware analysis system & results
7. Hardware and software limitations
8. Contributions
9. Future work
Introduction
• 1,000,000 new malware binaries a day
• Thwarting malware requires in-depth
understanding of its operation
• Collect and analyze malware
• Existing tools and techniques are impeded by
modern malware techniques
• Packing, evasion and metamorphism
• Hardware virtualization has been proposed to
counter these techniques
Requirements
1. Scalability
Maximizing the number of concurrently active collection
and analysis sessions on limited hardware resources
2. Stealth
Malware must be prevented from detecting the
monitoring environment
3. Fidelity
The collected data has to be accurate
4. Isolation
Monitoring components have to be securely isolated
and we need to prevent cross-contamination
Prominent prior work
• 2005: Vrable et al. - Scalability, fidelity, and
containment in the potemkin virtual honeyfarm
• 2008: Payne et al. - Lares: An architecture for
secure active monitoring using virtualization
• 2008: Dinaburg et al. - Ether: malware analysis
via hardware virtualization extensions
• 2013: Deng et al. - Spider: Stealthy binary
program instrumentation and debugging via
hardware virtualization
Problem statement
Developing effective anti-malware technologies
requires the collection and rapid analysis of an
increasing number of malware samples such
that all four requirements are met
simultaneously.
No comprehensive evaluation to date has been
performed to determine whether virtualization is
an effective platform for the development of
such tools.
Virtualization
Challenges
1. Scalability
Disk and memory requirements are linear
2. Stealth
In-guest tools can be detected
3. Isolation
In-guest tools can be disabled
Cross-contamination of VMs over the network
4. Fidelity
Data collection is negatively impacted by 2 & 3
Our approach
1. Study current malware techniques
2. Develop out-of-guest tools
3. Conduct live experiments
4. Evaluate results
5. Study shortcomings and limitations
Limitations
1. Definition of malware
Constantly evolving and undefined set
2. Measurements and metrics
Requirements are not always quantifiable
Results are only indicative, not definitive
We work to counter current malware techniques
3. Repeatability of experiments
External entities outside our control
Scope
• Malware analysis vs. malware detection
Black Box Analysis
We aim only to collect relevant information that
may aid malware detection
• Detection of virtualization vs. detection of
monitoring
Virtualization is already widely deployed
• Determining when we collected enough data
Halting problem
Publications
• CSET’12: Virtual Machine Introspection in a Hybrid Honeypot
Architecture. Acceptance rate: 48%
• NSS’13: Towards Hybrid Honeynets via Virtual Machine
Introspection and Cloning. Acceptance rate: 24%
• SHCIS’14: Multi-tiered Security Architecture for ARM via the
Virtualization and Security Extensions
• MMF’14: Pitfalls of Virtual Machine Introspection on Modern
Hardware.
• MMF’14: Code Validation for Modern OS Kernels
• ACSAC’14: Scalability, Fidelity and Stealth in the DRAKVUF
Dynamic Malware Analysis system. Acceptance rate: 19.9%
• SHCIS’15: Virtual Machine Introspection with Xen on ARM
• C&TC’15: CloudIDEA: A Malware Defense Architecture for
Cloud Data Centers. Acceptance rate: 38%
Malware collection
Primary requirement: capture malware binaries
• Scalability: Deploy copy-on-write disk and
memory sharing
• Stealth: No in-guest agents, no modification to
the hypervisor
• Isolation: External agent + network isolation
• Fidelity: Kernel heap pool-tag scanning
Network Isolation
Fidelity via pool tag scanning
/* Windows _POOL_HEADER (32-bit layout): the 8 bytes in front of every pool allocation */
#include <stdint.h>

typedef struct {
    union {
        struct {
            uint32_t previous_size:9; /* size of the preceding block, in 8-byte units */
            uint32_t pool_index    :7;
            uint32_t block_size    :9; /* size of this block incl. header, in 8-byte units */
            uint32_t pool_type     :7; /* 0 marks a free block */
        };
        uint32_t flags;               /* the four bitfields as one 32-bit word */
    };
    uint32_t pool_tag;                /* four ASCII characters naming the allocator */
} _POOL_HEADER;
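As an added example (not code from the dissertation or from DRAKVUF), a C scanner that walks a constructed snapshot of pool memory, decodes each candidate _POOL_HEADER as laid out above, applies the plausibility checks an out-of-guest collector needs, and reports the live allocations carrying one tag; the snapshot contents, tag values and offsets are made up for the demonstration.

```c
/* Added example, not from the slides: scan a memory snapshot for allocations
 * carrying one kernel pool tag, as an out-of-guest collector would do to find
 * kernel objects without asking the (possibly subverted) guest. Header layout
 * follows the 32-bit _POOL_HEADER shown on the slide; the snapshot below is
 * constructed, not a real memory dump. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_GRANULARITY 8      /* 32-bit Windows pool is carved in 8-byte units */
#define SNAPSHOT_LEN     128    /* size of the constructed snapshot */

typedef struct {
    uint16_t previous_size; /* size of the preceding block, in 8-byte units */
    uint16_t pool_index;
    uint16_t block_size;    /* size of this block incl. header, in 8-byte units */
    uint16_t pool_type;     /* 0 means the block is free */
    char     tag[5];        /* NUL-terminated 4-char pool tag */
    size_t   offset;        /* header offset within the snapshot */
} pool_alloc_t;

/* Decode the 8-byte header at buf[off] (little-endian, as on x86). */
static void decode_header(const uint8_t *buf, size_t off, pool_alloc_t *h)
{
    uint32_t w = (uint32_t)buf[off] | (uint32_t)buf[off + 1] << 8 |
                 (uint32_t)buf[off + 2] << 16 | (uint32_t)buf[off + 3] << 24;
    h->previous_size = w & 0x1FF;
    h->pool_index    = (w >> 9) & 0x7F;
    h->block_size    = (w >> 16) & 0x1FF;
    h->pool_type     = (w >> 25) & 0x7F;
    memcpy(h->tag, buf + off + 4, 4);
    h->tag[4] = '\0';
    h->offset = off;
}

/* Sanity checks that separate real headers from tag-like bytes inside data: a
 * live block has non-zero size and type, fits the snapshot, and has a printable tag. */
static int header_plausible(const pool_alloc_t *h, size_t len)
{
    if (h->block_size == 0 || h->pool_type == 0) return 0;
    if (h->offset + (size_t)h->block_size * POOL_GRANULARITY > len) return 0;
    for (int i = 0; i < 4; i++)
        if (h->tag[i] < 0x20 || h->tag[i] > 0x7E) return 0;
    return 1;
}

/* Try every 8-byte-aligned offset; fill out[] with up to max_out matches and
 * return the total number of matching live blocks. */
size_t scan_pool_tag(const uint8_t *buf, size_t len, const char tag[4],
                     pool_alloc_t *out, size_t max_out)
{
    size_t found = 0;
    for (size_t off = 0; off + 8 <= len; off += POOL_GRANULARITY) {
        pool_alloc_t h;
        decode_header(buf, off, &h);
        if (!header_plausible(&h, len) || memcmp(h.tag, tag, 4) != 0) continue;
        if (found < max_out) out[found] = h;
        found++;
    }
    return found;
}

/* Encode a header the way the kernel lays it out (used only to build the sample). */
static void put_header(uint8_t *buf, size_t off, unsigned prev, unsigned bsize,
                       unsigned type, const char tag[4])
{
    uint32_t w = (prev & 0x1FF) | ((bsize & 0x1FF) << 16) | ((type & 0x7F) << 25);
    for (int i = 0; i < 4; i++) buf[off + i] = (uint8_t)(w >> (8 * i));
    memcpy(buf + off + 4, tag, 4);
}

/* Constructed snapshot: two live "Proc" blocks, one live "File" block whose
 * payload contains the bytes "Proc" (a naive grep would report it), and one
 * freed "Proc" block. Offsets are in bytes. */
void build_sample_snapshot(uint8_t buf[SNAPSHOT_LEN])
{
    memset(buf, 0, SNAPSHOT_LEN);
    put_header(buf,  0, 0, 3, 1, "Proc");   /* live, 24 bytes */
    put_header(buf, 24, 3, 2, 1, "File");   /* live, 16 bytes */
    memcpy(buf + 36, "Proc", 4);            /* tag-like bytes inside File's payload */
    put_header(buf, 40, 2, 2, 0, "Proc");   /* pool_type 0: freed, must be skipped */
    put_header(buf, 56, 2, 2, 2, "Proc");   /* live */
}

/* Build the sample and scan it for one tag; fills out[] and returns the match count. */
static size_t sample_scan(const char tag[4], pool_alloc_t out[8])
{
    uint8_t buf[SNAPSHOT_LEN];
    build_sample_snapshot(buf);
    return scan_pool_tag(buf, SNAPSHOT_LEN, tag, out, 8);
}
size_t sample_tag_count(const char tag[4]) { pool_alloc_t o[8]; return sample_scan(tag, o); }
long sample_tag_offset(const char tag[4], size_t n)   /* offset of n-th match, or -1 */
{
    pool_alloc_t o[8];
    return n < sample_scan(tag, o) ? (long)o[n].offset : -1;
}

int main(void) { printf("Proc: %zu live blocks, first at %ld\n", sample_tag_count("Proc"), sample_tag_offset("Proc", 0)); return 0; }
```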
Captured malware samples
Results: scalability
Malware analysis
Primary requirement: capture useful live data
• Scalability: Re-use CoW techniques from prior
experiments
• Stealth: No in-guest agents, no modification to
the hypervisor, command injection with VMI
• Isolation: VLAN tagging, TCB disaggregation
• Fidelity: Syscalls and kernel heap-allocations
Useful data?
The goal is to generate data complete enough to be
useful for analysis
Data collection should be flexible enough to be tuned
to specific requirements
Two main objectives defined in prior art:
1. Syscall monitoring
2. Kernel heap monitoring
We also monitor deleted files, which we deemed an
interesting and useful addition
System design
Syscall trapping
Stealthy breakpoint injection method:
1. Overwrite internal kernel function entry points
with #BP (0xCC)
2. Read/write protect page with EPT
3. When traps hit, place back original byte
4. Singlestep 1 instruction
5. Place breakpoint back again
Can monitor all internal kernel functions, not just
system calls!
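To make the five steps concrete, here is an added user-space model in C (not DRAKVUF's implementation): a byte array stands in for guest memory, executing 0xCC at an armed address stands in for the #BP trap, and reads or writes of an armed page stand in for EPT violations. The read handler serves the whole access width from the monitor's shadow copy, which is what keeps the patch hidden when EPT reports only the start address of a multi-byte access. The image bytes and the function entry at 0x10 are constructed.

```c
/* Added example, not DRAKVUF code: a user-space model of the breakpoint cycle
 * on the slide. Guest "memory" is a byte array and the monitor keeps a shadow
 * copy of every page it arms. Executing 0xCC at an armed address stands for
 * the #BP trap; reads and writes of an armed page stand for EPT violations. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 64                    /* tiny pages keep the model small */
#define GUEST_MEM (4 * PAGE_SIZE)
#define MAX_BP    8
#define INT3      0xCC

typedef struct { uint32_t addr; uint8_t orig; uint32_t hits; } bp_t;
typedef struct {
    uint8_t  mem[GUEST_MEM];               /* what the guest CPU fetches */
    uint8_t  shadow[GUEST_MEM];            /* pristine bytes the guest may see */
    uint8_t  armed[GUEST_MEM / PAGE_SIZE]; /* page has EPT read/write trapping */
    bp_t     bp[MAX_BP];
    int      nbp;
    uint32_t ept_violations;
} vm_t;

static int find_bp(const vm_t *vm, uint32_t addr)
{
    for (int i = 0; i < vm->nbp; i++)
        if (vm->bp[i].addr == addr) return i;
    return -1;
}

/* Steps 1 and 2: save the original byte, write 0xCC, and trap every read and
 * write of the page so the guest can never observe the patch. */
int vm_arm_breakpoint(vm_t *vm, uint32_t addr)
{
    if (vm->nbp == MAX_BP || addr >= GUEST_MEM || find_bp(vm, addr) >= 0) return -1;
    uint32_t page = addr / PAGE_SIZE;
    if (!vm->armed[page]) {          /* first breakpoint on this page: snapshot it */
        memcpy(vm->shadow + page * PAGE_SIZE, vm->mem + page * PAGE_SIZE, PAGE_SIZE);
        vm->armed[page] = 1;
    }
    vm->bp[vm->nbp++] = (bp_t){ addr, vm->mem[addr], 0 };
    vm->mem[addr] = INT3;
    return 0;
}

/* Guest read of 1..8 bytes. EPT reports only the start address, so the handler
 * serves the whole access width from the shadow: 0xCC stays hidden even when
 * the patched byte is not the first byte of the read. */
void guest_read(vm_t *vm, uint32_t addr, void *dst, size_t len)
{
    int trapped = vm->armed[addr / PAGE_SIZE];
    if (trapped) vm->ept_violations++;
    memcpy(dst, (trapped ? vm->shadow : vm->mem) + addr, len);
}

/* Guest write: goes to the shadow; a byte under a breakpoint updates the saved
 * original so the re-armed instruction stays consistent, 0xCC stays in place. */
void guest_write(vm_t *vm, uint32_t addr, const void *src, size_t len)
{
    const uint8_t *s = src;
    if (!vm->armed[addr / PAGE_SIZE]) { memcpy(vm->mem + addr, s, len); return; }
    vm->ept_violations++;
    memcpy(vm->shadow + addr, s, len);
    for (size_t i = 0; i < len; i++) {
        int k = find_bp(vm, addr + i);
        if (k >= 0) vm->bp[k].orig = s[i];
        else        vm->mem[addr + i] = s[i];
    }
}

/* Steps 3 to 5: on #BP log the hit, restore the original byte, single-step it
 * and re-insert 0xCC. Returns the opcode that actually executed. */
uint8_t guest_exec(vm_t *vm, uint32_t addr)
{
    int k = find_bp(vm, addr);
    if (k < 0 || vm->mem[addr] != INT3) return vm->mem[addr];
    vm->bp[k].hits++;
    vm->mem[addr] = vm->bp[k].orig;   /* step 3 */
    uint8_t ran = vm->mem[addr];      /* step 4: the real instruction runs once */
    vm->mem[addr] = INT3;             /* step 5 */
    return ran;
}

/* Constructed scenario: a hypothetical kernel function entry at 0x10 that
 * begins with 0x55. Returns 0 when every invariant holds, else the failed check. */
int run_scenario(void)
{
    vm_t vm; uint8_t seen[8];
    memset(&vm, 0, sizeof vm);
    vm.mem[0x10] = 0x55; vm.mem[0x11] = 0x8B; vm.mem[0x12] = 0xEC;
    if (vm_arm_breakpoint(&vm, 0x10) != 0) return 1;
    for (int i = 0; i < 3; i++)
        if (guest_exec(&vm, 0x10) != 0x55) return 2;          /* real opcode ran */
    if (vm.bp[0].hits != 3 || vm.mem[0x10] != INT3) return 3; /* logged and re-armed */
    guest_read(&vm, 0x0C, seen, 8);                           /* 8-byte read across 0x10 */
    if (seen[4] != 0x55) return 4;                            /* patch stays hidden */
    guest_write(&vm, 0x10, "\x53", 1);                        /* guest modifies the entry */
    if (vm.mem[0x10] != INT3 || guest_exec(&vm, 0x10) != 0x53) return 5;
    return vm.ept_violations == 2 ? 0 : 6;
}

int main(void) { printf("scenario result: %d (0 = all checks passed)\n", run_scenario()); return 0; }
```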
Heap-allocation trapping
Command injection
Syscalls of 115k malware
Heap allocs of 115k malware
Files deleted
File size 100KByte+
Stalling malware
Standard methods
• Detection of virtualized environments
• Detection of in-guest artifacts
• Sleeping
Advanced methods
• Time-skew detection
• API spamming
API spamming
• Repeatedly call monitored APIs which normally
complete fast
• NtCreateSemaphore
• Logging these calls will take more time
• Spamming these times out the monitoring
Use of NtCreateSemaphore in 60s:
Observed in: 45,383 samples. Average: 7.77
Samples significantly above average: 1
Number of calls: 17,453
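An added example, not from the slides, of how a collector can flag API spamming from its own syscall log: count NtCreateSemaphore calls per sample inside the 60 s window and flag samples far above the baseline. The log lines and sample ids are constructed, and the thresholds and the use of the median instead of the average are our choices.

```c
/* Added example, not from the slides: flag samples that spam one monitored
 * syscall inside the 60-second analysis window. The event log is constructed
 * here (one line per trapped call); the baseline is the median per-sample
 * count rather than the slide's average, so a single spammer does not drag
 * the baseline up with it. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SAMPLES 64
#define WINDOW_SEC  60.0
#define SPAM_FACTOR 10.0   /* flag when calls exceed 10x the median ... */
#define SPAM_FLOOR  100    /* ... and at least this many calls were made */

typedef struct { char id[16]; unsigned calls; } sample_stat_t;
typedef struct { sample_stat_t s[MAX_SAMPLES]; int n; } stats_t;

/* Parse a log line "t=<sec> sample=<id> api=<name>"; returns 1 on success. */
int parse_event(const char *line, double *t, char id[16], char api[32])
{
    return sscanf(line, "t=%lf sample=%15s api=%31s", t, id, api) == 3;
}

/* Count one event towards its sample if it is the watched API and inside the window. */
void record_event(stats_t *st, const char *line, const char *watched)
{
    double t; char id[16], api[32];
    if (!parse_event(line, &t, id, api) || t > WINDOW_SEC || strcmp(api, watched) != 0) return;
    for (int i = 0; i < st->n; i++)
        if (strcmp(st->s[i].id, id) == 0) { st->s[i].calls++; return; }
    if (st->n == MAX_SAMPLES) return;
    strcpy(st->s[st->n].id, id);
    st->s[st->n++].calls = 1;
}

static int cmp_unsigned(const void *a, const void *b)
{
    unsigned x = *(const unsigned *)a, y = *(const unsigned *)b;
    return (x > y) - (x < y);
}

/* Median per-sample call count (robust against a few extreme samples). */
double median_calls(const stats_t *st)
{
    unsigned v[MAX_SAMPLES];
    if (st->n == 0) return 0.0;
    for (int i = 0; i < st->n; i++) v[i] = st->s[i].calls;
    qsort(v, st->n, sizeof v[0], cmp_unsigned);
    return st->n % 2 ? v[st->n / 2] : (v[st->n / 2 - 1] + v[st->n / 2]) / 2.0;
}

int is_spammer(const stats_t *st, int i)
{
    double med = median_calls(st);
    return st->s[i].calls >= SPAM_FLOOR && st->s[i].calls > SPAM_FACTOR * med;
}

/* Constructed run: five ordinary samples and one that hammers the API. Each
 * sample also emits a call after the window and a call to an unwatched API,
 * neither of which may be counted. */
static const unsigned DEMO_CALLS[] = { 5, 8, 9, 7, 6, 2000 };

void build_demo_stats(stats_t *st)
{
    char line[96];
    memset(st, 0, sizeof *st);
    for (unsigned i = 0; i < 6; i++) {
        for (unsigned j = 0; j < DEMO_CALLS[i]; j++) {
            snprintf(line, sizeof line, "t=%.3f sample=s%04u api=NtCreateSemaphore",
                     WINDOW_SEC * j / DEMO_CALLS[i], i);
            record_event(st, line, "NtCreateSemaphore");
        }
        snprintf(line, sizeof line, "t=75.000 sample=s%04u api=NtCreateSemaphore", i);
        record_event(st, line, "NtCreateSemaphore");   /* outside the window */
        snprintf(line, sizeof line, "t=1.000 sample=s%04u api=NtClose", i);
        record_event(st, line, "NtCreateSemaphore");   /* different API */
    }
}

/* Number of samples flagged in the demo run. */
int demo_spammer_count(void)
{
    stats_t st; int n = 0;
    build_demo_stats(&st);
    for (int i = 0; i < st.n; i++) n += is_spammer(&st, i);
    return n;
}

double demo_median(void) { stats_t st; build_demo_stats(&st); return median_calls(&st); }

unsigned demo_calls_for(const char *id)
{
    stats_t st; build_demo_stats(&st);
    for (int i = 0; i < st.n; i++) if (strcmp(st.s[i].id, id) == 0) return st.s[i].calls;
    return 0;
}

int main(void)
{
    printf("median=%.2f flagged=%d s0005=%u calls\n",
           demo_median(), demo_spammer_count(), demo_calls_for("s0005"));
    return 0;
}
```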
Summary
Hardware virtualization is effective for both
malware collection and analysis
All four requirements can be met simultaneously
using hardware virtualization
The technology is sufficiently flexible to develop
and fine-tune data collection techniques
Major improvement in the arms-race against
malware
Software limitations
Race-condition with multiple vCPUs
Hardware limitations on x86
EPT reports only the start address of a violation
The faulting read/write operation may span up to 8 bytes
Hardware limitations on x86
sTLB makes TLB-splitting
attacks no longer feasible
TLB can still be used to hide
mappings from VMI
Hardware limitations on ARM
Split-TLB architecture without sTLB
Hardware-assisted translation available from the
VMM
Translation is performed as data-fetch access
• Only hits the dTLB
Hiding code-pages on ARM is possible via split-TLB
attacks
Contributions
1. Identified core requirements that must be met
simultaneously
2. Developed and open-sourced the prototypes,
with major contributions to existing systems
3. Performed extensive tests with modern malware
4. Identified hardware and software limitations that
must be addressed when building such systems
Future work
• Keeping up with the evolving threat landscape
• Attacks against the hypervisor and lower layers
• Data-only malware
• Stalling malware
• Making use of new and evolving hardware
virtualization extensions
• Hybrid VMI
• Data-mining the collected information
• Identifying malware groups
• Creating IDS/IPS rules
Questions?
• Dissertation text available at
http://tklengyel.com/thesis.pdf
• DRAKVUF
http://drakvuf.com
• LibVMI
http://libvmi.com
CompTIA Security+ (Study Notes) for cs.pdfCompTIA Security+ (Study Notes) for cs.pdf
CompTIA Security+ (Study Notes) for cs.pdf
 
JustNaik Solution Deck (stage bus sector)
JustNaik Solution Deck (stage bus sector)JustNaik Solution Deck (stage bus sector)
JustNaik Solution Deck (stage bus sector)
 
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
 
Crafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM IntegrationCrafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM Integration
 
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
 
KLARNA - Language Models and Knowledge Graphs: A Systems Approach
KLARNA -  Language Models and Knowledge Graphs: A Systems ApproachKLARNA -  Language Models and Knowledge Graphs: A Systems Approach
KLARNA - Language Models and Knowledge Graphs: A Systems Approach
 
Workforce Efficiency with Employee Time Tracking Software.pdf
Workforce Efficiency with Employee Time Tracking Software.pdfWorkforce Efficiency with Employee Time Tracking Software.pdf
Workforce Efficiency with Employee Time Tracking Software.pdf
 
Agnieszka Andrzejewska - BIM School Course in Kraków
Agnieszka Andrzejewska - BIM School Course in KrakówAgnieszka Andrzejewska - BIM School Course in Kraków
Agnieszka Andrzejewska - BIM School Course in Kraków
 
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdfMicrosoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
 
What need to be mastered as AI-Powered Java Developers
What need to be mastered as AI-Powered Java DevelopersWhat need to be mastered as AI-Powered Java Developers
What need to be mastered as AI-Powered Java Developers
 
AI Hackathon.pptx
AI                        Hackathon.pptxAI                        Hackathon.pptx
AI Hackathon.pptx
 
how-to-download-files-safely-from-the-internet.pdf
how-to-download-files-safely-from-the-internet.pdfhow-to-download-files-safely-from-the-internet.pdf
how-to-download-files-safely-from-the-internet.pdf
 
How to pick right visual testing tool.pdf
How to pick right visual testing tool.pdfHow to pick right visual testing tool.pdf
How to pick right visual testing tool.pdf
 
How to install and activate eGrabber JobGrabber
How to install and activate eGrabber JobGrabberHow to install and activate eGrabber JobGrabber
How to install and activate eGrabber JobGrabber
 
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
AI/ML Infra Meetup | Improve Speed and GPU Utilization for Model Training & S...
 
The Impact of PLM Software on Fashion Production
The Impact of PLM Software on Fashion ProductionThe Impact of PLM Software on Fashion Production
The Impact of PLM Software on Fashion Production
 
Top Mobile App Development Companies 2024
Top Mobile App Development Companies 2024Top Mobile App Development Companies 2024
Top Mobile App Development Companies 2024
 
OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024
 

Malware Collection and Analysis via Hardware Virtualization

  • 1. Malware Collection and Analysis via Hardware Virtualization
       Tamas K Lengyel, Computer Science and Engineering, 11/10/2015
  • 2. Outline
       1. Introduction and Problem statement
       2. Background, Challenges & Approach
       3. Limitations and scope
       4. Publications to date
       5. Malware collection system & results
       6. Malware analysis system & results
       7. Hardware and software limitations
       8. Contributions
       9. Future work
  • 3. Introduction
       • 1,000,000 new malware binaries a day
       • Thwarting malware requires in-depth understanding of its operation
         • Collect and analyze malware
       • Existing tools and techniques are impeded by modern malware techniques
         • Packing, evasion and metamorphism
       • Hardware virtualization has been proposed to counter these techniques
  • 4. Requirements
       1. Scalability: maximizing the number of concurrently active collection and analysis sessions on limited hardware resources
       2. Stealth: detection of the monitoring environment should be prevented
       3. Fidelity: the collected data has to be accurate
       4. Isolation: monitoring components have to be securely isolated, and cross-contamination between sessions must be prevented
  • 5. Prominent prior work
       • 2005: Vrable et al. - Scalability, fidelity, and containment in the Potemkin virtual honeyfarm
       • 2008: Payne et al. - Lares: An architecture for secure active monitoring using virtualization
       • 2008: Dinaburg et al. - Ether: malware analysis via hardware virtualization extensions
       • 2013: Deng et al. - Spider: Stealthy binary program instrumentation and debugging via hardware virtualization
  • 6. Problem statement
       Developing effective anti-malware technologies requires the collection and rapid analysis of an increasing number of malware samples such that all four requirements are met simultaneously.
       No comprehensive evaluation to date has been performed to determine whether virtualization is an effective platform for the development of such tools.
  • 8. Challenges
       1. Scalability: disk and memory requirements grow linearly with the number of monitored VMs
       2. Stealth: in-guest tools can be detected
       3. Isolation: in-guest tools can be disabled; VMs can cross-contaminate each other over the network
       4. Fidelity: data collection is negatively impacted by 2 & 3
  • 9. Our approach
       1. Study current malware techniques
       2. Develop out-of-guest tools
       3. Conduct live experiments
       4. Evaluate results
       5. Study shortcomings and limitations
  • 10. Limitations
       1. Definition of malware: a constantly evolving and undefined set
       2. Measurements and metrics: the requirements are not always quantifiable, so results are only indicative, not definitive; we work to counter current malware techniques
       3. Repeatability of experiments: depends on external entities outside our control
  • 11. Scope
       • Malware analysis vs. malware detection: black-box analysis; we only aim at collecting relevant information which may aid malware detection
       • Detection of virtualization vs. detection of monitoring: virtualization is already widely deployed
       • Determining when we have collected enough data: halting problem
  • 12. Publications
       • CSET’12: Virtual Machine Introspection in a Hybrid Honeypot Architecture. Acceptance rate: 48%
       • NSS’13: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning. Acceptance rate: 24%
       • SHCIS’14: Multi-tiered Security Architecture for ARM via the Virtualization and Security Extensions
       • MMF’14: Pitfalls of Virtual Machine Introspection on Modern Hardware
       • MMF’14: Code Validation for Modern OS Kernels
       • ACSAC’14: Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System. Acceptance rate: 19.9%
       • SHCIS’15: Virtual Machine Introspection with Xen on ARM
       • C&TC’15: CloudIDEA: A Malware Defense Architecture for Cloud Data Centers. Acceptance rate: 38%
  • 13. Malware collection
       Primary requirement: capture malware binaries
       • Scalability: deploy copy-on-write disk and memory sharing
       • Stealth: no in-guest agents, no modification to the hypervisor
       • Isolation: external agent + network isolation
       • Fidelity: kernel heap pool-tag scanning
  • 15. Fidelity via pool tag scanning
       The _POOL_HEADER that precedes kernel heap (pool) allocations on 32-bit Windows (8 bytes; sizes are counted in 8-byte granules):

           struct {
               union {
                   struct {
                       uint16_t previous_size:9;   /* size of the preceding block */
                       uint16_t pool_index   :7;
                       uint16_t block_size   :9;   /* size of this block, header included */
                       uint16_t pool_type    :7;   /* 0 marks a free/unused header */
                   };
                   uint32_t flags;                 /* raw view of all four fields (32 bits, not 16) */
               };
               uint32_t pool_tag;                  /* four ASCII bytes naming the allocator, e.g. "Proc" */
           } _POOL_HEADER;
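       A pool-tag scanner only needs the header layout above plus a plausibility check to reject tag bytes that merely occur inside allocation data. The C below is an added example, not code from the dissertation or from DRAKVUF: it decodes the slide's 32-bit header, walks a constructed memory snapshot (the "Proc"/"File" blocks and their sizes are made-up sample data), and uses the previous_size chain as the consistency check.

```c
#include <stdint.h>
#include <string.h>
/* 32-bit Windows _POOL_HEADER, same layout as the struct on the slide:
 * 8 bytes, sizes counted in 8-byte granules, pool_tag in the upper four. */
typedef struct {
    uint32_t previous_size:9, pool_index:7, block_size:9, pool_type:7;
    uint32_t pool_tag;
} pool_header_t;
#define GRANULE 8u
#define TAG(a, b, c, d) ((uint32_t)(a) | (uint32_t)(b) << 8 | \
                         (uint32_t)(c) << 16 | (uint32_t)(d) << 24)
/* A genuine header has a non-zero size and type, fits in the snapshot, and
 * its previous_size agrees with the block_size of the header before it. */
static int plausible(const uint8_t *m, size_t len, size_t off, const pool_header_t *h)
{
    size_t prev_bytes = (size_t)h->previous_size * GRANULE;
    if (h->block_size == 0 || h->pool_type == 0) return 0;
    if (off + (size_t)h->block_size * GRANULE > len) return 0;
    if (off == 0) return prev_bytes == 0;
    if (prev_bytes == 0 || prev_bytes > off) return 0;
    pool_header_t prev; memcpy(&prev, m + off - prev_bytes, sizeof prev);
    return prev.block_size == h->previous_size;
}
/* Scan every 8-byte aligned offset for headers carrying `tag`; store up
 * to max_out offsets in out and return the total number of matches. */
size_t scan_pool_tag(const uint8_t *m, size_t len, uint32_t tag, size_t *out, size_t max_out)
{
    size_t found = 0;
    for (size_t off = 0; off + sizeof(pool_header_t) <= len; off += GRANULE) {
        pool_header_t h; memcpy(&h, m + off, sizeof h); /* no unaligned reads */
        if (h.pool_tag != tag || !plausible(m, len, off, &h)) continue;
        if (found < max_out) out[found] = off;
        found++;
    }
    return found;
}
/* Constructed 256-byte snapshot (not real memory): three chained blocks
 * tagged Proc/File/Proc plus a decoy "Proc" string inside File's body. */
size_t demo_scan(size_t *out, size_t max_out)
{
    static uint8_t snap[256];
    pool_header_t a = {0, 0, 4, 1, TAG('P','r','o','c')}; /* off 0:  32 bytes */
    pool_header_t b = {4, 0, 6, 2, TAG('F','i','l','e')}; /* off 32: 48 bytes */
    pool_header_t c = {6, 0, 3, 1, TAG('P','r','o','c')}; /* off 80: 24 bytes */
    memset(snap, 0, sizeof snap);
    memcpy(snap, &a, 8); memcpy(snap + 32, &b, 8); memcpy(snap + 80, &c, 8);
    memcpy(snap + 52, "Proc", 4); /* decoy: zero flags, so it is rejected */
    return scan_pool_tag(snap, sizeof snap, TAG('P','r','o','c'), out, max_out);
}
```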
  • 18. Malware analysis
       Primary requirement: capture useful live data
       • Scalability: re-use the CoW techniques from the prior experiments
       • Stealth: no in-guest agents, no modification to the hypervisor, command injection with VMI
       • Isolation: VLAN tagging, TCB disaggregation
       • Fidelity: syscalls and kernel heap allocations
  • 19. Useful data?
       The goal is to generate data that is complete, so that it is useful for analysis; data collection should be flexible to allow tuning to specific requirements.
       Two main objectives defined in prior art:
       1. Syscall monitoring
       2. Kernel heap monitoring
       We also monitor deleted files, as we deemed that an interesting and useful addition.
  • 21. Syscall trapping
       Stealthy breakpoint injection method:
       1. Overwrite internal kernel function entry points with #BP (0xCC)
       2. Read/write-protect the page with EPT (so in-guest reads of the patched code can be caught and the original byte returned)
       3. When a trap hits, put the original byte back
       4. Single-step one instruction
       5. Put the breakpoint back again
       Can monitor all internal kernel functions, not just system calls!
  • 24. Syscalls of 115k malware
  • 25. Heap allocs of 115k malware
  • 27. Stalling malware
       Standard methods
       • Detection of virtualized environments
       • Detection of in-guest artifacts
       • Sleeping
       Advanced methods
       • Time-skew detection
       • API spamming
  • 28. API spamming
       • Repeatedly call monitored APIs which normally complete fast, e.g. NtCreateSemaphore
       • Logging these calls takes more time than the calls themselves
       • Spamming them times out the monitoring
       Use of NtCreateSemaphore in 60s:
       • Observed in: 45,383 samples
       • Average: 7.77 calls
       • Samples significantly above average: 1
       • Number of calls (the outlier): 17,453
  • 29. Summary
       • Hardware virtualization is effective for both malware collection and analysis
       • All four requirements can be met simultaneously using hardware virtualization
       • The technology is sufficiently flexible to develop and fine-tune data collection techniques
       • Major improvement in the arms race against malware
  • 31. Hardware limitations on x86
       • EPT only reports the start address of a violation
       • A read/write operation may be up to 8 bytes long, so the violation alone does not tell the monitor how many bytes were touched
  • 32. Hardware limitations on x86
       • The sTLB makes TLB-splitting attacks no longer feasible
       • The TLB can still be used to hide mappings from VMI
  • 33. Hardware limitations on ARM
       • Split-TLB architecture without an sTLB
       • Hardware-assisted translation available from the VMM
       • Translation is performed as a data-fetch access
         • Only hits the dTLB
       • Hiding code pages on ARM is possible via split-TLB attacks
  • 34. Contributions
       1. Identified core requirements that must be met simultaneously
       2. Developed and open-sourced the prototypes, with major contributions to existing systems
       3. Performed extensive tests with modern malware
       4. Identified hardware and software limitations that must be addressed when building such systems
  • 35. Future work
       • Keeping up with the evolving threat landscape
         • Attacks against the hypervisor and lower layers
         • Data-only malware
         • Stalling malware
       • Making use of new and evolving hardware virtualization extensions
         • Hybrid VMI
       • Data-mining the collected information
         • Identifying malware groups
         • Creating IDS/IPS rules
  • 36. Questions?
       • Dissertation text available at http://tklengyel.com/thesis.pdf
       • DRAKVUF: http://drakvuf.com
       • LibVMI: http://libvmi.com