Practical Rootkit Detection with RAI

Slides:

Advertisements

Similar presentations

Content Overview Virtual Disk Port to Intel platform

Advertisements

Part IV: Memory Management

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Difference Engine: Harnessing Memory Redundancy in Virtual Machines by Diwaker Gupta et al. presented by Jonathan Berkhahn.

Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?

V IRTUALIZATION A TTACKS Undetectable Bluepill. V IRTUALIZATION AND ITS A TTACKS What is Virtualization? What makes it possible? How does it affect security?

Memory Management (II)

Operating System Support Focus on Architecture

2 Copyright © 2009, Oracle. All rights reserved. Installing your Oracle Software.

Virtualization for Cloud Computing

Tanenbaum 8.3 See references

ATIF MEHMOOD MALIK KASHIF SIDDIQUE Improving dependability of Cloud Computing with Fault Tolerance and High Availability.

SECURITY IN CLOUD COMPUTING By Bina Bhaskar Anand Mukundan.

Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using.

Appendix B Planning a Virtualization Strategy for Exchange Server 2010.

Operating System Support for Virtual Machines Samuel T. King, George W. Dunlap,Peter M.Chen Presented By, Rajesh 1 References [1] Virtual Machines: Supporting.

Code Injection From the Hypervisor: Removing the need for in-guest agents Matt Conover Principal Software Engineer Core Research Group, Symantec Research.

A Crawler-based Study of Spyware on the Web Authors: Alexander Moshchuk, Tanya Bragin, Steven D.Gribble, and Henry M. Levy University of Washington 13.

Virtualization Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation is licensed.

KGuard: Lightweight Kernel Protection against Return-to-User Attacks Authors: Vasileios P. Kemerlis Georgios Portokalidis Angelos D. Keromytis Presenter:

8.4 paging Paging is a memory-management scheme that permits the physical address space of a process to be non-contiguous. The basic method for implementation.

Chapter 1 : The Linux System Part 1 Lecture 1 10/21/

Defending Browsers against Drive-by Downloads:Mitigating Heap-Spraying Code Injection Attacks Authors:Manuel Egele, Peter Wurzinger, Christopher Kruegel,

Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

MICHALIS POLYCHRONAKIS(COLUMBIA UNIVERSITY,USA), KOSTAS G. ANAGNOSTAKIS(NIOMETRICS, SINGAPORE), EVANGELOS P. MARKATOS(FORTH-ICS, GREECE) ACSAC,2010 Comprehensive.

G53SEC 1 Reference Monitors Enforcement of Access Control.

VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.

 Virtual machine systems: simulators for multiple copies of a machine on itself.  Virtual machine (VM): the simulated machine.  Virtual machine monitor.

Reducing Trust Domain with TXT Daniel De Graaf. TXT overview Original TPM – Static Root of Trust – BIOS, all boot ROMs, bootloader, hypervisor, OS TPM.

Midterm Meeting Pete Bohman, Adam Kunk, Erik Shaw.

Operating Systems Security

A. Frank - P. Weisberg Operating Systems Structure of Operating Systems.

Security Vulnerabilities in A Virtual Environment

Wireless and Mobile Security

Full and Para Virtualization

Protection of Processes Security and privacy of data is challenging currently. Protecting information – Not limited to hardware. – Depends on innovation.

CSE 451: Operating Systems Winter 2015 Module 25 Virtual Machine Monitors Mark Zbikowski Allen Center 476 © 2013 Gribble, Lazowska,

VMM Based Rootkit Detection on Android

Lecture 5 Rootkits Hoglund/Butler (Chapters 1-3).

1 Chapter 2: Operating-System Structures Services Interface provided to users & programmers –System calls (programmer access) –User level access to system.

Virtualization for Cloud Computing

Virtualization.

Memory COMPUTER ARCHITECTURE

Dag Toppe Larsen UiB/CERN CERN,

Dag Toppe Larsen UiB/CERN CERN,

EnGarde: Mutually Trusted Inspection of SGX Enclaves

143A: Principles of Operating Systems Lecture 6: Address translation (Paging) Anton Burtsev October, 2017.

William Stallings Computer Organization and Architecture

Effective Data-Race Detection for the Kernel

Swapping Segmented paging allows us to have non-contiguous allocations

CS490 Windows Internals Quiz 2 09/27/2013.

Virtualization overview

Running other code under LINUX

Chapter 2. Malware Analysis in VMs

OS Virtualization.

Analysis of Mixed-mode Malware

Page Replacement.

Memory Management Tasks

Virtual machines benefits

Computer Security: Art and Science, 2nd Edition

Outline Chapter 2 (cont) OS Design OS structure

CSE 451: Operating Systems Autumn Module 24 Virtual Machine Monitors

Sai Krishna Deepak Maram, CS 6410

Reverse engineering through full system simulations

Lecture 3: Main Memory.

Virtualization Dr. S. R. Ahmed.

CSE 451: Operating Systems Autumn Module 24 Virtual Machine Monitors

This material is based upon work supported by the National Science Foundation under Grant #XXXXXX. Any opinions, findings, and conclusions or recommendations.

Presentation transcript:

Practical Rootkit Detection with RAI Christoph Csallner, University of Texas at Arlington http://ranger.uta.edu/~csallner/ Joint work with: Shabnam Aboughadareh This material is based upon work supported by the National Science Foundation under Grants No. 1017305, 1117369, and 1527398. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

Practical Detection Challenges C1: Malware detection app = Attack surface Current AV very large C2: Signature-based is slow Deployment typically needs app restart New attack signature not yet in black list What if legacy app infected before white-listed? C3: Can’t trust legacy platforms No TPM, intel VT-x, etc.

Threat Model: Many machines like: App#1 App#N …. User Kernel Operating System Kernel Module#1 …. Kernel Module#M

Threat Model Monitored app / OS may be kernel- or user-mode OS may be on hardware, container, VM System may already be under attack Adversary has full ongoing access to OS & apps Inject code Manipulate binaries on disk & in memory Obtain higher privilege level: Root, .. Hook sys call table, overwrite code & read-only data

RAI Setup App 1 .... App N App 1 .... App N Operating system Kernel module 1 Kernel module 1 .... .... RAI kernel module Hashes RAI kernel module Machine 1 Machine 3 RAI Back-end App 1 .... App N App 1 .... App N Operating system Operating system Kernel module 1 Kernel module 1 .... .... RAI kernel module RAI kernel module Machine 2 Machine 4

RAI Design RAI component is tiny kernel module Easier to install / test / port / hide Small attack surface No need for special hardware / virtualization Offload almost everything to RAI server On-demand (“real-time”) detection No restart of monitored system / app needed No need to disable current AV No need to black / white list

RAI Design Deploy on running applications Get dynamic white / black list via voting scheme Client: Periodically monitor (hash) physical memory Server: Request & compare hashes in random intervals If only minority of apps infected Server voting scheme: Hash outliers are suspicious Attack usually spreads relatively slowly across sites

Implementation: Physical Memory (RAM) Hashing Hash of pages’ hashes Different machines may swap out different pages If comparison fails: Compare page-level hashes

Monitoring Dynamically Loaded Code Problem: Two instances of application can be in two different execution states Example: A benign dynamic library is loaded into one instance but not into the other instance Solution: Hashing each executable segment separately .text libc.so benign_lib1.so ld.so Hash_T1 Application A in state S1 Hash_T2 Application A in state S2 benign_lib2.so

De-relocate Addresses Virtual addresses of kernel module / app library may differ across executions: Load order, etc. Position Dependent Code: In kernel module / legacy libraries OS loader “relocates” relative with absolute virtual address Different absolute address  Code hashes will differ Don’t want to rely on disk contents to resolve problem Heuristic Approach: Disassemble memory contents, find addresses and de-relocate them Use Distorm disassembler: Provides convenient access to opcodes and operands

Evaluation: Two Setups “Local” setup All clients on same physical machine 40 VMware Ubuntu Linux instances Two groups with the same kernel versions (2.6 and 3), 512 MB RAM, 32 and 64 bits processors 100 user-mode applications and 41 kernel modules One VM dedicated server: Ubuntu 12.04 LTS, 64 bits AWS setup Sets of 6—60 clients equally distributed over 10 AWS regions Similar setups to local experiment 90 user-mode applications Ubuntu 12.04 LTS, 30 GB RAM server running in Oregon

RAI evaluation: Slowdown Test-bed: 20 Ubuntu Linux VMWare virtual machines, kernel version 2.6, 3, 32-bit or 64-bit Intel processor, 512 MB RAM Server: Debian Linux, 2.33 GHz Xeon, 64-bit, 32 GB RAM 100 user-mode applications and 41 kernel modules RAI Activity Target Loc Slowdown (%) Hash User-mode app Client 8 Kernel (OS) 3 Hash + de-relocate Kernel module 20 Compare hashes 20 VMS Server 15

RAI evaluation: False positives - False positive rate for user-mode applications and OS: 0% - False positive rate for kernel-mode modules: below %10 Reason: Disassembly errors for de-relocation of dynamic addresses. Kernel Module Number of Pages False Hash False Positive(%) e1000 22 3 13.6 vmwgfx 18 2 11.1 ttm 11 1 9.0 drm 33 3.0 bluetooth 55 5.4 rfcomm 9 psmouse 16 12.5 All 41 modules 314 13 4.1

RAI Evaluation Example detected rootkits Rootkit Exec Mode Kernel Version CPU Loc Attack LD_PRELOAD User 3, 2.6 32-bit, 64-bit Memory Exchange Libraries Jynxkit 2.6 32-bit Patch dynamic loader Disk Inject code Attach to process Divert Execution System call hooking Kernel 3 64-bit Change kernel data Suterusu Change kernel code