Virtual Machines for Security

Slides:



Advertisements
Similar presentations
Virtualization Dr. Michael L. Collard
Advertisements

Virtualization and Cloud Computing. Definition Virtualization is the ability to run multiple operating systems on a single physical system and share the.
Rootkits on Smart Phones: Attacks, Implications and Opportunities Jeffrey Bickford, Ryan O’Hare, Arati Baliga, Vinod Ganapathy, and Liviu Iftode Department.
Virtual Machine Security Design of Secure Operating Systems Summer 2012 Presented By: Musaad Alzahrani.
CS-3013 & CS-502, Summer 2006 Virtual Machine Systems1 CS-502 Operating Systems Slides excerpted from Silbershatz, Ch. 2.
OS Fall ’ 02 Introduction Operating Systems Fall 2002.
KVM/ARM: The Design and Implementation of the Linux ARM Hypervisor Fall 2014 Presented By: Probir Roy.
Virtualization for Cloud Computing
Virtual Machine Monitors CSE451 Andrew Whitaker. Hardware Virtualization Running multiple operating systems on a single physical machine Examples:  VMWare,
Virtualization Technology Prof D M Dhamdhere CSE Department IIT Bombay Moving towards Virtualization… Department of Computer Science and Engineering, IIT.
Tanenbaum 8.3 See references
Real Security for Server Virtualization Rajiv Motwani 2 nd October 2010.
Microkernels, virtualization, exokernels Tutorial 1 – CSC469.
Virtualization Concepts Presented by: Mariano Diaz.
Secure & flexible monitoring of virtual machine University of Mazandran Science & Tecnology By : Esmaill Khanlarpour January.
Virtual Machine Security Systems Presented by Long Song 08/01/2013 Xin Zhao, Kevin Borders, Atul Prakash.
Stealthy Malware Detection Through VMM-based “Out-of-the-Box” Semantic View Reconstruction CCS’07, Alexandria, VA, Oct 29 – Nov 2, 2007 Xuxian Jiang, Xinyuan.
Virtual Machine Monitors: Technology and Trends Jonathan Kaldor CS614 / F07.
Introduction 1-1 Introduction to Virtual Machines From “Virtual Machines” Smith and Nair Chapter 1.
Ether: Malware Analysis via Hardware Virtualization Extensions Author: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee Presenter: Yi Yang Presenter:
CE Operating Systems Lecture 3 Overview of OS functions and structure.
VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.
Presented by: Reem Alshahrani. Outlines What is Virtualization Virtual environment components Advantages Security Challenges in virtualized environments.
 Virtual machine systems: simulators for multiple copies of a machine on itself.  Virtual machine (VM): the simulated machine.  Virtual machine monitor.
CS 346 – Chapter 2 OS services –OS user interface –System calls –System programs How to make an OS –Implementation –Structure –Virtual machines Commitment.
Midterm Meeting Pete Bohman, Adam Kunk, Erik Shaw.
Operating Systems Security
Full and Para Virtualization
Lecture 26 Virtual Machine Monitors. Virtual Machines Goal: run an guest OS over an host OS Who has done this? Why might it be useful? Examples: Vmware,
Introduction Why are virtual machines interesting?
Operating-System Structures
Protection of Processes Security and privacy of data is challenging currently. Protecting information – Not limited to hardware. – Depends on innovation.
VMM Based Rootkit Detection on Android
1 Chapter 2: Operating-System Structures Services Interface provided to users & programmers –System calls (programmer access) –User level access to system.
Virtualization Neependra Khare
1 Virtualization "Virtualization software makes it possible to run multiple operating systems and multiple applications on the same server at the same.
Virtualization for Cloud Computing
Introduction to Virtualization
Virtualization.
Virtual Machine Monitors
Virtualization D. J. Foreman 2009.
Introduction to Operating Systems
CSC 482/582: Computer Security
Virtualization Dr. Michael L. Collard
Policies and Mechanisms for Operating System Security
Operating Systems Design (CS 423)
Lecture 24 Virtual Machine Monitors
Virtualization overview
Group 8 Virtualization of the Cloud
CIT 480: Securing Computer Systems
Virtual Machines Arkaprava Basu.
OS Virtualization.
Introduction to Operating Systems
Virtualization Layer Virtual Hardware Virtual Networking
Virtualization Techniques
A Survey on Virtualization Technologies
Lecture Topics: 11/1 General Operating System Concepts Processes
Operating Systems Lecture 3.
Computer Security: Art and Science, 2nd Edition
CSE 451: Operating Systems Autumn Module 24 Virtual Machine Monitors
Sai Krishna Deepak Maram, CS 6410
SCONE: Secure Linux Containers Environments with Intel SGX
Introduction to Virtual Machines
Vinod Ganapathy securely How to snapshot memory Vinod Ganapathy
Introduction to Virtual Machines
Xen and the Art of Virtualization
CSE 451: Operating Systems Autumn Module 24 Virtual Machine Monitors
System Virtualization
Slides from E0-253 taught by Arkaprava Basu and Vinod Ganapathy
Hypervisor A hypervisor or virtual machine monitor (VMM) is computer software, firmware or hardware that creates and runs virtual machines. A computer.
Presentation transcript:

Virtual Machines for Security

What is (system) virtual machine? Virtual machine: Complete compute environment with its own isolated processing capabilities, memory and communication channels. Virtual machine is an efficient isolated duplicate of the physical machine [Goldberg, Popek] Virtual Machine Monitor/Hypervisor: System software that creates and manages virtual machines Desirable qualities of a VMM [Goldberg/Popek]: Equivalence: Virtual m/c interface similar to real m/c Safety/Isolation: Each VM should be isolated from other Low performance overhead: Perf. close to real m/c

Without virtualization (bare metal) Application 1 Application 2 OS Hardware Slide Sorav Bansal, IIT-Delhi

With virtualization Virtual Machine Monitor (VMM)/Hypervisor Hardware Virtual Hardware Guest OS 1 App Virtual Hardware Guest OS 2 App Virtual Machine Monitor (VMM)/Hypervisor Hardware Slide Sorav Bansal, IIT-Delhi

Different OS on same H/W Virtual Hardware Linux App Virtual Hardware Windows App Virtual Machine Monitor (VMM)/Hypervisor Hardware Slide Sorav Bansal, IIT-Delhi

Why Virtual Machines? Operating system diversity: Can run both Linux and Windows on same h/w Security/Isolation: Hypervisor separates the VMs from each other and isolates VMs from H/W Rapid provisioning/Cloud/ Server consolidation: On demand provisioning of hardware resources

Why Virtual Machines? Operating system diversity: Can run both Linux and Windows on same h/w Security/Isolation: Hypervisor separates the VMs from each other and isolates VMs from H/W Rapid provisioning/Server consolidation: On demand provisioning of hardware resources High availability/Load balancing: Ability to live-migrate a VM to other physical server Encapsulation: The execution environment of an application is encapsulated within VM

Other “virtual machines(?)” Language VM: Language runtime focused on running a single application e.g., Java Virtual Machine, Microsoft Common Language runtime, Javascripts “Lightweight” VM: Does not run guest OS; Isolate applications from other e.g., Docker, FreeBSD’s Jail, Google’s Native Client Our focus is System virtual machine: presents a “copy” of whole machine

Types of system virtual machine Type 1 (Bare metal): VMM runs on bare metal; directly control the physical machine e.g., Xen, VMWare ESX server Type 2 (Hosted): VMM runs as part of/on top of an OS e.g., KVM, VMWare workstation

Implementing a VMM Three pieces of a system: Instructions -- defined by the ISA (e.g., x86, ARM) Memory I/O (network, disk) Mostly a quick discussion of the first two. We won’t discuss the third in this course. For a detailed discussion of virtualization, take E0253!

Direct Execution + ??? Idea: Run most instructions of the VM directly on the hardware Advantage: Performance close to native execution Challenge: How to ensure isolation/protection ? If all instructions of the VM are directly executed then VMM has no control !

Direct Execution + Trap and Emulate Idea: Trap to hypervisor when the VM tries to execute an instruction that could change the state of the system/take control (i.e., impact safety/isolation). Emulate execution of these instruction in hypervisor Direct execution of any other innocuous instructions on h/w that cannot impact other VMs or the hypervisor

How to do Trap and Emulate? Generally two categories of instructions: User instructions: Typically compute instructions e.g., add, mult, ld, store, jmp System instructions: Typically for system management e.g., iret, invlpg, hlt, in, out Two mode of CPU operation: User mode (in x86-64 typically ring 3) Privileged mode (in x86-64 ring 0) Attempt to execute system instructions in user mode generates trap/general protection fault (gpf)

How to do Trap and Emulate? System state: Example, control registers like cr3 (remember?) Access to system state in user mode trigger gpf Idea: Run the VM in user mode (ring 3), while the hypervisor in privileged mode (ring 0) Anytime VM tries to execute an system instr. or tries to access system state, trap to VMM

Formalizing Direct exec. + Trap & emulate Goldberg & Popek theorem: Control sensitive intr.: Instructions that can update system state Behavior sensitive instr.: If instructions behavior depends upon system state Requirement for architecture/ISA to be virtualizable via trap & emulate: {control sensitive} U {behavior sensitive} {privileged} UI

Virtual Memory in un-virtualized system Process A’s virtual address space Process B’s virtual address space Page table Page table Managed by the OS Physical memory

Requirement for memory virtualization No direct access to physical memory from VM Only hypervisor should manage physical memory But, fool the guest OS to think that it is accessing physical memory

Virtualizing Virtual Memory Managed by guest OS Virtual Machine 1 Virtual Machine 2 App 2 App 1 App 2 App 1 Guest Page table Guest physical memory Managed by hypervisor Nested Page table System (real)Physical memory

Virtualizing Virtual Memory Guest Virtual Address Guest Physical Address System Physical Address 1 2 gVA gPA sPA Guest Page Table Nested Page Table Two levels of address translation on each memory access by an application running inside a VM Based on "Efficient Memory Virtualization" Gandhi et. al., MICRO'14

Applications of VM A.K.A. Virtual Machine Introspection (VMI) Rootkit (OS malware) detection Better network intrusion detection Challenges: Semantic Gap problem.

Layered computer system design Modern computer systems are built using layers of abstraction User app User app … Utilities & Libraries ls, ps, & bash utilities libc gcc … Operating System Syscalls IDT Kernel Code Process List … Memory I/O devices CPU Hardware Vinod Ganapathy - Policies and Mechanisms for OS Security

Fundamental principle in security The lower you go, the more control you have User app User app Least control … Utilities & Libraries ls, ps, & bash utilities libc gcc … Operating System Syscalls IDT Kernel Code Process List … Memory I/O devices CPU Hardware Most control Vinod Ganapathy - Policies and Mechanisms for OS Security

Example: Malware detection User app Utilities & Libraries Operating System Hardware Vinod Ganapathy - Policies and Mechanisms for OS Security

Example: Malware detection User app Malware detector Utilities & Libraries Operating System Hardware Vinod Ganapathy - Policies and Mechanisms for OS Security

Example: Malware detection User app Malware detector Trusted Layer Utilities & Libraries … TCB cat ps ls Operating System Hardware Vinod Ganapathy - Policies and Mechanisms for OS Security

But utilities may be compromised! User app Malware detector Utilities & Libraries cat ps ls Operating System Hardware Vinod Ganapathy - Policies and Mechanisms for OS Security

But utilities may be compromised! Show me file contents 1 User app Malware detector 1 Utilities & Libraries cat ps ls Operating System Hardware Vinod Ganapathy - Policies and Mechanisms for OS Security

But utilities may be compromised! Show me file contents 1 2 Fake, benign content User app Malware detector 2 Utilities & Libraries cat ps ls Operating System Hardware Vinod Ganapathy - Policies and Mechanisms for OS Security

Vinod Ganapathy - Policies and Mechanisms for OS Security Solution: Query the OS Query with syscall 1 User app Malware detector Utilities & Libraries 1 Operating System System call API TCB Hardware Vinod Ganapathy - Policies and Mechanisms for OS Security

Vinod Ganapathy - Policies and Mechanisms for OS Security Solution: Query the OS Query with syscall 1 2 OS reads file User app Malware detector Utilities & Libraries 2 Operating System System call API TCB Hardware Vinod Ganapathy - Policies and Mechanisms for OS Security

Vinod Ganapathy - Policies and Mechanisms for OS Security Solution: Query the OS Query with syscall 1 2 OS reads file User app Malware detector 3 Returns true file content Utilities & Libraries 3 Operating System System call API TCB Hardware Vinod Ganapathy - Policies and Mechanisms for OS Security

OS detects malicious utilities too cat file B Read file User app Malware detector A B diff vs ? Utilities & Libraries A cat B Operating System System call API TCB Hardware Vinod Ganapathy - Policies and Mechanisms for OS Security

What if the OS is malicious? User app Malware detector Utilities & Libraries Operating System System call API Is it game over? Hardware Vinod Ganapathy - Policies and Mechanisms for OS Security

Rootkit = Malware that infects OS Rootkits hide malware from detectors  Long-term stealth Malware detector … Utilities & Libraries Operating System System call API Is it game over? Hardware Vinod Ganapathy - Policies and Mechanisms for OS Security

How does an OS get infected? Exploits of kernel vulnerabilities: Injecting malicious code by exploiting a memory error in the kernel Privilege escalation attacks: Exploit a root process and use resulting administrative privileges to update the kernel Social engineering attacks: Trick user into installing fake kernel updates Defeated via signature verification of kernel updates Trivial to perform prior to the Windows Vista OS Vinod Ganapathy - Policies and Mechanisms for OS Security

How prevalent are rootkits? 2010 Microsoft report: 7% of all infections from client machines due to rootkits[1] 2016 HummingBad Android rootkit:[2] Up to 85 million Android devices infected? Earns malware authors $300,000 each week through fraudulent mobile advertisements Used in many high-profile incidents: Torpig and Storm botnets Sony BMG (2005), Greek wiretapping (2004/5) [1] Microsoft Malware Protection Center, “Some Observations on Rootkits,” January 2010, https://blogs.technet.microsoft.com/mmpc/2010/01/07/some-observations-on-rootkits [2] CheckPoint Software, “From HummingBad to Worse,” July 2016, http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf

How can we detect rootkits? Ask for help from the layers below User app Malware detector Utilities & Libraries Operating System System call API Is it game over? TCB Hypervisor (a.k.a. Virtual Machine Monitor) Hardware Vinod Ganapathy - Policies and Mechanisms for OS Security

Vinod Ganapathy - Policies and Mechanisms for OS Security How low can we go? User app Malware detector Utilities & Libraries Operating System Is it game over? Hypervisor [Bluepill, Subvert] TCB Hardware Vinod Ganapathy - Policies and Mechanisms for OS Security

Vinod Ganapathy - Policies and Mechanisms for OS Security How low can we go? User app Malware detector Utilities & Libraries Operating System Is it game over? Hardware ??? [Stuxnet, Trojaned ICs] TCB Vinod Ganapathy - Policies and Mechanisms for OS Security

… Analysis of memory snapshots obtained from target machine Potentially rootkit infected User app User app … Utilities & Libraries Operating System Kernel Code Process List Syscall Hardware Physical Memory TCB Vinod Ganapathy - Policies and Mechanisms for OS Security

… Analysis of memory snapshots obtained from target machine Potentially rootkit infected Analysis machine Trusted User app User app … Utilities & Libraries Operating System Kernel Code Process List Syscall Hardware Physical Memory TCB Vinod Ganapathy - Policies and Mechanisms for OS Security

… … Analysis of memory snapshots obtained from target machine Potentially rootkit infected Analysis machine Trusted User app User app … Utilities & Libraries Operating System Kernel Code Process List Syscall Snapshot of memory pages Hardware … Physical Memory TCB Vinod Ganapathy - Policies and Mechanisms for OS Security

Vinod Ganapathy - Policies and Mechanisms for OS Security How to detect rootkits? What algorithm should we use for memory snapshot analysis? Concerns the policy Formulate rootkit detection problem as one of detecting invariant violations How can we fetch memory pages without involving the target’s OS? Concerns the mechanism That is the feature provided by virtual machines Vinod Ganapathy - Policies and Mechanisms for OS Security

Example 1: Linux Adore rootkit sys_open(...) { ... } int main() { open(…) ... return(0) } sys_open Mention that attacks are not only for control data, even for non-control data. System call table User app OS kernel Vinod Ganapathy - Policies and Mechanisms for OS Security 44

Example 1: Linux Adore rootkit sys_open(...) { ... } int main() { open(…) ... return(0) } evil_open evil_open(...) { malicious(); sys_open(...) } Mention that attacks are not only for control data, even for non-control data. System call table User app OS kernel Vinod Ganapathy - Policies and Mechanisms for OS Security 45

Example 1: Linux Adore rootkit Violated: Function pointer values in system call table should not change sys_open(...) { ... } int main() { open(…) ... return(0) } evil_open evil_open(...) { malicious(); sys_open(...) } Mention that attacks are not only for control data, even for non-control data. System call table User app OS kernel Vinod Ganapathy - Policies and Mechanisms for OS Security 46

Example 2: Windows Fu rootkit run-list: Used by the scheduler to select processes for execution Process A Process B Process C run_list run_list run_list next_task next_task next_task all-tasks: Used for process accounting Vinod Ganapathy - Policies and Mechanisms for OS Security

Example 2: Windows Fu rootkit run-list: Used by the scheduler to select processes for execution Process A Hidden process Process B Process C run_list run_list run_list run_list next_task next_task next_task next_task all-tasks: Used for process accounting Vinod Ganapathy - Policies and Mechanisms for OS Security

Example 2: Windows Fu rootkit Violated: run-list ⊆ all-tasks run-list: Used by the scheduler to select processes for execution Process A Hidden process Process B Process C run_list run_list run_list run_list next_task next_task next_task next_task all-tasks: Used for process accounting Vinod Ganapathy - Policies and Mechanisms for OS Security

Offline training phase Clean reference machine Not rootkit infected Analysis machine User app User app … Utilities & Libraries Operating System Kernel Code Process List Syscall Snapshot of memory pages Hardware … Physical Memory TCB Vinod Ganapathy - Policies and Mechanisms for OS Security

Offline training phase Clean reference machine Not rootkit infected Analysis machine User app User app Invariant DB … Utilities & Libraries Inference Operating System Kernel Code Process List Syscall Snapshot of memory pages Hardware … Physical Memory TCB Vinod Ganapathy - Policies and Mechanisms for OS Security

Online enforcement phase Target machine Potentially rootkit infected Analysis machine User app User app Invariant DB … Compare Utilities & Libraries Inference Operating System Kernel Code Process List Syscall Snapshot of memory pages Hardware … Physical Memory TCB Vinod Ganapathy - Policies and Mechanisms for OS Security

Reconstructing data structures Kernel data structure type definitions (2) Entry-points into the kernel struct task_struct {...} struct list_head {...} struct siginfo {...} ... ffffe400 init_task ffffe410 phys_base ffffe420 loops_per_jiffy ... … (3) Snapshot of memory pages Vinod Ganapathy - Policies and Mechanisms for OS Security

How to interpret raw dump? This is the semantic gap problem Hypervisor only sees: Raw memory snapshots. If doing live monitoring, only sees low level hardware events (e.g., a fault) Has to figure out how to interpret these snapshots or events May need help from the (untrusted) guest OS! Soln: Use a semantic gap bridging library

Reconstructing data structures Kernel data structure type definitions (2) Entry-points into the kernel struct task_struct {...} struct list_head {...} struct siginfo {...} ... ffffe400 init_task ffffe410 phys_base ffffe420 loops_per_jiffy ... Definition of task_struct Data at 0xffffe400 struct task_struct { int state; int counter; struct task_struct *next; ... } 00000001 0034ea23 ac3456bc ... … init_task.state = 1 init_task.counter = 0x34ea23 init_task.next = 0xac3456bc (3) Snapshot of memory pages Vinod Ganapathy - Policies and Mechanisms for OS Security

Reconstructing data structures Kernel data structure type definitions (2) Entry-points into the kernel struct task_struct {...} struct list_head {...} struct siginfo {...} ... ffffe400 init_task ffffe410 phys_base ffffe420 loops_per_jiffy ... Definition of task_struct Data at 0xac3456bc struct task_struct { int state; int counter; struct task_struct *next; ... } 00000000 0056ae71 bf6723ae ... … init_task.next.state = 0 init_task.next.counter = 0x56ae71 init_task.next.next = 0xbf6723ae (3) Snapshot of memory pages Vinod Ganapathy - Policies and Mechanisms for OS Security

Preventing malicious code execution Trusted domain Guest domain Checking daemon Code: OS & applications 2 Hash DB hash(page) ? Code page 3 1 Alert user Resume guest Hypervisor Mobisys 6/30/2011

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.