EUROSEC 2011 Gábor Pék, Boldizsár Bencsáth and Levente Buttyán Laboratory of Cryptography and Systems Security Budapest University of Technology and Economics.

nEther: In-Guest Detection of Out-of-the-Guest Malware Analysers

Gábor Pék, CrySyS Lab.
Short Summary
We successfully achieved:
- In-guest detection of an out-of-the-guest malware analysis framework (Ether)
- In-guest timing attack
- Detection based on CPUID information
- Detecting hardware assisted virtualization (can be a bit of information for analysis)
- Detection based on errata in Intel CPUs
9/16/2014 2

Goals in Malware Analysis
- Analyser: dissecting and figuring out the operations of the analysed program
- Author of the malware: thwarting the analysis of the code and hiding its real intents, operations and execution

What is Malware Analysis?
- Analysing malware
  - Static (entire program, thwarting disassemblers)
  - Dynamic (one control path) - we focus on this
- Two types of dynamic analysis: native and virtualization based
- Main tricks of detecting dynamic analyzers
  - Timing information
  - Special data structures, e.g., PEB
  - Single-step debugging (trap flag)
  - Exception handling

HW Assisted Virtualization
- New and higher CPU privilege level (Ring -1)
- Native instruction execution
- Intel VT
  - VMX root mode for VMM/hypervisor
  - VMX non-root mode for guest OS
  - VMX transitions: VM Exit / VM Entry
- Rich feature set and control of operation
- Xen, KVM

Ether - Malware analysis via HW Virtualization Extensions
- Transparent, out-of-the-guest malware analysis platform based on Xen and Intel VT
- Transparency of Ether: the malware cannot detect Ether
- Transparency requirements as of the Ether paper:
  - Higher privilege of analyser environment
  - No non-privileged side effects
  - Same instruction execution semantics (X)
  - Identical exception handling
  - Identical notion of time (X)

Advantages of Ether and challenges to detect it
- No in-guest memory presence
- Hides changes made to CPU registers
- Memory protection: modifies only shadow page tables
- Privileged instruction handling
- No instruction emulation
- Controlling timing (e.g., RDTSC instruction)

Contributions
- Design and implementation of an application framework to detect Ether based on multiple feature tests
- Feature tests for Ether and Intel VT
- A practical in-guest timing attack against Ether
- Detecting Ether via CPUID information
- Detection of HW assisted virtualization utilizing CPU errata

System Overview (diagram slide; no text recovered in the transcript)

Various uses of RDTSC
- Different behaviour of sensitive instructions (e.g., RDTSC) in VMX non-root mode
Diagram labels: Normal operation: Guest OS -> rdtsc -> CPU -> TSC. Operation of Ether: Guest OS -> rdtsc -> VM Exit -> Virtual CPU -> faketime (FT); the next rdtsc returns FT+Y; VM Entry returns control to the Guest OS.

Facts about Ether
- Alleged operation: FT = TSC, Y = TSC_OFFSET, but TSC_OFFSET is disabled
- Real operation: monotonic increase of FT for every RDTSC call (Y = 1)
- There can be external RDTSC calls during an analysis
- The TSC difference between two RDTSCs of the analysed program = number of RDTSCs of the guest during analysis (~9-171)

Practical implementation of in-guest timing attack
- Call an RDTSC and store it
- Create a loop of non-sensitive instructions (e.g., nop)
- Call an RDTSC and compare it with the stored value (diff)
if (diff < length of the loop) Ether is present
else Ether is not present
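The three steps above, written out as a transparency self-test that an analysis-platform maintainer can run inside a guest to check whether the guest is being shown a counted fake time. This is an added example, not the nEther project's code; LOOP_LEN, the function names and the ether_model_diff() model (Y = 1 from the previous slide) are this example's own choices, and the rdtsc path compiles only on x86.

```c
/* In-guest TSC timing self-test following the slide's three steps.
   Added example (not nEther's code); LOOP_LEN and all function names are
   this example's own choices. */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>          /* __rdtsc() */
#define HAVE_RDTSC 1
#endif

#define LOOP_LEN 100000u        /* iterations of the non-sensitive loop (arbitrary) */

/* Step 3, the slide's decision rule: a genuine TSC advances by at least one
   tick per loop iteration on current x86 CPUs, so a delta smaller than the
   iteration count means the guest is being shown a per-RDTSC counted fake
   time (FT, FT+1, FT+2, ...). */
int tsc_looks_faked(uint64_t diff, uint64_t loop_len)
{
    return diff < loop_len;
}

/* Steps 1-2: read the TSC, spin on nops, read it again; return the delta.
   Returns 0 where RDTSC is unavailable (non-x86 build). */
uint64_t measure_loop_ticks(unsigned loop_len)
{
#ifdef HAVE_RDTSC
    uint64_t start = __rdtsc();
    for (volatile unsigned i = 0; i < loop_len; i++)
        __asm__ __volatile__("nop");
    uint64_t end = __rdtsc();
    return end - start;
#else
    (void)loop_len;
    return 0;
#endif
}

/* Model of the previous slide: with Y = 1 the delta the program observes
   equals the number of guest RDTSCs executed meanwhile, i.e. its own second
   read plus any external RDTSC calls during the loop. */
uint64_t ether_model_diff(unsigned external_rdtsc_calls)
{
    return 1u + external_rdtsc_calls;
}

int main(void)
{
#ifdef HAVE_RDTSC
    uint64_t diff = measure_loop_ticks(LOOP_LEN);
    printf("delta over %u iterations: %llu ticks -> %s\n", LOOP_LEN,
           (unsigned long long)diff,
           tsc_looks_faked(diff, LOOP_LEN) ? "TSC appears faked"
                                            : "TSC appears genuine");
#else
    puts("RDTSC not available on this architecture");
#endif
    return 0;
}
```

The interesting property is the gap between the two regimes: a native loop of 100000 iterations costs hundreds of thousands of ticks, while the slide reports deltas of roughly 9 to 171 under Ether, so the threshold does not need careful calibration. A platform that offsets rather than counts the TSC (the alleged TSC_OFFSET behaviour) would pass this particular test.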

CPUID information
- CPUID instruction: processor identification and feature information
- Allegedly: Ether has no in-memory presence
- Reality: the TSC bit returned by CPUID is unset under Ether
- Other bits of information: PAE and PSE are disabled
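A consistency check over the three CPUID leaf 1 feature bits the slide names (TSC, PAE, PSE), usable as a self-test of whether an analysis hypervisor is filtering CPUID results. Added example, not the nEther project's code; the bit positions are the documented CPUID.01H:EDX flags, the function names are this example's own, and the live read compiles only on x86.

```c
/* CPUID leaf 1 feature-consistency check. TSC, PAE and PSE are reported by
   every processor that supports VT, so seeing any of them cleared is a sign
   that CPUID is being filtered. Added example, not nEther's code. */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>              /* __get_cpuid() */
#define HAVE_CPUID 1
#endif

/* CPUID.01H:EDX feature flags (Intel SDM, CPUID instruction) */
#define CPUID1_EDX_PSE (1u << 3)   /* page size extension */
#define CPUID1_EDX_TSC (1u << 4)   /* time stamp counter */
#define CPUID1_EDX_PAE (1u << 6)   /* physical address extension */

struct leaf1_features {
    int pse, tsc, pae;
};

/* Decode the three bits the slide talks about from a raw EDX value. */
struct leaf1_features decode_leaf1_edx(uint32_t edx)
{
    struct leaf1_features f;
    f.pse = (edx & CPUID1_EDX_PSE) != 0;
    f.tsc = (edx & CPUID1_EDX_TSC) != 0;
    f.pae = (edx & CPUID1_EDX_PAE) != 0;
    return f;
}

/* The slide's observation: under Ether the TSC bit is unset and PAE/PSE are
   disabled. Any of the three missing on a VT-capable machine is suspicious. */
int cpuid_looks_filtered(struct leaf1_features f)
{
    return !(f.pse && f.tsc && f.pae);
}

/* Execute CPUID leaf 1 and return its EDX; 0 on failure or non-x86 builds. */
int read_leaf1_edx(uint32_t *edx)
{
#ifdef HAVE_CPUID
    unsigned a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d))
        return 0;
    *edx = d;
    return 1;
#else
    (void)edx;
    return 0;
#endif
}

int main(void)
{
    uint32_t edx;
    if (!read_leaf1_edx(&edx)) {
        puts("CPUID leaf 1 not available");
        return 0;
    }
    struct leaf1_features f = decode_leaf1_edx(edx);
    printf("EDX=0x%08x PSE=%d TSC=%d PAE=%d -> %s\n", edx, f.pse, f.tsc, f.pae,
           cpuid_looks_filtered(f) ? "features missing (filtered CPUID?)"
                                   : "consistent");
    return 0;
}
```

The decode step is kept separate from the CPUID execution so the rule can be exercised on recorded EDX values, for example one captured inside an analysis guest and one from the same host natively; a difference between the two is the side effect the Ether transparency model says must not exist.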

CPU Errata
- Design deficiencies of CPUs
- Some of them are unpredictable
- Cause unexpected system behaviour
- Several have "No Fix" status
- Xen creates virtualized CPUs for privileged instructions
- We have an erratum using MSRs (AH4)
- Access to MSRs is privileged -> VM exit
- Errata are not emulated by virtual CPUs
- Bingo, we have a new feature test

Detecting Intel VT
Table (cell values not recovered in the transcript): erratum AH4; rows: number of updates, number of tests; columns: Native, Xen, Xen + Ether.

Future Work
- Fundamentality of these problems
- Updating the theoretical model and practical implementation of Ether
- Finding more feature tests against other out-of-the-guest approaches (e.g., Azure)
- Proving that perfect transparency has practical limitations

Thanks for Your Attention! Questions?
CrySyS Lab., Budapest University of Technology and Economics

Dynamic Analysis
- Using virtualization
  - Pure software virtualization (QEMU, BOCHS)
  - Sandboxing environments (Anubis, CWSandbox)
- Myriads of detection vectors
  - Timing information (e.g., Racing)
  - In-guest memory scans
  - Invalid instructions
- Novel approaches were required