Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Slides:



Advertisements
Similar presentations
1/1/ / faculty of Electrical Engineering eindhoven university of technology Memory Management and Protection Part 3:Virtual memory, mode switching,
Advertisements

Virtualization Technology
User-Mode Linux Ken C.K. Lee
More on Processes Chapter 3. Process image _the physical representation of a process in the OS _an address space consisting of code, data and stack segments.
Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Implementing an Untrusted Operating System on Trusted Hardware.
Operating System Security : David Phillips A Study of Windows Rootkits.
Computer Science HyperSentry: Enabling Stealthy In-context Measurement of Hypervisor Integrity Ahmed M. Azab, Peng Ning, Zhi Wang, Xuxian Jiang North Carolina.
Chapter 6 Limited Direct Execution
Presented By Srinivas Sundaravaradan. MACH µ-Kernel system based on message passing Over 5000 cycles to transfer a short message Buffering IPC L3 Similar.
Contiki A Lightweight and Flexible Operating System for Tiny Networked Sensors Presented by: Jeremy Schiff.
OS Fall ’ 02 Introduction Operating Systems Fall 2002.
OS Spring’03 Introduction Operating Systems Spring 2003.
1 Last Class: Introduction Operating system = interface between user & architecture Importance of OS OS history: Change is only constant User-level Applications.
Exokernel: An Operating System Architecture for Application-Level Resource Management Dawson R. Engler, M. Frans Kaashoek, and James O’Toole Jr. M.I.T.
KVM/ARM: The Design and Implementation of the Linux ARM Hypervisor Fall 2014 Presented By: Probir Roy.
@ NCSU Zhi NCSU Xuxian Microsoft Research Weidong Microsoft NCSU Peng NCSU ACM CCS’09.
OS Spring’04 Introduction Operating Systems Spring 2004.
Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor.
Virtualization for Cloud Computing
虛擬化技術 Virtualization and Virtual Machines
Fast Dynamic Binary Translation for the Kernel Piyus Kedia and Sorav Bansal IIT Delhi.
CSE598C Virtual Machines and Their Applications Operating System Support for Virtual Machines Coauthored by Samuel T. King, George W. Dunlap and Peter.
Efficient Software-Based Fault Isolation—sandboxing Presented by Carl Yao.
CSE 451: Operating Systems Autumn 2013 Module 6 Review of Processes, Kernel Threads, User-Level Threads Ed Lazowska 570 Allen.
Tanenbaum 8.3 See references
VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.
SymCall: Symbiotic Virtualization Through VMM-to-Guest Upcalls John R. Lange and Peter Dinda University of Pittsburgh (CS) Northwestern University (EECS)
Jakub Szefer, Eric Keller, Ruby B. Lee Jennifer Rexford Princeton University CCS October, 2011 報告人:張逸文.
Protection and the Kernel: Mode, Space, and Context.
80386DX.
Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using.
Operating System Support for Virtual Machines Samuel T. King, George W. Dunlap,Peter M.Chen Presented By, Rajesh 1 References [1] Virtual Machines: Supporting.
Ether: Malware Analysis via Hardware Virtualization Extensions Author: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee Presenter: Yi Yang Presenter:
Operating Systems ECE344 Ashvin Goel ECE University of Toronto OS-Related Hardware.
CS533 Concepts of Operating Systems Jonathan Walpole.
29th ACSAC (December, 2013) SPIDER: Stealthy Binary Program Instrumentation and Debugging via Hardware Virtualization Zhui Deng, Xiangyu Zhang, and Dongyan.
Our work on virtualization Chen Haogang, Wang Xiaolin {hchen, Institute of Network and Information Systems School of Electrical Engineering.
CS533 Concepts of Operating Systems Jonathan Walpole.
Author: Monirul Sharif, Wenke Lee, Weidong Cui, Andrea Lanzi Reportor: Chun-Chih Wu Advisor: Hsing-Kuo Pao Select: CCS09’
Midterm Meeting Pete Bohman, Adam Kunk, Erik Shaw.
Virtual 8086 Mode  The supports execution of one or more 8086, 8088, 80186, or programs in an protected-mode environment.  An 8086.
Operating Systems Security
security breakthrough INTRODUCING hypervisor memory introspection
Processes and Virtual Memory
Lecture 26 Virtual Machine Monitors. Virtual Machines Goal: run an guest OS over an host OS Who has done this? Why might it be useful? Examples: Vmware,
VMM Based Rootkit Detection on Android
Lecture 5 Rootkits Hoglund/Butler (Chapters 1-3).
Chapter 6 Limited Direct Execution Chien-Chung Shen CIS/UD
Study on “Secure In-VM Monitoring Using Hardware Virtualization” Qiang.Guan Dependable Computing System Lab New Mexico Tech.
Introduction to Operating Systems Concepts
Virtualization.
Virtual Machine Monitors
Introduction to Operating Systems
Why VT-d Direct memory access (DMA) is a method that allows an input/output (I/O) device to send or receive data directly to or from the main memory, bypassing.
GPUvm: GPU Virtualization at the Hypervisor
Dynamic Compilation Vijay Janapa Reddi
Protection and OS Structure
CS 6560: Operating Systems Design
Lecture 24 Virtual Machine Monitors
OS Virtualization.
CSE 451: Operating Systems Spring 2012 Module 6 Review of Processes, Kernel Threads, User-Level Threads Ed Lazowska 570 Allen.
Lecture Topics: 11/1 General Operating System Concepts Processes
Hiding Malware Rootkits
The Design & Implementation of Hyperupcalls
Sai Krishna Deepak Maram, CS 6410
Shielding applications from an untrusted cloud with Haven
Interrupts and System Calls
CS295: Modern Systems Virtualization
Presentation transcript:

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch

2 Introduction Problem: Kernel level rootkits can kill security monitoring software Solution: Virtualization allows the monitor to live outside the VM Problem: Out-of-VM monitoring can be very expensive –Why?

3 Out-of-VM monitoring Inspection H Handler C M Monitor code D M Monitor data R Response D P Program data C P Program code K Hook D K Hook data A Adversary program

4 Problem with out-of-VM monitoring Significant performance impact –VM context switch is expensive –Introspection is hypercall-driven: expensive We want a monitor without these problems Performance guarantees: –(P1) Fast invocation: No privilege change for handlers –(P2) Data read/write at native speed: No penalty to access D M or D P

5 Solution: Secure In-VM Monitoring H Handler C M Monitor code D M Monitor data R Response D P Program data C P Program code K Hook D K Hook data A Adversary program

6 Security guarantees Run the monitor inside the VM context, but provide out-of-VM-style security guarantees: –(S1) Isolation of monitor code C M and data D M : Adversary can’t access the monitor at all –(S2) Designated point for switching into C M : There’s only point entry point (tiny attack surface) –(S3) The handler is called iff the hook is triggered: The hook calls the handler; nobody else can –(S4) Behavior of M is not maliciously alterable: No dependency on monitored data or code

7 How to achieve this? Separate address space with a one-way page table for the monitor Small entry/exit gates into this address space –Invocation checker verifies that the call is legit

8 The SIM address space SIM Data/Code The monitor itself Visible only within SIM address space Invocation checker Verifies call chain is legit Visible only in SIM space Entry/exit gates Visible in both Writable only in SIM space Tiny, well crafted Kernel code/data Not executable in SIM space (can't accidentally run insecure code)

9 Changing the address space CR3 register indicates page table directory –Hypervisor controlled To avoid hypercall, use Intel CPU's "CR3_TARGET_LIST" to freely switch between: –P_SHADOW: Process's normal space –SIM_SHADOW: Restricted SIM space

10 Entry/exit gates Only point of entry for SIM address space Entry: –Disable interrupts –Save CPU state to the stack –Switch address space –Re-disable interrupts –Switch stack to a SIM-restricted one –Run invocation checker Exit: –Restore stack, page table, CPU state –Re-enable interrupts –Jump to return point (usually the point of origin)

11 Invocation checker Obviously can't rely on stack Use CPU debug registers to track jump history Lock these registers from modification by VM

12 Security monitor Can't rely on untrusted code –No kernel functions, dynamic libraries, etc. Need to traverse kernel data structures just like the out-of-VM technique (VMI) Hardware access granted by hypervisor API

13 Performance requirements met?  (P1) Fast invocation: Yes: No privilege change needed; just a page table switch  (P2) Data read/write at native speed: Yes: Pages are mapped, accessed natively

14 Security requirements met?  (S1) Isolation of monitor code C M and data D M : Yes: Monitor memory isn't mapped to the process space  (S2) Designated point for switching into C M : Yes: Entry/exit points are the only way in  (S3) The handler is called iff the hook is triggered: Yes: Hook calls handler; calls pass the invocation checker  (S4) Behavior of M is not maliciously alterable: Yes: Untrusted code is non-executable in SIM space

15 Ah, but what if they... Jump into the entry gate after the interrupt disable instruction (CLI)? –It gets re-disabled again after the page table switch Switch to SIM_SHADOW directly? –The next instruction is no longer executable –But what if they do it right before a SIM page? Any page after an unallocated address is made non-executable

16 Implementation Linux KVM host, Windows XP guest To initialize from a trusted boot state, a driver: –Reserves virtual address space for entry/exit gates –Has the hypervisor construct a SIM page table –Loads the security monitor into kernel space and has the hypervisor remap it into SIM space –Informs the hypervisor of each hook and handler; hypervisor generates entry/exit routines accordingly Memory protection: –Don't check every time CR3 is changed, check new page table entries as they are created

17 Evaluation: Monitor invocation Time to enter and exit a no-op handler –SIM: μs –Out-of-VM: μs Factor of 10.7 improvement

18 Evaluation: Process creation monitor Hook process creation Traverse kernel data to find process name Process must be on whitelist to proceed –If not, skip and return failure Average time for process creation: –Traditional In-VM approach: μs –SIM approach: μs(+13.7%) –Out-of-VM approach: μs(+690.5%)

19 Evaluation: System call tracing Make note of every system call, emit trace every 10,000 calls Macrobenchmarks from PCMark 05 suite BenchmarkBareOut-of-VM overhead SIM overhead Memory Latency10.42 MAcc/s84.58%7.97% HTML Render1.12 pg/s52.42%5.83% File Compress3.4 MB/s3.97%0.59% File Encrypt20.56 MB/s7.85%0.89% File Decrypt78.21 MB/s2.53%0.45% HDD15.29 MB/s41.68%3.74% Text Edit82.73 pg/s128.84%9.64% Average-46.10%4.15%

20 Conclusion SIM: The best of both worlds –Security of out-of-VM solution –Performance of traditional in-VM monitoring

21 Concerns Very difficult to develop monitors –No libraries –No system calls –Porting a full-fledge anti-malware package? Interrupt race condition in entry code? CLI PUSHA MOV EAX, SIM_SHADOW MOV CR3, EAX CLI MOV [P_ESP] ESP MOV ESP, [SIM_ESP] JMP INVOKATION_CHECK Address space switch Normal entry Attacker entry Interrupt now?

22 Discussion