Rodney Owens and Weichao Wang Department of SIS UNC Charlotte 1 OS Fingerprinting through Memory De-duplication Technique in Virtual Machines.

Slides:



Advertisements
Similar presentations
Distributed System Lab.1 Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds Thomas Ristenpart ¤, Eran Tromer, Hovav.
Advertisements

Remus: High Availability via Asynchronous Virtual Machine Replication
Rohit Kugaonkar CMSC 601 Spring 2011 May 9 th 2011
Lecture 4: Cloud Computing Security: a first look Xiaowei Yang (Duke University)
Ragib Hasan Johns Hopkins University en Spring 2010 Lecture 3 02/15/2010 Security and Privacy in Cloud Computing.
Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds Yan Qiang,
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Virtualization and Cloud Computing. Definition Virtualization is the ability to run multiple operating systems on a single physical system and share the.
Difference Engine: Harnessing Memory Redundancy in Virtual Machines by Diwaker Gupta et al. presented by Jonathan Berkhahn.
Virtual Memory Introduction to Operating Systems: Module 9.
Virtual Machines What Why How Powerpoint?. What is a Virtual Machine? A Piece of software that emulates hardware.  Might emulate the I/O devices  Might.
Western Michigan University Covert Timing Channels Omar Darwish Instructor: Professor Elise de Doncker.
Hey, You, Get Off of My Cloud
Memory Buddies: Exploiting Page Sharing for Smart Colocation in Virtualized Data Centers Timothy Wood, Gabriel Tarasuk-Levin, Prashant Shenoy, Peter Desnoyers*,
Memory Management 2010.
Computer Organization and Architecture
Scheduler-based Defenses against Cross-VM Side- channels Venkat(anathan) Varadarajan, Thomas Ristenpart, and Michael Swift 1 D EPARTMENT OF C OMPUTER S.
PRASHANTHI NARAYAN NETTEM.
Authors: Thomas Ristenpart, et at.
The Evolution of the Kaspersky Lab Approach to Corporate Security Petr Merkulov, Chief Product Officer, Kaspersky Lab Kaspersky Lab Cyber Conference, Cancun,
Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor.
Virtualization for Cloud Computing
CS364 CH08 Operating System Support TECH Computer Science Operating System Overview Scheduling Memory Management Pentium II and PowerPC Memory Management.
Layers and Views of a Computer System Operating System Services Program creation Program execution Access to I/O devices Controlled access to files System.
Ragib Hasan Johns Hopkins University en Spring 2010 Lecture 2 02/01/2010 Security and Privacy in Cloud Computing.
Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds Written by Thomas Ristenpart Eran Tromer Hovav Shacham Stehan.
Eliminating Fine Grained Timers in Xen Bhanu Vattikonda with Sambit Das and Hovav Shacham.
Virtual Machine Course Rofideh Hadighi University of Science and Technology of Mazandaran, 31 Dec 2009.
Page 19/17/2015 CSE 30341: Operating Systems Principles Optimal Algorithm  Replace page that will not be used for longest period of time  Used for measuring.
Review of Memory Management, Virtual Memory CS448.
DATA DYNAMICS AND PUBLIC VERIFIABILITY CHECKING WITHOUT THIRD PARTY AUDITOR GUIDED BY PROJECT MEMBERS: Ms. V.JAYANTHI M.E Assistant Professor V.KARTHIKEYAN.
Secure & flexible monitoring of virtual machine University of Mazandran Science & Tecnology By : Esmaill Khanlarpour January.
Virtual Machine Security Systems Presented by Long Song 08/01/2013 Xin Zhao, Kevin Borders, Atul Prakash.
Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 4 09/10/2013 Security and Privacy in Cloud Computing.
Saturday, 10 October 2015 Andrew Woods, Thomas Adam, Matthew Welch Memory Leaks Presentation Matthew Welch Thomas Adam Andrew Woods.
29th ACSAC (December, 2013) SPIDER: Stealthy Binary Program Instrumentation and Debugging via Hardware Virtualization Zhui Deng, Xiangyu Zhang, and Dongyan.
Virtualization Part 2 – VMware. Virtualization 2 CS5204 – Operating Systems VMware: binary translation Hypervisor VMM Base Functionality (e.g. scheduling)
High Performance Computing on Virtualized Environments Ganesh Thiagarajan Fall 2014 Instructor: Yuzhe(Richard) Tang Syracuse University.
Chapter 9: Virtual Memory Background Demand Paging Copy-on-Write Page Replacement Allocation of Frames Thrashing Memory-Mapped Files Allocating Kernel.
Hardware process When the computer is powered up, it begins to execute fetch-execute cycle for the program that is stored in memory at the boot strap entry.
Thomas Ristenpart,Eran Tromer, Horav Shahcham and Stefan Savage
HEY, YOU, GET OFF OF MY CLOUD: EXPLORING INFORMATION LEAKAGE IN THIRD-PARTY COMPUTE CLOUDS Eran Tromer MIT Hovav Shacham UCSD Stefan Savage UCSD ACM CCS.
OS Fingerprinting through Memory De-duplication Technique in Virtual Machines Rodney Owens and Weichao Wang Department of SIS UNC Charlotte.
A paper by Thomas Ristenpart, Eran Tromer, Hovav Shacham, and Stefan Savage, Proceedings of the ACM Conference on Computer and Communications Security,
Presented by: Akbar Saidov Authors: M. Polychronakis, K. G. Anagnostakis, E. P. Markatos.
Ch 5 Quick Quiz T F 1. Linux is an example of an operating system. T F 2. With sequential processing techniques, multiple tasks are performed at the exact.
Operating Systems Security
nd Joint Workshop between Security Research Labs in JAPAN and KOREA Polymorphic Worm Detection by Instruction Distribution Kihun Lee HPC Lab., Postech.
Full and Para Virtualization
Hardware process When the computer is powered up, it begins to execute fetch-execute cycle for the program that is stored in memory at the boot strap entry.
Department of Computing, School of Electrical Engineering and Computer Sciences, NUST - Islamabad KTH Applied Information Security Lab Security aspects.
References: “Hey, You, Get Off My Cloud: Exploring Information Leakage in Third-Party Compute Clouds” by Thomas Ristenpart, Eran Tromer – UC San Diego;
Hey, You, Get Off of My Cloud Thomas Ristenpart, Eran Tromer, Hovav Shacham, Stefan Savage Presented by Daniel De Graaf.
Testing Exploits and Malware in an isolated environment Luca Allodi – Fabio Massacci – Vadim Kotov
Thomas Ristenpart , Eran Tromer, Hovav Shacham ,Stefan Savage CCS’09
Secure Offloading of Legacy IDSes Using Remote VM Introspection in Semi-trusted IaaS Clouds Kenichi Kourai Kazuki Juda Kyushu Institute of Technology.
Mapping/Topology attacks on Virtual Machines
Virtualization for Cloud Computing
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING CLOUD COMPUTING
Logistics Homework 5 will be out this evening, due 3:09pm 4/14
Hey, You, Get Off of My Cloud
Written by : Thomas Ristenpart, Eran Tromer, Hovav Shacham,
William Stallings Computer Organization and Architecture
Virtual Memory Management
Group 8 Virtualization of the Cloud
Hands-On Virtualization in the Classroom
Lecture 28: Virtual Memory-Address Translation
Sai Krishna Deepak Maram, CS 6410
Lecture 3: Main Memory.
CSE 542: Operating Systems
Presentation transcript:

Rodney Owens and Weichao Wang Department of SIS UNC Charlotte 1 OS Fingerprinting through Memory De-duplication Technique in Virtual Machines

1. Motivation 2. Our Approach from 500 Miles Away 3. Details of the Approach 2

Organizations using “Infrastructure as a Service.” Attacker can “guess and check” Operating System. Anyone directly using a virtual machine in which an untrusted third party may be allowed to manipulate another virtual machine on the same host. 3

Overview of the Attack 1. Run virtual machine on same host as target. 2. Guess at an OS. 3. Allow memory de-duplication to compare and merge the memory files. 4. Fingerprint the OS based on the access delay. Defense 1. Guest can load other OS signatures. 2. Disable de-duplication 4

Memory de-duplication is when memory pages that have the same contents are only stored in memory once Of particular advantage for a hypervisor hosting several virtual machines that may have the same contents, more memory can be allocated than is available. 5 Details Loc.

Only data that “coincidentally” shares an exactly matching memory page (typically 4KB) is shared. Programs/VMs are not informed when they have a shared memory page. 6 Details Loc.

1. Hypervisor/kernel scans for memory pages that are identical during free clock cycles. 2. If found, make pointers for each virtual memory page to point to a single physical memory page 3. If page is written to in the future, make a copy of the memory page for that individual to write to. “Copy-on-write” 7 Details Loc.

No, with ASLR, memory pages are loaded in random locations. The contents are not changed. The location of the memory pages does not matter, only that they have exactly matching contents. 8 Details Loc.

Not if you guess several memory pages at once. Guess at thousands of memory pages at the same time, the delay will accumulate into the milliseconds, which is measureable. 9 Details Loc.

In a good hypervisor, the APIC timer is virtualized to measure time in the milliseconds accurately. Write your program in assembly and use the timeGetTime directive provided by masm Details Loc.

1. Load VM with desired OS 2. Take memory dump 3. Repeat at least 3 times, more is better Protects from unknown variables, disk caching 4. Split each into 4KB memory pages 5. Repeat with next OS Memory pages present in all samples of one OS, but none of the others, are combined into an “OS signature.” These signatures are what is written to memory; its re- write time is measured after de-duplication for a longer delay than other signatures. 11 Details Loc.

12 LinuxSignature Size (pages) Fedora Ubuntu Windows2000XP SP1 XP SP2 XP SP3 2003Vista 32 bit Vista 64 bit Signature Size (pages) Details Loc.

Windows 95! Very low memory demands Uses PE executable binaries Easy to append signatures to. timeGetTime has a 1ms resolution. 13 Details Loc.

Done with CPU and Memory demands at different levels: Low – left idle Medium: CPU - encryption algorithms are left running Memory – QA+Win32 memory test High – Prime95 stress test 14 Details Loc.

15 Details Loc.

16

1. Load other OS signatures in your VM. 1. Security through obfuscation wastes memory and is not 100%. 2. Change Hypervisor to not de-duplicate OS signature files. 1. Requires a change in the Hypervisor. 17

P. Auffret, “Sinfp, unification of active and passive operating system fingerprinting,” Jour. Comp. Virology, vol. 6, no. 3, pp. 197–205, Fyodor, “Remote os detection via tcp/ip stack fingerprinting,” article.html, Tech. Rep.,1999. L. G. Greenwald and T. J. Thomas, “Toward undetected operating system fingerprinting,” in Proceedings of the first USENIX workshopon Offensive Technologies, 2007, pp. 6:1–6:10. D. Richardson, S. Gribble, and T. Kohno, “The limits of automatic os fingerprint generation,” in ACM workshop on Artificial intelligence and security (AISec), 2010, pp. 24–34. G. Taleck, “Ambiguity resolution via passive os fingerprinting,” in International Symposium on Recent Advances in Intrusion Detection (RAID), 2003, pp. 192–206. A. Verma, P. Ahuja, and A. Neogi, “Power-aware dynamic placement of hpc applications,” in Proceedings of the annual international conference on Supercomputing, 2008, pp. 175–184. A. Aviram, S. Hu, B. Ford, and R. Gummadi, “Determinating timing channels in compute clouds,” in Proceedings of ACM workshop on Cloud computing security workshop, 2010, pp. 103–108. T. Ristenpart, E. Tromer, H. Shacham, and S. Savage, “Hey, you, get off of my cloud: exploring information leakage in third- party compute clouds,” in Proc. of ACM Conference on Computer and Communications Security (CCS), K. Okamura and Y. Oyama, “Load-based covert channels between xen virtual machines,” in Proceedings of the ACM Symposium on Applied Computing, 2010, pp. 173–180. D. Gupta, S. Lee, M. Vrable, S. Savage, A. Snoeren, G. Varghese, G. Voelker, and A. Vahdat, “Difference engine: harnessing memory redundancy in virtual machines,” Commun. ACM, vol. 53, no. 10, pp. 85–93, X. Zhang, Z. Huo, J. Ma, and D. Meng, “Exploiting data deduplication to accelerate live virtual machine migration,” in IEEE International Conference on Cluster Computing, 2010, pp. 88–96. A. Arcangeli, I. Eidus, and C. Wright, “Increasing memory density by using ksm,” in Linux Symposium, 2009, pp. 19–28. K. Suzaki, K. Iijima, T. Yagi, and C. Artho, “Memory deduplication as a threat to the guest os,” in Proceedings of the Fourth European Workshop on System Security, 2011, pp. 1:1–1:6. H. Raj, R. Nathuji, A. Singh, and P. England, “Resource management for isolation enhanced cloud services,” in ACM Cloud Computing Security Workshop, 2009, pp. 77–84. Y. Zhang, A. Juels, A. Oprea, and M. K. Reiter, “Homealone: Coresidency detection in the cloud via side-channel analysis,” in Proceedings of the IEEE Symposium on Security and Privacy (Oakland), 2011, pp. 313–

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.