Stealth malware – Towards Verifiable OSes Joanna Rutkowska Advanced Malware Labs 23 rd Chaos Communication Congress Berlin, Germany, December 28 th, 2006.

Slides:



Advertisements
Similar presentations
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Advertisements

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.
Intrusion Detection Systems By: William Pinkerton and Sean Burnside.
ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification Installation and Cloaking Detection Removal.
Students: Jacek Czeszewski and Marcos Verdini Rosa Professor: José Manuel Magalhães Cruz.
Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
System Security Scanning and Discovery Chapter 14.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Vijay krishnan Avinesh Dupat  Collection of tools (programs) that enable administrator-level access to a computer or computer network.  The main purpose.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.
SubVirt: Implementing malware with virtual machines Yi-Min Wang Chad Verbowski Helen J. Wang Jacob R. Lorch Microsoft Research Samuel T. King Peter M.
Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor.
Real Security for Server Virtualization Rajiv Motwani 2 nd October 2010.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using.
Rootkits. EC-Council The Problem  Microsoft Corp. security researchers are warning about a new generation of powerful system-monitoring programs, or.
Vijay Krishnan Avinesh Dupat. A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators.
Copyright Security-Assessment.com 2006 Rootkits – Advanced Malware Presented by Darren Bilby Brightstar, IT Security Summit, April 2006.
The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.
An approach to on the fly activation and deactivation of virtualization-based security systems Denis Efremov Pavel Iakovenko
A virus is software that spreads from program to program, or from disk to disk, and uses each infected program or disk to make copies of itself. Basically.
1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
1 CHAPTER 2 LAWS OF SECURITY. 2 What Are the Laws of Security Client side security doesn’t work Client side security doesn’t work You can’t exchange encryption.
Dr. Richard Ford  Szor 12  Virus Scanners – why they need to scan memory and what issues there are in this area.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
CSE 4481 Computer Security Lab Mark Shtern. INTRODUCTION.
1 Network and E-commerce Security Nungky Awang Chandra Fasilkom Mercu Buana University.
Operating Systems Security
Security Vulnerabilities in A Virtual Environment
Wireless and Mobile Security
Copyright Security-Assessment.com 2006 Rootkits – Advanced Malware Presented by Darren Bilby Brightstar, IT Security Summit, April 2006.
Rootkit Hunting vs. Compromise Detection Joanna Rutkowska invisiblethings.org Black Hat Federal 2006, Washington D.C., January 25 th 2006.
Introduction Program File Authorization Security Theorem Active Code Authorization Authorization Logic Implementation considerations Conclusion.
Lecture 4 Page 1 CS 111 Online Modularity and Virtualization CS 111 On-Line MS Program Operating Systems Peter Reiher.
Privilege Escalation Two case studies. Privilege Escalation To better understand how privilege escalation can work, we will look at two relatively recent.
Role Of Network IDS in Network Perimeter Defense.
Lecture 5 Rootkits Hoglund/Butler (Chapters 1-3).
Rootkits vs. Stealth by Design Malware Joanna Rutkowska invisiblethings.org Black Hat Europe 2006, Amsterdam, March 2 nd 2006.
Lecture9 Page 1 CS 236 Online Operating System Security, Con’t CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Lecture 8 Rootkits Hoglund/Butler (Chapter 7-8). Avoiding detection Two ways rootkits can avoid detection –Modify execution path of operating system to.
Securing a Host Computer BY STEPHEN GOSNER. Definition of a Host  Host  In networking, a host is any device that has an IP address.  Hosts include.
By the end of this lesson you will be able to: 1. Determine the preventive support measures that are in place at your school.
Cosc 4765 Antivirus Approaches. In a Perfect world The best solution to viruses and worms to prevent infected the system –Generally considered impossible.
Common System Exploits Tom Chothia Computer Security, Lecture 17.
Modularity Most useful abstractions an OS wants to offer can’t be directly realized by hardware Modularity is one technique the OS uses to provide better.
Security+ All-In-One Edition Chapter 1 – General Security Concepts
Secure Software Confidentiality Integrity Data Security Authentication
Outline What does the OS protect? Authentication for operating systems
Fighting Stealth Malware – Towards Verifiable OSes
Outline What does the OS protect? Authentication for operating systems
Rootkit A rootkit is a set of tools which take the ability to access a computer or computer network at administrator level. Generally, hackers install.
Security in Networking
Practical Rootkit Detection with RAI
Chap 10 Malicious Software.
Hiding Malware Rootkits
Security.
Chap 10 Malicious Software.
Sai Krishna Deepak Maram, CS 6410
Operating System Concepts
Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
6. Application Software Security
Presentation transcript:

Stealth malware – Towards Verifiable OSes Joanna Rutkowska Advanced Malware Labs 23 rd Chaos Communication Congress Berlin, Germany, December 28 th, 2006

2© COSEINC Advanced Malware Labs, 2006 Stealth Malware rootkits, backdoors, keyloggers, etc… stealth is a key feature! stealth – means that legal processes can’t see it (A/V) stealth – means that administrator can’t see it (admin tools) stealth – means that we should never know whether we’re infected or not!

3© COSEINC Advanced Malware Labs, 2006 Paradox… If a stealth malware does its job well… …then we can not detect it… …so how can we know that we are infected?

4© COSEINC Advanced Malware Labs, 2006 How we know that we were infected? We count on the bug in the malware! We hope that the author forgot about something! We use hacks to detect some known stealth malware (e.g. hidden processes). We need to change this! We need a systematic way to check for a system integrity! We need a solution which would allow us to detect malware which is not buggy!

The 4 Myths About Stealth Malware Fighting!

6© COSEINC Advanced Malware Labs, 2006 Myth #1 Remove the disk and scan for anomalies on a trusted machine! Alternative version: boot system from the clean CD This will not work against non-persistent rootkits! This will also not work against persistent rootkits, which do not rely on disk to survive reboot BIOS-resident rootkits PCI-ROM resident rootkits Ask John Heasman for details ;)

7© COSEINC Advanced Malware Labs, 2006 Myth #2 Detect malware by analyzing network activity! After all, every piece of malware needs to “call home” or allow for some other form of communication with the attacker… We will catch it then, right? Malware may use advanced forms of covert channels, making its network-based detection virtually impossible in practice…

8© COSEINC Advanced Malware Labs, 2006 Covert channels

9© COSEINC Advanced Malware Labs, 2006 Simple data hiding in HTTP GET / HTTP/1.0 Host: User-Agent: Mozilla/5.0 ( ) Accept: text/html Accept-Language: en,fr,en,fr,en,en,en,en Accept-Encoding: gzip,deflate,compress Accept-Charset: ISO ,utf-8,ISO CONNECTION: close Proxy-Connection: close X-Microsoft-Plugin: unexpected error # source:

10© COSEINC Advanced Malware Labs, 2006 NUSHU proof of concept Presented at 21 st CCC in 2004 by yours truly Passive – do not generate any packets, just changes some fields (TCP ISN) in the packets generated by a user Uses strong encryption to make the new ISN’s look random Implements error recovery protocol Exemplary implementation for Linux 2.4 kernel

11© COSEINC Advanced Malware Labs, 2006 Passive Covert Channels

12© COSEINC Advanced Malware Labs, 2006 Statistical detection Source: Steven J. Murdoch and Stephen Lewis, Computer Laboratory University of Cambridge, 22 nd CCC, 2005.

13© COSEINC Advanced Malware Labs, 2006 Improving NUSHU Not enough randomness is bad, but too much of randomness is not good either! We need to mimic the original OS ISN generator as closely as possible Murdoch and Lewis analyzed the Linux and BSD kernel generators in detail and proposed how to improve NUSHU so that it won’t be detectable by such easy statistical analysis Does that mean the improved scheme is totally undetectable? In theory: probably not… In practice: for sure!

14© COSEINC Advanced Malware Labs, 2006 Myth #3 Find malware by looking for hidden objects! Hidden processes, threads, files, reg keys, etc. Malware may be “Stealth by Design” and does not create any objects See e.g. my deepdoor proof-of-concept presented at BH Federal 2006.

15© COSEINC Advanced Malware Labs, 2006 Myth #4 Deploy efficient protection technology and don’t worry about rootkits anymore! Do you know a prevention technology which has never been bypassed (having a clear vulnerability record)? Anyone? Also – an attacker can always exploit a bug (e.g. in kernel graphics card driver)

16© COSEINC Advanced Malware Labs, 2006 Kernel Protection bypasses Linux + grsecurity: /dev/kmem protection bypass, Guillaume Pelat, SELinux local priv esacaltion, Rafal Wojtczuk, OpenBSD securelevel bypass, Loïc Duflot at el., Vista kernel drivers signature check bypass, Joanna Rutkowska, [+ all overflows in kernel drivers] Still believe that we can come up with a 100% kernel protection? ;)

17© COSEINC Advanced Malware Labs, 2006 Yin & Yang of Security Prevention Detection Reaction

18© COSEINC Advanced Malware Labs, 2006 Detection In my work I focus on detection And I believe that the proper approach to detection is a Systematic Verification of running OS & Applications In contrast to “chaotic detection” as we see today, which is based on implementing various “hacks” against known rootkiting techniques… Yes, I also created several “chaotic detectors” in the past ;)

19© COSEINC Advanced Malware Labs, 2006 Detection vs. Prevention Prevention: do everything so that attacker doesn’t get into your system firewalls, OS hardening (least priv, NX, ASLR, etc…) Detection: Am I compromised or not? We do need detection! We do need a systematic approach to detection! Not just hacks!

20© COSEINC Advanced Malware Labs, 2006 Detection vs. Prevention If our prevention is not perfect (and it never is!) then: We can not be sure that somebody already not exploited the bug in it and “owned our system” Updating our prevention system today will help to mitigate only future incidents. But how do we know that it already hasn’t been exploited? Yes, we need detection! Detection, on the other hand, can always be improved and it gives immediate answer whether somebody compromised the system in the past. The point: detection doesn’t need to be 100% to be useful, prevention (if used alone) does!

21© COSEINC Advanced Malware Labs, 2006 How malware gets installed? Is it: Exploit? Unauthorized use of a (stolen) password? Malicious employee? User’s stupidity (click on an attachment)? Important for prevention Irrelevant for detection! We don’t care about the history of infection – we just want to evaluate the state of the system at the present time – here and now!

22© COSEINC Advanced Malware Labs, 2006 What is System Compromise? Action which subverts at least one of the: operating system (critical) applications running in the system Does this without user consent There is no documented way to find out that the subversion took place This is a different definition then all A/V programs use! This is a narrowed problem.

23© COSEINC Advanced Malware Labs, 2006 OS View

24© COSEINC Advanced Malware Labs, 2006 Malware classification proposal Type 0: Malware which doesn’t modify OS in any undocumented way nor any other process (non- intrusive), Type I: Malware which modifies things which should never be modified (e.g. Kernel code, BIOS which has it’s HASH stored in TPM, MSR registers, etc…), Type II: Malware which modifies things which are designed to be modified (e.g. DATA sections). Type III: Malware which doesn’t modify OS nor Apps at all – but still intercepts and controls the system!

25© COSEINC Advanced Malware Labs, 2006 Type 0 Malware

26© COSEINC Advanced Malware Labs, 2006 Type 0 Malware Doesn’t fall under my the definition of system compromise! They do not compromise other Applications or kernel. They might be “bad”, but they not make other’s applications “bad”. Examples include all simple botnets, trojans, etc…, which are implemented in the form of a standalone application (i.e. do not interact with other processors nor kernel) Favorite are of research of all A/V vendors ;) Whether evil.exe is “bad” or “legitimate”?

27© COSEINC Advanced Malware Labs, 2006 Type I Malware

28© COSEINC Advanced Malware Labs, 2006 Type I Malware examples Hacker Defender (and all commercial variations) Sony Rootkit Apropos Adore (although syscall tables is not part of kernel code section, it’s still a thing which should not be modified!) Suckit Shadow Walker – Sherri Sparks and Jamie Butler Although IDT is not a code section (actually it’s inside an INIT section of ntoskrnl ), it’s still something which is not designed to be modified!

29© COSEINC Advanced Malware Labs, 2006 Type I Malware detection We need to verify that all those “constant things”, like e.g. code sections, has not been touched… We need a baseline to compare with Hash (requires “learning phase”) Digital signature (requires some sort of PKI)

30© COSEINC Advanced Malware Labs, 2006 Digital Signatures: Prevention vs. Detection Executables signing may play two different roles: To prevent execution of untrusted code (prevention) To allow for detection of code modifications (detection) The preventive role of code signing usually doesn’t work too well – there are always many ways to bypass it (e.g. exploit + arbitrary shellcode)… But that is not important for us as we focus on detection!

31© COSEINC Advanced Malware Labs, 2006 Fighting Type I malware on Windows VICE SVV Patch Guard by MS on 64 bit Windows Today’s challenge: false positives Lots of nasty apps which use tricks which they shouldn’t use (mostly AV products) Tomorrow: Patch Guard should solve all those problems with false positives for Type I Malware detection… … making Type I Malware detection a piece of cake!

32© COSEINC Advanced Malware Labs, 2006 System Virginity Verifier Idea Code sections are read-only in all modern OSes Program should not modify their code! Idea: check if code sections of important system DLLs and system drivers (kernel modules) are the same in memory and in the corresponding PE files on disk Don’t forget about relocations! Skip.idata etc…

33© COSEINC Advanced Malware Labs, 2006 Patch Guard By Microsoft, to be (is) included in all x64 Windows Actions forbidden: Modifying system service tables Modifying the IDT Modifying the GDT Using kernel stacks that are not allocated by the kernel Patching any part of the kernel (detected on AMD64-based systems only) [I assume they mean code sections here] Can PG be subverted? Ask Metasploit ;) Also PG doesn’t prevent Type II and Type III malware But this is not important!

34© COSEINC Advanced Malware Labs, 2006 Patch Guard Important thing is: PG should force all the legal (non malicious) apps to not use all those rootkit-like tricks (which dozens of commercial products use today) PG should clear the playground, making it much easier to create tools like SVV in the future It won’t be necessary to implement smart heuristics to distinguish between Personal Firewall-like hooking and rootkit-like hooking It’s unlikely that PG bypassing techniques could be used by serious software companies, because it will give MS the right to treat their products as malware!

35© COSEINC Advanced Malware Labs, 2006 Type II Malware

36© COSEINC Advanced Malware Labs, 2006 Type II Malware examples He4Hook (only some versions) – Raw IRP hooking on fs driver prrf by palmers (Phrack 58!) – Linux procfs smart data manipulation to hide processes (possibility to extend to arbitrary files hiding by hooking VFS data structures) FU by Jamie Butler, FUto by Jamie and Peter Silberman PHIDE2 by – very sophisticated process hider, still however easily detectable with X-VIEW... Deepdoor by yours truly

37© COSEINC Advanced Malware Labs, 2006 Fighting Type II Malware There are three issues here: To know where to look To understand what we read To be able to read memory But… we all know how to read memory, don’t we?

38© COSEINC Advanced Malware Labs, 2006 Type II Malware Detection cont. “To know where to look” issue there is lots of data inside the OS… how to make sure that we check all the potential places? Consider network backdoor implementation on Windows: … TDI hooking NDIS additional protocol registered NDIS_OPEN_BLOCK hooking (deepdoor) X_BINDING_INFO hooking (Alex Tereshkin, BH Vegas 2006) …

39© COSEINC Advanced Malware Labs, 2006 Type II Malware Detection cont. To understand what we read What does it mean that e.g. openBlk->ReceivePacketHandle == 0xffab0042 We need to know how to interpret those values – so, we need to understand the semantics behind the data structures which we need to verify… The simple solution in case of function pointers is: Check whether it points into a valid code section of a trusted module We need to first determine whether the section is valid and whether the modules is trusted (solve Type I detection)! BTW, this scheme can still be cheated ;)

40© COSEINC Advanced Malware Labs, 2006 Type II Malware Detection cont. To be able to read memory Hey, that shouldn’t be a problem All computers are just Turning machines, right? Yes, but complicated ones…

41© COSEINC Advanced Malware Labs, 2006 Memory Reading: software based Usually we use a kernel driver or LKM to access all memory (including kernel) This might be implemented as a hypervisor on processors which support hardware virtualization to resist ISA attacks However: We need to properly synchronize with memory manager We can read only virtual memory – see Shadow Walker of how easy it is to cheat about virtual memory We need a way to access page directory reliably (and securely) – but how we convert CR3 physical address to virtual address? No, we can’t rely on OS “default” mapping here!

42© COSEINC Advanced Malware Labs, 2006 Memory Reading: DMA (hardware based) Super Reliable! Does not require additional software on a target computer – non-invasive Hardware is cheap (FireWire cable will do the job) But: Can not read paged-out memory :( Also – are you sure that it’s actually that reliable? ;)

43© COSEINC Advanced Malware Labs, 2006 Type II Malware – bottom line Today we can not design a systematic detection method against type II malware for most (all?) of the OSes Changes (little) in the design of the OS are needed to make type II malware detection feasible – see later.

Towards Systematic Verification of the OS & Applications…

45© COSEINC Advanced Malware Labs, 2006 Ultimate Goal We want a recipe to create a detector Software based Hardware based (DMA) Hypervisor based Detector, once run against a given system, would return the verdict: 0 – means system is clean 1 – means system is compromised (i.e. infected with Type I, II or III malware)

46© COSEINC Advanced Malware Labs, 2006 Problem We don’t know how to solve the problem of Type II malware… Because the operating systems are too complex: We don’t know what to check We can’t safely and reliably read memory

47© COSEINC Advanced Malware Labs, 2006 Changing the rules a bit… But maybe we could change the rules of the game a little bit? How about we introduced the following requirement : The only executable pages in the system (kernel) are those which contain trusted code. All others pages should be marked as non-executable. For now, let’s focus on kernel only, so we avoid the problem of some usermode applications, which would like to violate this requirement: e.g. JIT compilers.

48© COSEINC Advanced Malware Labs, 2006 Verifiable OS: requirements 1.Underlying processor must support non-executable attribute on a per-page level 2.OS must maintain strong data/code separation on a per-page level 3.There must exist a way to verify code on a per-page level (e.g. digital signatures implemented) 4.OS must allow to safely read raw memory by a 3 rd party program (kernel driver). Alternatively, if paging must be disabled, if hardware based access is to be used.

49© COSEINC Advanced Malware Labs, 2006 Verification of the OS For each memory page in the system: If the page is marked as executable then check if the code contained within the page is trusted (e.g. verify the fingerprint).

50© COSEINC Advanced Malware Labs, 2006 Code/Data separation in various OSes Code/Data separation becomes more and more popular recently as a way to mitigate exploitation attempts (AKA non-exec) Windows x64 (including Vista): Kernel stack, Paged Pool, Session Pool – NX bit set All other pages are executable, including those from Non- paged pool NetBSD – implements code/data separation as a result of W^X policy (probably also Open- and FreeBSD) Linux – PaX enforces code/data separation (not sure if it works in kernel already, on only in usermode)

51© COSEINC Advanced Malware Labs, 2006 Code signing in various OSes Windows: all system executables are digitally signed Vista x64: all 3 rd party kernel drivers are signed NetBSD: veriexec allows for associating fingerprints with files and then for per-page verification (see later) Doesn’t work with digital signatures, yet Linux: as a 3 rd party extensions only (?) Solaris: Implements signed binaries (ELFs), starting from version 10

52© COSEINC Advanced Malware Labs, 2006 NetBSD – the first verifiable OS? Veriexec – could be used to implement verification of code on a page-level granularity Work done by Brett Lymn Implements code/data separation on page-level granularity (as a result of W^X) Memory reading problem is still not solved but is being looked into by Elad Efrat :) We should get some running POC within coming months! Ask Elad Efrat for more details!

53© COSEINC Advanced Malware Labs, 2006 Implementation Specific Attacks (ISA) Any given program (executable) can be cheated using an implementation specific attack! (if it runs with the same privileges as malware does) E.g. we can patch the ‘IF’ statement in the program: If (kernelInfected) printf (“Dear user, you’re in troubles!\n”); It’s trivial for a rootkit to implement ISA against well known detectors – see e.g. commercial Hacker Defender rootkit (now defunct)

54© COSEINC Advanced Malware Labs, 2006 Mitigating ISA Detector/Verifier located in hypervisor Using a hardware based memory access PCI card FireWire Problem with paged-out memory Using a non-public detector acceptable in e.g. corporate environment

Now imagine we have solved all those problems…

56© COSEINC Advanced Malware Labs, 2006 Type III Malware

57© COSEINC Advanced Malware Labs, 2006 Type III malware examples Vitriol (Dino Dai Zovi, Black Hat Vegas 2006) – abuses Intel VT-x virtualization technology, works on MacOS Blue Pill (J. Rutkowska, SyScan/Black Hat Vegas 2006) – abuses AMD SVM virtualization technology, works on Vista x64.

58© COSEINC Advanced Malware Labs, 2006 Fighting Type III malware Timing analysis in case of virtualization based malware Practical problems (trusted time source?) Next generation VM based software might be immune to timing analysis – ongoing research – stay tuned ;) Detecting side effects Network communication Disk usage (in case of persistent malware – not necessarily hidden files, but e.g. infected files)

59© COSEINC Advanced Malware Labs, 2006 Type III malware detection in practice Today it seems that it’s not possible to detect (verify OS against) type III malware in any systematic way :( We may imagine exploiting a bug in hardware virtualization implementation which would reveal the presence of a hypervisor (something ala redpill)… … but that would be just that – a (temporarily) hack And we want a systematic way (documented, legal, reliable)!

60© COSEINC Advanced Malware Labs, 2006 Hardware Red Pill? How about creating a new instruction – SVMCHECK: mov rax, svmcheck cmp rax, 0 jnz inside_vm Password should be different for every processor Password is necessary so that it would be impossible to write a generic program which would behave differently inside VM and on a native machine. Users would get the passwords on certificates when they buy a new processor or computer Password would have to be entered to the AV program during its installation.

61© COSEINC Advanced Malware Labs, 2006 kernel protection vs. hypervisor protection On an average general purpose OS there is a lot of kernel code: core kernel all kernel drivers Making sure there is no bug in all kernel mode software is impossible – kernel prevention will never be satisfactory Hypervisor can be very thin – easily auditable and most importantly there is no need for 3 rd party code in hypervisor (ala kernel drivers). Thus: effective hypervisor protection seems feasible, (unlike kernel protection).

62© COSEINC Advanced Malware Labs, 2006 Bottom Line Type 0 malware is beyond the scope of my research Type I malware is relatively easy to fight But we can’t fight type II malware effectively without changing the OS design a little bit ISA are always possible, but we can mitigate those attacks in practice Effective verification against type III malware is unfeasible without the help from CPU-vendors (hardware redpill) Prevention against type III malware seems feasible

63© COSEINC Advanced Malware Labs, 2006 Happy New Year? Gartner: 10 Key Predictions for 2007: #5: By the end of 2007, 75 percent of enterprises will be infected with undetected, financially motivated, targeted malware that evaded their traditional perimeter and host defenses. (source: eWeek)

64© COSEINC Advanced Malware Labs, 2006 Stealth Malware – The Battle So, can the good guys win? No, unless OS vendors will join the game! Who can we trust, then? For sure not our operating systems :(

65© COSEINC Advanced Malware Labs, 2006 Credits Elad Efrat of NetBSD

Thank you!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.