An Out-of-the-Box Approach to High Assurance Computer System Monitoring and Integrity Protection. Cyber Defense Conference, Rome, NY, May 12-14, 2008.

Presentation transcript:

An Out-of-the-Box Approach to High Assurance Computer System Monitoring and Integrity Protection
Cyber Defense Conference, Rome, NY, May 12-14, 2008
Xuxian Jiang, Assistant Professor, Dept. of Computer Science, George Mason University
Dongyan Xu, Associate Professor, CERIAS and Dept. of Computer Science, Purdue University

Outline
- Motivation
- "Out-of-the-box" for high assurance
- New VMM component: OBSERV
- New capabilities enabled
  - High assurance system monitoring
  - Stealth malware detection
  - External run of COTS anti-virus software
  - OS integrity protection against kernel rootkits
- Planned work
- Summary

Motivation
- Malware remains a top concern in cyber defense
- Malware: viruses, worms, rootkits, spyware, bots…

- Rootkit attack trend (Source: McAfee Avert Lab Report, April 2006)
  [Chart labels: 400% growth; Q1 of % growth; Viruses, worms, bots, …]

Why Going "Out-of-the-Box"?
- State-of-the-art: running high-assurance modules (e.g., anti-virus systems) inside the monitored system
- Advantage: they can see everything (e.g., files, processes…)
- Disadvantage: they cannot see anything!
  [Figure: VirusScan, Firefox, IE, … all running on top of the OS kernel]

Why Going "Out-of-the-Box"?
- Fundamental flaw in current practice
  - Malware and malware defense running in the same system space at the same privilege level
  - No clear winner in this "arms race"
- Solution: going "out-of-the-box"
  [Figure: Firefox, IE, … on top of the OS kernel; VirusScan moved below, beside the Virtual Machine Monitor (VMM)]

The "Semantic-Gap" Challenge
- What we get:
  - Low-level states: memory pages, disk blocks…
  - Low-level events: privileged instructions, interrupts, I/O…
- What we want:
  - High-level semantic states: files, processes…
  - High-level semantic events: system calls, context switches…
  [Figure: VirusScan below the Virtual Machine Monitor (e.g., VMware, Xen), separated from the Guest OS by the semantic gap]

Our Solution: OBSERV
- OBSERV: "Out-of-the-Box" with SEmantically Reconstructed View
- A new component missing in current VMMs
  [Figure: Firefox, IE, … on top of the OS kernel; OBSERV inside the Virtual Machine Monitor (VMM)]

New Capabilities
- Capability I: High-assurance system logging
- Capability II: Malware detection by view comparison
- Capability III: External run of COTS anti-virus software
- Capability IV: OS kernel integrity protection
  [Figure: Firefox, IE, … on top of the OS kernel; OBSERV inside the Virtual Machine Monitor (VMM); the OBSERV view is diffed against the in-the-box view]

OBSERV: Bridging the Semantic Gap
- Step 1: Procuring low-level VM states and events (VM introspection)
  - Disk blocks, memory pages, registers…
  - Traps, interrupts…
- Step 2: Reconstructing the high-level semantic view (guest view casting)
  - Files, directories, processes, and kernel modules…
  - System calls, context switches…

Step 1: VM Introspection
- Raw VMM observations of the Virtual Machines (VMs):
  - VM disk image
  - VM hardware state (e.g., registers)
  - VM physical memory
  - VM-related low-level events (e.g., interrupts)

Step 2: Guest View Casting
- Key observation: the guest OS provides all semantic "templates" of data structures and functions needed to reconstruct the VM's semantic view
  [Figure: OBSERV in the Virtual Machine Monitor (VMM) bridging the semantic gap to the Guest OS]

Guest View Casting
- Raw VMM observations → casted guest functions and data structures → reconstructed semantic view:
  - VM disk image → device drivers, file system drivers
  - VM hardware state (e.g., registers) → CR3, MSR_SYSENTER_CS, MSR_SYSENTER_EIP/ESP
  - VM physical memory → memory translation, task_struct, mm_struct
  - VM-related low-level events (e.g., interrupts) → event semantics, event-specific arguments… → syscalls, context switches, …

Guest View Casting on Memory State
  [Figure: reconstructed process list and process memory layout]

OBSERV Capability I
- Capability I: High-assurance system logging
  [Figure: Firefox, IE, … on top of the OS kernel; OBSERV inside the Virtual Machine Monitor (VMM)]
- X. Jiang, X. Wang, "'Out-of-the-Box' Monitoring of VM-Based High-Interaction Honeypots", International Symposium on Recent Advances in Intrusion Detection (RAID 2007)

OBSERV Capabilities II and III
- Capability II: Stealth malware detection by view comparison
- Capability III: External run of COTS anti-virus software
  [Figure: Firefox, IE, … on top of the OS kernel; OBSERV inside the Virtual Machine Monitor (VMM); the OBSERV view is diffed against the in-the-box view]
- X. Jiang, X. Wang, D. Xu, "Stealthy Malware Detection Through VMM-Based 'Out-of-the-Box' Semantic View Reconstruction", ACM Conference on Computer and Communications Security (CCS 2007)

View Comparison for Malware Detection
- Experiment setup
  - Both guest OS and host OS run Windows XP (SP2)
  - VMM: VMware Server
  - Running Symantec AntiVirus twice: inside and outside
  - Rootkits: Hacker Defender, NTRootkit

  [Screenshots: external scanning result, internal scanning result, and their diff]
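As an added illustration of Step 2 (guest view casting on memory state) and of Capability II (view comparison), not code from the OBSERV project: the block below walks a constructed guest memory image using a hypothetical, simplified task_struct template to reconstruct the process list out-of-the-box, then diffs it against a constructed in-the-box listing so that a process the guest no longer reports shows up as hidden.

```python
import struct
from typing import Dict, List, Tuple

# Hypothetical, simplified task_struct "template" (constructed for this example;
# a real guest kernel's layout is version-specific and must come from the guest
# OS itself, which is exactly what guest view casting relies on):
#   offset 0: pid  (u32)
#   offset 4: next (u32, guest-physical address of the next task, 0 = end of list)
#   offset 8: comm (16 bytes, NUL-padded process name)
TASK_FMT = "<II16s"
TASK_SIZE = struct.calcsize(TASK_FMT)  # 24 bytes

def build_sample_memory(tasks: List[Tuple[int, str]], base: int = 0x1000) -> Tuple[bytes, int]:
    """Construct a fake guest physical memory image holding a linked task list."""
    mem = bytearray(0x2000)
    for i, (pid, comm) in enumerate(tasks):
        addr = base + i * TASK_SIZE
        nxt = base + (i + 1) * TASK_SIZE if i + 1 < len(tasks) else 0
        mem[addr:addr + TASK_SIZE] = struct.pack(TASK_FMT, pid, nxt, comm.encode())
    return bytes(mem), base

def cast_process_list(mem: bytes, head: int, max_entries: int = 4096) -> Dict[int, str]:
    """Guest view casting: walk raw memory using the task_struct template and
    return the reconstructed {pid: name} view. The visited-set and the entry cap
    guard against a corrupted or maliciously looped list."""
    view: Dict[int, str] = {}
    seen = set()
    addr = head
    while addr and addr not in seen and len(view) < max_entries:
        if addr + TASK_SIZE > len(mem):
            raise ValueError(f"task pointer 0x{addr:x} points outside guest memory")
        seen.add(addr)
        pid, nxt, comm = struct.unpack_from(TASK_FMT, mem, addr)
        view[pid] = comm.split(b"\0", 1)[0].decode(errors="replace")
        addr = nxt
    return view

def view_diff(observ_view: Dict[int, str], in_box_view: Dict[int, str]) -> Dict[int, str]:
    """Capability II: processes visible out-of-the-box but absent from the
    in-the-box view (what a guest-side process listing reports) are hidden."""
    return {pid: name for pid, name in observ_view.items() if pid not in in_box_view}

if __name__ == "__main__":
    mem, head = build_sample_memory([(1, "init"), (1234, "hidden_svc"), (2000, "explorer")])
    observ = cast_process_list(mem, head)
    in_box = {1: "init", 2000: "explorer"}   # constructed: the guest no longer reports pid 1234
    print("hidden:", view_diff(observ, in_box))
```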

OBSERV Capability IV: OS Kernel Integrity Protection
- High-assurance OS kernel
  - No malicious kernel code
  - No kernel rootkit attacks
- Two main tasks:
  - Tracking run-time kernel code layout
  - Enforcing the following properties:
    - Only loading authenticated kernel code
    - Only executing authenticated kernel code
- R. Riley, X. Jiang, D. Xu, "Guest-Transparent Prevention of Kernel Rootkits with VMM-based Memory Shadowing", CERIAS Technical Report TR , Purdue University, 2008

OBSERV NICKLE: "No Instruction Creeping into Kernel Level Executed"
- Step 1: Create two memory spaces
  - Standard memory
  - Shadow memory
- Step 2: Authenticate and copy kernel code to shadow memory
- Step 3: Memory access dispatch
  - Kernel code fetch -> shadow memory
  - All other accesses -> standard memory
  [Figure: NICKLE inside the VMM, below the Guest OS; kernel code in standard memory is copied to shadow memory]
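An added toy model of the three NICKLE steps above, written for this page and not the project's code: the standard/shadow memory split, authentication of kernel code against an assumed SHA-256 allowlist before it is copied to shadow memory, and the access dispatch that serves kernel code fetches from shadow memory only. Denying a kernel code fetch from an address holding no authenticated code is modeled as returning None; that is an assumption of the model, not the paper's policy.

```python
import hashlib
from typing import Iterable, List, Optional, Tuple

def code_hash(code: bytes) -> str:
    """Digest used to authenticate kernel code (assumed: a SHA-256 allowlist)."""
    return hashlib.sha256(code).hexdigest()

class NickleMemory:
    """Toy model of NICKLE's standard/shadow memory and its access dispatch."""

    def __init__(self, size: int, trusted_hashes: Iterable[str]) -> None:
        self.standard = bytearray(size)      # what the guest sees and writes (Step 1)
        self.shadow = bytearray(size)        # holds authenticated kernel code only (Step 1)
        self.trusted = set(trusted_hashes)
        self.authenticated: List[Tuple[int, int]] = []   # (start, end) ranges in shadow memory

    def load_kernel_code(self, addr: int, code: bytes) -> bool:
        """Step 2: the guest loads kernel code into standard memory; NICKLE copies
        it to shadow memory only if it authenticates against the allowlist."""
        self.standard[addr:addr + len(code)] = code
        if code_hash(code) not in self.trusted:
            return False                     # unauthenticated code never reaches shadow memory
        self.shadow[addr:addr + len(code)] = code
        self.authenticated.append((addr, addr + len(code)))
        return True

    def guest_write(self, addr: int, data: bytes) -> None:
        """Any non-code-fetch access goes to standard memory (Step 3)."""
        self.standard[addr:addr + len(data)] = data

    def access(self, addr: int, length: int, kernel_code_fetch: bool) -> Optional[bytes]:
        """Step 3 dispatch: kernel code fetches are served from shadow memory,
        everything else from standard memory. A code fetch from a range holding
        no authenticated code is modeled as denied (returns None)."""
        if not kernel_code_fetch:
            return bytes(self.standard[addr:addr + length])
        if not any(s <= addr and addr + length <= e for s, e in self.authenticated):
            return None
        return bytes(self.shadow[addr:addr + length])

if __name__ == "__main__":
    good = bytes.fromhex("554889e5c3")       # constructed, "authenticated" kernel function bytes
    bad = bytes.fromhex("9090cc")            # constructed, unauthenticated module bytes
    mem = NickleMemory(0x100, [code_hash(good)])
    mem.load_kernel_code(0x10, good)
    mem.load_kernel_code(0x40, bad)
    mem.guest_write(0x10, b"\xe9")           # in-guest overwrite of the function's first byte
    print(mem.access(0x10, 5, kernel_code_fetch=False).hex())   # modified bytes in standard memory
    print(mem.access(0x10, 5, kernel_code_fetch=True).hex())    # original code is what executes
```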

Demonstration of Effectiveness
- Successfully preventing 23 real-world kernel rootkits!

Planned Work
- Porting OBSERV to hardware
  - FPGA, multicore, PCI card…
- Research problems
  - Software/hardware function division
  - Hardware primitives/policies for high assurance
  - Formal verification of OBSERV capabilities
  - Performance optimization

Summary
- OBSERV enables an "out-of-the-box" malware defense paradigm, bringing high assurance to
  - System logging and monitoring
  - Malware detection and prevention
  - OS kernel (against kernel rootkits)
- We are looking for
  - Applications in Cyber Defense activities
  - Collaboration/deployment/funding opportunities

Process Coloring: An Information Flow-Preserving Approach to Malware Investigation
Eugene Spafford, Dongyan Xu, Ryan Riley, Department of Computer Science and Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University
Xuxian Jiang, Department of Computer Science, George Mason University
Part of the NICIAR Program; a related project funded by IARPA through AFRL

Thank you! For more information: