Towards a VMM-based Usage Control Framework for OS Kernel Integrity Protection Min Xu George Mason University Xuxian Jiang George Mason University Ravi.


Towards a VMM-based Usage Control Framework for OS Kernel Integrity Protection Min Xu George Mason University Xuxian Jiang George Mason University Ravi Sandhu University of Texas at San Antonio Xinwen Zhang Samsung Information Systems of America SACMAT 2007

2 Motivations
Ensuring the integrity of kernel resources is a fundamental goal of OS security.
Exploiting a vulnerability allows the attacker to modify the kernel and core system utilities, hence compromising the integrity of the entire system.
Malware: worms, keyloggers, rootkits ...

3 Threat Example: Rootkits
A rootkit is a set of programs and code that allows a permanent or consistent, undetectable presence on a computer (Rootkits: Subverting the Windows Kernel).
Goals: hide malicious resources (e.g., processes, files, registry keys, open ports, etc.); provide hidden backdoor access.
Techniques: modifying kernel resources (integrity violation).
Loadable Kernel Modules (most popular method): modify system call table, kernel text, Interrupt Descriptor Table (IDT).
Patching the running kernel (memory modification): modify /dev/kmem.

4 Existing Approaches
Existing models: MAC (Biba, Bell-LaPadula, Chinese Wall): clear goal; too restrictive, coarse-grained; no ongoing check.
Existing enforcement mechanisms:
User-level: good performance; no isolation; easily compromised.
OS kernel (SELinux): no isolation; too many policies (50,000+ policies in Linux).
Hardware-based coprocessor (Copilot): isolation; needs another PCI card, no real-time prevention.

5 Our Approach
Virtual Machine Monitor (VMM) based architecture:
Strong isolation: a compromised guest OS cannot disable the protection mechanism in the VMM.
Introspection: the VMM can see hardware states.
Interposition: the VMM can enforce memory access, NIC ... The VMM can monitor and enforce events happening in a guest VM.
UCON: decision continuity and attribute mutability. Previous work has shown the policy specification flexibility of UCON.

6 Outline
Policy and Model: UCON_KI model for OS kernel integrity; event-based logic model for UCON_KI policy specification.
VMM-based Enforcement Architecture
Prototype
Evaluation
Conclusion and Future Work

7 UCON Model (Park and Sandhu 2004)
Attribute mutability: attributes can be updated as side-effects of a usage (pre, ongoing, and post updates); persistent and mutable attributes.
Decision continuity: three phases of a usage process; decisions in the first two phases: pre-decision, and ongoing-decisions (repeatedly checked during the ongoing usage phase).

8 UCON_KI Model for OS Kernel Integrity
Subjects (S): active processes and loadable kernel modules (LKMs).
Objects (O): kernel memory spaces, disk devices, and registers.
Subject attributes (ATT(S)): text hash values of subjects.
Object attributes (ATT(O)): addresses, types, status of objects.
Rights (ATT(R)): generic actions such as read and write.
Authorizations: functional predicates that have to be evaluated for usage decisions.

9 Event-based Policy Model for UCON_KI
A UCON_KI policy is a well-typed policy rule of the form:
(e_1 ... e_i) causes (act_1 ... act_j) if (p_1 ... p_k)
where e_1, ..., e_i are events, act_1, ..., act_j are actions, and p_1, ..., p_k are predicates.
A UCON_KI policy specifies that when events e_1, ..., e_i occur, actions act_1, ..., act_j must be performed by the system if predicates p_1, ..., p_k are satisfied.

10 Subject events and system actions (* means repetition)

11 Example Policies specified by EPA: pre-authorization; mutability.

12 Architecture

13 Architecture
A subject generates an access request event from the guest VM, which is intercepted by the VME (step 1).
The VME contacts the AR and retrieves the subject's and object's attributes (steps 2 and 3).
The VME queries the AVC (step 4). If the AVC has a valid entry and the S & O attributes have not changed, it answers yes (step 5) and control goes to step 8; otherwise it answers no and control goes to step 6.
The VME pushes the S & O attributes to the PDP (step 6).
The PDP makes the access control decision according to the policy and the S & O attributes (step 7).
The decision is forwarded to the VME and enforced in the VM (step 8).

14 Architecture
Update of attributes (mutability): the VME gets the new attributes from the guest VM (step 9); new subject/object attributes are pushed back to the AR (step 10), e.g. updating the system call table address after a legitimate process modified it.
Update of the decision cache: the VME pushes the decision along with the subject and object attributes to the AVC after usage (step 11).

15 Prototype Implementation
An OS kernel integrity protection system on the Bochs IA-32 emulator.
Guest VM: Red Hat 7.2 (Linux ).
Example policy: kernel text, system call table, IDT table and virtual file system dispatch table cannot be modified.
Interesting symbols found in /boot/System.map:
Symbol                 Use
_text                  Beginning of kernel text
_etext                 End of kernel text
_sys_call_table        System call table
idt_table              Interrupt Descriptor Table
proc_root_operations   Root file system ops
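The following is an added example, not code from the paper or its Bochs prototype: a small simulation of the decision flow of slides 13 and 14 over the protected objects of slide 15, with a policy in the "event causes action if predicate" form of slide 9. Addresses, hash strings, subject names and the trusted-updater allowlist are all constructed placeholders.

```python
"""Toy model of the VMM-based UCON_KI decision flow (constructed example)."""

# Attribute Repository (AR): constructed sample attributes, not real values.
TRUSTED_TEXT_HASHES = {"h-trusted-updater"}            # hypothetical allowlist
subject_attrs = {"pid-42": "h-trusted-updater", "lkm-x": "h-unknown"}
object_attrs = {                                       # name -> (start, end, type)
    "kernel_text": (0x1000, 0x2000, "text"),           # _text .. _etext
    "sys_call_table": (0x3000, 0x3400, "table"),       # _sys_call_table
}
avc = {}   # Access Vector Cache: (subj, obj, right) -> (decision, sattr, oattr)


def pdp(subj, obj, right):
    """Policy rule: a write event on a protected object causes 'allow' only if the
    predicate 'subject text hash is trusted' holds; everything else is allowed."""
    protected = object_attrs[obj][2] in {"text", "table"}
    if right == "write" and protected:
        return subject_attrs[subj] in TRUSTED_TEXT_HASHES
    return True


def locate(addr):
    """Map a guest address to the protected object containing it, if any."""
    for name, (start, end, _) in object_attrs.items():
        if start <= addr < end:
            return name
    return None


def vme_handle(subj, addr, right):
    """Steps 1-8 and 11: intercept the event, fetch attributes from the AR, consult
    the AVC (valid only while S and O attributes are unchanged), else ask the PDP."""
    obj = locate(addr)
    if obj is None:
        return True, "unprotected"
    sattr, oattr = subject_attrs[subj], object_attrs[obj]
    key = (subj, obj, right)
    if key in avc and avc[key][1:] == (sattr, oattr):
        return avc[key][0], "avc-hit"                  # step 5: cached decision
    decision = pdp(subj, obj, right)                   # steps 6-7
    avc[key] = (decision, sattr, oattr)                # step 11: refresh the cache
    return decision, "pdp"                             # step 8: enforce in the VM


def update_object(obj, start, end):
    """Steps 9-10 (mutability): a legitimate relocation changes the object's address
    attributes in the AR, so cached decisions keyed on the old attributes no longer hit."""
    object_attrs[obj] = (start, end, object_attrs[obj][2])
```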

16 Prototype
Runtime addresses collected from a Red Hat 7.2 Linux system ( ): sys_exit, sys_fork, sys_read, sys_write, sys_execve, ...

17 Evaluation Evaluation results with 18 real-world kernel rootkits

18 Example Rootkits
Adore rootkit
Adore-ng rootkit
SucKIT rootkit

19 Possible Extensions
UCON_KI extensions: attribute management; conditions; obligations.
Policy enforcement.

20 Conclusions
We have proposed a VMM-based usage control framework for OS kernel integrity protection.
We have subjected our prototype to 18 real-world kernel rootkits to validate its practicality and effectiveness.

21 Ongoing and Future Work
Extending our framework for general OS security.
Porting to other VMM platforms, like Xen.

Thank You! URL: