The Semantic Gap Challenge: Stealthy Malware Detection Through VMM-Based “Out-of-the-Box” Semantic View Reconstruction, November 2007, ACM: Association for Computing Machinery.
The Semantic Gap Challenge: Stealthy Malware Detection Through VMM-Based “Out-of-the-Box” Semantic View Reconstruction. November 2007, ACM (Association for Computing Machinery). Authors: Xuxian Jiang (North Carolina State University), Xinyuan Wang (George Mason University) and Dongyan Xu (Purdue University).

Definition. Semantic: of, pertaining to, or arising from the different meanings of words or other symbols. Semantics: the study of meanings; the language used to achieve a desired effect on an audience, especially through the use of words with novel or dual meanings.

Essential Data / Main Idea. There is a recent trend in malware to equip itself with stealthy techniques to detect, evade and defeat malware detection attempts. The fundamental limitation of current host-based anti-malware systems is that they run inside the host they are protecting. This is the "in-the-box" approach, and it makes them vulnerable to counter-detection and subversion by the very malware they look for. To remove this limitation, many solutions use virtual machine technology and place the malware detection facilities outside the protected VM. This is the "out-of-the-box" approach. It gains tamper-resistance, but at the cost of losing the internal semantic view of the host (processes, files, kernel modules) that the "in-the-box" approach enjoys. This loss is the technical challenge called the "semantic gap".

Abstract. The paper presents the design, implementation and evaluation of VMwatcher, an "out-of-the-box" approach that overcomes the semantic gap challenge. Its new technique, called "guest view casting", reconstructs the internal semantic views of a VM (files, processes and kernel modules) from the outside, rather than from the usual inside vantage point.

Abstract. The technique casts the semantic definitions of the guest OS's data structures and functions onto the VM's low-level state (memory pages, disk blocks, registers) as observed at the Virtual Machine Monitor (VMM) level, so the semantic view can be reconstructed from multiple perspectives. The same idea extends to system call events: the process, call number, parameters and return value of each call made in the VM are reconstructed externally, which further enriches the semantic view.

Abstract. With the semantic gap bridged, the paper identifies three unique malware detection capabilities: (i) view comparison-based malware detection and its demonstration in rootkit detection; (ii) "out-of-the-box" deployment of host-based anti-malware software with improved detection accuracy and tamper-resistance; (iii) non-intrusive system call monitoring for malware and intrusion behavior observation.

Introduction. Internet malware such as rootkits and bots is getting very sneaky and elusive: it hides its presence from detection facilities and anti-malware software. Host-based anti-malware systems are installed and executed inside the hosts they monitor and protect ("in the box"). This makes the anti-malware system visible, tangible and therefore subvertible by the malware inside the host.

Introduction. Virtual machine technology can be turned to our advantage: its strong isolation confines processes inside the VM, so that even if the VM is compromised by malware, it is hard for that malware to compromise anything outside the VM. The price is the "semantic gap" between the view of the VM from inside the box and from outside the box. Inside view: processes, files, kernel modules. Outside view: memory pages, registers, disk blocks.

“In the Box” vs “Out of the Box”

VMwatcher. Each view has its advantages. VMwatcher is a VMM-based "out-of-the-box" approach that overcomes the semantic gap challenge. It introspects the virtual machine's low-level state in a non-intrusive manner, inspecting it without influencing the VM's execution, and applies a new technique, "guest view casting".

Guest View Casting. This new technique reconstructs the VM's internal view (files, directories, processes and kernel modules) for "out-of-the-box" malware detection. It is based on the observation that the guest OS of a VM already provides all the definitions of guest data structures and functions needed to construct the VM's semantic view. VMwatcher casts those definitions onto the VMM-level observation of the VM's raw state (memory pages, registers, disk blocks) and thereby externally recreates the semantic view of the target virtual machine.

Design Goals. VMwatcher should not disturb the system state of the VM being monitored. VMwatcher should narrow the semantic gap so that malware detection systems that run inside the VM can also run outside it. VMwatcher should be generic and applicable to a wide range of existing VMMs, covering both approaches to virtualization: full virtualization (VMware, QEMU) and paravirtualization (Xen, User-Mode Linux).

Enabling Techniques. Non-intrusive VM introspection: provides low-level VM state externally, obtaining the full VM state (registers, memory and disk) without intruding on the VM. Guest view casting: external reconstruction of the semantic-level view of the VM, bridging the semantic gap.

Implementation. VMwatcher was implemented with four existing VMMs: VMware, QEMU, Xen and UML. The implementation details differ by the access each VMM offers: the open-source VMMs (QEMU, Xen and UML) allow full access to low-level VM states and events, whereas the closed-source VMware only exposes raw disk blocks and raw memory pages.

Narrowing the Semantic Gap. Three unique detection and monitoring capabilities: (i) view comparison-based malware detection and its demonstration in rootkit detection; (ii) "out-of-the-box" deployment of off-the-shelf anti-malware software with improved detection accuracy and tamper-resistance; (iii) non-intrusive system call monitoring for malware and intrusion behavior observation.
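Capability (iii) as an added worked example (this is not the VMwatcher implementation): given register snapshots that a VMM could take when a 32-bit Linux guest enters and leaves a system call through int 0x80, the script below reconstructs the process, call name, arguments and return value, reads pointer arguments such as open()'s path out of a captured guest user page, and decodes negative errno returns from the unsigned eax register. The snapshots, the user page, the flat address-to-offset mapping and the pid field are constructed here; in a real introspector the pid would itself be obtained by casting the guest's current task structure onto VM memory.

```python
"""
Added example: reconstructing system-call events from VMM-level register
snapshots of a 32-bit Linux guest (int 0x80 convention: eax = call number,
ebx/ecx/edx = first three arguments, eax = return value on exit).
All snapshots and guest memory below are constructed for illustration.
"""
import struct

# Subset of the i386 Linux syscall table (these numbers are the real ones).
SYSCALLS = {2: "fork", 3: "read", 4: "write", 5: "open", 6: "close", 11: "execve"}
# Argument slots that hold pointers to NUL-terminated strings in guest memory.
STRING_ARGS = {"open": {0}, "execve": {0}}

USER_BASE = 0x08048000  # assumed guest VA of the single captured user page


def read_cstring(mem, va, base=USER_BASE, limit=256):
    """Read a NUL-terminated string at guest VA `va` from the captured page.
    Flat va -> offset mapping is a stand-in for a guest page-table walk."""
    off = va - base
    if not 0 <= off < len(mem):
        return f"<unmapped {va:#x}>"
    end = mem.find(b"\0", off, off + limit)
    return mem[off:end if end != -1 else off + limit].decode("latin-1")


def to_signed32(v):
    """eax is captured as an unsigned 32-bit register; errno returns are negative."""
    return struct.unpack("<i", struct.pack("<I", v))[0]


def reconstruct_syscalls(snapshots, user_mem):
    """Pair each entry snapshot with the next exit snapshot of the same pid
    (a process has at most one syscall in flight) and return
    (pid, name, args, retval) records in completion order."""
    pending, events = {}, []
    for snap in snapshots:
        pid = snap["pid"]
        if snap["kind"] == "entry":
            name = SYSCALLS.get(snap["eax"], f"sys_{snap['eax']}")
            raw = [snap["ebx"], snap["ecx"], snap["edx"]]
            strings = STRING_ARGS.get(name, set())
            args = [read_cstring(user_mem, a) if i in strings else a
                    for i, a in enumerate(raw)]
            pending[pid] = (name, args)
        elif snap["kind"] == "exit" and pid in pending:
            name, args = pending.pop(pid)
            events.append((pid, name, args, to_signed32(snap["eax"])))
    return events


def build_sample_trace():
    """Constructed user page and snapshots: pid 336 opens /etc/shadow (denied,
    -13 = EACCES), then /etc/passwd (fd 3) and reads 1024 bytes from it, while
    pid 1080 interleaves a close(5)."""
    page = bytearray(0x100)
    page[0x10:0x10 + 12] = b"/etc/shadow\0"
    page[0x20:0x20 + 12] = b"/etc/passwd\0"
    snaps = [
        {"kind": "entry", "pid": 336, "eax": 5, "ebx": USER_BASE + 0x10, "ecx": 0, "edx": 0},
        {"kind": "exit", "pid": 336, "eax": 0xFFFFFFF3},
        {"kind": "entry", "pid": 1080, "eax": 6, "ebx": 5, "ecx": 0, "edx": 0},
        {"kind": "entry", "pid": 336, "eax": 5, "ebx": USER_BASE + 0x20, "ecx": 0, "edx": 0},
        {"kind": "exit", "pid": 1080, "eax": 0},
        {"kind": "exit", "pid": 336, "eax": 3},
        {"kind": "entry", "pid": 336, "eax": 3, "ebx": 3, "ecx": 0x0804A000, "edx": 1024},
        {"kind": "exit", "pid": 336, "eax": 1024},
    ]
    return snaps, bytes(page)


def format_event(ev):
    pid, name, args, ret = ev
    return f"[pid {pid}] {name}({', '.join(repr(a) for a in args)}) = {ret}"


if __name__ == "__main__":
    snaps, mem = build_sample_trace()
    for ev in reconstruct_syscalls(snaps, mem):
        print(format_event(ev))
```

Because the decoding relies only on register values and guest memory reads, nothing runs inside the VM; the guest cannot tell it is being traced, which is the tamper-resistance property the slide is after. The one piece of state the guest could corrupt is the pointer it passes in ebx, which is why read_cstring bounds-checks the address instead of trusting it.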

Experiments. Evaluation experiments with real-world malware, including elusive kernel-level rootkits, demonstrate VMwatcher's practicality and effectiveness. #1: view comparison on volatile states. #2: view comparison on persistent states. #3: view comparison on both volatile and persistent states. #4: cross-platform malware detection.

#1: View comparison on volatile states. This experiment involves the Windows kernel FU rootkit, which runs and hides the process with PID 336. VMware is used, with Scientific Linux 4.4 as the host OS and Windows XP SP2 as the guest OS. A Windows command shell (PID 1080) is created and invokes the FU rootkit to hide process 336, which is running an SSH client. The Windows Task Manager does not list the SSH client process, indicating that the process has been hidden; VMwatcher's external view exposes it.

Experiment #1. In the figure, the small box with solid lines marks the SSHClient.exe process that is not shown by the Windows Task Manager. VMwatcher can be readily adopted by real-world honeypots to detect in-the-wild rootkit attacks; recent incidents show the same FU rootkit has been actively used to hide the presence of advanced bots.

Experiment #1
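The view comparison behind Experiment #1, as an added example (not code from the paper or its authors). The script below casts a hypothetical guest process-list layout onto a constructed 32-bit memory image in two ways: by walking the guest's linked list, which is what an in-guest tool such as Task Manager is ultimately built from, and by scanning the image for node signatures, which still finds a node that a DKOM rootkit like FU has unlinked from the list. It then diffs the external view against what the compromised guest reports. The node layout, the kernel base address, the list-head address and the in-guest process list are all assumptions; the PIDs 336 and 1080 and the SSHClient.exe name only mirror the slide's scenario. The cross_view_diff step is the same one needed for persistent state in Experiments #2 and #3: a set of file names from the mounted disk image versus the guest's own directory listing.

```python
"""
Added example: guest view casting over a constructed guest memory image,
then a cross-view comparison that flags processes hidden from the in-guest view.

Hypothetical guest layout (stand-in for a real kernel's task/EPROCESS list):
  node = magic b"PROC" | pid (u32) | name (16 bytes, NUL padded) | next (u32 VA)
  nodes form a circular list; the head's address is known, the way a real
  introspector takes it from the guest kernel's symbol table.
  kernel VA -> image offset is a flat va - KERNEL_BASE (a real tool walks the
  guest page tables instead).
"""
import struct

KERNEL_BASE = 0xC0000000               # assumed base of the guest kernel mapping
NODE_FMT = "<4sI16sI"                  # magic, pid, name, next
NODE_SIZE = struct.calcsize(NODE_FMT)  # 28 bytes
MAGIC = b"PROC"
HEAD_VA = KERNEL_BASE + 0x100          # assumed address of the list head node


def va_to_offset(image, va):
    """Translate a guest kernel VA into an offset that holds a whole node."""
    off = va - KERNEL_BASE
    if off < 0 or off + NODE_SIZE > len(image):
        raise ValueError(f"guest VA {va:#x} is outside the captured image")
    return off


def read_node(image, off):
    magic, pid, name, nxt = struct.unpack_from(NODE_FMT, image, off)
    if magic != MAGIC:
        raise ValueError(f"no process node at offset {off:#x}")
    return pid, name.split(b"\0", 1)[0].decode("ascii"), nxt


def walk_process_list(image, head_va=HEAD_VA):
    """Cast the guest's own list definition onto the raw image. This yields
    the same view an in-guest 'ps' or Task Manager reports, so it misses a
    node that a rootkit has unlinked."""
    procs, va, seen = {}, head_va, set()
    while va not in seen:
        seen.add(va)
        pid, name, nxt = read_node(image, va_to_offset(image, va))
        procs[pid] = name
        va = nxt
    if va != head_va:
        raise ValueError("process list is not a clean circular list")
    return procs


def scan_process_nodes(image):
    """Signature scan for every node in the image, linked or not. Unlinking
    removes a node from the list but not from memory, so the scan still
    finds it; candidates whose 'next' does not point into the image are
    discarded as false positives."""
    procs, pos = {}, image.find(MAGIC)
    while pos != -1:
        try:
            pid, name, nxt = read_node(image, pos)
            va_to_offset(image, nxt)
            procs[pid] = name
        except (ValueError, UnicodeDecodeError):
            pass
        pos = image.find(MAGIC, pos + 1)
    return procs


def cross_view_diff(external, internal):
    """Return (hidden, phantom): keys seen only outside resp. only inside."""
    return (set(external) - set(internal), set(internal) - set(external))


def build_sample_image():
    """Constructed image: Idle(0) -> System(4) -> cmd.exe(1080) -> back to head.
    SSHClient.exe(336) has been unlinked, the way FU hides a process, but its
    node is still in memory."""
    image = bytearray(0x1000)
    nodes = [
        (KERNEL_BASE + 0x100, 0, b"Idle", KERNEL_BASE + 0x200),
        (KERNEL_BASE + 0x200, 4, b"System", KERNEL_BASE + 0x300),
        (KERNEL_BASE + 0x300, 1080, b"cmd.exe", KERNEL_BASE + 0x100),
        (KERNEL_BASE + 0x400, 336, b"SSHClient.exe", KERNEL_BASE + 0x100),
    ]
    for va, pid, name, nxt in nodes:
        struct.pack_into(NODE_FMT, image, va - KERNEL_BASE, MAGIC, pid, name, nxt)
    return bytes(image)


def detect_hidden_processes(image, internal_view):
    """The out-of-the-box check: scan-based external view vs. what the guest
    reports (internal_view is the constructed Task Manager output)."""
    hidden, phantom = cross_view_diff(scan_process_nodes(image), internal_view)
    return {"hidden": sorted(hidden), "phantom": sorted(phantom)}


if __name__ == "__main__":
    img = build_sample_image()
    in_guest = {0: "Idle", 4: "System", 1080: "cmd.exe"}  # constructed
    print("list walk :", walk_process_list(img))
    print("scan      :", scan_process_nodes(img))
    print("cross-view:", detect_hidden_processes(img, in_guest))
```

Running it shows the list walk agreeing with the guest (PID 336 absent from both), the scan recovering the unlinked node, and the diff reporting 336 as hidden with nothing phantom. The walk is kept alongside the scan on purpose: a node present in the scan but absent from the walk is itself evidence of list manipulation, independent of what the guest's tools print.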

Experiment #3: Adore-ng Rootkit. Adore-ng is an advanced Linux kernel rootkit that replaces kernel-level function pointers to hide files and processes. The experiment is an adore-ng infection on a Xen Fedora Core 4 virtual machine, shown in four xterm windows: 0: inside the VM, where the adore-ng kernel module is loaded and a backdoor process is running; 1: the external view of the VM, with its devices mounted; 2: the files under the directory /root/demo in the VM; 3: the processes currently running inside the VM.

Experiment #3: Volatile & Persistent States

Out of the box Malware Detection

Anti-Virus Scanning Time

Summary. VMwatcher is a VMM-based approach that enables out-of-the-box malware detection and addresses the semantic gap challenge. VMwatcher has stronger tamper-resistance because the anti-malware facilities are moved out of the monitored VM, while the current "inside the box" semantic view of the VM is maintained through external semantic view reconstruction.

Summary. The VMwatcher prototype on Linux and Windows platforms shows its practicality and effectiveness. The experiments with real-world self-hiding rootkits demonstrate the power of the new malware detection capabilities introduced by VMwatcher.

Good/Bad Points. Good points: very concrete experiments shown towards the end of the paper that brought it all together. Used a variety of open source and proprietary operating systems and current anti-virus software in the experiments. Bad points: Was not able to discuss Experiments 2 and 4 due to time constraints (me). Guest view casting figures were confusing.

Good/Bad Points. The vocabulary used was very extensive and advanced. With the technical nature of the paper, the vocabulary used should have been more basic in nature to facilitate better understanding. Had to reread the paper a few times to understand the gist of the paper.

Improvements & Future Work. Great experiments were done in relation to malware/rootkit detection. The virtual machine experimentation was great. Liked the use of open source VMMs such as Xen, QEMU and UML. Talked about the different VM states: full vs. para-virtualization. Future work with this would be great. Further discussion of honeypots and "in the wild" rootkit attacks would improve the paper.