Stealthy Malware Detection Through VMM-based “Out-of-the-Box” Semantic View Reconstruction (CCS’07, Alexandria, VA, Oct 29 – Nov 2, 2007). Xuxian Jiang, Xinyuan Wang, Dongyan Xu.


Presentation transcript:

Stealthy Malware Detection Through VMM-based “Out-of-the-Box” Semantic View Reconstruction
CCS’07, Alexandria, VA, Oct 29 – Nov 2, 2007
Xuxian Jiang, Xinyuan Wang, Dongyan Xu
George Mason University, Purdue University

Motivation
- Internet malware remains a top threat
- Malware: viruses, worms, rootkits, spyware, bots, …

Recent Trend on Rootkits
- Source: McAfee Avert Lab Report (April 2006)
- [Chart: 400% growth in rootkits; Q1 growth figures compared against viruses/worms/bots, PUPs, …]

Existing Defenses (e.g., Anti-Virus Software)
- Running inside the monitored system
- Advantages
  - They can see everything (e.g., files, processes, …)
- Disadvantages
  - Once compromised by advanced stealthy malware, they may not see anything!
[Figure: VirusScan, Firefox, IE, … running on top of the OS Kernel]

Existing Defenses
- Key observation
  - Both anti-virus software and vulnerable software are running inside the same system
  - Hard to guarantee tamper-resistance
- Solution: “Out-of-the-box” defense
[Figure: Firefox, IE, … on the OS Kernel; VirusScan moved outside the VM, onto the Virtual Machine Monitor (VMM)]

The “Semantic-Gap” Challenge
- What can we observe?
  - Low-level states: memory pages, disk blocks, …
  - Low-level events: privileged instructions, interrupts, I/O access, …
- What do we want to observe?
  - High-level states with semantic info.: files, processes, …
  - High-level events with semantic info.: system calls, context switches, …
[Figure: VirusScan and Guest OS above the Virtual Machine Monitor (e.g., VMware, Xen, QEMU), separated by the Semantic Gap]

Main Contribution
- VMwatcher: a systematic approach to bridge the semantic gap
  - Reconstructing semantic objects and events from low-level VMM observations
- Capability I: “Out-of-the-box” execution of commodity anti-malware software
- Capability II: View comparison-based stealthy malware detection
[Figure: Firefox, IE, … on the OS Kernel; VMwatcher running on the Virtual Machine Monitor (VMM)]

VMwatcher: Bridging the Semantic Gap
- Step 1: Procuring low-level VM states and events (VM Introspection)
  - Disk blocks, memory pages, registers, …
  - Traps, interrupts, …
- Step 2: Reconstructing the high-level semantic view (Guest View Casting)
  - Files, directories, processes, and kernel modules, …
  - System calls, context switches, …

Step 1: VM Introspection
Raw VMM observations taken from the virtual machines (VMs):
- VM disk image
- VM hardware state (e.g., registers)
- VM physical memory
- VM-related low-level events (e.g., interrupts)
[Figure: VMware Academic Program]

Step 2: Guest View Casting
Key observation: the guest OS already contains all the necessary semantic definitions of data structures, as well as the functionality needed to construct the semantic view.
[Figure: Virtual Machine Monitor (VMM), Guest OS, Disk, VMwatcher, Semantic Gap, VirusScan, Cross-view]

Guest View Casting
Raw VMM observation                              | Casted guest functions & data structures
-------------------------------------------------|------------------------------------------------------------------
VM disk image                                    | Device drivers, file system drivers
VM physical memory                               | Memory translation, task_struct, mm_struct
VM hardware state (e.g., registers)              | CR3, MSR_SYSENTER_CS, MSR_SYSENTER_EIP/ESP
VM-related low-level events (e.g., interrupts)   | Event semantics: syscalls, context switches, …; event-specific arguments …
Output: reconstructed semantic view
Demo clip (3.5 mins):

Guest View Casting on Memory State (Linux)
[Figure: reconstructed Process List and Process Memory Layout]

Guest Memory Addressing
- Traditional memory addressing
  - Given a VA, the MMU translates the VA to a PA
  - OSes used to map with a known PA
    - Linux: VA 0xc == PA 0x0
    - Windows: VA 0x == PA 0x0
- A VM complicates the translation
  - Guest virtual -> guest physical
  - Guest physical -> host physical
[Figure: VM Introspection; Reverse Address Translation; Emulated Address Translation]

Evaluation
- Effectiveness
  - Cross-view malware detection
    - Exp. I: Cross-view detection on volatile state
    - Exp. II: Cross-view detection on persistent state
    - Exp. III: Cross-view detection on both volatile and persistent state
  - Out-of-the-box execution of commodity anti-malware software
    - Exp. IV: Symantec AntiVirus
    - Exp. V: Windows Defender
- Performance
  - Difference between internal scanning & external scanning

Exp. I: Cross-view detection on volatile memory state
- Experiment setup
  - Guest VM: Windows XP (SP2), infected with the Windows FU rootkit
  - Host OS: Scientific Linux 4.4
  - VMM: VMware Server
[Figure: “Inside-the-box” view vs. VMwatcher view, with the Diff between them]
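To make the Guest View Casting and Guest Memory Addressing slides and Exp. I concrete, here is an added example that is not code from the slides or from VMwatcher. It models a toy guest: a constructed "VM physical memory" buffer holding a circular task list whose record layout, the linear kernel mapping (`KERNEL_BASE`), and the list-head address (`INIT_TASK_VA`) are all assumptions for this example. The out-of-the-box side translates guest VAs to guest PAs, walks the guest's own list (view casting), and diffs the result against a constructed "inside-the-box" process list from which a rootkit-hooked enumeration API has hidden one process. Bounds and loop checks guard against a corrupted pointer chain, which an external walker must expect.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

# Constructed guest layout (assumed for this example; not VMwatcher's real layout).
KERNEL_BASE = 0xC0000000          # assumed linear kernel mapping: guest VA = guest PA + KERNEL_BASE
RECORD_FMT = "<I16sI"             # pid (u32), comm (16 bytes), VA of next task record (u32)
RECORD_SIZE = struct.calcsize(RECORD_FMT)   # 24 bytes
INIT_TASK_VA = KERNEL_BASE + 0x100          # assumed address of the list head symbol


def guest_va_to_pa(va: int) -> int:
    """Guest virtual -> guest physical for the toy guest (direct-mapped kernel range only)."""
    if va < KERNEL_BASE:
        raise ValueError(f"VA {va:#x} is outside the direct-mapped kernel range")
    return va - KERNEL_BASE


def build_guest_memory(procs, size: int = 0x1000) -> bytearray:
    """Constructed 'VM physical memory': a circular task list starting at INIT_TASK_VA."""
    mem = bytearray(size)
    base_pa = guest_va_to_pa(INIT_TASK_VA)
    for i, (pid, comm) in enumerate(procs):
        next_va = INIT_TASK_VA + ((i + 1) % len(procs)) * RECORD_SIZE
        record = struct.pack(RECORD_FMT, pid, comm.encode().ljust(16, b"\0"), next_va)
        off = base_pa + i * RECORD_SIZE
        mem[off:off + RECORD_SIZE] = record
    return mem


@dataclass(frozen=True)
class Proc:
    pid: int
    comm: str


def cast_process_list(mem: bytes, max_records: int = 4096) -> list[Proc]:
    """Guest view casting: walk the guest's own task list from outside the VM."""
    procs: list[Proc] = []
    seen: set[int] = set()
    va = INIT_TASK_VA
    while va not in seen:                      # stop when the circular list wraps around
        if len(procs) >= max_records:
            raise RuntimeError("task list longer than expected; possible corruption")
        seen.add(va)
        pa = guest_va_to_pa(va)
        if pa + RECORD_SIZE > len(mem):        # pointer leads outside guest memory
            raise RuntimeError(f"task pointer {va:#x} points outside guest memory")
        pid, comm, next_va = struct.unpack_from(RECORD_FMT, mem, pa)
        procs.append(Proc(pid, comm.split(b"\0", 1)[0].decode()))
        va = next_va
    return procs


def cross_view_diff(inside: list[Proc], outside: list[Proc]) -> list[Proc]:
    """Cross-view detection: processes the out-of-the-box view has but the in-VM view lacks."""
    return sorted(set(outside) - set(inside), key=lambda p: p.pid)


# Constructed scenario: the guest kernel holds four tasks; an in-guest hook hides
# pid 1337 from the process enumeration that in-VM tools report.
GUEST_TASKS = [(1, "init"), (42, "sshd"), (1337, "backdoor"), (2048, "virusscan")]
INSIDE_VIEW = [Proc(1, "init"), Proc(42, "sshd"), Proc(2048, "virusscan")]


def demo() -> list[Proc]:
    """Run the two steps end to end; returns the hidden processes found by the diff."""
    mem = build_guest_memory(GUEST_TASKS)
    outside = cast_process_list(mem)
    return cross_view_diff(INSIDE_VIEW, outside)


if __name__ == "__main__":
    for p in demo():
        print(f"hidden process: pid={p.pid} comm={p.comm}")
```

The walk terminates on the first repeated pointer and refuses records that fall outside the captured memory, so a rootkit that corrupts the list cannot send the external scanner into an endless or out-of-bounds read; on a real guest the record layout and mapping would come from the guest kernel's own definitions, as the slides' key observation states.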

Exp. II: Cross-view detection on persistent disk state
- Experiment setup
  - Guest VM: a Red Hat 7.2-based honeypot, infected with the Linux SHv4 rootkit
  - Host OS: Windows XP (SP2)
  - VMM: VMware Server
[Figure: “Inside-the-box” view vs. VMwatcher view, with the Diff between them]

Experiment (IV)
- Experiment setup
  - Both the guest OS and the host OS run Windows XP (SP2)
  - VMM: VMware Server
- Running Symantec AntiVirus twice
  - Outside
  - Inside
- Samples shown: Hacker Defender, NTRootkit

[Figure: External scanning result vs. internal scanning result, with the Diff between them]

Performance
- Internal scanning time vs. external scanning time
- Internal scanning takes longer to complete!

Related Work
- Enhancing security with virtualization (Livewire [Garfinkel03], IntroVirt [Joshi05], HyperSpector [Kourai05])
  - Focusing on targeted attacks with specialized IDSes
- Cross-view detection (Strider GhostBuster [Wang05], RootkitRevealer / Blacklight / IceSword / …)
  - Either destroying the volatile state or obtaining two internal views
- Secure monitors
  - CoPilot [Petroni04], Terra [Garfinkel03], sHype [Sailer05], SecVisor [Perrig07], TRANGO, …

Conclusions
- VMwatcher: a systematic approach that bridges the semantic gap and enables two unique malware detection capabilities:
  - Cross-view malware detection
  - “Out-of-the-box” execution of commodity anti-malware software

Thank you!
For more information: URL: