Maryland Information Systems Security Lab Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor Nick L. Petroni, Jr. Timothy.

Slides:



Advertisements
Similar presentations
Content Overview Virtual Disk Port to Intel platform
Advertisements

System Area Network Abhiram Shandilya 12/06/01. Overview Introduction to System Area Networks SAN Design and Examples SAN Applications.
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Chapter 6 Security Kernels.
RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.
Chorus and other Microkernels Presented by: Jonathan Tanner and Brian Doyle Articles By: Jon Udell Peter D. Varhol Dick Pountain.
Avishai Wool lecture Introduction to Systems Programming Lecture 8 Input-Output.
1 Future Technologies Group Shane Canon, canon at nersc dot govSummer Linux Kernel Class Root Kit Protection and Detection Shane Canon October
Memory Management (II)
04/16/2010CSCI 315 Operating Systems Design1 I/O Systems Notice: The slides for this lecture have been largely based on those accompanying an earlier edition.
1 Last Class: Introduction Operating system = interface between user & architecture Importance of OS OS history: Change is only constant User-level Applications.
1 OS & Computer Architecture Modern OS Functionality (brief review) Architecture Basics Hardware Support for OS Features.
Operating System Support for Virtual Machines Sam King George Dunlap Peter Chen CoVirt Project, University of Michigan.
Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor.
Chapter 13: I/O Systems I/O Hardware Application I/O Interface
Copyright ©: Nahrstedt, Angrave, Abdelzaher
Fast Dynamic Binary Translation for the Kernel Piyus Kedia and Sorav Bansal IIT Delhi.
Tanenbaum 8.3 See references
Input/Output. Input/Output Problems Wide variety of peripherals —Delivering different amounts of data —At different speeds —In different formats All slower.
VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.
Author : Jiang Wang, Angelos Stavrou, and Anup Ghosh Conference: RAID 2010 Advisor: Yuh-Jye Lee Reporter: Yi-Hsiang Yang
Microkernels, virtualization, exokernels Tutorial 1 – CSC469.
Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using.
Silberschatz, Galvin and Gagne  Operating System Concepts Chapter 13: I/O Systems I/O Hardware Application I/O Interface Kernel I/O Subsystem.
Operating System Support for Virtual Machines Sam King George Dunlap Peter Chen CoVirt Project, University of Michigan.
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.
2007 Oct 18SYSC2001* - Dept. Systems and Computer Engineering, Carleton University Fall SYSC2001-Ch7.ppt 1 Chapter 7 Input/Output 7.1 External Devices.
Stealthy Malware Detection Through VMM-based “Out-of-the-Box” Semantic View Reconstruction CCS’07, Alexandria, VA, Oct 29 – Nov 2, 2007 Xuxian Jiang, Xinyuan.
Operating Systems ECE344 Ashvin Goel ECE University of Toronto OS-Related Hardware.
2009 Sep 10SYSC Dept. Systems and Computer Engineering, Carleton University F09. SYSC2001-Ch7.ppt 1 Chapter 7 Input/Output 7.1 External Devices 7.2.
Hardware process When the computer is powered up, it begins to execute fetch-execute cycle for the program that is stored in memory at the boot strap entry.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
Author: Monirul Sharif, Wenke Lee, Weidong Cui, Andrea Lanzi Reportor: Chun-Chih Wu Advisor: Hsing-Kuo Pao Select: CCS09’
G53SEC 1 Reference Monitors Enforcement of Access Control.
VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.
Zeldovich et al. (both papers) Reading Group by Theo.
CS533 - Concepts of Operating Systems 1 The Mach System Presented by Catherine Vilhauer.
Midterm Meeting Pete Bohman, Adam Kunk, Erik Shaw.
1.4 Hardware Review. CPU  Fetch-decode-execute cycle 1. Fetch 2. Bump PC 3. Decode 4. Determine operand addr (if necessary) 5. Fetch operand from memory.
Operating Systems Security
Hardware process When the computer is powered up, it begins to execute fetch-execute cycle for the program that is stored in memory at the boot strap entry.
Input/Output Problems Wide variety of peripherals —Delivering different amounts of data —At different speeds —In different formats All slower than CPU.
Input Output Techniques Programmed Interrupt driven Direct Memory Access (DMA)
Class Presentation Pete Bohman, Adam Kunk, Erik Shaw (ONL)
VMM Based Rootkit Detection on Android
Lecture 5 Rootkits Hoglund/Butler (Chapters 1-3).
OS Memory Addressing. Architecture CPU – Processing units – Caches – Interrupt controllers – MMU Memory Interconnect North bridge South bridge PCI, etc.
1 Device Controller I/O units typically consist of A mechanical component: the device itself An electronic component: the device controller or adapter.
Kernel Modules – Introduction CSC/ECE 573, Sections 001 Fall, 2012.
Study on “Secure In-VM Monitoring Using Hardware Virtualization” Qiang.Guan Dependable Computing System Lab New Mexico Tech.
Secure Offloading of Legacy IDSes Using Remote VM Introspection in Semi-trusted IaaS Clouds Kenichi Kourai Kazuki Juda Kyushu Institute of Technology.
Introduction to Operating Systems Concepts
Memory Protection: Kernel and User Address Spaces
OS Virtualization.
CSCI 315 Operating Systems Design
Memory Protection: Kernel and User Address Spaces
AT91RM9200 Boot strategies This training module describes the boot strategies on the AT91RM9200 including the internal Boot ROM and the U-Boot program.
Operating System Support for Virtual Machines
Hiding Malware Rootkits
Sai Krishna Deepak Maram, CS 6410
SCONE: Secure Linux Containers Environments with Intel SGX
Lecture 3: Main Memory.
Outline Operating System Organization Operating System Examples
CSE 471 Autumn 1998 Virtual memory
Chapter 13: I/O Systems.
Chapter 13: I/O Systems “The two main jobs of a computer are I/O and [CPU] processing. In many cases, the main job is I/O, and the [CPU] processing is.
2019 2학기 고급운영체제론 ZebRAM: Comprehensive and Compatible Software Protection Against Rowhammer Attacks 3 # 단국대학교 컴퓨터학과 # 남혜민 # 발표자.
Presentation transcript:

Maryland Information Systems Security Lab Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor Nick L. Petroni, Jr. Timothy Fraser Jesus Molina William A. Arbaugh

Maryland Information Systems Security Lab 2 Copilot Kernel Integrity Monitor Compatible - works on commodity GNU/Linux x86 PCs Effective - detected tampering by 12 real-world rootkits - check every 30 seconds = 1% performance penalty Isolated - implemented on its own PCI add-in card Independent - operates even if host kernel is compromised

Maryland Information Systems Security Lab 3 Integrity Threat Example system call vector IDT Host RAM other kernel data and process pages 1. Attacker gains entry kernel text kernel page tables 2. Attacker inserts/modifies code 3. Attacker gets his code executed

Maryland Information Systems Security Lab 4 Copilot Integrity Protection kernel text system call vector IDT CPU/ cache bridge/ memory controller PCI local bus system call vector modified Copilot Admin Station other kernel data and process pages

Maryland Information Systems Security Lab 5 Copilot Protection Strategy Copilot currently uses the following traditional methods: –Hash of Linux kernel text –Linux system call vector –Linux interrupt descriptor table –Linux module list –Hash of Linux module text Compare the above with a “known-good” state Adding hashing/jump table targets simple Copilot improves these methods by providing an isolated & independent platform for kernel monitoring

Maryland Information Systems Security Lab 6 PCI add-in card requirements Unrestricted access to bus - EBSA-285 has bus mastering capability Independence from host - EBSA-285 has a mode that ignores host commands Sufficient processing power, memory - StrongARM SA-110 CPU, 16MB RAM Independent communication channel for reporting - RS-232 serial port

Maryland Information Systems Security Lab 7 Architecture/OS Requirements All kernel data structures must be available to monitor –Linux provides virtual addresses for data structures –Linux x86 virtual address translation easy to replicate –Linux kernel memory is never paged out of RAM –PC PCI bus addresses, physical addresses identical –PC PCI bus can address all of physical memory

Maryland Information Systems Security Lab 8 Virtual memory translation 0x end of RAM virtual addresses used by kernel: physical addresses used during DMA: kernel text, page tables linear map nonlinear map via page tables vmalloc area, module cores 0xc high_memory 0xfe000000

Maryland Information Systems Security Lab 9 Experimental Results Typical rootkit implementation: An LKM that interposes on the system call vector: Adore, rial, rkit, synapsis, modhide1, phide, kbd, linspy… More sophisticated, more stealthy: SucKIT - loads via /dev/kmem instead of LKM Phantasmagoria - modifies kernel text, not syscall vector Insecurity by Obscurity: Taskigt - adds a hook to /proc filesystem Knark - adds inet protocol handler

Maryland Information Systems Security Lab 10 STREAM memory throughput benchmarks Penalty: 10% 10% 7% 7%

Maryland Information Systems Security Lab 11 WebStone HTTP throughput benchmark Cycle (in seconds): off continuous Penalty: 0% 1% 2% 4% 14% MB/s

Maryland Information Systems Security Lab 12 Related Work Existing approaches: Userspace tools –Tripwire, AIDE, chkrootkit, checkps, Rkscan… Kernel space tools –Saint Jude (St. Michael), KSTAT, Carbonite, Samhain Challenge-response protocols for remote genuinity –Kennell/Jamieson, SWATT Other hardware approaches –TCG-based approaches

Maryland Information Systems Security Lab 13 Limitations and Future Work Problems with a PCI-based approach –Inability to monitor execution –Relocation/cache attacks –Memory race conditions Future directions –In-memory image prediction from trusted binary –Extending coverage to most (all?) jumps –Data/non-text auditing (e.g. process table, open files…) –Protect host-kernel-resident protection mechanisms

Maryland Information Systems Security Lab 14 Copilot Summary Proven effective in lab tests: - Detected the 12 rootkits listed on earlier slide - 30-second detection window - Less than 1% application performance penalty Advantages over existing technologies: - Applicable to commodity GNU/Linux x86 hosts - No reliance on host software for correctness - Plugs into unmodified commodity host - Can be extended to support dynamic data

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.