Countering Kernel Rootkits with Lightweight Hook Protection Presented by: Hector M Lugo-Cordero, MS CAP 6135 March 24, 2011.

Presentation transcript:

1 Countering Kernel Rootkits with Lightweight Hook Protection
Presented by: Hector M Lugo-Cordero, MS
CAP 6135
March 24, 2011

2 Acknowledgements
Title: Countering Kernel Rootkits with Lightweight Hook Protection
Authors:
–North Carolina State University: Zhi Wang, Xuxian Jiang, Peng Ning
–Microsoft Research: Weidong Cui
Published at: CCS '09, Proceedings of the 16th ACM conference on Computer and communications security, Chicago, Illinois, USA, 2009
Sponsored by:
–NSF , , , and

3 Rootkits / HookSafe / Design and Implementation / Performance / Closing Remarks

4 Rootkits / HookSafe / Design and Implementation / Performance / Closing Remarks

5 Kernel Space
Where the core of the OS resides
May be accessed through system calls
Has full access to the system
Like running in real-mode assembly language, but at a higher level (i.e. easier programming)

6 Kernel Rootkits
Hide their presence and activities
–Hijack control by modifying kernel space
Types:
–Kernel Object Hooking (most rootkits)
–Dynamic Kernel Object Manipulation
Tamper with the OS to launch attacks
–System backdoor
–Stealing private information
–Escalating privileges of a malicious process
–Disabling defense mechanisms

7 Example of Rootkit (TDL4)
From the Rootkit.Win32.TDSS family
Installs in the Master Boot Record (MBR)
Runs before the Operating System
Blocks programs from running
Delivers advertisements
Redirects Google searches
Keeps a copy of its payload in the MBR so it can be reinstalled
Best way to get rid of it is by replacing the MBR
Previous versions (which infected drivers) could be removed with TDSSKiller from Kaspersky

8 Rootkits / HookSafe / Design and Implementation / Performance / Closing Remarks

9 Traditional Defense Approaches
Analyzing rootkit behaviors
–Examples: Panorama, HookFinder, K-Tracer
Searching for common symptoms on infected computers
–Examples: Copilot, SBCFI, VMwatcher
Preserving kernel code integrity
–Examples: SecVisor, Patagonix, NICKLE
–Can be bypassed by return-oriented rootkits, which hijack function pointers or return addresses and reuse existing kernel code snippets

10 HookSafe
Challenge: protection granularity gap
–Hook protection requires byte granularity
–Hardware only provides page-level protection
Kernel hooks (function pointers), once initialized, are read frequently but written rarely (writes are less than 1% of accesses)
Move the hooks to page-aligned memory and protect them with traditional page protection
–Any write access can be monitored
Small performance overhead

11 Hooks per Page Histogram [1]

12 What are Pages?
Fundamental to using non-contiguous memory blocks
Create a mapping between virtual addresses and physical ones
Provide virtual memory

13 Paging Process [2]

14 Paging Mapping [2]

15 Rootkits / HookSafe / Design and Implementation / Performance / Closing Remarks

16 Assumptions
A hypervisor will be used to monitor virtual machines
–From Wikipedia: “In computing, a hypervisor, also called virtual machine monitor (VMM), is one of many virtualization techniques which allow multiple operating systems, termed guests, to run concurrently on a host computer, a feature called hardware virtualization.”
A bootstrap like tboot exists to establish a static root of trust for the system
–The hypervisor can be securely loaded
–Protects the kernel at boot time
Runtime integrity of the hypervisor is maintained

17 HookSafe Architecture [1]

18 Offline Hook Profiler
Set of functions that read/write the hook
–Hook Access Points (HAPs)
Set of values assigned to a hook
Enables transparent hook indirection

19 Offline Hook Profiler Design
Static Analysis
–Performed on the kernel's source code
–Automatically collects hook profiles using third-party program analysis techniques (e.g. points-to analysis)
Dynamic Analysis
–Does not need the source code (good for Windows)
–Runs the target system on an emulator and monitors memory accesses to derive hook profiles
Tradeoff
–Coverage (static) vs precision (dynamic)
–HookSafe chooses precision over coverage

20 Offline Hook Profiler Implementation
Run in emulation; each hook is recorded together with its set of read/write access points (HAPs) and the values it takes [1]

21 Online Hook Protector
Takes the hook access profiles as input
Creates a shadow copy of all protected hooks
Instruments the HAP instructions so that each access is redirected to the shadow copy
Shadow copies are moved into a centralized location so they can be protected from unauthorized modification (i.e. page-level protection)

22 Online Hook Protector Design
Initialization
–A temporary kernel module creates the shadow copy of the hooks and loads the code for the indirection layer
–Patches the HAPs to redirect to the copy
Run-Time Read/Write Indirection
–Read: reads from the copy and returns to the HAP
–Write: control is passed to the hypervisor for a validation check; the new value must have been seen in the offline profiling phase
Run-Time Tracking of Dynamically Allocated Hooks
–Embedded in dynamic kernel objects (i.e. the heap)
–Size is fixed because it can only be known at runtime
Hardware abstraction: register accesses are intercepted

23 Online Hook Protector Implementation
5-byte jmp instruction
–1-byte opcode (0xE9)
–32-bit integer offset operand
x86 has variable-length instructions, so the jmp is padded with NOPs (0x90)
Old instructions are rewritten and moved [1]
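The HAP patch this slide describes, as an added example in C that is not the paper's or the presentation's code: it encodes the 5-byte rel32 jmp that replaces the first bytes of a hook access point, pads the rest of the displaced instruction slot with 0x90 NOPs, and decodes the target back so the patch can be checked. The addresses, the 7-byte slot length and the function names are constructed assumptions; a real patcher must take slot_len from a disassembler so the NOPs end on an instruction boundary, and must relocate the displaced instructions as the slide says.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define JMP_REL32_OPCODE 0xE9   /* x86 "jmp rel32" */
#define JMP_REL32_LEN    5      /* 1-byte opcode + 32-bit displacement */
#define X86_NOP          0x90   /* single-byte NOP used as padding */

/* Build the patch bytes for a HAP at hap_addr: "jmp trampoline_addr" followed by
 * NOP padding up to slot_len, the total length of the original instruction(s)
 * being displaced (a whole number of instructions, as found by a disassembler).
 * Returns the number of bytes written, or 0 if the patch cannot be encoded
 * (slot too small, output buffer too small, or target outside rel32 range).
 * Hypothetical helper, constructed for this example. */
size_t encode_hap_patch(uint64_t hap_addr, uint64_t trampoline_addr,
                        size_t slot_len, uint8_t *out, size_t out_cap)
{
    if (slot_len < JMP_REL32_LEN || out_cap < slot_len)
        return 0;
    /* rel32 is relative to the address of the instruction *after* the jmp. */
    int64_t rel = (int64_t)trampoline_addr - (int64_t)(hap_addr + JMP_REL32_LEN);
    if (rel > INT32_MAX || rel < INT32_MIN)
        return 0;
    uint32_t imm = (uint32_t)(int32_t)rel;
    out[0] = JMP_REL32_OPCODE;
    for (int i = 0; i < 4; i++)                 /* little-endian immediate */
        out[1 + i] = (uint8_t)((imm >> (8 * i)) & 0xffu);
    /* Fill the remainder of the displaced slot so execution never lands mid-instruction. */
    memset(out + JMP_REL32_LEN, X86_NOP, slot_len - JMP_REL32_LEN);
    return slot_len;
}

/* Recover the jmp target from patched bytes, used to verify a patch before it is
 * applied. Returns 1 on success, 0 if the bytes are not a rel32 jmp. */
int decode_jmp_target(const uint8_t *buf, size_t len, uint64_t hap_addr, uint64_t *target)
{
    if (len < JMP_REL32_LEN || buf[0] != JMP_REL32_OPCODE)
        return 0;
    uint32_t imm = (uint32_t)buf[1] | ((uint32_t)buf[2] << 8)
                 | ((uint32_t)buf[3] << 16) | ((uint32_t)buf[4] << 24);
    *target = (uint64_t)((int64_t)hap_addr + JMP_REL32_LEN + (int32_t)imm);
    return 1;
}
```

A forward patch from a constructed HAP at 0x1000 to a trampoline at 0x1010 over a 7-byte slot yields E9 0B 00 00 00 90 90; a backward jump produces a negative displacement in two's complement, which decode_jmp_target resolves back to the original target.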

24 Rootkits / HookSafe / Design and Implementation / Performance / Closing Remarks

25 Detecting Rootkits
At read time, the hook indirection layer periodically checks for consistency between the original hook and the shadow copy
Any discrepancy is caused by a compromised original hook
At write time, if the action is legitimate, both the original hook and its copy are written

26 Evaluation [1]

27 Evaluation Example [1]

28 Rootkits / HookSafe / Design and Implementation / Performance / Closing Remarks

29 Strengths (Remarks)
Rootkit protection without needing the kernel source code
Low runtime overhead (6%)
Works with variable-instruction-length architectures (e.g. x86)
Byte-granularity protection using the hypervisor's page protection

30 Weaknesses
Doesn't record what caused the rootkit infection. It can detect, but not defend against future attempts
When a discrepancy is found, it automatically assumes the original hook was compromised. This was not the case with mood-nt
Legitimate values need to be inside the hook profile
Memory usage for creating the shadow copies

31 Suggestions
Test HookSafe on Windows
Add mechanisms to restore the MBR or VBR in case multiple OSes are present
Instead of checking for a discrepancy between hooks and their copies, check against a hash value to find out which one is compromised
Incorporate static analysis or broader dynamic analysis (e.g. adaptive analysis)

32 References
1. Z. Wang, X. Jiang, W. Cui, and P. Ning, “Countering kernel rootkits with lightweight hook protection”, Proceedings of the 16th ACM conference on Computer and communications security, Chicago, Illinois, USA, 2009, pp. 545–
http://support.kaspersky.com/viruses/solutions

33 QUESTIONS