COUNTERING KERNEL ROOTKITS WITH LIGHTWEIGHT HOOK PROTECTION. Presented by: Ruaa Abdulrahman, CAP 6135: Malware and Software Vulnerability Analysis.


COUNTERING KERNEL ROOTKITS WITH LIGHTWEIGHT HOOK PROTECTION. Presented by: Ruaa Abdulrahman, CAP 6135: Malware and Software Vulnerability Analysis, April 08,

INFORMATION. Authors: Zhi Wang, Xuxian Jiang and Peng Ning (North Carolina State University); Weidong Cui (Microsoft Research). Published at: CCS '09, Proceedings of the 16th ACM Conference on Computer and Communications Security, Chicago, Illinois, USA, 2009. Sponsored by: NSF , , , and

KERNEL ROOTKITS. Kernel rootkits are among the most stealthy kinds of malware and pose significant security threats. Why? They directly subvert the OS kernel: they not only hide their presence but also tamper with OS functionality to launch various attacks, such as: - opening system backdoors; - stealing private information; - escalating the privileges of malicious processes; - disabling defense mechanisms.

KERNEL ROOTKITS. Because of all these threats, what do we need? Preservation of kernel code integrity, and safeguarding of the relevant kernel control data, namely return addresses and function pointers. Both are equally important. In this paper the authors focus on function pointers, which they call "kernel hooks".

KERNEL HOOK. Kernel hook == function pointer. Intuitively, to safeguard kernel hooks we need to monitor and verify every write access to the memory pages that contain kernel hooks. This approach works well only under two conditions: 1- There is only a very limited number of kernel hooks to protect. 2- These hooks are not co-located with frequently modified memory data.

KERNEL HOOK. Unfortunately, these two conditions do not hold for OSes like Linux and Windows, because: - these OSes may have thousands of kernel hooks ("not a limited number"); - and the hooks can be widely scattered across the kernel address space. The solution to the above challenges: "HookSafe".

PROBLEM OVERVIEW. Kernel rootkits come in two types: - Kernel Object Hooking (KOH); - Dynamic Kernel Object Manipulation (DKOM). The authors focus on KOH because it is the more common attack. KOH can hijack either a code hook or a data hook. [Figure labels: hijack control data; subvert control data]

PROBLEM OVERVIEW. Hijacking a kernel code hook is easier to protect against, because it requires modifying the kernel text section, which is - usually static, and - can be marked read-only. Kernel data hooks are function pointers and usually reside in two main kernel memory regions: - preallocated memory areas, including the data sections; - dynamically allocated areas, such as the kernel heap.

PROBLEM OVERVIEW. The aim is to protect the kernel hooks in both memory regions (preallocated data sections and the dynamically allocated kernel heap) from being tampered with by kernel rootkits.

PROBLEM OVERVIEW. The protection granularity gap challenge: efficient hook protection requires byte-level granularity, BUT hardware only provides page-level protection, AND since kernel hooks are scattered across the kernel space and often co-located with other dynamic kernel data, we cannot simply use hardware-based page-level protection.

PROBLEM OVERVIEW. Experiment: - They analyzed a typical Ubuntu 8.04 server using a whole-system emulator, QEMU. - They examined 5881 Linux kernel hooks. - They found that these kernel hooks are scattered across 41 pages, and some of them are located in the dynamic kernel heap.


PROBLEM OVERVIEW. What are pages? - Non-contiguous memory blocks. - They create a mapping between physical addresses and virtual ones. - They provide virtual RAM.

HOOKSAFE. o HookSafe is a hypervisor-based lightweight system that is able to efficiently protect thousands of kernel hooks in a guest OS from being hijacked. o "In computing, a hypervisor, also called virtual machine monitor (VMM), is one of many virtualization techniques which allow multiple operating systems, termed guests, to run concurrently on a host computer, a feature called hardware virtualization." (Wikipedia)

HOOKSAFE DESIGN. Assumptions: - A hypervisor is used to monitor the virtual machines. - A bootstrap mechanism like tboot exists to establish a static root of trust for the system, so the hypervisor can be securely loaded and can protect the kernel at boot time. - The runtime integrity of the hypervisor is maintained.

HOOKSAFE DESIGN. To resolve the protection granularity gap, they relocate the kernel hooks to a dedicated, page-aligned memory space and introduce a thin hook indirection layer to regulate accesses to them using hardware-based page-level protection. They create a shadow copy of the kernel hooks in a centralized location; any attempt to modify the shadow copy is trapped and verified by the underlying hypervisor.

HOOKSAFE DESIGN. All read and write accesses to protected kernel hooks are routed through the hook indirection layer. Only the hypervisor can write to the memory pages holding the protected hooks. For read accesses, a piece of indirection code residing in the guest OS kernel memory reads the corresponding shadow hook.

HOOKSAFE DESIGN. HookSafe achieves its functionality in two steps: 1- the offline hook profiler; 2- the online hook protector.

OFFLINE HOOK PROFILER. This component profiles the guest kernel's execution and outputs a hook access profile for each protected hook. The hook access profile is later used to enable transparent hook indirection. Kernel instructions that read or write a hook are called Hook Access Points (HAPs).

OFFLINE HOOK PROFILER. For the design, there are two approaches: 1- Static analysis, performed on the OS kernel source code, using known program analysis techniques to automatically collect the hook access profile. More complete, but less precise. 2- Dynamic analysis, which does not need the OS kernel source code: run the target system on top of an emulator and monitor every memory access to derive the hook access instructions. Allows precise runtime information to be recorded, but gives less coverage. HookSafe chooses precision (dynamic) over coverage (static).

OFFLINE HOOK PROFILER - Implementation. It is based on an open-source whole-system emulator (QEMU). QEMU uses binary translation, which rewrites the guest's binary instructions; the profiler then records executions of instructions that read or write memory. If an instruction accesses any kernel hook, it is recorded as a HAP together with the value accessed. At the end, the collected HAP instructions and values are compiled into the corresponding hook access profile.
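To make the profiling step concrete, here is an added example (not HookSafe's own profiler) that builds a hook access profile from a constructed memory-access trace of the kind a QEMU-based tracer would emit; the record layout, the pointer-sized hook assumption and the sample addresses are all assumptions of this example.

```c
/* Added example, not HookSafe's code: derive HAPs from an access trace.
 * Each trace record is (instruction address, accessed address, size,
 * is_write). An instruction is a HAP for hook h if its access overlaps
 * any byte of h. Hooks are assumed to be x86-64 function pointers. */
#include <stddef.h>
#include <stdint.h>

#define HOOK_SIZE 8   /* a function pointer on x86-64 (assumption) */

struct access { uintptr_t pc, addr; size_t size; int is_write; };
struct hap    { uintptr_t pc, hook; int is_write; };

static int overlaps(uintptr_t a, size_t n, uintptr_t hook) {
    return a < hook + HOOK_SIZE && hook < a + n;
}

/* Writes profile entries to out (at most out_cap) and returns the count.
 * Duplicate (pc, hook, is_write) triples collapse into one entry, so a
 * HAP executed in a loop is listed once. */
size_t build_profile(const struct access *trace, size_t ntrace,
                     const uintptr_t *hooks, size_t nhooks,
                     struct hap *out, size_t out_cap) {
    size_t n = 0;
    for (size_t i = 0; i < ntrace; i++)
        for (size_t h = 0; h < nhooks; h++) {
            if (!overlaps(trace[i].addr, trace[i].size, hooks[h])) continue;
            int dup = 0;
            for (size_t k = 0; k < n; k++)
                if (out[k].pc == trace[i].pc && out[k].hook == hooks[h] &&
                    out[k].is_write == trace[i].is_write) dup = 1;
            if (dup || n == out_cap) continue;
            out[n++] = (struct hap){ trace[i].pc, hooks[h], trace[i].is_write };
        }
    return n;
}

/* Constructed sample: two adjacent hooks and a trace containing a repeated
 * read, a write, an 8-byte read straddling both hooks, and unrelated data. */
static const uintptr_t sample_hooks[] = { 0xc0a01000, 0xc0a01008 };
static const struct access sample_trace[] = {
    { 0xc0100010, 0xc0a01000, 8, 0 },  /* read hook 0 */
    { 0xc0100010, 0xc0a01000, 8, 0 },  /* same HAP again (loop) */
    { 0xc0100020, 0xc0a01008, 8, 1 },  /* write hook 1 */
    { 0xc0100030, 0xc0a01004, 8, 0 },  /* straddles hook 0 and hook 1 */
    { 0xc0100040, 0xc0a02000, 4, 0 },  /* not a hook */
};
static struct hap sample_out[8];

size_t sample_profile_len(void) {
    return build_profile(sample_trace, 5, sample_hooks, 2, sample_out, 8);
}
const struct hap *sample_profile_get(void) { return sample_out; }
```

The straddling read shows why the check must be an overlap test rather than an exact address match: one instruction can be a HAP for two hooks at once.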

ONLINE HOOK PROTECTOR. Its input is the hook access profile. It creates a shadow copy of all protected hooks and instruments the HAP instructions so that their accesses are transparently redirected to the shadow copy. The shadow copies are placed in a centralized location where they can be protected from unauthorized modification by kernel rootkits (i.e. with page-level protection).

ONLINE HOOK PROTECTOR - For the design, there are three processes. Initialization: 1. A short-lived (temporary) kernel module creates the shadow copy of the kernel hooks and loads the code for the indirection layer. 2. The online patching facility provided by the hypervisor is used to instrument the HAPs in the guest kernel.

ONLINE HOOK PROTECTOR. Run-time read/write indirection. Read access: the indirection layer reads from the shadow hook copy and returns to the HAP site. Write access: the indirection layer issues a hypercall and transfers control to the hypervisor for a validation check; the memory protection component validates the write request and updates the shadow hook.

ONLINE HOOK PROTECTOR. Run-time tracking of dynamically allocated hooks. A dynamically allocated hook is embedded in a dynamic kernel object (i.e. on the heap). When such a kernel object is allocated, a hypercall is issued to HookSafe to create a shadow copy of the hook; another hypercall is triggered to remove the shadow copy when the kernel object is released.

ONLINE HOOK PROTECTOR - Implementation. It is developed on the Xen hypervisor. At runtime the hypervisor replaces each HAP instruction with a jmp instruction so that execution flows to trampoline code in the hook indirection layer. The trampoline collects runtime information, which the hook redirector uses to determine exactly which kernel hook is being accessed. After the hook redirector performs the actual read or write on the shadow hook, the trampoline executes any HAP-specific instruction that was overwritten by the jmp before returning to the original program.


MEMORY PROTECTION. To protect the guest kernel code and the in-guest memory used by HookSafe, the hypervisor maintains a shadow page table (SPT) for each guest, which regulates the translation directly from guest virtual addresses to host physical addresses. Any update to the guest page table (GPT) in the guest kernel is trapped by the hypervisor and propagated to the SPT.

EVALUATION. To evaluate HookSafe's effectiveness in preventing real-world rootkits, they used the Xen hypervisor (version 3.3.0) to protect more than 5900 kernel hooks in an Ubuntu 8.04 Linux system. Their experiments with nine real-world rootkits show that HookSafe effectively defeats the attempts of all nine to hijack the protected kernel hooks: it prevented every one of them from modifying protected hooks and hiding itself. This large-scale protection is achieved with only a 6% slowdown in system performance.

CONCLUSION. HookSafe is a hypervisor-based lightweight system that can protect thousands of kernel hooks from being hijacked by kernel rootkits. It overcomes the critical challenge of the protection granularity gap by introducing a thin hook indirection layer. Experimental results with nine real-world rootkits show that HookSafe is effective in defeating their hijacking attempts with only 6% performance overhead.

STRENGTHS. Rootkit protection is performed without needing the kernel source code (dynamic analysis). Low runtime overhead of 6%. Works with variable-length instruction architectures (e.g. x86). Achieves byte-granularity-equivalent protection using the hypervisor's page-level protection.

WEAKNESSES. It does not record what caused the rootkit infection: it can detect the hijack attempt, but not defend against future attempts. When a discrepancy is found, it automatically assumes the original hook was the one compromised. Memory usage for creating the shadow copies.

SUGGESTIONS. Test HookSafe on Windows. Instead of checking for a discrepancy between a hook and its copy, check against a hash value to find out which one is compromised. Incorporate static analysis or a broader dynamic analysis (e.g. adaptive analysis).

REFERENCES. 1. Z. Wang, X. Jiang, W. Cui, and P. Ning, "Countering kernel rootkits with lightweight hook protection", Proceedings of the 16th ACM Conference on Computer and Communications Security, Chicago, Illinois, USA, 2009, pp. 545 –

QUESTIONS