 Introduction  Prior research  Problem overview  HookSafe Design  Implementation  Evaluation  Experiment result  Conclusion


 A rootkit is a malicious program designed to hide the existence of certain processes from normal methods of detection and to enable continued privileged access to a computer.
 Kernel rootkits are considered to be among the stealthiest computer malware and pose significant security threats.
 By directly subverting the OS, they not only hide their presence but also tamper with its functionality to launch various attacks.

 Prior research:
1. Focus on analyzing rootkit behavior
2. Detecting rootkits based on certain symptoms exhibited by a rootkit infection
3. SecVisor and NICKLE, developed to preserve kernel code integrity by preventing rootkit code from executing
 These can be bypassed by return-oriented rootkits, which subvert kernel control flow and launch their attack using only legitimate kernel code snippets.

 In addition to preserving kernel code, it is important to safeguard the relevant kernel control data in order to preserve kernel control-flow integrity.
 Two main types of control data: return addresses and function pointers.
 Intuitive approach: hardware-based page-level protection.
 In the OS kernel, there exist thousands of kernel hooks that can be widely scattered. They can also be dynamically allocated.
 In this approach, all writes to the protected pages have to be trapped. This causes performance overhead due to unnecessary page faults.

 The focus of the paper is on kernel object hooking rootkits that gain control of kernel execution by hijacking either code hooks or data hooks.
 Hijacking kernel code requires modifying kernel text, which is usually static and so can be marked read-only.
 Kernel data hooks are function pointers and reside in two main kernel memory regions.

 These two memory areas are:
1. Preallocated memory areas: data sections, bss sections, loadable kernel modules
2. Dynamically allocated areas such as the kernel heap
 The HookSafe design faces the challenge of the protection granularity gap: hardware provides page-level protection, but kernel hooks are at byte-level granularity.
 Kernel hooks are scattered in kernel space and often co-located with other dynamic kernel data, so we cannot simply use page-level protection.

 All read and write accesses to protected kernel hooks are routed through a hook indirection layer.
 The offline hook profiler component profiles guest kernel execution and outputs a hook access profile for each protected hook. Kernel instructions that read or write a hook are called Hook Access Points (HAPs).
 The online hook protector creates a shadow copy of the hooks and instruments the HAP instructions so that their accesses are directed to the shadow copy.

 Static analysis and dynamic analysis
 Static analysis is performed on the OS kernel source code and uses program analysis to automatically collect the hook access profile.
 Dynamic analysis runs the target system on top of an emulator and monitors every memory access to derive hook access information.
 This allows recording precise runtime information, such as the values a hook has taken.

 Initialization:
1. Uses an in-guest, short-lived kernel module to create the shadow copy of kernel hooks and to load the code for the indirection layer.
2. Then it leverages the online patching provided by the hypervisor to instrument the HAPs in the guest kernel.

 Run-time Read/Write Indirection:
 Read access: reads from the shadow hook and returns to the HAP site.
 Write access: the indirection layer issues a hypercall and transfers control to the hypervisor. The memory protection component validates the write request and updates the shadow hook.

 Run-time tracking of dynamically allocated hooks
 A dynamically allocated hook is embedded in a dynamic kernel object.
 When one such kernel object is being allocated, a hypercall is issued to HookSafe to create a shadow copy of the hook.
 Another hypercall is triggered to remove the shadow copy when the kernel object is released.

 The online hook protection component was developed on the Xen hypervisor.
 Offline hook profiling is based on QEMU, an open-source whole-system emulator.
 The HookSafe prototype is implemented and evaluated in a system running Ubuntu Linux 8.04.

 QEMU implements a key virtualization technique called binary translation, which rewrites the guest's binary instructions.
 The prototype extends this with additional instrumentation code to record the execution of instructions that read or write memory.
 If an instruction accesses any kernel hook, it is recorded as a HAP and the accessed value is logged.
 At the end, the collected HAP instructions and values are compiled into the corresponding hook access profile.

 The hypervisor replaces the HAP instruction at runtime with a jmp instruction to detour the execution flow to trampoline code.
 The trampoline code collects runtime information, which is used by the hook redirector to determine the exact kernel hook being accessed.
 After the hook redirector performs the actual read or write on the shadow hook, the trampoline executes the HAP-specific overwritten instructions, if any, before returning to the original program.

 A five-byte jmp instruction is used to detour control from the HAP instruction to the trampoline code.
 When the HAP instruction occupies more than five bytes, the remaining space is filled with NOP instructions.
 When it occupies fewer than five bytes, the subsequent instructions are overwritten to make space.
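The patch-layout rule on this slide, worked through as an added example (this is not HookSafe's code): given the lengths of the HAP instruction and those that follow it, plan_detour works out how many bytes the five-byte jmp covers, how many NOPs pad the tail, and how many whole instructions after the HAP get displaced and must therefore be re-executed by the trampoline; encode_detour then emits the E9 rel32 encoding for a constructed pair of addresses. Instruction lengths and addresses are constructed sample inputs, and the encoding assumes a little-endian host.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define JMP_LEN 5   /* E9 rel32: the five-byte detour written at a HAP */
#define NOP 0x90

/* Plan for patching one HAP site. */
struct detour_plan {
    size_t patch_len;  /* bytes overwritten starting at the HAP */
    size_t nop_pad;    /* trailing NOPs when the covered bytes exceed five */
    size_t displaced;  /* whole instructions after the HAP that were overwritten */
};

/* lens[0] is the HAP instruction length; lens[1..n-1] are the instructions
   following it in code order. Whole instructions are consumed until at least
   five bytes are available (the five-byte jmp must not split an instruction).
   Returns 0 on success, -1 if the given instructions cannot host the jmp. */
int plan_detour(const uint8_t *lens, size_t n, struct detour_plan *out)
{
    size_t covered = 0, i = 0;
    while (covered < JMP_LEN) {
        if (i >= n || lens[i] == 0)
            return -1;              /* ran out of instruction bytes */
        covered += lens[i++];
    }
    out->patch_len = covered;
    out->nop_pad   = covered - JMP_LEN;
    out->displaced = i - 1;         /* everything consumed beyond the HAP itself */
    return 0;
}

/* Write the detour into buf: E9 followed by rel32 = target - (hap + 5),
   then NOP padding up to patch_len. Assumes a little-endian host so that the
   in-memory int32 matches the x86 displacement encoding. */
void encode_detour(uint32_t hap_addr, uint32_t tramp_addr,
                   size_t patch_len, uint8_t *buf)
{
    int32_t rel = (int32_t)(tramp_addr - (hap_addr + JMP_LEN));
    buf[0] = 0xE9;
    memcpy(buf + 1, &rel, sizeof rel);
    memset(buf + JMP_LEN, NOP, patch_len - JMP_LEN);
}
```

Displaced instructions that are themselves relative branches cannot simply be copied into the trampoline; the plan above only counts them.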

 Read/Write Indirection:
 The trampoline code prepares hook-related context information such as the HAP address and the machine registers.
 The redirector uses this information to find which hook is being read or written and then identifies the corresponding shadow hook.
 For each redirected hook read access, the hook indirection layer additionally performs a consistency check. Any difference between the original hook and the shadow hook indicates that the original hook has been compromised.
 For a write access, if the write operation is legitimate, both the shadow hook and the original hook are updated.
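The read/write indirection described in the two slides above, as an added simulation in C (not HookSafe's own code): reads always return the shadow value and flag a mismatch against the original as tampering, and writes are validated before both copies are updated. The write policy (a fixed list of permitted targets) and the stand-in handler functions are constructed for this example; the paper only says the write request is validated.

```c
#include <stddef.h>

typedef void (*hook_fn)(void);

/* Constructed stand-ins for kernel functions a hook may legitimately point to,
   and for code that a rootkit would try to redirect the hook to. */
void legit_handler(void) {}
void legit_alt_handler(void) {}
void injected_code(void) {}

struct protected_hook {
    hook_fn *original;       /* location of the function pointer in guest memory */
    hook_fn  shadow;         /* hypervisor-owned copy that control flow uses */
    const hook_fn *allowed;  /* constructed write policy: permitted targets */
    size_t n_allowed;
};

enum { HS_OK = 0, HS_TAMPERED = 1, HS_REJECTED = 2 };

/* Initialization: take the shadow copy from the current original value. */
void hook_protect(struct protected_hook *h, hook_fn *original,
                  const hook_fn *allowed, size_t n_allowed)
{
    h->original = original;
    h->shadow = *original;
    h->allowed = allowed;
    h->n_allowed = n_allowed;
}

/* Redirected read: control flow uses the shadow; the consistency check reports
   HS_TAMPERED when the original no longer matches it. */
int hook_read(struct protected_hook *h, hook_fn *out)
{
    *out = h->shadow;
    return (*h->original == h->shadow) ? HS_OK : HS_TAMPERED;
}

/* Redirected write: only a permitted target is stored, and then in both copies
   so that subsequent reads stay consistent. Anything else is rejected. */
int hook_write(struct protected_hook *h, hook_fn v)
{
    for (size_t i = 0; i < h->n_allowed; i++) {
        if (h->allowed[i] == v) {
            h->shadow = v;
            *h->original = v;
            return HS_OK;
        }
    }
    return HS_REJECTED;
}
```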

 Run-time LKM and Hook Tracking
 In Linux, kernel objects are allocated and deallocated through the SLAB allocator. There are only two instructions for this.
 Before these instructions return, the code checks whether the SLAB manages a particular kernel object containing a hook. If so, a hypercall is issued to HookSafe to track the hook's creation and termination.
 For hooks in an LKM, the relative offset from the base address where the module is loaded is fixed. Hence, the hooks' runtime locations can be calculated.

 Two sets of experiments are conducted.
 The first set evaluates HookSafe's effectiveness in preventing real-world rootkits. It prevented all of them from modifying the protected hooks and hiding themselves.
 The second set of experiments measures the performance overhead induced, which turned out to be around 6%.

 In the experiments, HookSafe takes two sets of kernel hooks.
 The first set includes 5,881 kernel hooks in the pre-allocated memory areas and dynamically loaded kernel modules.
 The second set comes from 39 kernel objects that are dynamically allocated from the kernel heap.

 Adore-ng hijacks a number of kernel hooks and gains control over kernel execution. It also has a user-level control program named ava that can send detailed instructions to the rootkit.
 Adore-ng is loaded in a guest OS not protected by HookSafe, and it successfully hides a running process.
 The experiment is repeated in the same OS protected by HookSafe. The rootkit fails to hide the process.

 By analyzing the experiment, it was found that the rootkit was able to locate and modify certain kernel hooks at their original locations.
 But since the control flows related to these hooks are now determined by the shadow hooks, the rootkit failed to hijack control flow and thus was unable to hide running processes.
 Also, a check comparing the original hook and the shadow hook is performed at each access. Hence the kernel hooks manipulated by adore-ng were identified.

 HookSafe's runtime overhead is measured on 10 tasks, including UnixBench and Unix kernel decompression and compilation. Its throughput degradation is also measured on a web server using ApacheBench.
 The guest OS is a default installation of Ubuntu server.
 In the Apache test, the Apache web server is used to serve a web page of 8K bytes.

 HookSafe is a hypervisor-based lightweight system that can protect thousands of kernel hooks from being hijacked by kernel rootkits.
 HookSafe overcomes the critical challenge of the protection granularity gap by introducing a thin hook indirection layer.
 Experimental results with nine real-world rootkits show that HookSafe is effective in defeating their hijacking attempts.
 Performance benchmarks show that HookSafe adds only about 6% performance overhead.

 Zhi Wang, Xuxian Jiang, Weidong Cui, Peng Ning. Countering Kernel Rootkits with Lightweight Hook Protection. In Proceedings of the 16th ACM Conference on Computer and Communications Security, November 09-13,
 Z. Wang, X. Jiang, W. Cui, and X. Wang. Countering Persistent Kernel Rootkits through Systematic Hook Discovery. In RAID '08: Proceedings of the 11th International Symposium on Recent Advances in Intrusion Detection,
 R. Hund, T. Holz, and F. Freiling. Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms. In Security '09.