Midterm Meeting Pete Bohman, Adam Kunk, Erik Shaw.
Outline
- The problem and why it is important
- Our solution and why it is better
- System threat defined: kernel-mode rootkit syscall table hook
- Preliminary design: defensive syscall integrity LKM, Android VMM
- Preliminary results

The Problem
Detecting rootkits on Android smart phones. This is important because:
- Smart phone use is growing tremendously (Android became the market share leader in 4Q 2010)
- Phones are starting to be used like mini computers
- Phones carry lots of sensitive data, at times more than a computer: GPS location, contacts, text messages, call data
- People make purchases on their phones (billing info)

The Problem (cont.)
- Rootkits are a major problem on any traditional monolithic operating system on our desktop computers
- Android OS is built upon the Linux kernel, so many of the attack methods targeted at Linux (LKM rootkits) may be applicable to Android
- Currently, high power consumption is a major flaw in the existing prevention methods

Our Solution
Two-part solution:
- VMM layer that lives below the guest Android OS
  - Layer-below approach to ensure the integrity of the LKM that lives as an extension to the kernel
  - Necessary to avoid malicious rootkit countermeasures, such as corrupting or disabling the protection mechanism
  - Minimal execution in the VMM to preserve power
- LKM that monitors the integrity of the syscall table and the functions it points to
  - Integrity checks at regular intervals

System Threat Defined
- The syscall table can be hooked on Android
- Hooking the syscall table is one of the most common actions performed by kernel-mode rootkits, and thus a prime place to look for rootkit activity

Preliminary Design: VMM
- Android VMM lives a layer below the guest operating system, the Android kernel
- Android VMM will check the integrity of the LKM that monitors the syscall table

Preliminary Design: VMM (cont.)
Reproduce the VMM design described in "Embedded VMM for Portable Virtual Machines":
- Booting and initialization
  - VMM image contains the guest OSes as binary data
  - Enable cache and MMU
- Guest OS loading
  - Load each OS at a separate physical address
  - Individual virtual machine state structure per guest
- Memory management
  - Manage VMM page tables
  - Shadow page tables for the guest OS

Preliminary Design: VMM (cont.)
- Full virtualization through hardware virtualization extensions
- Modified QEMU ARMv7 CPU emulator to trap to the VMM upon privileged instruction execution
References:
- Bhardwaj et al., "A Choices Hypervisor on the ARM Architecture"
- Kalla et al., "Embedded VMM for Portable Virtual Machines"

Preliminary Design (cont.)
- LKM periodically checks the integrity of the syscall table and the functions it points to
- Root of trust is placed within the VMM
- The VMM checks the integrity of this LKM from a layer below

Preliminary Results (boot time)
- Boot times of the normal Android image (zImage) and the VMM image (zVmm) were measured
- The results on the next slide are the average of three boots for each image
- The Linux 'time' utility was used to obtain the 'real', 'user', and 'sys' times of each boot
- 'Boot time' was measured from launching the image in the Android emulator until the emulator had booted and the initial screen was unlocked

Preliminary Results (boot time)

Preliminary Results (cont.)
- Faux Rootkit LKM currently hooks open(), close(), read(), and write() on load
- This functionality will be used to obtain the GPS coordinates or the phone contacts list as an example of malicious software in action
- Further investigation is required to complete this behavior

Preliminary Results (cont.)
- Protection LKM is still in the design phase
- Can leverage the same build environment as the Faux Rootkit LKM
- Integrity checking options:
  - Must be loaded first and archive the syscall table pointers on load to ensure no tampering (hard to guarantee load order without putting more responsibility on the VMM, and even then still hard)
  - Compare the syscall table in memory to the syscall table on disk
  - Enforce a capabilities table with white-listed processes: would prevent user-mode access to GPS, the call log database, and the phone contacts database, based on data observed during normal operation and enforced as a rule
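The following is an added example, not code from this project: a user-space C model of the "archive on load, then compare" option above, together with the table hook the Faux Rootkit LKM performs on open(). The "syscall table" is an ordinary array of function pointers, the handlers are stubs constructed for the example, and the checker hashes both the pointer values and the first bytes of each handler (FNV-1a, chosen here for brevity) so that it catches a swapped table entry as well as an inline patch of the handler itself. No kernel is involved; the point is the baseline-and-compare logic the protection LKM would run at each interval.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Indices into the model syscall table (constructed for this example). */
enum { IDX_OPEN = 0, IDX_CLOSE, IDX_READ, IDX_WRITE, NR_SYSCALLS };

/* Bytes at each handler's entry point covered by the code hash. */
#define PROLOGUE_BYTES 16

typedef long (*syscall_fn)(long a0, long a1, long a2);

/* Stand-ins for sys_open/sys_close/sys_read/sys_write (not real kernel code). */
static long stub_open(long a0, long a1, long a2)  { (void)a0; (void)a1; (void)a2; return 3; }
static long stub_close(long a0, long a1, long a2) { (void)a0; (void)a1; (void)a2; return 0; }
static long stub_read(long a0, long a1, long a2)  { (void)a0; (void)a1; return a2; }
static long stub_write(long a0, long a1, long a2) { (void)a0; (void)a1; return a2; }

/* The table a kernel-mode rootkit would hook. */
static syscall_fn sys_call_table[NR_SYSCALLS] = { stub_open, stub_close, stub_read, stub_write };

/* FNV-1a 64-bit; any collision-resistant hash would do in a real LKM. */
static uint64_t fnv1a(const void *data, size_t len)
{
    const unsigned char *p = data;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Hash the first PROLOGUE_BYTES of the code a handler pointer points to. */
static uint64_t handler_hash(syscall_fn fn)
{
    return fnv1a((const unsigned char *)(uintptr_t)fn, PROLOGUE_BYTES);
}

/* What the protection LKM archives on load, before any rootkit can run. */
struct baseline {
    syscall_fn ptr[NR_SYSCALLS];
    uint64_t   code_hash[NR_SYSCALLS];
};

void snapshot_baseline(struct baseline *b)
{
    for (int i = 0; i < NR_SYSCALLS; i++) {
        b->ptr[i]       = sys_call_table[i];
        b->code_hash[i] = handler_hash(sys_call_table[i]);
    }
}

/* Periodic check. Bit i is set if entry i was tampered with: the pointer no
 * longer matches the baseline (table hook) or the code it points to changed
 * (inline hook of the handler). */
unsigned check_integrity(const struct baseline *b)
{
    unsigned tampered = 0;
    for (int i = 0; i < NR_SYSCALLS; i++) {
        if (sys_call_table[i] != b->ptr[i] ||
            handler_hash(sys_call_table[i]) != b->code_hash[i])
            tampered |= 1u << i;
    }
    return tampered;
}

/* Faux rootkit: the same table hook the Faux Rootkit LKM does for open().
 * The hook passes through to the original handler so callers notice nothing. */
static syscall_fn orig_open;
unsigned long hook_hits;

static long hooked_open(long a0, long a1, long a2)
{
    hook_hits++;                       /* where a real rootkit would log or exfiltrate */
    return orig_open(a0, a1, a2);
}

void rootkit_install(void)
{
    orig_open = sys_call_table[IDX_OPEN];
    sys_call_table[IDX_OPEN] = hooked_open;
}

void rootkit_remove(void)
{
    sys_call_table[IDX_OPEN] = orig_open;
}

int main(void)
{
    struct baseline b;
    snapshot_baseline(&b);
    printf("clean:         tampered=0x%x\n", check_integrity(&b));
    rootkit_install();
    sys_call_table[IDX_OPEN](0, 0, 0);
    printf("hooked:        tampered=0x%x (hook hits=%lu)\n", check_integrity(&b), hook_hits);
    rootkit_remove();
    printf("after removal: tampered=0x%x\n", check_integrity(&b));
    return 0;
}
```

Two design points carry over to the real LKM. First, the baseline is only as trustworthy as the moment it is taken, which is exactly why the slide above worries about load order and why the VMM is meant to verify the checker from below. Second, hashing the handler code, not just the pointer, is what makes the check catch a rootkit that leaves the table intact and patches sys_open's prologue instead; the pointer comparison alone would pass.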