Contents Introduction Available OSF Solutions for VM UFO Design Implementation Evaluation Discussion Conclusions References.

Slides:



Advertisements
Similar presentations
Configuration management
Advertisements

EUROSEC 2011 Gábor Pék, Boldizsár Bencsáth and Levente Buttyán Laboratory of Cryptography and Systems Security Budapest University of Technology and Economics.
Attacks on Virtual Machine Emulators Peter Ferrie, Senior Principal Researcher 12 April, 2007.
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Using VMX within Linux We explore the feasibility of executing ROM-BIOS code within the Linux x86_64 kernel.
Unit 4 Chapter-1 Multitasking. The Task State Segment.
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
Intel MP.
Microprocessors system architectures – IA32 real and virtual-8086 mode Jakub Yaghob.
Variability Oriented Programming – A programming abstraction for adaptive service orientation Prof. Umesh Bellur Dept. of Computer Science & Engg, IIT.
The Future of Correct Software George Necula. 2 Software Correctness is Important ► Where there is software, there are bugs ► It is estimated that software.
Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.
Business Intelligence Michael Gross Tina Larsell Chad Anderson.
Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 10 04/18/2011 Security and Privacy in Cloud Computing.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Virtualization for Cloud Computing
LINUX Virtualization Running other code under LINUX.
Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?
UNIT 2 Memory Management Unit and Segment Description and Paging
Microprocessor system architectures – IA32 segmentation Jakub Yaghob.
Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using.
Operating System Support for Virtual Machines Samuel T. King, George W. Dunlap,Peter M.Chen Presented By, Rajesh 1 References [1] Virtual Machines: Supporting.
Benefits: Increased server utilization Reduced IT TCO Improved IT agility.
1 Software Testing and Quality Assurance Lecture 33 – Software Quality Assurance.
CHAPTER 2: COMPUTER-SYSTEM STRUCTURES Computer system operation Computer system operation I/O structure I/O structure Storage structure Storage structure.
Object-Oriented Software Engineering Practical Software Development using UML and Java Chapter 1: Software and Software Engineering.
Ether: Malware Analysis via Hardware Virtualization Extensions Author: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee Presenter: Yi Yang Presenter:
Session objectives Discuss whether or not virtualization makes sense for Exchange 2013 Describe supportability of virtualization features Explain sizing.
CS533 Concepts of Operating Systems Jonathan Walpole.
High Performance Computing on Virtualized Environments Ganesh Thiagarajan Fall 2014 Instructor: Yuzhe(Richard) Tang Syracuse University.
Copyright © cs-tutorial.com. Overview Introduction Architecture Implementation Evaluation.
.  Define risk and risk management  Describe the components of risk management  List and describe vulnerability scanning tools  Define penetration.
Oracle's Distributed Database Bora Yasa. Definition A Distributed Database is a set of databases stored on multiple computers at different locations and.
Dynamic and Secure Application Consolidation with Nested Virtualization and Library OS in Cloud Kouta Sannomiya and Kenichi Kourai (Kyushu Institute of.
Disco : Running commodity operating system on scalable multiprocessor Edouard et al. Presented by Vidhya Sivasankaran.
02/09/2010 Industrial Project Course (234313) Virtualization-aware database engine Final Presentation Industrial Project Course (234313) Virtualization-aware.
INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used? Tripwire.
Virtual 8086 Mode  The supports execution of one or more 8086, 8088, 80186, or programs in an protected-mode environment.  An 8086.
Security Vulnerabilities in A Virtual Environment
Modeling Virtualized Environments in Simalytic ® Models by Computing Missing Service Demand Parameters CMG2009 Paper 9103, December 11, 2009 Dr. Tim R.
Cryptography and Network Security Sixth Edition by William Stallings.
Full and Para Virtualization
Lecture 26 Virtual Machine Monitors. Virtual Machines Goal: run an guest OS over an host OS Who has done this? Why might it be useful? Examples: Vmware,
Efficient software-based fault isolation Robert Wahbe, Steven Lucco, Thomas Anderson & Susan Graham Presented by: Stelian Coros.
Privilege Escalation Two case studies. Privilege Escalation To better understand how privilege escalation can work, we will look at two relatively recent.
Protection of Processes Security and privacy of data is challenging currently. Protecting information – Not limited to hardware. – Depends on innovation.
OSes: 2. Structs 1 Operating Systems v Objective –to give a (selective) overview of computer system architectures Certificate Program in Software Development.
Page Replacement Implementation Issues Text: –Tanenbaum ch. 4.7.
Microprocessor system architectures – IA32 security
Information Security - 2. Task Switching Every process has an associated Task State Segment, whose starting point is stored in the Task register. A task.
Chapter 7 Memory Management Eighth Edition William Stallings Operating Systems: Internals and Design Principles.
1 Chapter 2: Operating-System Structures Services Interface provided to users & programmers –System calls (programmer access) –User level access to system.
DIVYA K 1RN09IS016 RNSIT1. Cloud computing provides a framework for supporting end users easily through internet. One of the security issues is how to.
Virtualization for Cloud Computing
Virtualization.
Virtualization D. J. Foreman 2009.
Breaking Up is Hard to Do
Current Generation Hypervisor Type 1 Type 2.
COMBINED PAGING AND SEGMENTATION
Anton Burtsev February, 2017
Lecture 24 Virtual Machine Monitors
Running other code under LINUX
Architectural Support for OS
Shielding applications from an untrusted cloud with Haven
Architectural Support for OS
CSE 471 Autumn 1998 Virtual memory
Autonomous Network Alerting Systems and Programmable Networks
First Generation 32–Bit microprocessor
CS295: Modern Systems Virtualization
Presentation transcript:

Contents Introduction Available OSF Solutions for VM UFO Design Implementation Evaluation Discussion Conclusions References

1. Introduction Operating System fingerprinting(OSF) is the process of identifying the OS variant and version OSF is helpful for the administrators to properly decide the security policy to protect their systems. memory analyzing can only be done when we know exactly the OS version of the OS inside the VM, because every OS variant, and also OS version, is very different in the internal structure

Unfortunately, available OSF approaches against VM have many problems. They fail badly against modern OS-es having none or minimal customization. some methods are not as fast as we would desire. some methods depend on the hypervisors, and can only recognize particular OS-es.

2. Available OSF Solutions for VM 1. Network-based OSF:-all the network-based OSF methods suffer some major problems. 2. They either rely on scanning open ports on the target, or on examining the replied packets. 3. network-based OSF is quite slow. 4. It is a trend that the administrators are more aware of OSF issue, and start to deploy antifinger OS solutions, such as ipmorph in their system to fool all the current network-based OSF methods

Memory Introspection(MI):- MI is the method of inspecting and analyzing the raw memory of the guest VM from the host VM, to understand the context and status of the guest. Inspecting File-system Content:- This approach is feasible because in principle, the host VM can access to the guest’s FS, and reads its content. This method is already used by a tool named virt-inspector. there are some significant problems with this approach. Firstly, if the guest uses an unknown FS, it is impossible for the host to mount its FS and access its content.

We desire a better OSF tool with the following six requirements. 1. It gives an accurate fingerprint result. 2. It does not depend on the compiler used to compile the OS. 3. It is more resilient against OS tweaking. 4. It is not easy to be fooled by currently available anti- OSF tools. 5. It is faster, and should not cause any negative impact on the guest performance. 6. It can work with all kind of hypervisors.

3. UFO Design Modern OSes mainly function in protected mode to take advantage of various features offered by Intel architecture. Intel Protected Mode:-Protected mode is an operational mode of Intel compatible CPU, allowing system software to utilize features not available in the obsolete real-mode, such as virtual memory, paging, etc.

OS Parameters:- an OS uses several facilities, making a set of OS parameters, defined as followings. Segment parameters:-segment parameters have the following three attributes: segment selector, segment base and segment limit, representing the selector, the base and the limit of the segment, respectively. Task Register parameter(TR):-it consists of the segment selector, and segment limit attributes, representing the selector and limit of the TSS segment, respectively. GDT parameter:-The GDT can be located by the its base and limit. IDT parameter:- IDT parameter has IDT limit as its only attribute. Feature parameters:-It has 64-bit,Fast-syscal, non- executable facility

UFO Fingerprinting Method:-To perform fingerprinting, we have to prepare signatures for all the OS-es we want to identify. Generate a signature for each OS, and put them into a database of signatures, called the signature database. Match each VM parameter against a corresponding parameter in the signature. for each segment parameter, the corresponding signature parameter is the segment parameter of the ring level that the VM segment parameter is functioning in. the fingerprinting process would return the exact OS as the result

Generate OS signatures:- A naive approach to gather all the possible parameters is to have a tool running in the host VM, and this tool periodically queries the targeted VM for its OS parameters. it is not guaranteed that such an external tool can collect all the possible values of all OS parameters. OS behaves in the same way under different hypervisors, our signatures are hypervisor independent, and can be reused by all the hypervisors

4. Implementation To generate the OS signatures, we have a tool named UFO-profiler. We implemented UFO-profiler based on the QEMU emulator. UFO-profiler instruments QEMU to record every time the related OS parameters change their values. OS is run in UFO-profiler, and the profiling process starts when the VM switches to protected mode, and ends when the VM shutdowns.

following Intel instructions are instrumented by UFO-profiler: mov, int, sysenter, sysexit,syscall, sysret, jmp far, call far, lds, les, lfs, lgs,lgdt, lidt, ltr, wrmsr, loadall, and iret. UFO-profiler must also instrument to monitor some low level activities that modifies OS parameters.

5. Evaluation Evaluation against various OS-es available shows that UFO is extremely fast. UFO identifies the OS variant with 100% accuracy. If it cannot give out the exact OS version, UFO can report a range of versions for the answer. In the case the UFO cannot identify the OS due to the missing signature, it can still give out the best match OSes, which have the highest score.

6. Discussion It handles the security threat as in cloud enviroment. we assume that the hypervisor is secure, and can not be breached from inside the guest VM. For the small modifications to the OS, UFO can still give a hint about the OS thanks to its fuzzy detection, which is close in many cases. The other problem is that UFO is not always able to give out the exact version of the OS.

7.Conclusions UFO is a novel method of fingerprinting OS running inside VM. designed specifically for VM environment, UFO can quickly identify the OS variants and OS versions with excellent accuracy.

8. Reference presentations/Quynh/DEFCON-18-Quynh-OS- Fingerprinting-VM.pdf

Thank you