Protecting The Kernel Data through Virtualization Technology BY VENKATA SAI PUNDAMALLI id :
CONTENTS ● Introduction ● Rootkit defense overview ● Access control model for kernel data protection ● Architecture of VMHUKO ● Implementation ● Conclusion and future work ● References ● Queries
INTRODUCTION Virtualization technology has become a hot topic with the development of computer architectures which are usedin the Cloud Computing Environment. Core part of virtualization is the Virtual Machine Monitor (VMM). VMM is a software layer lying between the operating system and hardware. Present days kernel-level attacks such as rootkits are severe threats to operating system if kernel doesn’t have defense code. To protect the kernel from these attacks VMM is a good platform to counter the threat. Placing security software on VMM will help in defending rootkits from executing unauthorized code in kernel space.
We still have some limitations in this method. 1.Kernel data attacks which are not introduced by any unauthorized code but modify existing kernel data. 2.New kernel code execution can’t be refused as hardware manufacturers export new drivers every day and it is impossible to authorize all these drivers. Here we present a system called VMhuko that protects the kernel data Contd.,
Rootkit defense overview Generally kernel data can be divided into two types: 1.control data 2.non-control data Rootkits can hijack kernel control flow by modifying control data and redirect it to perform malicious actions. Non-control data attacks are difficult to find as they don’t change the control flow. Direct Kernel Object Manipulation(DKOM) is a famous technique where rootkits can hide malicious objects. System performance will be progressively worse due to non-control data attacks. To combat rootkits, all critical kernel data access should be checked and interpreted using operating system knowledge.
Kernel level software has full access to kernel components, to prevent corruption it is necessary to monitor kernel module execution. Kernel module execution is modeled at machine instruction level as low level instruction can access memory and CPU directly. A kernel module execution can be defined as the process of memory and CPU state updating. To represent kernel module execution we define a transition function where, ‘I’, all possible instructions,‘I m ⊆ I’ set of instructions belongs to kernel module. ‘M’, ‘C’, set of all possible memory states and CPU states,‘M p ⊆ M’, ‘C p ⊆ C’ set of all memory states and CPU states related to system security. Access control model for kernel data protection
M p and C p are important system resources and services accessed by loadable kernel module. There are two types of objects: 1.kernel objects 2.hardware objects Access control monitor mediates every memory and CPU state updates of M p and C p. Our security policy restricts I m to access M p and C p directly instead kernel module can interact with the rest kernel via functions. Contd.,
Architecture of VMHUKO VMhuko is designed to provide real-time protection mechanism for OS which is vulnerable to kernel level attack. VMhuko architecture has three parts 1.Security VM 2.Guest VM 3.VMM Four components of VMhuko a.Enforcer b.Memory Monitor c.Security Policy d.Controller
a. Enforcer This is the key component in VMhuko which is designed to analyze unauthorized kernel data access and take corresponding action. Here we have three modules: 1.Analyzer 2.Intrusion Counter 3.Instruction Emulator
b. Memory monitor This component is used to capture the unauthorized data access and send it to Enforcer. VMhuko actively monitors data access by making full use of hardware page fault mechanism and source code knowledge for kernel data access. VMhuko uses a technique called “shadow paging” which maintains two versions of page tables. 1.guest page tables(GPTs) which are controlled by guest OS. 2.shadow page tables(SPTs) which are controlled by the VMM. Identification of static kernel objects is easy but identifying dynamic kernel objects becomes a challenge. VMhuko approach is based on key observation, all dynamic data must be accessible from global kernel data objects. We mark pointer-valued fields of global variables as protected areas. When any one of these areas are accessed then it will be trapped into VMM, and VMhuko will reconstruct the original kernel object pointed by pointer-valued fields.
c. Security Policy Our protecting model is to make all attempted readings and writings of security- critical data checked for validity at VMM which then takes appropriate action according to policy. I m can access M p and C p via read and write instruction directly. I m can influence the important states of M p and C p using call operation. VMhuko’s kernel policy contains Static kernel object, which is fixed when kernel is built Dynamic kernel object, which can be determined at run time.
d. Controller Controller provides an interface for administrators to communicate with the VMM. VMM provides hypercall through which controller can transfer the information to it. When VMM detects an attack, it notifies the controller all the related information including the attack operation and the response results. Our system creates communication channel via shared memory.
Implementation We will implement VMhuko prototype using Xen for VMM, Ubuntu 8.04 in the security VM and CentOS in the Guest VM with Hardware Virtual Machine (HVM) mode which can be executed without modification. There are four components for this Implementation a.Memory access mediation b.Instruction Emulation c.Policy d.Controller
a. Memory access mediation Mediating memory access is the key issue to our system. We identify the pages that need to be protected and set page flag as Not- Writable or Not-Present based on Policy. If flag is set to Not-Writable, we can trap Write access. If flag is set to Not-Present, we can trap both Read and Write access. If any code tries to access these pages then it causes a page fault.
Contd.,
b. Instruction Emulation VMhuko needs to handle the normal access action. Operating system will not be aware of special page fault while execution without VMM. Implementation details for instruction emulations are as follows:
Contd., We use hvm_emulate_prepare to prepare the emulation environment. hvm_emulate_one is used to perform the instruction emulation. Emulation component can not handle all faulting instructions, only few special instructions can be executed on real hardware environment. This limitation does not affect the system defense in our experiment.
c. Policy Kernel rootkit defending techniques depends on policy. Set of policies are defined based on access control model with kernel objects. There are some specific access control policies which include both static and dynamic objects.
d. Controller Controller will reside in the Security VM. The basic process is implemented as follows: 1.We use xc_evtchn_open to open the event channel in user space. 2.We apply alloc_xenheap_pages to allocate shared memory in VMM. 3.We map to controller using xc_map_foreign_range.
Conclusion and Related work VMhuko is a system which can detect and prevent both static and dynamic kernel data attacks. The system is effective to protect the OS kernel and the computational overhead is affordable. In the future, we will explain methods to reduce performance overhead for the system. With the help of expert knowledge, we can split kernel data structures into 1.none-security part 2.security part which are then centralized in dedicated pages. Putting enforcement in VMM will be a better choice.
References “Detecting Dynamic Data Kernel Rootkit Attacks via VMM-based Guest-Transparent Monitoring”, by J. Rhee, R. Riley, D. Xu and X. Jiang “An Architecture for Secure Active Monitoring Using Virtualization”, by BD. Payne, M. Carbone, M. Sharif and W. Lee " Guest-Transparent Prevention of Kernel Rootkits with VMM-based Memory Shadowing“, by R. Riley, X. Jiang, and D. Xu " Xen and the art of virtualization“, by P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauer, I. Pratt, and A. Warfield.
QUERIES ??