Download presentation
Presentation is loading. Please wait.
Published byあつとし いそみ Modified over 6 years ago
1
VMPCS-OGC Virtual Machine Protection and Checking System using Out-of-Guest Control
ferify
2
Why cant we have synergy between the Hypervisor and VM Guest?
Since a Hypervisor (Bare Metal) has less processes … and Since a Hypervisor is at arms length from the end users … and Since a Hypervisor is administered by an admin, with no web browsers and user based processes … and Since a Hypervisor can have a small code base (<50k lines or code), there is less of a chance of errors in the code running on the hypervisor ...and… Since a VM Guest can have great usability … but Since with a great usability VM Guest OS has greater chance of many process .. and Since it has a greater chance of having many applications … and Since it has many applications, it has a better chance of having more developers and therefor due to all of the above, the VM Guest OS has a greater chance of being low assurance, …
3
Scenario Remotely accessible Virtual Machine
Legitimate Secure user1 account Compromised legitimate user2 account Root access gained from user2 account or root privilege gained through a poorly created application Many Virtual Machine Introspection solutions protect the kernel and the OS from corruption
4
Why cannot the Hypervisor better protect the VM Guest, perhaps it can protect the VM Guests files
VM Guest OS must access its files from the Hypervisor Hypervisor security code determines if access is granted or not from a file table of file attributes No matter what happens on the VM Guest, access is determined by the Hypervisor Hypervisor Hypervisor security code VM Guest file access File Memory Location
5
Introduction to ferify
Goal: Prevent unauthorized access to user’s files from other users/processes including root. Protect the user’s files directly from the hypervisor. ferify is based on DRAKVUF, “…a virtualization based agentless black-box binary analysis system…” The VM Guest should not affect the security measures Minimal footprint that is nearly undetectable Linux based protection system using system call interrupts
6
Methodology
8
What is monitored All processes, current and future
All file access requests through the trapped system calls are compared to an ACL table on the Hypervisor Credentials of running processes User process changes (fork-as-user, then access a file) All execution requests are trapped via system calls and compared to ACLs on the Hypervisor with a denied by default / white listing Attempts at kernel modification are trapped via system calls and denied The kernel system call memory locations are compared when used
9
Future Work for VMPCS-OGC
How can ferify be used as a Honeypot and can we lean real time what are the vectors of malware insertion? How can Red Teaming be performed on ferify? How can ferify be enhanced to perform extended messaging (using drakvuf/libvmi/altp2m there is great access to all processes and users) and what kind of messaging should be enabled? Can ferify be extended to perform file privacy even when the file protected is accessible by legitimate users, such as database files (can we create extended groups for obfuscation, or a file prevention mechanism based on fork-as-user, then file access)? Can we use drakvuf to extend Windows7 or Windows10 to protect files?
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.