Presentation is loading. Please wait.

Presentation is loading. Please wait.

Vinod Ganapathy vg@iisc.ac.in securely How to snapshot memory Vinod Ganapathy vg@iisc.ac.in.

Published by福 宦 Modified over 5 years ago

Similar presentations

Presentation on theme: "Vinod Ganapathy vg@iisc.ac.in securely How to snapshot memory Vinod Ganapathy vg@iisc.ac.in."— Presentation transcript:

1 Vinod Ganapathy vg@iisc.ac.in
securely How to snapshot memory Vinod Ganapathy

2 The layer-below principle
The lower you go, the more control you have User app User app Least control Utilities & Libraries ls, ps, & bash utilities libc gcc Operating System Syscalls IDT Kernel Code Process List Memory I/O devices CPU Hardware Most control Vinod Ganapathy - EECS Symposium

3 Example: Malware detection
User app Utilities & Libraries Operating System Hardware Vinod Ganapathy - EECS Symposium

4 Example: Malware detection
User app Malware detector Utilities & Libraries Operating System Hardware Vinod Ganapathy - EECS Symposium

5 Example: Malware detection
User app Malware detector Trusted Layer Utilities & Libraries TCB cat ps ls Operating System Hardware Vinod Ganapathy - EECS Symposium

6 Libraries may be compromised!
User app Malware detector Utilities & Libraries cat ps ls Operating System Hardware Vinod Ganapathy - EECS Symposium

7 Vinod Ganapathy - EECS Symposium
Solution: Query the OS Query with syscall 1 2 OS reads file User app Malware detector 3 Returns true file content Utilities & Libraries 2 1 3 Operating System System call API TCB Hardware Vinod Ganapathy - EECS Symposium

8 What if the OS is malicious?
User app Malware detector Utilities & Libraries Operating System System call API Is it game over? Hardware Vinod Ganapathy - EECS Symposium

9 How does an OS get infected?
Exploits of kernel vulnerabilities: Injecting malicious code by exploiting a memory error in the kernel Privilege escalation attacks: Exploit a root process and use resulting administrative privileges to update the kernel Social engineering attacks: Trick user into installing fake kernel updates Defeated via signature verification of kernel updates Trivial to perform prior to the Windows Vista OS Vinod Ganapathy - EECS Symposium

10 How prevalent are OS infections?
2010 Microsoft report: 7% of all infections from client machines due to rootkits[1] 2016 HummingBad Android rootkit:[2] Up to 85 million Android devices infected? Earns malware authors $300,000 each week through fraudulent mobile advertisements Used in many high-profile incidents: Torpig and Storm botnets Sony BMG (2005), Greek wiretapping (2004/5) [1] Microsoft Malware Protection Center, “Some Observations on Rootkits,” January 2010, [2] CheckPoint Software, “From HummingBad to Worse,” July 2016, Vinod Ganapathy - EECS Symposium

11 How can we detect OS infection?
Ask for help from the layers below User app Malware detector Utilities & Libraries Operating System System call API Is it game over? TCB Hypervisor (a.k.a. Virtual Machine Monitor) Hardware Vinod Ganapathy - EECS Symposium

12 Vinod Ganapathy - EECS Symposium
How low can we go? User app Malware detector Utilities & Libraries Operating System Is it game over? Hypervisor [Bluepill, Subvert] TCB Hardware Vinod Ganapathy - EECS Symposium

13 Vinod Ganapathy - EECS Symposium
How low can we go? User app Malware detector Utilities & Libraries Operating System Is it game over? Hardware ??? [Stuxnet, Trojaned ICs] TCB Vinod Ganapathy - EECS Symposium

14 Vinod Ganapathy - EECS Symposium
Today’s talk Memory forensics: Using memory snapshots to detect system infection. Volatility Foundation Vinod Ganapathy - EECS Symposium

15 Potentially rootkit-infected
Modus operandi Target machine Potentially rootkit-infected User app User app Utilities & Libraries Operating System Kernel Code Process List Syscall Hardware Physical Memory TCB Vinod Ganapathy - EECS Symposium

16 Potentially rootkit-infected
Modus operandi Target machine Potentially rootkit-infected Analysis machine Trusted User app User app Utilities & Libraries Operating System Kernel Code Process List Syscall Hardware Physical Memory TCB Vinod Ganapathy - EECS Symposium

17 Potentially rootkit-infected
Modus operandi Target machine Potentially rootkit-infected Analysis machine Trusted User app User app Utilities & Libraries Operating System Kernel Code Process List Syscall Snapshot of memory pages Hardware Physical Memory TCB Vinod Ganapathy - EECS Symposium

18 Vinod Ganapathy - EECS Symposium
Research questions How do we analyze memory snapshots? Large body of work (~15 years) on this topic. How can we snapshot memory pages without involving the target’s OS? Focus of this talk! Vinod Ganapathy - EECS Symposium

19 Snapshot acquisition mechanism
Tamper resistance Performance isolation Snapshot consistency 1 2 3 Vinod Ganapathy - EECS Symposium

20 Target should not interfere with snapshot acquisition
Tamper resistance Tamper resistance Performance isolation Snapshot consistency Target should not interfere with snapshot acquisition Vinod Ganapathy - EECS Symposium

21 Target should not interfere with snapshot acquisition
Tamper resistance Tamper resistance Performance isolation Snapshot consistency Virtualization Target should not interfere with snapshot acquisition Operating System Hypervisor can fetch memory from virtual machine without OS involvement Virtual Hardware Physical Memory Hypervisor Vinod Ganapathy - EECS Symposium

22 Target should not interfere with snapshot acquisition
Tamper resistance Tamper resistance Performance isolation Snapshot consistency Virtualization Co-processor Target should not interfere with snapshot acquisition Operating System Co-processor uses DMA OS on target involved in DMA setup Malicious OS can hide portions of memory with malicious content Hardware Physical Memory Vinod Ganapathy - EECS Symposium

23 Performance isolation
Tamper resistance Performance isolation Snapshot consistency Virtualization Co-processor Do not halt the target during snapshot acquisition Necessary for situations where frequent snapshot acquisition is necessary Hypervisor-based acquisition requires pausing the virtual machine Co-processor can operate in concert with target Vinod Ganapathy - EECS Symposium

24 Snapshot consistency Consistent snapshot Inconsistent snapshot

25 Vinod Ganapathy - EECS Symposium
Snapshot consistency Tamper resistance Performance isolation Snapshot consistency Virtualization Co-processor Snapshot should faithfully represent target’s state at a given instant in time Operating System CONSISTENT T F1 F2 Hardware Physical Memory CONSISTENT NULL T + δ F1 F2 Vinod Ganapathy - EECS Symposium

26 Vinod Ganapathy - EECS Symposium
Snapshot consistency Tamper resistance Performance isolation Snapshot consistency Virtualization Co-processor Snapshot should faithfully represent target’s state at a given instant in time Operating System INCONSISTENT F1 F2 T T + δ Hardware Co-processor cannot pause target. Snapshot may contain pages obtained at different instants in time Physical Memory Vinod Ganapathy - EECS Symposium

27 Vinod Ganapathy - EECS Symposium
Introducing SnipSnap Tamper resistance Performance isolation Snapshot consistency Virtualization Co-processor SnipSnap New hardware-based design for memory snapshotting. Proposed deployment? Via die-stacked manufacturing. Vinod Ganapathy - EECS Symposium

28 Vinod Ganapathy - EECS Symposium
Die-stacked chip On-chip memory (high-speed) CPU and Memory controller Picture courtesy of AMD Vinod Ganapathy - EECS Symposium

29 Traditional (off-chip)
Die-stacked chip Traditional (off-chip) DRAM memory On-chip memory (high-speed) Memory bus CPU and Memory controller Design space of methods to use the on-chip memory still a topic of active debate in the computer architecture community. Picture courtesy of AMD Vinod Ganapathy - EECS Symposium

30 Our use of die-stacking
On-chip DRAM treated as a page-granularity cache of off-chip DRAM memory Every address accessed by the CPU will result in the page frame being fetched to on-chip DRAM Cache of off-chip DRAM memory Off-chip DRAM On-chip DRAM Memory bus Memory controller Crypto logic CPU Vinod Ganapathy - EECS Symposium

31 Triggering snapshot acquisition
Off-chip DRAM On-chip DRAM Memory bus Memory controller Crypto logic CPU Trigger = Device that communicates to the CPU to enter snapshot acquisition mode: Physical device attached to South/NorthBridge that sends a non-maskable interrupt NIC with Wake-on-LAN-like feature Vinod Ganapathy - EECS Symposium

32 Snapshot acquisition mode
1 Off-chip DRAM CoW Cache Memory bus Memory controller Crypto logic CPU Memory controller splits on-chip DRAM into two parts: Cache of off-chip DRAM memory Copy-on-Write (CoW) area Vinod Ganapathy - EECS Symposium

33 Snapshot acquisition mode
2 Off-chip DRAM CoW Cache Fi Fi Memory bus Memory controller Crypto logic CPU Hardware brings one page frame of off-chip DRAM at a time to on-chip DRAM cache Vinod Ganapathy - EECS Symposium

34 Snapshot acquisition mode
3 Off-chip DRAM + Page# + Rand# Fi CoW Cache Memory bus Memory controller Crypto logic CPU Crypto logic digitally signs contents of page: Random nonce used to prevent replay attacks Same nonce used for all pages in snapshot Vinod Ganapathy - EECS Symposium

35 Snapshot acquisition mode
4 Off-chip DRAM + Page# + Rand# Fi CoW Cache Memory bus Memory controller Crypto logic CPU Disk Hardware instructs OS to write signed page to external medium: Even if OS is infected, it cannot cheat, since integrity of page is protected by the hardware Vinod Ganapathy - EECS Symposium

36 Snapshot acquisition mode
5 Off-chip DRAM Fj CoW Cache Fj Memory bus Memory controller Crypto logic CPU CPU continues to execute concurrently: If it writes to page Fj that has not yet been copied  Memory controller makes a copy of the original page in the Copy-on-Write area When hardware ready to snapshot Fj, copy created from Copy-on-Write area Vinod Ganapathy - EECS Symposium

37 At conclusion of acquisition
+ 0 + R F0 + 1 + R F1 + N + R FN Consistent snapshot of off-chip memory at instant when acquisition was initiated Snapshot is tamper-resistant even to a corrupted OS Obtained without pausing target machine If OS attempts to hide malicious activity, will be evident because CoW will capture original page. Vinod Ganapathy - EECS Symposium

38 Vinod Ganapathy - EECS Symposium
Security analysis + 0 + R F0 + 1 + R F1 + N + R FN Malicious OS cannot: Corrupt pages in snapshot: Integrity Hide pages from snapshot: Completeness Replay old snapshot: Freshness “Clean” itself during snapshot acquisition because Copy-on-Write stores original page: External control Verified SnipSnap’s design using the TLA+ model checker [Lamport] If OS attempts to hide malicious activity, will be evident because CoW will capture original page. Vinod Ganapathy - EECS Symposium

39 Evaluation Hardware emulator using a NUMA system. Evaluated:
Memory-intensive workloads canneal, dedup, memcached, graph500, mcf, cfar10, mnist Effectiveness of performance-isolation claim Time to procure full snapshot of memory

40 Application performance with virtual machine-based snapshotting

41 Application performance with SnipSnap-based snapshotting

42 Thank you Vinod Ganapathy
Google “Secure, Consistent, High-Performance Memory Snapshotting” for a copy of the paper

Download ppt "Vinod Ganapathy vg@iisc.ac.in securely How to snapshot memory Vinod Ganapathy vg@iisc.ac.in."

Similar presentations

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Chapter 6 Security Kernels.

Chapter 6 Security Kernels.
Rootkits on Smart Phones: Attacks, Implications and Opportunities Jeffrey Bickford, Ryan O’Hare, Arati Baliga, Vinod Ganapathy, and Liviu Iftode Department.

Rootkits on Smart Phones: Attacks, Implications and Opportunities Jeffrey Bickford, Ryan O’Hare, Arati Baliga, Vinod Ganapathy, and Liviu Iftode Department.
Chap 2 System Structures.

Chap 2 System Structures.
ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification Installation and Cloaking Detection Removal.

ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification Installation and Cloaking Detection Removal.
Students: Jacek Czeszewski and Marcos Verdini Rosa Professor: José Manuel Magalhães Cruz.

Students: Jacek Czeszewski and Marcos Verdini Rosa Professor: José Manuel Magalhães Cruz.
Malwares – Types & Defense Raghunathan Srinivasan Sept 25, 2007 CSE 466/598 Computer Systems Security.

Malwares – Types & Defense Raghunathan Srinivasan Sept 25, 2007 CSE 466/598 Computer Systems Security.
Virtual Machine Security Design of Secure Operating Systems Summer 2012 Presented By: Musaad Alzahrani.

Virtual Machine Security Design of Secure Operating Systems Summer 2012 Presented By: Musaad Alzahrani.
© 2004, D. J. Foreman 1 O/S Organization. © 2004, D. J. Foreman 2 Topics  Basic functions of an OS ■ Dev mgmt ■ Process & resource mgmt ■ Memory mgmt.

© 2004, D. J. Foreman 1 O/S Organization. © 2004, D. J. Foreman 2 Topics  Basic functions of an OS ■ Dev mgmt ■ Process & resource mgmt ■ Memory mgmt.
Operating System Support Focus on Architecture

Operating System Support Focus on Architecture
OS Fall ’ 02 Introduction Operating Systems Fall 2002.

OS Fall ’ 02 Introduction Operating Systems Fall 2002.
OS Spring’03 Introduction Operating Systems Spring 2003.

OS Spring’03 Introduction Operating Systems Spring 2003.
OS Spring’04 Introduction Operating Systems Spring 2004.

OS Spring’04 Introduction Operating Systems Spring 2004.
Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor.

Jiang Wang, Joint work with Angelos Stavrou and Anup Ghosh CSIS, George Mason University HyperCheck: a Hardware Assisted Integrity Monitor.
Tanenbaum 8.3 See references

Tanenbaum 8.3 See references
VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.

VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.
1 UCR Firmware Attacks and Security introduction.

1 UCR Firmware Attacks and Security introduction.
Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using.

Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using.
G53SEC 1 Reference Monitors Enforcement of Access Control.

G53SEC 1 Reference Monitors Enforcement of Access Control.
Architecture for Protecting Critical Secrets in Microprocessors Ruby Lee Peter Kwan Patrick McGregor Jeffrey Dwoskin Zhenghong Wang Princeton Architecture.

Architecture for Protecting Critical Secrets in Microprocessors Ruby Lee Peter Kwan Patrick McGregor Jeffrey Dwoskin Zhenghong Wang Princeton Architecture.

Similar presentations

Ads by Google