Presentation is loading. Please wait.

Presentation is loading. Please wait.

Malware Detection via Virtual Machine Monitoring Wenke Lee.

Published byTrista Raef Modified over 9 years ago

Similar presentations

Presentation on theme: "Malware Detection via Virtual Machine Monitoring Wenke Lee."— Presentation transcript:

1 Malware Detection via Virtual Machine Monitoring Wenke Lee

2 Host-Based Monitoring Monitor host activities to detect the presence of malware – Compromised applications, malware, etc. Run malware on host (a “controlled” environment”, e.g., a sandbox) to understand its behavior – Analyze malware runtime data to understand malicious activities, input conditions, etc. The host monitors and malware analyzers need to be tamper resistant and transparent to malware

3 Host-Based Monitoring (cont’d) Virtual machine provides the separation required for tamper resistance and transparency – Security VM monitors the application VMs – Challenges: timely and fine-grained Current research projects – Memory monitoring framework – Malware analysis tools/platform

4 Why Monitor Memory? The only reliable source on the current state of a computer system is memory Nearly endless data for security, forensics, etc – Running and (some) killed processes – Encryption keys and decrypted data – Network sockets and data – OS-level accounting information – User input (e.g., key strokes, mouse movement) – Screen captures and graphical elements – And much more!

5 Monitoring Memory on Production-Level Systems (1)Passive Monitoring: Viewing memory in A i from S without any timing synchronization between the two virtual machines (2)Active Monitoring: Viewing memory in A i from S with event notification being sent from A i to S to permit monitoring at relevant times (3)Locating Valuable Data: Applying models obtained from supervised learning to find critical data structures within the raw memory view (1)Passive Monitoring: Viewing memory in A i from S without any timing synchronization between the two virtual machines (2)Active Monitoring: Viewing memory in A i from S with event notification being sent from A i to S to permit monitoring at relevant times (3)Locating Valuable Data: Applying models obtained from supervised learning to find critical data structures within the raw memory view

6 Passive Monitoring Monitoring application periodically views memory from another virtual machine -- technique known as VM introspection Mapping “raw memory view” to virtual addresses and symbols requires the steps shown in figure below. Address and symbol mapping can be performed by a VM introspection library (e.g., XenAccess) Monitoring application periodically views memory from another virtual machine -- technique known as VM introspection Mapping “raw memory view” to virtual addresses and symbols requires the steps shown in figure below. Address and symbol mapping can be performed by a VM introspection library (e.g., XenAccess) BD Payne, M Carbone, and W Lee. Secure and Flexible Monitoring of Virtual Machines. In ACSAC 2007.

7 The XenAccess Library The only open source VM introspection library Access to virtual addresses, kernel symbols, and more Works with Xen and dd-style memory image files Released in Spring 2006 Maintained by GTISC to encourage more research http://www.xenaccess.org

8 Active Monitoring BD Payne, M Carbone, M Sharif, and W Lee. An Arch for Secure Active Monitoring Using Virtualization. In Oakland 2008. Monitoring application receives event notification from Guest VM when code execution reaches one of the hooks installed in the Guest VM kernel. Hooks and all associated code are protected from tampering using hypervisor-enforced memory protections (i.e., User VM can not modify these security-critical components). Hooks invoke trampoline, which transfers control to the security application. Monitoring application receives event notification from Guest VM when code execution reaches one of the hooks installed in the Guest VM kernel. Hooks and all associated code are protected from tampering using hypervisor-enforced memory protections (i.e., User VM can not modify these security-critical components). Hooks invoke trampoline, which transfers control to the security application.

9 Ether Use Intel VT hardware virtualization extensions to provide instruction execution on actual hardware Extend the Xen hypervisor to leverage Intel VT for malware analysis Provides for both instruction-by-instruction examination of malware, and also coarser grained system call-by-system call examination System Diagram:

10 Ether: Experiments We created two tools to test the Ether framework: – EtherUnpack: extracts hidden code from obfuscatd malware – EtherTrace: Records system calls executed by obfuscated malware We then compared both of these tools to current academic and industry approaches – EtherUnpack: we compared how well current tools extract hidden code by obfuscating a test binary and looking for a known string in the extracted code – EtherTrace: we obfuscated a test binary which executes a set of known operations, and then observe if they were logged by the tool

11 Ether: EtherUnpack Results Packing ToolPolyUnpackRenovoEtherUnpack Armadillono yes Aspacknoyes Asprotectyes FSGyes MEWyes MoleBoxnoyes Morphineyes Obsidiumno yes PECompactnoyes Themidanoyes Themida VMno yes UPXyes UPX Scrambledyes WinUPacknoyes Yoda’s Protectornoyes

12 Ether: EtherTrace Results Packing ToolNorman SandboxAnubisEtherTrace Noneyes Armadillono yes UPXyes Upackyes Themidayes PECompactyes ASPackyes FSGyes ASProtectyesnoyes WinUpackyes tElockyesnoyes PKLITE32yes Yoda’s Protectornoyes NsPackyes MEWyes nPackyes RLPackyes RCryptoryes

13 Thank You!

Download ppt "Malware Detection via Virtual Machine Monitoring Wenke Lee."

Similar presentations

CS533 Concepts of Operating Systems Class 14 Virtualization and Exokernels.

CS533 Concepts of Operating Systems Class 14 Virtualization and Exokernels.
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Efficient VM Introspection in KVM and Performance Comparison with Xen

Efficient VM Introspection in KVM and Performance Comparison with Xen
ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification Installation and Cloaking Detection Removal.

ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification Installation and Cloaking Detection Removal.
Fundamentals of Computer Security Geetika Sharma Fall 2008.

Fundamentals of Computer Security Geetika Sharma Fall 2008.
Towards Application Security On Untrusted OS

Towards Application Security On Untrusted OS
A. Frank - P. Weisberg Operating Systems Structure of Operating Systems.

A. Frank - P. Weisberg Operating Systems Structure of Operating Systems.
IBM Security Network Protection (XGS)

IBM Security Network Protection (XGS)
Virtualization for Cloud Computing

Virtualization for Cloud Computing
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
CSE598C Virtual Machines and Their Applications Operating System Support for Virtual Machines Coauthored by Samuel T. King, George W. Dunlap and Peter.

CSE598C Virtual Machines and Their Applications Operating System Support for Virtual Machines Coauthored by Samuel T. King, George W. Dunlap and Peter.
Tanenbaum 8.3 See references

Tanenbaum 8.3 See references
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Microkernels, virtualization, exokernels Tutorial 1 – CSC469.

Microkernels, virtualization, exokernels Tutorial 1 – CSC469.
What is FORENSICS? Why do we need Network Forensics?

What is FORENSICS? Why do we need Network Forensics?
Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using.

Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using.
Virtualization Concepts Presented by: Mariano Diaz.

Virtualization Concepts Presented by: Mariano Diaz.
Secure & flexible monitoring of virtual machine University of Mazandran Science & Tecnology By : Esmaill Khanlarpour January.

Secure & flexible monitoring of virtual machine University of Mazandran Science & Tecnology By : Esmaill Khanlarpour January.
Virtual Machine Security Systems Presented by Long Song 08/01/2013 Xin Zhao, Kevin Borders, Atul Prakash.

Virtual Machine Security Systems Presented by Long Song 08/01/2013 Xin Zhao, Kevin Borders, Atul Prakash.

Similar presentations

Ads by Google