Presentation is loading. Please wait.

Presentation is loading. Please wait.

SubVirt: Implementing malware with virtual machines

Published byMartha Perry Modified over 9 years ago

Similar presentations

Presentation on theme: "SubVirt: Implementing malware with virtual machines"— Presentation transcript:

1 SubVirt: Implementing malware with virtual machines
2006 IEEE Symposium on Security and Privacy (S&P) SubVirt: Implementing malware with virtual machines 14 pages, cited: 163 Samuel T. King, Peter M. Chen (University of Michigan) Yi-Min Wang, Chad Verbowski, Helen J. Wang, and Jacob R. Lorch (Microsoft Research) proof-of-concept By Mike Hsiao,

2 Outline Introduction Virtual machines
Virtual-machine based rootkit design and implementation Evaluation Defending against virtual-machine based rootkits Related work Conclusions

3 Introduction New type of malware
Virtual-machine based rootkit (VMBR) installs a VM monitor underneath an existing operating system and hoists the original operating system into a virtual machine. rootkit: tools used to hide malicious activities VMBR are hard to detect and remove because their state cannot be accessed by software running in the target system. Further, VMBRs support general-purpose malicious services by allowing such services to run in a separate operating system

4 Introduction (cont’d)
A major goal of malware writers is control. Controlling the system allows malware to remain invisible by lying to or disabling intrusion detection software. Lower layers can control upper layers. If the defender’s security service occupies a lower layer than the malware, then that security service should be able to detect, contain, and remove the malware. E.g., ps, kernel-level rootkit, check the integrity of the kernel ds, hide/check memory footprint,

5 Virtual machines A virtual-machine monitor (VMM) manages the resources of the underlying hardware and provides an abstraction of one or more virtual machines. Multiplexing computer’s hardware Isolate all resources of each virtual computer VM services are implemented outside the guest they are serving in order to avoid perturbing the guest.

6 Virtual machines (cont’d)
VM services debug operating systems and system configurations migrate live machines detect or prevent intrusions Software running outside of a VM views low-level VM state such as disk blocks, network packets, and memory. Software inside the VM interprets this state as high-level abstractions such as files, TCP connections, and variables. It is called the semantic gap. Virtual-machine introspection (VMI) [18, 27] describes techniques that enables a VM service to understand and modify states and events within the guest. [18] T. Garfinkel and M. Rosenblum, “A Virtual Machine Introspection Based Architecture for Intrusion Detection,” in proc. NDSS, 2003. [27] A. Joshi, S. T. King, G. W. Dunlap, and P. M. Chen, “Detecting past and present intrusions through vulnerability-specific predicates,” in proc. SOSP, 2005.

7 Virtual-machine based rootkit design and implementation
3.1 describes how a VMBR is installed on an existing system. 3.2 describes the techniques VMBRs use to implement malicious services, and 3.3 discusses the example malicious services we implemented. 3.4 explains how VMBRs maintain control over the system. They implemented two proof-of-concept VMBRs for the x86 platform using Virtual PC and VMware Workstation VMMs. The Virtual PC VMBR uses a minimized version of Windows XP for the host OS and the VMware VMBR uses Gentoo Linux. They modify the host Windows XP kernel, Virtual PC, and the host Linux kernel. (They don’t have VMware source code.)

8 Installation To insert itself beneath an existing system, a VMBR manipulate the system boot sequence to ensure that the VMBR loads before the target OS. After the VMBR loads, it boots the target OS using the VMM. As a result, the target OS runs normally, but the VMBR sits silently beneath it.

9 Installation (cont’d)
Master boot record Boot sector BIOS OS Original Boot sequence VMBR loads BIOS Master boot record Boot sector BIOS OS Modified Boot sequence

10 Installation (cont’d)
To install a VMBR on a computer, an attacker must first gain access to the system with sufficient privileges to modify the system boot sequence. exploit a remote vulnerability fool a user into installing malicious software bribe an OEM or vendor corrupt a bootable CDROM or DVD image on P2P Install the VMBR’s state on persistent storage unused blocks elsewhere on the disk (Windows) Disable swapping and use the swap partition (Linux)

11 Installation (cont’d)
Modify the system’s boot sequence to ensure our VMBR loads before the target OS modify the boot records on the primary hard disk But, anti-malware applications detect modifications to the hard disk’s boot blocks. But, the author manipulate the boot blocks during the final stages of shutdown (after most processes and kernel subsystems have exited). Windows XP: registers a LastChanceShutdown Notification event handler They use the low-level disk driver to copy our VMBR boot code (to bypass the file system layer). Linux: modify the boot sequence using user-mode code They modify the shutdown scripts so that our installation code runs after all processes have been killed but before the system shuts down.

12 Malicious services VMBRs use a separate attack OS to deploy malware that is invisible from the perspective of the target OS but is still easy to implement. Three categories (malicious services) those that need not interact with the target system at all E.g., spam relays, DDoS zombies, phishing web servers those that observe information about the target system VMBRs can use virtual-machine introspection to help observe and understand the software-level abstractions in the target OS and applications. Not affect the virtual devices presented to the target OS. E.g., VMBRs enable logging of hardware-level data (e.g., keystrokes, packets) E.g., if a target application uses an encrypted socket, attackers can use virtual-machine introspection to trap all SSL socket write calls and log the clear-text data before it is encrypted. those that intentionally perturb the execution of the target system The third class of malicious service deliberately modifies the execution of the target system. A VMBR can customize the VMM’s device emulation layer to modify hardware-level data.

13 Example malicious services
The author implemented a phishing web server, in another VM a keystroke logger, in the VMM keyboard control module a service that scans the target file system looking for sensitive files, and use VM introspection to scan the target OS’s file system to copy the password file a defense countermeasure that defeats a current virtual-machine detector. redpill [39] [39] J. Rutkowska. Red Pill... or how to detect VMM using (almost) one CPU instruction, 2005.

14 Maintaining control To avoid being removed, a VMBR must protect its state by maintaining control of the system. The only time the VMBR loses control of the system is in the period of time after the system powers up until the VMBR starts. The first code is BIOS. By restarting the virtual hardware, VMBRs provide the illusion of resetting the underlying physical hardware without relinquishing control. VMBRs can also emulate system shutdowns such that the system appears to shutdown, but the VMBR remains running on the system. We use ACPI sleep states to emulate system shutdowns and to avoid system power-downs. When the user “powers-up” the system by pressing the power button the VMBR resumes. (powers-off only suspends the VMBR)

15 Evaluation VMware-based VMBR Virtual PC-based VMBR
Run on a Dell Optiplex Workstation with a 2.8 GHz Pentium 4 and 1 GB of RAM compromises a RedHat Enterprise Linux 4 target system VMBR image 228/95 MB (un-/uncompressed) Virtual PC-based VMBR a Compaq Deskpro EN with a 1 GHz Pentium 4 and 256 MB of RAM compromises a Windows XP target system VMBR image 251/106 MB (un-/uncompressed)

16 Evaluation – installation/boot time (sec)
Actual memory usage is 3% for the extra VMM.

17 Defending against virtual-machine based rootkits
Security software below the VMBR Such detection software can read physical memory or disk and look for signatures or anomalies that indicate the presence of a VMBR. Other low-level techniques such as secure boot can ensure the integrity of the boot sequence and prevent a VMBR from gaining control before the target OS. Intel’s LaGrande [25], AMD’s platform for trustworthy computing [2], and Copilot [36]. Boot from a safe medium such as a CD-ROM, USB drive or network boot server Use a secure VMM [17] (Terra) does not by itself stop a VMBR, but does retain control over the system

18 Defending against virtual-machine based rootkits (cont’d)
Security software above the VMBR (CPU overhead) by comparing the running time of benchmarks against wall-clock time (memory and disk space) extra paging activity may increase the running time of the program (I/O devices) VMMs only emulate a small number of virtual devices (often with customized interfaces to improve performance) (x86 processor features) sidt

19 Related work Layer-below attacks
operating system kernel Using virtual machines to enhance security VMs to detect intrusions, analyze intrusions isolate services encrypt network traffic implement honeypots Detect the presence of VMMs Inserting new software layers into existing systems A key feature of all these applications is that they preserve compatibility with existing systems by not modifying interfaces of the existing layers. E.g., file system, firewall

20 Comments Considering the characteristics of VM in security issues.
VMM layer VM Image can be ”power on/off” Some people don’t like VM environment. How to detect that I’m in a VM? How do I know my host/VMM/VM/OS is secure? Can other vulnerable or hostile VM penetrate my VM? Auditing mechanisms (such as VMMs) are benefits or harms for me? Provide better visibility!

Download ppt "SubVirt: Implementing malware with virtual machines"

Similar presentations

Virtualization Dr. Michael L. Collard

Virtualization Dr. Michael L. Collard
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification Installation and Cloaking Detection Removal.

ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification Installation and Cloaking Detection Removal.
Virtual Machine Security Design of Secure Operating Systems Summer 2012 Presented By: Musaad Alzahrani.

Virtual Machine Security Design of Secure Operating Systems Summer 2012 Presented By: Musaad Alzahrani.
MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646) Chapter 11 Windows Server 2008 Virtualization.

MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646) Chapter 11 Windows Server 2008 Virtualization.
Presented by Boris Yurovitsky

Presented by Boris Yurovitsky
An Out-of-the-Box Approach to High Assurance Computer System Monitoring and Integrity Protection Cyber Defense Conference, Rome, NY, May 12-14, 2008 Assistant.

An Out-of-the-Box Approach to High Assurance Computer System Monitoring and Integrity Protection Cyber Defense Conference, Rome, NY, May 12-14, 2008 Assistant.
Towards Application Security On Untrusted OS

Towards Application Security On Untrusted OS
SubVirt: Implementing malware with virtual machines Yi-Min Wang Chad Verbowski Helen J. Wang Jacob R. Lorch Microsoft Research Samuel T. King Peter M.

SubVirt: Implementing malware with virtual machines Yi-Min Wang Chad Verbowski Helen J. Wang Jacob R. Lorch Microsoft Research Samuel T. King Peter M.
Virtualization for Cloud Computing

Virtualization for Cloud Computing
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Virtual Machine Monitors CSE451 Andrew Whitaker. Hardware Virtualization Running multiple operating systems on a single physical machine Examples:  VMWare,

Virtual Machine Monitors CSE451 Andrew Whitaker. Hardware Virtualization Running multiple operating systems on a single physical machine Examples:  VMWare,
Virtualization 101.

Virtualization 101.
Virtualization 101.

Virtualization 101.
© 2012 The McGraw-Hill Companies, Inc. All rights reserved. 1 Third Edition Chapter 3 Desktop Virtualization McGraw-Hill.

© 2012 The McGraw-Hill Companies, Inc. All rights reserved. 1 Third Edition Chapter 3 Desktop Virtualization McGraw-Hill.
CSE598C Virtual Machines and Their Applications Operating System Support for Virtual Machines Coauthored by Samuel T. King, George W. Dunlap and Peter.

CSE598C Virtual Machines and Their Applications Operating System Support for Virtual Machines Coauthored by Samuel T. King, George W. Dunlap and Peter.
Tanenbaum 8.3 See references

Tanenbaum 8.3 See references
Real Security for Server Virtualization Rajiv Motwani 2 nd October 2010.

Real Security for Server Virtualization Rajiv Motwani 2 nd October 2010.
About the Presentations The presentations cover the objectives found in the opening of each chapter. All chapter objectives are listed in the beginning.

About the Presentations The presentations cover the objectives found in the opening of each chapter. All chapter objectives are listed in the beginning.
Hands-On Microsoft Windows Server 2008

Hands-On Microsoft Windows Server 2008

Similar presentations

Ads by Google