Presentation is loading. Please wait.

Presentation is loading. Please wait.

Contents Introduction Available OSF Solutions for VM UFO Design Implementation Evaluation Discussion Conclusions References.

Published byEmery Randall Modified over 8 years ago

Similar presentations

Presentation on theme: "Contents Introduction Available OSF Solutions for VM UFO Design Implementation Evaluation Discussion Conclusions References."— Presentation transcript:

1

2 Contents Introduction Available OSF Solutions for VM UFO Design Implementation Evaluation Discussion Conclusions References

3 1. Introduction Operating System fingerprinting(OSF) is the process of identifying the OS variant and version OSF is helpful for the administrators to properly decide the security policy to protect their systems. memory analyzing can only be done when we know exactly the OS version of the OS inside the VM, because every OS variant, and also OS version, is very different in the internal structure

4 Unfortunately, available OSF approaches against VM have many problems. They fail badly against modern OS-es having none or minimal customization. some methods are not as fast as we would desire. some methods depend on the hypervisors, and can only recognize particular OS-es.

5 2. Available OSF Solutions for VM 1. Network-based OSF:-all the network-based OSF methods suffer some major problems. 2. They either rely on scanning open ports on the target, or on examining the replied packets. 3. network-based OSF is quite slow. 4. It is a trend that the administrators are more aware of OSF issue, and start to deploy antifinger OS solutions, such as ipmorph in their system to fool all the current network-based OSF methods

6 Memory Introspection(MI):- MI is the method of inspecting and analyzing the raw memory of the guest VM from the host VM, to understand the context and status of the guest. Inspecting File-system Content:- This approach is feasible because in principle, the host VM can access to the guest’s FS, and reads its content. This method is already used by a tool named virt-inspector. there are some significant problems with this approach. Firstly, if the guest uses an unknown FS, it is impossible for the host to mount its FS and access its content.

7 We desire a better OSF tool with the following six requirements. 1. It gives an accurate fingerprint result. 2. It does not depend on the compiler used to compile the OS. 3. It is more resilient against OS tweaking. 4. It is not easy to be fooled by currently available anti- OSF tools. 5. It is faster, and should not cause any negative impact on the guest performance. 6. It can work with all kind of hypervisors.

8 3. UFO Design Modern OSes mainly function in protected mode to take advantage of various features offered by Intel architecture. Intel Protected Mode:-Protected mode is an operational mode of Intel compatible CPU, allowing system software to utilize features not available in the obsolete real-mode, such as virtual memory, paging, etc.

9 OS Parameters:- an OS uses several facilities, making a set of OS parameters, defined as followings. Segment parameters:-segment parameters have the following three attributes: segment selector, segment base and segment limit, representing the selector, the base and the limit of the segment, respectively. Task Register parameter(TR):-it consists of the segment selector, and segment limit attributes, representing the selector and limit of the TSS segment, respectively. GDT parameter:-The GDT can be located by the its base and limit. IDT parameter:- IDT parameter has IDT limit as its only attribute. Feature parameters:-It has 64-bit,Fast-syscal, non- executable facility

10 UFO Fingerprinting Method:-To perform fingerprinting, we have to prepare signatures for all the OS-es we want to identify. Generate a signature for each OS, and put them into a database of signatures, called the signature database. Match each VM parameter against a corresponding parameter in the signature. for each segment parameter, the corresponding signature parameter is the segment parameter of the ring level that the VM segment parameter is functioning in. the fingerprinting process would return the exact OS as the result

11 Generate OS signatures:- A naive approach to gather all the possible parameters is to have a tool running in the host VM, and this tool periodically queries the targeted VM for its OS parameters. it is not guaranteed that such an external tool can collect all the possible values of all OS parameters. OS behaves in the same way under different hypervisors, our signatures are hypervisor independent, and can be reused by all the hypervisors

12 4. Implementation To generate the OS signatures, we have a tool named UFO-profiler. We implemented UFO-profiler based on the QEMU emulator. UFO-profiler instruments QEMU to record every time the related OS parameters change their values. OS is run in UFO-profiler, and the profiling process starts when the VM switches to protected mode, and ends when the VM shutdowns.

13 following Intel instructions are instrumented by UFO-profiler: mov, int, sysenter, sysexit,syscall, sysret, jmp far, call far, lds, les, lfs, lgs,lgdt, lidt, ltr, wrmsr, loadall, and iret. UFO-profiler must also instrument to monitor some low level activities that modifies OS parameters.

14 5. Evaluation Evaluation against various OS-es available shows that UFO is extremely fast. UFO identifies the OS variant with 100% accuracy. If it cannot give out the exact OS version, UFO can report a range of versions for the answer. In the case the UFO cannot identify the OS due to the missing signature, it can still give out the best match OSes, which have the highest score.

15 6. Discussion It handles the security threat as in cloud enviroment. we assume that the hypervisor is secure, and can not be breached from inside the guest VM. For the small modifications to the OS, UFO can still give a hint about the OS thanks to its fuzzy detection, which is close in many cases. The other problem is that UFO is not always able to give out the exact version of the OS.

16 7.Conclusions UFO is a novel method of fingerprinting OS running inside VM. designed specifically for VM environment, UFO can quickly identify the OS variants and OS versions with excellent accuracy.

17 8. Reference https://www.defcon.org/images/defcon-18/dc-18- presentations/Quynh/DEFCON-18-Quynh-OS- Fingerprinting-VM.pdf

18 Thank you

Download ppt "Contents Introduction Available OSF Solutions for VM UFO Design Implementation Evaluation Discussion Conclusions References."

Similar presentations

Configuration management

Configuration management
EUROSEC 2011 Gábor Pék, Boldizsár Bencsáth and Levente Buttyán Laboratory of Cryptography and Systems Security Budapest University of Technology and Economics.

EUROSEC 2011 Gábor Pék, Boldizsár Bencsáth and Levente Buttyán Laboratory of Cryptography and Systems Security Budapest University of Technology and Economics.
Attacks on Virtual Machine Emulators Peter Ferrie, Senior Principal Researcher 12 April, 2007.

Attacks on Virtual Machine Emulators Peter Ferrie, Senior Principal Researcher 12 April, 2007.
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Using VMX within Linux We explore the feasibility of executing ROM-BIOS code within the Linux x86_64 kernel.

Using VMX within Linux We explore the feasibility of executing ROM-BIOS code within the Linux x86_64 kernel.
Unit 4 Chapter-1 Multitasking. The Task State Segment.

Unit 4 Chapter-1 Multitasking. The Task State Segment.
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
Intel 80386 MP.

Intel MP.
Microprocessors system architectures – IA32 real and virtual-8086 mode Jakub Yaghob.

Microprocessors system architectures – IA32 real and virtual-8086 mode Jakub Yaghob.
Variability Oriented Programming – A programming abstraction for adaptive service orientation Prof. Umesh Bellur Dept. of Computer Science & Engg, IIT.

Variability Oriented Programming – A programming abstraction for adaptive service orientation Prof. Umesh Bellur Dept. of Computer Science & Engg, IIT.
The Future of Correct Software George Necula. 2 Software Correctness is Important ► Where there is software, there are bugs ► It is estimated that software.

The Future of Correct Software George Necula. 2 Software Correctness is Important ► Where there is software, there are bugs ► It is estimated that software.
Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.

Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.
Business Intelligence Michael Gross Tina Larsell Chad Anderson.

Business Intelligence Michael Gross Tina Larsell Chad Anderson.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 10 04/18/2011 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 10 04/18/2011 Security and Privacy in Cloud Computing.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Virtualization for Cloud Computing

Virtualization for Cloud Computing
LINUX Virtualization Running other code under LINUX.

LINUX Virtualization Running other code under LINUX.
Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?

Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?
UNIT 2 Memory Management Unit and Segment Description and Paging

UNIT 2 Memory Management Unit and Segment Description and Paging

Similar presentations

Ads by Google