National Institute of Advanced Industrial Science and Technology

Kernel Memory Protection by an Insertable Hypervisor
which has VM Introspection and Stealth Breakpoints

Kuniyasu Suzaki*, Toshiki Yagi*, Kazukuni Kobara*, Toshiaki Ishiyama‡
* National Institute of Advanced Industrial Science and Technology (AIST)
‡ FFRI, Inc., Japan

The 9th International Workshop on Security (IWSEC) at Hirosaki, Japan, 27 August 2014
Outline
• Motivation
• Requirements for our countermeasure
  – Insertable hypervisor
  – VM Introspection
  – Stealth Breakpoints
• Implementation
• Performance evaluation of the current prototype
• Related work
• Conclusion
Motivation 1/2
• Current device drivers are
  – Key components:
    • Device drivers bridge the logical space of the operating system and the physical space of devices.
  – Intelligent:
    • Device drivers are stackable and can add intelligent functions. These functions hold sensitive data (e.g., secret keys for disk encryption, passwords for authentication, access control tables).
Motivation 2/2
• Are device drivers safe?
  – Device drivers were thought to be safe because they run in privileged mode. However, as their importance has grown, device drivers have become a target of attacks, and vulnerabilities in them have been revealed.
  – Stuxnet [5] and Duqu [3] are well-known attacks that involve device drivers.
    • They were targeted attacks on industrial facilities such as nuclear and chemical plants.
  – If the targeted device driver runs in critical infrastructure, availability matters. Countermeasures must be applied without stopping the operating system.
Threat Model
• Two attack vectors
  – Attack on the device driver's code
    • Code injection attack
      – The aim is to take control and run malware.
    • Sabotage of infrastructure systems
      – Even if the attacker cannot gain full control, a failure (a Windows Blue Screen of Death) is enough, because the attacker's goal is to stop the system.
  – Attack on the device driver's sensitive data
    • Data falsification
      – Change the sensitive data and cause sabotage.
    • Information leakage
      – Steal sensitive data held in device drivers.
DriverGuard: a hypervisor which protects device drivers
• Access control (white-list approach)
  – Accesses to the code and sensitive data of device drivers are verified.
  – Legitimate accesses are allowed.
• Don't stop the OS. Stopping it is the attacker's purpose!
  – When a malicious access is detected, DriverGuard brings control to a low Interrupt ReQuest Level (IRQL) instead of letting the system crash.
• The target is a device driver on Windows 7 (32-bit).
  – Code region
    • A write access is hooked and brought to low IRQL.
  – Sensitive data region
    • All accesses are hooked. Access from the legitimate code region is allowed; access from outside the legitimate code region is brought to low IRQL.
Requirements for the Countermeasure
• Insertable hypervisor for an existing OS
  – Most systems use a preinstalled OS (Windows), especially Industrial Control Systems (ICS). Operators want to add security on top of it without reinstalling.
• VM Introspection
  – DriverGuard needs to recognize the memory map and behavior of the OS.
  – DriverGuard protects the code region using VM Introspection.
• Stealth Breakpoints
  – DriverGuard must hook and inspect accesses to sensitive data, but conventional breakpoints are not suitable for this.
Insertable Hypervisor
• Thin type-I (bare-metal) hypervisor
  – Para-passthrough architecture (BitVisor [VEE'09])
    • No device model. The guest OS accesses devices directly.
  – Small Trusted Computing Base (TCB)
    • Having no host OS keeps the TCB small.
• DriverGuard uses the chainload function of the GRUB boot loader.

[Figure: boot sequence on an existing system. BIOS → GRUB → DriverGuard (hypervisor, resides in memory) → back to GRUB → chainloader → NTLDR (Windows boot loader) → preinstalled Windows with its applications (user space). DriverGuard is inserted at boot time between the hardware and the unmodified preinstalled OS.]
VM Introspection
• DriverGuard must recognize the memory map and behavior of the guest OS, since it needs to know which memory regions hold code and sensitive data. This function is called "VM introspection".
  – Ether [CCS'08] on Xen; LibVMI on KVM, Xen, and QEMU.
  – Unfortunately, they require a host OS and a device model.
• DriverGuard uses GreenKiller [BlackHat'08].
  – GreenKiller has VM Introspection built on BitVisor. Unfortunately, GreenKiller was designed for Windows XP, which has no ASLR (Address Space Layout Randomization).
VM Introspection for ASLR
• ASLR (Address Space Layout Randomization)
  – It places the starting addresses of code and data at random, which defeats attacks that assume fixed addresses (e.g., classic buffer overflow exploits).
  – Some implementations of ASLR have little entropy and are vulnerable to brute-force attack [CCS'04].
• DriverGuard uses the same brute-force technique to locate the driver.
  – The search space is not wide: DriverGuard checks the header (44 bytes) at the start of each page of kernel space.
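The page-granular search described above, as an added example that is not DriverGuard's own code: it scans a simulated kernel range one 4 KB page at a time and compares a fixed number of header bytes at each page start. The header fingerprint, the 64-page range and the decoy page are constructed for the example; the 44-byte compare length comes from the slide. Scanning with only the two-byte signature hits the decoy first, which is why a longer header prefix is compared.

```c
/* Added example, not DriverGuard's own code: brute-force scan for a relocated
 * driver image. The scan mirrors the slide's idea of checking a fixed-length
 * header at the start of every 4 KB page of a simulated kernel range.
 * The header fingerprint bytes below are constructed for the example. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE   4096u
#define PAGE_COUNT  64u      /* simulated kernel range: 64 pages = 256 KB */
#define HEADER_LEN  44u      /* bytes compared per page, as in the slides */

/* Fingerprint of the driver image's first HEADER_LEN bytes. Constructed:
 * 'M','Z' as the DOS signature followed by a deterministic byte pattern. */
static void make_fingerprint(uint8_t fp[HEADER_LEN]) {
    fp[0] = 'M';
    fp[1] = 'Z';
    for (unsigned i = 2; i < HEADER_LEN; i++)
        fp[i] = (uint8_t)(0xA5 ^ (i * 7));
}

/* Compare the first cmp_len bytes of every page against the fingerprint.
 * Returns the page index of the first match, or -1 when nothing matches. */
long find_image_page(const uint8_t *mem, size_t len,
                     const uint8_t *fp, size_t cmp_len) {
    for (size_t off = 0; off + cmp_len <= len; off += PAGE_SIZE) {
        if (memcmp(mem + off, fp, cmp_len) == 0)
            return (long)(off / PAGE_SIZE);
    }
    return -1;
}

/* Build a zeroed range, put a decoy on page 3 that carries only the two
 * signature bytes, place the real header at placed_page (if in range), and
 * scan with cmp_len bytes. Shows why matching on 'MZ' alone is not enough. */
long aslr_scan_demo(unsigned placed_page, size_t cmp_len) {
    uint8_t fp[HEADER_LEN];
    uint8_t *mem = calloc(PAGE_COUNT, PAGE_SIZE);
    long found = -1;

    if (mem == NULL)
        return -2;
    make_fingerprint(fp);

    mem[3 * PAGE_SIZE + 0] = 'M';        /* decoy: signature only */
    mem[3 * PAGE_SIZE + 1] = 'Z';

    if (placed_page < PAGE_COUNT && placed_page != 3)
        memcpy(mem + (size_t)placed_page * PAGE_SIZE, fp, HEADER_LEN);

    found = find_image_page(mem, PAGE_COUNT * PAGE_SIZE, fp, cmp_len);
    free(mem);
    return found;
}
```

On a real 32-bit kernel half of the address space is 2 GB, i.e. 524,288 page starts, so the full scan is a few hundred thousand 44-byte compares: the small search space the slide refers to.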
VM Introspection of DriverGuard
① A boot parameter (the MD5 of the device driver) tells DriverGuard which driver to protect.
② The Windows kernel loads the driver (Driver A) through the kernel routine "IopLoadDriver", which is hooked by DriverGuard.
③ DriverGuard detects the sensitive data region: a tagged region allocated through the kernel API "ExAllocatePoolWithTag".
• Result in physical memory: all of Driver A's code section becomes write-protected, and the tagged data region becomes read/write-protected.
Protection mechanism
• Code region
  – Windows sets read-only protection on the code region.
  – When a write access is issued to the code region, it raises an exception that reaches the bug-check path (Bug Check Code) and leads to a Blue Screen of Death (BSoD).
  – DriverGuard hooks this exception handler and brings control to a low Interrupt ReQuest Level (IRQL) instead.
• Sensitive data region
  – Windows offers no protection mechanism for the data region.
  – The stealth breakpoint technique is used, because conventional breakpoint techniques are not adequate for our purpose.
Weak points of conventional breakpoints
• Breakpoints are used to hook accesses, but conventional breakpoints are not sufficient for our purpose.
  – Software breakpoint
    • It replaces a target instruction with a software-fault instruction (INT 3 on x86) and causes a software fault.
    • Unfortunately, it cannot be used for data, because it fires only when the replaced instruction is executed.
  – Hardware breakpoint
    • It sets an address that causes a debug exception. It can be used for data.
    • Unfortunately, the number of hardware breakpoints is limited, because it uses the x86 debug registers (four address registers, DR0 to DR3).
Stealth Breakpoints [ACSAC'05]
• Stealth Breakpoints were developed to analyze malware.
  – Malware detects conventional breakpoints and changes its behavior.
• Stealth Breakpoints manipulate the page table entry (PTE) and cause a page fault when an access reaches the breakpoint.
  – Pros
    • No limit on the number of breakpoints
    • They work on both code and data regions
  – Cons
    • The unit is a page (4 KB)
    • Slower than a software fault
Mechanism of Stealth Breakpoints
• The P-bit (Present bit) of the PTE, normally used for swap-out, is used.

[Figure: two page tables reached from CR3 (Process A, normal; Process B, malicious), each mapping virtual pages 0x88001000, 0x88002000, 0x88003000 to physical frames 0x41101000, 0x41102000, 0x41103000.
① DriverGuard sets the P-bit of the PTE for the protected page to 0.
② A legitimate access from Process A causes a page fault; ③ DriverGuard identifies the faulting code as legitimate and allows the access.
②' A malicious access from Process B causes the same page fault; ③' DriverGuard identifies the faulting code as non-legitimate and denies the access.]
Behavior of DriverGuard with Stealth Breakpoints
An access is issued by the driver (VMX non-root). The page table acts as the gate; DriverGuard runs in VMX root.
① A page fault occurs and traps into DriverGuard, which investigates the access.
   – Non-legitimate access: control is brought to a low IRQL handler; the access is not performed.
   – Legitimate access: continue with ②.
② Set a hardware breakpoint on the next instruction.
③ Enable the PTE (set the P-bit of the page table entry to 1). Return to the guest; the access is allowed and the faulting instruction re-executes.
④ The next instruction triggers the hardware breakpoint and traps into DriverGuard.
⑤ Clear the hardware breakpoint.
⑥ Disable the PTE (set the P-bit of the page table entry to 0). Return to the guest; the next instruction is executed.
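The mechanism and behavior slides above, as an added example that is not DriverGuard's own code: a model of the stealth-breakpoint check on one 4 KB page of sensitive driver data, covering the P-bit arming, the whitelist decision at page-fault time, and the hardware-breakpoint re-arm on the next instruction. Page-table, VMX and debug-register effects are simulated with plain data; the whitelist range (Driver A's code at 0x88001000 to 0x88003000), the physical frame 0x41103000, the attacker address and the instruction lengths are constructed for the example.

```c
/* Added example, not DriverGuard's own code: a model of the stealth-breakpoint
 * access check on one 4 KB page of sensitive driver data. Page-table, VMX and
 * debug-register effects are simulated with plain data; the whitelist range,
 * addresses and instruction lengths are constructed for the example. */
#include <stdbool.h>
#include <stdint.h>

#define PTE_P 0x1u   /* Present bit of a 32-bit x86 PTE (bit 0) */

enum verdict { ACCESS_DENIED = 0, ACCESS_ALLOWED = 1 };

typedef struct {
    uint32_t *sensitive_pte;   /* PTE mapping the tagged data page */
    uint32_t code_start;       /* white-listed code range: Driver A's code */
    uint32_t code_end;
    bool     hwbp_armed;       /* hardware breakpoint set on next instruction */
    uint32_t hwbp_addr;
    unsigned allowed, denied;
} driverguard;

/* ① Arm the stealth breakpoint: clear P so any access to the page faults. */
void dg_arm(driverguard *dg) { *dg->sensitive_pte &= ~PTE_P; }

/* Page-fault trap into DriverGuard: decide by the faulting instruction. */
enum verdict dg_on_page_fault(driverguard *dg, uint32_t eip, uint32_t next_eip) {
    if (eip >= dg->code_start && eip < dg->code_end) {
        dg->hwbp_armed = true;               /* ② HW breakpoint on next insn */
        dg->hwbp_addr  = next_eip;
        *dg->sensitive_pte |= PTE_P;         /* ③ enable PTE, let access retry */
        dg->allowed++;
        return ACCESS_ALLOWED;
    }
    dg->denied++;               /* real DriverGuard lowers IRQL instead of BSoD */
    return ACCESS_DENIED;
}

/* ④ Hardware-breakpoint trap on the next instruction: re-arm the page. */
void dg_on_hw_breakpoint(driverguard *dg, uint32_t eip) {
    if (dg->hwbp_armed && eip == dg->hwbp_addr) {
        dg->hwbp_armed = false;              /* ⑤ clear HW breakpoint */
        *dg->sensitive_pte &= ~PTE_P;        /* ⑥ disable PTE again */
    }
}

/* One guest memory access to the protected page from the instruction at eip. */
enum verdict guest_access(driverguard *dg, uint32_t eip, uint32_t insn_len) {
    if (*dg->sensitive_pte & PTE_P)          /* page present: no trap at all */
        return ACCESS_ALLOWED;
    enum verdict v = dg_on_page_fault(dg, eip, eip + insn_len);
    if (v == ACCESS_ALLOWED)                 /* retry succeeds, next insn traps */
        dg_on_hw_breakpoint(dg, eip + insn_len);
    return v;
}

/* Fresh guard, one access from eip: returns the verdict as an int. */
int single_access_verdict(uint32_t eip) {
    uint32_t pte = 0x41103000u | PTE_P;                /* frame | P */
    driverguard dg = { &pte, 0x88001000u, 0x88003000u, false, 0, 0, 0 };
    dg_arm(&dg);
    return (int)guest_access(&dg, eip, 6);
}

/* Scenario: legitimate access, then an attacker access from outside the driver.
 * Returns 0 on success, otherwise the number of the first failed check. */
int stealth_bp_scenario(void) {
    uint32_t pte = 0x41103000u | PTE_P;
    driverguard dg = { &pte, 0x88001000u, 0x88003000u, false, 0, 0, 0 };

    dg_arm(&dg);
    if (pte & PTE_P) return 1;                         /* armed: P must be 0 */
    if (guest_access(&dg, 0x88001010u, 6) != ACCESS_ALLOWED) return 2;
    if (pte & PTE_P) return 3;                         /* re-armed after ⑥ */
    if (guest_access(&dg, 0x90400000u, 6) != ACCESS_DENIED) return 4;
    if (pte & PTE_P) return 5;                         /* still armed */
    if (dg.allowed != 1 || dg.denied != 1) return 6;
    return 0;
}
```

The check in `stealth_bp_scenario` that P is 0 again after the legitimate access is the part that matters operationally: without the hardware-breakpoint step the page would stay present after the first allowed access and every later access, including the attacker's, would go unhooked.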
Implementation of DriverGuard
• DriverGuard is based on BitVisor [VEE'09].
• The target is Windows 7 (32-bit).
  – Limitations
    • Only 4 KB pages are handled; PSE (Page Size Extension, large pages) is not supported.
    • Hibernation is not handled.
  – The device driver is loaded through IopLoadDriver.
  – Sensitive data is allocated as tagged memory (via ExAllocatePoolWithTag).
• Evaluation platform: Core2 Duo E6850 (3 GHz)
  – DriverGuard uses 170 MB of memory.
    • This memory is taken from what is available to Windows 7.
Overhead on Core2 Duo
• The overhead was measured inside DriverGuard.
  – The first trap into DriverGuard and the last return to the guest were not measured, because timing is taken inside DriverGuard.
  – A VM exit/entry pair costs thousands of CPU cycles on a Core2 Duo.

[Figure: timeline of one access to sensitive data, measured from the first trap into DriverGuard. ① page fault, ② set hardware breakpoint, ③ enable PTE: 5 usec at the return to the guest. Guest access to sensitive data. ④ trap on hardware breakpoint at 18 usec, ⑤ clear hardware breakpoint, ⑥ disable PTE: 22 usec at the final return to the guest.]
Overhead on Core2 Duo
• The overhead caused by DriverGuard itself was 9 usec, while the VM exit and VM entry used 13 usec.
• Most of the time was spent in the VM exit and VM entry.

[Figure: same timeline annotated. 0 to 5 usec: DriverGuard (①②③). 5 to 18 usec: the VM transitions plus the guest's access to sensitive data (13 usec). 18 to 22 usec: DriverGuard (④⑤⑥, 4 usec). Total time in DriverGuard: 5 + 4 = 9 usec.]
Overhead
• The overhead is heavy for an access to ordinary memory.
• The overhead is acceptable for sensitive data that is used only a few times, for example during authentication.
• The cost of VM entry/exit is lower on current CPUs.
  – The prototype was measured on a Core2 Duo.
Related Work
• Hypervisors which protect the kernel and device drivers
  – SecVisor [SOSP'07]
    • It requires additional hypercalls.
  – HUKO [NDSS'11]
    • It is designed to protect the kernel from untrusted device drivers.
• Taint tracking is useful to prevent information leakage.
  – Some hypervisors have taint tracking
    • TTAnalyze [EICAR'06], TEMU [ICISS'08], V2E [VEE'12]
  – They are slow, because they must track the target data all the time.
Conclusion
• We propose a thin hypervisor, "DriverGuard", which protects device driver memory.
  – DriverGuard uses the techniques of VM Introspection and Stealth Breakpoints.
  – It protects the code and sensitive data regions of a device driver.
  – It does not stop the guest OS, so that it can be used in infrastructure systems.

Acknowledgement
This work was in part supported by the Strategic Information and Communications R&D Promotion Programme (SCOPE) of the Ministry of Internal Affairs and Communications, Japan.

EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...
EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...
EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...Kuniyasu Suzaki
 
ACM SOSP11 & SOCC11 & PLOS11 Report
ACM SOSP11 & SOCC11 & PLOS11 ReportACM SOSP11 & SOCC11 & PLOS11 Report
ACM SOSP11 & SOCC11 & PLOS11 ReportKuniyasu Suzaki
 
私立大学情報教育協会大学 情報セキュリティ研究講習会
私立大学情報教育協会大学 情報セキュリティ研究講習会私立大学情報教育協会大学 情報セキュリティ研究講習会
私立大学情報教育協会大学 情報セキュリティ研究講習会Kuniyasu Suzaki
 
Linux Symposium 2011 "Analysis of Disk Access Patterns on File Systems for Co...
Linux Symposium 2011 "Analysis of Disk Access Patterns on File Systems for Co...Linux Symposium 2011 "Analysis of Disk Access Patterns on File Systems for Co...
Linux Symposium 2011 "Analysis of Disk Access Patterns on File Systems for Co...Kuniyasu Suzaki
 
EuroSec2011 Slide "Memory Deduplication as a Threat to the Guest OS" by Kuniy...
EuroSec2011 Slide "Memory Deduplication as a Threat to the Guest OS" by Kuniy...EuroSec2011 Slide "Memory Deduplication as a Threat to the Guest OS" by Kuniy...
EuroSec2011 Slide "Memory Deduplication as a Threat to the Guest OS" by Kuniy...Kuniyasu Suzaki
 
ASPLOS2011 workshop RESoLVE "Effect of Disk Prefetching of Guest OS "
ASPLOS2011 workshop RESoLVE "Effect of Disk Prefetching of Guest OS "ASPLOS2011 workshop RESoLVE "Effect of Disk Prefetching of Guest OS "
ASPLOS2011 workshop RESoLVE "Effect of Disk Prefetching of Guest OS "Kuniyasu Suzaki
 

Mehr von Kuniyasu Suzaki (20)

RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)
RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)
RISC-Vのセキュリティ技術(TEE, Root of Trust, Remote Attestation)
 
遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)
遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)
遠隔デバイスとの信頼を築くための技術とその標準(TEEP RATS)
 
IETF111 RATS: Remote Attestation ProcedureS 報告
IETF111 RATS: Remote Attestation ProcedureS 報告IETF111 RATS: Remote Attestation ProcedureS 報告
IETF111 RATS: Remote Attestation ProcedureS 報告
 
Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)
Slide presented at FIT 2021 Top Conference  (Reboot Oriented IoT, ACSAC2021)Slide presented at FIT 2021 Top Conference  (Reboot Oriented IoT, ACSAC2021)
Slide presented at FIT 2021 Top Conference (Reboot Oriented IoT, ACSAC2021)
 
ACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki
ACSAC2020 "Return-Oriented IoT" by Kuniyasu SuzakiACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki
ACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki
 
TEE (Trusted Execution Environment)は第二の仮想化技術になるか?
TEE (Trusted Execution Environment)は第二の仮想化技術になるか?TEE (Trusted Execution Environment)は第二の仮想化技術になるか?
TEE (Trusted Execution Environment)は第二の仮想化技術になるか?
 
3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)
3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)
3種類のTEE比較(Intel SGX, ARM TrustZone, RISC-V Keystone)
 
BMC: Bare Metal Container @Open Source Summit Japan 2017
BMC: Bare Metal Container @Open Source Summit Japan 2017BMC: Bare Metal Container @Open Source Summit Japan 2017
BMC: Bare Metal Container @Open Source Summit Japan 2017
 
USENIX NSDI17 Memory Disaggregation
USENIX NSDI17 Memory DisaggregationUSENIX NSDI17 Memory Disaggregation
USENIX NSDI17 Memory Disaggregation
 
OSセキュリティチュートリアル
OSセキュリティチュートリアルOSセキュリティチュートリアル
OSセキュリティチュートリアル
 
Bitvisorをベースとした既存Windowsのドライバメモリ保護
Bitvisorをベースとした既存Windowsのドライバメモリ保護Bitvisorをベースとした既存Windowsのドライバメモリ保護
Bitvisorをベースとした既存Windowsのドライバメモリ保護
 
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
 
仮想化技術によるマルウェア対策とその問題点
仮想化技術によるマルウェア対策とその問題点仮想化技術によるマルウェア対策とその問題点
仮想化技術によるマルウェア対策とその問題点
 
Technology Used in Virtual Machine (Jan 2008)
Technology Used in Virtual Machine (Jan 2008)Technology Used in Virtual Machine (Jan 2008)
Technology Used in Virtual Machine (Jan 2008)
 
EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...
EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...
EuroSec2012 "Effects of Memory Randomization, Sanitization and Page Cache on ...
 
ACM SOSP11 & SOCC11 & PLOS11 Report
ACM SOSP11 & SOCC11 & PLOS11 ReportACM SOSP11 & SOCC11 & PLOS11 Report
ACM SOSP11 & SOCC11 & PLOS11 Report
 
私立大学情報教育協会大学 情報セキュリティ研究講習会
私立大学情報教育協会大学 情報セキュリティ研究講習会私立大学情報教育協会大学 情報セキュリティ研究講習会
私立大学情報教育協会大学 情報セキュリティ研究講習会
 
Linux Symposium 2011 "Analysis of Disk Access Patterns on File Systems for Co...
Linux Symposium 2011 "Analysis of Disk Access Patterns on File Systems for Co...Linux Symposium 2011 "Analysis of Disk Access Patterns on File Systems for Co...
Linux Symposium 2011 "Analysis of Disk Access Patterns on File Systems for Co...
 
EuroSec2011 Slide "Memory Deduplication as a Threat to the Guest OS" by Kuniy...
EuroSec2011 Slide "Memory Deduplication as a Threat to the Guest OS" by Kuniy...EuroSec2011 Slide "Memory Deduplication as a Threat to the Guest OS" by Kuniy...
EuroSec2011 Slide "Memory Deduplication as a Threat to the Guest OS" by Kuniy...
 
ASPLOS2011 workshop RESoLVE "Effect of Disk Prefetching of Guest OS "
ASPLOS2011 workshop RESoLVE "Effect of Disk Prefetching of Guest OS "ASPLOS2011 workshop RESoLVE "Effect of Disk Prefetching of Guest OS "
ASPLOS2011 workshop RESoLVE "Effect of Disk Prefetching of Guest OS "
 

Kürzlich hochgeladen

IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeNeo4j
 
eAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionseAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionsNirav Modi
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyRaymond Okyere-Forson
 
Streamlining Your Application Builds with Cloud Native Buildpacks
Streamlining Your Application Builds  with Cloud Native BuildpacksStreamlining Your Application Builds  with Cloud Native Buildpacks
Streamlining Your Application Builds with Cloud Native BuildpacksVish Abrams
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmonyelliciumsolutionspun
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024Mind IT Systems
 
ERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxAutus Cyber Tech
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLAlluxio, Inc.
 
Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilVICTOR MAESTRE RAMIREZ
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesSoftwareMill
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorShane Coughlan
 
Fields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxFields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxJoão Esperancinha
 
Enterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze IncEnterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze Incrobinwilliams8624
 
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.Sharon Liu
 
Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntelliSource Technologies
 
Webinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptWebinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptkinjal48
 
JS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIJS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIIvo Andreev
 
Watermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesWatermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesShyamsundar Das
 
online pdf editor software solutions.pdf
online pdf editor software solutions.pdfonline pdf editor software solutions.pdf
online pdf editor software solutions.pdfMeon Technology
 
Deep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampDeep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampVICTOR MAESTRE RAMIREZ
 

Kürzlich hochgeladen (20)

IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG time
 
eAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionseAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspections
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human Beauty
 
Streamlining Your Application Builds with Cloud Native Buildpacks
Streamlining Your Application Builds  with Cloud Native BuildpacksStreamlining Your Application Builds  with Cloud Native Buildpacks
Streamlining Your Application Builds with Cloud Native Buildpacks
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024
 
ERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptx
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
 
Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-Council
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retries
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS Calculator
 
Fields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxFields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptx
 
Enterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze IncEnterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze Inc
 
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
 
Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptx
 
Webinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptWebinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.ppt
 
JS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIJS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AI
 
Watermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesWatermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security Challenges
 
online pdf editor software solutions.pdf
online pdf editor software solutions.pdfonline pdf editor software solutions.pdf
online pdf editor software solutions.pdf
 
Deep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampDeep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - Datacamp
 

Kernel Memory Protection by an Insertable Hypervisor which has VM Introspection and Stealth Breakpoints (IWSEC2014)

• 1. National Institute of Advanced Industrial Science and Technology
  Kernel Memory Protection by an Insertable Hypervisor which has VM Introspection and Stealth Breakpoints
  Kuniyasu Suzaki*, Toshiki Yagi*, Kazukuni Kobara*, Toshiaki Ishiyama‡
  * National Institute of Advanced Industrial Science and Technology (AIST)
  ‡ FFRI, Inc., Japan
  The 9th International Workshop on Security (IWSEC) at Hirosaki, Japan, 27/August/2014
• 2. Outline
  • Motivation
  • Requirements for our countermeasure
    – Insertable hypervisor
    – VM Introspection
    – Stealth Breakpoints
  • Implementation
  • Performance evaluation of current prototype
  • Related works
  • Conclusion
• 3. Motivation 1/2
  • Current Device Drivers are
    – Key components:
      • Device Drivers bridge between logical space of operating system and physical space of devices.
    – Intelligent:
      • Device Drivers are stackable and can add intelligent functions. The intelligent functions include sensitive data (e.g., secret keys for disk encryption, passwords for authentication, tables of access control, etc).
• 4. Motivation 2/2
  • Are Device Drivers safe?
    – Device Drivers were thought to be safe since they run in privilege mode. However, device drivers become a target of attacks as the importance is increased, and vulnerabilities are revealed.
    – Stuxnet[5] and Duqu[3] are famous attacks for device drivers.
      • They are targeted attacks on nuclear reactor, chemical plant, etc.
    – If target device driver works on a critical infrastructure, the availability is important. The countermeasures must be taken without stopping the operating system.
• 5. Threat Model
  • 2 attack vectors
    – Attack on device driver's code
      • Code injection attack
        – The aim is to take control and run malware.
      • Sabotage on infrastructure systems
        – Even if the attack cannot get the full control, failure (Blue Screen of Death of Windows) is enough because the attacker wants to stop the system.
    – Attack on device driver's sensitive data
      • Data Falsification
        – Change the sensitive data and cause sabotage.
      • Information leakage
        – Steal sensitive data in device drivers.
• 6. DriverGuard: hypervisor which protects device drivers
  • Access Control (white list approach)
    – Accesses to code and sensitive data of device drivers are verified.
    – Legitimate accesses are allowed.
  • Don't stop the OS. It's the attacker's purpose!
    – When a malicious access is detected, DriverGuard brings the control to low Interrupt ReQuest Level (IRQL).
  • Target is device driver on Windows 7 32bit
    – Code region
      • A write access is hooked and brought to IRQL.
    – Sensitive data region
      • All accesses are hooked. Access from legitimate code region is allowed, but access from non-legitimate code region is brought to IRQL.
• 7. Requirements for Countermeasure
  • Insertable hypervisor to an existing OS
    – Most systems use preinstalled OS (Windows), especially Industrial Control Systems (ICS). They want to add on security.
  • VM Introspection
    – DriverGuard needs to recognize memory map and behavior of OS.
    – DriverGuard protects code region using VM Introspection.
  • Stealth Breakpoints
    – DriverGuard must hook and investigate accesses to sensitive data, but current breakpoint is not suitable.
• 8. Insertable Hypervisor
  • Thin type-I (bare-metal) hypervisor
    – Para-passthrough architecture (BitVisor[VEE'09])
      • No Device Model. Guest OS can access devices directly.
    – Small Trusted Computing Base (TCB)
      • No HostOS makes small TCB.
  • DriverGuard uses Chainload function of GRUB boot-loader.
  [Figure: boot sequence. Existing system: BIOS → NTLDR (Windows Bootloader) → Windows → Applications (User Space), all on Hardware. With DriverGuard: BIOS → GRUB → DriverGuard (hypervisor, inserted at boot time, resides in memory) → chain loader goes back to GRUB → NTLDR → Preinstalled OS.]
• 9. VM Introspection
  • DriverGuard must recognize the memory map and behavior of the guest OS since it needs to know memory regions for code and sensitive data. The function is called "VM introspection".
    – Ether[CCS'08] on Xen, LibVM on KVM, Xen, and QEMU.
    – Unfortunately, they require Host OS and Device Model.
  • DriverGuard uses GreenKiller [BlackHat'08]
    – GreenKiller has VM Introspection which is built on BitVisor. Unfortunately, GreenKiller is designed for Windows XP which has no ASLR (Address Space Layout Randomization).
• 10. VM Introspection for ASLR
  • ASLR (Address Space Layout Randomization)
    – It allocates the starting address of code and data at random and prevents attacks which assume fixed address (e.g., buffer overflow attack).
    – Some implementations of ASLR have little entropy and are vulnerable for Brute Force Attack [CCS'04].
  • DriverGuard uses the technique of brute force attack
    – The search space is not wide. DriverGuard checks the header (44 bytes) of each page of kernel space.
• 11. VM Introspection of DriverGuard
  [Figure: ① Boot parameter (MD5 of device driver) tells DriverGuard which driver to protect. ② System call "IopLoadDriver": Windows kernel loads a driver (Driver A, protected); the call is hooked by DriverGuard and all code sections become write-protected. ③ Detect Sensitive Data Region: a tagged region allocated by system call "ExAllocatePoolWithTag" becomes read/write-protected. Physical Memory: Driver A Code (Write Protect), Driver A Data / tagged data region (Read/Write Protect).]
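The bounded search that slides 10 and 11 describe, as an added C example that is not part of the original presentation and not DriverGuard's or BitVisor's code: a kernel-space snapshot is walked one page at a time and only the first 44 bytes of each page are compared against the header of the driver to protect, so the search cost is the number of kernel pages rather than the number of bytes. The snapshot contents, the 44-byte header pattern and the page where the image is planted are all constructed for this demo; the slides do not say what the 44 bytes contain, and the real identification comes from the boot parameter (MD5 of the driver).

```c
/* Added example (not DriverGuard's own code): page-granular search for a
 * driver image in a kernel-space snapshot, the bounded "brute force" that
 * DriverGuard's VM introspection uses to cope with ASLR. Snapshot contents,
 * header bytes and the planted base page are constructed for this demo. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PAGE_SIZE    4096u
#define HEADER_LEN   44u
#define KERNEL_PAGES 64u     /* constructed kernel-space snapshot: 256 KB */

/* Static so the 256 KB snapshot does not live on the stack. */
static uint8_t kernel_snapshot[KERNEL_PAGES * PAGE_SIZE];

typedef struct {
    long     page_index;     /* page where the header matched, or -1 */
    unsigned pages_checked;  /* how many page headers were compared */
} scan_result_t;

/* Compare the first HEADER_LEN bytes of every page against the expected
 * header. Image bases are page-aligned, so one compare per page suffices:
 * the search space is the number of kernel pages, not of bytes. */
scan_result_t find_driver_page(const uint8_t *kernel, size_t kernel_len,
                               const uint8_t expected[HEADER_LEN])
{
    scan_result_t r = { -1, 0 };
    for (size_t off = 0; off + HEADER_LEN <= kernel_len; off += PAGE_SIZE) {
        r.pages_checked++;
        if (memcmp(kernel + off, expected, HEADER_LEN) == 0) {
            r.page_index = (long)(off / PAGE_SIZE);
            break;
        }
    }
    return r;
}

/* Constructed 44-byte header of the driver to protect. In DriverGuard the
 * driver is identified by a boot parameter (MD5 of the image); here the
 * bytes are just a fixed pattern (assumption for the demo). */
static void make_expected_header(uint8_t out[HEADER_LEN])
{
    for (unsigned i = 0; i < HEADER_LEN; i++)
        out[i] = (uint8_t)(0xA5 ^ (i * 7));
}

/* Fill the snapshot with deterministic noise and plant the driver header at
 * `base_page`, standing in for the base address ASLR picked at boot. A
 * base_page outside the snapshot means "driver not loaded". */
static void build_snapshot(unsigned base_page)
{
    uint32_t x = 0x12345678u;                     /* LCG, reproducible */
    for (size_t i = 0; i < sizeof kernel_snapshot; i++) {
        x = x * 1664525u + 1013904223u;
        kernel_snapshot[i] = (uint8_t)(x >> 24);
    }
    if (base_page < KERNEL_PAGES) {
        uint8_t hdr[HEADER_LEN];
        make_expected_header(hdr);
        memcpy(kernel_snapshot + (size_t)base_page * PAGE_SIZE, hdr, HEADER_LEN);
    }
}

/* Whole demo: build a snapshot with the driver at `base_page` and locate it.
 * Returns the page found (-1 if absent) and the number of pages examined. */
scan_result_t demo_locate_driver(unsigned base_page)
{
    uint8_t hdr[HEADER_LEN];
    build_snapshot(base_page);
    make_expected_header(hdr);
    return find_driver_page(kernel_snapshot, sizeof kernel_snapshot, hdr);
}
```

The per-page compare is what keeps the search small: a 64-page snapshot costs at most 64 memcmp calls of 44 bytes, and the scan stops at the first match. If the image were not page-aligned the same loop would have to step byte-wise, which is the wide search space the slide says DriverGuard avoids.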
• 12. Protection mechanism
  • Code region
    – Windows sets Read-Only protection on code region.
    – When a write access is issued to the code region, it causes exception handler (Bug Check Code) which leads to Blue Screen of Death (BSoD).
    – DriverGuard hooks the exception handler and brings the control to low Interrupt ReQuest Level (IRQL).
  • Sensitive data region
    – Windows offers no protection mechanism on data region.
    – The technique of Stealth breakpoints is used, because current breakpoint technique is not adequate for our purpose.
• 13. Weak points on current breakpoints
  • Breakpoint technique is used to hook accesses, but current Breakpoint is not enough for our purpose.
    – Software breakpoint
      • It replaces a target instruction with software fault instruction (INT 3 on X86) and causes software fault.
      • Unfortunately, it is not used for data because it must execute software fault.
    – Hardware breakpoint
      • It sets an address to cause interrupt. It can be used for data.
      • Unfortunately, the number of hardware breakpoints is limited because it uses debug register on X86.
• 14. Stealth breakpoints [ACSAC'05]
  • Stealth Breakpoints is developed to analyze malware.
    – Because malware detects current breakpoints and changes its behavior.
  • Stealth Breakpoints manipulates page table entry (PTE) and causes page fault, when an access comes to the break point.
    – Pros
      • No limit of the number
      • It can treat code and data regions
    – Cons
      • The unit is page (4KB)
      • Slower than software fault
• 15. Mechanism of Stealth Breakpoints
  • P-bit (Persistent-bit) for swap out is used.
  [Figure: Process A (Normal) and Process B (Malicious) each have CR3 → Page Table Directory mapping virtual pages 0x88001000, 0x88002000, 0x88003000 to physical pages 0x41101000, 0x41102000, 0x41103000. ① DriverGuard sets the P-bit (Persistent bit) to 0. ② Legitimate access from Process A → ③ the page fault from legitimate code is allowed. ②' Malicious access from Process B → ③' the page fault from non-legitimate code is denied by DriverGuard.]
• 16. Behavior of DriverGuard with Stealth Breakpoints
  [Figure: flow between VMX non-root (Driver) and VMX root (DriverGuard), separated by the "Gate of Page Table".]
  An access is issued.
  ① Page fault occurred. VMEnter to DriverGuard. DriverGuard investigates the access: if non-legitimate, control goes to infinite IRQL; if legitimate, continue.
  ② Set hardware breakpoint (the next instruction is set).
  ③ Enable PTE (set 1 on P-bit of Page Table Entry). VMExit from DriverGuard. The access is allowed.
  ④ The next instruction causes the hardware breakpoint. Trap hardware breakpoint. VMEnter to DriverGuard.
  ⑤ Clear hardware breakpoint.
  ⑥ Disable PTE (set 0 on P-bit of Page Table Entry). VMExit from DriverGuard. The next instruction is executed.
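The access-control decision of slides 6, 12, 15 and 16, as an added C model that is not part of the original presentation and not DriverGuard's code: the protected data page's PTE is kept not-present, the page fault handler applies the white list (is the faulting instruction inside the protected driver's code region?), a legitimate access re-enables the PTE and arms one hardware breakpoint on the next instruction so the hypervisor regains control and re-arms the stealth breakpoint, and a non-legitimate access or a write into the code region is turned into a low-IRQL diversion instead of a crash. Addresses, region bounds, the one-bit PTE and the single breakpoint slot are constructed for the demo; the real system toggles the P-bit in the guest's page tables and uses an x86 debug register inside BitVisor.

```c
/* Added example (not DriverGuard's own code): a model of the check that
 * DriverGuard performs when a stealth breakpoint fires. Pages, PTEs, regions
 * and addresses are constructed; the real implementation works on real page
 * tables and x86 debug registers inside BitVisor. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

#define PAGE_SHIFT 12
#define PAGE_OF(a) ((a) >> PAGE_SHIFT)

enum verdict { NOT_GUARDED, ALLOWED, DENIED_LOW_IRQL };

/* Minimal page table entry: only the bit the mechanism toggles (P-bit). */
struct pte { uint64_t vaddr_page; bool present; };

struct guard {
    uint64_t code_lo, code_hi;     /* white list: driver code region [lo, hi) */
    struct pte *data_pte;          /* tagged sensitive-data page (stealth bp) */
    bool hwbp_armed;               /* one hardware breakpoint slot */
    uint64_t hwbp_addr;
    unsigned hv_entries, denied;   /* counters: hypervisor entries, denials */
};

static bool in_code_region(const struct guard *g, uint64_t rip)
{ return rip >= g->code_lo && rip < g->code_hi; }

/* Slide 15 step 1: DriverGuard clears the P-bit of the data page. */
void guard_arm(struct guard *g) { g->data_pte->present = false; }

/* Page fault handler (slide 16, steps 1 to 3). */
enum verdict guard_on_page_fault(struct guard *g, uint64_t fault_addr,
                                 uint64_t rip, uint64_t next_rip)
{
    if (PAGE_OF(fault_addr) != g->data_pte->vaddr_page)
        return NOT_GUARDED;            /* ordinary fault; leave it to Windows */
    g->hv_entries++;
    if (!in_code_region(g, rip)) {    /* non-legitimate caller */
        g->denied++;
        return DENIED_LOW_IRQL;        /* diverted to low IRQL, OS keeps running */
    }
    g->hwbp_armed = true;              /* step 2: breakpoint on next instruction */
    g->hwbp_addr  = next_rip;
    g->data_pte->present = true;       /* step 3: enable PTE so the access completes */
    return ALLOWED;
}

/* Hardware breakpoint handler (steps 4 to 6). Returns true if it was ours. */
bool guard_on_hw_breakpoint(struct guard *g, uint64_t rip)
{
    if (!g->hwbp_armed || rip != g->hwbp_addr) return false;
    g->hv_entries++;
    g->hwbp_armed = false;             /* step 5: clear hardware breakpoint */
    g->data_pte->present = false;      /* step 6: re-arm the stealth breakpoint */
    return true;
}

/* Code-region protection (slide 12): Windows keeps code read-only; the bug
 * check raised by a write is hooked and diverted instead of ending in BSoD. */
enum verdict guard_on_code_write_fault(struct guard *g, uint64_t fault_addr)
{
    if (!in_code_region(g, fault_addr)) return NOT_GUARDED;
    g->hv_entries++; g->denied++;
    return DENIED_LOW_IRQL;
}

/* Drive one data access from instruction `rip` (length `len` bytes, so the
 * next instruction is rip+len) through the whole cycle. */
enum verdict simulate_data_access(struct guard *g, uint64_t rip, unsigned len,
                                  uint64_t addr)
{
    enum verdict v = ALLOWED;
    if (!g->data_pte->present) {       /* access traps into DriverGuard */
        v = guard_on_page_fault(g, addr, rip, rip + len);
        if (v != ALLOWED) return v;
    }
    /* ... the load/store itself executes here with the PTE enabled ... */
    guard_on_hw_breakpoint(g, rip + len);   /* next instruction traps again */
    return v;
}

/* Constructed scenario: driver code at 0x88001000-0x88003000 and a tagged
 * data page at 0x88010000 (addresses chosen for the demo, not from the deck). */
struct scenario { struct pte data; struct guard g; };
static struct scenario demo;

struct scenario *demo_scenario(void)
{
    demo.data.vaddr_page = PAGE_OF(0x88010000ull);
    demo.data.present = true;
    demo.g = (struct guard){ .code_lo = 0x88001000ull, .code_hi = 0x88003000ull,
                             .data_pte = &demo.data };
    guard_arm(&demo.g);
    return &demo;
}
```

Two things the model makes visible that the slide flow only implies: a legitimate access costs two hypervisor entries (page fault, then hardware breakpoint), which is the source of the 22 usec round trip measured later in the deck, and after either outcome the PTE is not-present again, so the next access to the sensitive page is checked afresh rather than trusted because an earlier one was allowed.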
• 17. Implementation of DriverGuard
  • DriverGuard is based on BitVisor [VEE'09]
  • Target is Windows 7 (32 bit)
    – Limitations
      • Page size is 4KB. Windows cannot treat PSE: Page Size Extension.
      • Hibernation is not treated.
    • Device Driver is loaded with IopLoadDriver system call.
    • Sensitive data is allocated by tagged memory (which causes System call "ExAllocatePoolWithTag")
  • Core2 Duo E6850 (3GHz)
    – DriverGuard uses 170 MB memory.
      • It means that the memory for Windows 7 is reduced.
• 18. Overhead on Core2Duo
  • The overhead was measured by DriverGuard.
    – The first VMEnter and last VMExit were not measured, because the time is measured in the DriverGuard.
    – VMEnter and VMExit spend thousands of CPU cycles on Core2 Duo.
  [Figure: timeline between VMX non-root (Driver) and VMX root (DriverGuard). Access to sensitive data → VMEnter → ① Page fault occurred, ② Set Hardware breakpoint, ③ Enable PTE (mark: 5 usec) → VMExit → VMEnter → ④ Trap Hardware breakpoint (mark: 18 usec), ⑤ Clear Hardware breakpoint, ⑥ Disable PTE (mark: 22 usec) → VMExit.]
• 19. Overhead on Core2Duo
  • The overhead caused by DriverGuard was 9 usec, while VMExit and VMEnter used 13 usec.
  • Most part of the time was used by VMExit and VMEnter.
  [Figure: the same timeline annotated. Time used by DriverGuard: 5 usec for ① to ③ and 4 usec for ④ to ⑥; 13 usec used by VMExit and VMEnter in between; marks at 5 usec, 18 usec and 22 usec.]
• 20. Overhead
  • The overhead time is heavy for one access to normal memory.
  • The overhead is acceptable for sensitive data which are used a few times, for example, authentication.
  • The overhead of VMEnter/VMExit is improved on current CPU
    – The overhead of the prototype was measured on Core2 Duo.
• 21. Related Works
  • Hypervisor which protects devices
    – SecVisor[SOSP'10]
      • It requires additional hyper-calls.
    – HUKO[NDSS'11]
      • It is designed to protect the kernel from untrusted device driver.
  • Taint tracking technique is useful to prevent information leakage.
    – Some hypervisors have taint tracking
      • TTAnalyze [EICAR'06], TEMU[ICISS'08], V2E[VEE'12]
    – They take much time, because they must track a target data all the time.
• 22. Conclusion
  • We propose a thin hypervisor "DriverGuard" which protects Device Driver's Memory.
    – DriverGuard uses techniques of VM Introspection and Stealth Breakpoints.
    – It protects code and sensitive data region of device driver.
    – It does not stop the guest OS in order to be used in infrastructure systems.
  Acknowledgement
  This work was in part supported by the Strategic Information and Communications R&D Promotion Programme (SCOPE) of the Ministry of Internal Affairs and Communications, Japan.