SlideShare ist ein Scribd-Unternehmen logo
1 von 39
Downloaden Sie, um offline zu lesen
Virtual Machine
Introspection
Tamas K Lengyel
tamas@tklengyel.com
Thomas Kittel
kittel@sec.in.tum.de
Agenda
1. Motivation
2. What is VMI + Xen + demos
– Isolation
– Interpretation
– Interposition
3. Cloud security + open problems
– Kernel code integrity
4. Conclusion
Our motivation
● Malware collection
● Malware analysis
● Intrusion detection
● Intrusion prevention
● Stealthy debugging
● Cloud security
● Mobile security
Not our motivation
● DRM
● MITM
● Espionage
● Stealth rootkits
Common approaches
● In-guest agents
– Easy to implement
– No isolation
● Network monitor
– Has isolation
– Limited or no context
● Scan VM disk and memory
– Has isolation and context
– Passive view
What is VMI
● Reconstruct high-level state information from
hardware view
– Similar concept to deep packet inspection
● Isolation
– Increased resiliency
● Interpretation
– Complete view of the system
● Interposition
– Control over the execution flow
Isolation
● Reconstruct state without executing code in the
guest
– Avoid in-guest hooks
● Tampering is hard(er)
– Hypervisor based isolation
– Increased trust in the code
● Performance gain
– No “anti-virus storm”
Interpretation
● Understand virtual hardware
– Heavy focus on memory
– vCPU, disk & network
● Reconstruction of state is hard and error-prone
– Complexity
– Requires lots of reverse engineering for Windows
● What data can we trust?
31c3 Presentation - Virtual Machine Introspection
Paging woes
● x86, x86+PS, x86+PAE, IA32E
● Bits 9-11 of the PTE are available bits for the OS
to use as it sees fit
● Paging is different for Windows and Linux!
– if (entry & (1 << 11)) and not entry & (1 << 10)
● Accurate reconstruction is complex
Paging woes
● Paged out memory
– Find and interpret swap file on disk
– Semantics of the swap file defined by the OS
– More complexity
● Xen to the rescue
– Inject page faults via the hypervisor!
– Memory pages can be transparently brought back
– Takes time
– Available starting with Xen 4.5
Paging woes
● Forensics tools need to scan for potential page
tables
overlay = {'VOLATILITY_MAGIC': [ None, {
'DTBSignature' : [ None, ['VolatilityMagic',
dict(value = "x03x00x1bx00")
]],
…
● This is actually a signature for a process
● With VMI we can just use the CR3 from the vCPU
Mapping the kernel
● Requires debug data
● Microsoft gives easy access to it
– Proprietary format
– Has been reverse engineered
– Rekall nicely dumps it into JSON format
● Linux is more problematic
– No cross-distro central repository available
– Fedora DarkServer is a step in the right direction
Scanning woes
● Scanning for the kernel, processes, files, etc.
– Relying on pool tag headers
– 4-byte description (KDBG, Proc, File, etc.)
– Meta-information about type of kernel heap allocation
● Partial structures, old structures, false positives
– Memory doesn't get reset to zero on free
– More heuristics needed to validate hits
– More heuristics = more complexity = more fragile
Anti-forensics
● 2012: One-byte Modification for Breaking Memory
Forensic Analysis
● 2014: ADD - Complicating Memory Forensics
Through Memory Disarray
Fundamental problems with trusting data!
● Scanning for weak signatures
● Inconsistent memory state
Interposition
● Coherent view into the system
● Avoid scanning
– KDBG scan can be avoided:
vCPU0 FS/GS → _KPCR → Kernel!
– Heap allocations can be monitored directly
● Native support built into Xen, no custom patching!
– Designed for debugging
– Relatively unknown and undocumented feature
Tracing on Xen
● 4 types of events currently supported (Intel only)
– MOV-TO-CR0/CR3/CR4
– Debugging breakpoints (INT3)
– Extended Page Table (EPT) violations
– Monitor Trap Flag (MTF) singlestepping
● The hardware would support many more
– See full list in Intel SDM 3c 25.1.3
LibVMI – http://libvmi.com
● Hypervisor agnostic C library
– Xen, KVM & raw memory dump support
– x86, x86+PS, x86+PAE, IA32E, ARM
– Windows and Linux guest support
– Python interface
– Write code once, deploy on all supported hypervisors
– Read & write memory
– Wrapper around Xen events!
– LGPL
31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine Introspection
Malware files in memory
● Write-caching buffers writes to the disk
● Temporary files only ever present in memory!
– Common for malware droppers
● Have to catch the delete event or the memory
could get recycled
● Interposition is critical
–
DRAKVUF – http://drakvuf.com
● Agentless dynamic malware analyzer
– GPLv2
– Built on Xen, LibVMI, Volatility & Rekall
● No in-guest agents = no in-guest artifacts
– Malware sample started externally
– Monitor both user- and kernel-mode malware
– Extract ephemeral artifacts
VMIDBG
● Fresh out of the oven!
– GDB integration!
– https://github.com/Zentific/vmidbg
● Stealthy debugging
– Currently supports Linux
– WinDBG integration next!
– Check the readme ;)
31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine Introspection
Cloud security
● Separate security policy for each cloud user
● Start live monitoring before compromise happens
– Baseline of integrity
● Monitor and protect critical components & paths
– IDT, GDT, SSDT, In-line hooks, etc.
● Trust data that is essential
– If modifying it means it crashes the system, malware
(probably) won’t touch it
But wait..
● Can we really trust any data?
● Hardware reports incomplete trap information
– Read-modify-write (fixed in software in Xen 4.5)
● The Tagged Translation Lookaside Buffer!
– Intel VPID & AMD ASID (2008)
– Entries only visible from within the same context
– The page tables don’t necessarily represent what
translation the guest actually uses
The tagged TLB
● Unique tag for each vCPU so cached entries
survive VMEXIT/VMENTRY
● A rootkit in the guest could muck with the
pagetables after a translation is cached
– Only in-guest code can access the cache!
● Effectiveness varies based on hypervisor and OS
– Xen assigns new tag on each guest MOV-TO-CR3
– Windows 7 frequently flushes global pages
Cloud security
● No need to move everything outside
● Secure in-guest agents
– Better performance, better visibility
– Hybrid approach
– Hardware support coming: Intel #VE
● Alternative approaches
– Reduce the size of the guest system
– MirageOS, NetBSD rumpkernels, OSv
Secure in-guest kernel
● Blacklist approach
– Deny malicious changes
– Need to enumerate all possible things that could go wrong
● Whitelist approach
– Allow only verified changes
– Need to enumerate all valid changes that we want to allow
Kernel Code Integrity
● Linux employs run-time code self-patching
● Need to differentiate between legitimate and
malicious changes
● Load-time patching (architecture specific)
– Load-time patching can be validated during load time
● Run-time patching eg. for hardware hot-plugging
– Run-time patching has to be validated continuously
Kernel run-time patching – Examples
● SMP Locks
– vCPU hot-plug
– Locks needed only if more than one vCPU is present
– Could be used to replace entire functions
● Jump Labels
– In a certain software state some branches are very unlikely
– Jumps are patched out if a function is not required
– The code must be consistent with the systems state
Simple Validation Approaches
● Lock the kernel
– Deny all changes to the code at run-time
– Disables legitimate run-time patching
● Hash the kernel
– White-list all known kernel states
– Number of hashes to maintain grows unbounded
– Separating code from data is non-trivial
– Weird memory optimizations
●
Linux kernel has portions of its large code pages also
mapped into user-space processes
Trap and validate using VMI
● Only allow patching on predefined code locations
– For these locations the patching mechanism is known
– Patches can be retraced and understood
– The patch must match the systems state
● Code patching is not an atomic operation
– System needs to be aware about the intermediate states
● Trap write events to kernel code
– Validate that the current change is not malicious
Summary
● VMI supports a wide spectrum of applications
– Isolation, Interpretation, Interposition
– Balance depends on your use-case
– Pure VMI is not a requirement for all cases
– Hardware support is improving
● Tools are open-source!
– LibVMI http://libvmi.com
– DRAKVUF http://drakvuf.com
● Find us
– #libvmi on Freenode | @tklengyel | kittel@sec.in.tum.de
Acknowledgement
● Zentific: Steve, Matt & Russ
● LibVMI: Bryan & Tony
● Volatility: MHL, moyix, Andrew & gleeda
● Rekall: Scudette
● DARPA: Mudge
● TUM: George, Sebastian & Jonas
Food for thought
Run-time trust may “require deep changes to the way we construct
systems, as we would need a way to tie its low-level implementation to
a high-level semantic description of its runtime behavior in a way that is
verifiable (it would do no good if programs could claim malicious
behavior was something innocent). We can summarize this research
path by asking whether we can ensure that a program
1) says what it does; 2) does what it says; and 3) can prove it.”
Brendan Dolan-Gavitt
Appendix
● https://randomascii.wordpress.com/2013/02/20/symbols-on-
linux-part-three-linux-versus-windows/
● https://archive.org/details/ShmooCon2014_ADD_Complicating
_Memory_Forensics_Through_Memory_Disarray
● http://volatility-labs.blogspot.com/2014/02/add-next-big-threat-
to-memory.html
● http://www.rekall-forensic.com/posts/2014-02-19-profiles.html
● http://www.rekall-forensic.com/posts/2014-02-21-do-we-need-
kdbg.html
● http://www.rekall-forensic.com/posts/2014-10-25-pagefile.html
Appendix
● http://www.sec.in.tum.de/assets/Uploads/acsacmmfkittel.pdf
● http://www.sec.in.tum.de/assets/Uploads/scalability-fidelity-
stealth.pdf
● http://www.sec.in.tum.de/assets/Uploads/pitfalls-virtual-
machine.pdf
● http://www.sec.in.tum.de/assets/Uploads/lengyelshcis2.pdf
● http://www.sec.in.tum.de/assets/Uploads/virtual-machine-
introspection.pdf
● http://xenproject.org/help/presentations-and-
videos/video/latest/xpus14-vm-security-on-the-outside-
looking-in-by-steven-maresca-of-zentific.html

Más contenido relacionado

Was ist angesagt?

Malware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationMalware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationTamas K Lengyel
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisTamas K Lengyel
 
Virtual Machine Introspection with Xen
Virtual Machine Introspection with XenVirtual Machine Introspection with Xen
Virtual Machine Introspection with XenTamas K Lengyel
 
Virtual Machine Introspection in a Hyberid Honeypot Architecture
Virtual Machine Introspection in a Hyberid Honeypot ArchitectureVirtual Machine Introspection in a Hyberid Honeypot Architecture
Virtual Machine Introspection in a Hyberid Honeypot ArchitectureTamas K Lengyel
 
BSides Denver: Stealthy, hypervisor-based malware analysis
BSides Denver: Stealthy, hypervisor-based malware analysisBSides Denver: Stealthy, hypervisor-based malware analysis
BSides Denver: Stealthy, hypervisor-based malware analysisTamas K Lengyel
 
Hacktivity 2016: Stealthy, hypervisor based malware analysis
Hacktivity 2016: Stealthy, hypervisor based malware analysisHacktivity 2016: Stealthy, hypervisor based malware analysis
Hacktivity 2016: Stealthy, hypervisor based malware analysisTamas K Lengyel
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenTamas K Lengyel
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCanSecWest
 
VM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with XenVM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with XenTamas K Lengyel
 
Применение виртуализации для динамического анализа
Применение виртуализации для динамического анализаПрименение виртуализации для динамического анализа
Применение виртуализации для динамического анализаPositive Hack Days
 
VM Forking and Hypervisor-based fuzzing
VM Forking and Hypervisor-based fuzzingVM Forking and Hypervisor-based fuzzing
VM Forking and Hypervisor-based fuzzingTamas K Lengyel
 
CyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and ProtectCyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and ProtectTamas K Lengyel
 
Solnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsecSolnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsecPacSecJP
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?zeroSteiner
 
Lucas apa pacsec slides
Lucas apa pacsec slidesLucas apa pacsec slides
Lucas apa pacsec slidesPacSecJP
 
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat Security Conference
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat Security Conference
 
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsLinux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsJames Morris
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009James Morris
 
Kasza smashing the_jars
Kasza smashing the_jarsKasza smashing the_jars
Kasza smashing the_jarsPacSecJP
 

Was ist angesagt? (20)

Malware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationMalware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware Virtualization
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
 
Virtual Machine Introspection with Xen
Virtual Machine Introspection with XenVirtual Machine Introspection with Xen
Virtual Machine Introspection with Xen
 
Virtual Machine Introspection in a Hyberid Honeypot Architecture
Virtual Machine Introspection in a Hyberid Honeypot ArchitectureVirtual Machine Introspection in a Hyberid Honeypot Architecture
Virtual Machine Introspection in a Hyberid Honeypot Architecture
 
BSides Denver: Stealthy, hypervisor-based malware analysis
BSides Denver: Stealthy, hypervisor-based malware analysisBSides Denver: Stealthy, hypervisor-based malware analysis
BSides Denver: Stealthy, hypervisor-based malware analysis
 
Hacktivity 2016: Stealthy, hypervisor based malware analysis
Hacktivity 2016: Stealthy, hypervisor based malware analysisHacktivity 2016: Stealthy, hypervisor based malware analysis
Hacktivity 2016: Stealthy, hypervisor based malware analysis
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with Xen
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
 
VM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with XenVM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with Xen
 
Применение виртуализации для динамического анализа
Применение виртуализации для динамического анализаПрименение виртуализации для динамического анализа
Применение виртуализации для динамического анализа
 
VM Forking and Hypervisor-based fuzzing
VM Forking and Hypervisor-based fuzzingVM Forking and Hypervisor-based fuzzing
VM Forking and Hypervisor-based fuzzing
 
CyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and ProtectCyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and Protect
 
Solnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsecSolnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsec
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?
 
Lucas apa pacsec slides
Lucas apa pacsec slidesLucas apa pacsec slides
Lucas apa pacsec slides
 
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
 
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century ThreatsLinux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
 
Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009Linux Kernel Security Overview - KCA 2009
Linux Kernel Security Overview - KCA 2009
 
Kasza smashing the_jars
Kasza smashing the_jarsKasza smashing the_jars
Kasza smashing the_jars
 

Ähnlich wie 31c3 Presentation - Virtual Machine Introspection

Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesScott K. Larson
 
cfengine3 at #lspe
cfengine3 at #lspecfengine3 at #lspe
cfengine3 at #lspeChris Westin
 
Kernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical DefensesKernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical DefensesPriyanka Aash
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformAll Things Open
 
Metasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationMetasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationzeroSteiner
 
Black hat dc-2010-egypt-uav-slides
Black hat dc-2010-egypt-uav-slidesBlack hat dc-2010-egypt-uav-slides
Black hat dc-2010-egypt-uav-slidesBakry3
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformAll Things Open
 
Secure container: Kata container and gVisor
Secure container: Kata container and gVisorSecure container: Kata container and gVisor
Secure container: Kata container and gVisorChing-Hsuan Yen
 
Zero footprint guest memory introspection from xen
Zero footprint guest memory introspection from xenZero footprint guest memory introspection from xen
Zero footprint guest memory introspection from xenBitdefender Enterprise
 
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...The Linux Foundation
 
Linux Virtualization
Linux VirtualizationLinux Virtualization
Linux VirtualizationOpenVZ
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013dotCloud
 
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Docker, Inc.
 
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...NETWAYS
 
Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Tim Mackey
 
Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Black Duck by Synopsys
 
Shall we play a game?
Shall we play a game?Shall we play a game?
Shall we play a game?Maciej Lasyk
 

Ähnlich wie 31c3 Presentation - Virtual Machine Introspection (20)

Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
 
Fuzzing_with_Xen.pdf
Fuzzing_with_Xen.pdfFuzzing_with_Xen.pdf
Fuzzing_with_Xen.pdf
 
cfengine3 at #lspe
cfengine3 at #lspecfengine3 at #lspe
cfengine3 at #lspe
 
OpenVZ Linux Containers
OpenVZ Linux ContainersOpenVZ Linux Containers
OpenVZ Linux Containers
 
Kernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical DefensesKernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical Defenses
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
 
Metasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationMetasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel Exploitation
 
Black hat dc-2010-egypt-uav-slides
Black hat dc-2010-egypt-uav-slidesBlack hat dc-2010-egypt-uav-slides
Black hat dc-2010-egypt-uav-slides
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
 
Secure container: Kata container and gVisor
Secure container: Kata container and gVisorSecure container: Kata container and gVisor
Secure container: Kata container and gVisor
 
Zero footprint guest memory introspection from xen
Zero footprint guest memory introspection from xenZero footprint guest memory introspection from xen
Zero footprint guest memory introspection from xen
 
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
 
Linux Virtualization
Linux VirtualizationLinux Virtualization
Linux Virtualization
 
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013Lightweight Virtualization with Linux Containers and Docker | YaC 2013
Lightweight Virtualization with Linux Containers and Docker | YaC 2013
 
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013Lightweight Virtualization with Linux Containers and Docker I YaC 2013
Lightweight Virtualization with Linux Containers and Docker I YaC 2013
 
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
 
Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...
 
Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...Using hypervisor and container technology to increase datacenter security pos...
Using hypervisor and container technology to increase datacenter security pos...
 
Shall we play a game?
Shall we play a game?Shall we play a game?
Shall we play a game?
 

Último

Splashtop Enterprise Brochure - Remote Computer Access and Remote Support Sof...
Splashtop Enterprise Brochure - Remote Computer Access and Remote Support Sof...Splashtop Enterprise Brochure - Remote Computer Access and Remote Support Sof...
Splashtop Enterprise Brochure - Remote Computer Access and Remote Support Sof...Splashtop Inc
 
Enterprise Content Managements Solutions
Enterprise Content Managements SolutionsEnterprise Content Managements Solutions
Enterprise Content Managements SolutionsIQBG inc
 
Large Scale Architecture -- The Unreasonable Effectiveness of Simplicity
Large Scale Architecture -- The Unreasonable Effectiveness of SimplicityLarge Scale Architecture -- The Unreasonable Effectiveness of Simplicity
Large Scale Architecture -- The Unreasonable Effectiveness of SimplicityRandy Shoup
 
Mobile App Development process | Expert Tips
Mobile App Development process | Expert TipsMobile App Development process | Expert Tips
Mobile App Development process | Expert Tipsmichealwillson701
 
MUT4SLX: Extensions for Mutation Testing of Stateflow Models
MUT4SLX: Extensions for Mutation Testing of Stateflow ModelsMUT4SLX: Extensions for Mutation Testing of Stateflow Models
MUT4SLX: Extensions for Mutation Testing of Stateflow ModelsUniversity of Antwerp
 
Leveling Up your Branding and Mastering MERN: Fullstack WebDev
Leveling Up your Branding and Mastering MERN: Fullstack WebDevLeveling Up your Branding and Mastering MERN: Fullstack WebDev
Leveling Up your Branding and Mastering MERN: Fullstack WebDevpmgdscunsri
 
Unlocking the Power of IoT: A comprehensive approach to real-time insights
Unlocking the Power of IoT: A comprehensive approach to real-time insightsUnlocking the Power of IoT: A comprehensive approach to real-time insights
Unlocking the Power of IoT: A comprehensive approach to real-time insightsconfluent
 
BATbern52 Swisscom's Journey into Data Mesh
BATbern52 Swisscom's Journey into Data MeshBATbern52 Swisscom's Journey into Data Mesh
BATbern52 Swisscom's Journey into Data MeshBATbern
 
BusinessGPT - SECURITY AND GOVERNANCE FOR GENERATIVE AI.pptx
BusinessGPT  - SECURITY AND GOVERNANCE  FOR GENERATIVE AI.pptxBusinessGPT  - SECURITY AND GOVERNANCE  FOR GENERATIVE AI.pptx
BusinessGPT - SECURITY AND GOVERNANCE FOR GENERATIVE AI.pptxAGATSoftware
 
Telebu Social -Whatsapp Business API : Mastering Omnichannel Business Communi...
Telebu Social -Whatsapp Business API : Mastering Omnichannel Business Communi...Telebu Social -Whatsapp Business API : Mastering Omnichannel Business Communi...
Telebu Social -Whatsapp Business API : Mastering Omnichannel Business Communi...telebusocialmarketin
 
Revolutionize Your Field Service Management with FSM Grid
Revolutionize Your Field Service Management with FSM GridRevolutionize Your Field Service Management with FSM Grid
Revolutionize Your Field Service Management with FSM GridMathew Thomas
 
MinionLabs_Mr. Gokul Srinivas_Young Entrepreneur
MinionLabs_Mr. Gokul Srinivas_Young EntrepreneurMinionLabs_Mr. Gokul Srinivas_Young Entrepreneur
MinionLabs_Mr. Gokul Srinivas_Young EntrepreneurPriyadarshini T
 
User Experience Designer | Kaylee Miller Resume
User Experience Designer | Kaylee Miller ResumeUser Experience Designer | Kaylee Miller Resume
User Experience Designer | Kaylee Miller ResumeKaylee Miller
 
VuNet software organisation powerpoint deck
VuNet software organisation powerpoint deckVuNet software organisation powerpoint deck
VuNet software organisation powerpoint deckNaval Singh
 
CYBER SECURITY AND CYBER CRIME COMPLETE GUIDE.pLptx
CYBER SECURITY AND CYBER CRIME COMPLETE GUIDE.pLptxCYBER SECURITY AND CYBER CRIME COMPLETE GUIDE.pLptx
CYBER SECURITY AND CYBER CRIME COMPLETE GUIDE.pLptxBarakaMuyengi
 
Practical Advice for FDA’s 510(k) Requirements.pdf
Practical Advice for FDA’s 510(k) Requirements.pdfPractical Advice for FDA’s 510(k) Requirements.pdf
Practical Advice for FDA’s 510(k) Requirements.pdfICS
 
Einstein Copilot Conversational AI for your CRM.pdf
Einstein Copilot Conversational AI for your CRM.pdfEinstein Copilot Conversational AI for your CRM.pdf
Einstein Copilot Conversational AI for your CRM.pdfCloudMetic
 
Take Advantage of Mx Tracking Flight Scheduling Solutions to Streamline Your ...
Take Advantage of Mx Tracking Flight Scheduling Solutions to Streamline Your ...Take Advantage of Mx Tracking Flight Scheduling Solutions to Streamline Your ...
Take Advantage of Mx Tracking Flight Scheduling Solutions to Streamline Your ...MyFAA
 
Mobile App Development company Houston
Mobile  App  Development  company HoustonMobile  App  Development  company Houston
Mobile App Development company Houstonjennysmithusa549
 

Último (20)

Splashtop Enterprise Brochure - Remote Computer Access and Remote Support Sof...
Splashtop Enterprise Brochure - Remote Computer Access and Remote Support Sof...Splashtop Enterprise Brochure - Remote Computer Access and Remote Support Sof...
Splashtop Enterprise Brochure - Remote Computer Access and Remote Support Sof...
 
Enterprise Content Managements Solutions
Enterprise Content Managements SolutionsEnterprise Content Managements Solutions
Enterprise Content Managements Solutions
 
Large Scale Architecture -- The Unreasonable Effectiveness of Simplicity
Large Scale Architecture -- The Unreasonable Effectiveness of SimplicityLarge Scale Architecture -- The Unreasonable Effectiveness of Simplicity
Large Scale Architecture -- The Unreasonable Effectiveness of Simplicity
 
Mobile App Development process | Expert Tips
Mobile App Development process | Expert TipsMobile App Development process | Expert Tips
Mobile App Development process | Expert Tips
 
MUT4SLX: Extensions for Mutation Testing of Stateflow Models
MUT4SLX: Extensions for Mutation Testing of Stateflow ModelsMUT4SLX: Extensions for Mutation Testing of Stateflow Models
MUT4SLX: Extensions for Mutation Testing of Stateflow Models
 
Leveling Up your Branding and Mastering MERN: Fullstack WebDev
Leveling Up your Branding and Mastering MERN: Fullstack WebDevLeveling Up your Branding and Mastering MERN: Fullstack WebDev
Leveling Up your Branding and Mastering MERN: Fullstack WebDev
 
Unlocking the Power of IoT: A comprehensive approach to real-time insights
Unlocking the Power of IoT: A comprehensive approach to real-time insightsUnlocking the Power of IoT: A comprehensive approach to real-time insights
Unlocking the Power of IoT: A comprehensive approach to real-time insights
 
BATbern52 Swisscom's Journey into Data Mesh
BATbern52 Swisscom's Journey into Data MeshBATbern52 Swisscom's Journey into Data Mesh
BATbern52 Swisscom's Journey into Data Mesh
 
20140812 - OBD2 Solution
20140812 - OBD2 Solution20140812 - OBD2 Solution
20140812 - OBD2 Solution
 
BusinessGPT - SECURITY AND GOVERNANCE FOR GENERATIVE AI.pptx
BusinessGPT  - SECURITY AND GOVERNANCE  FOR GENERATIVE AI.pptxBusinessGPT  - SECURITY AND GOVERNANCE  FOR GENERATIVE AI.pptx
BusinessGPT - SECURITY AND GOVERNANCE FOR GENERATIVE AI.pptx
 
Telebu Social -Whatsapp Business API : Mastering Omnichannel Business Communi...
Telebu Social -Whatsapp Business API : Mastering Omnichannel Business Communi...Telebu Social -Whatsapp Business API : Mastering Omnichannel Business Communi...
Telebu Social -Whatsapp Business API : Mastering Omnichannel Business Communi...
 
Revolutionize Your Field Service Management with FSM Grid
Revolutionize Your Field Service Management with FSM GridRevolutionize Your Field Service Management with FSM Grid
Revolutionize Your Field Service Management with FSM Grid
 
MinionLabs_Mr. Gokul Srinivas_Young Entrepreneur
MinionLabs_Mr. Gokul Srinivas_Young EntrepreneurMinionLabs_Mr. Gokul Srinivas_Young Entrepreneur
MinionLabs_Mr. Gokul Srinivas_Young Entrepreneur
 
User Experience Designer | Kaylee Miller Resume
User Experience Designer | Kaylee Miller ResumeUser Experience Designer | Kaylee Miller Resume
User Experience Designer | Kaylee Miller Resume
 
VuNet software organisation powerpoint deck
VuNet software organisation powerpoint deckVuNet software organisation powerpoint deck
VuNet software organisation powerpoint deck
 
CYBER SECURITY AND CYBER CRIME COMPLETE GUIDE.pLptx
CYBER SECURITY AND CYBER CRIME COMPLETE GUIDE.pLptxCYBER SECURITY AND CYBER CRIME COMPLETE GUIDE.pLptx
CYBER SECURITY AND CYBER CRIME COMPLETE GUIDE.pLptx
 
Practical Advice for FDA’s 510(k) Requirements.pdf
Practical Advice for FDA’s 510(k) Requirements.pdfPractical Advice for FDA’s 510(k) Requirements.pdf
Practical Advice for FDA’s 510(k) Requirements.pdf
 
Einstein Copilot Conversational AI for your CRM.pdf
Einstein Copilot Conversational AI for your CRM.pdfEinstein Copilot Conversational AI for your CRM.pdf
Einstein Copilot Conversational AI for your CRM.pdf
 
Take Advantage of Mx Tracking Flight Scheduling Solutions to Streamline Your ...
Take Advantage of Mx Tracking Flight Scheduling Solutions to Streamline Your ...Take Advantage of Mx Tracking Flight Scheduling Solutions to Streamline Your ...
Take Advantage of Mx Tracking Flight Scheduling Solutions to Streamline Your ...
 
Mobile App Development company Houston
Mobile  App  Development  company HoustonMobile  App  Development  company Houston
Mobile App Development company Houston
 

31c3 Presentation - Virtual Machine Introspection

  • 1. Virtual Machine Introspection Tamas K Lengyel tamas@tklengyel.com Thomas Kittel kittel@sec.in.tum.de
  • 2. Agenda 1. Motivation 2. What is VMI + Xen + demos – Isolation – Interpretation – Interposition 3. Cloud security + open problems – Kernel code integrity 4. Conclusion
  • 3. Our motivation ● Malware collection ● Malware analysis ● Intrusion detection ● Intrusion prevention ● Stealthy debugging ● Cloud security ● Mobile security
  • 4. Not our motivation ● DRM ● MITM ● Espionage ● Stealth rootkits
  • 5. Common approaches ● In-guest agents – Easy to implement – No isolation ● Network monitor – Has isolation – Limited or no context ● Scan VM disk and memory – Has isolation and context – Passive view
  • 6. What is VMI ● Reconstruct high-level state information from hardware view – Similar concept to deep packet inspection ● Isolation – Increased resiliency ● Interpretation – Complete view of the system ● Interposition – Control over the execution flow
  • 7. Isolation ● Reconstruct state without executing code in the guest – Avoid in-guest hooks ● Tampering is hard(er) – Hypervisor based isolation – Increased trust in the code ● Performance gain – No “anti-virus storm”
  • 8. Interpretation ● Understand virtual hardware – Heavy focus on memory – vCPU, disk & network ● Reconstruction of state is hard and error-prone – Complexity – Requires lots of reverse engineering for Windows ● What data can we trust?
  • 10. Paging woes ● x86, x86+PS, x86+PAE, IA32E ● Bits 9-11 of the PTE are available bits for the OS to use as it sees fit ● Paging is different for Windows and Linux! – if (entry & (1 << 11)) and not entry & (1 << 10) ● Accurate reconstruction is complex
  • 11. Paging woes ● Paged out memory – Find and interpret swap file on disk – Semantics of the swap file defined by the OS – More complexity ● Xen to the rescue – Inject page faults via the hypervisor! – Memory pages can be transparently brought back – Takes time – Available starting with Xen 4.5
  • 12. Paging woes ● Forensics tools need to scan for potential page tables overlay = {'VOLATILITY_MAGIC': [ None, { 'DTBSignature' : [ None, ['VolatilityMagic', dict(value = "x03x00x1bx00") ]], … ● This is actually a signature for a process ● With VMI we can just use the CR3 from the vCPU
  • 13. Mapping the kernel ● Requires debug data ● Microsoft gives easy access to it – Proprietary format – Has been reverse engineered – Rekall nicely dumps it into JSON format ● Linux is more problematic – No cross-distro central repository available – Fedora DarkServer is a step in the right direction
  • 14. Scanning woes ● Scanning for the kernel, processes, files, etc. – Relying on pool tag headers – 4-byte description (KDBG, Proc, File, etc.) – Meta-information about type of kernel heap allocation ● Partial structures, old structures, false positives – Memory doesn't get reset to zero on free – More heuristics needed to validate hits – More heuristics = more complexity = more fragile
  • 15. Anti-forensics ● 2012: One-byte Modification for Breaking Memory Forensic Analysis ● 2014: ADD - Complicating Memory Forensics Through Memory Disarray Fundamental problems with trusting data! ● Scanning for weak signatures ● Inconsistent memory state
  • 16. Interposition ● Coherent view into the system ● Avoid scanning – KDBG scan can be avoided: vCPU0 FS/GS → _KPCR → Kernel! – Heap allocations can be monitored directly ● Native support built into Xen, no custom patching! – Designed for debugging – Relatively unknown and undocumented feature
  • 17. Tracing on Xen ● 4 types of events currently supported (Intel only) – MOV-TO-CR0/CR3/CR4 – Debugging breakpoints (INT3) – Extended Page Table (EPT) violations – Monitor Trap Flag (MTF) singlestepping ● The hardware would support many more – See full list in Intel SDM 3c 25.1.3
  • 18. LibVMI – http://libvmi.com ● Hypervisor agnostic C library – Xen, KVM & raw memory dump support – x86, x86+PS, x86+PAE, IA32E, ARM – Windows and Linux guest support – Python interface – Write code once, deploy on all supported hypervisors – Read & write memory – Wrapper around Xen events! – LGPL
  • 21. Malware files in memory ● Write-caching buffers writes to the disk ● Temporary files only ever present in memory! – Common for malware droppers ● Have to catch the delete event or the memory could get recycled ● Interposition is critical –
  • 22. DRAKVUF – http://drakvuf.com ● Agentless dynamic malware analyzer – GPLv2 – Built on Xen, LibVMI, Volatility & Rekall ● No in-guest agents = no in-guest artifacts – Malware sample started externally – Monitor both user- and kernel-mode malware – Extract ephemeral artifacts
  • 23. VMIDBG ● Fresh out of the oven! – GDB integration! – https://github.com/Zentific/vmidbg ● Stealthy debugging – Currently supports Linux – WinDBG integration next! – Check the readme ;)
  • 26. Cloud security ● Separate security policy for each cloud user ● Start live monitoring before compromise happens – Baseline of integrity ● Monitor and protect critical components & paths – IDT, GDT, SSDT, In-line hooks, etc. ● Trust data that is essential – If modifying it means it crashes the system, malware (probably) won’t touch it
  • 27. But wait.. ● Can we really trust any data? ● Hardware reports incomplete trap information – Read-modify-write (fixed in software in Xen 4.5) ● The Tagged Translation Lookaside Buffer! – Intel VPID & AMD ASID (2008) – Entries only visible from within the same context – The page tables don’t necessarily represent what translation the guest actually uses
  • 28. The tagged TLB ● Unique tag for each vCPU so cached entries survive VMEXIT/VMENTRY ● A rootkit in the guest could muck with the pagetables after a translation is cached – Only in-guest code can access the cache! ● Effectiveness varies based on hypervisor and OS – Xen assigns new tag on each guest MOV-TO-CR3 – Windows 7 frequently flushes global pages
  • 29. Cloud security ● No need to move everything outside ● Secure in-guest agents – Better performance, better visibility – Hybrid approach – Hardware support coming: Intel #VE ● Alternative approaches – Reduce the size of the guest system – MirageOS, NetBSD rumpkernels, OSv
  • 30. Secure in-guest kernel ● Blacklist approach – Deny malicious changes – Need to enumerate all possible things that could go wrong ● Whitelist approach – Allow only verified changes – Need to enumerate all valid changes that we want to allow
  • 31. Kernel Code Integrity ● Linux employs run-time code self-patching ● Need to differentiate between legitimate and malicious changes ● Load-time patching (architecture specific) – Load-time patching can be validated during load time ● Run-time patching eg. for hardware hot-plugging – Run-time patching has to be validated continuously
  • 32. Kernel run-time patching – Examples ● SMP Locks – vCPU hot-plug – Locks needed only if more than one vCPU is present – Could be used to replace entire functions ● Jump Labels – In a certain software state some branches are very unlikely – Jumps are patched out if a function is not required – The code must be consistent with the systems state
  • 33. Simple Validation Approaches ● Lock the kernel – Deny all changes to the code at run-time – Disables legitimate run-time patching ● Hash the kernel – White-list all known kernel states – Number of hashes to maintain grows unbounded – Separating code from data is non-trivial – Weird memory optimizations ● Linux kernel has portions of its large code pages also mapped into user-space processes
  • 34. Trap and validate using VMI ● Only allow patching on predefined code locations – For these locations the patching mechanism is known – Patches can be retraced and understood – The patch must match the systems state ● Code patching is not an atomic operation – System needs to be aware about the intermediate states ● Trap write events to kernel code – Validate that the current change is not malicious
  • 35. Summary ● VMI supports a wide spectrum of applications – Isolation, Interpretation, Interposition – Balance depends on your use-case – Pure VMI is not a requirement for all cases – Hardware support is improving ● Tools are open-source! – LibVMI http://libvmi.com – DRAKVUF http://drakvuf.com ● Find us – #libvmi on Freenode | @tklengyel | kittel@sec.in.tum.de
  • 36. Acknowledgement ● Zentific: Steve, Matt & Russ ● LibVMI: Bryan & Tony ● Volatility: MHL, moyix, Andrew & gleeda ● Rekall: Scudette ● DARPA: Mudge ● TUM: George, Sebastian & Jonas
  • 37. Food for thought Run-time trust may “require deep changes to the way we construct systems, as we would need a way to tie its low-level implementation to a high-level semantic description of its runtime behavior in a way that is verifiable (it would do no good if programs could claim malicious behavior was something innocent). We can summarize this research path by asking whether we can ensure that a program 1) says what it does; 2) does what it says; and 3) can prove it.” Brendan Dolan-Gavitt
  • 38. Appendix ● https://randomascii.wordpress.com/2013/02/20/symbols-on- linux-part-three-linux-versus-windows/ ● https://archive.org/details/ShmooCon2014_ADD_Complicating _Memory_Forensics_Through_Memory_Disarray ● http://volatility-labs.blogspot.com/2014/02/add-next-big-threat- to-memory.html ● http://www.rekall-forensic.com/posts/2014-02-19-profiles.html ● http://www.rekall-forensic.com/posts/2014-02-21-do-we-need- kdbg.html ● http://www.rekall-forensic.com/posts/2014-10-25-pagefile.html
  • 39. Appendix ● http://www.sec.in.tum.de/assets/Uploads/acsacmmfkittel.pdf ● http://www.sec.in.tum.de/assets/Uploads/scalability-fidelity- stealth.pdf ● http://www.sec.in.tum.de/assets/Uploads/pitfalls-virtual- machine.pdf ● http://www.sec.in.tum.de/assets/Uploads/lengyelshcis2.pdf ● http://www.sec.in.tum.de/assets/Uploads/virtual-machine- introspection.pdf ● http://xenproject.org/help/presentations-and- videos/video/latest/xpus14-vm-security-on-the-outside- looking-in-by-steven-maresca-of-zentific.html