Diese Präsentation wurde erfolgreich gemeldet.
Wir verwenden Ihre LinkedIn Profilangaben und Informationen zu Ihren Aktivitäten, um Anzeigen zu personalisieren und Ihnen relevantere Inhalte anzuzeigen. Sie können Ihre Anzeigeneinstellungen jederzeit ändern.

CyberSEED: Virtual Machine Introspection to Detect and Protect

2.726 Aufrufe

Veröffentlicht am

It's turtles all the way down!

Veröffentlicht in: Software
  • Als Erste(r) kommentieren

CyberSEED: Virtual Machine Introspection to Detect and Protect

  1. 1. @CSICyberSEED Virtual Machine Introspection to Detect and Protect “It’s turtles all the way down!” Tamas K Lengyel @tklengyel
  2. 2. @CSICyberSEED # whoami • Senior Security Researcher at Novetta • PhD Student at UConn CSE • DARPA Cyber Fast Track participant • Maintainer of Xen, DRAKVUF & LibVMI
  3. 3. @CSICyberSEED Outline • Brief look at the current security model • Virtualization • Virtual Machine Introspection • It’s turtles all the way down!
  4. 4. @CSICyberSEED Current security model Low privilege High privilege
  5. 5. @CSICyberSEED Current security model Low privilege High privilege X
  6. 6. @CSICyberSEED The problem: Rootkits Low privilege High privilege
  7. 7. @CSICyberSEED The problem: Rootkits Low privilege High privilege X
  8. 8. @CSICyberSEED Virtualization Low privilege High privilege Higher privilege
  9. 9. @CSICyberSEED Virtual Machine Introspection Use the hypervisor for additional security! X X X X
  10. 10. @CSICyberSEED How? ● Isolation: provided by the hypervisor ● Interpretation: use forensics tools ○ LibVMI, Rekall, Volatility ● Interposition: use hardware extensions ○ Intel EPT, #VE
  11. 11. @CSICyberSEED But wait, this looks familiar.. X X XX X
  12. 12. @CSICyberSEED The million dollar question What protects the hypervisor?
  13. 13. @CSICyberSEED It’s turtles all the way down! A well-known scientist (some say it was Bertrand Russel) once gave a public lecture on astronomy. He described how the earth orbits around the sun and how the sun, in turn, orbits around the center of a vast collection of stars called our galaxy. At the end of the lecture, a little old lady at the back of the room got up and said: "What you have told us is rubbish. The world is really a flat plate supported on the back of a giant tortoise." The scientist gave a superior smile before replying, "What is the tortoise standing on?" "You're very clever, young man, very clever," said the old lady. "But it's turtles all the way down!" — Hawking, A Brief History of Time
  14. 14. @CSICyberSEED Add some more layers Nested hypervisors Root hypervisor
  15. 15. @CSICyberSEED But why stop there? System Management Mode Dual-monitor mode Hypervisor SMM VM No nested hypervisor in SMM The real root hypervisor with reference implementation available! Only OEM access on most hw
  16. 16. @CSICyberSEED There is more! SMM Hypervisor SMM VM Intel Management Engine No reference implementation No documentation Only Intel has access
  17. 17. @CSICyberSEED The bottom line • Adding layers doesn’t solve the problem • Only increases the cost of breaking through • Building cross-layer tools is hard • That’s the whole point • Barrier erodes with time
  18. 18. @CSICyberSEED What’s the catch? • Keeping lower layers as small as possible • More code = more attack surface • Users should have the ability to inspect these layers • Lower the layer the fewer folks have insight/access • Isn’t that the perfect setup for DRM? • It may be about security - but not necessarily yours!
  19. 19. @CSICyberSEED Thanks! Tamas K Lengyel tamas@tklengyel.com tlengyel@novetta.com @tklengyel LibVMI http://libvmi.com DRAKVUF http://drakvuf.com

×