SubVirt: Implementing malware with virtual machines
Authors: Samuel T. King, Peter M. Chen (University of Michigan); Yi-Min Wang, Chad Verbowski, Helen J. Wang, Jacob R. Lorch (Microsoft Research)
Publication: Security and Privacy, 2006 IEEE Symposium.
Presenter: Radha Maldhure
Goal
Attacker: run malicious software and avoid detection
Defender: understand the threat and defend against it
Fig: architecture of a VMM (as used by VMware and VirtualPC): hardware at the bottom, the VMM on top of it, the OS above the VMM, and App1/App2 above the OS. Whichever party, attacker or defender, controls the lower layer has more control over the layers above it.
VM
The VM runs a guest OS and guest applications
The host application and host OS provide convenient access to I/O devices and run VM services
VMI (virtual-machine introspection) = a set of techniques that enable a VM service to understand and modify states/events in the guest
What is the presentation about?
• Virtual-machine based rootkit (VMBR)
– installation
– malicious services
– maintaining control
• Defending against VMBR
– control below VMBR
– control above VMBR
Fig: the system before and after infection. Before infection: hardware, target OS, App1/App2. After infection: hardware, then the VMBR (a VMM) inserted beneath the target OS, with the target OS and App1/App2 running inside a VM alongside a separate attack system.
Attack system = attack OS + malware
The attack system is invisible to the target OS, and its malware can run as ordinary user-mode programs inside the attack OS
Installation
Gain sufficient privileges
Install the VMBR's state on persistent storage
Modify the system's boot sequence so that the VMBR loads before the target OS
Insert the VMBR beneath the target OS
Manipulating the boot sequence requires a privileged level (the boot records must be modified)
!! This must be done at the final stage of shutdown
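A defender-side check of the boot-record step, added here as an example (it is not code from the paper or the presentation): it parses a 512-byte master boot record, verifies the boot signature, extracts the partition table, and compares the boot code and partition layout against a baseline recorded on a known-clean system. Run from a trusted boot medium, such a check reads the disk without going through the VMBR's virtualization layer. The MBR contents, the baseline digest and the names `parse_mbr`, `check_mbr` and `build_sample_mbr` are all constructed for this example.

```python
"""Boot-record integrity check (example code; sample data is constructed)."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 440       # bytes 0..439 hold the bootstrap code
DISK_SIG_OFFSET = 440      # 4-byte disk signature (bytes 444..445 are reserved)
PART_TABLE_OFFSET = 446    # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"
# Partition entry: status, 3 CHS bytes, type, 3 CHS bytes, LBA start, sector count
PART_ENTRY_FMT = "<B3xB3xII"


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw MBR into boot code, disk signature and non-empty partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": mbr[:BOOT_CODE_SIZE],
            "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFFSET)[0],
            "partitions": partitions}


def boot_code_digest(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code region; record this on a clean system."""
    return hashlib.sha256(parse_mbr(mbr)["boot_code"]).hexdigest()


def check_mbr(mbr: bytes, baseline_digest: str, baseline_partitions: list) -> list:
    """Return findings; an empty list means the MBR matches the clean baseline."""
    info = parse_mbr(mbr)
    findings = []
    if hashlib.sha256(info["boot_code"]).hexdigest() != baseline_digest:
        findings.append("boot code differs from baseline")
    if info["partitions"] != baseline_partitions:
        findings.append("partition table differs from baseline")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    return findings


def build_sample_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a synthetic MBR (constructed test data, not a real disk image)."""
    if len(boot_code) > BOOT_CODE_SIZE:
        raise ValueError("boot code too long")
    buf = bytearray(MBR_SIZE)
    buf[:len(boot_code)] = boot_code
    struct.pack_into("<I", buf, DISK_SIG_OFFSET, 0xDEADBEEF)  # made-up disk signature
    for i, (status, ptype, lba, sectors) in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, buf, PART_TABLE_OFFSET + 16 * i,
                         status, ptype, lba, sectors)
    buf[510:512] = BOOT_SIGNATURE
    return bytes(buf)


# Constructed samples: a clean MBR, one whose boot code was replaced, and one
# whose active partition was moved to a second (hypothetical) partition.
ONE_PART = [(0x80, 0x83, 2048, 1_000_000)]
CLEAN_MBR = build_sample_mbr(b"CLEAN-BOOT-CODE-SAMPLE", ONE_PART)
TAMPERED_CODE_MBR = build_sample_mbr(b"DIFFERENT-BOOT-CODE", ONE_PART)
TAMPERED_TABLE_MBR = build_sample_mbr(
    b"CLEAN-BOOT-CODE-SAMPLE",
    [(0x00, 0x83, 2048, 1_000_000), (0x80, 0x83, 1_002_048, 50_000)])

BASELINE_DIGEST = boot_code_digest(CLEAN_MBR)
BASELINE_PARTS = parse_mbr(CLEAN_MBR)["partitions"]

if __name__ == "__main__":
    # On a real system (from a trusted boot medium, as root) the first sector
    # would come from e.g. open("/dev/sda", "rb").read(512).
    for name, mbr in [("clean", CLEAN_MBR), ("code", TAMPERED_CODE_MBR),
                      ("table", TAMPERED_TABLE_MBR)]:
        print(name, check_mbr(mbr, BASELINE_DIGEST, BASELINE_PARTS))
```

The baseline digest and partition list must be stored off the suspect disk (for example on the trusted boot medium itself), since anything stored on the disk is under the VMBR's control once it is installed.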
Malicious services (MS): there are three types
1. MS with no communication with the target system, e.g. phishing web servers
2. MS that observes data from the target system, e.g. keystroke loggers used to obtain sensitive info such as passwords
3. MS that modifies the execution of the target system, e.g. deleting email
Maintaining Control
Fig: Booting the System: the system powers up, the BIOS runs, the VMBR's state and code are loaded from disk, and only then is the target OS booted inside the VM.
!!! Avoid reboots and shutdowns (a hardware reset takes the machine out of the VMBR's control while it restarts)
Handle reboots: restart the virtual hardware rather than resetting the underlying physical hardware
Handle shutdowns: use ACPI sleep states to emulate a system shutdown
Fig: Defense on a compromised system. Security software running above the VMBR can see only the virtualized state; security software running below the VMBR can see the actual state of the system and the state of the VMBR itself.
Security Software below VMBR
Basic idea: the detector's view of the system does not go through the VMBR's virtualization layer
Ways:
– Boot from a safe medium such as CD-ROM or USB, physically unplugging the power before booting so that the VMBR's emulated shutdown cannot keep it running
– Use a secure VMM
Security Software above VMBR
Basic idea: security software below the VMBR is inconvenient, so instead look for the VMBR's side effects from inside the VM
Ways:
– Compare the running time of software in the VM with benchmarks measured against wall-clock time
– Run a program that requires the entire memory or disk space
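The timing check from the last slide, as an added example that is not from the paper or the presentation: a fixed CPU-bound benchmark is timed against both the guest's own clock and an external clock supplied by the caller, and the result is compared with a baseline recorded on a known-clean machine. Two signals come out of it: the benchmark running much slower than the baseline, and the guest clock disagreeing with the external one. The numeric samples, the `TimingBaseline` class and the `assess` function are constructed here; a real deployment would pass a trusted external time source in place of the default `time.perf_counter`, which is itself under the VMBR's control.

```python
"""Timing-based VMBR detection from inside the VM (example code; data is constructed)."""
import statistics
import time


def cpu_workload(rounds: int = 200_000) -> int:
    """Fixed CPU-bound work, so repeated runs should take comparable time."""
    acc = 0
    for i in range(rounds):
        acc = (acc * 31 + i) & 0xFFFFFFFF
    return acc


def timed_run(workload=cpu_workload, external_clock=time.perf_counter,
              guest_clock=time.perf_counter) -> dict:
    """Time one run on both clocks; returns elapsed seconds per clock.

    external_clock should read a source the VMBR cannot alter (a network time
    server, another device); the default is only a stand-in for the example.
    """
    e0, g0 = external_clock(), guest_clock()
    workload()
    e1, g1 = external_clock(), guest_clock()
    return {"external": e1 - e0, "guest": g1 - g0}


def median_run(n: int = 5, **kwargs) -> dict:
    """Median of n runs on each clock, to damp scheduling noise."""
    runs = [timed_run(**kwargs) for _ in range(n)]
    return {"external": statistics.median(r["external"] for r in runs),
            "guest": statistics.median(r["guest"] for r in runs)}


class TimingBaseline:
    """External-clock benchmark timings recorded on a known-clean system."""

    def __init__(self, samples):
        self.mean = statistics.mean(samples)
        self.stdev = statistics.pstdev(samples)


def assess(run: dict, baseline: TimingBaseline, slowdown_factor: float = 1.5,
           clock_skew_ratio: float = 0.10) -> list:
    """Return findings; empty means the run is consistent with the clean baseline."""
    findings = []
    factor = run["external"] / baseline.mean
    if factor > slowdown_factor:
        findings.append(f"benchmark ran {factor:.2f}x slower than the baseline")
    # A VMBR that slows the guest's clock to hide its overhead shows up here.
    if abs(run["external"] - run["guest"]) > clock_skew_ratio * run["external"]:
        findings.append("guest clock disagrees with the external clock")
    return findings


# Constructed sample data (seconds): a baseline from a clean machine, one run
# that matches it, and one where the benchmark took twice as long while the
# guest clock reported almost no change.
BASELINE = TimingBaseline([0.50, 0.52, 0.49, 0.51])
CLEAN_RUN = {"external": 0.53, "guest": 0.52}
SUSPECT_RUN = {"external": 1.10, "guest": 0.55}

if __name__ == "__main__":
    print("clean:", assess(CLEAN_RUN, BASELINE))
    print("suspect:", assess(SUSPECT_RUN, BASELINE))
    print("live measurement:", median_run(n=3))
```

Thresholds such as `slowdown_factor` need to be set from the spread of the clean baseline (the `stdev` is kept for that), since ordinary load on the machine also slows the benchmark; the clock-skew signal is the more robust of the two because it does not depend on the machine being idle.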
Contribution
• Explored the design and implementation of VMBR
• Explored techniques for detecting VMBR
Weakness
• A VMBR is difficult to install
• VMBRs require a reboot before they can run
• They have a larger impact on the overall system
Suggestions
• The ideas suggested by the paper are good but need much more implementation work on both the attacker's and the defender's side
• Defense not convenient for end users
• Some ideas are not clear
Questions?
Quote for the day
“No defeat is final until we stop trying”