Using Hardware Features for Increased Debugging Transparencywebpages.eng.wayne.edu/~fy8421/17fa-csc6991/slides/3-MalT.pdf · – McAfee (Intel Security) reported 8,000,000 new malware

UsingHardwareFeaturesforIncreasedDebuggingTransparencyFengweiZhang,KevinLeach,AngelosStavrou,

HainingWang,andKunSun.InS&P'15.

FengweiZhang

WayneStateUniversity CSC6991TopicsinComputerSecurity 1

Overview

•  MoOvaOon•  Background:SystemManagementMode(SMM)

•  SystemArchitecture•  EvaluaOon:TransparencyandPerformance•  ConclusionsandFutureDirecOons


Overview




MoOvaOon

•  MalwareaXacksstaOsOcs–  Symantecblockedanaverageof247,000aXacksperday[1]

– McAfee(IntelSecurity)reported8,000,000newmalwaresamplesinthefirstquarterin2014[2]

–  Kasperskyreportedmalwarethreatshavegrown34%withover200,000newthreatsperdaylastyear[3]

•  ComputersystemshavevulnerableapplicaOonsthatcouldbeexploitedbyaXackers.


TradiOonalMalwareAnalysis

•  UsingvirtualizaOontechnologytocreateanisolatedexecuOonenvironmentformalwaredebugging

•  RunningmalwareinsideaVM•  RunninganalysistoolsoutsideaVM

Hardware

Hypervisor (VMM)

Virtual Machine





Hardware

Hypervisor (VMM)

Virtual Machine

Malware





Hardware

Hypervisor (VMM)

Virtual Machine

Analysis

Tool

Malware



LimitaOons:•  DependingonhypervisorsthathavealargeTCB(e.g.,

Xenhas500KSLOCand245vulnerabiliOesinNVD) ︎•  Incapableofanalyzingrootkitswiththesameorhigher

privilegelevel(e.g.,hypervisorandfirmwarerootkits)︎•  UnabletoanalyzearmoredmalwarewithanO-

virtualizaOonoranO-emulaOontechniques

Hardware

Hypervisor (VMM)

Virtual Machine

Analysis

Tool

Malware


OurApproach

Wepresentabare-metaldebuggingsystemcalledMalTthatleveragesSystemManagementModeformalwareanalysis︎•  UsesSystemManagementModeasahardwareisolated

execuOonenvironmenttorunanalysistoolsandcandebughypervisors ︎

•  Movesanalysistoolsfromhypervisor-layertohardware-layerthatachievesahighleveloftransparency

Hardware

Hypervisor (VMM)

Virtual Machine

Analysis

Tool

Malware


Overview




Background:SystemManagementMode

SystemManagementMode(SMM)isspecialCPUmodeexisOnginx86architecture,anditcanbeusedasahardwareisolatedexecuOonenvironment.•  OriginallydesignedforimplemenOngsystemfuncOons(e.g.,powermanagement)

•  IsolatedSystemManagementRAM(SMRAM)thatisinaccessiblefromOS

•  OnlywaytoenterSMMistotriggeraSystemManagementInterrupt(SMI)

•  ExecuOngRSMinstrucOontoresumeOS(ProtectedMode)


Background:SystemManagementMode

ApproachesforTriggeringaSystemManagementInterrupt(SMI)•  Soiware-based:WritetoanI/OportspecifiedbySouthbridge

datasheet(e.g.,0x2BforIntel)•  Hardware-based:Networkcard,keyboard,hardwareOmers

Protected Mode

Normal OS

System Management Mode

Isolated Execution Environment

SMIHandler

Isolated SMRAM

Highest privilege

Interrupts disabled

SMM entry

SMM exit

Softwareor

Hardware

Trigger SMI

RSM


Background:SoiwareLayers

Application

Operating System

Hypervisor (VMM)

Firmware (BIOS) SMM

Hardware


Background:HardwareLayout

CPUNorthbridge

(memory controller hub)MMU and IOMMU

Graphic card slot

Memory bus

Memory slots

Southbridge(I/O controller hub)

PCI bus

PCI slots

BIOS Super I/O

LPC bus

Keyboard

Mouse

Serial port

IDE

SATA

Audio

USB

CMOS

Front-side bus

PCIe bus

Internal bus


Overview




SystemArchitecture

•  TradiOonallymalwaredebuggingusesvirtualizaOonoremulaOon ︎

•  MalTdebugsmalwareonabare-metalmachine,andremainstransparentinthepresenceofexisOnganO-debugging,anO-VM,andanO-emulaOontechniques.

Debugging Client

GDB-like

Debugger

Debugging Server

SMI

handler

Debugged

application

1) Trigger SMI

2) Debug command

3) Response message

Inspect

application

Breakpoint


Step-by-stepDebugginginMalT

•  DebuggingprograminstrucOon-by-instrucOon ︎•  UsingperformancecounterstotriggeranSMIforeachinstrucOon

Protected Mode System Management Mode

SMI Handler

SMI Handler

SMM entry

SMM entry

SMM exit

SMM exit

inst1inst2inst3

...

instn

CPU control flow

EIP

Trigger SMI

RSM

Trigger SMI

RSM


Overview




EvaluaOon:TransparencyAnalysis•  Twosubjects:1)runningenvironmentand2)debuggeritself︎–  Runningenvironmentsofadebugger︎

•  SMMv.s.virtualizaOon/emulaOon ︎–  Sideeffectsintroducedbyadebuggeritself︎

•  CPU,cache,memory,I/O,BIOS,andOming•  Towardstruetransparency ︎– MalTisnotfullytransparent(e.g.,externalOmingaXack)butincreased︎

– DrawaXenOontohardware-basedapproachforaddressingdebuggingtransparency


EvaluaOon:PerformanceAnalysis•  TestbedSpecificaOon︎– Motherboard:ASUSM2V-MXSE︎–  CPU:2.2GHzAMDLE-1250 ︎–  Chipsets:AMDK8Northbridge+VIAVT8237rSouthbridge︎–  BIOS:Coreboot+SeaBIOS

Evaluation: Performance Analysis

I Testbed SpecificationI Motherboard: ASUS M2V-MX SEI CPU: 2.2 GHz AMD LE-1250I Chipsets: AMD K8 Northbridge + VIA VT8237r SouthbridgeI BIOS: Coreboot + SeaBIOS

Table: SMM Switching and Resume (Time: µs)

Operations Mean STD 95% CISMM switching 3.29 0.08 [3.27,3.32]SMM resume 4.58 0.10 [4.55,4.61]Total 7.87

19


EvaluaOon:PerformanceAnalysisEvaluation: Performance Analysis

Table: Stepping Overhead on Windows and Linux (Unit: Times ofSlowdown)

Stepping Methods Windows Linux⇡ ⇡

Far control transfer 2 2Near return 30 26Taken branch 565 192Instruction 973 349

20


Overview




ConclusionsandFutureWork•  WedevelopedMalT,abare-mataldebuggingsystemthat

employsSMMtoanalyzemalware–  Hardware-assistedsystem;doesnotusevirtualizaOonoremulaOon

technology ︎–  ProvidingamoretransparentexecuOonenvironment︎–  ThoughtesOngexisOnganO-debugging,anO-VM,andanO-emulaOon

techniques,MalTremainstransparent

•  Futurework Remote Debugger (“client”)

GDBServer

IDAProTool

GDBClient

Debugging Target (“server”)

SMIHandler

Debuggedapplication

Debug command

Response message

SMM PMGeneric Interaface


ReferencesReferences I

[1] Symantec, “Internet Security Threat Report, Vol. 19 Main Report,” http:

//www.symantec.com/content/en/us/enterprise/other resources/b-istr main report v19 21291018.en-us.pdf,

2014.

[2] McAfee, “Threats Report: First Quarter 2014,”

http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2014-summary.pdf.

[3] Kaspersky Lab, “Kaspersky Security Bulletin 2013,” http://media.kaspersky.com/pdf/KSB 2013 EN.pdf.

22


PaperDiscussion•  NicholasBurton•  MALTisaSystemManagementModebaseddebuggingframeworkusedto

analyzemalware.Itisabaremetaldebuggingsystemthatallowshightransparency.BaremetaldebuggingisusedbecausemalwareoienhasanO-virtualizaOonmeasuresthatchangeitsbehaviorwhenitdiscoversitisinavirtualmachineoremulaOonenvironment.UsingSMMMALThasring-2privilegeandhasasmallerTrustedCodeBasethananydebuggerthatdependsonvirtualizaOon.MALTisaneffecOvedebuggerthatisgenerallyunhinderedbyarmoredmalwarethathasanO-VMandanO-debuggingsoiware,howeveritisincapableofdebuggingrootkitsatthering-2privilegelevel.MALTisiniOallytriggeredbyaserialmessagearrivingattheCOM1port,whichhasbeenreconfiguredtosendanSMI.DuringdebuggingthecurrentEIPvalueischeckedagainstthebreakpoint,whentheyareequalaneventinLAPICissettooverflowtotriggertheSMI.VulnerabiliOesthatSMMhascanbeusedtostopMALTbeingthatitisSMM-based.AXackssuchascachepoisoningandmemoryreclamaOon,howevertheseissueshavebeenfixedbyimplementaOonofSMRRandlockingtheSMRAMrespecOvely.


PaperDiscussion•  JacobBednard•  Thispaperproposesandimplementsanewtechniquefortransparentdebugging

basedinSystemManagementModecalledMaLT.ThemoOvaOonforthistechniqueisthatmalwarecandetectthepresenceofvirtualmachinesandemulaOonandchoosetoremainstealthybynotunpackingit’scontents.MaLTshowsthatadebuggerplacedintoSMMbyCorebootonbootcanremaintransparenttomalware.Inshort,thecoreprocessofMaLTallowstheplacementofbreakpointsintocodethatmodifytheO/SinstrucOonsettocallanSMIandopentheMaLTenvironmentforintrospecOon.WhenthecurrentcycleiscompleteforMaLT,itthenextinstrucOonintheregisterstoresumethepreviousoperaOon.ThebenefitthatMaLThasisthatitoperatesinRing-1/-2space.Thatis,MaLToperatesclosetobaremetal.TheMaLTprogramcanbeaccessedandusedthroughaserialterminalwhichallowsausertoreadmemoryandlaunchbreakpoints.TheonlysignaturethatMaLTmayleavebehindisaside-channelbasedOmingdetecOonmethodinwhichmalwaremonitors3rdpartyOmestampstoseeiftherehavebeenanybreaksinprocessorexecuOon.


PaperDiscussion•  SuryaMani•  Thispapertalksaboutthedeficiencyofadvancedmalwareanalysistechniques

usingvirtualizaOonandemulaOontechniquestopreventmalwareaXack.Themalwarehastheabilitytodetectthepresenceofabovetechniquesandhidesitself,makingthesystemmorevulnerable.ThepaperdiscussesindetailaboutMALTadebuggingframeworkusingSystemManagementMode(SMM).ThefollowingaretheadvantagesofusingMALTtechniques.ItishardwareassistedmalwareanalysiswhichcandorootkitanalysisandkerneldebuggingwithoutusingOS.InMALT,eitherserialportorperformancecounterisusedtotriggerSMI(SystemManagementInterrupt)andalsouseshardwarebreakpointtechniquestherebyincreasingtransparencyandreducingvulnerability.MALTexecutesinSSMRing-2levelhenceitiscapableofdebuggingusermode,kernelmodeandhypervisorlevelrootkits.SinceMALTcodedoesruninbaremetalmachine,itdoesnotchangeanycodeinoperaOngsystem.MALTusesrebootapproachtorestoreasystemtocleanstatehencebyleavingitvulnerabletomalwareaXackduringreboot.


Reminders

•  Paperreviews

•  ResearchTopics

•  NextClass:TransportaOonSecurity

•  NextWeekWayneStateUniversity CSC6991TopicsinComputerSecurity 28

Documents

Using Hardware Features for Increased Debugging Transparencywebpages.eng.wayne.edu/~fy8421/17fa-csc6991/slides/3-MalT.pdf · – McAfee (Intel Security) reported 8,000,000 new malware