Using Hardware Features for Increased Debugging Transparency
Fengwei Zhang, Kevin Leach, Angelos Stavrou, Haining Wang, and Kun Sun. In S&P'15.
Fengwei Zhang
Wayne State University, CSC 6991 Topics in Computer Security
Overview
• Motivation
• Background: System Management Mode (SMM)
• System Architecture
• Evaluation: Transparency and Performance
• Conclusions and Future Directions
Motivation
• Malware attack statistics
  – Symantec blocked an average of 247,000 attacks per day [1]
  – McAfee (Intel Security) reported 8,000,000 new malware samples in the first quarter of 2014 [2]
  – Kaspersky reported malware threats have grown 34%, with over 200,000 new threats per day last year [3]
• Computer systems have vulnerable applications that could be exploited by attackers.
Traditional Malware Analysis
• Using virtualization technology to create an isolated execution environment for malware debugging
• Running malware inside a VM
• Running analysis tools outside a VM
[Figure: layered stack of Hardware, Hypervisor (VMM) and Virtual Machine; the Malware runs inside the Virtual Machine and the Analysis Tool runs outside it]
Traditional Malware Analysis
Limitations:
• Depending on hypervisors that have a large TCB (e.g., Xen has 500K SLOC and 245 vulnerabilities in NVD)
• Incapable of analyzing rootkits with the same or higher privilege level (e.g., hypervisor and firmware rootkits)
• Unable to analyze armored malware with anti-virtualization or anti-emulation techniques
[Figure: the same Hardware / Hypervisor (VMM) / Virtual Machine stack, with the Analysis Tool and the Malware]
Our Approach
We present a bare-metal debugging system called MalT that leverages System Management Mode for malware analysis
• Uses System Management Mode as a hardware-isolated execution environment to run analysis tools, and can debug hypervisors
• Moves analysis tools from the hypervisor layer to the hardware layer, which achieves a high level of transparency
[Figure: Hardware / Hypervisor (VMM) / Virtual Machine stack; the Malware stays in the Virtual Machine while the Analysis Tool is moved down to the hardware layer]
Background: System Management Mode
System Management Mode (SMM) is a special CPU mode existing in the x86 architecture, and it can be used as a hardware-isolated execution environment.
• Originally designed for implementing system functions (e.g., power management)
• Isolated System Management RAM (SMRAM) that is inaccessible from the OS
• The only way to enter SMM is to trigger a System Management Interrupt (SMI)
• Executing the RSM instruction resumes the OS (Protected Mode)
Background: System Management Mode
Approaches for Triggering a System Management Interrupt (SMI)
• Software-based: Write to an I/O port specified by the Southbridge datasheet (e.g., 0x2B for Intel)
• Hardware-based: Network card, keyboard, hardware timers
[Figure: Protected Mode (Normal OS) on the left and System Management Mode (Isolated Execution Environment) on the right. A software or hardware trigger raises an SMI (SMM entry) into the SMI Handler, which runs in isolated SMRAM at the highest privilege with interrupts disabled; RSM (SMM exit) returns to Protected Mode.]
Background: Software Layers
[Figure: software layers from top to bottom: Application, Operating System, Hypervisor (VMM), Firmware (BIOS) / SMM, Hardware]
Background: Hardware Layout
[Figure: PC hardware layout. The CPU connects over the front-side bus to the Northbridge (memory controller hub, with MMU and IOMMU), which serves the memory slots over the memory bus, the graphics card slot over the PCIe bus, and the Southbridge (I/O controller hub) over the internal bus. The Southbridge hosts the PCI bus and PCI slots, IDE, SATA, audio, USB and CMOS, and, over the LPC bus, the BIOS and the Super I/O (keyboard, mouse, serial port).]
System Architecture
• Traditionally malware debugging uses virtualization or emulation
• MalT debugs malware on a bare-metal machine, and remains transparent in the presence of existing anti-debugging, anti-VM, and anti-emulation techniques.
[Figure: a Debugging Client running a GDB-like Debugger talks to a Debugging Server whose SMI handler inspects the debugged application: 1) Trigger SMI; 2) Debug command; 3) Response message. The SMI handler inspects the application when a Breakpoint is reached.]
Step-by-step Debugging in MalT
• Debugging a program instruction-by-instruction
• Using performance counters to trigger an SMI for each instruction
[Figure: CPU control flow in Protected Mode executes inst1, inst2, inst3, ..., instn. After each instruction the EIP advances, an SMI is triggered (SMM entry), the SMI Handler runs in System Management Mode, and RSM (SMM exit) returns control to the next instruction.]
Evaluation: Transparency Analysis
• Two subjects: 1) running environment and 2) the debugger itself
  – Running environments of a debugger
    • SMM vs. virtualization/emulation
  – Side effects introduced by a debugger itself
    • CPU, cache, memory, I/O, BIOS, and timing
• Towards true transparency
  – MalT is not fully transparent (e.g., external timing attack), but transparency is increased
  – Draw attention to hardware-based approaches for addressing debugging transparency
Evaluation: Performance Analysis
• Testbed Specification
  – Motherboard: ASUS M2V-MX SE
  – CPU: 2.2 GHz AMD LE-1250
  – Chipsets: AMD K8 Northbridge + VIA VT8237r Southbridge
  – BIOS: Coreboot + SeaBIOS

Table: SMM Switching and Resume (Time: µs)

Operation        Mean   STD    95% CI
SMM switching    3.29   0.08   [3.27, 3.32]
SMM resume       4.58   0.10   [4.55, 4.61]
Total            7.87
Evaluation: Performance Analysis

Table: Stepping Overhead on Windows and Linux (Unit: Times of Slowdown)

Stepping Method         Windows   Linux
Far control transfer          2       2
Near return                  30      26
Taken branch                565     192
Instruction                 973     349
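To make the stepping-overhead numbers concrete, here is an added Python model (not MalT's code) of the performance-counter stepping from the step-by-step debugging slide, priced with the switch and resume times from the SMM table above: it counts the SMM round trips a constructed instruction trace incurs under each stepping method and shows which addresses the SMI handler actually gets to compare against a breakpoint. The trace, the event classes, and the assumption that the handler's own work costs nothing are mine.

```python
"""Model of MalT's performance-counter stepping (added example, not MalT's code).
MalT arms a performance counter to overflow after one event of the chosen class
and routes the overflow to an SMI, so each event costs an SMM entry plus an RSM.
This replays a constructed trace, counts the round trips per stepping method and
charges each the 7.87 us measured in the evaluation (3.29 switch + 4.58 resume).
"""
SMM_SWITCH_US = 3.29   # measured on the ASUS M2V-MX SE testbed, microseconds
SMM_RESUME_US = 4.58
ROUND_TRIP_US = SMM_SWITCH_US + SMM_RESUME_US   # SMI handler work assumed zero

# Event classes that trip the counter for each stepping method, coarsest first;
# each finer method also fires on everything the coarser ones fire on.
STEPPING_EVENTS = {
    "far control transfer": {"far"},
    "near return": {"far", "near_ret"},
    "taken branch": {"far", "near_ret", "taken_branch"},
    "instruction": {"far", "near_ret", "taken_branch", "other"},
}

# Constructed (EIP, event class) trace, one entry per retired instruction;
# addresses and classes are invented for this example, not from the paper.
SAMPLE_TRACE = [
    (0x401000, "other"), (0x401003, "other"), (0x401006, "taken_branch"),
    (0x401020, "other"), (0x401022, "near_ret"), (0x401010, "other"),
    (0x401013, "far"), (0x7C0000, "other"), (0x7C0002, "taken_branch"),
    (0x7C0010, "near_ret"), (0x401016, "other"), (0x401019, "other"),
]

def smm_round_trips(trace, method):
    """Number of SMI/RSM pairs the stepping method incurs over the trace."""
    triggers = STEPPING_EVENTS[method]
    return sum(1 for _eip, kind in trace if kind in triggers)

def stepping_cost_us(trace, method):
    """Microseconds spent entering and leaving SMM for this method."""
    return round(smm_round_trips(trace, method) * ROUND_TRIP_US, 2)

def observed_eips(trace, method):
    """EIPs the SMI handler finds in the SMRAM save state. The overflow SMI is
    taken after the triggering instruction retires, so the saved EIP is the
    address of the next instruction to execute."""
    triggers = STEPPING_EVENTS[method]
    return [trace[i + 1][0] for i, (_eip, kind) in enumerate(trace[:-1])
            if kind in triggers]

def breakpoint_hit(trace, method, bp_eip):
    """True only if the handler is invoked with EIP == bp_eip: coarse stepping
    runs cheaply but skips past addresses at which it never stops."""
    return bp_eip in observed_eips(trace, method)
```

The ordering of the per-method round-trip counts (far control transfer fewest, instruction most) is what produces the ordering of the slowdown rows in the table; the absolute factors additionally depend on the handler's own work and the native speed of the traced code, which this model leaves out.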
Conclusions and Future Work
• We developed MalT, a bare-metal debugging system that employs SMM to analyze malware
  – Hardware-assisted system; does not use virtualization or emulation technology
  – Provides a more transparent execution environment
  – When tested against existing anti-debugging, anti-VM, and anti-emulation techniques, MalT remains transparent
• Future work
[Figure: a Remote Debugger ("client") with a GDB Server, IDA Pro Tool and GDB Client exchanges Debug commands and Response messages with the Debugging Target ("server"), where the SMI Handler and the Debugged application communicate through a generic SMM / PM interface.]
References
[1] Symantec, “Internet Security Threat Report, Vol. 19 Main Report,” http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf, 2014.
[2] McAfee, “Threats Report: First Quarter 2014,” http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2014-summary.pdf.
[3] Kaspersky Lab, “Kaspersky Security Bulletin 2013,” http://media.kaspersky.com/pdf/KSB_2013_EN.pdf.
Paper Discussion
• Nicholas Burton
• MALT is a System Management Mode based debugging framework used to analyze malware. It is a bare metal debugging system that allows high transparency. Bare metal debugging is used because malware often has anti-virtualization measures that change its behavior when it discovers it is in a virtual machine or emulation environment. Using SMM, MALT has ring -2 privilege and has a smaller Trusted Code Base than any debugger that depends on virtualization. MALT is an effective debugger that is generally unhindered by armored malware that has anti-VM and anti-debugging software; however, it is incapable of debugging rootkits at the ring -2 privilege level. MALT is initially triggered by a serial message arriving at the COM1 port, which has been reconfigured to send an SMI. During debugging the current EIP value is checked against the breakpoint; when they are equal, an event in the LAPIC is set to overflow to trigger the SMI. Vulnerabilities that SMM has can be used to stop MALT, being that it is SMM-based. Attacks such as cache poisoning and memory reclamation exist; however, these issues have been fixed by implementation of SMRR and locking the SMRAM, respectively.
Paper Discussion
• Jacob Bednard
• This paper proposes and implements a new technique for transparent debugging based in System Management Mode called MaLT. The motivation for this technique is that malware can detect the presence of virtual machines and emulation and choose to remain stealthy by not unpacking its contents. MaLT shows that a debugger placed into SMM by Coreboot on boot can remain transparent to malware. In short, the core process of MaLT allows the placement of breakpoints into code that modify the O/S instruction set to call an SMI and open the MaLT environment for introspection. When the current cycle is complete for MaLT, it then uses the next instruction in the registers to resume the previous operation. The benefit that MaLT has is that it operates in Ring -1/-2 space. That is, MaLT operates close to bare metal. The MaLT program can be accessed and used through a serial terminal which allows a user to read memory and launch breakpoints. The only signature that MaLT may leave behind is a side-channel based timing detection method in which malware monitors 3rd party timestamps to see if there have been any breaks in processor execution.
Paper Discussion
• Surya Mani
• This paper talks about the deficiency of advanced malware analysis techniques using virtualization and emulation techniques to prevent malware attack. The malware has the ability to detect the presence of the above techniques and hides itself, making the system more vulnerable. The paper discusses in detail MALT, a debugging framework using System Management Mode (SMM). The following are the advantages of using MALT techniques. It is hardware assisted malware analysis which can do rootkit analysis and kernel debugging without using the OS. In MALT, either the serial port or a performance counter is used to trigger an SMI (System Management Interrupt), and it also uses hardware breakpoint techniques, thereby increasing transparency and reducing vulnerability. MALT executes at SMM Ring -2 level, hence it is capable of debugging user mode, kernel mode and hypervisor level rootkits. Since MALT code does run in a bare metal machine, it does not change any code in the operating system. MALT uses a reboot approach to restore a system to a clean state, hence leaving it vulnerable to malware attack during reboot.
Reminders
• Paper reviews
• Research Topics
• Next Class: Transportation Security
• Next Week