Upload
tamas-k-lengyel
View
1.568
Download
1
Embed Size (px)
Citation preview
Virtual Machine Introspection to Detect and ProtectTamas K. [email protected]@zentific.comhttps://github.com/tklengyel
Agenda
1. Motivation & Cloud security
2. Xen
3. Virtual Machine Introspection
I. Isolation
II. Interpretation
III. Interposition
4. Demo
5. Public release of new tools
Motivation
This is my PhD topic
● Malware collection & analysis
DARPA Cyber Fast Track
● Cloud IDS/IPS prototype
Up-and-coming field
Cloud Security?
● Virtualization is a magic box of invulnerability
● Why bother if Cloud instances are short-lived and easily wiped?
● Isn't worth the cost of overhead
● It's not going to happen to me
● I'll just use my existing tools and be fine
Wrong!
Cloud Security
● In-guest AV / HIDS
✗ No isolation● Network IDS
✗ Limited or no context● Scan VM disk and memory
✗ No interposition
Better than nothing
Cloud Security!
● Move protection out from the VM
✔ Hypervisor based isolation● Full view of the VM state
✔ Interpret virtual hardware to see processes, users, connections, files..
● Actively monitor & control
✔ Interposition
Xen
Bare-metal VMM
Runs in VMX root
Minimal interface
Everything else is a domain, with one being special (dom0)
Isolation
We could move the security stack to dom0..
.. or move it into its own domain!
Xen allows for advanced disaggregation and role delegation
With some caveats..
Access control in Xen
Xen Security Modules (XSM)
– Disabled by default.
– Only usable starting with 4.3
In the guest kernel!
– if (!xen_initial_domain())
return -EPERM;
– We patched that in Linux 3.8
In XenStore (ignore for now)
– Domain meta info is only a plus
Access control in Xen
Security is no longer part of the TCB
Can be 1:1, 1:many or many:many
Designed for multi-tenant cloud deployments
Security doesn't mean the same thing for everyone
Interpretation
Interpreting the guest virtual hardware
– Memory– VCPU
Memory interpretation:
– Paging, paging, paging
OS interpretation:
– Debug symbols!
LibVMI + Rekall
LibVMI
– Xen and KVM support– Paging support for
● x86, x86+PAE, x86_64 & ARM– OS support
● Windows, Linux
Rekall
– Generates nice debug profiles– ..and lots of other fancy stuff
Finding Windows
Volatility: brute-force search
● “KDBG” scan● Easily hidden + lots of false positives
LibVMI + Rekall: use hardware info!
● VCPU0 FS/GS register → KPCR● KPCR – relative offset = Windows!● It is binding, malware can't touch it
Understanding Windows
Volatility: use the in-memory KDBG struct.
– Can be tampered with
– Heavily encoded in Windows 8 64-bit
LibVMI + Rekall: use the pre-generated debug profiles!
– Works with Windows 8 64-bit as well
– Different attacker model
Interposition
Scanning VM memory gets you a lot
– Volatility's pooltag scans
But it's not bulletproof and introduces TOCTOU issues
Interposition: induce & trap VMEXITs
Forward to security domain
Interposition
Intel to the rescue:CPUID, GETSEC, INVD, XSETBV, INVEPT, INVVPID, VMCALL, VMCLEAR, VMLAUNCH, VMPTRLD, VMPTRST, VMRESUME, VMXOFF, VMXON
And optionally:
CLTS, HLT, IN, INS/INSB/INSW/INSD, OUT, INVLPG, INVPCID, LGDT, LIDT, LLDT, LTR, SGDT, SIDT, SLDT, STR, LMSW, MONITOR, MOV from CR3, MOV from CR8, MOV to CR0, MOV to CR3, MOV to CR4, MOV to CR8, MOV DR, MWAIT, INT3, INT0, MTF ….
See the full list in Intel SDM 3c 25.1.3
Interposition with LibVMI
● MOV-TO-CR0/3/4– New process being scheduled, CPU feature
enabled/disabled, TLB flush, etc.
● EPT violation– Trap R/W/X of any memory page in the guest
– Invisible to the guest
– Needs to be reset after hit
● Singlestepping– Intel Monitor Trap Flag (MTF)
● Debug events (INT3)
Demo time!
http://goo.gl/XMSJ7y
DKOM no more!
It's still on the heap!
Demo time!
http://goo.gl/XMSJ7y
DRAKVUF
“Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System” - ACSAC 2014
http://drakvuf.com
Anyone gets the name reference?
Conclusion
● Cloud security requires new tools and new approaches
● VMI is rapidly maturing to fill the gap
● Dealing with rootkits is easier externally
● Tools are open-source (GPL/LGPL)
● Patches are welcome ;)
What's ahead
VMI gets you a lot.. but there are blind-spots
– Virt-DMA, emulation..● Who watches the watcher?
– SMM/AMT based VMM integrity check● Xen on ARM
– “Cloud” security for your phone/car!
Shout-out
Cheers to the Zentific crew
– Steve, Matt & Russ
To the Volatility crew
– MHL, Andrew, Gleeda & Moyix
To the Rekall crew
– Scudette
To Mudge
– Thanks for the CFT!
Thanks!