Posted: 13-Jul-2015
Category: Technology
Uploaded by: francesco-gadaleta
HyperForce: Hypervisor-enForced Execution of Security-Critical Code
Francesco Gadaleta, Nick Nikiforakis, J.T. Muehlberg, Wouter Joosen
Katholieke Universiteit Leuven, Belgium
A 2010 report by McAfee revealed that the cost to corporations of work time lost due to virus attacks was $6.3m/day
Employee salary: $3000
Employee salary/day: $100
Num. of employees wasting work time: 63000
A Fox News report in 2009 estimated that $86b is lost worldwide annually.
The 2007 Malware Report by Computer Economics on the annual worldwide economic damage caused by malicious code attacks on organizations put the costs at $13.3 billion.
Phase 1: collecting addresses of data structures to protect
[Figure: trusted module in the guest kernel, hypervisor; guest memory space vs. hypervisor memory space; caption "WE SAID hello ROOTKITty"]
Guest-side list (phys addr, size, flags):
  0xC1234567  128  11111111
  0xC3214567  128  11111111
  0xC421456A   64  11111111
  0xC521456C    4  11111111
Hypervisor-side table (phys addr, size, hash):
  0xC1234567  128  abcd
  0xC3214567  128  abde
  0xC421456A   64  1234
  0xC521456C    4  4321
Phase 2: check integrity within the hypervisor mem. space
[Figure: same diagram and hypervisor-side hash table as in Phase 1 (phys addr, size, hash), now consulted from the hypervisor memory space; caption "WE SAID hello ROOTKITty"]
Phase 3: repair compromised objects (*)
[Figure: same diagram; caption "WE SAID hello ROOTKITty"]
(*) if original content has been provided
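The three phases above, as an added worked example in C that is not part of the slides or of the HyperForce/HelloRootkitty code: a flat buffer stands in for guest physical memory, a hypervisor-side table records (phys addr, size, hash) per protected object, Phase 2 re-hashes every object and compares against the stored reference, and Phase 3 restores only the objects whose original content was saved when they were registered, which is the "(*)" caveat on the slide. The buffer, the object addresses (0x100, 0x200), the FNV-1a hash, the sample object contents and the hf_* function names are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for guest physical memory: a flat 4 KiB buffer.
 * In a real hypervisor this would be a mapping of guest-physical pages. */
#define GUEST_MEM_SIZE 4096
static uint8_t guest_mem[GUEST_MEM_SIZE];

#define MAX_OBJS 16

/* One row of the hypervisor-side table: guest physical address, size,
 * reference hash and (optionally) a saved copy of the original content
 * that Phase 3 can restore from. Lives in hypervisor memory space only. */
struct protected_obj {
    uint64_t phys_addr;
    uint32_t size;
    uint64_t hash;
    uint8_t  original[256];   /* valid only if has_original != 0 */
    int      has_original;
};

static struct protected_obj table[MAX_OBJS];
static size_t table_len;

/* FNV-1a 64-bit, chosen only as a compact stand-in: the slides do not say
 * which hash the real system uses (their table shows "abcd" etc.). */
static uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Resolve a guest physical address to a host pointer; NULL if out of range.
 * Simulates the guest-memory mapping the slides call "not cheap". */
static uint8_t *guest_ptr(uint64_t phys, uint32_t size) {
    if (phys >= GUEST_MEM_SIZE || size > GUEST_MEM_SIZE - phys) return NULL;
    return guest_mem + phys;
}

/* Phase 1: the trusted module hands the hypervisor (addr, size) of an object
 * to protect; the hypervisor hashes the current content and stores the row
 * out of the guest's reach. Returns the table index, or -1 on failure. */
int hf_register(uint64_t phys, uint32_t size, int keep_original) {
    uint8_t *p = guest_ptr(phys, size);
    if (!p || table_len >= MAX_OBJS || size > sizeof table[0].original) return -1;
    struct protected_obj *o = &table[table_len];
    o->phys_addr = phys;
    o->size = size;
    o->hash = fnv1a64(p, size);
    o->has_original = keep_original;
    if (keep_original) memcpy(o->original, p, size);
    return (int)table_len++;
}

/* Phase 2: re-hash every registered object and compare with the stored
 * reference. Marks each row in `compromised` and returns how many failed. */
int hf_check(int *compromised) {
    int bad = 0;
    for (size_t i = 0; i < table_len; i++) {
        const struct protected_obj *o = &table[i];
        const uint8_t *p = guest_ptr(o->phys_addr, o->size);
        compromised[i] = (p == NULL) || fnv1a64(p, o->size) != o->hash;
        bad += compromised[i];
    }
    return bad;
}

/* Phase 3: restore each compromised object whose original content was
 * provided at registration; objects without one are only reported. */
int hf_repair(const int *compromised) {
    int fixed = 0;
    for (size_t i = 0; i < table_len; i++) {
        struct protected_obj *o = &table[i];
        if (!compromised[i] || !o->has_original) continue;
        uint8_t *p = guest_ptr(o->phys_addr, o->size);
        if (!p) continue;
        memcpy(p, o->original, o->size);
        fixed++;
    }
    return fixed;
}

/* Reset table and fake guest memory so the scenario is repeatable. */
void hf_reset(void) {
    memset(guest_mem, 0, sizeof guest_mem);
    memset(table, 0, sizeof table);
    table_len = 0;
}

/* Full scenario: register two constructed objects (a "syscall table" at
 * 0x100 with its original kept, a "function pointer" at 0x200 without),
 * tamper with both, check, repair, check again. Returns
 * compromised_after_tamper*100 + repaired*10 + still_compromised. */
int hf_demo(void) {
    int flags[MAX_OBJS] = {0};
    hf_reset();
    memcpy(guest_mem + 0x100, "sys_read sys_write sys_open", 27);
    memcpy(guest_mem + 0x200, "\x10\x20\x30\x40", 4);
    hf_register(0x100, 27, 1);
    hf_register(0x200, 4, 0);
    guest_mem[0x100] = 'X';   /* simulated in-guest modification */
    guest_mem[0x200] = 0x99;
    int after_tamper = hf_check(flags);
    int repaired = hf_repair(flags);
    int remaining = hf_check(flags);
    return after_tamper * 100 + repaired * 10 + remaining;
}

int main(void) {
    printf("scenario result: %d (expect 211: 2 detected, 1 repaired, 1 left)\n", hf_demo());
    return 0;
}
```

The object registered without an original is detected on every check but never fixed, which is exactly the gap the slide's footnote points at: repair needs the original content to have been provided in Phase 1.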
Performance
Checks occur at specific moments
Problem must be relaxed (split huge lists of objects)
Guest introspection and mapping guest memory from the hypervisor are not cheap
In-hypervisor approach
[Figure: HARDWARE (VT-D) at the physical level, HYPERVISOR above it, guest kernel at the virtual level; the guest IDT points to the monitor (trusted) code]
hardware (virtual) device raises interrupt
guest kernel executes interrupt handler
interrupt handler is the monitoring code
Performance: hardware & software
CPU Intel Core 2 Duo Pro VT-D
RAM 4GB
Hypervisor Linux KVM-drv
Virtual machine QEMU-kvm
Performance: in-host speedup
[Chart: HelloRootkitty vs. Hello with HyperForce; in-host speedup for context switch 26%, mem. map 19%, page fault 7%, mem. lat 11%]
Performance: in-guest speedup
[Chart: HelloRootkitty vs. Hello with HyperForce; in-guest speedup for context switch 10%, fork syscall 8%, open/close syscall 10%, signal handling 51%]
Performance: detection time
[Chart: HelloRootkitty vs. Hello with HyperForce; detection of 1 over 15000 critical kernel objects (worst case)]
We presented a framework to enforce in-guest execution of critical code
Specifically related to mitigation of rootkits: HelloRootkitty protects with small performance impact
HelloRootkitty in HyperForce does it much faster
We will all be virtualized soon (don't worry, that's good!)
What now?
What's next?
Use the framework for other types of mitigation
Store something "smarter" in the protected memory area
. collecting guest system data
. no interference with malware
. isolation from corrupted system
Thank you.
Feel free to contact me!
[email protected] http://frag.gadaleta.org
@fragadaleta
tefsom
DISCLAIMER: I rarely tweet about computer security