Hyperforce: Hypervisor-enForced Execution of Security-Critical Code

Date post: 13-Jul-2015
Francesco Gadaleta, Nick Nikiforakis, J.T. Muehlberg, Wouter Joosen
Katholieke Universiteit Leuven, Belgium

Outline

what's the matter?
virtualization technology
our countermeasure
conclusion


Security is an issue

A 2010 report by McAfee revealed that the cost to corporations of work time lost due to virus attacks was $6.3m/day.

Employee salary: $3000
Employee salary/day: $100
Num. of employees wasting work time: 63000

A Fox News report in 2009 estimated that $86b is lost worldwide annually.

The 2007 Malware Report by Computer Economics on the annual worldwide economic damage caused by malicious code attacks on organizations showed that the costs were $13.3 billion.

DEMO TIME

Virtualization technology

Layering: hypervisor on top of hardware (VT-d)

Nice, but...

Hardware costs
Maintenance costs (sys admin, power consumption)
Performance costs

Rootkits: a problem

A rootkit is malicious, dangerous, insidious and stealthy, and its detection is hard.

We said HelloRootkitty

Phase 1: collecting addresses of data structures to protect

A trusted module in the guest kernel hands the hypervisor the list of objects to protect (physical address, size, flags):

phys addr    size   flags
0xC1234567   128    11111111
0xC3214567   128    11111111
0xC421456A    64    11111111
0xC521456C     4    11111111

We said HelloRootkitty

Phase 2: check integrity within the hypervisor memory space

The hypervisor keeps a hash of each object in its own memory space, separate from guest memory, and re-hashes the guest objects against it:

phys addr    size   hash
0xC1234567   128    abcd
0xC3214567   128    abde
0xC421456A    64    1234
0xC521456C     4    4321

We said HelloRootkitty

Phase 3: repair compromised objects (*)

The hypervisor writes the original content back into guest memory for every object whose hash no longer matches.

(*) if original content has been provided

Performance

Checks occur at specific moments
Problem must be relaxed (split huge lists of objects)
Guest introspection and mapping guest memory from the hypervisor is not cheap
In-hypervisor approach

HyperForce approach

Layering: hardware (VT-d, physical) -> hypervisor -> guest kernel, with the monitor (trusted) code executed inside the guest kernel rather than inside the hypervisor. The hypervisor exposes a virtual device to the guest:

hardware (virtual) device raises interrupt
guest kernel executes interrupt handler
interrupt handler is the monitoring code

The IDT entry for that interrupt points to the monitor (trusted) code, so the hypervisor forces the guest to run the check on its own memory whenever it raises the interrupt.
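The two mechanisms above, HelloRootkitty's three phases (collect, hash-check, repair) and HyperForce's execution of the monitor as an interrupt handler, as an added C example that is not code from the paper or from the authors' implementation. The guest-kernel objects, their pristine copies, the FNV-1a hash, the simulated IDT and the interrupt vector 0x31 are all constructed stand-ins; a real deployment hashes guest physical memory and installs an actual IDT entry for the virtual device.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ---- simulated guest kernel memory (constructed for this example) ---- */
static uint8_t sys_call_table[16];   /* stands in for a kernel dispatch table */
static uint8_t net_hooks[8];         /* stands in for a list of hook pointers */
static uint8_t flag_word[4];         /* small object with no pristine copy   */

/* pristine copies provided by the trusted module (phase 3 needs these) */
static uint8_t sys_call_table_orig[16];
static uint8_t net_hooks_orig[8];

/* ---- protection table: what the hypervisor keeps in its own memory ---- */
typedef struct {
    const char    *name;
    uint8_t       *addr;   /* real system: guest physical address */
    size_t         size;
    uint64_t       hash;   /* golden hash recorded in phase 1 */
    const uint8_t *orig;   /* NULL when no original content was provided */
} protected_obj;

static protected_obj prot_table[] = {
    { "sys_call_table", sys_call_table, sizeof sys_call_table, 0, sys_call_table_orig },
    { "net_hooks",      net_hooks,      sizeof net_hooks,      0, net_hooks_orig },
    { "flag_word",      flag_word,      sizeof flag_word,      0, NULL },
};
#define NOBJ (sizeof prot_table / sizeof prot_table[0])

/* FNV-1a 64-bit: a stand-in for whatever hash the real system uses */
static uint64_t fnv1a(const uint8_t *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Phase 1: populate the objects with known content and record golden hashes */
void phase1_collect(void) {
    for (size_t i = 0; i < sizeof sys_call_table; i++) sys_call_table[i] = (uint8_t)(0x10 + i);
    for (size_t i = 0; i < sizeof net_hooks; i++)      net_hooks[i]      = (uint8_t)(0xA0 + i);
    memcpy(flag_word, "OK!!", 4);
    memcpy(sys_call_table_orig, sys_call_table, sizeof sys_call_table);
    memcpy(net_hooks_orig, net_hooks, sizeof net_hooks);
    for (size_t i = 0; i < NOBJ; i++)
        prot_table[i].hash = fnv1a(prot_table[i].addr, prot_table[i].size);
}

/* Phase 2: re-hash every object; return the number of mismatches */
int phase2_check(void) {
    int bad = 0;
    for (size_t i = 0; i < NOBJ; i++)
        if (fnv1a(prot_table[i].addr, prot_table[i].size) != prot_table[i].hash) bad++;
    return bad;
}

/* Phase 3: restore objects for which a pristine copy exists; return count repaired */
int phase3_repair(void) {
    int fixed = 0;
    for (size_t i = 0; i < NOBJ; i++) {
        if (fnv1a(prot_table[i].addr, prot_table[i].size) == prot_table[i].hash) continue;
        if (prot_table[i].orig == NULL) continue;   /* cannot repair: no original content */
        memcpy(prot_table[i].addr, prot_table[i].orig, prot_table[i].size);
        fixed++;
    }
    return fixed;
}

/* ---- HyperForce-style dispatch: the monitor is an interrupt handler ---- */
typedef void (*isr_t)(void);
static isr_t idt[256];               /* simulated interrupt descriptor table */
#define MONITOR_VECTOR 0x31          /* hypothetical vector of the virtual device */
static int last_detected, last_repaired;

static void monitor_isr(void) {      /* the trusted monitoring code */
    last_detected = phase2_check();
    last_repaired = phase3_repair();
}

void install_monitor(void) { idt[MONITOR_VECTOR] = monitor_isr; }

/* the virtual device "raises" its interrupt and the guest runs the handler */
int raise_interrupt(int vector) {
    if (vector < 0 || vector > 255 || idt[vector] == NULL) return -1;
    idt[vector]();
    return 0;
}
int monitor_detected(void) { return last_detected; }
int monitor_repaired(void) { return last_repaired; }

/* simulated tampering with guest memory, so the demo has something to find */
void tamper(void) { sys_call_table[3] ^= 0xFF; flag_word[0] = 'X'; }

int main(void) {
    phase1_collect(); install_monitor(); tamper();
    raise_interrupt(MONITOR_VECTOR);
    printf("detected=%d repaired=%d still_bad=%d\n",
           monitor_detected(), monitor_repaired(), phase2_check());
    return 0;
}
```

The object without a pristine copy (`flag_word`) is detected but stays compromised, which is exactly the caveat marked (*) on the slide: repair needs the original content, and the hash table alone only supports detection.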

Performance: hardware & software

CPU: Intel Core 2 Duo Pro, VT-d
RAM: 4GB
Hypervisor: Linux KVM-drv
Virtual machine: QEMU-kvm

Performance: in-host speedup

[chart: HelloRootkitty vs. HelloRootkitty with HyperForce; speedups as they appear on the slide]

context switch   26%
mem. map         19%
page fault        7%
mem. lat         11%

Performance: in-guest speedup

[chart: HelloRootkitty vs. HelloRootkitty with HyperForce; speedups as they appear on the slide]

context switch       10%
fork syscall          8%
open/close syscall   10%
signal handling      51%

Performance: detection time

[chart: HelloRootkitty vs. HelloRootkitty with HyperForce]

Detection of 1 over 15000 critical kernel objects (worst case)

Is this working?

Conclusion

What now?

We will all be virtualized soon; don't worry, that's good!
We presented a framework to enforce in-guest execution of critical code
Specifically related to mitigation of rootkits: HelloRootkitty protects with small performance impact
HelloRootkitty in HyperForce does it much faster

What's next?

Use the framework for other types of mitigation
Store something "smarter" in the protected memory area:
. collecting guest system data
. no interference with malware
. isolation from corrupted system
