
Web Canary
-- client honeypot
UTSA
Architecture of Web canary.

Implementation of Web canary.
- Test-bed -- Dell Precision 690 workstation with dual-core 3.0 GHz CPU, 8 GB memory
- VM -- 256 MB memory, 8 GB disk space
- Host OS -- Windows XP x64 SP2
- Guest OS -- Windows XP SP2
- VM -- VMware Workstation
- Browser -- IE 6.0 SP2
Guest OS
Guest OS -- runs inside VMware Workstation, which provides isolation and
easy reverting.
PS -- Persistent Storage (PS), a folder shared between the guest OS and
the host OS. Inside the guest OS, only the BHO and the Capture Client are
allowed to write to this folder.
Snapshot -- the pristine state of the guest, taken with the VMware
Workstation snapshot feature; the VM is reverted to it whenever
unauthorized changes are detected.
Design of Capture client(1)
Capture Client: monitors file, process and registry changes in the
Windows OS at the kernel level. It supports exclusion lists to filter out
the changes that occur during normal operation.
The Capture client consists of two components:
The kernel drivers operate in kernel space and use event-based
detection mechanisms to monitor the system's state changes.
The user space process receives the state changes from the
kernel drivers and filters the events based on the exclusion lists.
Design of Capture client(2)
Exclusion lists
Since some events occur during normal operation, exclusion lists
allow the client to ignore certain types of events. Any event that is not
excluded is treated as an unauthorized state change.
Kernel Drivers
The kernel drivers monitor the system by using the existing kernel
callback mechanism, which notifies registered drivers when a certain
event happens.
These callbacks invoke functions inside the kernel driver and pass the
actual event information so that it can be recorded.
Design of Capture client(3)
CmRegisterCallback (registry operations)
PsSetCreateProcessNotifyRoutine (process creation and exit)
FilterLoad, FltRegisterFilter (filtering file system I/O operations)
e.g. a driver calls CmRegisterCallback to register a
RegistryCallback routine.
The user space application passes a buffer it allocated into kernel
space; the kernel drivers copy the event information into that buffer so
the application can process it in user space.
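The user space half of the Capture client is where the exclusion lists are applied, and it is the part a defender tunes most often. The following is an added example, not code from Web canary or from the Capture client itself, of that filtering step written in C with POSIX regular expressions instead of Boost::regex. The event layout (process, action, object), the rule format, and the sample rules and events are all constructed for illustration. Rules are matched as anchored, case-insensitive full-string patterns, so a rule only excuses exactly the paths it names.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* A state-change event as the user space process receives it from the
 * kernel drivers: which process performed which action on which object.
 * Layout is an assumption for this example. */
struct event {
    const char *process;   /* image path of the acting process */
    const char *action;    /* "Write", "Create", "SetValue", ... */
    const char *object;    /* file path, registry key, or process image */
};

/* An exclusion rule: regular expressions for process and object plus an
 * exact action. Rule format is constructed for this example. */
struct rule {
    const char *process_re;
    const char *action;
    const char *object_re;
};

/* Full-string, case-insensitive match (Windows paths are case-insensitive).
 * Anchoring matters: an unanchored rule would excuse any path that merely
 * contains the excluded directory's name somewhere inside it. */
static int re_match_full(const char *pattern, const char *s)
{
    char anchored[512];
    regex_t re;
    int matched;

    if (snprintf(anchored, sizeof anchored, "^(%s)$", pattern) >= (int)sizeof anchored)
        return 0;                       /* pattern too long: never excuse */
    if (regcomp(&re, anchored, REG_EXTENDED | REG_NOSUB | REG_ICASE) != 0)
        return 0;                       /* malformed rule: never excuse */
    matched = regexec(&re, s, 0, NULL, 0) == 0;
    regfree(&re);
    return matched;
}

/* An event is excluded when some rule matches process, action and object. */
int is_excluded(const struct event *e, const struct rule *rules, size_t nrules)
{
    for (size_t i = 0; i < nrules; i++) {
        if (strcmp(rules[i].action, e->action) == 0 &&
            re_match_full(rules[i].process_re, e->process) &&
            re_match_full(rules[i].object_re, e->object))
            return 1;
    }
    return 0;
}

/* Copy pointers to the events that survive the exclusion list into out and
 * return how many there are. In Web canary these surviving (unauthorized)
 * events are what triggers auto-reversion of the VM. */
size_t filter_events(const struct event *in, size_t n,
                     const struct rule *rules, size_t nrules,
                     const struct event *out[])
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (!is_excluded(&in[i], rules, nrules))
            out[kept++] = &in[i];
    return kept;
}

/* Constructed sample rules: IE may write to its cache and its own HKCU keys. */
const struct rule sample_rules[] = {
    { "C:\\\\Program Files\\\\Internet Explorer\\\\iexplore\\.exe", "Write",
      "C:\\\\Documents and Settings\\\\.*\\\\Temporary Internet Files\\\\.*" },
    { "C:\\\\Program Files\\\\Internet Explorer\\\\iexplore\\.exe", "SetValue",
      "HKCU\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\.*" },
};

/* Constructed sample events: two normal ones, three that should be flagged. */
const struct event sample_events[] = {
    { "C:\\Program Files\\Internet Explorer\\iexplore.exe", "Write",
      "C:\\Documents and Settings\\user\\Local Settings\\Temporary Internet Files\\Content.IE5\\a.htm" },
    { "C:\\Program Files\\Internet Explorer\\iexplore.exe", "Write",
      "C:\\WINDOWS\\system32\\drivers\\evil.sys" },
    { "C:\\Program Files\\Internet Explorer\\iexplore.exe", "SetValue",
      "HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page" },
    { "C:\\WINDOWS\\system32\\cmd.exe", "Create",
      "C:\\WINDOWS\\system32\\svch0st.exe" },
    /* contains the cache directory's name but is not inside it */
    { "C:\\Program Files\\Internet Explorer\\iexplore.exe", "Write",
      "C:\\Documents and Settings\\user\\Temporary Internet Files_evil\\x.exe" },
};
#define NR (sizeof sample_rules / sizeof sample_rules[0])
#define NE (sizeof sample_events / sizeof sample_events[0])

int main(void)
{
    const struct event *out[NE];
    size_t n = filter_events(sample_events, NE, sample_rules, NR, out);
    printf("%zu unauthorized event(s):\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  %s | %s | %s\n", out[i]->process, out[i]->action, out[i]->object);
    return 0;
}
```

The two failure modes the code guards against are the ones that make exclusion lists a rootkit's friend: an unanchored or over-broad pattern (a rule for the IE cache silently excusing a driver drop), and a malformed rule that compiles to nothing and is treated as matching everything. Both are handled by refusing to excuse anything when the pattern cannot be compiled or anchored.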
BHO
BHO -- a Browser Helper Object (BHO) that captures all the
URLs visited by IE. It then writes the URLs to a log in the PS
(Persistent Storage).
They create a browser add-on to capture the URL requests made by the
browser.
Canary Server
Canary Server -- shows the health state of the guest OS and can
start, stop or revert the VM. It sends the detected malicious URLs to a
remote central server, with the user's permission.
It controls the VMware servers using the VMware C API.
(Runs on the host OS.)
Auto-reversion -- the VM is automatically reverted to its pristine
snapshot upon detection of unauthorized events.
Analysis Engine
Analysis Engine -- reads the log files of the BHO and the Capture
Client and correlates system changes with URLs according to the rule.
(Runs on the host OS.)
Rules -- upon receiving system change events and visited URLs,
correlate them by time interval: an unauthorized change is attributed
to the URL(s) visited shortly before it.
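As an added example (not the paper's analysis engine), the following C code carries out the time-interval rule over constructed sample logs: each unauthorized change is attributed to every URL visited within `window` seconds before it. It also makes visible the weakness raised on the Questions slide: when more than one URL falls inside the window, the attribution is ambiguous, so the code flags every candidate rather than blaming the most recent one. The timestamps, URLs and change descriptions are constructed; the log layout is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* A URL visit logged by the BHO (time in seconds; layout assumed). */
struct visit { long t; const char *url; };

/* An unauthorized state change that survived the Capture client's
 * exclusion lists (time in seconds; layout assumed). */
struct change { long t; const char *desc; };

/* Per-URL result: how many changes were attributed to it, and whether any
 * of those attributions was shared with another URL in the same window. */
struct verdict { int events; int ambiguous; };

/* Time-interval rule: a change at time tc is attributed to every URL whose
 * visit time tv satisfies tc - window <= tv <= tc. Exactly one candidate
 * gives a clean attribution; several candidates are all flagged ambiguous;
 * none leaves the change unattributed. Returns the number of unattributed
 * changes. out[] must hold nv entries and is zeroed here. */
size_t correlate(const struct visit *visits, size_t nv,
                 const struct change *changes, size_t nc,
                 long window, struct verdict *out)
{
    size_t unattributed = 0;
    memset(out, 0, nv * sizeof *out);

    for (size_t i = 0; i < nc; i++) {
        size_t candidates[64];
        size_t n = 0;
        for (size_t j = 0; j < nv && n < 64; j++) {
            long age = changes[i].t - visits[j].t;
            if (age >= 0 && age <= window)
                candidates[n++] = j;
        }
        if (n == 0) {
            unattributed++;     /* no URL close enough: cannot blame anyone */
            continue;
        }
        for (size_t k = 0; k < n; k++) {
            out[candidates[k]].events++;
            if (n > 1)
                out[candidates[k]].ambiguous = 1;
        }
    }
    return unattributed;
}

/* Constructed sample logs. */
const struct visit sample_visits[] = {
    {  0, "http://example.com/a" },
    { 10, "http://example.com/b" },
    { 40, "http://example.com/c" },
};
const struct change sample_changes[] = {
    {   3, "Write C:\\WINDOWS\\system32\\drivers\\x.sys" },
    {  12, "SetValue HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater" },
    {  41, "Create C:\\WINDOWS\\Temp\\svch0st.exe" },
    { 100, "Write C:\\WINDOWS\\system32\\y.dll" },
};
#define NV (sizeof sample_visits / sizeof sample_visits[0])
#define NC (sizeof sample_changes / sizeof sample_changes[0])

int main(void)
{
    struct verdict v[NV];
    long windows[] = { 5, 15 };
    for (size_t w = 0; w < 2; w++) {
        size_t left = correlate(sample_visits, NV, sample_changes, NC, windows[w], v);
        printf("window=%lds: %zu unattributed change(s)\n", windows[w], left);
        for (size_t j = 0; j < NV; j++)
            printf("  %-22s events=%d%s\n", sample_visits[j].url, v[j].events,
                   v[j].ambiguous ? " (ambiguous: shares a window with another URL)" : "");
    }
    return 0;
}
```

With a 5 second window every change maps to a single URL; widening it to 15 seconds makes the change at t=12 fall within range of both /a and /b, and both are flagged. A reporting client should only forward URLs with clean attributions to the central server, otherwise the ambiguity is exactly what lets benign pages be reported as malicious.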
Conclusion
The paper presents a system that leverages a large, distributed network of
users who, simply by using a standard Web browser, silently collaborate to
detect and report malicious Web pages.
The advantages of this method are that it obtains meaningful URLs from
real users and can easily visit Web pages that require CAPTCHAs or
passwords, which automated crawlers cannot.
Appendix 1
Windows Driver Kit: Kernel-Mode Driver Architecture
PsSetCreateProcessNotifyRoutine
adds a driver-supplied callback routine to, or removes it from, a list of routines to be
called whenever a process is created or deleted.
CmRegisterCallback
The CmRegisterCallback routine registers a RegistryCallback routine.
Appendix 2
Windows Driver Kit: Installable File System Drivers
FltRegisterFilter
FltRegisterFilter registers a minifilter driver.
FilterLoad
The FilterLoad function dynamically loads a minifilter driver into the system.
Appendix 3
Boost::regex library
Used to express the filter rules (exclusion lists) as regular expressions.
Questions
1. Correlating a URL with malicious Web pages purely by time interval does
not always seem right; several URLs may have been visited within the interval.
2. Asking users to run the browser inside a VM does not seem very practical
for wide distribution.
3. The idea of real distributed users is good, but how is the server that
collects the users' information protected? The server is the most
vulnerable unit in the whole system. And if an attacker uses the client to
send a lot of benign URLs to the server reported as malicious, how can they
be distinguished?
Thank you!