SubVirt: Implementing malware with virtual machines


Seminar of “Virtual Machines” course
By: F. Zahmatkesh
University of Science and Technology of Mazandaran, Babol
December 24, 2009
Preview

Malware
 Short for malicious software
 Software that acts on a computer system
 without the knowledge of the user
 A general term
Implementing malware with virtual machines
2/29
Preview(cont’d)

Control
 The major goal of malware is to monitor, intercept and modify the states and actions of other software.
 Control allows malware to remain invisible by lying to, or disabling, intrusion detection software.
Preview(cont’d)

Rootkit
 A kind of malware
 A software system designed to obscure the fact that the system has been compromised
 Tools used to hide malicious activities
 Types:
1. Hardware/Firmware level
2. Hypervisor level
3. Boot loader level
4. Kernel level
5. Library level
6. Application level
Agenda

Attackers and defenders strive for control
 Attackers monitor and perturb execution
 Avoid defenders
 Defenders detect and remove attacker
 Control by lower layers
 Both migrated to low-level OS code
[Figure: attackers and defenders sit at the application layer (App1, App2), above the operating system and the hardware]
 Hope to help defenders
Outline
 Virtual machine advantages
 SubVirt project
Attacker's perspective:
 VMBRs, a new class of threat
 Installing a VMBR
 Maintaining control
 Malicious services
 Proof-of-concept VMBRs
 Example malicious services
 Defending against this threat
 Trends toward virtualization
 Related work
 Conclusion

Virtual Machines
Multiplexing HW
 Powerful platform to add service

o Debug OS
o Migrate live machine
o Detect/prevent intrusion
o Attest for code integrity

A problem
o Non-visible states/events of guest
 VMI (virtual-machine introspection) is the solution.
BUT…
 Despite all of its advantages, virtual-machine technology can also provide a powerful platform to build malware.
Virtual-Machine Based Rootkits (VMBRs)
[Figure: before infection, App1 and App2 run on the target OS, which runs directly on the hardware; after infection, the target OS runs inside a virtual machine on the VMM, with the attack system as a second VM beside it]
Virtual-Machine Based Rootkits (VMBRs)
(cont’d)

 Hypervisor level rootkit
 Classic VM architecture: VMM runs beneath the OS
o Effectively a new processor privilege level
o Fundamentally more control
 Target system moved into a virtual machine
 Little to no difference
 Malware runs in the VMM or in the attack system (2nd VM)
Virtual-Machine Based Rootkits (VMBRs)
(cont’d)


 Isolation
 Visible states or events of target system
o Easy to modify
 No visible states or events of VMBR
 Easy to develop malicious services
 Run in a separate, general-purpose OS
 Invisible to detection software in target
 Uses VMI
 Hard to detect and remove
Installing VMBR

Attacker => kernel privilege
 Traditional remote exploit
 Fool user to install malware
 Bribe OEM or vendor

VMBR's state on persistent storage.

VMBR modifies the system boot sequence.
 Master boot record
 Final stages of shutdown
 Few processes running
 Efforts to prevent notification of activity
Installing VMBR(cont’d)

The boot sequence:
BIOS → master boot record → boot sector → OS
Installing VMBR(cont’d)

Modify the boot sequence:
BIOS → VMBR loads → master boot record → boot sector → OS
Maintaining control



 To avoid being removed, the VMBR must protect its state
 Only time the VMBR loses control:
 Period of time after the system powers up until the VMBR starts
 System BIOS
[Figure: boot sequence with the VMBR loading between the BIOS and the master boot record, ahead of the boot sector and the OS]
Maintaining control(cont’d)

 Loses control when the system is powered off
 Reboots
○ Restarting the virtual hardware
 Shutdowns
○ The system appears to shut down
 ACPI sleep states
○ Switch hardware into a low-power mode: spin down hard disks, turn off fans, place monitor into a power-saving mode
Malicious services
 Use a separate attack OS to implement
 Run invisible malicious services
 Traditional malware with no fear of detection
[Figure: the attack OS (App) and the target OS (App1, App2) run as two virtual machines on the VMM above the hardware]
Malicious services(cont’d)

Malicious services fall into three categories:
1. Zero interaction malicious services
○ E.g., phishing web server
2. Passive monitoring
○ E.g., keystroke logger, network packets
3. Active execution modifications
○ E.g., delete e-mail, modify network communication
VMBR supports all of the above
 All easy to implement
Evaluate:Proof-of-concept VMBRs
Metric                                        VMware-based VMBR   Virtual PC-based VMBR
                                              (Linux target)      (Win XP target)
Disk space (VMM + attack OS)                  228 MB              251 MB
Memory space                                  3%                  3%
Install time (seconds)                        24                  262
Target boot w/o VMBR (seconds)                53                  23
Target boot after emulated reboot (seconds)   74                  54
Target boot after emulated shutdown (seconds) 96                  N/A
Host boot after power-off (seconds)           52                  45
Host boot + target boot after power-off (s)   145                 101

Experimental setup: All experiments for the VMware-based VMBR run on a Dell Optiplex workstation with a 2.8 GHz Pentium 4 and 1 GB of RAM. All experiments for the Virtual PC-based VMBR run on a Compaq Deskpro EN with a 1 GHz Pentium 4 and 256 MB of RAM. Our VMware-based VMBR compromises a RedHat Enterprise Linux 4 target system, and our Virtual PC-based VMBR compromises a Windows XP target system.
Example Malicious Services
Using proof-of-concept VMBRs, we implemented four malicious services:
1. Phishing web server
2. Keystroke logger
3. File system scanner
4. Countermeasure to detection tool
Defending against VMBRs
Detecting VMBR’s presence
 Hard to detect

 virtualizes state seen by target
 Ideal VMBR modifies no state inside target

Does leave signs
 Intrusion detection system can observe

Where to run detection software
o Below VMBR
o Above VMBR
Security software below

 More control, direct access to resources
 Could observe/detect states or events
 Ways to gain control below:
1. Secure hardware
• E.g., Intel's LaGrande
• E.g., AMD's platform for trustworthy computing
• E.g., Copilot; all propose hardware
Security software below(cont’d)
2. Secure VMM
• VMBR between VMM and target OS
• Stops VMBR from modifying the boot sequence above the secure VMM
3. Secure boot
• Ensures integrity of the boot sequence
4. Boot from safe medium
• CD-ROM, USB drive or network boot server
• VMBR can avoid it!
• Unplug machine from wall
• E.g., Strider GhostBuster
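Booting from a safe medium lets a defender read the disk without the VMBR in the loop. The following Python is an added example, not code from the SubVirt project or this talk: it parses a master boot record and compares its boot code against a baseline hash recorded while the system was known to be clean. The MBRs, the partition entries and the baseline are constructed inline for the example.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440       # classic MBR: boot code occupies bytes 0..439
PART_TABLE_OFF = 446      # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into boot code, partition entries and signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # entry: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba, n = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype:  # type 0 marks an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": n})
    return {"boot_code": mbr[:BOOT_CODE_LEN], "partitions": parts,
            "signature_ok": mbr[510:512] == BOOT_SIGNATURE}

def audit_mbr(mbr: bytes, baseline_sha256: str) -> list:
    """Compare the boot code with the clean baseline; empty list means no findings."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if hashlib.sha256(info["boot_code"]).hexdigest() != baseline_sha256:
        findings.append("boot code differs from baseline (possible VMBR loader)")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected exactly 1")
    return findings

def make_mbr(boot_code: bytes, entries: list) -> bytes:
    """Build a constructed MBR (sample data for this example, not a real disk)."""
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    for i, e in enumerate(entries):  # e = (status, type, lba_start, sectors)
        struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i, *e)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)

# Constructed samples: a clean MBR whose baseline hash was recorded while clean,
# and one whose boot code was replaced so the BIOS would load a VMBR before the OS.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 432
CLEAN_MBR = make_mbr(CLEAN_BOOT_CODE, [(0x80, 0x83, 2048, 1048576)])
BASELINE_SHA256 = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()
INFECTED_MBR = make_mbr(b"\xeb\x3c" + b"\x00" * 438, [(0x80, 0x83, 2048, 1048576)])
```

The comparison only tells a defender something when it is run from a separately booted medium, since a running VMBR can virtualize what the target OS reads from disk.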
Security software above
 Traditional techniques aren't able to detect VMBR.
 Attack state not visible
 Can only detect side effects
 VMBR perturbations (side effects) include:
1. Increase in CPU overhead
○ Timing differences
Security software above(cont’d)
2. Use of memory and disk space
○ Run a program that requires the entire machine's memory/disk space
3. Not virtualizing all I/O devices
○ Direct access to non-virtualized devices
• Drivers access physical memory
4. Leak of VMM's information by sensitive, non-privileged instructions
○ Execute them at a lower processor privilege level (rings 1 - 3)
Trends toward virtualization

 Towards hardware virtualization support
 Intel and AMD
 More practical VMBRs
○ Reduce the amount of state needed to support VMBRs
○ Reduce the amount of time needed to boot VMBRs
○ Allow hardware devices to perform at full capacity
 Towards widespread VMM use
 Helps defenders detect/prevent VMBRs
 Secure VMM
Related work
1. Layer below attacks
 Kernel layer rootkits
2. Projects using VMMs for security
 Trusted VMMs: Terra, NGSCB
 Detect intrusions: VMI, IntroVirt
 Isolation: NSA's NetTop
 Analyze intrusions: ReVirt
3. Projects detecting the presence of a VMM
 Pioneer
Conclusion

VMBR
 Qualitatively more control
 Still easy to implement services
 HW enhancements might make it more effective
 Defending is possible by controlling low layers
 When compared to traditional malware:
○ More state
○ More difficult to install
○ Reboot needed to run
○ More of an impact
Reference

S. T. King, P. M. Chen, Y.-M. Wang, C. Verbowski, H. J. Wang, J. R. Lorch, "SubVirt: Implementing Malware with Virtual Machines", in Proceedings of the IEEE Symposium on Security and Privacy, May 2006.

Thanks for paying attention.