hacktivity2014: virtual machine introspection to detect and protect
TRANSCRIPT
![Page 1: Hacktivity2014: Virtual Machine Introspection to Detect and Protect](https://reader034.vdocuments.net/reader034/viewer/2022052508/55a103371a28abec078b465b/html5/thumbnails/1.jpg)
Virtual Machine Introspection to Detect and ProtectTamas K. [email protected]@zentific.comhttps://github.com/tklengyel
![Page 2: Hacktivity2014: Virtual Machine Introspection to Detect and Protect](https://reader034.vdocuments.net/reader034/viewer/2022052508/55a103371a28abec078b465b/html5/thumbnails/2.jpg)
Agenda
1. Motivation & Cloud security
2. Xen
3. Virtual Machine Introspection
I. Isolation
II. Interpretation
III. Interposition
4. Demo
5. Public release of new tools
![Page 3: Hacktivity2014: Virtual Machine Introspection to Detect and Protect](https://reader034.vdocuments.net/reader034/viewer/2022052508/55a103371a28abec078b465b/html5/thumbnails/3.jpg)
Motivation
This is my PhD topic
● Malware collection & analysis
DARPA Cyber Fast Track
● Cloud IDS/IPS prototype
Up-and-coming field
![Page 4: Hacktivity2014: Virtual Machine Introspection to Detect and Protect](https://reader034.vdocuments.net/reader034/viewer/2022052508/55a103371a28abec078b465b/html5/thumbnails/4.jpg)
Cloud Security?
● Virtualization is a magic box of invulnerability
● Why bother if Cloud instances are short-lived and easily wiped?
● Isn't worth the cost of overhead
● It's not going to happen to me
● I'll just use my existing tools and be fine
Wrong!
![Page 5: Hacktivity2014: Virtual Machine Introspection to Detect and Protect](https://reader034.vdocuments.net/reader034/viewer/2022052508/55a103371a28abec078b465b/html5/thumbnails/5.jpg)
Cloud Security
● In-guest AV / HIDS
✗ No isolation● Network IDS
✗ Limited or no context● Scan VM disk and memory
✗ No interposition
Better than nothing
![Page 6: Hacktivity2014: Virtual Machine Introspection to Detect and Protect](https://reader034.vdocuments.net/reader034/viewer/2022052508/55a103371a28abec078b465b/html5/thumbnails/6.jpg)
Cloud Security!
● Move protection out from the VM
✔ Hypervisor based isolation● Full view of the VM state
✔ Interpret virtual hardware to see processes, users, connections, files..
● Actively monitor & control
✔ Interposition
![Page 7: Hacktivity2014: Virtual Machine Introspection to Detect and Protect](https://reader034.vdocuments.net/reader034/viewer/2022052508/55a103371a28abec078b465b/html5/thumbnails/7.jpg)
Xen
Bare-metal VMM
Runs in VMX root
Minimal interface
Everything else is a domain, with one being special (dom0)
![Page 8: Hacktivity2014: Virtual Machine Introspection to Detect and Protect](https://reader034.vdocuments.net/reader034/viewer/2022052508/55a103371a28abec078b465b/html5/thumbnails/8.jpg)
Isolation
We could move the security stack to dom0..
.. or move it into its own domain!
Xen allows for advanced disaggregation and role delegation
With some caveats..
![Page 9: Hacktivity2014: Virtual Machine Introspection to Detect and Protect](https://reader034.vdocuments.net/reader034/viewer/2022052508/55a103371a28abec078b465b/html5/thumbnails/9.jpg)
Access control in Xen
Xen Security Modules (XSM)
– Disabled by default.
– Only usable starting with 4.3
In the guest kernel!
– if (!xen_initial_domain())
return -EPERM;
– We patched that in Linux 3.8
In XenStore (ignore for now)
– Domain meta info is only a plus
![Page 10: Hacktivity2014: Virtual Machine Introspection to Detect and Protect](https://reader034.vdocuments.net/reader034/viewer/2022052508/55a103371a28abec078b465b/html5/thumbnails/10.jpg)
Access control in Xen
Security is no longer part of the TCB
Can be 1:1, 1:many or many:many
Designed for multi-tenant cloud deployments
Security doesn't mean the same thing for everyone
![Page 11: Hacktivity2014: Virtual Machine Introspection to Detect and Protect](https://reader034.vdocuments.net/reader034/viewer/2022052508/55a103371a28abec078b465b/html5/thumbnails/11.jpg)
Interpretation
Interpreting the guest virtual hardware
– Memory– VCPU
Memory interpretation:
– Paging, paging, paging
OS interpretation:
– Debug symbols!
![Page 12: Hacktivity2014: Virtual Machine Introspection to Detect and Protect](https://reader034.vdocuments.net/reader034/viewer/2022052508/55a103371a28abec078b465b/html5/thumbnails/12.jpg)
LibVMI + Rekall
LibVMI
– Xen and KVM support– Paging support for
● x86, x86+PAE, x86_64 & ARM– OS support
● Windows, Linux
Rekall
– Generates nice debug profiles– ..and lots of other fancy stuff
![Page 13: Hacktivity2014: Virtual Machine Introspection to Detect and Protect](https://reader034.vdocuments.net/reader034/viewer/2022052508/55a103371a28abec078b465b/html5/thumbnails/13.jpg)
Finding Windows
Volatility: brute-force search
● “KDBG” scan● Easily hidden + lots of false positives
LibVMI + Rekall: use hardware info!
● VCPU0 FS/GS register → KPCR● KPCR – relative offset = Windows!● It is binding, malware can't touch it
![Page 14: Hacktivity2014: Virtual Machine Introspection to Detect and Protect](https://reader034.vdocuments.net/reader034/viewer/2022052508/55a103371a28abec078b465b/html5/thumbnails/14.jpg)
Understanding Windows
Volatility: use the in-memory KDBG struct.
– Can be tampered with
– Heavily encoded in Windows 8 64-bit
LibVMI + Rekall: use the pre-generated debug profiles!
– Works with Windows 8 64-bit as well
– Different attacker model
![Page 15: Hacktivity2014: Virtual Machine Introspection to Detect and Protect](https://reader034.vdocuments.net/reader034/viewer/2022052508/55a103371a28abec078b465b/html5/thumbnails/15.jpg)
Interposition
Scanning VM memory gets you a lot
– Volatility's pooltag scans
But it's not bulletproof and introduces TOCTOU issues
Interposition: induce & trap VMEXITs
Forward to security domain
![Page 16: Hacktivity2014: Virtual Machine Introspection to Detect and Protect](https://reader034.vdocuments.net/reader034/viewer/2022052508/55a103371a28abec078b465b/html5/thumbnails/16.jpg)
Interposition
Intel to the rescue:CPUID, GETSEC, INVD, XSETBV, INVEPT, INVVPID, VMCALL, VMCLEAR, VMLAUNCH, VMPTRLD, VMPTRST, VMRESUME, VMXOFF, VMXON
And optionally:
CLTS, HLT, IN, INS/INSB/INSW/INSD, OUT, INVLPG, INVPCID, LGDT, LIDT, LLDT, LTR, SGDT, SIDT, SLDT, STR, LMSW, MONITOR, MOV from CR3, MOV from CR8, MOV to CR0, MOV to CR3, MOV to CR4, MOV to CR8, MOV DR, MWAIT, INT3, INT0, MTF ….
See the full list in Intel SDM 3c 25.1.3
![Page 17: Hacktivity2014: Virtual Machine Introspection to Detect and Protect](https://reader034.vdocuments.net/reader034/viewer/2022052508/55a103371a28abec078b465b/html5/thumbnails/17.jpg)
Interposition with LibVMI
● MOV-TO-CR0/3/4– New process being scheduled, CPU feature
enabled/disabled, TLB flush, etc.
● EPT violation– Trap R/W/X of any memory page in the guest
– Invisible to the guest
– Needs to be reset after hit
● Singlestepping– Intel Monitor Trap Flag (MTF)
● Debug events (INT3)
![Page 18: Hacktivity2014: Virtual Machine Introspection to Detect and Protect](https://reader034.vdocuments.net/reader034/viewer/2022052508/55a103371a28abec078b465b/html5/thumbnails/18.jpg)
Demo time!
http://goo.gl/XMSJ7y
![Page 19: Hacktivity2014: Virtual Machine Introspection to Detect and Protect](https://reader034.vdocuments.net/reader034/viewer/2022052508/55a103371a28abec078b465b/html5/thumbnails/19.jpg)
DKOM no more!
It's still on the heap!
![Page 20: Hacktivity2014: Virtual Machine Introspection to Detect and Protect](https://reader034.vdocuments.net/reader034/viewer/2022052508/55a103371a28abec078b465b/html5/thumbnails/20.jpg)
Demo time!
http://goo.gl/XMSJ7y
![Page 21: Hacktivity2014: Virtual Machine Introspection to Detect and Protect](https://reader034.vdocuments.net/reader034/viewer/2022052508/55a103371a28abec078b465b/html5/thumbnails/21.jpg)
DRAKVUF
“Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System” - ACSAC 2014
http://drakvuf.com
Anyone gets the name reference?
![Page 22: Hacktivity2014: Virtual Machine Introspection to Detect and Protect](https://reader034.vdocuments.net/reader034/viewer/2022052508/55a103371a28abec078b465b/html5/thumbnails/22.jpg)
Conclusion
● Cloud security requires new tools and new approaches
● VMI is rapidly maturing to fill the gap
● Dealing with rootkits is easier externally
● Tools are open-source (GPL/LGPL)
● Patches are welcome ;)
![Page 23: Hacktivity2014: Virtual Machine Introspection to Detect and Protect](https://reader034.vdocuments.net/reader034/viewer/2022052508/55a103371a28abec078b465b/html5/thumbnails/23.jpg)
What's ahead
VMI gets you a lot.. but there are blind-spots
– Virt-DMA, emulation..● Who watches the watcher?
– SMM/AMT based VMM integrity check● Xen on ARM
– “Cloud” security for your phone/car!
![Page 24: Hacktivity2014: Virtual Machine Introspection to Detect and Protect](https://reader034.vdocuments.net/reader034/viewer/2022052508/55a103371a28abec078b465b/html5/thumbnails/24.jpg)
Shout-out
Cheers to the Zentific crew
– Steve, Matt & Russ
To the Volatility crew
– MHL, Andrew, Gleeda & Moyix
To the Rekall crew
– Scudette
To Mudge
– Thanks for the CFT!
![Page 25: Hacktivity2014: Virtual Machine Introspection to Detect and Protect](https://reader034.vdocuments.net/reader034/viewer/2022052508/55a103371a28abec078b465b/html5/thumbnails/25.jpg)
Thanks!