Multi-Aspect Profiling of Kernel Rootkit Behavior
1 Multi-Aspect Profiling of Kernel Rootkit Behavior
  Ryan Riley, Xuxian Jiang, Dongyan Xu (Purdue University, North Carolina State University)
  EuroSys 2009, Nürnberg, Germany
2 Rootkits
  Stealthy malware that hides the attacker
  Modifies the OS kernel in memory and injects new code
  Threat model: root privileges, full memory access
3 In the news
4-6 Rootkit techniques
  adore-ng: Linux 2.4/2.6, kernel module, adds custom functions
  hp: Linux 2.4, kernel module, modifies kernel objects
7 Profiling a rootkit?
  Goal: quickly reveal behavior; a tool for malware investigators in a honeypot environment
  This is hard: rootkits are highly privileged!
8 Profiling: determining behavior
  1. What code does it run?
  2. What kernel objects does it modify?
  3. How does it modify control flow?
  4. What system calls are affected at user level?
9 PoKeR: Architecture
  Virtual machine: user-level applications, guest kernel
  Virtual machine monitor: right-before detection, logging and context tracking, producing a log
  Kernel object interpretation (using kernel symbols and kernel object types) turns the log into a profile
10 PoKeR: Architecture (highlighting right-before detection and logging and context tracking)
11-19 Right before detection? (animation)
  The applications and guest OS run inside the VM; the NICKLE module in the VMM sits between the guest and two copies of guest memory, standard and shadow.
  Guest kernel instruction fetches are routed to the shadow memory; all other memory accesses go to the standard memory.
  Last frame: a memory access is compared against both the standard and the shadow memory.
20 What code does it run?
  Compare standard and shadow memories
  Extract code as you go
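The comparison step of slides 11-20, as an added example that is not code from the PoKeR paper, from NICKLE, or from the authors: a simulated VMM-side instruction-fetch hook in C. The guest kernel text base, the region size, the byte sequences and the rootkit's actions are all constructed for the example. In profiling mode the unauthenticated fetch is let through and its bytes are logged and extracted; the same check is the point at which NICKLE would instead divert the fetch.

```c
/* Added example; not code from PoKeR or NICKLE. A simulated VMM-side
 * instruction-fetch hook showing the "right-before detection" point:
 * the VMM keeps a shadow copy of the guest kernel's authenticated code
 * beside the standard guest memory, compares the two on every guest-kernel
 * instruction fetch, and (in profiling mode) lets unauthenticated code run
 * while logging and extracting its bytes. Addresses, sizes and byte
 * sequences are constructed for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KERNEL_BASE 0xC0100000u          /* assumed guest kernel text base */
#define KMEM_SIZE   64u                  /* toy size of the watched region */

static uint8_t standard_mem[KMEM_SIZE];  /* memory as the guest sees it */
static uint8_t shadow_mem[KMEM_SIZE];    /* VMM-private copy of authenticated code */
static uint8_t shadow_valid[KMEM_SIZE];  /* 1 where shadow_mem holds authenticated code */

struct fetch_rec { uint32_t addr; uint8_t byte; int unauth; };
static struct fetch_rec fetch_log[KMEM_SIZE];
static size_t fetch_count;

static uint8_t extracted[KMEM_SIZE];     /* rootkit code bytes, in fetch order */
static size_t extracted_len;

/* Boot-time authentication: known-good kernel code is mirrored into the shadow. */
void load_authenticated_code(uint32_t addr, const uint8_t *code, size_t len) {
    size_t off = addr - KERNEL_BASE;
    for (size_t i = 0; i < len && off + i < KMEM_SIZE; i++) {
        standard_mem[off + i] = shadow_mem[off + i] = code[i];
        shadow_valid[off + i] = 1;
    }
}

/* Any guest write (insmod, /dev/kmem, ...) reaches standard memory only;
 * the guest can never update the shadow. */
void guest_write(uint32_t addr, const uint8_t *data, size_t len) {
    size_t off = addr - KERNEL_BASE;
    for (size_t i = 0; i < len && off + i < KMEM_SIZE; i++)
        standard_mem[off + i] = data[i];
}

/* VMM hook on a guest-kernel instruction fetch. A byte is unauthenticated if
 * the shadow has no code there (injected code) or disagrees with standard
 * memory (patched code). In profiling mode the fetch proceeds from standard
 * memory and the byte is recorded; this is where NICKLE would divert it. */
uint8_t fetch_instruction(uint32_t addr) {
    size_t off = addr - KERNEL_BASE;
    if (off >= KMEM_SIZE) return 0;                       /* outside the watched region */
    int unauth = !shadow_valid[off] || shadow_mem[off] != standard_mem[off];
    if (fetch_count < KMEM_SIZE)
        fetch_log[fetch_count++] = (struct fetch_rec){ addr, standard_mem[off], unauth };
    if (unauth && extracted_len < KMEM_SIZE)
        extracted[extracted_len++] = standard_mem[off];   /* "what code does it run?" */
    return standard_mem[off];
}

int     fetch_was_unauthenticated(size_t i) { return i < fetch_count ? fetch_log[i].unauth : -1; }
uint8_t extracted_byte(size_t i)            { return i < extracted_len ? extracted[i] : 0; }

/* Constructed scenario: an authenticated kernel function at KERNEL_BASE, a
 * rootkit that overwrites its first byte with a jmp opcode (inline hook) and
 * injects a new function at KERNEL_BASE+32, then the guest executing both. */
size_t run_scenario(void) {
    static const uint8_t sys_func[] = { 0x55, 0x89, 0xe5, 0x5d, 0xc3 }; /* push ebp; mov ebp,esp; pop ebp; ret */
    static const uint8_t hook[]     = { 0xe9 };                          /* jmp rel32 opcode */
    static const uint8_t injected[] = { 0x31, 0xc0, 0xc3 };              /* xor eax,eax; ret */

    memset(standard_mem, 0, sizeof standard_mem);
    memset(shadow_mem, 0, sizeof shadow_mem);
    memset(shadow_valid, 0, sizeof shadow_valid);
    fetch_count = extracted_len = 0;

    load_authenticated_code(KERNEL_BASE, sys_func, sizeof sys_func);
    guest_write(KERNEL_BASE, hook, sizeof hook);
    guest_write(KERNEL_BASE + 32, injected, sizeof injected);

    fetch_instruction(KERNEL_BASE);                                  /* patched byte: unauthenticated */
    for (uint32_t a = KERNEL_BASE + 32; a < KERNEL_BASE + 35; a++)
        fetch_instruction(a);                                        /* injected code: unauthenticated */
    for (uint32_t a = KERNEL_BASE + 1; a < KERNEL_BASE + 5; a++)
        fetch_instruction(a);                                        /* untouched kernel code: authenticated */
    return extracted_len;
}

int main(void) {
    size_t n = run_scenario();
    printf("%zu unauthenticated bytes fetched:", n);
    for (size_t i = 0; i < n; i++) printf(" %02x", extracted_byte(i));
    printf("\n");
    return 0;
}
```

Because the shadow is written only at authentication time, both ways a rootkit gets code into the kernel show up at the fetch: a patched byte disagrees with the shadow, and freshly injected code has no shadow at all. Collecting the bytes in fetch order is what "extract code as you go" amounts to; the extracted stream here is the jmp opcode followed by the three injected bytes, while the untouched kernel bytes fetched afterwards are not recorded.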
21-22 PoKeR: Architecture (revisited; highlighting logging and context tracking, kernel symbols and kernel object types, and kernel object interpretation)
23 Logging and context tracking
  Logging rootkit code: execution, reads, writes
24 What kernel objects does it modify?
  We have memory writes from rootkit code
  Use static analysis to build a map, from a kernel built with debug symbols
25-26 What about dynamic allocation?
  Some objects are allocated dynamically
  (figure: static objects, e.g. init_task, versus dynamic objects; the addresses 0xc... / 0xc11c... are truncated in the transcription)
27-28 Simple observation #1 (figure only: static objects, dynamic objects)
29 Simple observation #2
  The rootkit is just as ignorant as we are: it will find dynamic objects by starting at static ones
30 Combat tracking
  Track rootkit reads
  Build a map of dynamic memory
  Reverse VMI
31-46 Combat tracking example (animation; the figure shows static objects, dynamic objects, init_task at 0xc... / 0xc11c0000, a memory map column and an output column)
  Final frames: "Write to 0xc11b..." is resolved in the output to "Write to 0xc11b0056 -> euid"
47 How does it modify control flow?
  Kernel hooks are function pointers that are part of existing data objects
  Those objects could be statically or dynamically allocated
  This is a subset of the previous point
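Slides 24-47 describe resolving rootkit writes to kernel objects, including dynamically allocated ones reached through the pointer reads the rootkit itself makes. The following C program, an added example and not the PoKeR implementation, simulates that combat-tracking step over a small constructed guest memory: a task_struct-like type with a next pointer and an euid field, a static init_task known from debug symbols, two dynamically allocated tasks, and a constructed rootkit access log. The type layout, addresses, field names and the log are assumptions. A hook installed by overwriting a function-pointer field (slide 47) is resolved by the same lookup, since the pointer is just another field of a mapped object.

```c
/* Added example, not code from the PoKeR paper or its authors: a minimal
 * "combat tracking" resolver. A VMM-side profiler sees rootkit reads and
 * writes to guest kernel memory. Static objects (here init_task) are located
 * from debug symbols; dynamic objects are discovered by following the pointer
 * reads the rootkit makes, starting from the static ones. Every access is
 * then resolved to a symbolic path such as init_task->next->next->euid.
 * Types, offsets, addresses and the access log are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUEST_BASE 0xC1000000u   /* assumed guest kernel memory window */
#define GUEST_SIZE 0x1000u
static uint8_t guest_mem[GUEST_SIZE];

static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, &guest_mem[a - GUEST_BASE], 4); return v; }
static void     wr32(uint32_t a, uint32_t v) { memcpy(&guest_mem[a - GUEST_BASE], &v, 4); }

/* Type information as it would come from a kernel built with debug symbols. */
enum { T_TASK = 0 };
struct field { const char *name; uint32_t off; int ptr_type; };   /* ptr_type < 0: not a pointer */
struct ktype { const char *name; uint32_t size; const struct field *f; int nf; };
static const struct field task_fields[] = {
    { "next", 0, T_TASK }, { "pid", 4, -1 }, { "euid", 8, -1 },
};
static const struct ktype types[] = { { "task_struct", 12, task_fields, 3 } };

/* Memory map: static objects from symbols plus dynamic ones learned at run time. */
struct mapent { uint32_t addr; int type; char path[96]; };
static struct mapent memmap[32];
static int nmap;

static void map_add(uint32_t addr, int type, const char *path) {
    for (int i = 0; i < nmap; i++) if (memmap[i].addr == addr) return;   /* already known */
    if (nmap == 32) return;
    memmap[nmap].addr = addr;
    memmap[nmap].type = type;
    snprintf(memmap[nmap].path, sizeof memmap[nmap].path, "%s", path);
    nmap++;
}

/* Find the mapped object containing addr, and the field at that exact offset if any. */
static int map_lookup(uint32_t addr, const struct field **fld) {
    *fld = NULL;
    for (int i = 0; i < nmap; i++) {
        const struct ktype *t = &types[memmap[i].type];
        if (addr < memmap[i].addr || addr >= memmap[i].addr + t->size) continue;
        for (int j = 0; j < t->nf; j++)
            if (t->f[j].off == addr - memmap[i].addr) { *fld = &t->f[j]; break; }
        return i;
    }
    return -1;
}

/* Process one logged rootkit access. Writes its symbolic name into out and
 * returns 1 if it resolved. A read of a pointer field teaches the map a new
 * dynamic object, named by the path the rootkit took to reach it. */
int combat_track(char op, uint32_t addr, char *out, size_t cap) {
    const struct field *f;
    char path[96];
    int i = map_lookup(addr, &f);
    if (i < 0) { snprintf(out, cap, "%c 0x%08x (unmapped)", op, (unsigned)addr); return 0; }
    if (f) snprintf(path, sizeof path, "%s->%s", memmap[i].path, f->name);
    else   snprintf(path, sizeof path, "%s+0x%x", memmap[i].path, (unsigned)(addr - memmap[i].addr));
    snprintf(out, cap, "%c %s", op, path);
    if (op == 'R' && f && f->ptr_type >= 0 && rd32(addr) != 0)
        map_add(rd32(addr), f->ptr_type, path);
    return 1;
}

static char results[8][128];
static int nresults;
const char *resolved(int i) { return results[i]; }

/* Constructed scenario: a three-task circular list, and a rootkit that walks
 * it from init_task, writes the third task's euid, then touches an address
 * no read has reached. */
int run_scenario(void) {
    const uint32_t init_task = GUEST_BASE + 0x100, task_a = GUEST_BASE + 0x800, task_b = GUEST_BASE + 0xC00;
    memset(guest_mem, 0, sizeof guest_mem); nmap = 0; nresults = 0;
    wr32(init_task + 0, task_a);    wr32(init_task + 4, 0);    wr32(init_task + 8, 0);
    wr32(task_a + 0, task_b);       wr32(task_a + 4, 1234);    wr32(task_a + 8, 1000);
    wr32(task_b + 0, init_task);    wr32(task_b + 4, 1235);    wr32(task_b + 8, 1000);
    map_add(init_task, T_TASK, "init_task");                  /* static object, from symbols */

    struct { char op; uint32_t addr; } accesses[] = {        /* constructed rootkit access log */
        { 'R', init_task + 0 }, { 'R', task_a + 0 }, { 'W', task_b + 8 }, { 'W', GUEST_BASE + 0xF00 },
    };
    for (size_t k = 0; k < sizeof accesses / sizeof accesses[0]; k++) {
        combat_track(accesses[k].op, accesses[k].addr, results[nresults], sizeof results[nresults]);
        nresults++;
    }
    return nresults;
}

int main(void) {
    int n = run_scenario();
    for (int i = 0; i < n; i++) puts(results[i]);
    return 0;
}
```

Each pointer read the rootkit performs extends the map with the object it reached, named by the path the rootkit itself took (init_task->next->next), so a later write to a field of that object resolves symbolically even though nothing about the allocator was known in advance. A write into memory that no read has reached stays unresolved, which is the evasion listed under limitations: a rootkit that locates objects without reading through mapped pointers leaves the map blind at that address.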
48 Results: adore family
  Name       | Code      | Kernel objects modified
  adore      | instr     | sys_call_table[2,4,5,6,18,37,39,84,106], sys_call_table[107,120,141,195,196,220]
  adore 0.53 | 733 instr | sys_call_table[1,2,6,26,37,39,120,141,220], proc_net->subdir->next->(...)->next->get_info, proc_root_inode_operations->lookup
  adore-ng   | instr     | proc_net->subdir->next->(...)->next->get_info, proc_root_inode_operations->lookup, proc_root_operations->readdir, ext3_dir_operations->readdir, ext3_file_operations->write, unix_dgram_ops->recvmsg
  (instruction counts for adore and adore-ng are missing from the transcription)
49 Results: hp rootkit (several values and field names are truncated in the transcription)
  Action | Value      | Kernel object
  R      | 0xc677c000 | hash[600]
  R      | 0x a       | hash[600]->
  R      | 0xc76d8000 | hash[600]->
  R      | 0xc        | hash[600]->prev_task
  W      | 0xc        | hash[600]->->prev_task
  W      | 0xc76d8000 | hash[600]->prev_task->
50 Performance (chart: normalized slowdown of QEMU, PoKeR not profiling, and PoKeR profiling on UnixBench and a kernel compile)
51 Limitations
  Lack of formal completeness
  Cannot reveal the reason for modifications
  Combat tracking evasion
  Assumes VMM isolation
  Kernel rootkits only
52 Related work
  Panorama (CCS 07), HookFinder (NDSS 08), HookMap (RAID 08), K-Tracer (NDSS 09)
53 Your three take-aways
  PoKeR: a virtualization-based rootkit profiler
  Combat tracking lets us track dynamic data objects
  It tells what a rootkit does, to help an expert determine why it does it