Mitigating Exploits, Rootkits and Advanced Persistent Threats

Size: px

Start display at page:

Download "Mitigating Exploits, Rootkits and Advanced Persistent Threats"

Polly Mills
6 years ago
Views:

1 Mitigating Exploits, Rootkits and Advanced Persistent Threats David Durham, Senior Principal Engineer Intel Corporation Hot Chips Tutorial 1 Hot Chips 2014 Tutorial

2 Agenda Problem Better Protection Solid Foundations Usages Minimizing TCB Summary 2 Hot Chips 2014 Tutorial

3 Problem Better Protection Solid Foundations Usages Minimizing TCB Summary 3 Hot Chips 2014 Tutorial

Increasingly Sophisticated Attacks Operation Aurora: Google announced an attack targeting it and what is believed to be more than 30 other companies.

groups and criminals Reuters Nov 30, 2010 The Heartbleed Vulnerability: What It Is and How It Affects You: Heartbleed is not a virus, but rather a mistake written into OpenSSL April 2014 Banking

4 Increasingly Sophisticated Attacks Operation Aurora: Google announced an attack targeting it and what is believed to be more than 30 other companies. CNET January 12, 2010 Stuxnet: a novel way to use computers to sabotage an enemy's lifeline infrastructure suggests a powerful new kind of weapon is moving within reach of weak states, militant groups and criminals Reuters Nov 30, 2010 The Heartbleed Vulnerability: What It Is and How It Affects You: Heartbleed is not a virus, but rather a mistake written into OpenSSL April 2014 Banking Malware (SpyEye) Monitors Victims by Hijacking Webcams and Microphones May 2012, PCWorld Meet Flame, The Massive Spy Malware designed primarily to spy on the users of infected computers and steal data from them, including documents, recorded conversations and keystrokes. May 2012, Wired 4 Hot Chips 2014 Tutorial

5 Malware Signatures More & More Malware samples continue sharp rise Polymorphic viruses Methods of packing, redistributing existing malware Looking for known malware misses 0-days and targeted attacks 5 Hot Chips 2014 Tutorial

Emerging Stack Pivoting Exploits Bypass Common Security- APSA13-02 exploit: 6 http://blogs.

6 0-Day: Vulnerability, Armed, Exploited Sample: APSA13-02 Exploit Analysis Stack Pivot Shared Address Space Stack Pivot RET write RET Code RET write Sand write box write Stack Heap Emerging Stack Pivoting Exploits Bypass Common Security- APSA13-02 exploit: 6 Hot Chips 2014 Tutorial

7 Generalized Attack Vectors Circumvent Disable Shared Address Space Shared Address Space FuncA FuncB Malware Damage Resource Input Validation Bypass Internal Functions Return Oriented Programming Valid kernel components Attack External Depend encies Corrupt driver / malicious code Shared Address Space Data Pages write write write Comp write A Inject/Modify write write Comp write B write Buffer Overflow Eavesdrop Shared Address Space Write Secret Secret Key Read Malware 7 Hot Chips 2014 Tutorial

8 Problem Better Protection Solid Foundations Usages Minimizing TCB Summary 8 Hot Chips 2014 Tutorial

9 Monitor Report Paradigm Shift Signature Behavior Malicious App App Anti- Virus Attack OS Kernel IA Processor Monitor behavior Detect onset of the attack Prevent suspicious access Behavior-based detection to stop zero-day attacks 9 Hot Chips 2014 Tutorial

Putting the Defenses Together Trusted Launch Measurement Software Isolation Device Isolation Crypto Acceleration Introspection Acceleration Supervisory

VT-d Intel MPX VM Functions Intel SGX Intel Trusted Execution Technology (Intel TXT) Intel Virtualization Technology (Intel VT) for Directed I/O (Intel

10 Putting the Defenses Together Trusted Launch Measurement Software Isolation Device Isolation Crypto Acceleration Introspection Acceleration Supervisory Execution Prevention Forward Looking Buffer Overflow Protections Minimal TCB Intel AES- NI Intel TXT Intel OS Guard Intel VT Virtualization Exceptions Intel VT-d Intel MPX VM Functions Intel SGX Intel Trusted Execution Technology (Intel TXT) Intel Virtualization Technology (Intel VT) for Directed I/O (Intel VT-d) Intel Virtualization Technology (Intel VT) Intel Memory Protection Extensions (Intel MPX) Intel Software Guard Extensions (Intel SGX) 10 Hot Chips 2014 Tutorial

Evolution of Memory Protections Privilege levels based on protection rings Multiple virtual machine isolation Granular isolation within an address space Page Level

11 Evolution of Memory Protections Privilege levels based on protection rings Multiple virtual machine isolation Granular isolation within an address space Page Level Protections OS VM VM VM VM Ring-3 OS OS OS OS Ring-0 IA IA VMM IA Memory View EPT IA IA IA IA Reduce the attack surface while minimizing overhead 11 Hot Chips 2014 Tutorial

12 Overlaying Granular Protections Memory Manager Memory Manager Page Tables Special Drivers Driver Needing PT Access Other Driver Library Routines (e.g., bcopy) Other Driver Accommodates existing OS methodology and legacy code 12 Hot Chips 2014 Tutorial

13 Accelerating Granular Isolation Intel Virtualization Technology (Intel VT) enables protections beyond the OS Overlays additional protections and monitoring policies by enabling memory views Provides continuous detection of illicit behaviors Process Kernel module Further Subdivide OS and Applications DLL App Code JIT Kernel module Kernel module Kernel Accelerated using VM Functions and Virtualization Exceptions Measured Launch Additional Monitoring: Privileged software monitors OS activity Monitor 13 Hot Chips 2014 Tutorial

14 Extended Page Tables for Isolation within VM VM Function (VMFUNC) to switch EPTs under guest Virtualization Exceptions (VE) directly notify guest of EPT access violations VMFUNC Memory View 1 Memory View 2 VM 0 VMFUNC EPT Walker TLBs CPU 0 Use VMFUNC to cross EPT domains Hypervisor Intel VT-x with EPT Physical Pages #VE Extended Page Tables (EPT) Extended Page Table Pointer List indexed by VMFUNC Report EPT Violations Via VE 14 Intel Hot Chips 2014 Tutorial Virtualization Technology for IA-32, Intel 64 and Intel Architecture (Intel VT-x)

15 Granular Isolation (Before) Execution View1 Additional Overhead View2 R-X EPT fault R-- R-- VMX Root Monitor R-X EPT fault R-X R-- R-- (read-only) R-X (read-execute) 15 Hot Chips 2014 Tutorial

16 Granular Isolation with VM Functions Execution EPT 1 EPT 2 R-X R-- VMFUNC 0 R-- R-X R-X R-- (read-only) R-X (read-execute) VMFUNC 0 R-- Enforce Control Flow Integrity with Intel VT 16 Hot Chips 2014 Tutorial

Guest #VE Handler R-X R-X R-- (read-only) R-X (readexecute)

17 Monitoring with Virtualization Exceptions Execution EPT 1 Guest code EPT 2 Page using VMFUNC0 VMFUNC (0) R-X R-- R-- Guest #VE Handler R-X R-X R-- (read-only) R-X (readexecute) R-- EPT Exceptions directed to the guest 17 Hot Chips 2014 Tutorial

18 VM Function for Switching Relative Performance Comparison Varies Varies Context Switching Privilege Level State Save Virtual Machine Switching Monitor Overhead VMFUNC Switching New Paging Hierarchy 18 Hot Chips 2014 Tutorial

Layering Virtualization and Introspection Inner Guest 1 VIDT VIDT Memory X View Memory X View W View Memory Inner VMM vepts Server VMM VMX-root with Nested VT septs Intel CPU w/ VT-x2 Handler #VE

19 Layering Virtualization and Introspection Inner Guest 1 VIDT VIDT Memory X View Memory X View W View Memory Inner VMM vepts Server VMM VMX-root with Nested VT septs Intel CPU w/ VT-x2 Handler #VE Inner Guest N Inner VMM N Root VMM supports VT nesting (with EPT shadowing) Root VMM and guest opt-in to enable features VMFUNC switches authorized EPTs without engaging VMM(s) EPT violations reported via #VE to guest directly No VM Exits for guest policies No additional overhead for VMMs Root VMM decides which pages #VE and which will VM Exit Disambiguates copy-on-write and other VMM notification needs EPT Violation ->#VE controls Enables efficient introspection across multiple VMs 19 Hot Chips 2014 Tutorial

Revisiting Attack Vectors FuncA Circumvent Shared Address Space FuncB Malware Disable Shared Address Space Damage Resource Input Validation Bypass Internal Functions Return Oriented Programming

20 Revisiting Attack Vectors FuncA Circumvent Shared Address Space FuncB Malware Disable Shared Address Space Damage Resource Input Validation Bypass Internal Functions Return Oriented Programming Inject/Modify Shared Address Space Valid kernel components Attack External Depend encies Corrupt driver / malicious code Eavesdrop Shared Address Space write write Hidden Page write Comp write A write write Comp write B write Buffer Overflow Write Secret Secret Key Read Malware Overlay memory views to monitor software behavior 20 Hot Chips 2014 Tutorial

21 Problem Better Protection Solid Foundations Usages Minimizing TCB Summary 21 Hot Chips 2014 Tutorial

22 Overlaying Protections: Things to Consider Registers Memory Mappings Async Events May also address external devices depending on usage 22 Hot Chips 2014 Tutorial

Monitoring Processor Registers VMM can be configured to intercept changes to: Model Specific Registers Control Registers Debug Registers Descriptor Tables (IDTR ) Mode dependent VMCS determines what

23 Monitoring Processor Registers VMM can be configured to intercept changes to: Model Specific Registers Control Registers Debug Registers Descriptor Tables (IDTR ) Mode dependent VMCS determines what registers to monitor GPRs including the stack pointer can be checked at boundaries and on events Guest Memory Memory mov View View CR VMX-root Memory View VMCS Selects what exits Intel VT CPU Registers VM Exit Monitor processor state to prevent attacks 23 Hot Chips 2014 Tutorial

24 Page Table Edit Control CR3 Target List Write Protect!W!W!W Prevent attacks that remap virtual memory 24 Hot Chips 2014 Tutorial

25 Interrupts & Asynchronous Events Protect Interrupt Descriptor Table & Register Trust Interrupt Service Routines or own ISR stub Stub code protects state Stack General Purpose Registers IDTR Exiting Base Limit IDTR IDT Read Only ISRs ISRs ISRs Read Only Protect or intercept asynchronous paths 25 Hot Chips 2014 Tutorial

Covered by EPT policy Address Space D e v i c e s D R A M Memory View Intel VT-d protects against

26 Devices Device space configuration Programmed IO in/out Relocation of device registers in memory/bar change Trigger VM Exit Memory Mapped IO Device registers Covered by EPT policy DMA Buffers in memory Covered by EPT policy Address Space D e v i c e s D R A M Memory View Intel VT-d protects against compromised devices 26 Intel Virtualization Technology (Intel VT) for Directed I/O (Intel VT-d) Hot Chips 2014 Tutorial

27 Problem Better Protection Solid Foundations Usages Minimizing TCB Summary 27 Hot Chips 2014 Tutorial

McAfee Deep Defender Overview McAfee DeepSAFE technology in the McAfee Deep Defender product can safely monitor writes to critical memory assets The Deep Defender component within the operating

28 McAfee Deep Defender Overview McAfee DeepSAFE technology in the McAfee Deep Defender product can safely monitor writes to critical memory assets The Deep Defender component within the operating system understands the O/S layout and rootkit techniques The DeepSAFE component uses CPU primitives to monitor CPU and memory so that pages containing sensitive code and data are access-controlled 28 Hot Chips 2014 Tutorial

29 Providing Better Protections Input Audio Storage Video 29 Hot Chips 2014 Tutorial

30 Problem Better Protection Solid Foundations Usages Minimizing TCB Summary 30 Hot Chips 2014 Tutorial

31 Democratizing Security Software relies on a Trusted Execution Environment (TEE) in case other defenses fail Isolated hardware and restricted modes limit use A future where there are enough TEEs for all? TEE VIPs Only Scaling Trusted Execution Environments for the many 31 Hot Chips 2014 Tutorial

32 Trust How Many? Trusted Computing Base (TCB): Set of all hardware, firmware & software part of a trusted environment Minimizing the TCB: Remove Software Stacks Remove Drivers Remove Devices Remove Firmware... Trust us 32 Hot Chips 2014 Tutorial

33 Trust The Processor 33 Hot Chips 2014 Tutorial

Scaling Trust with a Minimal TCB Threat surface reduction Define

extraneous components from the trust boundary Reduce TCB to the

environment Intel Software Guard Extensions Programming Reference:

34 Scaling Trust with a Minimal TCB Threat surface reduction Define precise trust boundaries Proxy App Proxy App Proxy App Remove extraneous components from the trust boundary Reduce TCB to the processor OS VMM Processor Scalable security within mainstream environment Intel Software Guard Extensions Programming Reference: 34 Hot Chips 2014 Tutorial

35 Utilize Existing Instruction Set Security Primitives E.g. Intel Advanced Encryption Standard New Instructions: AESKEYGENASSIST AESIMC ShiftRows() InvShiftRows() SubBytes() InvSubBytes() MixColumns() AddRoundKey() AddRoundKey() AESENC AESENCLAST InvShiftRows() ShiftRows() InvSubBytes() SubBytes() InvMixColumns() AddRoundKey() AddRoundKey() AESDEC AESDECLAST And many more Enclave App A Enclave App B OS VMM 35 Hot Chips 2014 Tutorial

36 Problem Better Protection Solid Foundations Usages Minimizing TCB Summary 36 Hot Chips 2014 Tutorial

37 Summary Increasingly sophisticated attacks require better defenses Moving from signatures to behavioral models Next generation processors deliver new capabilities for advanced software monitoring and protection Ability to layer protections over legacy software Minimizing the Trusted Computing Base is the next step 37 Hot Chips 2014 Tutorial

38 Biography David Durham is a Senior Principal Engineer and Director in Intel Labs. His research team developed anti-malware and cryptographic security features currently found in hundreds of millions of Intel processors. David also developed policy-based network management technologies, created security solutions shipping in Intel vpro platforms and worked with McAfee to deliver virtualization-based anti-malware products. Collaborating with industry leaders, his team developed IEEE security protocols and advanced network access control capabilities now embedded in tens of millions of Intel platforms. He is a prolific author on computer communications, having written a book, multiple publications and several Internet protocol standards deployed in millions of connected devices. David received two Intel Achievement Awards, was granted over 100 US and international patents and earned his B.S. and M.S. degrees in Computer Engineering from Rensselaer Polytechnic Institute. 38 Hot Chips 2014 Tutorial

39 Legal Disclaimer INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. A "Mission Critical Application" is any application in which failure of the Intel Product could result, directly or indirectly, in personal injury or death. SHOULD YOU PURCHASE OR USE INTEL'S PRODUCTS FOR ANY SUCH MISSION CRITICAL APPLICATION, YOU SHALL INDEMNIFY AND HOLD INTEL AND ITS SUBSIDIARIES, SUBCONTRACTORS AND AFFILIATES, AND THE DIRECTORS, OFFICERS, AND EMPLOYEES OF EACH, HARMLESS AGAINST ALL CLAIMS COSTS, DAMAGES, AND EXPENSES AND REASONABLE ATTORNEYS' FEES ARISING OUT OF, DIRECTLY OR INDIRECTLY, ANY CLAIM OF PRODUCT LIABILITY, PERSONAL INJURY, OR DEATH ARISING IN ANY WAY OUT OF SUCH MISSION CRITICAL APPLICATION, WHETHER OR NOT INTEL OR ITS SUBCONTRACTOR WAS NEGLIGENT IN THE DESIGN, MANUFACTURE, OR WARNING OF THE INTEL PRODUCT OR ANY OF ITS PARTS. Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined". Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information. The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order. Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling , or go to: Intel Virtualization Technology (Intel VT) requires a computer system with an enabled Intel processor, BIOS, and virtual machine monitor (VMM). Functionality, performance or other benefits will vary depending on hardware and software configurations. Software applications may not be compatible with all operating systems. Consult your PC manufacturer. For more information, visit Intel, Look Inside and the Intel logo are trademarks of Intel Corporation in the United States and other countries. *Other names and brands may be claimed as the property of others. Copyright Intel Corporation. All rights reserved. 39 Hot Chips 2014 Tutorial

Intel Cache Acceleration Software for Windows* Workstation

Intel Cache Acceleration Software for Windows* Workstation Release 3.1 Release Notes July 8, 2016 Revision 1.3 INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS