Multi-Aspect Profiling of Kernel Rootkit Behavior


1 Multi-Aspect Profiling of Kernel Rootkit Behavior
Ryan Riley, Xuxian Jiang, Dongyan Xu
Purdue University, North Carolina State University
EuroSys 2009, Nürnberg, Germany

2 Rootkits
- Stealthy malware: hides the attacker
- Modifies the OS kernel in memory
- Injects new code
- Threat model: root privileges, full memory access

3 In the news

4-6 Rootkit techniques (built up over three slides)
- adore-ng: Linux 2.4/2.6, kernel module, adds custom functions
- hp: Linux 2.4, kernel module, modifies kernel objects

7 Profiling a rootkit?
- Quickly reveal its behavior
- A tool for malware investigators
- Honeypot environment
- This is hard: rootkits are highly privileged!

8 Profiling: determining behavior
1. What code does it run?
2. What kernel objects does it modify?
3. How does it modify control flow?
4. What system calls are affected at user level?

9-10 PoKeR: Architecture (figure, shown twice with Right-Before Detection and Logging and Context Tracking highlighted on the second slide)
- Virtual Machine: User-level Applications, Guest Kernel
- Virtual Machine Monitor: Right-Before Detection, Logging and Context Tracking, producing a Log
- Kernel Symbols & Kernel Object Types feed Kernel Object Interpretation, which produces the Profile

11-19 Right before detection? (figure, built up over nine slides)
- Applications and the guest OS run inside the VM; the VMM hosts the NICKLE module, which keeps a standard and a shadow copy of kernel memory
- Guest kernel instruction fetches and other memory accesses are routed through the NICKLE module
- Final frame: a memory access is compared against the standard and shadow copies

20 What code does it run?
- Compare standard and shadow memories
- Extract code as you go
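The detection-and-extraction step on this slide, as an added example (not PoKeR's or NICKLE's own code): a small Python model of one shadowed kernel code region. The guest-visible "standard" copy is what a rootkit can write to; the "shadow" copy is the authenticated code only the VMM fills in. On each kernel instruction fetch the bytes about to execute are compared with the shadow (right-before detection), and a whole-region diff coalesces the divergent bytes into the injected code the profile records. The region base, the all-nop "kernel code", the rootkit-written bytes, and the names `ShadowedKernelMemory`, `guest_write`, `instruction_fetch` and `divergent_ranges` are all constructed for this illustration, not the project's API.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ShadowedKernelMemory:
    """Constructed model of NICKLE-style memory shadowing for one kernel code region.

    `standard` is the memory the guest sees (a rootkit can write to it);
    `shadow` holds the authenticated copy of kernel code that only the VMM writes.
    """
    base: int
    standard: bytearray
    shadow: bytearray
    # code fetched from unauthenticated memory, keyed by fetch address
    extracted: Dict[int, bytes] = field(default_factory=dict)

    def _off(self, addr: int, length: int = 1) -> int:
        off = addr - self.base
        if off < 0 or off + length > len(self.standard):
            raise ValueError(f"address {addr:#x} outside the shadowed region")
        return off

    def guest_write(self, addr: int, data: bytes) -> None:
        """A write from inside the guest (rootkit included) only reaches standard memory."""
        off = self._off(addr, len(data))
        self.standard[off:off + len(data)] = data

    def instruction_fetch(self, addr: int, length: int) -> bool:
        """Right-before detection: compare the bytes about to execute with the shadow.

        A mismatch means the guest kernel is about to run code the shadow never
        authenticated; the bytes are recorded for the profile. Returns True on a match.
        """
        off = self._off(addr, length)
        fetched = bytes(self.standard[off:off + length])
        if fetched == bytes(self.shadow[off:off + length]):
            return True
        self.extracted[addr] = fetched
        return False

    def divergent_ranges(self) -> List[Tuple[int, bytes]]:
        """Diff the whole region and coalesce differing bytes into (addr, bytes) ranges."""
        ranges: List[Tuple[int, bytes]] = []
        start = None
        for i, (s, sh) in enumerate(zip(self.standard, self.shadow)):
            if s != sh and start is None:
                start = i
            elif s == sh and start is not None:
                ranges.append((self.base + start, bytes(self.standard[start:i])))
                start = None
        if start is not None:  # divergence runs to the end of the region
            ranges.append((self.base + start, bytes(self.standard[start:])))
        return ranges


def demo() -> ShadowedKernelMemory:
    """Build the constructed scenario: clean region, then two rootkit writes into it."""
    base = 0xC0100000                     # constructed guest kernel code base
    clean = bytes([0x90]) * 64            # constructed kernel code (all nops)
    mem = ShadowedKernelMemory(base, bytearray(clean), bytearray(clean))
    # constructed rootkit-written bytes: a 5-byte fragment and a 3-byte fragment
    mem.guest_write(base + 16, bytes([0xE9, 0x10, 0x00, 0x00, 0x00]))
    mem.guest_write(base + 40, bytes([0x31, 0xC0, 0xC3]))
    return mem


if __name__ == "__main__":
    m = demo()
    print("fetch at base matches shadow:", m.instruction_fetch(m.base, 4))
    print("fetch at base+16 matches shadow:", m.instruction_fetch(m.base + 16, 5))
    for addr, code in m.divergent_ranges():
        print(f"injected code at {addr:#010x}: {code.hex()}")
```

The point of keeping both `instruction_fetch` and `divergent_ranges` is the slide's "extract as you go": the fetch-time check catches the first instruction of rootkit code at the moment it is about to run, while the region diff recovers every injected byte, including code that has not executed yet.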


23 Logging and context tracking
- Logging rootkit code: execution, reads, writes

24 What kernel objects does it modify?
- We have memory writes from rootkit code
- Use static analysis to build a map
- Kernel with debug symbols

25-26 What about dynamic allocation?
- Some objects are allocated dynamically
- Figure: Static Objects (init_task at 0xc…, address truncated) and Dynamic Objects (0xc11c0000)

27-28 Simple observation #1 (figure: Static Objects, Dynamic Objects)

29 Simple observation #2
- The rootkit is just as ignorant as we are
- It will find dynamic objects by starting at static ones

30 Combat tracking
- Track rootkit reads
- Build a map of dynamic memory
- Reverse VMI

31-46 Combat tracking example (figure, built up over sixteen slides)
- Static Objects: init_task at 0xc… (address truncated); Dynamic Objects: 0xc11c0000
- Memory Map and Output columns fill in as the rootkit's reads are tracked
- Final output: Write to 0xc11b0056 ->euid

47 How does it modify control flow?
- Kernel hooks: function pointers
- Part of existing data objects
- Could be statically or dynamically allocated
- This is a subset of the previous point
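Combat tracking (slides 29-46) and hook detection (slide 47), as one added example that is not PoKeR's own code: a Python tracker that starts from static symbols, follows the rootkit's own pointer reads to label dynamically allocated objects (reverse VMI), and then interprets its writes. Reading a pointer-typed field of a known object tells us the pointee's type and the path used to reach it; a write to a function-pointer field is flagged as a hook, anything else as a data modification. The type layouts (the `euid` offset 0x56 is chosen only so that the output matches the slide's `0xc11b0056 ->euid`; sizes and other offsets are not real Linux 2.4/2.6 layouts), the symbol addresses, the 32-bit little-endian guest, and the access log are all constructed; `CombatTracker`, `Access` and `profile_sample` are illustrative names.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FN_PTR = "fn*"

# Constructed kernel type information standing in for what a kernel built with
# debug symbols provides: type name -> {field offset: (field name, field type)}.
TYPES: Dict[str, Dict[int, Tuple[str, str]]] = {
    "task_struct": {
        0x00: ("next_task", "task_struct*"),
        0x04: ("prev_task", "task_struct*"),
        0x56: ("euid", "uid_t"),            # offset chosen to match the slide's output
    },
    # the system call table modelled as an array of 256 function pointers
    "sys_call_table_t": {4 * i: (f"[{i}]", FN_PTR) for i in range(256)},
}
SIZES: Dict[str, int] = {"task_struct": 0x80, "sys_call_table_t": 4 * 256}

# Constructed static symbols: address -> (name, type). Dynamic objects are unknown here.
STATIC_SYMBOLS: Dict[int, Tuple[str, str]] = {
    0xC0300000: ("init_task", "task_struct"),
    0xC0260000: ("sys_call_table", "sys_call_table_t"),
}


@dataclass
class Access:
    """One logged memory access by rootkit code (op is 'R' or 'W')."""
    op: str
    addr: int
    value: int  # 32-bit value read or written


class CombatTracker:
    def __init__(self) -> None:
        # memory map: object base -> (path used to reach it, type); grows as reads reveal objects
        self.memory_map: Dict[int, Tuple[str, str]] = dict(STATIC_SYMBOLS)
        self.profile: List[str] = []

    def lookup(self, addr: int) -> Optional[Tuple[int, str, str]]:
        """Find the mapped object containing addr; returns (base, path, type)."""
        for base, (path, tname) in self.memory_map.items():
            if base <= addr < base + SIZES[tname]:
                return base, path, tname
        return None

    def process(self, acc: Access) -> Optional[str]:
        """Interpret one access; returns the symbolic path of the field touched, if known."""
        hit = self.lookup(acc.addr)
        if hit is None:
            self.profile.append(f"{acc.op} {acc.addr:#010x} -> unknown object")
            return None
        base, obj_path, tname = hit
        fld = TYPES[tname].get(acc.addr - base)
        if fld is None:
            return None  # padding or an unmodelled field
        fname, ftype = fld
        path = obj_path + fname if fname.startswith("[") else f"{obj_path}->{fname}"
        if acc.op == "R" and ftype.endswith("*") and ftype != FN_PTR and acc.value != 0:
            # Reading a data pointer reveals a dynamic object of the pointee type;
            # label it with the path the rootkit itself used to reach it.
            self.memory_map.setdefault(acc.value, (path, ftype[:-1]))
        elif acc.op == "W":
            kind = "hook" if ftype == FN_PTR else "data"
            self.profile.append(f"Write to {acc.addr:#010x} -> {path} ({kind})")
        return path


# Constructed access log: walk init_task's list two hops, then modify a credential
# field of the second task and overwrite one system call table entry.
SAMPLE_LOG = [
    Access("R", 0xC0300000, 0xC11C0000),   # init_task->next_task
    Access("R", 0xC11C0000, 0xC11B0000),   # ...->next_task of the discovered task
    Access("W", 0xC11B0056, 0x00000000),   # euid of that task set to 0
    Access("W", 0xC0260004, 0xC8800000),   # sys_call_table[1] replaced
]


def profile_sample() -> Tuple[List[Optional[str]], List[str]]:
    tracker = CombatTracker()
    paths = [tracker.process(a) for a in SAMPLE_LOG]
    return paths, tracker.profile


if __name__ == "__main__":
    for line in profile_sample()[1]:
        print(line)
```

Without the two reads, the write to `0xc11b0056` would only appear as "unknown object"; the tracker's value comes from the memory map growing with each pointer the rootkit dereferences, which is why the slides call it combat tracking. The `acc.value != 0` guard keeps a NULL read from registering a bogus object at address 0.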

48 Results: adore

Name        Code        Kernel Objects Modified
adore       … instr     sys_call_table[2,4,5,6,18,37,39,84,106]
                        sys_call_table[107,120,141,195,196,220]
adore 0.53  733 instr   sys_call_table[1,2,6,26,37,39,120,141,220]
                        proc_net->subdir->next->(...)->next->get_info
                        proc_root_inode_operations->lookup
adore-ng    … instr     proc_net->subdir->next->(...)->next->get_info
                        proc_root_inode_operations->lookup
                        proc_root_operations->readdir
                        ext3_dir_operations->readdir
                        ext3_file_operations->write
                        unix_dgram_ops->recvmsg

(… marks an instruction count lost in transcription.)

49 Results: hp rootkit

Action  Value        Kernel Object
R       0xc677c000   hash[600]
R       0x…a         hash[600]->…
R       0xc76d8000   hash[600]->…
R       0xc…         hash[600]->prev_task
W       0xc…         hash[600]->…->prev_task
W       0xc76d8000   hash[600]->prev_task->…

(… marks an address or field name lost in transcription.)

50 Performance (figure): normalized slow-down of QEMU, PoKeR not profiling, and PoKeR profiling on UnixBench and Kernel Compile

51 Limitations
- Lack of formal completeness
- Cannot reveal the reason for modifications
- Combat tracking evasion
- Assumes VMM isolation
- Kernel rootkits only

52 Related work
- Panorama (CCS 07)
- HookFinder (NDSS 08)
- HookMap (RAID 08)
- K-Tracer (NDSS 09)

53 Your three take-aways
- PoKeR: virtualization-based rootkit profiler
- Combat tracking allows us to track dynamic data objects
- Tells what a rootkit does in order to help an expert determine why it does it


More information

LECTURE 5: MEMORY HIERARCHY DESIGN

LECTURE 5: MEMORY HIERARCHY DESIGN LECTURE 5: MEMORY HIERARCHY DESIGN Abridged version of Hennessy & Patterson (2012):Ch.2 Introduction Programmers want unlimited amounts of memory with low latency Fast memory technology is more expensive

More information

TrustDump: Reliable Memory Acquisition on Smartphones

TrustDump: Reliable Memory Acquisition on Smartphones TrustDump: Reliable Memory Acquisition on Smartphones He Sun 1,2,3,4, Kun Sun 4, Yuewu Wang 1,2, Jiwu Jing 1,2, and Sushil Jajodia 4 1 Data Assurance and Communication Security Research Center, CAS 2 State

More information

Towards High Assurance Networks of Virtual Machines

Towards High Assurance Networks of Virtual Machines Towards High Assurance Networks of Virtual Machines Fabrizio Baiardi 1 Daniele Sgandurra 2 1 Polo G. Marconi - La Spezia, University of Pisa, Italy 2 Department of Computer Science, University of Pisa,

More information

Copyright 2012, Elsevier Inc. All rights reserved.

Copyright 2012, Elsevier Inc. All rights reserved. Computer Architecture A Quantitative Approach, Fifth Edition Chapter 2 Memory Hierarchy Design 1 Introduction Introduction Programmers want unlimited amounts of memory with low latency Fast memory technology

More information

The Challenges of X86 Hardware Virtualization. GCC- Virtualization: Rajeev Wankar 36

The Challenges of X86 Hardware Virtualization. GCC- Virtualization: Rajeev Wankar 36 The Challenges of X86 Hardware Virtualization GCC- Virtualization: Rajeev Wankar 36 The Challenges of X86 Hardware Virtualization X86 operating systems are designed to run directly on the bare-metal hardware,

More information

Computer Architecture. A Quantitative Approach, Fifth Edition. Chapter 2. Memory Hierarchy Design. Copyright 2012, Elsevier Inc. All rights reserved.

Computer Architecture. A Quantitative Approach, Fifth Edition. Chapter 2. Memory Hierarchy Design. Copyright 2012, Elsevier Inc. All rights reserved. Computer Architecture A Quantitative Approach, Fifth Edition Chapter 2 Memory Hierarchy Design 1 Programmers want unlimited amounts of memory with low latency Fast memory technology is more expensive per

More information

Memory Analysis. CSF: Forensics Cyber-Security. Part II. Basic Techniques and Tools for Digital Forensics. Fall 2018 Nuno Santos

Memory Analysis. CSF: Forensics Cyber-Security. Part II. Basic Techniques and Tools for Digital Forensics. Fall 2018 Nuno Santos Memory Analysis Part II. Basic Techniques and Tools for Digital Forensics CSF: Forensics Cyber-Security Fall 2018 Nuno Santos Previous classes Files, steganography, watermarking Source of digital evidence

More information

Difference Engine: Harnessing Memory Redundancy in Virtual Machines (D. Gupta et all) Presented by: Konrad Go uchowski

Difference Engine: Harnessing Memory Redundancy in Virtual Machines (D. Gupta et all) Presented by: Konrad Go uchowski Difference Engine: Harnessing Memory Redundancy in Virtual Machines (D. Gupta et all) Presented by: Konrad Go uchowski What is Virtual machine monitor (VMM)? Guest OS Guest OS Guest OS Virtual machine

More information

ETHICAL HACKING & COMPUTER FORENSIC SECURITY

ETHICAL HACKING & COMPUTER FORENSIC SECURITY ETHICAL HACKING & COMPUTER FORENSIC SECURITY Course Description From forensic computing to network security, the course covers a wide range of subjects. You will learn about web hacking, password cracking,

More information

Fast access ===> use map to find object. HW == SW ===> map is in HW or SW or combo. Extend range ===> longer, hierarchical names

Fast access ===> use map to find object. HW == SW ===> map is in HW or SW or combo. Extend range ===> longer, hierarchical names Fast access ===> use map to find object HW == SW ===> map is in HW or SW or combo Extend range ===> longer, hierarchical names How is map embodied: --- L1? --- Memory? The Environment ---- Long Latency

More information

Copyright 2012, Elsevier Inc. All rights reserved.

Copyright 2012, Elsevier Inc. All rights reserved. Computer Architecture A Quantitative Approach, Fifth Edition Chapter 2 Memory Hierarchy Design 1 Introduction Programmers want unlimited amounts of memory with low latency Fast memory technology is more

More information

Intel VMX technology

Intel VMX technology Intel VMX technology G. Lettieri 28 Oct. 2015 1 The Virtual Machine Monitor In the context of hardware-assisted virtualization, it is very common to introduce the concept of a Virtual Machine Monitor (VMM).

More information

Concepts. Virtualization

Concepts. Virtualization Concepts Virtualization Concepts References and Sources James Smith, Ravi Nair, The Architectures of Virtual Machines, IEEE Computer, May 2005, pp. 32-38. Mendel Rosenblum, Tal Garfinkel, Virtual Machine

More information

Malware

Malware reloaded Malware Research Team @ @xabiugarte Motivation Design principles / architecture Features Use cases Future work Dynamic Binary Instrumentation Techniques to trace the execution of a binary (or

More information

Virtualization Enabled Integrity Services (VIS)

Virtualization Enabled Integrity Services (VIS) Virtualization Enabled Integrity Services (VIS) Vedvyas Shanbhogue, Ravi Sahita, Uday Savagaonkar (vedvyas.shanbhogue@intel.com, ravi.sahita@intel.com, uday.savagaonkar@intel.com) Intel Motivation Malware

More information

SPIN Operating System

SPIN Operating System SPIN Operating System Motivation: general purpose, UNIX-based operating systems can perform poorly when the applications have resource usage patterns poorly handled by kernel code Why? Current crop of

More information

System Virtual Machines

System Virtual Machines System Virtual Machines Outline Need and genesis of system Virtual Machines Basic concepts User Interface and Appearance State Management Resource Control Bare Metal and Hosted Virtual Machines Co-designed

More information

Secure In-VM Monitoring Using Hardware Virtualization

Secure In-VM Monitoring Using Hardware Virtualization Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif Georgia Institute of Technology Atlanta, GA, USA msharif@cc.gatech.edu Wenke Lee Georgia Institute of Technology Atlanta, GA, USA wenke@cc.gatech.edu

More information

Advanced Systems Security: Ordinary Operating Systems

Advanced Systems Security: Ordinary Operating Systems Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:

More information

CS 356 Operating System Security. Fall 2013

CS 356 Operating System Security. Fall 2013 CS 356 Operating System Security Fall 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter 5 Database

More information

Time-traveling Forensic Analysis of VM-based High-interaction Honeypots

Time-traveling Forensic Analysis of VM-based High-interaction Honeypots Time-traveling Forensic Analysis of VM-based High-interaction Honeypots Deepa Srinivasan, Xuxian Jiang Department of Computer Science North Carolina State University dsriniv@ncsu.edu, jiang@cs.ncsu.edu

More information