Hacktivity2014: Virtual Machine Introspection to Detect and Protect
Download as ODP, PDF1 like2,586 views
Virtual machine introspection (VMI) allows security tools to be run externally to virtual machines for improved isolation, visibility, and control. VMI provides full interpretation of the virtual hardware and memory to detect malware. It can actively monitor VM events and memory through techniques like EPT trap interposition. The speaker demonstrated these capabilities using open source tools like LibVMI and DRAKVUF for dynamic malware analysis. VMI is presented as an important approach for cloud and mobile security going forward.
Hacktivity2014: Virtual Machine Introspection to Detect and Protect
- 1. Virtual Machine Introspection to Detect and Protect Tamas K. Lengyel tklengyel@sec.in.tum.de tamas.lengyel@zentific.com https://github.com/tklengyel
- 2. Agenda 1. Motivation & Cloud security 2. Xen 3. Virtual Machine Introspection I. Isolation II. Interpretation III. Interposition 4. Demo 5. Public release of new tools
- 3. Motivation This is my PhD topic ● Malware collection & analysis DARPA Cyber Fast Track ● Cloud IDS/IPS prototype Up-and-coming field
- 4. Cloud Security? ● Virtualization is a magic box of invulnerability ● Why bother if Cloud instances are short-lived and easily wiped? ● Isn't worth the cost of overhead ● It's not going to happen to me ● I'll just use my existing tools and be fine Wrong!
- 5. Cloud Security ● In-guest AV / HIDS ✗ No isolation ● Network IDS ✗ Limited or no context ● Scan VM disk and memory ✗ No interposition Better than nothing
- 6. Cloud Security! ● Move protection out from the VM ✔ Hypervisor based isolation ● Full view of the VM state ✔ Interpret virtual hardware to see processes, users, connections, files.. ● Actively monitor & control ✔ Interposition
- 7. Xen Bare-metal VMM Runs in VMX root Minimal interface Everything else is a domain, with one being special (dom0)
- 8. Isolation We could move the security stack to dom0.. .. or move it into its own domain! Xen allows for advanced disaggregation and role delegation With some caveats..
- 9. Access control in Xen Xen Security Modules (XSM) – Disabled by default. – Only usable starting with 4.3 In the guest kernel! – if (!xen_initial_domain()) return -EPERM; – We patched that in Linux 3.8 In XenStore (ignore for now) – Domain meta info is only a plus
- 10. Access control in Xen Security is no longer part of the TCB Can be 1:1, 1:many or many:many Designed for multi-tenant cloud deployments Security doesn't mean the same thing for everyone
- 11. Interpretation Interpreting the guest virtual hardware – Memory – VCPU Memory interpretation: – Paging, paging, paging OS interpretation: – Debug symbols!
- 12. LibVMI + Rekall LibVMI – Xen and KVM support – Paging support for ● x86, x86+PAE, x86_64 & ARM – OS support ● Windows, Linux Rekall – Generates nice debug profiles – ..and lots of other fancy stuff
- 13. Finding Windows Volatility: brute-force search ● “KDBG” scan ● Easily hidden + lots of false positives LibVMI + Rekall: use hardware info! ● VCPU0 FS/GS register → KPCR ● KPCR – relative offset = Windows! ● It is binding, malware can't touch it
- 14. Understanding Windows Volatility: use the in-memory KDBG struct. – Can be tampered with – Heavily encoded in Windows 8 64-bit LibVMI + Rekall: use the pre-generated debug profiles! – Works with Windows 8 64-bit as well – Different attacker model
- 15. Interposition Scanning VM memory gets you a lot – Volatility's pooltag scans But it's not bulletproof and introduces TOCTOU issues Interposition: induce & trap VMEXITs Forward to security domain
- 16. Interposition Intel to the rescue: CPUID, GETSEC, INVD, XSETBV, INVEPT, INVVPID, VMCALL, VMCLEAR, VMLAUNCH, VMPTRLD, VMPTRST, VMRESUME, VMXOFF, VMXON And optionally: CLTS, HLT, IN, INS/INSB/INSW/INSD, OUT, INVLPG, INVPCID, LGDT, LIDT, LLDT, LTR, SGDT, SIDT, SLDT, STR, LMSW, MONITOR, MOV from CR3, MOV from CR8, MOV to CR0, MOV to CR3, MOV to CR4, MOV to CR8, MOV DR, MWAIT, INT3, INT0, MTF …. See the full list in Intel SDM 3c 25.1.3
- 17. Interposition with LibVMI ● MOV-TO-CR0/3/4 – New process being scheduled, CPU feature enabled/disabled, TLB flush, etc. ● EPT violation – Trap R/W/X of any memory page in the guest – Invisible to the guest – Needs to be reset after hit ● Singlestepping – Intel Monitor Trap Flag (MTF) ● Debug events (INT3)
- 19. DKOM no more! It's still on the heap!
- 21. DRAKVUF “Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System” - ACSAC 2014 http://drakvuf.com Anyone gets the name reference?
- 22. Conclusion ● Cloud security requires new tools and new approaches ● VMI is rapidly maturing to fill the gap ● Dealing with rootkits is easier externally ● Tools are open-source (GPL/LGPL) ● Patches are welcome ;)
- 23. What's ahead VMI gets you a lot.. but there are blind-spots – Virt-DMA, emulation.. ● Who watches the watcher? – SMM/AMT based VMM integrity check ● Xen on ARM – “Cloud” security for your phone/car!
- 24. Shout-out Cheers to the Zentific crew – Steve, Matt & Russ To the Volatility crew – MHL, Andrew, Gleeda & Moyix To the Rekall crew – Scudette To Mudge – Thanks for the CFT!
- 25. Thanks!