Author : Jiang Wang, Angelos Stavrou, and Anup Ghosh

Conference: RAID 2010Advisor: Yuh-Jye LeeReporter: Yi-Hsiang YangEmail: M9915016@mail.ntust.edu.tw

12011/4/28

OutlineIntroductionRelated WorkSystem ArchitectureImplementationEvaluationConclusion

22011/4/28

Introduction • Virtual Machine Monitors (VMMs)• Deep isolation of untrusted software components• Attackers towards VMM vulnerabilities

• HyperCheck • Works at the BIOS level • CPU System Management Mode (SMM)

32011/4/28

Related workCopilot employed a special PCI device to poll the physical

memory of the host and send it to an admin station periodically

HyperGuard Rutkowska et al. suggested using SMM of the x86 CPU to monitor the integrity of the hypervisors

DeepWatch also offers detection of hypervisor rootkits by using the embedded micro-controller(s) in the chipset. Relying on hardware-assisted virtualization technologies such as Intel VT-d

Flicker uses a TPM based method to provide a minimum Trusted Code Base (TCB), which can be used to detect the modification to the kernels

42011/4/28

Threat modelSystem Management Mode (SMM)

Intel386 SL and Intel486 SL processorsThe processor enters SMM when the external

SMM interrupt pin (SMI#) is activated or received from the advanced programmable interrupt controller (APIC)

Processor switches to a separate address space, called system management RAM (SMRAM)

52011/4/28

Attacker’s capabilitiesExploit vulnerabilities in any software after

bootup. Eg. compromise a guest domain and escape to the privileged domainModify the hypervisor code or data using any

known or zero-day attacks. Eg. DMA attack

62011/4/28

General AssumptionsAttacker cannot tamper with PCI NIC using the

same driver interfaceSMRAM is properly setup by BIOS upon boot

time and lockedLimitations

Analysis cannot protect against attacks that modify the dynamically generated function pointers

72011/4/28

In-scope AttacksAims to detect the in-memory Ring-0 level rootkits

Rookits A set of programs and code that allows a

permanent or consistentModifies the memory and/or registers Runs in the kernel levelEg . idt-hook rootkit

Modifies the interrupt descriptor table (IDT) Gains the control of the complete system

2011/4/28 8

System ArchitectureHyperCheck is composed of three key components

Physical memory acquiring moduleReads the contents of the physical memory Sends data to the analysis module

Analysis moduleChecks the memory contents and verifies if anything is

alteredCPU register checking module

Reads the registers and validates

92011/4/28

System Architecture

102011/4/28

System ArchitectureHyperCheck should not rely on any software runningUse hardware

PCI Ethernet card– as memory acquiring moduleSMM to read the CPU registers

Uses the CR3 register Translate the virtual addresses to the physical

addresses

112011/4/28

System Architecture-Acquiring the physical memoryTwo ways to acquire the physical memory

Software method/dev/kmem on Linux or \Device\PhysicalMemory on

Windows If the operating system or the hypervisor is compromised

Hardware methodUses a PCI deviceDepends less on the integrity of the operating system or

the hypervisor

122011/4/28

System Architecture-Acquiring the physical memoryHyperCheck puts drivers into the SMM codeTo prevent from a malicious NIC driver in the OS

to spoof the SMM driverUse a secret key obtained from the monitor machine

when booting up and stored in the SMRAMDenial of service(DoS) attacks

Advanced Configuration and Power Interface (ACPI) Allow the operating system to control the state of the

devices

132011/4/28

System Architecture-Translating the physical memoryThree properties of the kernel memory

Linear mappingKernel memory is linearly mapped to physical memory

Static natureContents of monitoring part of hypervisor have to be

staticPersistence

Memory will not swap to the hard disk

142011/4/28

System Architecture-Reading and verifying the CPU registersEthernet card cannot read the CPU registersUse SMM in x86 CPU

When switches to SMM it saves the register context in the SMRAM

Focuses on monitoring two registers:IDTR

Should never change after system initialization CR3

Translate the physical addresses of the hypervisor kernel code and data

152011/4/28

ImplementationHyperCheck-I

Virtual machine uses QEMUAnalysis module runs on the host of QEMUPlaced NIC driver into the SMMProgram runs in the SMM and collects and sends out the

CPU registers via the Ethernet cardQuick Prototyping and DebuggingQEMU network card is much lower than a real NIC device

(10MB/s)Performance may not reflect the real world performance

162011/4/28

Implementation-Memory Acquiring moduleSMM code is one part of BIOSUsing SMM for ”Other Purposes”. Phrack Magazine, 2008

Writes the SMM code in 16bit assembly Uses a user level program to open the SMRAM Copy the assembly code to the SMRAMProgram the transferring part in assembly

Assembly code is compiled to an ELF object file Write a loader parse the ELF object file and load the code and

data to the SMMModified the existing Linux E1000 driver to initialize the

network card

172011/4/28

Implementation-Memory Acquiring moduleTwo transmission descriptors per packet

Header NIC is already initialized by OS

Data Prepare Descriptor table and write it to the Transmit Descriptor

Tail (TDT) register of the NIC Secret key

Create a random seed to selectively hash the data for one-time pad encryption

Serial random numbers indexes of the positions of the memory being scanned

182011/4/28

Implementation-Analysis moduleCentOS 5.3

Tcpdump to filter the packets from the acquiring module and output is sent to the analysis module

Recovers the contents using the same secret keyWritten in a Perl script reads the input and checks for any

anomaliesCompares every two consecutive memory snapshots Check the integrity of the control data and code

Control data includes IDT table, hypercall table and exception table of Xen

192011/4/28

Implementation-CPU register checking moduleTriggering SMI to enter SMM

SMI is often used for power management, and Southbridge provides some timers to monitor the state of a device

Employ the Ethernet card to trigger the SMI event Checking the registers in SMMReporting the result

202011/4/28

ImplementationHyperCheck-II

Target Xen 3.1 Intel E1000 Ethernet card SMM NIC driver from the QEMU VM does not work on the

physical machineNIC can access the SMRAM in a QEMU VM

Reserved 12MB for HyperCheck by using mem parameterMonitor

Analysis moduleUsed for performance measurement

212011/4/28

EvaluationHyperCheck-I

Dell Precision 690 8GB RAM 3.0GHz Intel Xeon CPU with two cores The host : CentOS 5.3 64bitQEMU version was 0.10.2Xen version was 3.3.1 Domain 0 was CentOS 5.3 32bit with PAE

HyperCheck-II Dell Optiplex GX 260 2.0GHz Intel Pentium 4 CPU 512MB memory Xen 3.1 and Linux 2.6.18 Domain 0 is CentOS 5.4

222011/4/28

Evaluation-DetectionHDD DMA attacks to modify the Xen hypervisor and

Domain 0Four attacks to Xen hypervisor and Two attacks to Domain

0Modified pcnet NIC in QEMU to attack Linux and

Windows operating systems

232011/4/28

Evaluation-Monitoring overhead

24

Internal NIC transfer FIFO is 16KB

2011/4/28

Evaluation-OperationTwo programs

Use Dummy SMM code Time for switching between protected mode & SMM

Use the registers to simulate the verification of IDTR and CR3

Sending the data : 73 Million cycles. Accessing the main memory : 5.28 Million cycles. The total time is 80 Million cycles

252011/4/28

Evaluation- Overhead of the operations

262011/4/28

EvaluationReading memory contents and comparing

Total 230 ms49 ms for only comparing the data

272011/4/28

Evaluation

282011/4/28

ConclusionIntroduced HyperCheck-a hardware-assisted tamper

detection frameworkRely on CPU System Managed Mode (SMM)Implemented two prototypes : QEMU and physical x86

machineHyperCheck operation is relatively lightweight

Produce and communicate a scan of the state of the protected software in less than 40ms

292011/4/28

Thanks for listening!Q&A

2011/4/28 30