SubVirt: Implementing malware with virtual machines

Slide transcript; posted 22-Dec-2015.

Yi-Min Wang, Chad Verbowski, Helen J. Wang, Jacob R. Lorch (Microsoft Research)
Samuel T. King, Peter M. Chen (University of Michigan)
2/23
Motivation
• Attackers and defenders strive for control
  – Attackers monitor and perturb execution
    • Avoid defenders
  – Defenders detect and remove attacker
  – Control by lower layers
[Diagram: layer stack with App1 and App2 on top of the Operating system on top of the Hardware; Attackers and Defenders are shown alongside, each trying to get below the other]
3/23
Virtual-machine based rootkits (VMBRs)
• VMM runs beneath the OS
  – Effectively a new processor privilege level
• Fundamentally more control
• No states or events visible to the target OS
• Easy to develop malicious services
4/23
Virtual-machine based rootkits (VMBRs)
[Diagram: before infection, App1 and App2 run on the Target OS, which runs directly on the Hardware; after infection, the VMM sits between the Hardware and the Target OS, and an Attack system runs beside the Target OS on top of the VMM]
5/23
Outline
• Installing a VMBR (attacker's perspective)
• Maintaining control (attacker's perspective)
• Malicious services (attacker's perspective)
• Defending against this threat (defender's perspective)
• Proof-of-concept VMBRs
6/23
Installation
• Assume attacker has kernel privilege
  – Traditional remote exploit
  – Bribe employee
  – Malicious bootable CD-ROM
• Install during shutdown
  – Few processes running
  – Steps taken to keep the target OS from noticing the activity
7/23
Installing a VMBR
• Modify the boot sequence
[Diagram: normal boot sequence, BIOS → Master boot record → Boot sector → OS]
8/23
Installing a VMBR
• Modify the boot sequence
[Diagram: modified boot sequence, BIOS → VMBR loads → BIOS → Master boot record → Boot sector → OS; the VMBR runs first and then starts the original boot chain inside the virtual machine]
9/23
Maintaining control
• Hardware reset: VMBR loses control
• Illusion of reset w/o losing control
• Reboot easy, shutdown harder
[Diagram: the modified boot sequence from the previous slide, BIOS → VMBR loads → BIOS → Master boot record → Boot sector → OS]
10/23
Maintaining control
• ACPI BIOS used for low power mode
  – Spin down disks
  – Display low power mode
  – Change power LED
• Illusion of power off, emulate shutdown
• Control the power button
• System functionally unchanged
11/23
Malicious services
• Advantages of high and low layer malware
  – Provides low layer implementation
  – Still easy to implement services
• Use a separate attack OS to implement
[Diagram: VMM on the Hardware, with the Target OS (App1, App2) and the Attack OS (App) both running on top of the VMM]
12/23
Malicious services
• Zero interaction malicious services
  – E.g., phishing web server
• Passive monitoring
  – E.g., keystroke logger, file system scanner
• Active execution modifications
  – E.g., defeat VM detection technique
• All easy to implement
13/23
Defending against VMBRs
• Detecting VMBRs
  – Perturbations
• Where to run detection software
14/23
VMBR perturbations
• Inherent (hard to hide)
  – Timing of key events
  – Space (memory and disk consumed by the VMBR)
• Hardware artifacts
  – Device differences
  – Processor not fully virtualizable
  – See paper for more details
• Software artifacts (easy to hide)
  – VM icon
  – Device names
15/23
Security software above
• Attack state not visible
  – Can only detect side effects, e.g., timing
• VMBR can manipulate execution
  – Clock controlled by VMBR
  – Prevent security service from running
  – Turn off network
  – Disable notification of intrusion
16/23
Security software below
• More control, direct access to resources
  – Could detect states or events
• Secure VMM and/or secure hardware
• Boot from safe medium
  – Unplug machine from the wall first (a VMBR can fake the power-off, see slide 10)
17/23
Proof-of-concept VMBRs
• VMware / Linux host
• Virtual PC / Windows XP host
• Host OS was attack OS
• Malware payload ~100MB compressed
• Non fully virtualizable ISA
  – Hiding this artifact would degrade performance
• Software emulated devices
  – Host OSes had wide range of drivers
18/23
Proof-of-concept VMBRs
• Implemented four malicious services
  – Phishing web server
  – Keystroke logger + password parser
  – File system scanner
  – Countermeasure to detection tool
• Installation scripts and modules
• ACPI shutdown emulation
  – Both sleep states and power button control
19/23
Related work
• Layer below attacks
  – Kernel layer rootkits
• VMMs for security
  – Trusted VMMs: Terra, NGSCB
  – Detect intrusions: VMI, IntroVirt
  – Isolation: NSA's NetTop
  – Analyze intrusions: ReVirt
• Current defenses
  – Secure/trusted boot
  – Pioneer
20/23
Conclusion
• Realistic threat
  – Qualitatively more control
  – Still easy to implement services
  – Proof-of-concept VMBRs could be detected
  – HW enhancements might make them more effective
• Defending is possible
  – Best way is for defenders to control low layers
21/23
Questions
22/23
Hardware artifacts
• Non fully virtualizable processor
• Computers have diverse hardware
  – Allow target OS to provide drivers
  – Device DMA unsafe, might expose VMBR
  – Results in different / incomplete visible HW
• Enhancements to MMU
  – Allow target OS to run many drivers directly
23/23
Software artifacts
• Implementations make VMM visible
• VMware / Virtual PC hypercalls
  – E.g., GetVersion()
• VMware icon
• Name of virtual hardware
• Etc.
24/23
Performance
• Non fully virtualizable hardware tradeoff
  – Performance vs. perfect virtualization
  – Dynamic binary translation
  – Paravirtualization
• Simplified driver interface
• Effects of HW enhancements unknown
25/23
Impact of VM enhanced hardware
• VMBR allows target to run most HW
  – Only emulate devices needed for virtualization
    • E.g., disk, network
  – Target can drive everything else
    • Display, USB
• Better device performance
• Smaller VMBR payload
26/23
Defeating the "redpill"
• Easy to detect VM on non-virtualizable x86
• "Redpill" uses instructions that leak info
• Interpose on key Windows functions
  – Fix up the "redpill" app to avoid VM detection
• Uses virtual-machine introspection
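Added example, not code from the slides or the paper, covering the perturbation classes of slides 14 and 15 and the redpill of slide 26 from the defender's side. It probes three things: the CPUID hypervisor bit and vendor leaf (a software artifact in the sense of slide 23; the 0x40000000 convention postdates the paper), the original redpill IDT-base rule (a hardware artifact of non-virtualizable x86, shown as history because it was only meaningful for 32-bit guests on 2004-era VMMs, and because, as slide 26 says, a VMBR that introspects the guest can neutralize it), and a CPUID timing probe (an inherent perturbation, the only kind slide 15 says software above the VMM can observe). Assumptions: x86 or x86-64 with GCC or Clang; the 500-cycle threshold is uncalibrated; all function names are ours.

```c
/* Added example, not code from the SubVirt slides or paper: user-space probes
 * for the perturbation classes of slides 14/15 and the "redpill" of slide 26.
 * Assumptions (ours): x86/x86-64 with GCC or Clang; the cycle threshold is
 * illustrative and must be calibrated; the IDT-base rule is 2004-era history
 * for 32-bit guests and is not a reliable test today. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* What SIDT stores: 16-bit limit, then the base (4 or 8 bytes). */
struct dtr { uint16_t limit; uint64_t base; } __attribute__((packed));

/* Software artifact (slide 23): CPUID leaf 1, ECX bit 31 is set by a VMM
   that chooses to announce itself. A later convention than the paper. */
int cpuid_hypervisor_bit(void)
{
#if HAVE_X86
    unsigned a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d)) return 0;
    return (c >> 31) & 1;
#else
    return 0;
#endif
}

/* Leaf 0x40000000 returns a 12-byte vendor string in EBX:ECX:EDX.
   Pure function so it can be checked on constructed register values. */
const char *hv_vendor_name(uint32_t ebx, uint32_t ecx, uint32_t edx)
{
    static char name[13];
    memcpy(name, &ebx, 4);      /* little-endian host: bytes come out in order */
    memcpy(name + 4, &ecx, 4);
    memcpy(name + 8, &edx, 4);
    name[12] = '\0';
    return name;
}

const char *cpuid_hypervisor_vendor(void)
{
#if HAVE_X86
    unsigned a, b, c, d;
    if (!cpuid_hypervisor_bit()) return "";
    __cpuid(0x40000000, a, b, c, d);
    return hv_vendor_name(b, c, d);
#else
    return "";
#endif
}

/* Hardware artifact on non-virtualizable x86 (slides 14, 22): SIDT is not
   trapped, so the guest sees where the VMM put its IDT. The original redpill
   flagged a 32-bit IDT base whose top byte exceeded 0xD0. */
int redpill_classify(uint32_t idt_base32) { return (idt_base32 >> 24) > 0xD0; }

uint64_t read_idt_base(void)
{
#if HAVE_X86
    struct dtr r;
    memset(&r, 0, sizeof r);
    __asm__ __volatile__("sidt %0" : "=m"(r));
    return r.base;
#else
    return 0;
#endif
}

/* Inherent perturbation (slide 15): CPUID always exits to the VMM, so its
   cost in cycles is a side effect the VMBR cannot remove, only disguise. The
   minimum over many runs suppresses scheduling noise. */
uint64_t min_cpuid_cycles(int runs)
{
#if HAVE_X86
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < runs; i++) {
        unsigned a, b, c, d;
        uint64_t t0 = __rdtsc();
        __cpuid(0, a, b, c, d);
        uint64_t t1 = __rdtsc();
        if (t1 - t0 < best) best = t1 - t0;
    }
    return best;
#else
    (void)runs;
    return 0;
#endif
}

int timing_says_vm(uint64_t cycles, uint64_t threshold) { return cycles > threshold; }

int main(void)
{
    uint64_t idt = read_idt_base(), cyc = min_cpuid_cycles(1000);
    printf("hypervisor bit %d, vendor \"%s\"\n", cpuid_hypervisor_bit(), cpuid_hypervisor_vendor());
    printf("IDT base 0x%llx, redpill rule says %s\n", (unsigned long long)idt,
           redpill_classify((uint32_t)idt) ? "VM" : "native");
    printf("min CPUID cost %llu cycles, timing rule says %s\n", (unsigned long long)cyc,
           timing_says_vm(cyc, 500) ? "VM" : "native");
    return 0;
}
```

Build with `gcc -O2` on an x86 machine and run it once on a host known to be native and once on a host known to be virtual to pick a threshold; the artifact probes are cheap for a VMBR to hide (it can clear the hypervisor bit, and slide 26 shows it patching the redpill out of the guest), while the timing probe is the one it can only distort, for example by controlling the clock the guest reads (slide 15).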