Transparent System Introspection in Support of Analyzing Stealthy Malware
Kevin Leach, University of Virginia
Computer Engineering
May 12, 2015
Breaking Down the Title
• Transparent System Introspection in Support of Analyzing Stealthy Malware
1. Stealthy Malware
   • Malware that hides itself from analysis
2. Introspection
   • Acquisition of data about malware behavior
3. Transparency
   • Sample cannot tell if it is under analysis
K. Leach – Ph.D. Proposal: Problem Introduction and Motivation
Malware Proliferation
Malware Analysis
• Analysts want to quickly identify malware behavior
  • What damage does it do?
  • How does it infect a system?
  • How do we defend against it?
Stealthy Malware
• Adversary wants to hide from user and analyst
  • Prevent user from knowing
    • Don’t want user to end a malicious process
  • Prevent analyst from developing a defense
    • Make zero-days last as long as possible
• Malware that hides itself is stealthy
  • More effort required to analyze
• Over 30% of malware exhibits stealth
Artifacts and Stealthy Malware
• To maintain secrecy, adversary uses artifacts to detect analysis techniques
  • Timing (nonfunctional) artifacts – overhead introduced by analysis
    • Single-stepping instructions with a debugger is slow
    • Imperfect VM environment does not match native speed
  • Functional artifacts – features introduced by analysis
    • isDebuggerPresent() – legitimate feature abused by adversaries
    • Incomplete emulation of some instructions by VM
    • Device names (hard drive named “VMWare disk”)
• Too much effort to fully analyze each stealthy sample
  • Automated techniques exist, but they fail against stealthy samples
  • Manual analysis is time consuming and expensive
Introspection
• Understanding program behavior
• Debugger introspects program to access its raw data
  • Read variables
  • Reconstruct stack traces
  • Write variables to change execution path
• Analyst infers behavior of a sample from interpreting and changing this raw data
• Virtual Machine Introspection (VMI)
  • Plugin for a Virtual Machine Manager (slowdown)
  • Helper process inside guest VM (detectable process)
• If this sample is stealthy, the acquired introspection data may not be accurate
Transparency
• We want accurate introspection even in the presence of stealthy malware
• We want transparency – no artifacts produced by analysis
• We want transparent system introspection tools to solve this ‘debugging transparency problem’
Research Question
• Can we develop a transparent introspection technique that admits analyzing stealthy malware?
1. Can we transparently acquire snapshots of process memory?
2. Can we reconstruct the semantics of these snapshots?
3. Can we transparently alter the execution path of the program?
Formal Thesis Statement
It is possible to develop a transparent debugging system capable of reading variable values, reconstructing stack traces, and writing variable values by combining hardware assisted memory acquisition, process introspection, and CPU interposition.
Proposal Overview
1. Hardware-assisted introspection
   • Transparently acquire program data
   • PCI Express
   • System Management Mode (SMM)
2. Transparent program introspection
   • Transparently reconstruct program semantics from data
3. CPU Interposition
   • Transparently change program data to affect execution
   • Black box testing of Android malware
   • Patching quadcopter firmware
We propose yes!
Proposed Architecture
Hardware-Assisted Introspection
• Two proposed approaches
  • PCI-Express based
    • Few timing artifacts
    • Functional artifact (DMA access performance counter)
  • System Management Mode
    • Significant timing artifacts
    • No functional artifacts
PCI Express Memory Acquisition
• Use Xilinx ML507
  • Gigabit Ethernet
  • PCI Express Connector
(Figure: ML507 board with a Gigabit Ethernet link to the remote host and a PCI Express connector to the SUT)
PCI Express Memory Acquisition
• Proposed Experiments
  • Compare performance of SUT when uninstrumented and instrumented on indicative workloads
  • Note deviation in performance
  • If medians are within margin of error, we conclude success
  • Use RAMSpeed Benchmarks
    • Runs instructions from each unit on x86 (i.e., INT, FLOAT, SSE, MMX)
    • Records throughput of RAM only (not cache)
PCI Express Preliminary Results
(Chart: RAMSpeed Benchmark Results, n=500; 0.4% difference between medians)
PCI Express Memory Acquisition
• Fast, low overhead
  • Under 1%, within margin of error
  • Not practically measurable by malware
• Potentially presents functional artifacts
  • DMA access performance counter
System Management Mode
• Intel x86 feature provides a small, transparent, trusted computing base
• SMM akin to Protected Mode
  • System Management Interrupt (SMI) to enter SMM
  • SMI Handler executed in SMM
  • Code stored in System Management RAM (SMRAM)
• Trust only the BIOS
SMM Architecture
(Figure: SMM architecture. Protected Mode runs the OS/program code; an SMI occurs and the CPU switches into System Management Mode, where the SMI handler 1. finds the program in memory, 2. dumps it to the remote host, and 3. configures the next SMI; the CPU then resumes from SMM and OS/program execution continues.)
SMM Experiments
• Measure time elapsed during each SMM-related operation
  1. SMM Switch after SMI
  2. Find target program
  3. Configure next SMI
  4. Switch back from SMM
  (Under 12 μs total)
• Measure system overhead when configuring SMIs:
  1. Retired far control transfer instructions
  2. Retired near return instructions
  3. Retired taken branch instructions
  4. Retired instructions (i.e., per-instruction)
SMM Preliminary Results
Overhead (slowdown factor, x) of each SMI stepping method on indicative programs:

| Stepping method (Windows) | pi | ls | ps | pwd | tar |
|---|---|---|---|---|---|
| Far control | 2 | 2 | 2 | 3 | 2 |
| Near returns | 30 | 21 | 22 | 28 | 29 |
| Taken branches | 565 | 479 | 527 | 384 | 245 |
| All instructions | 973 | 880 | 897 | 859 | 704 |

| Stepping method (Linux) | pi | ls | ps | pwd | tar |
|---|---|---|---|---|---|
| Far control | 2 | 3 | 2 | 2 | 2 |
| Near returns | 26 | 41 | 28 | 10 | 15 |
| Taken branches | 192 | 595 | 483 | 134 | 159 |
| All instructions | 349 | 699 | 515 | 201 | 232 |
For reference, state-of-the-art Ether yields an overhead of roughly 3000x for a similar operation.
Process Introspection
Program Introspection
• First component gives us raw memory
  • Periodic snapshots from PCI-e or SMM support
• We want useful semantic information from snapshots
  • Variables
  • Activation records
Program Introspection
• Assume access to source code for ground truth
  • Two versions of binary
    • “Deployed” version represents the sample we would analyze
    • “Instrumented” version helps us hypothesize locations of semantic information
• Report fraction of variables correctly identified in Deployed binary
• Report fraction of function calls correctly identified in runtime stack trace
Introspection Experiments
• Consider indicative programs:
  • Wuftpd 2.6.0 (with CVE-2000-0573)
  • Nullhttpd 0.5.0 (with CVE-2002-1496)
• Run programs on indicative test cases
  • Gather ground truth on instrumented binary
  • Gather variable and stack trace information on deployed binary
  • Report fraction of variables correctly reported
  • Report stack trace as a function of sampling frequency (recall component 1 is polling-based)
Introspection Preliminary Results
Fraction of semantic information correctly recovered (correct/total):

| | nullhttpd | wuftpd |
|---|---|---|
| Locals | 43% (133/306) | 46% (202/436) |
| Stack | 65% (168/260) | 56% (119/214) |
| Globals | 100% (77/77) | 92% (4218/4580) |
| Overall | 59% (378/643) | 90% (4539/5230) |
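As an added illustration of component 2 (example code written for this page, not the proposal's or the HOPS tool's implementation), the Python below walks a frame-pointer chain in a constructed 32-bit little-endian stack snapshot, maps return addresses to a hypothetical function map, and scores the reconstructed trace against ground truth the way the Stack row above does. A clobbered saved frame pointer then shows how recovery degrades to a partial trace; all addresses, function names and the frame layout are assumptions.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Hypothetical function map (name -> [start, end) virtual address): what the
# instrumented binary would tell us about where code lives in the deployed one.
FUNCTIONS: Dict[str, Tuple[int, int]] = {
    "main":          (0x08048400, 0x08048500),
    "handle_conn":   (0x08048500, 0x08048600),
    "parse_request": (0x08048600, 0x08048700),
    "copy_field":    (0x08048700, 0x08048780),
}
STACK_BASE = 0xBFFF0000   # assumed address of the snapshot's first byte
FRAME_STRIDE = 0x20       # assumed distance between consecutive activation records


def function_for(addr: int) -> Optional[str]:
    """Map a return address to the function containing it, or None if unknown."""
    for name, (lo, hi) in FUNCTIONS.items():
        if lo <= addr < hi:
            return name
    return None


class Snapshot:
    """Raw memory as delivered by the acquisition path: bytes plus their address."""

    def __init__(self, base: int, data: bytes) -> None:
        self.base = base
        self.data = data

    def read_u32(self, addr: int) -> Optional[int]:
        off = addr - self.base
        if off < 0 or off + 4 > len(self.data):
            return None                     # outside the captured region
        return struct.unpack_from("<I", self.data, off)[0]


def build_stack(return_addrs: List[int]) -> Tuple[bytes, int]:
    """Constructed stack image: frame i sits at STACK_BASE + 0x10 + i*FRAME_STRIDE
    as [saved ebp][return address]; saved ebp links to frame i+1, outermost is 0.
    Returns the bytes and the innermost ebp (the snapshot's register state)."""
    size = 0x10 + FRAME_STRIDE * (len(return_addrs) + 1)
    buf = bytearray(b"\xAA" * size)         # filler standing in for locals
    for i, ret in enumerate(return_addrs):
        frame = STACK_BASE + 0x10 + i * FRAME_STRIDE
        saved_ebp = 0 if i == len(return_addrs) - 1 else frame + FRAME_STRIDE
        struct.pack_into("<II", buf, frame - STACK_BASE, saved_ebp, ret)
    return bytes(buf), STACK_BASE + 0x10


def clobber_saved_ebp(data: bytes, frame_index: int, value: int) -> bytes:
    """Overwrite one saved frame pointer: a snapshot taken mid frame set-up, or a
    frame-pointer-less function somewhere in the chain."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, 0x10 + frame_index * FRAME_STRIDE, value)
    return bytes(buf)


def walk_stack(snap: Snapshot, ebp: int, max_frames: int = 64) -> List[str]:
    """Follow the frame-pointer chain, innermost first. Stops on a null, unmapped
    or misaligned pointer, a pointer that does not move to higher addresses (loop
    or garbage), or a return address outside any known function, so a damaged
    snapshot yields a truncated trace instead of an exception."""
    trace: List[str] = []
    prev = 0
    while ebp and len(trace) < max_frames:
        if ebp <= prev or ebp % 4:
            break
        saved, ret = snap.read_u32(ebp), snap.read_u32(ebp + 4)
        if saved is None or ret is None:
            break
        name = function_for(ret)
        if name is None:
            break
        trace.append(name)
        prev, ebp = ebp, saved
    return trace


def score(trace: List[str], truth: List[str]) -> float:
    """Fraction of ground-truth calls correctly identified (position by position)."""
    hits = sum(1 for got, want in zip(trace, truth) if got == want)
    return hits / len(truth) if truth else 1.0


def demo() -> Tuple[float, float]:
    """Score an intact snapshot and one whose second saved frame pointer is clobbered."""
    truth = ["parse_request", "handle_conn", "main"]   # callers of copy_field
    rets = [0x08048650, 0x08048550, 0x08048450]        # return sites, innermost first
    data, ebp = build_stack(rets)
    good = score(walk_stack(Snapshot(STACK_BASE, data), ebp), truth)
    damaged = clobber_saved_ebp(data, 1, 0x41414141)
    partial = score(walk_stack(Snapshot(STACK_BASE, damaged), ebp), truth)
    return good, partial   # (1.0, 2/3)
```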
CPU Interposition
• Interposer sits between platform mainboard and CPU
  • Allows snooping and changing all signals to CPU
  • In practice, far too slow for full scale debugging
  • We propose using this hardware to insert instructions
• Component 2 permits reading values, but we also want to write values
• Alternatively, we can insert instructions to change software
Risk Mitigation: 2 Options
• Propose two potential avenues to explore CPU interposition
  • Support black box testing of Android Malware
  • Support patching of ARM-based firmware in autonomous aerial vehicles
• Propose fail early experiments, pick one option to take to completion
  • This component is speculative
  • Fail-early to help us ensure timely completion of satisfactory component
Option 1: Android Black Boxing
• CPU Interposition allows inserting instructions to change variable values
• Assume we know location of a variable
  • Component 2 gives us the location
  • Also must consider variables only in registers
• Specifically, find locations implicated in branches
  • Stealthy malware may have a branch instruction to decide the presence of artifacts
  • if (artifact) then x; else y;
• We want to change ‘artifact’ so we can exercise a different branch in the program
• Fail early experiment: retarget component 2 for ARM
Option 1: Proposed Experiments
• Overarching question: what fraction of the outcomes of branches can we successfully change?
• Consider every branch in program reachable via given test cases
  • Every branch has an associated register it checks
  • Attempt inserting instruction to change value of variable before branch
  • If we can change the outcome of a branch 80% of the time, we are successful
  • Can repeat if we fail: 5 repeats yields 99.97% success (3 sigma rule)
Option 2: Save the Quadcopters
• Program repair permits automatically patching software
• Quadcopters are realtime, resource-constrained platforms that fail
• Cannot change source code or reflash EEPROM while running
Option 2: Quadcopter Firmware
• CPU interposition allows inserting instructions, but not removing them
• We want to convert a given patch to a sequence of instructions for insertion while running
• We can undo some instructions
  • add rax, rax, 5 can be undone with sub rax, rax, 5
• We must also deploy the patch transparently
  • After current program counter to ensure execution
  • Before target location of insertion
Option 2: Proposed Experiments
• Early failure: classify indicative patches according to general operations
  • We hypothesize that patches consist of categories of general ‘building block’ operations (e.g., ‘remove call to function’)
  • This approach is feasible if we can take 100 indicative patches and manually convert 80 of them into fewer than 10 building block operations
• Assume we have a patch and desired deployment location
  • Periodically check program counter and compare to desired location
  • Determine whether to deploy the patch based on comparison
  • We are successful if we insert and exercise 80% of patches (3 sigma rule as before)
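An added example (written for this page, not the proposal's code) covering the two Option 2 mechanics from the last two slides: turning a patch into inserted instructions together with the inverse sequence that undoes it (the slide's add/sub pair), and deciding from polled program-counter samples whether the deployment point has been reached (after the current PC, before the target). The three-operand register syntax, register names, addresses and the lookahead window are assumptions for illustration; instructions such as mov, which cannot be undone by insertion alone, are rejected.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

INVERSE = {"add": "sub", "sub": "add"}   # ops an inserted instruction can undo


@dataclass(frozen=True)
class Insn:
    """One inserted instruction in the slide's three-operand form, e.g.
    add rax, rax, 5. A 'mov' writes an immediate into rd and has no rn."""
    op: str
    rd: str
    rn: Optional[str] = None
    imm: int = 0

    def __str__(self) -> str:
        if self.rn is None:
            return f"{self.op} {self.rd}, {self.imm}"
        return f"{self.op} {self.rd}, {self.rn}, {self.imm}"


def reversible(insn: Insn) -> bool:
    """add/sub that updates a register in place can be undone by the opposite op;
    anything that destroys the old value (mov) cannot be undone by insertion."""
    return insn.op in INVERSE and insn.rd == insn.rn


def invert(insn: Insn) -> Insn:
    if not reversible(insn):
        raise ValueError(f"cannot undo '{insn}' by inserting instructions")
    return Insn(INVERSE[insn.op], insn.rd, insn.rn, insn.imm)


def undo_sequence(patch: List[Insn]) -> List[Insn]:
    """Inverse of a whole patch: undo each instruction in reverse order."""
    return [invert(i) for i in reversed(patch)]


def execute(regs: Dict[str, int], seq: List[Insn]) -> Dict[str, int]:
    """Tiny register-only interpreter used to check that a patch and its undo
    sequence really cancel out before anything is pushed through the interposer."""
    regs = dict(regs)
    for i in seq:
        if i.op == "add":
            regs[i.rd] = regs[i.rn] + i.imm
        elif i.op == "sub":
            regs[i.rd] = regs[i.rn] - i.imm
        elif i.op == "mov":
            regs[i.rd] = i.imm
        else:
            raise ValueError(f"unsupported op {i.op}")
    return regs


def should_deploy(pc: int, target: int, lookahead: int) -> bool:
    """Deploy only while the sampled PC is before the target (so the inserted code
    is still reached) and within `lookahead` bytes of it (so it is not inserted so
    early that the program can observe or verify around it first)."""
    return pc < target and target - pc <= lookahead


def find_deployment_point(pc_samples: List[int], target: int,
                          lookahead: int) -> Optional[int]:
    """Polling loop over PC samples: index of the first sample at which the patch
    would be deployed, or None if the window was missed, in which case the caller
    retries on a later pass through the code (the 'repeated attempt' case)."""
    for idx, pc in enumerate(pc_samples):
        if should_deploy(pc, target, lookahead):
            return idx
    return None


def demo() -> bool:
    """Patch from the slide plus a second in-place update; verify that applying
    the patch and then its undo sequence restores the register state."""
    patch = [Insn("add", "rax", "rax", 5), Insn("sub", "rbx", "rbx", 2)]
    before = {"rax": 10, "rbx": 7}
    after = execute(before, patch)
    return execute(after, undo_sequence(patch)) == before   # True
```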
Publications Supporting Research
1. K. Leach, W. Weimer. HOPS: Towards Transparent Introspection. In preparation.
2. K. Leach. LO-PHI: Low Observable Physical Host Instrumentation. Under review at USENIX 2015. February 2015.
3. F. Zhang, K. Leach, A. Stavrou, H. Wang. Using Hardware Features for Increased Debugging Transparency. In the 36th IEEE Symposium on Security and Privacy (Oakland 2015). To appear.
4. F. Zhang, K. Leach, H. Wang, A. Stavrou. TrustLogin: Securing Password-Login on Commodity Operating Systems. In Proceedings of the 10th ACM Symposium on Information, Computer, and Communications Security (ASIACCS 2015). Singapore. Acceptance rate: 17.8%.
5. F. Zhang, H. Wang, K. Leach, A. Stavrou. A Framework to Secure Peripherals at Runtime. Proceedings of the 19th European Symposium on Research in Computer Security (ESORICS 2014). September 2014. Wroclaw, Poland. Acceptance rate: 24.7%.
6. F. Zhang, K. Leach, K. Sun, A. Stavrou. Spectre: A Dependable System Introspection Framework. In the 43rd IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2013). June 24-27, Budapest, Hungary. Acceptance rate: 19%.
7. K. Leach. Barley: Combining Control Flow with Resource Consumption to Detect Jump-based ROP Attacks. In the 43rd IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2013). June 24-27, Budapest, Hungary. Acceptance rate: 33%.
Proposed Timeline and Venues
• Typical venues:
  • USENIX (January/February)
  • RAID (April/May)
  • ACSAC (May/June)
  • ACM CCS (May)
  • ASPLOS (July)
  • NDSS (August)
  • IEEE S&P (November/December)
Summary
• Three components to provide debugging transparency
  • Hardware-assisted memory acquisition
    • PCI-e presents low overhead
    • SMM exposes few functional artifacts
  • Program Introspection
    • Use snapshots to reconstruct useful semantic information
  • CPU Interposition
    • Allow writing variable values to help exercise different paths of execution in a sample
• Questions?
Why ARM vs. x86?
• Preliminary investigation supports CPU interposition for ARM platforms
• x86 challenges
  • CPU interposition is not precise enough for proposed use cases
  • Hardware is prohibitively expensive (>$35,000)
• ARM benefits
  • CPU interposition is better supported by community
  • Hardware is much cheaper (~$3,000)
Known Artifacts (1)
Anti-debugging
• API calls
  • isDebuggerPresent
  • NtQueryInformationProcess.ProcessInformation
  • CheckRemoteDebuggerPresent
  • NtSetInformationThread with ThreadInformationClass = 0x11
  • DebugActiveProcess prevents attaching other debuggers
• PEB fields
  • IsDebugged flag
  • NtGlobalFlags
• Detection
  • ForceFlag in heap header
  • UnhandledExceptionFilter calls user-defined function, but terminates in a debugging process
  • TEB contains valid pointer under debug
  • Ctrl-C raises exception under debug, signal handler not scoped by debugger
  • Rogue INT-3 instructions
  • Trap flag register manipulation thwarts tracers
  • entryPoint RVA = 0 erases magic MZ value in PE files
  • ZwClose system call with invalid parameters raises exception in attached debugger
  • Direct context modification confuses debuggers
  • 0x2D interrupt causes program to stop raising exceptions
  • Undocumented 0xF1 instruction
  • Searching for CC instructions
  • TLS-callback to perform checks
Known Artifacts (2)
Anti-virtualization
• VMWare
  • Virtualized device identifiers contain well-known strings
  • Checkvm software searches for VMWare hooks in memory
  • Well-known locations/strings associated with VMWare Tools
• Other
  • LDTR register
  • IDTR register (Red Pill)
  • Magic I/O port (0x5658, ‘VX’)
  • Invalid instruction behavior
  • Memory deduplication to detect hypervisors
Anti-emulation
• Bochs
  • Visible debug port
• QEMU
  • Cpuid returns less specific information
  • Accessing reserved MSRs raises General Protection (GP) exception on bare metal
  • Executing an instruction longer than 15 bytes raises GP exception on bare metal
  • Undocumented icebp instruction hangs QEMU (bare metal raises exception)
  • Unaligned memory references raise exceptions on bare metal; unsupported by QEMU
  • Bit 3 of FPU Control Word register always 1 on bare metal, QEMU contains a 0
• Other
  • Use CPU bugs or errata to create CPU fingerprints via public chipset documentation
Remarks on SMM
• SMM is generalizable
  • Every Intel platform since 386 includes SMM
• Relatively small trusted code base (TCB)
  • TCB restricted to BIOS
    • Thousands of lines of code
  • VMI systems require trust to extend to kernel and VMM
    • Millions of lines of code
• Configuration of subsequent SMI necessary for periodicity
  • Also ensures transparency (DOS attacks from kernel space)
  • Configured according to available performance counters
SMM Preliminary Results
| Operation | Mean (μs) | STD (μs) |
|---|---|---|
| SMM Switch | 3.29 | 0.08 |
| Program Acquisition | 2.19 | 0.09 |
| SMI Configuration | 1.66 | 0.06 |
| SMM Resume | 4.58 | 0.10 |
| Total | 11.72 | |

(Chart: SMM Breakdown, share of total time per operation: SMM Switch, Program Acquisition, SMI Configuration, SMM Resume)
Clarifying Stack Traces
More on ARM Branches
• ARM branching instructions
  • B, BL, BX, BLX, BXJ (one register operand)
  • IT (x, y, z, cond)
  • CBZ, CBNZ (one register operand)
  • TBB, TBH (two register operands)
Relating Quadcopters to Malware
• Technical challenges posed by patching quadcopter firmware are indicative of challenges in stealthy malware analysis
• If we insert the patch too early, self-verifying code could prevent patch from executing
• Failure to patch requires a repeated attempt
• This is the heart of transparent breakpointing