follow the whiterabbit towards consolidation of on the
play

Follow the WhiteRabbit: Towards Consolidation of On-the-Fly - PowerPoint PPT Presentation

Jan 25, 2024 •340 likes •548 views

Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine Introspection IFIP SEC 2018 Sergej Proskurin, 1 Julian Kirsch, 1 and Apostolis Zarras 2 1 Technical University of Munich 2 Maastricht University

  1. Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine Introspection IFIP SEC 2018 Sergej Proskurin, 1 Julian Kirsch, 1 and Apostolis Zarras 2 1 Technical University of Munich 2 Maastricht University 19.09.2018 S. Proskurin et al. IFIP SEC 2018 1 / 19

  2. “Follow the white rabbit.” — The Matrix S. Proskurin et al. IFIP SEC 2018 2 / 19

  3. “Follow the white rabbit.” — The Matrix bluepill redpill S. Proskurin et al. IFIP SEC 2018 2 / 19

  4. Introduction & Background Technical University ofMunich Modern Operating Systems (OSes) provide a large attack surface ▸ 334 system calls in Linux kernel v4.18 (excluding compatibility system calls for 32-bit) ▸ Malware can gain the same privileges as OSes → Bypass or disable security mechanisms Move security applications out of the OS [1]: ▸ Place security applications into a small environment with higher privileges → Employ system virtualization S. Proskurin et al. IFIP SEC 2018 3 / 19

  5. Introduction & Background Technical University ofMunich System Virtualization virtual ISA VMM ISA Hardware Some background on system virtualization: “x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of s****. [...] That’s all x86 virtualization is.” — An openbsd-misc email by Theo de Raadt S. Proskurin et al. IFIP SEC 2018 4 / 19

  6. Introduction & Background Technical University ofMunich System Virtualization VM 0 virtual ISA VMM ISA Hardware Some background on system virtualization: “x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of s****. [...] That’s all x86 virtualization is.” — An openbsd-misc email by Theo de Raadt S. Proskurin et al. IFIP SEC 2018 4 / 19

  7. Introduction & Background Technical University ofMunich System Virtualization VM 0 Applications OS virtual ISA VMM ISA Hardware Some background on system virtualization: “x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of s****. [...] That’s all x86 virtualization is.” — An openbsd-misc email by Theo de Raadt S. Proskurin et al. IFIP SEC 2018 4 / 19

  8. Introduction & Background Technical University ofMunich System Virtualization System virtualization employed for different purposes ▸ Malware detection [4] and analysis [2, 5] ▸ System integrity validation [6] Benefits of system virtualization ▸ Narrow attack surface ▸ Strong isolation capabilities ▸ Complete view over the VM’s state S. Proskurin et al. IFIP SEC 2018 5 / 19

  9. Introduction & Background Technical University ofMunich System Virtualization System virtualization employed for different purposes ▸ Malware detection [4] and analysis [2, 5] ▸ System integrity validation [6] Benefits of system virtualization ▸ Narrow attack surface ▸ Strong isolation capabilities ▸ Complete view over the VM’s state How can we analyze OS internals from the outside? Employ Virtual Machine Introspection (VMI) [4] techniques S. Proskurin et al. IFIP SEC 2018 5 / 19

  10. Introduction & Background Technical University ofMunich Virtual Machine Introspection & The Semantic Gap Virtual Machine Introspection [4] Excerpt of the OS binary state ▸ Analyze and manipulate the guest OS state 1 20 00 00 00 00 00 00 00 FF FF FF FF FF FF 00 00 2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 from the outside of the VM 3 00 80 54 0C 00 00 FF FF 02 00 00 00 00 01 40 00 4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ▸ Binary state of guest OSes needs interpretation 5 01 00 00 00 01 00 00 00 10 00 00 00 00 00 00 00 6 BA EC FE FF 00 00 00 00 80 CF 66 28 00 80 FF FF ▸ Map the binary state to OS data structures 7 [ . . . ] → Lack of semantic information The Semantic Gap problem [1] ▸ Use semantic information of the guest OS and virtual hardware to bridge the Semantic Gap [7] S. Proskurin et al. IFIP SEC 2018 6 / 19

  11. Introduction & Background Technical University ofMunich Virtual Machine Introspection & The Semantic Gap Virtual Machine Introspection [4] Excerpt of the OS binary state ▸ Analyze and manipulate the guest OS state 1 20 00 00 00 00 00 00 00 FF FF FF FF FF FF 00 00 2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 from the outside of the VM 3 00 80 54 0C 00 00 FF FF 02 00 00 00 00 01 40 00 4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ▸ Binary state of guest OSes needs interpretation 5 01 00 00 00 01 00 00 00 10 00 00 00 00 00 00 00 6 BA EC FE FF 00 00 00 00 80 CF 66 28 00 80 FF FF ▸ Map the binary state to OS data structures 7 [ . . . ] → Lack of semantic information task_struct thread_info state The Semantic Gap problem [1] stack ▸ Use semantic information of the guest OS and virtual hardware usage to bridge the Semantic Gap [7] ... S. Proskurin et al. IFIP SEC 2018 6 / 19

  12. Motivation Technical University ofMunich Conventional VMI frameworks ▸ Employ VMI-aware VMMs (Xen, KVM, etc.) Issue: Target systems must be explicitely set up for VMI before operation ▸ Increases the administrative overhead ▸ Constraints employment of VMI S. Proskurin et al. IFIP SEC 2018 7 / 19

  13. Motivation Technical University ofMunich Conventional VMI frameworks ▸ Employ VMI-aware VMMs (Xen, KVM, etc.) Issue: Target systems must be explicitely set up for VMI before operation ▸ Increases the administrative overhead ▸ Constraints employment of VMI Idea: Combine VMI along with on-the-fly virtualization → WhiteRabbit VMI framework for forensic analysis ▸ Based on the idea of the Blue Pill rootkit [9] ▸ Employs Intel VT-x and ARM virtualization extensions S. Proskurin et al. IFIP SEC 2018 7 / 19

  14. Goals Technical University ofMunich (1) Virtual Machine Monitor ▸ Take over control of a running Linux (idea not limited to any OS) (2) Hiding from (split-personality) malware in memory ▸ Employ Second Stage Address Translation (3) (Remote) Virtual Machine Introspection ▸ Expose LibVMI interface to local or remote applications S. Proskurin et al. IFIP SEC 2018 8 / 19

  15. Goal 1: WhiteRabbit VMM Technical University ofMunich VM 0 non-root ring3 Applications VMX 0 g Device OS n i driver r root VMX ring0 WhiteRabbit Hardware (x86-64) Microkernel architecture designed for on-the-fly virtualization S. Proskurin et al. IFIP SEC 2018 9 / 19

  16. Goal 1: WhiteRabbit VMM Technical University ofMunich VM 0 non-root ring3 Applications VMX 0 ring3 g Device OS I/O VMI Mem Mgt n i driver r root VMX ring0 WhiteRabbit Hardware (x86-64) Microkernel architecture designed for on-the-fly virtualization ▸ Subsystems placed in user space (ring 3 on Intel; EL0 on ARM) ▸ I/O drivers isolated from the guest ▸ Establish a secure communication channel ▸ Leverage unused I/O devices or hardware multiplexing (e.g., Intel VT-d, ARM SMMU) S. Proskurin et al. IFIP SEC 2018 9 / 19

  17. Goal 1: WhiteRabbit VMM Technical University ofMunich VM 0 non-root ring3 Applications VMX 0 ring3 g Device OS I/O VMI Mem Mgt n i driver r root VMX ring0 WhiteRabbit Hardware (x86-64) Microkernel architecture designed for on-the-fly virtualization ▸ Only essential functionality in ring 0 on Intel (VMX root) and EL2 on ARM ▸ Reduced size and complexity of the VMM ▸ Can be deployed in an OS-dependent or OS-independent way S. Proskurin et al. IFIP SEC 2018 9 / 19

  18. Goal 1: On-the-Fly Virtualization Technical University ofMunich A VMM distributes its tasks across [8] : ▸ Allocator ▸ Dispatcher ▸ Interpreter S. Proskurin et al. IFIP SEC 2018 10 / 19

  19. Goal 1: On-the-Fly Virtualization Technical University ofMunich The Allocator Applications OS Hardware The allocator moves a running OS into a virtual environment S. Proskurin et al. IFIP SEC 2018 11 / 19

  20. Goal 1: On-the-Fly Virtualization Technical University ofMunich The Allocator VM 0 Applications OS Applications OS WhiteRabbit Hardware Hardware The allocator moves a running OS into a virtual environment S. Proskurin et al. IFIP SEC 2018 11 / 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Driving and virtualizing control systems: the Open Source approach used in WhiteRabbit Javier

Driving and virtualizing control systems: the Open Source approach used in WhiteRabbit Javier

Driving and virtualizing control systems: the Open Source approach used in WhiteRabbit Javier Muoz Mellid & Samuel Iglesias Gonsalvez Academia-Industry Matching event on Technology of Controls for Accelerators and Detectors November 2013

462 views • 31 slides
Debt Consolidation Presenter: Esteban Arze Debt Consolidation Have you ever wondered if there

Debt Consolidation Presenter: Esteban Arze Debt Consolidation Have you ever wondered if there

Debt Consolidation Presenter: Esteban Arze Debt Consolidation Have you ever wondered if there is a connection between health and wealth? Better decisions Clarity Less stress Less medical bills Debt Consolidation American household debt

629 views • 23 slides
Objectives Follow Sets Explain the purpose of the follow set. Dr. Mattox Beckman Be able

Objectives Follow Sets Explain the purpose of the follow set. Dr. Mattox Beckman Be able

Follow Sets Follow Sets Objectives Follow Sets Explain the purpose of the follow set. Dr. Mattox Beckman Be able to compute a follow set. University of Illinois at Urbana-Champaign Department of Computer Science Follow Sets Follow

88 views • 5 slides
GOALS COLLABORATIVE TEACHER IMPROVED CLASSROOM SCHOOL CONSOLIDATION WORKSPACES UTILIZATION

GOALS COLLABORATIVE TEACHER IMPROVED CLASSROOM SCHOOL CONSOLIDATION WORKSPACES UTILIZATION

PROGRAMMING SCHOOL CONSOLIDATION PK-8 TERRACE HILLS / COLLINS PK-8 SCHOOL CONSOLIDATION PROJECT IS COMMITTED TO EMBRACING EPISDS STRATEGIC PRIORITIES & LEARNING GOALS. PROJECT BASED LEARNING BREAK OUT AREAS SAFE CAMPUS WITH FRESH

759 views • 7 slides
Consolidation and Regionalization Efforts Michelle Frederick, P.E.

Consolidation and Regionalization Efforts Michelle Frederick, P.E.

State Water Resources Control Board, Division of Drinking Water Consolidation and Regionalization Efforts Michelle Frederick, P.E. Caitlin Juarez Consolidation Coordinators Topics

688 views • 26 slides
ISO 20022 messaging in the context of the T2-T2S Consolidation project 1 st meeting of the

ISO 20022 messaging in the context of the T2-T2S Consolidation project 1 st meeting of the

ISO 20022 messaging in the context of the T2-T2S Consolidation project 1 st meeting of the Target Consolidation Contact Group (TCCG) Frankfurt, 06 February 2018 Agenda Objectives Principles related to ISO 20022 Migration Current

102 views • 9 slides
Tax Consolidation Presenter : P V Srinivasan pvs@pvsadvisors.com Mobile: +919845057597 1

Tax Consolidation Presenter : P V Srinivasan pvs@pvsadvisors.com Mobile: +919845057597 1

The Chamber of Tax Consultants Bangalore Study Group Meeting January 28, 2020 Tax Consolidation Presenter : P V Srinivasan pvs@pvsadvisors.com Mobile: +919845057597 1 Tax Consolidation - Concept Supreme Court in Govind Saran Ganga Saran

473 views • 10 slides
LSCU-GCUA Strategic Consolidation A little about me SVP, Association Services LSCU: 8+

LSCU-GCUA Strategic Consolidation A little about me SVP, Association Services LSCU: 8+

LSCU-GCUA Strategic Consolidation A little about me SVP, Association Services LSCU: 8+ years Prior to: American Cancer Society Amazing family 2-Time FSU Graduate HUGE Sports Fan Did I mention FSU? Consolidation Town Halls

719 views • 20 slides
Characterization & Analysis of a Server Consolidation Benchm ark on Xen Padm a Apparao

Characterization & Analysis of a Server Consolidation Benchm ark on Xen Padm a Apparao

Characterization & Analysis of a Server Consolidation Benchm ark on Xen Padm a Apparao Ravi Iyer, Don Newell, Xiaomin Zhang, Tom Adelmeyer Intel Corporation Nov 16 th , 2007 1 Background Virtualization and consolidation are a

571 views • 17 slides
Consolidation Rate Chapter 9 Consolidation Model 1 4/2/2015 Consolidation Rate

Consolidation Rate Chapter 9 Consolidation Model 1 4/2/2015 Consolidation Rate

4/2/2015 Consolidation Rate Chapter 9 Consolidation Model 1 4/2/2015 Consolidation Rate 1 1 Coefficient of

361 views • 8 slides
Water Protection Program Water Regionalization/Consolidation Benefits of

Water Protection Program Water Regionalization/Consolidation Benefits of

Water Protection Program Water Regionalization/Consolidation Benefits of Regionalization/Consolidation Easier to meet and sustain regulatory standards Spreads capital and operational costs among more users Greater financial strength

424 views • 10 slides
Straw Proposal Business Programs Follow-up Business Program Follow-up Topic Follow-up

Straw Proposal Business Programs Follow-up Business Program Follow-up Topic Follow-up

Triennial Plan II: Straw Proposal Business Programs Follow-up Business Program Follow-up Topic Follow-up How does EMs list of measures compare with other programs? What are the costs that make custom more expensive than

523 views • 13 slides
Can consolidation targets be achieved and if so, how? OSCAR Inc Organisation Sunshine Coast

Can consolidation targets be achieved and if so, how? OSCAR Inc Organisation Sunshine Coast

Can consolidation targets be achieved and if so, how? OSCAR Inc Organisation Sunshine Coast Association of Residents Greg Smith, President Suggested points to cover Does OSCAR have a view on consolidation targets as expressed in the SEQ

364 views • 12 slides
Village and Town of Pawling Consolidation Public Meeting Village and Town of Pawling

Village and Town of Pawling Consolidation Public Meeting Village and Town of Pawling

Village and Town of Pawling Consolidation Public Meeting Village and Town of Pawling Consolidation Study August 25, 2020 Introductions Laberge Group Benjamin H. Syden, AICP, Vice President Kathleen Rooney, Local Government Specialist

407 views • 25 slides
Pathology Consolidation in England 29 th August 2019 NHS England and NHS Improvement 1. The

Pathology Consolidation in England 29 th August 2019 NHS England and NHS Improvement 1. The

Pathology Consolidation in England 29 th August 2019 NHS England and NHS Improvement 1. The drivers History of consolidation in the NHS Results : The Carter review The opportunity Report saw 5bn of value opportunity 2020- 21, if

352 views • 31 slides
Implications of Cache Asymmetry on Server Consolidation Performance Presenter: Omesh Tickoo

Implications of Cache Asymmetry on Server Consolidation Performance Presenter: Omesh Tickoo

Implications of Cache Asymmetry on Server Consolidation Performance Presenter: Omesh Tickoo Padma Apparao, Ravi Iyer, Don Newell *Hardware Architecture Lab Intel Corporation 1 IISWC 2008 Outline Server Consolidation Asymmetric

334 views • 14 slides
Overview ! !

Overview ! !

428 views • 8 slides
CS5412: SPRING 2012 CLOUD COMPUTING Lecture 1 Ken Birman Welcome to CS 5412... 2 A completely

CS5412: SPRING 2012 CLOUD COMPUTING Lecture 1 Ken Birman Welcome to CS 5412... 2 A completely

CS5412 Spring 2012 (Cloud Computing: Birman) 1 CS5412: SPRING 2012 CLOUD COMPUTING Lecture 1 Ken Birman Welcome to CS 5412... 2 A completely new course dedicated to the technology behind cloud computing! In my country of Khazackstan, many

588 views • 46 slides
MIKE AMBINDER, PhD VALVE DATA TO DRIVE DECISION-MAKING HOW AND WHY VALVE USES DATA TO DRIVE THE

MIKE AMBINDER, PhD VALVE DATA TO DRIVE DECISION-MAKING HOW AND WHY VALVE USES DATA TO DRIVE THE

MIKE AMBINDER, PhD VALVE DATA TO DRIVE DECISION-MAKING HOW AND WHY VALVE USES DATA TO DRIVE THE CHOICES WE MAKE Data to Drive Decision-Making Decision-Making at Valve Introduction to experimental design Data collection/analysis

813 views • 52 slides
Combining Cooperative and Adversarial Coevolution in the Context of Pac-Man by Alexander Dockhorn

Combining Cooperative and Adversarial Coevolution in the Context of Pac-Man by Alexander Dockhorn

Combining Cooperative and Adversarial Coevolution in the Context of Pac-Man by Alexander Dockhorn and Rudolf Kruse Institute for Intelligent Cooperating Systems Department for Computer Science, Otto von Guericke University Magdeburg

326 views • 21 slides
Governing Equations 4. The governing equations are mathematical statements of the physical

Governing Equations 4. The governing equations are mathematical statements of the physical

1. We start our development of a numerical method for simulations of multifluid and multiphase flows by a DNS of Multiphase Flows Direct Numerical short discussion of the governing equations. Simulations of Multiphase Flows-2

274 views • 9 slides
Foundations of Energy Harvesting and Energy Cooperating Wireless Communications Aylin Yener Penn

Foundations of Energy Harvesting and Energy Cooperating Wireless Communications Aylin Yener Penn

WiOpt 2017 GREENNET Keynote May 19, 2017 Foundations of Energy Harvesting and Energy Cooperating Wireless Communications Aylin Yener Penn State (on leave at Stanford) yener@{engr.psu, stanford}.edu Introduction Wireless Communications

1.03k views • 84 slides
Capital Structure II Corporate Finance and Incentives Lars Jul Overby Department of Economics

Capital Structure II Corporate Finance and Incentives Lars Jul Overby Department of Economics

Capital Structure II Corporate Finance and Incentives Lars Jul Overby Department of Economics University of Copenhagen December 2010 Lars Jul Overby (D of Economics - UoC) Capital Structure II 12/10 1 / 25 Capital structure The firms

441 views • 25 slides
CS 744: Big Data Systems Shivaram Venkataraman Fall 2018 ADMINISTRIVIA - Assignment 1 -

CS 744: Big Data Systems Shivaram Venkataraman Fall 2018 ADMINISTRIVIA - Assignment 1 -

CS 744: Big Data Systems Shivaram Venkataraman Fall 2018 ADMINISTRIVIA - Assignment 1 - Projects - Piazza MOTIVATION Storing large amounts of semi-structured data - Traditionally done using database systems Varied processing needs - low

388 views • 20 slides

More recommend