nighthawk transparent system introspection from ring 3
play

Nighthawk: Transparent System Introspection from Ring -3 ESORICS - PowerPoint PPT Presentation

May 20, 2023 •40 likes •470 views

Nighthawk: Transparent System Introspection from Ring -3 ESORICS 2019 Lei Zhou ( ) , Jidong Xiao 1 , Kevin Leach 5 , Westley Weimer 5 , F ) , Guojun Wang I ( Central South University,

  1. Nighthawk: Transparent System Introspection from Ring -3 ESORICS 2019 Lei Zhou ( ) ∗ , Jidong Xiao 1 , Kevin Leach 5 , Westley Weimer 5 , 𝐆𝐟𝐨𝐡𝐱𝐟𝐣 𝐚𝐢𝐛𝐨𝐡 F ) ∗∗ , Guojun Wang I ( Central South University, China ) Wayne State University, USA 1 Boise State University, USA 5 University of Michigan, USA F SUSTech, China I Guangzhou University, China * Work was done while visiting COMPASS lab at WSU; ** The corresponding author

  2. Ou Outline • Introduction and Background • Architecture of Nighthawk • Design and Implementation • Evaluation: Effectiveness and Performance • Conclusion

  3. Pr Privilege Layers Ring 3 User mode virus Ring 0 Kernel mode rootkits Ring -1 Hypervisor rootkits Ring -2 SMM rootkits (SMM reload)

  4. Defense Mechanism How to defend against the attacks in each layer?

  5. Defense Mechanism How to defend against the attacks in each layer? Deploy a defense at the a more privileged layer !

  6. Existing Malware Detection n Virtualization based defensive approach ( ring -1 ) Advantages ---- Full control of VM. Limitations ---- High performance overhead and more likely to be a new target of attack.

  7. Existing Malware Detection n Virtualization based defensive approach ( ring -1 ) Advantages ---- Full control of VM. Limitations ---- High performance overhead and more likely to be a new target of attack. n Hardware based defensive approach ( ring -2 ) Advantages ---- Small TCB and lower layer. Limitations ---- Additional monitoring device or disturbing the normal system execution.

  8. How to better defend against low-level attacks?

  9. How to better defend against low-level attacks? “Ring -3” ?

  10. Higher Privilege System In Intel Architecture Applications User mode Supervisor mode Intel ME system: Provide assistance protection for Host Hypervisor kernel Intel AMT Software Hardware SPI Flash ME DRAM SMRAM Intel ME system: Memory UMA Strong Isolation but integrate into Intel Chipset ME CPU Main CPU motherboard Understanding DMA Malware (DIMVA 2012)

  11. Intel Management Engine ü No Extra Hardware Needed ü Full Privilege ü Small TCB ü Transparency and low performance overhead

  12. Intel Management Engine ü No Extra Hardware Needed ü Full Privilege ü Small TCB ü Transparency and low performance overhead However, IME related resources are not public to users

  13. Location Microcontroller embedded in the PCH (older version in MCH)

  14. Ou Outline • Introduction and Background • Architecture of Nighthawk • Design and Implementation • Evaluation: Effectiveness and Performance • Conclusion

  15. High-level Architecture of the Nighthawk Introspection Introspection Compromised & modules Memory DMA-based Checking Assist Forensics Analyzing IME Target Host Remote Machine Target Machine If we are able to add introspection code into IME system, we can check arbitrary host physical memory.

  16. Details of Components in Nighthawk

  17. Ou Outline • Introduction and Background • Architecture of Nighthawk • Design and Implementation • Evaluation: Effectiveness and Performance • Conclusion

  18. Nighthawk Design & Implementation § Preparing the Target Machine § Target Host Reconnaissance § Measuring Integrity via Custom IME § Command from Remote Machine

  19. High-level Overview of the Implementation

  20. Nighthawk Design & Implementation § Preparing the Target Machine § Target Host Reconnaissance § Measuring Integrity via Custom IME § Command from Remote Machine

  21. Preparing Target Machine (1) — Code Injection The Process for introspection code injection in ME

  22. How to Inject the Introspection Code Through Reverse engineering of the ME system code, we find the ideal function entry in which to inject the code.

  23. Preparing Target Machine (2) — Stop Reusing Injection Stop reusing the injection in ME: leveraging the Intel TXT to lock the related registers.

  24. Nighthawk Design & Implementation § Preparing the Target Machine § Target Host Reconnaissance § Measuring Integrity via Custom IME § Command from Remote Machine

  25. Target Host Reconnaissance (1) — General Case The information including: System call table : 0x1653100 Kernel _text: 0x1000000 kvm_intel: 0xf8bc7000 … Once the host system initializes, we fetch those basic information.

  26. Target Host Reconnaissance (2) — Special Case To mitigate some attacks like ATRA, we leverage SMM to get the runtime CPU information after checking SMRAM.

  27. Nighthawk Design & Implementation § Preparing the Target Machine § Target Host Reconnaissance § Measuring Integrity via Custom IME § Command from Remote Machine

  28. Measuring Integrity via Custom IME Workflow of Introspection

  29. Nighthawk Design & Implementation § Preparing the Target Machine § Target Host Reconnaissance § Measuring Integrity via Custom IME § Command from Remote Machine

  30. Command from Remote Machine

  31. Ou Outline • Introduction and Background • Architecture of Nighthawk • Design and Implementation • Evaluation: Effectiveness and Performance • Conclusion

  32. Evaluation The test environment platform: ü Intel DQ35JO motherboard with 3.0GHz Intel E8400 CPU, ICH9D0 I/O Controller Hub and 2GB RAM. ü Intel e1000e Gigabyte network card for the network communication. ü We use an earlier BIOS version (JOQ3510J.86A.0933) for injecting code into ME. ü We run Ubuntu with the Linux kernel version 2.6.x to 4.x, along with KVM- and Xen-based Hypervisor.

  33. Effectiveness--General Attacks Target Object and Attacks To simulate the attacking environment, we use existing rootkits for OS kernel, SMM, etc., installed in the target system. We manually modify the memory content in kernel, Xen, KVM and SMM modules. Through experiments, all attacks illustrated in this table have been detected by Nighthawk

  34. Effectiveness -- Mitigating Special Attacks ATRA Detection We detect ATRA by testing for Page Global Directory and CR3 changes Transient Attacks Detection We simulate a transient attack using a toorkit-modified rootkit that changes the pointer address of the system call table. Our results in the table show that Nighthawk can detect transient attacks in real world.

  35. Performance Evaluation DMA Fetching Overhead Integrity Checking Overhead Transmission Overhead

  36. DMA Fetching Overhead Time consumed by fetching data (Pages). * represents the number of PTEs. Time consumed by DMA (User Cases ). α represents accessing times. Fetching data from host memory to ME memory

  37. Memory Degradation Due To Introspection With the benchmark test, the results show that Nighthawk has a very small performance impact to host.

  38. Integrity Checking Overhead § Time cost depends on the hash algorithm we choose. -- For 4KB memory page, it takes 7.3ms for checking under SDBM hash . § Note that, for more complexity hash algorithm, e.g., sha1, it takes more time for checking. § Compared to the fetching time, the checking time is very lower.

  39. Comparison for Checking Overhead With the SDBM hash verification test, we found the computing performance is much lower than it is in Host. For example, comparing a 6.3MB data, 25s is needed in ME, and 10 ms in Host. Main factor: ME CPU core has a significantly lower computational capability. We develop a CPU speed testing program, and the experimental result shows that the ME CPU executes approximately 15 million instructions each second (Meanwhile, billions per second on regular CPUs).

  40. Transmission Overhead l For a small message(<1 KB ), takes 228 ms on average to pass the data. l For a dumping data (i.e., > 64 KB ), we divide the data into multiple packets and transmit via multiple messages. e.g., 64KB data takes 4.9 s .

  41. Performance Evaluation Summary

  42. Conclusion Nighthawk—a transparent introspection framework — Leveraging Intel ME — High privilege: ring -3 — Small TCB Attack scenarios — Real-world attacks against OS kernels, type-I and type-II hypervisors, and unlocked system management RAM Introducing almost zero overhead

  43. Thank you! Questions? zhangfw@sustech.edu.cn https://fengweiz.github.com/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Transparent System Introspection in Support of Analyzing Stealthy Malware Kevin Leach PhD

Transparent System Introspection in Support of Analyzing Stealthy Malware Kevin Leach PhD

Transparent System Introspection in Support of Analyzing Stealthy Malware Kevin Leach PhD Dissertation kjl2y@virginia.edu November 30, 2016 Analogy: Volkswagen Scandal Volkswagen cheated on emissions test (over 10x EPA requirements) 2

1.56k views • 78 slides
Introspection and Consciousness: Wrap-Up Talk David Chalmers Introspection for Great Apes David

Introspection and Consciousness: Wrap-Up Talk David Chalmers Introspection for Great Apes David

Introspection and Consciousness: Wrap-Up Talk David Chalmers Introspection for Great Apes David Chalmers Four Issues The Power of Introspection 1. Doubts about Introspection 2. Mechanisms of Introspection 3. Introspection and Consciousness

733 views • 26 slides
Subverting System Authentication With Context-Aware, Reactive Virtual Machine Introspection

Subverting System Authentication With Context-Aware, Reactive Virtual Machine Introspection

Background Detailed Design Implementation Evaluation Related Work Summary Subverting System Authentication With Context-Aware, Reactive Virtual Machine Introspection Yangchun Fu , Zhiqiang Lin, Kevin Hamlen Department of Computer Science The

814 views • 52 slides
NIGHTHAWK NEXT STEPS APPLICATION Home Campus Designation Alexandria, Annandale, Loudoun,

NIGHTHAWK NEXT STEPS APPLICATION Home Campus Designation Alexandria, Annandale, Loudoun,

NIGHTHAWK NEXT STEPS APPLICATION Home Campus Designation Alexandria, Annandale, Loudoun, Manassas, Woodbridge And our Medical Education Campus in Springfield Choosing the Right Major https://www.vawizard.org/wizard/home

105 views • 6 slides
Rustifying the VM Introspection Ecosystem FOSDEM 2020 Dorian Eikenberg Mathieu Tarral Agenda

Rustifying the VM Introspection Ecosystem FOSDEM 2020 Dorian Eikenberg Mathieu Tarral Agenda

Rustifying the VM Introspection Ecosystem FOSDEM 2020 Dorian Eikenberg Mathieu Tarral Agenda What is VM Introspection ? VMI ecosystem today Rustifying the VM Introspection ecosystem Future work Virtualization

718 views • 33 slides
Candidat didates s Toda day Hirin ring g Toda day Unemployment at a 7 year low Model

Candidat didates s Toda day Hirin ring g Toda day Unemployment at a 7 year low Model

Candidat didates s Toda day Hirin ring g Toda day Unemployment at a 7 year low Model business buyer behavior - Expect a transparent and personalised experience Candidate decision journey now 41% longer 16 with an average of touch points

531 views • 24 slides
One City, One System Transparent, Consistent, Reliable Seattle City Council Briefing Affordable

One City, One System Transparent, Consistent, Reliable Seattle City Council Briefing Affordable

One City, One System Transparent, Consistent, Reliable Seattle City Council Briefing Affordable Housing, Neighborhoods &amp; Finance Committee February 15, 2017 What is Summit? Summit is the Citys financial management system, built with

495 views • 15 slides
STAR System of Transparent Allocation of Resources Informal Advisory Committee on Capacity

STAR System of Transparent Allocation of Resources Informal Advisory Committee on Capacity

GEFs STAR System of Transparent Allocation of Resources Informal Advisory Committee on Capacity Building for the Implementation of the Nagoya Protocol CBD Secretariat Montreal, September 15-17, 2015 Jai Jaime Caveli lier Programs Unit

464 views • 8 slides
TFS: A Transparent File System for Contributory Storage James Cipar Mark D. Corner

TFS: A Transparent File System for Contributory Storage James Cipar Mark D. Corner

Florida International University TFS: A Transparent File System for Contributory Storage James Cipar Mark D. Corner Emery D. Berger Luis Useche lusec001@cs.fiu.edu 4/3/07 Overview Introduction TFS: Design TFS: Implementation

357 views • 34 slides
Intelligence, Introspection Intelligence, Introspection and Intervention and Intervention The

Intelligence, Introspection Intelligence, Introspection and Intervention and Intervention The

Intelligence, Introspection Intelligence, Introspection and Intervention and Intervention The Vancouver Island Regional The Vancouver Island Regional Approach to Traffic Crashes Approach to Traffic Crashes Richard Stanwick Stanwick MD,

443 views • 26 slides
Transparent Assessment Providing transparent goals and expectations for students Jonathon Adams

Transparent Assessment Providing transparent goals and expectations for students Jonathon Adams

Transparent Assessment Providing transparent goals and expectations for students Jonathon Adams Shinshu University Thursday, 9 August 12 Outline Aims of the presentation An approach to transparent goals and expectations Example

576 views • 46 slides
Collector Ring (CR) - FAIR EoI 13b: RF Systems Prerequisites for All Tasks Official

Collector Ring (CR) - FAIR EoI 13b: RF Systems Prerequisites for All Tasks Official

Collector Ring (CR) - FAIR EoI 13b: RF Systems Overview on EoI 13b SIS100 Bunch Compression System SIS100 Barrier Bucket System Interfaces and Low-Level RF for: all SIS100 RF Systems (Accel., BC, BB, Long. Feedback) all CR RF

497 views • 18 slides
INTROPERF: TRANSPARENT CONTEXT- SENSITIVE MULTI-LAYER PERFORMANCE INFERENCE USING SYSTEM STACK

INTROPERF: TRANSPARENT CONTEXT- SENSITIVE MULTI-LAYER PERFORMANCE INFERENCE USING SYSTEM STACK

INTROPERF: TRANSPARENT CONTEXT- SENSITIVE MULTI-LAYER PERFORMANCE INFERENCE USING SYSTEM STACK TRACES Chung Hwan Kim*, Junghwan Rhee, Hui Zhang, Nipun Arora, Guofei Jiang, Xiangyu Zhang*, Dongyan Xu* NEC Laboratories America *Purdue University

459 views • 30 slides
Device-Transparent Personal Storage Based on the article Eyo: Device Transparent Personal

Device-Transparent Personal Storage Based on the article Eyo: Device Transparent Personal

Device-Transparent Personal Storage Based on the article Eyo: Device Transparent Personal Storage by Jacob Strauss, Justin Mazzola Paluska, Chris Lesniewski-Laas, Bryan Ford, Robert Morris, Frans Kaashoek Eyos assumptions and API

490 views • 30 slides
Virtual ring routing Virtual ring routing Some slides from http://

Virtual ring routing Virtual ring routing Some slides from http://

Virtual ring routing Virtual ring routing Some slides from http:// research.microsoft.com/en-us/um/people/antr/vrr- sigcomm06.ppt 123 VRR: the virtual ring VRR: the virtual ring topology-independent 0 FFF node identifiers, e.g., MAC

694 views • 18 slides
Ring A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring Study: Background Study Design:

Ring A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring Study: Background Study Design:

A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring A Vaginal Ring Containing Dapivirine for HIV-1 PrEP Ring Study: Background Study Design: Ring Background : Randomized, double-blind, phase 3, placebo-controlled trial of a

341 views • 6 slides
New Mexico Susan Chacon Ease of Use of Services for La/no

New Mexico Susan Chacon Ease of Use of Services for La/no

New Mexico Susan Chacon Ease of Use of Services for La/no Families Who Have Children and Youth With Special Health Care Needs Ac/on Learning

824 views • 12 slides
and Birth Outcomes to Enhance Program Targeting Amanda Bennett, PhD CDC Assignee in MCH

and Birth Outcomes to Enhance Program Targeting Amanda Bennett, PhD CDC Assignee in MCH

Connecting Concentrated Disadvantage and Birth Outcomes to Enhance Program Targeting Amanda Bennett, PhD CDC Assignee in MCH Epidemiology IDPH Office of Womens Health &amp; Family Services BACKGROUND Using Local Level Data for Program

491 views • 19 slides
Family Engagement Overview and Opportunities Alice Wertheimer Center Project Coordinator Family

Family Engagement Overview and Opportunities Alice Wertheimer Center Project Coordinator Family

Family Engagement Overview and Opportunities Alice Wertheimer Center Project Coordinator Family Engagement Team Lead Team Overview Team Mission To integrate the consumer/family perspective into all aspects of the Centers work Who Are We?

368 views • 10 slides
FreeBSD and NUMA John Baldwin NYC*BUG June 3, 2015 What is NUMA Non-Uniform Memory

FreeBSD and NUMA John Baldwin NYC*BUG June 3, 2015 What is NUMA Non-Uniform Memory

FreeBSD and NUMA John Baldwin NYC*BUG June 3, 2015 What is NUMA Non-Uniform Memory Architecture Slow vs Fast Memory From CPUs From I/O Devices Present on x86 starting with AMD Opterons (HyperTransport) and Intel

569 views • 16 slides
Update on the /Solver Interface Library AMPL Robert Fourer Dept. of Industrial Engineering

Update on the /Solver Interface Library AMPL Robert Fourer Dept. of Industrial Engineering

Update on the /Solver Interface Library AMPL Robert Fourer Dept. of Industrial Engineering and Management Sciences Northwestern University 4er@iems.nwu.edu David M. Gay AMPL Optimization LLC dmg@acm.org dmg@ampl.com Outline 1.

575 views • 30 slides
Induced matchings and the a lge b r a i c st ab ilit y of persisten c e ba r c odes U lri c h Bau

Induced matchings and the a lge b r a i c st ab ilit y of persisten c e ba r c odes U lri c h Bau

Induced matchings and the a lge b r a i c st ab ilit y of persisten c e ba r c odes U lri c h Bau er TUM A pr 7, 20 15 GETCO 20 15, Aa l b org J oint w ork w ith M i c h a el L esni c k ( IMA ) 1 / 2 8 2 / 2 8 2 / 2 8 2 / 2 8 2 / 2 8 2 / 2 8 2 / 2

1.76k views • 149 slides
Algorithmic Sahlqvist Preservation for Modal Compact Hausdorff Spaces Zhiguang Zhao Delft

Algorithmic Sahlqvist Preservation for Modal Compact Hausdorff Spaces Zhiguang Zhao Delft

Algorithmic Sahlqvist Preservation for Modal Compact Hausdorff Spaces Zhiguang Zhao Delft University of Technology, Delft, the Netherlands TACL, Prague, 28th Jun, 2017 Motivation and Aim Discrete duality Discrete duality CABAO CABAO KF KF

219 views • 10 slides
Optimizations to NFS LA Patrick Stach NFS Linear Algebra Solve for a vector x such that:

Optimizations to NFS LA Patrick Stach NFS Linear Algebra Solve for a vector x such that:

Optimizations to NFS LA Patrick Stach NFS Linear Algebra Solve for a vector x such that: x != 0 and B*x = 0 One of, if not the worst, scaling steps of NFS RSA-640 (193 digits) to RSA-200 1.5 months to 3 months increase

634 views • 46 slides

More recommend