semantics driven introspection in a virtual environment
play

Semantics-Driven Introspection in a Virtual Environment . Baiardi 1 - PowerPoint PPT Presentation

Apr 28, 2023 •21 likes •311 views

Problem Overall Architecture Evaluation Conclusion Semantics-Driven Introspection in a Virtual Environment . Baiardi 1 D. Maggiari 1 D. Sgandurra 2 . Tamberi 2 F F 1 Polo G. Marconi - La Spezia, University of Pisa 2 Department of Computer

  1. Problem Overall Architecture Evaluation Conclusion Semantics-Driven Introspection in a Virtual Environment . Baiardi 1 D. Maggiari 1 D. Sgandurra 2 . Tamberi 2 F F 1 Polo G. Marconi - La Spezia, University of Pisa 2 Department of Computer Science, University of Pisa IAS Conference, 2008 1/21 Daniele Sgandurra Semantics-Driven Introspection in a Virtual Environment

  2. Problem Overall Architecture Evaluation Conclusion Outline Problem 1 Sense of Self Overall Architecture 2 Assertions and System Calls Virtualization Overall Architecture Evaluation 3 Performance Conclusion 4 Results and Future Works 2/21 Daniele Sgandurra Semantics-Driven Introspection in a Virtual Environment

  3. Problem Overall Architecture Sense of Self Evaluation Conclusion Attacks Against the Self Protecting a process from attacks that alter the intended behavior of the executed program. We want to preserve the original semantics of the program. We are not interested in logic errors, such as: authentication errors (weak passwords); malicious behavior. 3/21 Daniele Sgandurra Semantics-Driven Introspection in a Virtual Environment

  4. Problem Overall Architecture Sense of Self Evaluation Conclusion Buffer Overflow The program stores more data into a buffer than the memory space reserved for it. The attacker may overwrite data that controls the program’s flow: control-hijacking attack: the attacker can diverge the control flow; malicious code is executed. If the program has the rights of invoking any system call, the attacker gains control of the system. 4/21 Daniele Sgandurra Semantics-Driven Introspection in a Virtual Environment

  5. Problem Overall Architecture Sense of Self Evaluation Conclusion A Sense of Self for Processes Notion of process self: the program that the process executes. Based on traces of system calls: dynamic analysis: Forrest et al; static analysis: Wagner and Dean. Assumption: a process can execute security critical operations only through system calls. Denial of service attacks are still possible! 5/21 Daniele Sgandurra Semantics-Driven Introspection in a Virtual Environment

  6. Problem Assertions and System Calls Overall Architecture Virtualization Evaluation Overall Architecture Conclusion General Approach Find system call sites in the program’s source code: their return address. Generate an invariant for each system call: relate values of programs variables and of system call parameters. At run-time, access the memory of the monitored process to evaluate an invariant each time the process issues a system call. Exploit virtualization technology. 6/21 Daniele Sgandurra Semantics-Driven Introspection in a Virtual Environment

  7. Problem Assertions and System Calls Overall Architecture Virtualization Evaluation Overall Architecture Conclusion Virtualization Virtual Machines (VMs): execution environments that emulate, at software, the behavior of the underlying physical machine. A standard machine can support several VMs. 7/21 Daniele Sgandurra Semantics-Driven Introspection in a Virtual Environment

  8. Problem Assertions and System Calls Overall Architecture Virtualization Evaluation Overall Architecture Conclusion Architecture Based on two virtual machines: the Monitored VM (Mon-VM), i.e. the VM executing the process to be monitored; the Introspection VM (I-VM), i.e. the VM monitoring the process through virtual machine introspection: Assertion Checker: to evaluate invariants; Introspection Library: to access the memory of the monitored VM. 8/21 Daniele Sgandurra Semantics-Driven Introspection in a Virtual Environment

  9. Problem Assertions and System Calls Overall Architecture Virtualization Evaluation Overall Architecture Conclusion Monitored VM It runs the monitored process. HiMod: Linux Kernel Module to hijack system calls. Only a subset of system calls is traced: most critical ones. 9/21 Daniele Sgandurra Semantics-Driven Introspection in a Virtual Environment

  10. Problem Assertions and System Calls Overall Architecture Virtualization Evaluation Overall Architecture Conclusion Introspection VM It runs the monitoring systems and applies the consistency checks. It exploits the Introspection Library to access the monitored VM. Assertion Checker evaluates invariants. 10/21 Daniele Sgandurra Semantics-Driven Introspection in a Virtual Environment

  11. Problem Assertions and System Calls Overall Architecture Virtualization Evaluation Overall Architecture Conclusion Introspection Library The Introspection Library is invoked by the Assertion Checker whenever the monitored process issues a system call. Memory Introspection, to access the memory of a monitored VM both at the user and at the kernel level. VCPU-Context Introspection, to retrieve the state of the monitored VM’s virtual processor. 11/21 Daniele Sgandurra Semantics-Driven Introspection in a Virtual Environment

  12. Problem Assertions and System Calls Overall Architecture Virtualization Evaluation Overall Architecture Conclusion Evaluating Invariants To detect non-control-data attacks and mimicry attacks. Attacks based upon parameters of system calls. Assertions can be deduced by using dynamic tools (e.g. Daikon) or by a static analysis (e.g. CodeSurfer); Currently, we use a combination of Daikon, CodeSurfer and programmer-provided assertions. 12/21 Daniele Sgandurra Semantics-Driven Introspection in a Virtual Environment

  13. Problem Assertions and System Calls Overall Architecture Virtualization Evaluation Overall Architecture Conclusion Evaluating Invariants The kernel of the Monitored VM transfers control to the Introspection VM every time the process invokes a system call. The Introspection VM freezes the execution of the Monitored VM. The Assertion Checker exploits the Introspection Library to: retrieve the current return address of the process; retrieve the values of the some variables; evaluate the invariant. 13/21 Daniele Sgandurra Semantics-Driven Introspection in a Virtual Environment

  14. Problem Assertions and System Calls Overall Architecture Virtualization Evaluation Overall Architecture Conclusion Evaluating Invariants The input is a set of invariants of the form: [PC, {var name: addr: type}, {expr on vars}] PC is the program counter (return addr) paired with a system call; {var name: addr: type} is a set of variable names, their virtual address and their type; {expr on vars} is a set of relations among variables. 14/21 Daniele Sgandurra Semantics-Driven Introspection in a Virtual Environment

  15. Problem Assertions and System Calls Overall Architecture Virtualization Evaluation Overall Architecture Conclusion Examples of Invariants Parameters assertions: data-flow relations among parameters of distinct calls; e.g. the file descriptor in a read is the result of a previous open . File assertions: prevent symlink and race condition attacks,; e.g. real file-name of a file descriptor belongs to a known directory. 15/21 Daniele Sgandurra Semantics-Driven Introspection in a Virtual Environment

  16. Problem Assertions and System Calls Overall Architecture Virtualization Evaluation Overall Architecture Conclusion Examples of Invariants Buffer length assertions: length of a string passed to a vulnerable function is not larger than the local buffer. Conditional statements assertions: prevent impossible paths by relating a system call and the expression in the guard of a conditional statement: e.g: syscall 1 if(uid == 0) then syscall 2 else syscall 3 , pair the assertion uid == 0 with syscall 2 . 16/21 Daniele Sgandurra Semantics-Driven Introspection in a Virtual Environment

  17. Problem Assertions and System Calls Overall Architecture Virtualization Evaluation Overall Architecture Conclusion Example 17/21 Daniele Sgandurra Semantics-Driven Introspection in a Virtual Environment

  18. Problem Assertions and System Calls Overall Architecture Virtualization Evaluation Overall Architecture Conclusion Example 17/21 Daniele Sgandurra Semantics-Driven Introspection in a Virtual Environment

  19. Problem Assertions and System Calls Overall Architecture Virtualization Evaluation Overall Architecture Conclusion Example 17/21 Daniele Sgandurra Semantics-Driven Introspection in a Virtual Environment

  20. Problem Assertions and System Calls Overall Architecture Virtualization Evaluation Overall Architecture Conclusion Example 17/21 Daniele Sgandurra Semantics-Driven Introspection in a Virtual Environment

  21. Problem Assertions and System Calls Overall Architecture Virtualization Evaluation Overall Architecture Conclusion Example 17/21 Daniele Sgandurra Semantics-Driven Introspection in a Virtual Environment

  22. Problem Assertions and System Calls Overall Architecture Virtualization Evaluation Overall Architecture Conclusion Example 17/21 Daniele Sgandurra Semantics-Driven Introspection in a Virtual Environment

  23. Problem Assertions and System Calls Overall Architecture Virtualization Evaluation Overall Architecture Conclusion Example 17/21 Daniele Sgandurra Semantics-Driven Introspection in a Virtual Environment

  24. Problem Assertions and System Calls Overall Architecture Virtualization Evaluation Overall Architecture Conclusion Example 17/21 Daniele Sgandurra Semantics-Driven Introspection in a Virtual Environment

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Virtual Machine Introspection Isolation Interpretation Interposition Isolation

Virtual Machine Introspection Isolation Interpretation Interposition Isolation

Virtual Machine Introspection Isolation Interpretation Interposition Isolation From in-guest kernel/userspace Provided by Xen Buggy emulation blurres the line From trusted computing base (TCB) Possible via Xen

286 views • 26 slides
About Bringing Memory Forensics and Virtual Machine Introspection Title: to Production

About Bringing Memory Forensics and Virtual Machine Introspection Title: to Production

About Bringing Memory Forensics and Virtual Machine Introspection Title: to Production Environments Student: Benjamin Taubmann PhD stage: Third year, finisher Advisor: Prof. Dr. Hans P. Reiser Affiliation: Assistant Professorship of

313 views • 8 slides
Subverting System Authentication With Context-Aware, Reactive Virtual Machine Introspection

Subverting System Authentication With Context-Aware, Reactive Virtual Machine Introspection

Background Detailed Design Implementation Evaluation Related Work Summary Subverting System Authentication With Context-Aware, Reactive Virtual Machine Introspection Yangchun Fu , Zhiqiang Lin, Kevin Hamlen Department of Computer Science The

814 views • 52 slides
Building Trustworthy Intrusion Detection Through Virtual Machine Introspection Fabrizio Baiardi 1

Building Trustworthy Intrusion Detection Through Virtual Machine Introspection Fabrizio Baiardi 1

Problem Overall Architecture Evaluation Conclusion Building Trustworthy Intrusion Detection Through Virtual Machine Introspection Fabrizio Baiardi 1 Daniele Sgandurra 2 1 Polo G. Marconi - La Spezia, University of Pisa 2 Department of Computer

472 views • 20 slides
Introspection and Consciousness: Wrap-Up Talk David Chalmers Introspection for Great Apes David

Introspection and Consciousness: Wrap-Up Talk David Chalmers Introspection for Great Apes David

Introspection and Consciousness: Wrap-Up Talk David Chalmers Introspection for Great Apes David Chalmers Four Issues The Power of Introspection 1. Doubts about Introspection 2. Mechanisms of Introspection 3. Introspection and Consciousness

733 views • 26 slides
Virtual machine introspection in a hybrid honeypot architecture Tamas K Lengyel & Justin

Virtual machine introspection in a hybrid honeypot architecture Tamas K Lengyel & Justin

Virtual machine introspection in a hybrid honeypot architecture Tamas K Lengyel & Justin Neumann University of Connecticut The role of the honeypot The limitations Low-interaction honeypots: "Artificial" attack surface

846 views • 13 slides
Connecting Teams at a Distance The Virtual Environment Working in a virtual environment creates

Connecting Teams at a Distance The Virtual Environment Working in a virtual environment creates

Connecting Teams at a Distance The Virtual Environment Working in a virtual environment creates additional physical, psychological, and emotional distance. This means that virtual team leaders must be mindful, purposeful, and intentional when

992 views • 61 slides
Software Security VMI (Virtual Machine Introspection) / VMM-based Intrusion Prevention Julian

Software Security VMI (Virtual Machine Introspection) / VMM-based Intrusion Prevention Julian

Software Security VMI (Virtual Machine Introspection) / VMM-based Intrusion Prevention Julian Vetter Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2016 julian (sect) Software Security SoSe 2016 1 / 21

220 views • 21 slides
Modelling semantics developing a cognitively plausible, data-driven approach Objective

Modelling semantics developing a cognitively plausible, data-driven approach Objective

Modelling semantics developing a cognitively plausible, data-driven approach Objective Develop a model of semantics that is wide-coverage, cognitively plausible and computationally useful Data-driven approach: technically feasible,

482 views • 11 slides
Semantics 1 / 21 Outline What is semantics? Denotational semantics Semantics of naming What

Semantics 1 / 21 Outline What is semantics? Denotational semantics Semantics of naming What

Semantics 1 / 21 Outline What is semantics? Denotational semantics Semantics of naming What is semantics? 2 / 21 What is the meaning of a program? Recall: aspects of a language syntax : the structure of its programs semantics : the

551 views • 21 slides
Share Virtual Discovery Environment in Linked Data (SHARE-VDE) Short Summary Michele Casalini

Share Virtual Discovery Environment in Linked Data (SHARE-VDE) Short Summary Michele Casalini

Share Virtual Discovery Environment in Linked Data (SHARE-VDE) Short Summary Michele Casalini SWIB18 What is SHARE-VDE? SHARE-VDE is a library-driven initiative to establish an effective working environment for the use of linked data by

123 views • 9 slides
Rustifying the VM Introspection Ecosystem FOSDEM 2020 Dorian Eikenberg Mathieu Tarral Agenda

Rustifying the VM Introspection Ecosystem FOSDEM 2020 Dorian Eikenberg Mathieu Tarral Agenda

Rustifying the VM Introspection Ecosystem FOSDEM 2020 Dorian Eikenberg Mathieu Tarral Agenda What is VM Introspection ? VMI ecosystem today Rustifying the VM Introspection ecosystem Future work Virtualization

718 views • 33 slides
Generalizations are driven by semantics and constrained by statistical preemption New evidence

Generalizations are driven by semantics and constrained by statistical preemption New evidence

Generalizations are driven by semantics and constrained by statistical preemption New evidence from artificial language experiments Florent Perek & Adele Goldberg University of Birmingham & Princeton University Generalizations Previous

360 views • 25 slides
Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine

Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine

Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine Introspection IFIP SEC 2018 Sergej Proskurin, 1 Julian Kirsch, 1 and Apostolis Zarras 2 1 Technical University of Munich 2 Maastricht University

548 views • 20 slides
Virtual Functional Segmentation of Snake Robots for Perception-Driven Obstacle-Aided Locomotion

Virtual Functional Segmentation of Snake Robots for Perception-Driven Obstacle-Aided Locomotion

Introduction A hierarchical control framework Virtual functional segment (VFS) parametrisation model Control approach Conclusion and future work References Virtual Functional Segmentation of Snake Robots for Perception-Driven Obstacle-Aided

271 views • 25 slides
Graeme Smith Supervisors: Dr James Gain Description Create a virtual environment from robot

Graeme Smith Supervisors: Dr James Gain Description Create a virtual environment from robot

Jason Brownbridge Graeme Smith Supervisors: Dr James Gain Description Create a virtual environment from robot sensors Allow operator to control robot by manipulating it within the virtual environment Conduct research into effect of

467 views • 9 slides
The Practical Assessment of Test Sets with Inductive Inference Techniques Neil Walkinshaw

The Practical Assessment of Test Sets with Inductive Inference Techniques Neil Walkinshaw

The Practical Assessment of Test Sets with Inductive Inference Techniques Neil Walkinshaw Department of Computer Science University of Leicester September 4, 2010 B ACKGROUND Test Adequacy Assessing the ability of a test set to identify

295 views • 25 slides
First Experiments with Data Driven Conjecturing Karel Chvalovsk, Thibault Gauthier, and Josef

First Experiments with Data Driven Conjecturing Karel Chvalovsk, Thibault Gauthier, and Josef

First Experiments with Data Driven Conjecturing Karel Chvalovsk, Thibault Gauthier, and Josef Urban CIIRC CTU Conjecturing some bits from history There have been various attempts, e.g., Wang in the late 1950s novel and

540 views • 15 slides
Advances in Programming Languages APL4: JML The Java Modeling Language David Aspinall

Advances in Programming Languages APL4: JML The Java Modeling Language David Aspinall

Advances in Programming Languages APL4: JML The Java Modeling Language David Aspinall (slides originally by Ian Stark) School of Informatics The University of Edinburgh Thursday 21 January 2010 Semester 2 Week 2 N I V E U R S E I

1.17k views • 21 slides
Extended Static Checking Extended Static Checking Greg Nelson MJ 6 James B. Saxe MJ 6

Extended Static Checking Extended Static Checking Greg Nelson MJ 6 James B. Saxe MJ 6

Authors Authors Author Defn. Num.* K. Rustan M. Leino MJS 13 Extended Static Checking Extended Static Checking Greg Nelson MJ 6 James B. Saxe MJ 6 Wolfram Schulte S 3 David Detlefs M 2 Raymie Stata J 2 Mike Barnett S 2

239 views • 5 slides
Chad Aldeman Bellwether Education Partners @ChadAldeman Design Objectives Simplicity Clarity

Chad Aldeman Bellwether Education Partners @ChadAldeman Design Objectives Simplicity Clarity

Chad Aldeman Bellwether Education Partners @ChadAldeman Design Objectives Simplicity Clarity Fairness Test scores used as a screen Achievement and growth indices Equal weight for each grade and subject Focus on lowest-performing

1.45k views • 68 slides
Introduction to JML David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University

Introduction to JML David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University

Introduction to JML David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.1/ ?? Outline of this tutorial

1.06k views • 42 slides
Mining Software Engineering Data Tao Xie Ahmed E. Hassan North Carolina State University

Mining Software Engineering Data Tao Xie Ahmed E. Hassan North Carolina State University

Mining Software Engineering Data Tao Xie Ahmed E. Hassan North Carolina State University University of Victoria www.csc.ncsu.edu/faculty/xie www.ece.uvic.ca/~ahmed xie@csc.ncsu.edu ahmed@uvic.ca Some slides are adapted from KDD 06 tutorial

1.39k views • 120 slides
Learning Register Automata Models Falk Howar IPSSE, TU Clausthal, Goslar, Germany Dagstuhl

Learning Register Automata Models Falk Howar IPSSE, TU Clausthal, Goslar, Germany Dagstuhl

Learning Register Automata Models Falk Howar IPSSE, TU Clausthal, Goslar, Germany Dagstuhl Seminar 16172 Falk Howar (TU Clausthal) Learning RAs Dagstuhl Seminar 16172 1 / 22 Scenario: Verification of Component-based Systems Environment

618 views • 35 slides

More recommend