software security
play

Software Security VMI (Virtual Machine Introspection) / VMM-based - PowerPoint PPT Presentation

Jan 16, 2023 •10 likes •220 views

Software Security VMI (Virtual Machine Introspection) / VMM-based Intrusion Prevention Julian Vetter Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2016 julian (sect) Software Security SoSe 2016 1 / 21

  1. Software Security VMI (Virtual Machine Introspection) / VMM-based Intrusion Prevention Julian Vetter Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2016 julian (sect) Software Security SoSe 2016 1 / 21

  2. Virtualization (Recap) Assume basic virtualization support (Intel VT-x, AMD SVM, ARM VE) ⇒ All sensitive instructions either handled internally (i. e. modify virtual state instead of physical state) or cause a trap into HV MMU with nested page table support First translations GV → GP Nested translation GP → P IOMMU/SYSMMU to keep devices in check What now? Virtualization? So what? julian (sect) Software Security SoSe 2016 2 / 21

  3. Virtual Machine Introspection First idea defined in 2001 “When virtual is better than real” [1] Host Intrusion Detection System Check the integrity of guest kernel julian (sect) Software Security SoSe 2016 3 / 21

  4. VMI: Semantic Gap VM might be infected with malware... HV provides an interface for trustworthy (detector) VMs to read memory of an other (supervised) VM Detector VM tries to figure out if supervised VM was infected The detector VM can only read raw main memory... So what to do? Problem: Semantic Gap! julian (sect) Software Security SoSe 2016 4 / 21

  5. Linux kernel rootkits To bridge the semantic gap we need to know what rootkits change/manipulate in a system Name Comment Arch. Module Module Arch. State. Use raw Process Syscall table Loading hiding manipulation socket hiding manipulation Cloaker (POC) - Academic rootkit ARM X - Very old (Kernel 2.2) knark (*) x86 X X X X - Already provided many modern features Phrack rootkit I (*) - Described in Phrack magazine issue 58 x86 X Phrack rootkit II (*) - Described in Phrack magazine issue 68 ARM X X - Modern rookit (Kernel v3.x) ARM Suterusu (*) - Can hide network ports x86 X X X X - Can disable LKM x86 64 - One of the latest wild rootkits ARM XOR.DDoS - Binary only x86 X X X X x86 64 Table: List of exisiting rootkits and the features they use (* Sourcecode available) julian (sect) Software Security SoSe 2016 5 / 21

  6. Rootkit example I: VBAR/SCTLR manipulation Privilege transition from usr (ring-3) to svc (ring-0) involve control flow transfer to vectors page Address of the vectors page is controlled through SCTLR and VBAR Syscalls use that mechanism Changing the vectors page allows attacker to get into control for each syscall [2] julian (sect) Software Security SoSe 2016 6 / 21

  7. Rootkit example II: Syscall table hooking Syscall recap: Linux user process requests service from kernel via syscall: Load value into a designated register Call svc ( int 80 ) instruction Value is used as an index into a table (syscall table) Syscall table holds function pointers to kernel functions implementing the requested syscall julian (sect) Software Security SoSe 2016 7 / 21

  8. Rootkit example II: Syscall table hooking (cont.) Attacker can obtain the syscall table address, even if it’s not exposed (through /proc/kallsyms ), Inspecting the zImage (kernel image) Address can be calculated from the vector table ( swi vector) [3] The syscall table is a convenient target Once the vector is overwritten → attacker always gets control when the syscall with this number is called julian (sect) Software Security SoSe 2016 8 / 21

  9. Rootkit example II: Syscall table hooking (cont.) Here is how the Suterusu rootkit [4] finds the syscall table unsigned long ∗ f i n d s y s c a l l t a b l e ( void ) { void ∗ s w i a d d r = ( long ∗ )0 x f f f f 0 0 0 8 ; unsigned long o f f s e t , ∗ v e c t o r s w i a d d r ; o f f s e t = (( ∗ ( long ∗ ) s w i a d d r ) & 0 x f f f ) + 8; v e c t o r s w i a d d r = ∗ ( unsigned long ∗∗ )( s w i a d d r + o f f s e t ) ; w h i l e ( v e c t o r s w i a d d r++) { i f ( (( ∗ ( unsigned long ∗ ) v e c t o r s w i a d d r ) & 0 x f f f f f 0 0 0 ) == 0 xe28f8000 ) { o f f s e t = (( ∗ ( unsigned long ∗ ) v e c t o r s w i a d d r ) & 0 x f f f ) + 8 ; r e t u r n v e c t o r s w i a d d r + o f f s e t ; } } r e t u r n NULL ; } julian (sect) Software Security SoSe 2016 9 / 21

  10. Rookit activities Once rootkit has kernel privileges you can request services Hide processes, sockets, modules Start SSH server How do we hide these things? Tools such as ps read /proc/ to find running processes ProcFS is a virtual filesystem not backed by “memory” Each filesystem has a kernel structure called file operations file operations struct contains pointers to functions that handle open, read, write etc. Rootkits can overwrite read pointer in the struct of procFS Read function only returns subset of processes Effectively hide processes julian (sect) Software Security SoSe 2016 10 / 21

  11. Back to the semantic gap! Defender has to do the same things as the attacker Somehow find valuable datastructures and check if they where manipulated Rootkit example I: VBAR/SCTLR manipulation Easy to check for defender VBAR is set on system start and never changed HV can read the register and check the address If address is different from default case → Rootkit detected! julian (sect) Software Security SoSe 2016 11 / 21

  12. Back to the semantic gap! (cont.) Processor state is easy to check because it is contained in registers What about structures in memory? This is were the fun begins... julian (sect) Software Security SoSe 2016 12 / 21

  13. Bridging the semantic gap: An easy one Finding processes in raw memory Stack is 8k aligned thread info struct is located on the stack thread info struct has a pointer to its task struct task struct contains pointer back to the stack julian (sect) Software Security SoSe 2016 13 / 21

  14. Bridging the semantic gap: An easy one As we have seen before, attacker only overwrites procFS file operations struct The kernel structure for the process is still there ( it has to be! ) Now we can compare both lists, the one from the procFS ( ps ) and the one we reconstructed (on the slide before) If one is missing in the procFS list → Rootkit detected! julian (sect) Software Security SoSe 2016 14 / 21

  15. VMM-based Intrusion Prevention No common name exists First proposed in 2007 “SecVisor: A tiny hypervisor to provide lifetime kernel code integrity for commodity OSes” [5] Attacker should be prevented to take over the kernel in the first place Rules are enforced from within the HV Rationale: User-level attacks can be prevented from inside the kernel But what if the attacker managed to exploit the kernel Finding kernel-level rootkits from within the kernel is a bad idea julian (sect) Software Security SoSe 2016 15 / 21

  16. Attacking the kernel What does an attack want to do? Attacker wants to execute malicious code Attacker want to stay persistent in the kernel (Attacker might want to exfiltrate user data) julian (sect) Software Security SoSe 2016 16 / 21

  17. Attacking the kernel (cont.) Depending on the vulnerability, attacker needs to store shellcode Two common ways to do this: � ret2usr - Return to user 1 � PXN Privilileged Execute 2 Never (or SMEP - Supervisor Mode Execution Prevention on Intel) � ret2dir - Return to direct 3 mapped memory julian (sect) Software Security SoSe 2016 17 / 21

  18. Privilege enforcement from HV What if we can prevent the attacker from executing code in the first place? But, HV has no knowledge about guest memory layout, therefore nested page table looks like this (everything is WX ): julian (sect) Software Security SoSe 2016 18 / 21

  19. Privilege enforcement from HV (cont.) What if we can have two nested page tables? Both tables with same mappings but with different permissions Load each page table depending if guestes executes kernel or user When exec. guest kernel: When exec. guest user: User space WX , kernel neither User space and kernel data W , kernel .text X but not W W nor X julian (sect) Software Security SoSe 2016 19 / 21

  20. Privilege enforcement from HV (cont.) Problems with the approach are, For every guest context siwtch the system has to trap into the HV to switch the nested page table The TLB has to be synchronized julian (sect) Software Security SoSe 2016 20 / 21

  21. P. M. Chen and B. D. Noble. When virtual is better than real [operating system relocation to virtual machines]. In Hot Topics in Operating Systems, 2001. Proceedings of the Eighth Workshop on , pages 133–138. IEEE, 2001. F. M. David, E. M. Chan, J. C. Carlyle, and R. H. Campbell. Cloaker: Hardware supported rootkit concealment. In Security and Privacy, 2008. SP 2008. IEEE Symposium on , pages 296–310. IEEE, 2008. dong-hoon you. Android platform based linux kernel rootkit. Phrack , 68, April 2011. mncoppola. An lkm rootkit targeting linux 2.6/3.x on x86( 64), and arm. https://github.com/mncoppola/suterusu , September 2014. Accessed: 2015-04-13. A. Seshadri, M. Luk, N. Qu, and A. Perrig. Secvisor: A tiny hypervisor to provide lifetime kernel code integrity for commodity oses. In ACM SIGOPS Operating Systems Review , volume 41, pages 335–350. ACM, 2007. julian (sect) Software Security SoSe 2016 21 / 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

672 views • 65 slides
Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software

Software Security By Hunter Stevenson Khalid Alharbi CSCI 5828 Foundations of Software Engineering Spring 2012 What is the talk NOT about? Cryptography. Database security. Operating Systems security. Network security.

1.37k views • 121 slides
Software Security: Defenses & Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses & Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses & Principles CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ January 25, 2011 Testing for Software Security Issues

444 views • 42 slides
Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust Boundary Attacks Threats Application Attacker Exploit Vulnerability : a software defect with security consequences Threat : a potential danger to

1.54k views • 80 slides
Software In-Security Buffer overflows Overview Web Application security Malware OS

Software In-Security Buffer overflows Overview Web Application security Malware OS

Lecture overview Table of contents: Introduction to SW security Software In-Security Buffer overflows Overview Web Application security Malware OS security topics Code scanning Emmanuel Benoist Taught by Ulrich

479 views • 13 slides
CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412

CS-412 Software Security Introduction Mathias Payer EPFL, Spring 2019 Mathias Payer CS-412 Software Security Course outline Secure software lifecycle Security policies Attack vectors Defense strategies: mitigations and testing Case

681 views • 49 slides
CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer

CS412 Software Security Secure Software Lifecycle Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are cost/labor

449 views • 23 slides
CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Web (and internet) security: two views Just a long running network service Complex application with multiple layers and components.

577 views • 47 slides
Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a

Introduction Gang Tan Penn State University Spring 2019 CMPSC 447: Software Security Why a course on software security? Software plays a major role in the modern society But is a major source of security problems. Software is the

659 views • 30 slides
Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr

Secure Software Development TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen Agenda Securing the software

1.91k views • 65 slides
Chapter 11 Software Security Secure programs Security implies some degree of trust that the

Chapter 11 Software Security Secure programs Security implies some degree of trust that the

Chapter 11 Software Security Secure programs Security implies some degree of trust that the program enforces expected C onfidentiality I ntegrity A vailability How can we look at software component and assess its

837 views • 49 slides
CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018

CS527 Software Security Secure Software Lifecycle Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Software liveliness Software is not a one-shot effort Software development, production, and maintenance are

725 views • 23 slides
Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA)

Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA)

Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen Some recent attacks 2 A game changer The Internet

1.17k views • 87 slides
Software Security Return to Libc and ROP Jan Nordholz Prof. Jean-Pierre Seifert Security in

Software Security Return to Libc and ROP Jan Nordholz Prof. Jean-Pierre Seifert Security in

Software Security Return to Libc and ROP Jan Nordholz Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2014 jan (sect) Software Security SoSe 2014 1 / 13 Recap: Overflow Bugs Ingredients: fixed-size buffer on the

429 views • 13 slides
CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer

CS527 Software Security Web Security Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Daemons / Services / Servers A daemon is a long running service that serves outside requests. A web server, a mail

503 views • 31 slides
Business Continuity at DESY a collection of themes and thoughts covering among others

Business Continuity at DESY a collection of themes and thoughts covering among others

Business Continuity at DESY a collection of themes and thoughts covering among others measures, procedures and dependencies Peter van der Reest, Yves Kemp, DESY IT Hepix Spring 2014, 21.05.2014 General DESY risk assessment > DESY

469 views • 15 slides
ISGC 2017 Security Workshop Sven Gabriel Security Incident handling in Federated Clouds

ISGC 2017 Security Workshop Sven Gabriel Security Incident handling in Federated Clouds

ISGC 2017 Security Workshop Sven Gabriel Security Incident handling in Federated Clouds www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number 654142 Introduction CSIRT 2017 March

703 views • 39 slides
TCIPG TECHNICAL CLUSTERS AND THREADS Trustworthy Trustworthy Technologies for Wide Technologies

TCIPG TECHNICAL CLUSTERS AND THREADS Trustworthy Trustworthy Technologies for Wide Technologies

TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G TCIPG TECHNICAL CLUSTERS AND THREADS Trustworthy Trustworthy Technologies for Wide Technologies for Local Responding To and Trust Assessment Area Monitoring and Area

291 views • 8 slides
HOW TO CONNECT VEHICLE IN SAFE AND SECURE WAY MIKKO HURSKAINEN TECHNOLOGIST 17+ 200+ 70+ 5

HOW TO CONNECT VEHICLE IN SAFE AND SECURE WAY MIKKO HURSKAINEN TECHNOLOGIST 17+ 200+ 70+ 5

HOW TO CONNECT VEHICLE IN SAFE AND SECURE WAY MIKKO HURSKAINEN TECHNOLOGIST 17+ 200+ 70+ 5 YEARS IN AUTOMOTIVE TOP NOTCH LOCATIONS EMBEDDED SOFTWARE PROFESSIONALS AROUND SOFTWARE PROJECTS BUILDING THE GLOBE BUSINESS DELIVERED

616 views • 34 slides
Goals of IDS Detect wide variety of intrusions Previously known and unknown attacks

Goals of IDS Detect wide variety of intrusions Previously known and unknown attacks

Goals of IDS Detect wide variety of intrusions Previously known and unknown attacks Suggests need to learn/adapt to new attacks or changes in behavior Detect intrusions in timely fashion May need to be be real-time,

638 views • 29 slides
Outline Intrusion detection systems CSci 5271 Malware and the network Introduction to Computer

Outline Intrusion detection systems CSci 5271 Malware and the network Introduction to Computer

Outline Intrusion detection systems CSci 5271 Malware and the network Introduction to Computer Security Announcements intermission Day 22: Malware and Denial of Service Stephen McCamant Denial of service and the network University of

684 views • 10 slides
Lab 8: Firewalls & Intrusion Detec6on Systems Fengwei Zhang Wayne State University CSC 5991

Lab 8: Firewalls & Intrusion Detec6on Systems Fengwei Zhang Wayne State University CSC 5991

Lab 8: Firewalls & Intrusion Detec6on Systems Fengwei Zhang Wayne State University CSC 5991 Cyber Security Prac6ce 1 Firewall & IDS Firewall A device or applica6on that analyzes packet headers and enforces policy based on

365 views • 20 slides
Runtime Monitoring and Dynamic Reconfiguration for Intrusion Detection Systems Martin Rehak 1,2 ,

Runtime Monitoring and Dynamic Reconfiguration for Intrusion Detection Systems Martin Rehak 1,2 ,

Runtime Monitoring and Dynamic Reconfiguration for Intrusion Detection Systems Martin Rehak 1,2 , Eugen Staab 3 , Volker Fusenig 3 , Michal Pechoucek 1,2 , Martin Grill 1 , Jan Stiborek 1 , and Karel Bartos 1 ( 1 ) Czech Technical University in

419 views • 24 slides

More recommend