Space Traveling across VM: Automatically Bridging the Semantic-Gap in Virtual Machine Introspection via Online Kernel Data Redirection (PowerPoint presentation)


slide-1
SLIDE 1

Background and The Problem State-of-the-Art Our Approach: Data Space Traveling Conclusion

Space Traveling across VM

Automatically Bridging the Semantic-Gap in Virtual Machine Introspection via Online Kernel Data Redirection

Yangchun Fu, and Zhiqiang Lin

Department of Computer Sciences The University of Texas at Dallas

May 23rd, 2012

slide-2
SLIDE 2

Outline

1. Background and The Problem
2. State-of-the-Art
3. Our Approach: Data Space Traveling
4. Conclusion

slide-3
SLIDE 3

Cloud Runs Virtual Machines (VM)

[Figure: Hardware Layer, Virtualization Layer, and Product-VMs running Linux, Win-7, ..., Windows XP]

Consolidation, Multiplexing, Migration, Isolation, Encapsulation, Interposition, Security, Reliability, Dependability ...

VMI [Garfinkel and Rosenblum, NDSS’03]

slide-6
SLIDE 6

Virtual Machine Introspection (VMI) [Garfinkel and Rosenblum]

[Figure: Hardware Layer, Virtualization Layer; a Secure-VM running A Trusted OS introspects the Product-VMs running Linux, Win-7, ...]

Using a trusted, isolated, dedicated VM to monitor other VMs

  • Intrusion Detection
  • Malware Analysis
  • Memory Forensics

Semantic Gap Problem

slide-10
SLIDE 10

The Semantic Gap in VMI ([Chen and Noble HotOS’01])

[Figure: A Trusted OS in the Secure-VM introspects the Product-VM running Linux, ...; between them lies the Semantic Gap]

  • View exposed by Virtual Machine Monitor is at low-level
  • There is no abstraction and no APIs
  • Need to reconstruct the guest-OS abstraction

slide-14
SLIDE 14

Example: Inspect pids of Guest Memory from VMM

[Figure: raw guest memory as seen at the Virtual Machine Monitor Layer, with the DISK alongside]

    …
    00001800 eb 40 1b 02 63 74 00 f0 00 00 00 00 00 00 00 00 |.@..ct..........|
    00001810 00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 |................|
    00001820 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
    00001830 00 00 00 00 00 00 00 00 10 76 16 cc 00 00 00 00 |.........v......|
    00001840 00 19 66 8c d0 50 b8 08 00 00 00 66 8e d0 53 8b |..f..P.....f..S.|
    00001850 d9 ff 2d 19 02 00 00 0f 20 c0 0f ba f0 1f 0f 22 |..-..... ......"|
    00001860 c0 eb 00 b9 80 00 00 c0 0f 32 0f ba f0 08 0f 30 |.........2.....0|
    00001870 0f 20 e0 0f ba f0 05 0f 22 e0 60 9c 8b d3 c1 ea |. ......".`.....|
    00001880 04 89 a3 76 02 00 00 0f 01 83 80 02 00 00 0f 01 |...v............|
    00001890 8b 88 02 00 00 8b 8b 3c 00 00 00 0b c9 74 12 8b |.......<.....t..|
    000018a0 b3 38 00 00 00 8b fb 81 c7 00 30 00 00 2b f9 f3 |.8........0..+..|
    000018b0 a4 0f 01 9b 90 02 00 00 0f 01 93 68 02 00 00 66 |...........h...f|
    000018c0 b8 10 00 66 8e d8 66 8e c0 66 8e d0 66 8e e0 66 |...f..f..f..f..f|
    …
    *
    00100f60 00 00 00 00 00 00 00 00 00 f0 ff 5d 76 e3 f0 2f |...........]v../|
    00100f70 93 c9 a4 1d f9 48 be f8 6c c7 1d 92 4c 1e 6e 35 |.....H..l...L.n5|
    00100f80 b4 f8 1b ae f6 69 e8 c0 b7 34 74 a1 4e 5a a7 93 |.....i...4t.NZ..|
    00100f90 97 2f f3 47 cf d7 10 df f0 d6 e3 9b f5 cf a9 23 |./.G...........#|
    00100fa0 cd 9f 87 4f 37 7f 1e f1 fe dc 7d b9 f9 f3 7b ef |...O7.....}...{.|
    00100fb0 cf 95 bf 94 3f 8d 63 9a cc 8a 36 5b 56 7b d2 76 |....?.c...6[V{.v|
    00100fc0 b6 d9 ad ee 61 f6 90 a4 2c 2b 54 66 37 de 3d a9 |....a...,+Tf7.=.|
    00100fd0 b9 d9 67 37 1e 7a b5 ce ef 0c 58 ee 4d 30 d0 9b |..g7.z....X.M0..|
    00100fe0 c0 6e bc e7 3d f3 e7 d0 9a bf a4 82 1b c7 9c f1 |.n..=...........|
    00100ff0 db 66 2b d8 38 cb 2a 91 80 ad 7d 25 d8 0a e5 db |.f+.8.*...}%....|

  • Kernel specific data structure definition
  • Kernel symbols (global variable)
  • Virtual to physical (V2P) translation

In Kernel 2.6.18:

    struct task_struct {
        ...
        [188] pid_t pid;
        [192] pid_t tgid;
        ...
        [356] uid_t uid;
        [360] uid_t euid;
        [364] uid_t suid;
        [368] uid_t fsuid;
        [372] gid_t gid;
        [376] gid_t egid;
        [380] gid_t sgid;
        [384] gid_t fsgid;
        ...
        [428] char comm[16];
        ...
    }   SIZE: 1408
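As an added example (not from the slides and not VMST code), the following Python does by hand what a VMI tool has to do to recover pids from the raw bytes above: it applies the 2.6.18 task_struct offsets from the slide, starts from a kernel symbol, and translates guest-virtual to guest-physical addresses before every read. The memory image, the page table, the init_task address and the tasks.next link offset (OFF_TASKS_NEXT) are constructed for the example and are not real kernel values; only the field offsets and the 1408-byte size come from the slide.

```python
"""Added example: recovering pids from a raw guest memory image.

It needs exactly the three things the slide lists: the kernel's struct
layout, a kernel symbol to start from, and virtual-to-physical (V2P)
translation.  Everything below except the task_struct offsets and size
is CONSTRUCTED for the example (not real kernel values).
"""
import struct

PAGE_SIZE = 4096
TASK_STRUCT_SIZE = 1408                 # from the slide (kernel 2.6.18)
OFF = {"pid": 188, "tgid": 192, "uid": 356, "euid": 360, "suid": 364,
       "fsuid": 368, "gid": 372, "egid": 376, "sgid": 380, "fsgid": 384}
OFF_COMM, COMM_LEN = 428, 16            # char comm[16]
OFF_TASKS_NEXT = 96                     # CONSTRUCTED: tasks.next link offset (not the real value)


class GuestMemory:
    """A physical memory image plus a one-level page table (vpn -> ppn)."""

    def __init__(self, phys: bytes, page_table: dict):
        self.phys = phys
        self.page_table = page_table

    def v2p(self, vaddr: int) -> int:
        vpn, off = divmod(vaddr, PAGE_SIZE)
        if vpn not in self.page_table:
            raise ValueError(f"guest virtual address {vaddr:#x} is not mapped")
        return self.page_table[vpn] * PAGE_SIZE + off

    def read(self, vaddr: int, n: int) -> bytes:
        # Translate page by page so a read may cross a page boundary.
        out = bytearray()
        while n:
            pa = self.v2p(vaddr)
            chunk = min(n, PAGE_SIZE - pa % PAGE_SIZE)
            out += self.phys[pa:pa + chunk]
            vaddr, n = vaddr + chunk, n - chunk
        return bytes(out)

    def read_u32(self, vaddr: int) -> int:
        return struct.unpack("<I", self.read(vaddr, 4))[0]


def parse_task_struct(mem: GuestMemory, vaddr: int) -> dict:
    """Apply the 2.6.18 layout to the task_struct at vaddr."""
    fields = {name: mem.read_u32(vaddr + off) for name, off in OFF.items()}
    raw = mem.read(vaddr + OFF_COMM, COMM_LEN)
    fields["comm"] = raw.split(b"\0", 1)[0].decode("ascii", "replace")
    return fields


def walk_tasks(mem: GuestMemory, init_task: int, limit: int = 4096) -> list:
    """Follow the circular task list starting at the init_task symbol.

    tasks.next points at the list_head *embedded* in the next task, so the
    next task_struct starts OFF_TASKS_NEXT bytes before it (container_of).
    The visited set stops the walk if a corrupted link forms a cycle elsewhere.
    """
    tasks, seen, cur = [], set(), init_task
    while cur not in seen and len(tasks) < limit:
        seen.add(cur)
        tasks.append(parse_task_struct(mem, cur))
        cur = mem.read_u32(cur + OFF_TASKS_NEXT) - OFF_TASKS_NEXT
    return tasks


def list_pids(mem: GuestMemory, init_task: int) -> list:
    return [(t["pid"], t["comm"]) for t in walk_tasks(mem, init_task)]


def build_sample_image():
    """CONSTRUCTED guest: three task_structs on non-contiguous physical pages."""
    vaddrs = [0xC0300000, 0xC0301000, 0xC0302000]          # page-aligned virtual addresses
    page_table = {va >> 12: ppn for va, ppn in zip(vaddrs, (5, 2, 7))}
    procs = [(0, 0, b"swapper"), (1, 0, b"init"), (13849, 1000, b"getpid")]
    phys = bytearray(8 * PAGE_SIZE)
    for i, (va, (pid, uid, comm)) in enumerate(zip(vaddrs, procs)):
        ts = bytearray(TASK_STRUCT_SIZE)
        struct.pack_into("<I", ts, OFF["pid"], pid)
        struct.pack_into("<I", ts, OFF["tgid"], pid)
        for name in ("uid", "euid", "suid", "fsuid", "gid", "egid", "sgid", "fsgid"):
            struct.pack_into("<I", ts, OFF[name], uid)
        ts[OFF_COMM:OFF_COMM + len(comm)] = comm
        nxt = vaddrs[(i + 1) % len(vaddrs)]                  # circular list
        struct.pack_into("<I", ts, OFF_TASKS_NEXT, nxt + OFF_TASKS_NEXT)
        pa = page_table[va >> 12] * PAGE_SIZE
        phys[pa:pa + TASK_STRUCT_SIZE] = ts
    return GuestMemory(bytes(phys), page_table), vaddrs[0]   # image, init_task symbol


if __name__ == "__main__":
    mem, init_task = build_sample_image()
    for pid, comm in list_pids(mem, init_task):
        print(f"pid={pid:<6} comm={comm}")
```

Without the page table the hexdump offsets above are physical and cannot be related to the kernel's virtual pointers; without the struct layout the bytes at offset 188 are just bytes; without the symbol there is no place to start the walk. Each of the three is version-specific, which is the gap the rest of the deck sets out to close.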

slide-18
SLIDE 18

State-of-the-art

  • The Semantic Gap [Chen et al, HotOS’01]

In HotOS’01, Chen and Noble first raised the semantic gap problem in virtualization:

“Services in the VM operate below the abstractions provided by the guest OS ... This can make it difficult to provide services.”

slide-21
SLIDE 21

State-of-the-art

  • The Semantic Gap [Chen et al, HotOS’01]
  • VMI [Garfinkel et al, NDSS’03]

In NDSS’03, Garfinkel et al. first proposed VMI, demonstrated for IDS. Introspection routine is based on the crash utility.

slide-23
SLIDE 23

State-of-the-art

  • The Semantic Gap [Chen et al, HotOS’01]
  • VMI [Garfinkel et al, NDSS’03]
  • VMWatcher [Jiang et al, CCS’07]

In CCS’07, Jiang et al. proposed VMwatcher. Introspection routine is based on manually created code.

[Figure: VMwatcher sits beside the Virtual Machine Monitor and inspects the Target Kernel inside the Target VM]

slide-25
SLIDE 25

State-of-the-art

  • The Semantic Gap [Chen et al, HotOS’01]
  • VMI [Garfinkel et al, NDSS’03]
  • SBCFI [Petroni et al, CCS’07]
  • VMWatcher [Jiang et al, CCS’07]

In CCS’07, Petroni et al. proposed SBCFI. Introspection routine is based on customized kernel source code.

[Figure: the Target VM (Target Kernel) and a Monitor VM (User App, OS Kernel, CFI Monitor) both run on the Virtual Machine Monitor]

slide-27
SLIDE 27

State-of-the-art

  • The Semantic Gap [Chen et al, HotOS’01]
  • VMI [Garfinkel et al, NDSS’03]
  • SBCFI [Petroni et al, CCS’07]
  • VMWatcher [Jiang et al, CCS’07]
  • Virtuoso [Dolan-Gavitt et al., SP’11]

In SP’11, Dolan-Gavitt et al. proposed Virtuoso. Introspection routine is based on the trained user level and kernel level code.

[Figure: at Runtime, an Introspection Program in the Security VM works on a copy-on-write view of the Untrusted VM's User and Kernel memory]

slide-29
SLIDE 29

State-of-the-art

  • The Semantic Gap [Chen et al, HotOS’01]
  • VMI [Garfinkel et al, NDSS’03]
  • SBCFI [Petroni et al, CCS’07]
  • VMWatcher [Jiang et al, CCS’07]
  • Virtuoso [Dolan-Gavitt et al., SP’11]
  • VMST [Our solution, SP’12]

In SP’12, we propose VM Space Traveler (VMST). Introspection routine is automatically generated from the native user level and kernel level code.

[Figure: VMST architecture. In the Secure-VM, Common Utilities (ps, lsmod, netstat, ...) run on the VM-Space Traveler, whose components are Syscall Execution Context Identification, Redirectable Data Identification and Kernel Data Redirection; the Introspection reaches into the Product-VM's Kernel Data and Kernel Code beneath its Applications, with the labels COW, R/O and R/W on the data paths]

slide-31
SLIDE 31

Key Idea

Data can be transferred: in the Internet, data is transferred through network packets.

Insight: An inspection program P(µ, k) is often composed of static binary code P, runtime dynamic user-level data µ (including user-level stack, heap, and global variables), and inspected kernel data k.

Transfer kernel space data k from one machine to the other:

    mov eax, [0x1c0eff08]

slide-35
SLIDE 35

Principles

P′(µ, k) = P(µ, k′), where
  • P′ is the new introspection program
  • P is the old inspection program
  • µ is the user level data
  • k is the kernel data being inspected
  • k′ is from the other machine

Outcome: We reuse the legacy binary code of P to automatically generate the new program P′.

slide-37
SLIDE 37

How?

strace of a getpid program:

    1  execve("./getpid", ..)           = 0
    2  brk(0)                           = 0x83b8000
    3  access("/etc/ld.so.nohwcap", ..) = -1
    23 getpid()                         = 13849
    26 write(1, "pid=13849\n", 10)      = 10
    27 exit_group(0)                    = ?

Three Key Components
  • Syscall execution context identification
  • Redirectable data identification
  • Kernel data redirection

[Figure: in the Secure-VM, Common Utilities (ps, lsmod, netstat, ...) run on the three components, which run on the Kernel]

slide-43
SLIDE 43

I. Syscall Execution Context Identification

[Figure: a Syscall Service Routine entered via sysenter/int 0x80 and left via sysexit/iretd, with the Interrupt Handler, Exception Handler and Context Switch shown alongside]

One intuitive approach: hard-code all the starting and ending PC of
  • Interrupt
  • Exception
  • Context switch

Our OS-agnostic solution:
  • Instrument the VMM interrupt/exception handler to capture the starting and ending point of interrupt/exception
  • Disable the context switch by disabling the timer

slide-48
SLIDE 48

II. Redirectable Data Identification

Challenges:
  • Identify kernel stack data (kernel control flow related)
  • Differentiate kernel stack, heap, and global variable
  • Differentiate kernel code and data

Our solution: a variant of dynamic data flow analysis
  • Identify the kernel global and kernel heap (derived from kernel global), and redirect their memory access
  • Alternatively, identify only the stack variable (derived from esp), and no redirection for them.

slide-54
SLIDE 54

III. Kernel Data Redirection

[Figure: the three components, Syscall Execution Context Identification, Redirectable Data Identification and Kernel Data Redirection, above the Kernel]

The Algorithm

    DynamicInstInstrument(i):
        if SysExecContext(s):
            if SysRedirect(s):
                RedirectableDataTracking(i);
                for α in MemoryAddress(i):
                    if DataRead(α):
                        PA(α) ← V2P(α)
                        Load(PA(α))
                    else:
                        if NotDirty(α):
                            CopyOnWritePage(α)
                            UpdatePageEntryInSTLB(α)
                        PA(α) ← V2P(α)
                        Store(PA(α))
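As an added example (not the authors' code), here is a toy Python model of the three components and of the DynamicInstInstrument algorithm above, replaying the getpid syscall from the strace slide. The "secure" and "guest" memories, the guest page table, the address of the kernel global holding the current task (CURRENT_TASK_SYM), the set of redirected syscalls and the free frames used for copy-on-write pages are all constructed for the example; OFF_PID is the pid offset from the 2.6.18 task_struct shown earlier in the deck. The register tainting in step II is a deliberately crude stand-in for the data-flow analysis: any value loaded through redirected memory is treated as a redirectable pointer, and anything copied from esp is not.

```python
"""Added example: a toy model of VMST's three components.

  I.   syscall execution context identification (sysenter/sysexit, interrupts)
  II.  redirectable data identification (crude taint on registers)
  III. kernel data redirection with V2P, copy-on-write and a shadow TLB (STLB)

All addresses, memory contents and the page table are CONSTRUCTED for this
example; only OFF_PID comes from the 2.6.18 task_struct layout on the slides.
"""
PAGE = 0x1000
OFF_PID = 188                        # pid offset in struct task_struct (kernel 2.6.18)
CURRENT_TASK_SYM = 0xC0400000        # CONSTRUCTED: kernel global holding the current task pointer
KERNEL_GLOBALS = {CURRENT_TASK_SYM}  # CONSTRUCTED symbol table of redirectable globals
REDIRECTED_SYSCALLS = {"getpid"}     # CONSTRUCTED: syscalls whose kernel data k is redirected


class VMST:
    def __init__(self, secure_mem, guest_mem, guest_pt):
        self.secure = secure_mem     # secure VM memory, identity-mapped: {addr: word}
        self.guest = guest_mem       # guest physical memory: {paddr: word}
        self.guest_pt = guest_pt     # guest page table: vpn -> guest ppn
        self.stlb = {}               # shadow TLB: vpn -> secure ppn of its copy-on-write copy
        self.free_ppn = 0x100        # CONSTRUCTED: first free secure frame for COW copies
        self.syscall = None          # name of the syscall in flight, or None
        self.irq_depth = 0
        self.tainted = set()         # registers holding kernel-global/heap-derived addresses
        self.trace = []              # (kind, op, vaddr) for every memory access

    # --- I. syscall execution context identification ----------------------
    def sysenter(self, name): self.syscall = name
    def sysexit(self): self.syscall = None
    def interrupt_enter(self): self.irq_depth += 1       # captured in the VMM's handler
    def interrupt_exit(self): self.irq_depth -= 1
    def sys_exec_context(self): return self.syscall is not None and self.irq_depth == 0
    def sys_redirect(self): return self.syscall in REDIRECTED_SYSCALLS

    # --- II. redirectable data identification -----------------------------
    def mov_esp(self, dst): self.tainted.discard(dst)     # stack-derived: never redirected
    def redirectable(self, base, addr):
        if base is not None:                              # [base + disp]
            return base in self.tainted
        return addr in KERNEL_GLOBALS                     # [absolute] naming a kernel global

    # --- III. kernel data redirection --------------------------------------
    def v2p(self, addr):
        vpn, off = divmod(addr, PAGE)
        if vpn in self.stlb:                              # dirty page: read our own copy
            return self.secure, self.stlb[vpn] * PAGE + off
        return self.guest, self.guest_pt[vpn] * PAGE + off

    def copy_on_write(self, addr):
        vpn = addr // PAGE
        src, dst = self.guest_pt[vpn] * PAGE, self.free_ppn * PAGE
        self.free_ppn += 1
        for off in range(PAGE):
            if src + off in self.guest:
                self.secure[dst + off] = self.guest[src + off]
        self.stlb[vpn] = dst // PAGE                      # UpdatePageEntryInSTLB

    def _redirect(self, base, addr):
        return self.sys_exec_context() and self.sys_redirect() and self.redirectable(base, addr)

    def load(self, dst, base, addr):
        """dst = [base + disp]; addr is already base + disp."""
        if self._redirect(base, addr):
            mem, pa = self.v2p(addr)
            self.tainted.add(dst)                         # crude: loaded value may be a guest pointer
            self.trace.append(("redirected", "read", addr))
        else:
            mem, pa = self.secure, addr
            self.tainted.discard(dst)
            self.trace.append(("local", "read", addr))
        return mem.get(pa, 0)

    def store(self, base, addr, value):
        if self._redirect(base, addr):
            if addr // PAGE not in self.stlb:             # NotDirty(α)
                self.copy_on_write(addr)
            mem, pa = self.v2p(addr)                      # now resolves to the COW copy
            self.trace.append(("cow", "write", addr))
        else:
            mem, pa = self.secure, addr
            self.trace.append(("local", "write", addr))
        mem[pa] = value


def run_getpid_demo():
    """Replay the getpid syscall from the strace slide under VMST."""
    task_v = 0xC1230000                                   # CONSTRUCTED guest task_struct address
    guest_pt = {CURRENT_TASK_SYM // PAGE: 0x10, task_v // PAGE: 0x20}
    guest = {0x10 * PAGE: task_v, 0x20 * PAGE + OFF_PID: 13849}     # guest's pid, as on the slide
    secure = {CURRENT_TASK_SYM: 0xC0AA0000, 0xC0AA0000 + OFF_PID: 777,  # secure VM's own task
              0xBFFFF004: 0x55}                           # a stack slot in the secure VM
    vm = VMST(secure, guest, guest_pt)
    vm.sysenter("getpid")
    eax = vm.load("eax", None, CURRENT_TASK_SYM)          # mov eax, [current]: redirected, eax tainted
    pid = vm.load("ebx", "eax", eax + OFF_PID)            # guest's pid, not the secure VM's 777
    vm.interrupt_enter()
    irq = vm.load("ecx", None, CURRENT_TASK_SYM)          # interrupt handler: not syscall context
    vm.interrupt_exit()
    vm.store("eax", eax + OFF_PID, 1)                     # kernel write lands on a COW copy
    after = vm.load("edx", "eax", eax + OFF_PID)          # and is visible through the STLB
    vm.mov_esp("esi")
    stack = vm.load("edi", "esi", 0xBFFFF004)             # stack-derived address: stays local
    vm.sysexit()
    vm.sysenter("write")                                  # write() is not a redirected syscall
    wr = vm.load("eax", None, CURRENT_TASK_SYM)
    vm.sysexit()
    return {"pid_seen": pid, "irq_read": irq, "after_write": after,
            "guest_pid_unchanged": guest[0x20 * PAGE + OFF_PID],
            "stack_read": stack, "write_syscall_read": wr,
            "kinds": [k for k, _, _ in vm.trace]}


if __name__ == "__main__":
    print(run_getpid_demo())
```

The replay shows the principle P′(µ, k) = P(µ, k′) in miniature: the same getpid code path runs unchanged, but because its kernel reads are redirected it reports the guest's pid 13849 instead of the secure VM's own 777, the interrupt handler and the write() syscall keep touching local memory, and the one kernel write never reaches the guest because the page was copied on write and the STLB now points at the copy.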

slide-57
SLIDE 57

Architecture

[Figure: VMST architecture. Secure-VM: Common Utilities (ps, lsmod, netstat, ...) on the VM-Space Traveler (Syscall Execution Context Identification, Redirectable Data Identification, Kernel Data Redirection); Product-VM: Applications, Kernel Data and Kernel Code; Introspection paths labelled COW, R/O and R/W]

slide-58
SLIDE 58

Automatic VMI Tool Generation

Utilities w/ options | Description                                  | Syntax? (diff) | Semantics? (Manual)
ps -A                | Reports a snapshot of all processes          | ✗              | ✓
lsmod                | Shows the status of modules                  | ✓              | ✓
lsof -c p            | Lists opened files by a process p            | ✓              | ✓
ipcs                 | Displays IPC facility status                 | ✓              | ✓
netstat -s           | Displays network statistics                  | ✓              | ✓
uptime               | Reports how long the system has been running | ✗              | ✓
ifconfig             | Reports network interface parameters         | ✓              | ✓
uname -a             | Displays system information                  | ✓              | ✓
arp                  | Displays ARP tables                          | ✓              | ✓
free                 | Displays amount of free memory               | ✗              | ✓
date                 | Prints the system date and time              | ✗              | ✓
pidstat              | Reports statistics for Linux tasks           | ✗              | ✓
mpstat               | Reports CPU related statistics               | ✗              | ✓
iostat               | Displays I/O statistics                      | ✗              | ✓
vmstat               | Displays VM statistics                       | ✗              | ✓

slide-59
SLIDE 59

Performance Overhead

[Bar chart: Normalized Performance Overhead (0% to 100%) per Benchmark Program: ps, lsmod, ipcs, uptime, uname, ifconfig, arp, date, pidstat, mpstat, iostat, vmstat, netstat, ugetpid; two series, w/o VMI and w/ VMI]

slide-60
SLIDE 60

OS-Agnostic Testing

Linux Distribution | Kernel Version       | Release Date | OS-agnostic? | LOC
Redhat-9           | 2.4.20-31            | 11/28/2002   | ✗            | 53
Fedora-6           | 2.6.18-1.2798.fc6    | 10/14/2006   | ✗            | 53
Fedora-15          | 2.6.38.6-26.rc1.fc15 | 05/09/2011   | ✓            |
OpenSUSE-11.3      | 2.6.34-12-default    | 09/13/2010   | ✓            |
                   | 2.6.35               | 08/10/2010   | ✓            |
OpenSUSE-11.4      | 2.6.37.1-1.2-default | 02/17/2011   | ✓            |
                   | 2.6.39.4             | 08/03/2011   | ✓            |
Debian 3.0         | 2.4.27-3             | 08/07/2004   | ✗            | 53
Debian 4.0         | 2.6.18-6             | 12/17/2006   | ✗            | 53
Debian 6.0         | 2.6.32-5             | 01/22/2010   | ✓            |
                   | 2.6.32-rc8           | 02/09/2010   | ✓            |
Ubuntu-4.10        | 2.6.8.1-3            | 08/14/2004   | ✗            | 53
Ubuntu-5.10        | 2.6.12-9             | 08/29/2005   | ✗            | 53
Ubuntu-10.04       | 2.6.32.27            | 12/09/2010   | ✓            |
                   | 2.6.33               | 03/15/2010   | ✓            |
                   | 2.6.34               | 07/05/2010   | ✓            |
                   | 2.6.36               | 11/22/2010   | ✓            |
                   | 2.6.37.6             | 03/27/2010   | ✓            |
Ubuntu-11.04       | 2.6.38-8-generic     | 06/03/2011   | ✓            |
Ubuntu-11.10       | 3.0.0-12-generic     | 08/05/2011   | ✓            |

slide-61
SLIDE 61

Limitations and Future Work

Limitations
  • Need an identical trusted kernel
  • Not entirely transparent to arbitrary OS kernels (relies on syscall knowledge)
  • Non-blocking system call
  • Does not inspect any disk data, memory swapped to disk

Future Work
  • Kernel version inference in cloud VM
  • Porting to Windows OS
  • Addressing the non-blocking issue

slide-63
SLIDE 63

Conclusion

  • VMST has automatically bridged the semantic gap, and automatically generated the introspection tools by reusing the legacy code (no training involved)
  • It also enables native VMI tool development.
  • (We hope) Cloud/VM/OS Providers, and AV-Software Vendors, could benefit from our techniques (for VMI and memory forensics).

slide-66
SLIDE 66

Thank You

[Figure: the VMST architecture diagram (Secure-VM with Common Utilities ps, lsmod, netstat, ... on the VM-Space Traveler; Product-VM with Applications, Kernel Data and Kernel Code; labels COW, R/O, R/W)]

zhiqiang.lin@utdallas.edu