Seeing Through the Same Lens: s: Introsp spect cting Guest Address ss Space ce at Na Native Speed Siqi Zhao *, Xuhua Ding*, Wen Xu ◆ , Dawu Gu ◇ * Singapore Management University ◆ Georgia Institute of Technology ◇ Shanghai JiaoTong University 1
Out utline • Problem • Design • Implementation • Evaluations 2
Prob oblem • Considering introspecting kernel objects • Untrusted live VM • VMI tool running outside of the VM • The VMI tool and the target objects are in different address spaces. • The VMI tool needs to perform a sequence of operations for every kernel object access. 3
Prob oblem Goal: res = task_struct Live Target VM VMI Tool • Considering introspecting kernel VA: 0xC0001000 objects GPA: 0x1000 HPA: 0xFE000 task_struct • Untrusted live VM ptr = 0xFE000 at 0xC0001000 • VMI tool running outside of the VM GPT • The VMI tool and the target objects are in different address spaces. EPT • The VMI tool needs to perform a sequence of operations for every kernel object access. Physical Memory task_struct at 0xFE000 4
Inad nadequacy of of Page Table ble Walk • Page table walk lies at the heart of VMI • Slow, compared to native address translation by MMU • A number of loads from memory • An experiment to evaluate the slowness of software based page table walk • Periodically modifies one task->cred pointer • Closely monitor the value of the pointer by repeatedly reading it from outside • Cannot catch up with frequent transient guest state changes 5
Inad nadequacy of of Page Table ble Walk Live Target VM VMI Tool • Mapping consistency with the VA: 0xC0001000 target is not maintained GPA: 0x1000 task_struct • Uses any mappings: ample room for at 0xC0001000 the guest to present false mappings • The target VM may also make GPT transient changes to the page table • Caching techniques that aim to enhance efficiency further deteriorate GPA Space the situation, giving up consistency for EPT efficiency. task_struct at 0x1000 task_struct at 0x2000 Physical Memory task_struct at 0xFE000 6
Immersi sive Execution Environment t (ImEE EE) ) Architecture • ImEE is essentially a special VM created on- demand by VMI applications. • Scheduled by the hypervisor • Consists of only a vCPU and a small amount of memory: code and data • ImEE hosts a piece of code called ImEE agent that actually performs introspection • ImEE acts as a memory access engine for VMI applications • Only perform memory read • Native speed read • Page table is consistent with target at any moment 7
Basi sic Idea dea ImEE Target VM • An environment with a twisted address mappings • Cloned CR3 content VA: 0xC0001000 CR3 VA: 0xC0001000 • Cloned EPT, with mappings from CR3 target EPT and restricted permission GPT • The result: a VA is translated to the GPA: 0x1000 GPA: 0x1000 same HPA by the MMU in both EPT Cloned EPT environments RO NX Target frames memory HPA: 0xFE000 memory 8
Makin king it it work ork ImEE Target VM • Implementation issues: • Need room in the virtual address space for CR3 • our own code CR3 • exchanging data with VMI tool • We want to avoid touching GPT GPT Cloned EPT EPT T EPT EPT c • What about the number of RO redirected pages? NX data code Target frames memory memory 9
Immersi sive Execution Environment (ImEE EE) ImEE Target VM • Two address spaces in the ImEE Local Target • Local address space is for the address address space space ImEE agent to interact with the CR3 CR3 VMI application CR3 Local • The idea ‘incarnates’ as the target GPT GPT address space in ImEE. • Introspection is only performed in EPT EPT T EPT EPT C RO the target address space NX data code Target frames memory memory 10
Target Add ddress Sp Space ImEE Target VM • GPA space is split by the EPT Local Target • All address mappings are the same address address space as in the target VM, with read-only space CR3 permission CR3 CR3 • One page is redirected by EPT to Local GPT the agent’s code page, with GPT execute-only permission • Two possible kinds of translation EPT EPT C EPT T EPT RO in the target address space: NX data code Target frames • Instruction fetch memory memory • Memory read 11
Target Add ddress Sp Space ImEE ImEE Target VM Target VM • Example: Local Local Target Target address address address address mov (0x1000), %eax 0xBFF0: space space space space CR3 CR3 CR3 CR3 CR3 CR3 Local Local GPT GPT GPT GPT EPT EPT EPT C EPT T EPT T EPT EPT EPT C RO RO NX NX data data code code Target frames Target frames memory memory memory memory 12
Lo Local Add ddress Sp Space ImEE Target VM • Minimizes the number of Local Target redirected page in the target address address address space space space • Only two pages are mapped CR3 CR3 CR3 • All pages except one are mapped to Local GPT code GPT • The remaining one is mapped to data EPT EPT T EPT EPT C • Allowing the agent to be executed RO almost anywhere, because we do NX not know the load address data code Target frames memory beforehand memory 13
Lo Local Add ddress s Sp Spaces ImEE Target VM • Example: Local Target address address 0xBFFA: mov %eax, (0x2000) space space CR3 CR3 CR3 Local GPT GPT EPT EPT T EPT EPT C RO NX data code Target frames memory memory 14
The he ImEE EE Agent • The ImEE agent is the only code that runs inside ImEE • Reside within one page, self-contained • Position independent • Granted ring 0 privilege • Initially, the agent is loaded at a page whose VA is mapped as executable in the guest page tables. • The hypervisor uses the page that the current IP points to 15
The he ImEE EE Agent • The agent’s execution straddles between the two address spaces. • Simplified pseudo-code: 1. eax = data[request] 2. cr3 = target_cr3 /* switch to target address space */ 3. xmm0 = *eax 4. cr3 = imee_cr3 /* switch to local address space */ 5. data[result] = xmm0 16
Other Issu sues ImEE Target VM • Blind spot • The code page in the target GPA space is redirected VA: 0xC0001000 CR3 • Any virtual address mapped to this CR3 GPA cannot be read GPT • Cannot be eliminated GPA: 0x1000 • Only detected when introspection EPT T EPT EPT C is on the blind spot • Relying on EPT mappings code Target frames HPA: 0xBFF0 • Relocate agent once detected memory HPA: 0xFE000 17
Adv dvantages • Native speed • Address translation is performed at native speed by hardware. • Consistency • Page table used is kept consistent with the current one in the target. • CR3 is synchronized 18
Implementation • We implemented a prototype of ImEE • Hypervisor changes: modified KVM module • Consists of around 1400 SLOC • Two new IOCTLs as interface to user space • Optimized code path that handles ImEE specific VM exit • Agent: specially crafted assembly code • Within one page, a few tens of instructions • Position independent • One data page for exchange data with VMI tool 19
Evaluati tion • We use LibVMI as the base line. • LibVMI: the only open source tool • Serves as building block for various other tools such as Volatility • Experiment setup: • Hardware: Intel Core i7-2600, 4GB DDR3 RAM • Guest VM: 1GB RAM and one vCPU 20
Evaluati tion • ImEE Overhead • Launch time: time taken for the hypervisor to prepare relevant data such as the EPT • Activation time: time for a launched, but not running, ImEE to begin execute the agent code ImEE LibVMI Speedup Launch time 97 μ s 100 ms 1031 times Activation time 3.2 μ s - 21
Evaluati tion • Guest access speed • We measure the time take to read a number of bytes from the target • LibVMI’s translation cache is on, data cache off # of Bytes ImEE LibVMI ( μ s) Speedup 4 0.353 18.4 52 times 64 0.358 18.5 52 times 128 0.389 18.4 47 times 512 1.643 18.9 11 times 1024 1.715 38.1 22 times 22
Too ools • syscalldmp : dumps totally 351 entries of the guest’s system call table • pidlist : lists all process identifiers in the guest. • pslist : lists all tasks’ identifiers and task names stored in task struct. • credlist : lists all tasks’ credential structures referenced by the task struct’s cred pointer. 23
Evaluati tion • We ran our four tools in four setups: ImEE, kernel, LibVMI on KVM and LibVMI on Xen • Measure time taken to complete the task • Results: • Comparable to kernel • Significant speedup compared to LibVMI Kernel ( μ s) LibVMI / KVM ( μ s) LibVMI / Xen ( μ s) ImEE ( μ s) Speedup (KVM) Speedup (Xen) syscalldmp 0.2 28.2 43 2.9 9 times 15 times pidlist 10 5887 2180 31.6 186 times 68 times pslist 10.4 8319 1477 38.6 215 times 38 times credlist 25.3 8234 2274 25.6 321 times 88 times 24
Evaluati tion • Scanning multiple VMs • We setup four VMs and measure: • Time to scan every VM • Time to switch scan target • Results: LibVMI ImEE Speedup Scanning all VMs 561 ms 377 μ s 1400 times Switching target VM 19 ms 4.4 μ s 4300 times 25
Recommend
More recommend
