transparent system introspection in support of analyzing
play

Transparent System Introspection in Support of Analyzing Stealthy - PowerPoint PPT Presentation

May 02, 2023 •764 likes •1.56k views

Transparent System Introspection in Support of Analyzing Stealthy Malware Kevin Leach PhD Dissertation kjl2y@virginia.edu November 30, 2016 Analogy: Volkswagen Scandal Volkswagen cheated on emissions test (over 10x EPA requirements) 2

  1. Transparent System Introspection in Support of Analyzing Stealthy Malware Kevin Leach PhD Dissertation kjl2y@virginia.edu November 30, 2016

  2. Analogy: Volkswagen Scandal ◮ Volkswagen cheated on emissions test (over 10x EPA requirements) 2

  3. Analogy: Volkswagen Scandal ◮ Volkswagen cheated on emissions test (over 10x EPA requirements) ◮ Car was able to detect the test 2

  4. Analogy: Volkswagen Scandal Volkswagen exploited the measurable difference between the EPA test and normal driving 3

  5. Analogy: Volkswagen Scandal Volkswagen exploited the measurable difference between the EPA test and normal driving What about malware that detects analysis tools? 3

  6. Overview 1. Motivation 2. Background ◮ Stealthy Malware Analysis and Artifacts ◮ Introspection 3. Hardware-assisted introspection and debugging ◮ Transparently acquire program data in two ways: 3.1 M AL T: Using SMM for Debugging 3.2 LO-PHI: Using DMA over PCIe for Introspection 4. Transparent program introspection ◮ H OPS : Limits of transparent program introspection 5. Conclusion 4

  7. Motivation ◮ Symantec blocked an average of 250k attacks per day during 2014 ◮ McAfee reported 40M new malware samples during each quarter of 2015 ◮ Kaspersky reported 320k new threats per day in 2015 5

  8. Malware Analysis Challenges ◮ Analysts want to quickly identify malware behavior 6

  9. Malware Analysis Challenges ◮ Analysts want to quickly identify malware behavior ◮ What damage does it do? 6

  10. Malware Analysis Challenges ◮ Analysts want to quickly identify malware behavior ◮ What damage does it do? ◮ How does it infect a system? 6

  11. Malware Analysis Challenges ◮ Analysts want to quickly identify malware behavior ◮ What damage does it do? ◮ How does it infect a system? ◮ How do we defend against it? 6

  12. Introspection ◮ Understanding program behavior 7

  13. Introspection ◮ Understanding program behavior ◮ Debugger introspects program to access raw data ◮ Read variables ◮ Reconstruct stack traces ◮ Read disk activity 7

  14. Introspection ◮ Understanding program behavior ◮ Debugger introspects program to access raw data ◮ Read variables ◮ Reconstruct stack traces ◮ Read disk activity ◮ Analyst infers behavior of a sample from interpreting this raw data 7

  15. Introspection ◮ Understanding program behavior ◮ Debugger introspects program to access raw data ◮ Read variables ◮ Reconstruct stack traces ◮ Read disk activity ◮ Analyst infers behavior of a sample from interpreting this raw data ◮ Virtual Machine Introspection (VMI) ◮ Plugin for a Virtual Machine Manager (slowdown) ◮ Helper process inside guest VM (detectable process) 7

  16. Introspection ◮ Understanding program behavior ◮ Debugger introspects program to access raw data ◮ Read variables ◮ Reconstruct stack traces ◮ Read disk activity ◮ Analyst infers behavior of a sample from interpreting this raw data ◮ Virtual Machine Introspection (VMI) ◮ Plugin for a Virtual Machine Manager (slowdown) ◮ Helper process inside guest VM (detectable process) But what if the program can detect our introspection tool? 7

  17. Artifacts and Stealthy Malware ◮ Adversary achieves stealth by using artifacts to detect analysis tools 8

  18. Artifacts and Stealthy Malware ◮ Adversary achieves stealth by using artifacts to detect analysis tools ◮ Measurable “tells” introduced by analysis 8

  19. Artifacts and Stealthy Malware ◮ Adversary achieves stealth by using artifacts to detect analysis tools ◮ Measurable “tells” introduced by analysis ◮ Timing (nonfunctional) artifacts — overhead incurred by analysis ◮ single-stepping instructions with debugger is slow ◮ imperfect VM environment does not match native speed 8

  20. Artifacts and Stealthy Malware ◮ Adversary achieves stealth by using artifacts to detect analysis tools ◮ Measurable “tells” introduced by analysis ◮ Timing (nonfunctional) artifacts — overhead incurred by analysis ◮ single-stepping instructions with debugger is slow ◮ imperfect VM environment does not match native speed ◮ Functional artifacts — features introduced by analysis ◮ isDebuggerPresent() — legitimate feature abused by adversaries ◮ Incomplete or unfaithful emulation of some instructions by VM ◮ Device names (hard disk named “VMWare disk”) 8

  21. Artifacts and Stealthy Malware ◮ Adversary achieves stealth by using artifacts to detect analysis tools ◮ Measurable “tells” introduced by analysis ◮ Timing (nonfunctional) artifacts — overhead incurred by analysis ◮ single-stepping instructions with debugger is slow ◮ imperfect VM environment does not match native speed ◮ Functional artifacts — features introduced by analysis ◮ isDebuggerPresent() — legitimate feature abused by adversaries ◮ Incomplete or unfaithful emulation of some instructions by VM ◮ Device names (hard disk named “VMWare disk”) Significant effort to fully analyze each stealthy sample 8

  22. Malware Analysis Triage System New Sample Signature developed Manual analysis (Time consuming) 9

  23. Transparency ◮ We want accurate introspection even in the presence of stealthy malware ◮ We want transparency — no artifacts produced by analysis We want transparent system introspection tools to solve this ‘debugging transparency problem’ 10

  24. Thesis Statement ◮ It is possible to develop a transparent system introspection tool by independently considering timing and functional artifacts 11

  25. Architecture System Under Test (SUT) Remote Host Use cases Semantics Variables Function Calls Read Variables Userspace Code Under Test Read Stack Trace OS Introspection Kernel ( Spectre , VMI) SMM Memory PCIe Memory Hardware Acquisition Acquisition Component 1 – Hardware-assisted memory acquisition via PCI-e Component 2 – Hardware-assisted memory acquisition via SMM Component 3 – Transparent program introspection 12

  26. Architecture System Under Test (SUT) Remote Host Use cases Semantics Variables Function Calls Read Variables Userspace Code Under Test Read Stack Trace OS Introspection Kernel ( Spectre , VMI) SMM Memory PCIe Memory Hardware Acquisition Acquisition Component 1 – Hardware-assisted memory acquisition via PCI-e Component 2 – Hardware-assisted memory acquisition via SMM Component 3 – Transparent program introspection 12

  27. Architecture System Under Test (SUT) Remote Host Use cases Semantics Variables Function Calls Read Variables Userspace Code Under Test Read Stack Trace OS Introspection Kernel ( Spectre , VMI) SMM Memory PCIe Memory Hardware Acquisition Acquisition Component 1 – Hardware-assisted memory acquisition via PCI-e Component 2 – Hardware-assisted memory acquisition via SMM Component 3 – Transparent program introspection 12

  28. Architecture System Under Test (SUT) Remote Host Use cases Semantics Variables Function Calls Read Variables Userspace Code Under Test Read Stack Trace OS Introspection Kernel ( Spectre , VMI) SMM Memory PCIe Memory Hardware Acquisition Acquisition Component 1 – Hardware-assisted memory acquisition via PCI-e Component 2 – Hardware-assisted memory acquisition via SMM Component 3 – Transparent program introspection 12

  29. Architecture System Under Test (SUT) Remote Host Use cases Semantics Variables Function Calls Read Variables Userspace Code Under Test Read Stack Trace OS Introspection Kernel ( Spectre , VMI) SMM Memory PCIe Memory Hardware Acquisition Acquisition Component 1 – Hardware-assisted memory acquisition via PCI-e Component 2 – Hardware-assisted memory acquisition via SMM Component 3 – Transparent program introspection 12

  30. Architecture System Under Test (SUT) Remote Host Use cases Semantics Variables Function Calls Read Variables Userspace Code Under Test Read Stack Trace OS Introspection Kernel ( Spectre , VMI) SMM Memory PCIe Memory Hardware Acquisition Acquisition Component 1 – Hardware-assisted memory acquisition via PCI-e Component 2 – Hardware-assisted memory acquisition via SMM Component 3 – Transparent program introspection 12

  31. Overview 1. Motivation 2. Background ◮ Stealthy Malware Analysis and Artifacts ◮ Introspection ◮ Architecture 3. Hardware-assisted introspection and debugging ◮ Transparently acquire program data in two ways: 3.1 M AL T: Using SMM for Debugging 3.2 LO-PHI: Using DMA over PCIe for Introspection 4. Transparent program introspection ◮ H OPS : Limits of transparent program introspection 5. Conclusion 13

  32. Hardware-Assisted Introspection ◮ Two approaches 1. M AL T, using System Management Mode (SMM) ◮ Significant timing artifacts ◮ No functional artifacts 2. LO-PHI, FPGA-based custom circuit ◮ Few timing artifacts ◮ Increased functional artifacts (e.g., DMA access performance counter) 14

  33. SMM-based Memory Acquisition ◮ Intel x86 feature provides small, OS-transparent and -agnostic, trusted computing base ◮ Custom SMI Handler executed in SMM ◮ Code stored in System Management RAM (SMRAM) ◮ Trust only the BIOS ◮ Logically atomically executed transparently from OS 15

  34. SMM Architecture System Management Mode Protected Mode OS / Program Code 1. Find program in memory SMI occurs SMI Handler 2. Dump to remote host 3. Configure next SMI OS / Program Code Resume from SMM 16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Nighthawk: Transparent System Introspection from Ring -3 ESORICS 2019 Lei Zhou ( ) , Jidong

Nighthawk: Transparent System Introspection from Ring -3 ESORICS 2019 Lei Zhou ( ) , Jidong

Nighthawk: Transparent System Introspection from Ring -3 ESORICS 2019 Lei Zhou ( ) , Jidong Xiao 1 , Kevin Leach 5 , Westley Weimer 5 , F ) , Guojun Wang I ( Central South University,

470 views • 43 slides
Introspection and Consciousness: Wrap-Up Talk David Chalmers Introspection for Great Apes David

Introspection and Consciousness: Wrap-Up Talk David Chalmers Introspection for Great Apes David

Introspection and Consciousness: Wrap-Up Talk David Chalmers Introspection for Great Apes David Chalmers Four Issues The Power of Introspection 1. Doubts about Introspection 2. Mechanisms of Introspection 3. Introspection and Consciousness

733 views • 26 slides
Subverting System Authentication With Context-Aware, Reactive Virtual Machine Introspection

Subverting System Authentication With Context-Aware, Reactive Virtual Machine Introspection

Background Detailed Design Implementation Evaluation Related Work Summary Subverting System Authentication With Context-Aware, Reactive Virtual Machine Introspection Yangchun Fu , Zhiqiang Lin, Kevin Hamlen Department of Computer Science The

814 views • 52 slides
Mosaic: c: A GPU Memory Manager wit with Applic lication ion-Tr Transparent Support fo for

Mosaic: c: A GPU Memory Manager wit with Applic lication ion-Tr Transparent Support fo for

Mosaic: c: A GPU Memory Manager wit with Applic lication ion-Tr Transparent Support fo for Multiple Page Sizes Rachata Ausavarungnirun , Joshua Landgraf, Vance Miller Saugata Ghose, Jayneel Gandhi, Christopher J. Rossbach, Onur Mutlu

271 views • 14 slides
Rustifying the VM Introspection Ecosystem FOSDEM 2020 Dorian Eikenberg Mathieu Tarral Agenda

Rustifying the VM Introspection Ecosystem FOSDEM 2020 Dorian Eikenberg Mathieu Tarral Agenda

Rustifying the VM Introspection Ecosystem FOSDEM 2020 Dorian Eikenberg Mathieu Tarral Agenda What is VM Introspection ? VMI ecosystem today Rustifying the VM Introspection ecosystem Future work Virtualization

718 views • 33 slides
Automatic and Transparent I/O Optimization With Storage Integrated Runtime Support Noah Watkins

Automatic and Transparent I/O Optimization With Storage Integrated Runtime Support Noah Watkins

Automatic and Transparent I/O Optimization With Storage Integrated Runtime Support Noah Watkins Zhihao Jia Galen Shipman Carlos Maltzahn Alex Aiken Pat McCormick UC Santa Cruz Stanford LANL What is this talk about? Convince you that

751 views • 33 slides
vCache: Architectural Support for Transparent and Isolated Virtual LLCs in Virtualized

vCache: Architectural Support for Transparent and Isolated Virtual LLCs in Virtualized

vCache: Architectural Support for Transparent and Isolated Virtual LLCs in Virtualized Environments Daehoon Kim * , Hwanju Kim , Nam Sung Kim * , and Jaehyuk Huh * University of Illinois at Urbana-Champaign, University of Cambridge,

570 views • 18 slides
FEASIBILITY STUDY: Determine the potential to support the work of DCA by analyzing new digital

FEASIBILITY STUDY: Determine the potential to support the work of DCA by analyzing new digital

FEASIBILITY STUDY: Determine the potential to support the work of DCA by analyzing new digital data sources. Purpose of this report Overarching research question USAID/DCA is interested in understanding financial access gaps in real time, so we

450 views • 23 slides
for representing and analyzing problem situations with computer support Nikolai Khomenko

for representing and analyzing problem situations with computer support Nikolai Khomenko

INSA STRASBOURG GRADUATE SCHOOL OF SCIENCE AND TECHNOLOGY A R C H I T E C T S + E N G I N E E R S OTSM Network of Problems for representing and analyzing problem situations with computer support Nikolai Khomenko

837 views • 55 slides
One City, One System Transparent, Consistent, Reliable Seattle City Council Briefing Affordable

One City, One System Transparent, Consistent, Reliable Seattle City Council Briefing Affordable

One City, One System Transparent, Consistent, Reliable Seattle City Council Briefing Affordable Housing, Neighborhoods & Finance Committee February 15, 2017 What is Summit? Summit is the Citys financial management system, built with

495 views • 15 slides
STAR System of Transparent Allocation of Resources Informal Advisory Committee on Capacity

STAR System of Transparent Allocation of Resources Informal Advisory Committee on Capacity

GEFs STAR System of Transparent Allocation of Resources Informal Advisory Committee on Capacity Building for the Implementation of the Nagoya Protocol CBD Secretariat Montreal, September 15-17, 2015 Jai Jaime Caveli lier Programs Unit

464 views • 8 slides
TFS: A Transparent File System for Contributory Storage James Cipar Mark D. Corner

TFS: A Transparent File System for Contributory Storage James Cipar Mark D. Corner

Florida International University TFS: A Transparent File System for Contributory Storage James Cipar Mark D. Corner Emery D. Berger Luis Useche lusec001@cs.fiu.edu 4/3/07 Overview Introduction TFS: Design TFS: Implementation

357 views • 34 slides
Intelligence, Introspection Intelligence, Introspection and Intervention and Intervention The

Intelligence, Introspection Intelligence, Introspection and Intervention and Intervention The

Intelligence, Introspection Intelligence, Introspection and Intervention and Intervention The Vancouver Island Regional The Vancouver Island Regional Approach to Traffic Crashes Approach to Traffic Crashes Richard Stanwick Stanwick MD,

443 views • 26 slides
Transparent Fault Tolerance Support in Model-Based Design Ivan Cibrario Bertolotti * , Tingting Hu

Transparent Fault Tolerance Support in Model-Based Design Ivan Cibrario Bertolotti * , Tingting Hu

Transparent Fault Tolerance Support in Model-Based Design Ivan Cibrario Bertolotti * , Tingting Hu ** , Nicolas Navet ** * National Research Council of Italy IEIIT, Torino, Italy ** University of Luxembourg FSTC, Esch-sur-Alzette,

613 views • 24 slides
Transparent Assessment Providing transparent goals and expectations for students Jonathon Adams

Transparent Assessment Providing transparent goals and expectations for students Jonathon Adams

Transparent Assessment Providing transparent goals and expectations for students Jonathon Adams Shinshu University Thursday, 9 August 12 Outline Aims of the presentation An approach to transparent goals and expectations Example

576 views • 46 slides
Analyzing, Using, and Disseminating Data Jim Ricca, Child Survival Technical Support Project,

Analyzing, Using, and Disseminating Data Jim Ricca, Child Survival Technical Support Project,

Rapid Health Facility Assessment (R-HFA): Analyzing, Using, and Disseminating Data Jim Ricca, Child Survival Technical Support Project, Macro International Bolaji Fapohunda, MEASURE Evaluation R-HFA Data Analysis: Learning Objectives At the

522 views • 19 slides
Ensemble Models for Dependency Parsing: Cheap and Good? Mihai Surdeanu and Christopher D. Manning

Ensemble Models for Dependency Parsing: Cheap and Good? Mihai Surdeanu and Christopher D. Manning

Ensemble Models for Dependency Parsing: Cheap and Good? Mihai Surdeanu and Christopher D. Manning Stanford University June 3, 2010 Ensemble Parsing Parser 2 Parser 1 Parser 3 Ensemble Parser Parser 4

195 views • 18 slides
MALT & NUMAPROF , Memory Profiling for HPC Applications SBASTIEN VALAT FOSDEM 2019

MALT & NUMAPROF , Memory Profiling for HPC Applications SBASTIEN VALAT FOSDEM 2019

1 MALT & NUMAPROF , Memory Profiling for HPC Applications SBASTIEN VALAT FOSDEM 2019 TRACK HPC Origin of the tools 2 PhD. on memory management for HPC (at CEA/UVSQ) MALT , post-doc at Versailles : NUMAPROF , side

532 views • 16 slides
MALT : MALloc Tracker A memory profiling tool 3/02/2019 MALT, Sbastien Valat 1 Questions

MALT : MALloc Tracker A memory profiling tool 3/02/2019 MALT, Sbastien Valat 1 Questions

MALT : MALloc Tracker A memory profiling tool 3/02/2019 MALT, Sbastien Valat 1 Questions We have good profiling tool for timings (eg. Valgrind or vtune) But for what memory profiling ? Memory can be an issue : Availability of

762 views • 40 slides
Using Hardware Features for Increased Debugging Transparency Fengwei Zhang, Kevin Leach, Angelos

Using Hardware Features for Increased Debugging Transparency Fengwei Zhang, Kevin Leach, Angelos

Using Hardware Features for Increased Debugging Transparency Fengwei Zhang, Kevin Leach, Angelos Stavrou, Haining Wang, and Kun Sun. In S&P'15. Fengwei Zhang Wayne State University CSC 6991 Topics in Computer Security 1 Overview

451 views • 28 slides
Algorithms R OBERT S EDGEWICK | K EVIN W AYNE L INEAR P ROGRAMMING brewers problem

Algorithms R OBERT S EDGEWICK | K EVIN W AYNE L INEAR P ROGRAMMING brewers problem

Algorithms R OBERT S EDGEWICK | K EVIN W AYNE L INEAR P ROGRAMMING brewers problem simplex algorithm implementations Algorithms reductions F O U R T H E D I T I O N R OBERT S EDGEWICK | K EVIN W AYNE

633 views • 50 slides
Inspecting the Structural Biases of Dependency Parsing Algorithms Yoav Goldberg and Michael

Inspecting the Structural Biases of Dependency Parsing Algorithms Yoav Goldberg and Michael

Inspecting the Structural Biases of Dependency Parsing Algorithms Yoav Goldberg and Michael Elhadad Ben Gurion University CoNLL 2010, Sweden There are many ways to parse a sentence There are many ways to parse a sentence Transition Based

1.06k views • 81 slides
72 \ (2)(3) = 6 Pant 2 53 k n n n 1 2 k n n ... n n k 1 2 k 1

72 \ (2)(3) = 6 Pant 2 53 k n n n 1 2 k n n ... n n k 1 2 k 1

, ,Pz3 EP f- z shirts - pxSSILsnsz.Si3lpxsI-lPl.lslshirt1pant11shit2@P1.s 72 \ (2)(3) = 6 Pant 2 53 k n n n 1 2 k n n ... n n k 1 2 k 1 k we 22-52 26 ' 16 1600 5 . gb za = = - . 63 E I

756 views • 22 slides
Transition-Based Dependency Parsing Saarbrcken, December 23rd 2011 David Przybilla

Transition-Based Dependency Parsing Saarbrcken, December 23rd 2011 David Przybilla

Transition-Based Dependency Parsing Saarbrcken, December 23rd 2011 David Przybilla davida@coli.uni-saarland.de Outline 1. MaltParser 2. Transition Based Parsing a. Example b. Oracle 3. Integrating Graph and Transition Based 4. Non

606 views • 39 slides

More recommend