Author: Jiang Wang, Angelos Stavrou, and Anup Ghosh
Conference: RAID 2010
Advisor: Yuh-Jye Lee
Reporter: Yi-Hsiang Yang
Email: [email protected]
Date: 2011/4/28
Outline
• Introduction
• Related Work
• System Architecture
• Implementation
• Evaluation
• Conclusion
Introduction
• Virtual Machine Monitors (VMMs)
  • Deep isolation of untrusted software components
  • Attackers target VMM vulnerabilities
• HyperCheck
  • Works at the BIOS level
  • Uses the CPU System Management Mode (SMM)
Related work
• Copilot employed a special PCI device to poll the physical memory of the host and send it to an admin station periodically
• HyperGuard: Rutkowska et al. suggested using the SMM of the x86 CPU to monitor the integrity of the hypervisor
• DeepWatch also offers detection of hypervisor rootkits by using the embedded micro-controller(s) in the chipset, relying on hardware-assisted virtualization technologies such as Intel VT-d
• Flicker uses a TPM-based method to provide a minimal Trusted Code Base (TCB), which can be used to detect modifications to the kernel
Threat model
• System Management Mode (SMM)
  • Present since the Intel386 SL and Intel486 SL processors
  • The processor enters SMM when the external SMM interrupt pin (SMI#) is activated or an SMI is received from the advanced programmable interrupt controller (APIC)
  • The processor switches to a separate address space, called system management RAM (SMRAM)
Attacker's capabilities
• Exploit vulnerabilities in any software after bootup, e.g. compromise a guest domain and escape to the privileged domain
• Modify the hypervisor code or data using any known or zero-day attack, e.g. a DMA attack
General Assumptions
• The attacker cannot tamper with the PCI NIC using the same driver interface
• SMRAM is properly set up by the BIOS at boot time and locked
Limitations
• The analysis cannot protect against attacks that modify dynamically generated function pointers
In-scope Attacks
• Aims to detect in-memory Ring-0 level rootkits
• Rootkits: a set of programs and code that allows a permanent or consistent
  • Modifies the memory and/or registers
  • Runs at the kernel level
  • E.g. the idt-hook rootkit: modifies the interrupt descriptor table (IDT) and gains control of the complete system
System Architecture
• HyperCheck is composed of three key components
  • Physical memory acquiring module: reads the contents of the physical memory and sends the data to the analysis module
  • Analysis module: checks the memory contents and verifies whether anything has been altered
  • CPU register checking module: reads the registers and validates them
System Architecture
System Architecture
• HyperCheck should not rely on any software running on the protected host; use hardware instead
  • PCI Ethernet card as the memory acquiring module
  • SMM to read the CPU registers
• Uses the CR3 register to translate virtual addresses to physical addresses
System Architecture - Acquiring the physical memory
• Two ways to acquire the physical memory
  • Software method: /dev/kmem on Linux or \Device\PhysicalMemory on Windows; cannot be trusted if the operating system or the hypervisor is compromised
  • Hardware method: uses a PCI device; depends less on the integrity of the operating system or the hypervisor
System Architecture - Acquiring the physical memory
• HyperCheck puts the NIC driver into the SMM code
  • Prevents a malicious NIC driver in the OS from spoofing the SMM driver
  • Uses a secret key obtained from the monitor machine at boot time and stored in the SMRAM
• Denial of service (DoS) attacks
  • The Advanced Configuration and Power Interface (ACPI) allows the operating system to control the state of the devices
System Architecture - Translating the physical memory
• Three properties of the kernel memory
  • Linear mapping: kernel memory is linearly mapped to physical memory
  • Static nature: the contents of the monitored part of the hypervisor have to be static
  • Persistence: the memory will not be swapped to the hard disk
System Architecture - Reading and verifying the CPU registers
• The Ethernet card cannot read the CPU registers, so SMM of the x86 CPU is used
  • When the CPU switches to SMM it saves the register context in the SMRAM
• Focuses on monitoring two registers:
  • IDTR: should never change after system initialization
  • CR3: used to translate the physical addresses of the hypervisor kernel code and data
Implementation: HyperCheck-I
• The virtual machine uses QEMU; the analysis module runs on the host of QEMU
• Placed the NIC driver into the SMM; the program runs in SMM, collects the CPU registers and sends them out via the Ethernet card
• Quick prototyping and debugging
• The QEMU network card is much slower than a real NIC device (10MB/s), so performance may not reflect real-world performance
Implementation - Memory Acquiring module
• SMM code is one part of the BIOS ("Using SMM for 'Other Purposes'", Phrack Magazine, 2008)
• Writes the SMM code in 16-bit assembly; uses a user-level program to open the SMRAM and copy the assembly code into the SMRAM
• Programs the transferring part in assembly
  • The assembly code is compiled to an ELF object file
  • Wrote a loader that parses the ELF object file and loads the code and data into the SMM
• Modified the existing Linux E1000 driver to initialize the network card
Implementation - Memory Acquiring module
• Two transmission descriptors per packet
  • Header: the NIC is already initialized by the OS
  • Data: prepare the descriptor table and write it to the Transmit Descriptor Tail (TDT) register of the NIC
• Secret key
  • Create a random seed to selectively hash the data for one-time pad encryption
  • Serial random numbers index the positions of the memory being scanned
Implementation - Analysis module
• Runs on CentOS 5.3
• Tcpdump filters the packets from the acquiring module and its output is sent to the analysis module
• Recovers the contents using the same secret key
• Written as a Perl script that reads the input and checks for any anomalies
  • Compares every two consecutive memory snapshots
  • Checks the integrity of the control data and code
  • Control data includes the IDT table, hypercall table and exception table of Xen
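Added example, not code from the talk or from the HyperCheck authors: a Python sketch of the acquiring/analysis exchange from the last two slides, where the acquiring module encrypts the static control regions with a pad derived from the shared secret key and a per-scan seed, and the analysis module recovers them and diffs consecutive snapshots plus the IDTR/CR3 values. The region layout, the HMAC-based pad construction and all memory/register values are constructed assumptions.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Static control regions named in the talk (IDT, hypercall table, exception table of Xen).
# Offsets and sizes are constructed for this example and are not Xen's real layout.
REGIONS = {"idt": (0x000, 64), "hypercall_table": (0x100, 64), "exception_table": (0x200, 64)}

def keystream(secret: bytes, seed: bytes, length: int) -> bytes:
    """Pad derived from the shared secret and the per-scan random seed.
    HMAC-SHA256 in counter mode is an assumption; the talk only says a secret
    key and a random seed drive the one-time pad encryption."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(secret, seed + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def xor_regions(regions: Dict[str, bytes], secret: bytes, seed: bytes) -> Dict[str, bytes]:
    """XOR every region with its own pad: the acquiring module (in SMM) encrypts with it,
    the analysis module on the monitor applies it again to recover (XOR is its own inverse)."""
    return {name: bytes(b ^ k for b, k in zip(data, keystream(secret, seed + name.encode(), len(data))))
            for name, data in regions.items()}

def acquire(memory: bytes, secret: bytes, seed: bytes) -> Dict[str, bytes]:
    """Acquiring module: read the static regions from the physical memory image and encrypt them."""
    plain = {name: memory[base:base + size] for name, (base, size) in REGIONS.items()}
    return xor_regions(plain, secret, seed)

def analyze(prev: Dict[str, bytes], cur: Dict[str, bytes],
            regs_prev: Dict[str, int], regs_cur: Dict[str, int]) -> List[str]:
    """Analysis module: any change in a static region or in IDTR/CR3 between scans is an anomaly."""
    anomalies = [f"memory:{n}" for n in REGIONS if prev[n] != cur[n]]
    anomalies += [f"register:{r}" for r in ("IDTR", "CR3") if regs_prev[r] != regs_cur[r]]
    return anomalies

def demo() -> Tuple[List[str], List[str]]:
    """Two scans of clean memory, then a scan after an IDT entry and IDTR were changed."""
    secret = b"monitor-shared-key"                   # constructed; fetched at boot, kept in SMRAM
    memory = bytearray(b"\x90" * 0x300)              # constructed 768-byte "physical memory"
    regs = {"IDTR": 0xC0400000, "CR3": 0x00100000}   # constructed baseline register values
    snap1 = xor_regions(acquire(bytes(memory), secret, b"scan1"), secret, b"scan1")
    snap2 = xor_regions(acquire(bytes(memory), secret, b"scan2"), secret, b"scan2")
    clean = analyze(snap1, snap2, regs, regs)
    memory[0x10:0x14] = b"\xde\xad\xbe\xef"          # an idt-hook style change to one IDT entry
    snap3 = xor_regions(acquire(bytes(memory), secret, b"scan3"), secret, b"scan3")
    tampered = analyze(snap2, snap3, regs, {**regs, "IDTR": 0xC0500000})
    return clean, tampered
```

The first comparison returns no anomalies; the third scan reports both the changed IDT region and the changed IDTR, which is the detection the analysis module is built around.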
Implementation - CPU register checking module
• Triggering an SMI to enter SMM
  • SMI is often used for power management, and the Southbridge provides some timers to monitor the state of a device
  • Employ the Ethernet card to trigger the SMI event
• Checking the registers in SMM
• Reporting the result
Implementation: HyperCheck-II
• Target: Xen 3.1, Intel E1000 Ethernet card
• The SMM NIC driver from the QEMU VM does not work on the physical machine; the NIC can access the SMRAM only in a QEMU VM
• Reserved 12MB for HyperCheck by using the mem parameter
• Monitor / analysis module: used for performance measurement
Evaluation: HyperCheck-I
• Dell Precision 690, 8GB RAM, 3.0GHz Intel Xeon CPU with two cores
• The host: CentOS 5.3 64-bit; QEMU version 0.10.2; Xen version 3.3.1; Domain 0 was CentOS 5.3 32-bit with PAE
HyperCheck-II
• Dell Optiplex GX 260, 2.0GHz Intel Pentium 4 CPU, 512MB memory
• Xen 3.1 and Linux 2.6.18; Domain 0 is CentOS 5.4
Evaluation - Detection
• HDD DMA attacks that modify the Xen hypervisor and Domain 0
  • Four attacks on the Xen hypervisor and two attacks on Domain 0
• Modified the pcnet NIC in QEMU to attack Linux and Windows operating systems
Evaluation - Monitoring overhead
• Internal NIC transfer FIFO is 16KB
Evaluation - Operation
• Two programs
  • Use dummy SMM code: measures the time for switching between protected mode and SMM
  • Use the registers to simulate the verification of IDTR and CR3
• Sending the data: 73 million cycles. Accessing the main memory: 5.28 million cycles. The total time is 80 million cycles
Evaluation - Overhead of the operations
Evaluation
• Reading memory contents and comparing: 230 ms in total, 49 ms for only comparing the data
Evaluation
Conclusion
• Introduced HyperCheck, a hardware-assisted tamper detection framework
• Relies on the CPU System Management Mode (SMM)
• Implemented two prototypes: QEMU and a physical x86 machine
• HyperCheck operation is relatively lightweight: it produces and communicates a scan of the state of the protected software in less than 40ms
Thanks for listening!
Q&A