Ether: Malware Analysis via Hardware Virtualization Extensions
Authors: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee
Presenter: Yi Yang
Agenda
• Motivation
• Transparency Requirements
• Ether Framework
• Experiments and Evaluation
• Conclusion
Motivation
• Malware definition: short for malicious software; software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
• Malware categories: computer viruses, worms, trojan horses, rootkits, spyware, adware, rogue security software, and other malicious programs.
• Malware problem: malware has become the centerpiece of most security threats on the Internet.
Malware Analysis
• There is a profound need to understand malware behavior:
  – Forensics and asset remediation
  – Threat analysis
• Malware authors make analysis very challenging
  – Direct financial motivation
• Focal point of malware analysis: how to detect versus how to hide a malware analyzer from malware during runtime
Two Types of Malware Analysis
• Static analysis
  – What a program would do
  – Complete view of program behavior
  – Requires accurate disassembly of x86 machine code
  – Often impossible to do in practice
• Dynamic analysis
  – Shows what a program actually did when executed
  – Only gives a partial view of program behavior
  – Question: how do you hide your analyzer?
The Malware Uncertainty Principle
• An important practical problem
• Observer affecting the observed environment
• Robust and detailed analyzers are typically invasive
• Malware will refuse to run
Solving the Malware Uncertainty Principle
• An analyzer's aim should be transparency.
  – Defining transparency: the execution of the malware and the malware analyzer is governed by the principle of non-interference.
Transparency Requirements
• Higher privilege
• No non-privileged side effects
• Same instruction execution semantics
• Transparent exception handling
• Identical notion of time
Fulfilling Transparency Requirements
• Reduced privilege guests (VMware, etc.)
  – Non-privileged side effects
• Emulation (full system emulator: QEMU)
  – Instruction execution semantics
• Idea: use hardware-assisted virtualization
  – Poses complex analysis challenges
Ether Framework
• Software that can utilize hardware virtualization extensions: Xen hypervisor
• Hardware virtualization platform: Intel VT
• Target operating system: Windows XP
Intel VT Hardware Virtualization Extensions
Architecture of Ether
Using Intel VT for Malware Analysis
• Ether should be able to monitor some instructions:
  – Instructions executed by a guest process, any memory writes a guest process performs, and any system calls a guest process makes.
• Intel VT extensions do not provide support for these monitoring activities
Monitoring Activities
• Monitoring instruction execution
• Monitoring memory writes
• Monitoring system call execution
Maintaining Analyzer Transparency
• Despite making several modifications to the guest, Ether maintains transparency of the analyzer by ensuring such changes are undetectable
Potential Attacks
• While theoretically resilient against in-guest detection attacks, current architectural restrictions make some of these attacks possible
• Ether is vulnerable to a class of timing attacks using external timing sources
• Detection methods:
  – In-memory presence
  – CPU registers
  – Memory protection
  – Privileged instruction handling
  – Instruction emulation
  – Timing attacks
Architectural Limitations
• Intel VT suffers from some architectural limitations which may allow Ether to be detected under certain circumstances.
• Different hardware virtualization extensions exist that do not suffer from such limitations.
• Intel VT suffers from two main flaws which allow the current implementation to be detected by observing implicit changes to the memory hierarchy:
  – Intel flushes the TLB on every VM exit;
  – Paging mode must be turned on before entering VMX root code.
Experiments and Evaluation
• Two tools based on Ether: EtherUnpack and EtherTrace.
• EtherUnpack traces memory writes and single instructions (i.e., fine-grained tracing).
• EtherTrace traces system calls (i.e., coarse-grained tracing).
• These tools are used to evaluate Ether and compare it against current approaches.
Packing vs Unpacking
• Packing is a term used to describe the obfuscation and encryption of program code to thwart static analysis.
• The result of packing is that signature-based approaches fail to identify packed malware as malicious.
• Opposite to packers, unpackers are programs which attempt to obtain the original code hidden by the packer.
About EtherUnpack
About EtherUnpack
• Precise universal automated unpacker
• Uses instruction-by-instruction tracing (fine-grained tracing) to detect unpack-execute behavior
• If code that was written is later executed, unpack execution occurred
• Able to handle multiple packing layers
• Dumps unpacked memory images to disk
Evaluation: EtherUnpack
• Looked for a 32-byte string present in the original code section
• Not a random string
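The written-then-executed rule from the two EtherUnpack slides above, replayed in Python over a constructed trace. This is an added example and not EtherUnpack's code: the `Event` record format, page-granularity write tracking, the two-layer sample trace, the zero-filled image and the 32-byte `MARKER` string are all assumptions made here. EtherUnpack obtains the underlying write and execute events from the hypervisor; this example only shows how such events turn into layer boundaries and dumps, and how the evaluation's marker check applies to those dumps.

```python
from dataclasses import dataclass

# 4 KiB pages. Write tracking is done per page here, which is an assumption of
# this example rather than a statement about EtherUnpack's internals.
PAGE_SHIFT = 12

# Constructed 32-byte marker standing in for the known string that the
# evaluation looked for in the original (pre-packing) code section.
MARKER = b"ORIGINAL-CODE-MARKER-0123456789A"


@dataclass
class Event:
    """One trace record: a memory write or an instruction fetch (constructed format)."""
    kind: str          # "write" or "exec"
    addr: int          # guest virtual address
    data: bytes = b""  # payload for write events


class UnpackDetector:
    """Replays a write/exec trace and dumps memory at every unpack-execute transition."""

    def __init__(self, base, size):
        self.base = base
        self.mem = bytearray(size)     # tracked guest image (zero-filled, constructed)
        self.dirty_pages = set()       # pages written since the last layer boundary
        self.layers = []               # (entry address, memory snapshot) per boundary

    def on_write(self, addr, data):
        off = addr - self.base
        if off < 0 or off + len(data) > len(self.mem):
            raise ValueError(f"write outside tracked image: {addr:#x}")
        self.mem[off:off + len(data)] = data
        first = addr >> PAGE_SHIFT
        last = (addr + len(data) - 1) >> PAGE_SHIFT
        self.dirty_pages.update(range(first, last + 1))

    def on_exec(self, addr):
        # Code that was written and is now executed: a new layer has been unpacked.
        if (addr >> PAGE_SHIFT) in self.dirty_pages:
            self.layers.append((addr, bytes(self.mem)))
            self.dirty_pages.clear()   # the next layer starts from a clean slate
            return True
        return False

    def replay(self, events):
        for ev in events:
            if ev.kind == "write":
                self.on_write(ev.addr, ev.data)
            elif ev.kind == "exec":
                self.on_exec(ev.addr)
            else:
                raise ValueError(f"unknown event kind: {ev.kind}")
        return self.layers


def layer_with_marker(layers, marker=MARKER):
    """Index of the first dumped layer whose image contains the marker, or None."""
    for i, (_, image) in enumerate(layers):
        if marker in image:
            return i
    return None


def sample_trace():
    """Constructed two-layer unpacking trace; not derived from any real packer."""
    layer1 = b"\x90" * 16       # second-stage stub, "decoded" by the first stage
    layer2 = b"\xc3" + MARKER   # original code, carrying the marker
    return [
        Event("exec", 0x401000),            # first-stage stub runs from the on-disk image
        Event("write", 0x402000, layer1),   # it writes the second stage
        Event("exec", 0x401005),
        Event("exec", 0x402000),            # control enters written memory: boundary 1
        Event("write", 0x403000, layer2),   # second stage writes the original code
        Event("exec", 0x403000),            # boundary 2: the final layer
        Event("exec", 0x403001),            # more of the same layer: no new dump
    ]


def demo():
    det = UnpackDetector(base=0x400000, size=0x4000)
    layers = det.replay(sample_trace())
    return len(layers), layer_with_marker(layers)


if __name__ == "__main__":
    count, idx = demo()
    print(f"{count} unpack-execute transitions; marker recovered in layer dump {idx}")
```

Clearing the dirty set at each boundary is what lets the detector report several layers rather than one: the second stage's writes are tracked afresh, so the final jump into the original code is seen as its own transition, and only that dump contains the marker.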
Evaluation: EtherUnpack
• Ether is more transparent
About EtherTrace
• An implementation of a coarse-grained tracer using the Ether framework
• Traces the Windows equivalent of system calls (Native API)
• Information provided:
  – Call name
  – Typed arguments
  – Return values
  – Context (process ID, thread ID)
Evaluation: EtherTrace
• Examine trace logs for expected actions
  – File
  – Registry
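A small checker for the "examine trace logs for expected actions" step, covering the four pieces of information the EtherTrace slide lists (call name, typed arguments, return value, process and thread context). This is an added example, not part of the presentation or of the Ether project: the line layout in `SAMPLE_LOG`, the log lines themselves, the call-name sets and the `EXPECTED` actions are all constructed here, standing in for EtherTrace's real output format.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed trace lines in an EtherTrace-like shape: process/thread context,
# Native API call name, typed arguments and the NTSTATUS return value. The
# exact layout is an assumption made for this example, not EtherTrace's output.
SAMPLE_LOG = r"""
[pid 1040 tid 1044] NtCreateFile(ObjectName="\??\C:\WINDOWS\system32\svchost_upd.exe", DesiredAccess=0x40100080) = 0x00000000
[pid 1040 tid 1044] NtWriteFile(FileHandle=0x7c, Length=24576) = 0x00000000
[pid 1040 tid 1044] NtOpenKey(ObjectName="\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\Run") = 0x00000000
[pid 1040 tid 1044] NtSetValueKey(KeyHandle=0x80, ValueName="svchost_upd", Data="C:\WINDOWS\system32\svchost_upd.exe") = 0x00000000
[pid 1040 tid 1048] NtOpenKey(ObjectName="\Registry\Machine\Software\Vendor\Missing") = 0xc0000034
[pid 2012 tid 2016] NtCreateFile(ObjectName="\??\C:\Documents and Settings\user\notes.txt", DesiredAccess=0x80000000) = 0x00000000
"""

LINE_RE = re.compile(
    r"^\[pid (?P<pid>\d+) tid (?P<tid>\d+)\] (?P<call>\w+)\((?P<args>.*)\) = (?P<ret>0x[0-9a-fA-F]+)$")
ARG_RE = re.compile(r'(\w+)=("[^"]*"|[^,]+)')
FILE_CALLS = {"NtCreateFile", "NtOpenFile", "NtReadFile", "NtWriteFile", "NtDeleteFile"}
REGISTRY_CALLS = {"NtOpenKey", "NtCreateKey", "NtQueryValueKey", "NtSetValueKey", "NtDeleteValueKey"}


@dataclass
class Call:
    pid: int
    tid: int
    name: str
    args: dict
    status: int

    @property
    def succeeded(self):
        # NT_SUCCESS: an NTSTATUS with the high bit clear is success or informational.
        return self.status < 0x80000000


def decode_value(raw):
    """Turn a textual argument into str or int, mirroring the trace's typed arguments."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw.lower().startswith("0x"):
        return int(raw, 16)
    return int(raw) if raw.isdigit() else raw


def parse_trace(text):
    calls = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed trace line: {line}")
        args = {k: decode_value(v.strip()) for k, v in ARG_RE.findall(m["args"])}
        calls.append(Call(int(m["pid"]), int(m["tid"]), m["call"], args, int(m["ret"], 16)))
    return calls


def summarize(calls):
    """Per-process counts of successful file and registry calls, and of failed calls."""
    summary = defaultdict(lambda: {"file": 0, "registry": 0, "failed": 0})
    for c in calls:
        bucket = summary[c.pid]
        if not c.succeeded:
            bucket["failed"] += 1
        elif c.name in FILE_CALLS:
            bucket["file"] += 1
        elif c.name in REGISTRY_CALLS:
            bucket["registry"] += 1
    return dict(summary)


@dataclass(frozen=True)
class Expected:
    category: str   # "file" or "registry"
    call: str       # Native API call that should appear
    arg: str        # argument to inspect
    needle: str     # substring that must appear in that argument


# Actions the analyst expects the sample to perform (constructed for the demo).
EXPECTED = [
    Expected("file", "NtCreateFile", "ObjectName", "svchost_upd.exe"),
    Expected("registry", "NtSetValueKey", "ValueName", "svchost_upd"),
    Expected("registry", "NtOpenKey", "ObjectName", r"\Vendor\Missing"),  # only a failed call matches
]


def check_expected(calls, expected, pid):
    """For each expected action, True if a successful call from `pid` satisfies it."""
    return [
        (exp, any(c.pid == pid and c.name == exp.call and c.succeeded
                  and exp.needle in str(c.args.get(exp.arg, ""))
                  for c in calls))
        for exp in expected
    ]


if __name__ == "__main__":
    calls = parse_trace(SAMPLE_LOG)
    print(summarize(calls))
    for exp, seen in check_expected(calls, EXPECTED, pid=1040):
        print("OK     " if seen else "MISSING", exp.category, exp.call, exp.arg, exp.needle)
```

The return value is what makes the check meaningful: an `NtOpenKey` that came back with an error status is evidence of an attempt, not of an action, so `check_expected` only credits calls whose NTSTATUS indicates success, and `summarize` keeps failed calls in their own bucket so they remain visible in the report.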
Evaluation: EtherTrace
• Ether is more transparent
Conclusion
• Ether: a transparent and external malware analyzer that is based on hardware virtualization extensions such as Intel VT.
• Ether is an implementation of a different approach.
• Evaluation confirms Ether is more transparent.
• Theoretically, it can do better:
  – improving resistance to timing attacks and memory hierarchy detection attacks.
Reference
• http://ether.gtisc.gatech.edu/
Questions?