SubVirt: Implementing malware with virtual machines
Presented by Boris
The Paper
• SubVirt: Implementing malware(*) with virtual machines
• By
  – S. King, P. Chen (University of Michigan)
  – Y. Wang, C. Verbowski, H. Wang, J. Lorch (Microsoft Research)
• Appears in
  – 2006 IEEE Symposium on Security and Privacy
Topics in Information Security 2007 2
(*) Malware – malicious software
Presentation Outline
• Introduction
• Virtualization Technology
• VM-Based Rootkit Implementation
• Defense
Rootkit
• A tool used to hide malicious activities
• Goals of the attacker
  – More capability
  – Less visibility
• Goals of the defender
  – Detect
  – Prevent
Some History
Level               Attack Technique                     Defense Technique
Application Level   Replace user-level application       Monitor critical file system entries
                    For example: replace ps, ls etc.     TripWire
Kernel Level        Modify kernel data structures        Monitor kernel integrity, detect system hooks
                    FU, hxdef                            VICE
Current State
• Whoever controls a lower level – wins
• Rootkits and detection SW migrate to lower layers
• Both stop at the OS level
• Whoever is smarter – wins
• Attackers must sacrifice functionality for invisibility
Virtualization
• Manage underlying hardware
• Provide an abstraction of a virtual machine
• Common practices
  – Run several OSes on the same system
  – Test and debug
  – Live machine migration
Virtual Machine Introspection
• The semantic gap
  – VM: disk blocks, network packets, memory
  – Guest SW: files, TCP connections, variables
• Read guest OS symbol and page tables
• Use breakpoints to control execution
• Invoke guest OS or application code
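The two bullets "read guest OS symbol and page tables" and the semantic gap are easiest to see in code. The Python below is an added example, not code from the paper or this presentation: it models guest physical memory as the VMM sees it (a flat byte array), walks a 32-bit non-PAE x86 two-level page table from outside the guest, and uses a System.map-style symbol table to read a named kernel variable. The guest image, the page-table placement, the variable name "jiffies" and its virtual address are all constructed for the example; the only thing taken from real hardware is the x86 page-table layout.

```python
import struct

PAGE_SIZE = 0x1000
PRESENT = 0x1  # bit 0 of a page-directory or page-table entry


class GuestPhysicalMemory:
    """What the VMM sees: a flat array of bytes with no notion of files,
    processes or variables (the VM side of the semantic gap)."""

    def __init__(self, size):
        self.mem = bytearray(size)

    def write_u32(self, paddr, value):
        struct.pack_into("<I", self.mem, paddr, value)

    def read_u32(self, paddr):
        return struct.unpack_from("<I", self.mem, paddr)[0]


def translate(mem, cr3, vaddr):
    """Walk a 32-bit, non-PAE x86 two-level page table from outside the guest.
    Returns the guest physical address, or raises LookupError when the page is
    not present (paged out or never mapped); an introspector must handle that
    case instead of reading whatever stale bytes sit in the frame."""
    pd_index = (vaddr >> 22) & 0x3FF
    pt_index = (vaddr >> 12) & 0x3FF
    offset = vaddr & 0xFFF
    pde = mem.read_u32(cr3 + pd_index * 4)
    if not pde & PRESENT:
        raise LookupError(f"page directory entry {pd_index:#x} not present")
    page_table = pde & ~0xFFF
    pte = mem.read_u32(page_table + pt_index * 4)
    if not pte & PRESENT:
        raise LookupError(f"page table entry {pt_index:#x} not present")
    return (pte & ~0xFFF) | offset


def is_mapped(mem, cr3, vaddr):
    """True when the guest virtual address currently resolves to a frame."""
    try:
        translate(mem, cr3, vaddr)
        return True
    except LookupError:
        return False


def read_guest_variable(mem, cr3, symbols, name):
    """Guest-side view: a named kernel variable. The symbol table
    (name -> guest virtual address) plus the page tables bridge the gap."""
    return mem.read_u32(translate(mem, cr3, symbols[name]))


def build_sample_guest():
    """Constructed guest image (not from any real kernel): one page directory,
    one page table and one data frame, with a hypothetical kernel variable
    'jiffies' mapped at a constructed virtual address."""
    mem = GuestPhysicalMemory(16 * PAGE_SIZE)
    cr3 = 0x1000          # physical address of the page directory
    page_table = 0x2000   # physical address of the only page table
    data_frame = 0x5000   # physical frame holding the variable
    var_vaddr = 0xC0003040
    mem.write_u32(cr3 + ((var_vaddr >> 22) & 0x3FF) * 4, page_table | PRESENT)
    mem.write_u32(page_table + ((var_vaddr >> 12) & 0x3FF) * 4, data_frame | PRESENT)
    mem.write_u32(data_frame + (var_vaddr & 0xFFF), 12345)
    symbols = {"jiffies": var_vaddr}
    return mem, cr3, symbols


if __name__ == "__main__":
    mem, cr3, symbols = build_sample_guest()
    print("jiffies =", read_guest_variable(mem, cr3, symbols, "jiffies"))
    print("0xC0004000 mapped:", is_mapped(mem, cr3, 0xC0004000))
```

The same walk is what a defender's introspection tool needs when it checks a guest from a trusted VMM, and what the paper's VMBR uses against the guest; the direction of trust, not the page-table code, is what differs.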
VMBR – a new class of rootkits
• Virtual Machine-Based Rootkit (VMBR)
  – Use virtual-machine technologies
  – Gain maximum control
  – Allow arbitrary malware yet stay invisible
VMBR Implementation I
• How do we get there? - Installation
• What can we do? - Malicious Services
• Looks nice, so…How long can we stay? - Maintaining Control
• What is the price? - Performance
Installation
Installation – contd.
• Acquire root-level access
  – Exploit a remote vulnerability
  – Corrupt a software / bootable image on a P2P network
• Save to persistent storage
  – Use the file system
  – Use low-level access
• Modify boot sequence (and avoid detection)
  – Run at shutdown
  – Take over the low-level disk controller
Microsoft Security Bulletin MSxx-xxx: “A remote code execution vulnerability exists in … that could allow remote code execution on an affected system. An attacker could exploit the vulnerability by … An attacker … could take complete control of an affected system.”
Malicious Services
• Class I – No interaction with the target system
  – Spam relays
  – Phishing servers (*)
  – Distributed DoS zombies
(*) denotes services implemented by the authors
Malicious Services – contd.
• Class II – Observe the target system
  – Hardware
    • Key loggers (*)
    • Packet monitor
  – Using VMI
    • Intercept SSL packets before encryption
    • Scan for sensitive data (e.g. ~user/.ssh/id_dsa) (*)
Malicious Services – contd.
• Class III – Deliberately modify the target system
  – Can either modify HW-level data or use VMI
  – Examples:
    • Modify execution of target applications (*)
    • Modify network traffic
Maintaining Control
• VMBR has full control of the system while powered up
• No control from system power-up until load of the VMBR
  – User can boot from alternate media
• Avoiding power-up
  – Emulate restarts – only restart the VM (*)
    • Alternate boot media is loaded under the VMBR!
  – Avoid complete shutdown (*)
    • Emulate shutdown using ACPI
Performance
                        Size (compressed / uncompressed)   Download time (725 kbps / 5 Mbps)
VMware-based VMBR       95 MB / 228 MB                     18 min / 2.5 min
Virtual PC-based VMBR   106 MB / 251 MB                    20 min / 3 min
• System performance is hardly affected
  – About 3% RAM usage for the Virtual PC-based VMBR
  – Video-intensive applications may suffer degraded performance
    • Solution: graphics card doesn’t have to be virtualized…
Performance – contd.
                                 Installation   Target boot     Target boot       Target boot         Host boot         Host + target boot
                                                without VMBR    emulated reboot   emulated shutdown   after power-off   after power-off
VMware (Linux target)            24             53              74                96                  52                145
Virtual PC (Windows XP target)   262            23              54                N/A                 45                101
• All times are given in seconds
• All measurements have variance less than 3%
Security Below the VMBR
• Hardware-based defense
  – Intel’s Trusted Execution Technology (formerly LaGrande)
  – AMD’s platform for trustworthy computing initiative
  – Copilot – PCI-based integrity monitor
• Secure boot from CD or network
  – Do not forget to unplug…
• Secure VMM
  – Detect and prevent VMBRs at the installation stage
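The "secure boot from CD or network" bullet and the earlier installation step "modify boot sequence" meet in one concrete check a defender can run from trusted media: compare the disk's master boot record against a baseline recorded when the machine was known-good, the TripWire idea from the history slide applied to the boot record. The Python below is an added example, not code from the paper or this presentation. The MBR layout it parses (446 bytes of bootstrap code, four 16-byte partition entries, 0x55AA signature) is the standard one; the sample boot records, the baseline and the function names are constructed for the example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bootstrap code occupies bytes 0..445
PARTITION_TABLE_OFF = 446    # four 16-byte partition entries follow
BOOT_SIGNATURE = 0xAA55      # bytes 0x55 0xAA at offsets 510..511, little-endian


def parse_mbr(sector):
    """Split a 512-byte master boot record into the pieces an integrity
    monitor records: a hash of the bootstrap code, the partition table
    entries, and whether the boot signature is intact."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        # status, 3 CHS bytes, type, 3 CHS bytes, LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({"active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    signature = struct.unpack_from("<H", sector, 510)[0]
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": signature == BOOT_SIGNATURE,
    }


def compare_to_baseline(current, baseline):
    """Return a list of findings; an empty list means the boot record matches
    the baseline taken while the machine was known-good."""
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature missing")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("bootstrap code changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def make_sample_mbr(boot_code):
    """Constructed MBR: the given bootstrap bytes, one active Linux partition
    starting at LBA 2048, and a valid signature. Not a real boot sector."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<B3xB3xII", sector, PARTITION_TABLE_OFF, 0x80, 0x83, 2048, 1_000_000)
    struct.pack_into("<H", sector, 510, BOOT_SIGNATURE)
    return bytes(sector)


def demo_boot_record_check():
    """Baseline a clean record, then compare it with itself and with a record
    whose loader code differs while the partition table is untouched: the
    machine would still boot the same OS, but through code the baseline
    never saw. Returns both finding lists."""
    baseline = parse_mbr(make_sample_mbr(b"\xEB\x3C\x90" + b"CLEAN-BOOTLOADER"))
    modified = parse_mbr(make_sample_mbr(b"\xEB\x3C\x90" + b"OTHER-BOOTLOADER"))
    return compare_to_baseline(baseline, baseline), compare_to_baseline(modified, baseline)


if __name__ == "__main__":
    unchanged, changed = demo_boot_record_check()
    print("clean record:", unchanged or "matches baseline")
    print("modified record:", changed)
```

Read the sector from the clean boot medium, not from inside the running system: the next slide notes that a VMBR can hide disk usage by emulating bad blocks, so a read issued through a possibly virtualized disk controller returns whatever the layer below chooses, and the baseline itself has to be stored where that layer cannot reach it.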
Security Above the VMBR
• Detect VMM impact on the system
  – Memory: VMBR can hide memory usage by paging
  – Disk: VMBR can hide disk usage by emulating bad blocks
  – CPU: VMBR can slow down the target’s clock
    • Run benchmarks against a wall-mount clock
• Detect modifications to I/O drivers
  – VMBR can emulate only what it needs
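The "run benchmarks against a wall-mount clock" bullet is the one check on this slide that can be written down as a procedure. The Python below is an added example, not from the paper or this presentation: a fixed CPU-bound workload, the ratio between the duration the guest's own clock reports for it and the duration an external reference clock reports, and a median-based decision so that one noisy run cannot trigger or mask a finding. The sample measurements are constructed, and the 5% tolerance is an assumed threshold rather than a value from the paper.

```python
import statistics
import time


def cpu_benchmark(iterations=200_000):
    """Fixed CPU-bound workload timed with the guest's own clock; this is the
    number a VMBR that slows the clock would keep looking 'normal'."""
    start = time.perf_counter()
    acc = 0
    for i in range(iterations):
        acc = (acc * 31 + i) & 0xFFFFFFFF
    return time.perf_counter() - start


def clock_skew_ratio(guest_seconds, reference_seconds):
    """How much longer the run took according to the external reference than
    according to the guest clock. 1.0 means the two clocks agree."""
    if guest_seconds <= 0:
        raise ValueError("guest clock reported a non-positive duration")
    return reference_seconds / guest_seconds


def detect_slowed_clock(samples, tolerance=0.05):
    """samples: (guest_seconds, reference_seconds) pairs, one per run of the
    same workload. Flags when the median ratio exceeds 1 + tolerance.
    Returns (flagged, median_ratio)."""
    if not samples:
        raise ValueError("need at least one sample")
    ratios = [clock_skew_ratio(g, r) for g, r in samples]
    median = statistics.median(ratios)
    return median > 1.0 + tolerance, median


# Constructed measurements (not from the paper): the workload timed by the
# guest clock and by an external stopwatch-style reference, on a clean host.
NATIVE_SAMPLES = [(1.00, 1.01), (1.02, 1.02), (0.99, 1.00), (1.01, 1.03), (1.00, 1.00)]
# Constructed measurements under a layer that hides its overhead by slowing
# the guest clock: the guest still reports about 1 s, the reference does not.
SLOWED_SAMPLES = [(1.00, 1.25), (1.01, 1.24), (1.00, 1.30), (0.99, 1.22), (1.02, 1.27)]


if __name__ == "__main__":
    print("one local run of the workload took", round(cpu_benchmark(), 3), "s by the guest clock")
    for label, samples in (("native", NATIVE_SAMPLES), ("slowed", SLOWED_SAMPLES)):
        flagged, median = detect_slowed_clock(samples)
        print(f"{label}: median ratio {median:.3f}, flagged={flagged}")
```

The reference clock must be one the layer below cannot virtualize, which is why the slide says wall-mount clock: a time source read over the guest's own network interface passes through the same layer that may be lying about the CPU clock.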
Conclusions
• VMBR is a new form of layer-below attack
• VMBRs can provide features unavailable to traditional rootkits
• VMBRs are easy to implement
• VMBRs are difficult to detect and remove
• Future of VMBRs
  – Widespread use of virtualization
  – Hardware support for virtualization
Thank You
Home Assignment
• What are the advantages of a VM-based rootkit over an OS-level rootkit from the attacker’s point of view?
• If complete control over the hardware is achieved, why is VMI still required? Discuss the differences between HW-level and VMI-based key loggers.
• Suppose a secure file system is deployed on the host. Would user data remain secure from a malicious service running within a VMBR? Explain.
• How would hardware support for virtualization affect VMBRs?