
Posted on 21-Jan-2016


TRANSCRIPT

Page 1: SECURITY BREAKTHROUGH INTRODUCING HYPERVISOR MEMORY INTROSPECTION Bo Skeel, Chief Evangelist bskeel@bitdefender.com @Bo_Skeel

SECURITY BREAKTHROUGH

INTRODUCING HYPERVISOR MEMORY INTROSPECTION

Bo Skeel, Chief Evangelist
bskeel@bitdefender.com
@Bo_Skeel

Page 2

ROOT-KIT EXPLAINED

A root-kit is designed to attack the kernel and hide itself at the lowest possible level.

Use cases:

• Provide the attacker with a backdoor
• Bypass authentication and authorization mechanisms
• Conceal other malware, for instance key loggers
• Use the system to perform attacks on other systems
• Modify the boot sector, for instance to attack full disk encryption or to intercept encryption keys and passwords
• Make the system part of a botnet that can launch denial-of-service attacks, distribute spam, conduct click fraud, etc.

Page 3

SECURITY TRENDS

Advanced Persistent Threats (APTs), botnets and cyber-espionage heavily rely on:

• Rootkits
• Kernel exploits
• 0-days

Page 4

ADVANCED PERSISTENT THREAT (APT) ACTION FLOW

1. Infection vector
• Spear phishing
• Drive-by downloads
• Trojans

2. Exploit
• CVE-2012-0158 → APT28
• CVE-2013-1347 → Energetic Bear
• CVE-2014-0497 → DarkHotel

3. User-app payload
• Code injection → Energetic Bear, Epic Turla, Regin, Zeus, etc.
• API hooking → Dyreza, GameOver…

4. Kernel payload
• Stealthiness & persistence → kernel rootkits (Necurs, TDL), bootkits

5. Remote control of victim
• Espionage & data exfiltration
• Identity theft
• Sabotage

Pages 5 to 11

WHY DOES ADVANCED MALWARE SUCCEED?

[Diagram, built up step by step across slides 5 to 11. Left stack, labelled "Common Malware": App 1 (Office), App 2 (Browser), Security solution, Security filter, OS kernel, Drivers; the isolation boundary is kernel controlled and the malware sits above it, where the in-OS security solution can see it. Right stack, labelled "Advanced Malware": the same layers, but the malware has reached the kernel/driver level; the isolation is bypassed and the malware has control, including over the security solution that depends on the kernel.]

Advanced attacks evade traditional in-OS security approaches

Pages 12 to 13

WHY DOES ADVANCED MALWARE SUCCEED?

[Diagram: the in-OS security solution shown on its own, followed by question marks.]

Page 14

EVASIVE MALWARE BEHAVIOR

Page 15

INTRODUCING:

HYPERVISOR MEMORY INTROSPECTION

Page 16

WHAT IS HYPERVISOR MEMORY INTROSPECTION?

• Provide security from outside the guest OS
• Not relying on the OS for isolation of the security services
• Not exposed to advanced threats running inside the guest

• Direct access to analyse the memory of the guest OS and its applications
• Hook memory as non-executable or non-writable using hardware virtualization extensions
• Hooking & notification must be supported efficiently by the CPU

• Audit accesses by code running in the guest OS: write attempts, execution attempts
• Allow or deny each attempt – the decision is provided by the security logic

Page 17

WHAT IS HYPERVISOR MEMORY INTROSPECTION?

[Diagram: guest VM physical memory space. Regions shown: OS kernel code; critical kernel data (System Service Dispatch Table, Interrupt Descriptor Table, etc.); kernel driver code and data; user mode code; user mode stacks & heaps; other data.]

Extended Page Table (EPT) protected areas provide:
• detection of operations & events (e.g. module load, process start, paging structure change, etc.)
• detection of alteration attempts, ensuring protection of critical code & data
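To make the mechanism of slides 16 and 17 concrete, here is an added toy model in C. It is not Bitdefender's or Xen's code: a small array of pages stands in for guest-physical memory with EPT permission bits, an access the EPT forbids "exits" to a policy function that plays the introspection engine, and the verdicts are the three the deck describes: allow the access, emulate the instruction while discarding the written data (item 1 of the Bitdefender patches on slide 21, so the guest believes the write completed), or inject a fault. The region classes, the choice to put the SSDT in guest frame 1, the rule that only the kernel image may write critical kernel data, and the W⊕X rule for heaps are assumptions made for the illustration; the guest layout and accesses are constructed.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define NPAGES     8
#define GPA(gfn, off) (((uint64_t)(gfn) << PAGE_SHIFT) | (uint64_t)(off))

enum { EPT_R = 1, EPT_W = 2, EPT_X = 4 };          /* EPT permission bits */
enum kind { KERNEL_CODE, KERNEL_DATA, DRIVER, USER_CODE, USER_HEAP };
enum verdict { ALLOW, DENY_DISCARD, DENY_FAULT };

struct page {
    enum kind kind;             /* what the introspection engine knows this page holds */
    uint8_t   ept_perm;         /* what the EPT lets the guest do to it */
    uint8_t   mem[PAGE_SIZE];   /* guest-physical contents (toy: a plain host array) */
};

static struct page gpm[NPAGES]; /* guest-physical memory, indexed by gfn */
static unsigned n_violations, n_denied;

static struct page *page_of(uint64_t gpa) { return &gpm[(gpa >> PAGE_SHIFT) % NPAGES]; }
static uint8_t *byte_at(uint64_t gpa) { return &page_of(gpa)->mem[gpa & (PAGE_SIZE - 1)]; }

/* Security logic in the introspection domain. The hypervisor attaches the faulting
 * vCPU state (RIP) to the event, so the policy can tell the kernel image from a
 * loaded driver. Policy rules here are assumptions for the illustration. */
static enum verdict policy(const struct page *target, uint8_t access, uint64_t rip)
{
    enum kind actor = page_of(rip)->kind;
    if (access & EPT_X)                 /* W^X: stacks and heaps never execute */
        return target->kind == USER_HEAP ? DENY_FAULT : ALLOW;
    switch (target->kind) {             /* write attempts */
    case KERNEL_CODE: return DENY_DISCARD;                 /* kernel text is never patched */
    case USER_CODE:   return DENY_DISCARD;                 /* inline hooks / detours */
    case KERNEL_DATA: return actor == KERNEL_CODE ? ALLOW : DENY_DISCARD; /* SSDT, IDT */
    default:          return ALLOW;
    }
}

/* Guest write to gpa by an instruction at rip. If the EPT permits it, nothing
 * leaves the guest (no event, no cost). Otherwise the CPU exits, the engine decides,
 * and the hypervisor applies the write, emulates the instruction while dropping the
 * data, or injects a fault into the guest. */
static enum verdict guest_write(uint64_t gpa, uint8_t val, uint64_t rip)
{
    struct page *p = page_of(gpa);
    enum verdict v = ALLOW;
    if (!(p->ept_perm & EPT_W)) {
        n_violations++;
        v = policy(p, EPT_W, rip);
    }
    if (v == ALLOW) *byte_at(gpa) = val;
    else n_denied++;
    return v;
}

/* Guest instruction fetch from gpa; the jump/call that got there sits at rip. */
static enum verdict guest_exec(uint64_t gpa, uint64_t rip)
{
    struct page *p = page_of(gpa);
    if (p->ept_perm & EPT_X) return ALLOW;
    n_violations++;
    enum verdict v = policy(p, EPT_X, rip);
    if (v != ALLOW) n_denied++;
    return v;
}

static uint8_t  guest_read(uint64_t gpa) { return *byte_at(gpa); }
static unsigned violations(void) { return n_violations; }
static unsigned denied(void)     { return n_denied; }

/* Constructed guest layout: one frame per region class, with EPT permissions set so
 * that every protected access type traps (no W on code and critical data, no X on heap). */
static void setup_guest(void)
{
    static const struct { enum kind k; uint8_t perm; } layout[] = {
        { KERNEL_CODE, EPT_R | EPT_X }, { KERNEL_DATA, EPT_R }, { DRIVER, EPT_R | EPT_X },
        { USER_CODE,   EPT_R | EPT_X }, { USER_HEAP,   EPT_R | EPT_W },
    };
    memset(gpm, 0, sizeof gpm);
    n_violations = n_denied = 0;
    for (unsigned i = 0; i < sizeof layout / sizeof layout[0]; i++) {
        gpm[i].kind = layout[i].k;
        gpm[i].ept_perm = layout[i].perm;
    }
}

int main(void)
{
    setup_guest();
    guest_write(GPA(1, 0x10), 0xAA, GPA(0, 0x100)); /* kernel fills an SSDT slot: allowed */
    guest_write(GPA(1, 0x10), 0x55, GPA(2, 0x200)); /* driver hooks the same slot: discarded */
    guest_write(GPA(0, 0x40), 0x90, GPA(2, 0x200)); /* driver patches kernel text: discarded */
    guest_write(GPA(4, 0x00), 0xCC, GPA(3, 0x300)); /* browser writes its heap: no exit at all */
    guest_exec (GPA(4, 0x00), GPA(3, 0x300));       /* then jumps into it: W^X fault */
    printf("SSDT slot = 0x%02X, EPT violations = %u, denied = %u\n",
           guest_read(GPA(1, 0x10)), violations(), denied());
    return 0;
}
```

The point to notice is the heap write: it never leaves the guest, because the EPT allows it, which is why the deck can claim a low overhead while still catching the later execute attempt. The discarded SSDT write is the other important case: re-executing the faulting instruction would fault again and injecting an exception would crash the rootkit's host process or the kernel, so the hypervisor emulates the instruction and simply does not commit the data.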

Pages 18 to 19

MEMORY INTROSPECTION VIA XEN

[Diagram, two variants labelled "Implementation A" and "Implementation B": the Xen hypervisor hosting dom0, a Security domU and Guest VM 1 … Guest VM N. The Introspection Engine receives events from the guests and returns policy decisions. Isolation is hypervisor controlled and hardware enforced ("STRONG ISOLATION").]

Altp2m + vm_event extensions are part of Xen 4.6 (ongoing)
OpenXen/Citrix XenServer 4.6 (ongoing)

Page 20

HYPERVISOR MEMORY INTROSPECTION XEN EXTENSIONS
PATCHES SUBMITTED BY INTEL

1. Enable alternate EPT domains via the addition of the altp2m capability in Xen
2. HVM hypercalls to manage altp2m without conflicting with Xen memory management for other use cases
3. Both in-guest and out-of-guest agents can utilize altp2m capabilities
4. Enable VMFUNC for in-guest agents to switch altp2m views for various usages
5. Report guest-specific EPT memory access events via #VE
6. CPU acceleration is enabled automatically if VMFUNC and #VE are enumerated by the CPU, and emulated if not available

Page 21

HYPERVISOR MEMORY INTROSPECTION XEN EXTENSIONS
PATCHES SUBMITTED BY BITDEFENDER

1. Emulate an instruction and discard the written data, to prevent patching
2. Attach the guest state (vCPU registers) to the memory event sent
3. Generate VM exits for introspection-relevant Model-Specific Register (MSR) accesses by the guest OS
4. Disable REP prefix support in the emulator when introspecting
5. Deny Model-Specific Register & Control Register writes by the guest
6. Introspection-specific VMCALL support (hypercall), used when injecting an application into the guest
7. Support for memory content hiding (compatible with PatchGuard)
8. Various other clean-ups in the vm_event subsystem
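Slides 20 and 21 list the building blocks (altp2m alternate EPT views, VMFUNC view switching, #VE delivery of EPT events, memory content hiding compatible with PatchGuard) without showing how they fit together. The following is an added toy model in C, not Xen's or Bitdefender's code, of one well-known way to combine them: two p2m views for the same guest frame, a read-only view of the original kernel page and an execute-only view of a copy carrying a hook, with the violation handler switching views the way a #VE handler or an in-guest agent using VMFUNC would. Whether Bitdefender's patch implements content hiding exactly like this is an assumption; the 64-byte frames, the made-up prologue bytes and the VMCALL used as the hook are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NGFN   4                 /* guest frames in this toy */
#define NMFN   8                 /* host frames */
#define FRAME  64                /* bytes per frame (real hardware: 4096) */
enum { P_R = 1, P_W = 2, P_X = 4 };
enum { VIEW_READ = 0, VIEW_EXEC = 1, NVIEWS };

/* One altp2m view: an independent gfn->mfn mapping with its own permissions. */
struct p2m_view { uint8_t mfn[NGFN]; uint8_t perm[NGFN]; };

static struct p2m_view views[NVIEWS];
static uint8_t  host[NMFN][FRAME];
static unsigned active_view;     /* per-vCPU in reality; a single vCPU here */
static unsigned n_switches, n_blocked;

/* EPT lookup in the active view: hands back the host byte if the access is allowed.
 * On a violation, play the #VE handler: if the other view grants this access type
 * for the same gfn, switch to it (what an in-guest agent does with VMFUNC) and
 * retry once; otherwise the access is blocked and reported. */
static bool ept_access(unsigned gfn, unsigned off, uint8_t type, uint8_t **where)
{
    for (int attempt = 0; attempt < 2; attempt++) {
        struct p2m_view *v = &views[active_view];
        if (v->perm[gfn] & type) {
            *where = &host[v->mfn[gfn]][off];
            return true;
        }
        unsigned other = active_view ^ 1;            /* the only other view in this toy */
        if (attempt == 0 && (views[other].perm[gfn] & type)) {
            active_view = other;                     /* VMFUNC EPTP switch */
            n_switches++;
            continue;
        }
        break;
    }
    n_blocked++;
    return false;
}

static int guest_read(unsigned gfn, unsigned off)
{ uint8_t *b; return ept_access(gfn, off, P_R, &b) ? *b : -1; }

static int guest_fetch(unsigned gfn, unsigned off)
{ uint8_t *b; return ept_access(gfn, off, P_X, &b) ? *b : -1; }

static bool guest_write(unsigned gfn, unsigned off, uint8_t val)
{ uint8_t *b; if (!ept_access(gfn, off, P_W, &b)) return false; *b = val; return true; }

/* What an in-guest integrity checker (PatchGuard-style) computes over a page: it can
 * only read, so it is always served from the read view and sees the original bytes. */
static unsigned checksum_via_reads(unsigned gfn)
{ unsigned s = 0; for (unsigned i = 0; i < FRAME; i++) s += (unsigned)guest_read(gfn, i); return s; }

static unsigned checksum_host(unsigned mfn)
{ unsigned s = 0; for (unsigned i = 0; i < FRAME; i++) s += host[mfn][i]; return s; }

static unsigned switches(void) { return n_switches; }
static unsigned blocked(void)  { return n_blocked; }

/* Constructed scenario: gfn 1 holds kernel code beginning with a made-up prologue
 * 48 89 5C 24 08. The engine wants a VMCALL (0F 01 C1) there so the hypervisor gets
 * control whenever the function runs, yet PatchGuard must still read the original
 * bytes. gfn 0 is an ordinary page mapped identically (RWX) in both views; gfn 1 maps
 * to the original frame, read-only, in VIEW_READ and to a hooked copy, execute-only,
 * in VIEW_EXEC. Writes to gfn 1 are allowed in neither view. */
static void setup_hidden_hook(void)
{
    static const uint8_t prologue[] = { 0x48, 0x89, 0x5C, 0x24, 0x08 };
    static const uint8_t vmcall[]   = { 0x0F, 0x01, 0xC1 };
    memset(host, 0, sizeof host); memset(views, 0, sizeof views);
    n_switches = n_blocked = 0; active_view = VIEW_READ;
    memcpy(host[1], prologue, sizeof prologue);          /* original kernel page */
    memcpy(host[5], host[1], FRAME);                     /* hooked copy: identical ... */
    memcpy(host[5], vmcall, sizeof vmcall);              /* ... except for the hook bytes */
    for (unsigned v = 0; v < NVIEWS; v++) { views[v].mfn[0] = 0; views[v].perm[0] = P_R | P_W | P_X; }
    views[VIEW_READ].mfn[1] = 1; views[VIEW_READ].perm[1] = P_R;
    views[VIEW_EXEC].mfn[1] = 5; views[VIEW_EXEC].perm[1] = P_X;
}

int main(void)
{
    setup_hidden_hook();
    printf("fetch gfn1[0] = 0x%02X (hook)\n", guest_fetch(1, 0));
    printf("read  gfn1[0] = 0x%02X (original)\n", guest_read(1, 0));
    printf("checksum matches original: %s, view switches = %u\n",
           checksum_via_reads(1) == checksum_host(1) ? "yes" : "no", switches());
    return 0;
}
```

Two things the model makes visible: every transition between reading and executing the hooked page costs a view switch (on real hardware a #VE or VM exit plus VMFUNC), which is why the hidden pages must be few and chosen carefully; and writes to the hooked page are blocked in both views, because letting the guest modify either copy would desynchronise them.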

Page 22

SCENARIOS

MEMORY INTROSPECTION

Pages 23 to 25

MEMORY INTROSPECTION SCENARIOS

[Diagram, repeated across three slides: App 1 (Office), App 2 (Browser), Security solution, Security filter, OS kernel, Drivers and Advanced Malware, above a Hypervisor Introspection Engine. The isolation boundary is HVMI controlled and enforced by hardware. User applications are protected by user-mode introspection; the kernel and drivers are protected by kernel-mode introspection.]

Page 26

USER-MODE MEMORY INTROSPECTION

o Monitor user applications (such as web browsers, Microsoft* Office, Adobe* Reader, …) for:
  • detection of code injection
  • detection of function detouring
  • enforcement of a generic Write-XOR-eXecute (W⊕X) policy
  • specific events, e.g. detection of malicious code unpacking

o Injection of remediation tools into the guest at runtime, on-the-fly (no help from 'within' the guest needed)

Page 27

FIGHTING APTS WITH HVMI

1. Infection vector
• Spear phishing
• Drive-by downloads
• Trojans

2. Exploit
• CVE-2012-0158 → APT28
• CVE-2013-1347 → Energetic Bear
• CVE-2014-0497 → DarkHotel

3. User-app payload (covered by USER-MODE HVMI)
• Code injection → Energetic Bear, Epic Turla, Zeus, etc.
• API hooking → Dyreza, GameOver…

4. Kernel payload (covered by KERNEL-MODE HVMI)
• Stealthiness & persistence → kernel rootkits (Necurs, TDL), bootkits

5. Remote control of victim
• Espionage & data exfiltration
• Identity theft
• Sabotage

UM HVMI is strongly isolated (enforced by hardware) and provides generic detection mechanisms

Page 28

RECORDED DEMO

Page 29

TYPICAL QUESTIONS

o What is the performance cost of HVMI?
• Load-testing software (Login VSI) shows a performance impact of less than 2% on response time and latency.

o Will HVMI make my hypervisor less stable?
• Not at all. We are able to detect all memory instructions related to the hypervisor domain and do not interfere with these functions at all.

Page 30

WHAT'S NEXT?

MEMORY INTROSPECTION

Products will be released in H1 2016:

• Hypervisor protection for Xen Project, Citrix XenServer and KVM

• Solution for physical computers (all operating systems). It will be delivered as a new type of hypervisor, in which we only virtualize the CPU and the memory.

Page 31

THANK YOU!