New Methods for Detecting Malware Infections and New Attacks against Hardware Virtualization

In my dissertation, I address problems in two domains: (i) detection of unknown malware and (ii) finding new attacks against hardware virtualization. Accordingly, the dissertation is divided into two parts. In the first part, I propose Membrane, a memory forensics tool to detect code injection attacks. Instead of trying to detect the code injection event itself, I focus on the changes it causes in the paging behavior of the Windows operating system. Because my method targets the anomalies that code injection causes in paging events, it can detect a wide range of code injection techniques. My results indicate that on Windows XP we can detect malware behavior with 91-98% success. On Windows 7, a good detection rate is maintained except for malware injecting into explorer.exe, where the detection success decreases to 75-86%. My approach can detect stealthy malware attacks, even advanced targeted attacks that use code injection. Still in the first part, I propose a new system monitoring framework that can serve as an enabler for automated malware detection on live systems. My approach takes advantage of the increasing availability of hardware-assisted virtualization in modern CPUs; its basic novelty is launching a hypervisor layer on the live system without stopping and restarting it. This hypervisor runs at a higher privilege level than the OS itself and can therefore observe the behavior of the analyzed system transparently. For this purpose, I also propose a novel system call tracing method designed to be configurable in terms of transparency and granularity. In the second part of the dissertation, I shed light on VM-related threats and defences by implementing, testing, and categorizing a wide range of known and unknown attacks based on directly assigned devices. I executed these attacks on an exhaustive set of VMM configurations to determine their potential impact.
My experiments suggest that most of the previously known attacks are ineffective in current VMM setups. I also developed an automatic tool, called PTFuzz, to discover hardware-level problems that affect current VMMs. Using PTFuzz, I found several cases of unexpected hardware behaviour and a major vulnerability on Intel platforms that potentially impacts a large set of machines used in the wild. These vulnerabilities affect unprivileged virtual machines that use a directly assigned device (e.g., a network card) and have all existing hardware protection mechanisms enabled. They allow an attacker to generate either host-side interrupts or hardware faults, violating the expected isolation properties. These can halt host software (e.g., the VMM) and might open the door to practical VMM exploitation. I believe that my study can help cloud providers and researchers better understand the limitations of their current architectures for providing secure hardware virtualization, and prepare for future attacks. At the same time, security practitioners make heavy use of various virtualization techniques to create sandboxing environments that provide a certain level of isolation between the host and the code being analysed. However, most of these are easy to detect and evade. The introduction of hardware-assisted virtualization (Intel VT and AMD-V) made it possible to build novel, out-of-the-guest malware analysis platforms. These allow a high level of transparency by residing completely outside the guest operating system being examined, so conventional in-memory detection scans are ineffective. Furthermore, such analyzers resolve the shortcomings that stem from inaccurate system emulation, in-guest timings, privileged operations, and so on. Finally, I introduce novel approaches that make the detection of hardware assisted virtualization plat-
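The Membrane idea summarized above, detecting injection through the shift it leaves in a process's paging statistics rather than through the injection call itself, can be illustrated with a small anomaly scorer. The following is an added example written for this page; it is not Membrane's code and the dissertation's actual feature set is not reproduced here. The event kinds (`demand_zero`, `pagefile_in`, `copy_on_write`, `prototype_pte`), the per-process traces and the z-score threshold are all constructed assumptions: a baseline is built from several clean runs of the same process, and a new run is flagged when any paging-event count deviates from that baseline by more than a fixed number of standard deviations.

```python
"""Toy paging-behaviour anomaly scorer (assumed simplification of the
Membrane approach; example code, not the dissertation's implementation)."""
from collections import Counter
from statistics import mean, pstdev

# Hypothetical paging-event kinds. These are placeholders for whatever
# page-table state transitions a real forensic tool would count.
FEATURES = ("demand_zero", "pagefile_in", "copy_on_write", "prototype_pte")


def feature_vector(events, process):
    """Count paging events of each kind that were attributed to `process`."""
    counts = Counter(kind for proc, kind in events if proc == process)
    return {f: counts.get(f, 0) for f in FEATURES}


def build_baseline(clean_vectors):
    """Per-feature (mean, population std-dev) learned from clean runs."""
    baseline = {}
    for f in FEATURES:
        values = [v[f] for v in clean_vectors]
        baseline[f] = (mean(values), pstdev(values))
    return baseline


def score(vector, baseline, floor=1.0):
    """Return (worst_feature, z) where z is the largest absolute z-score.

    `floor` bounds the standard deviation from below so that a feature
    that barely varies in the baseline does not explode the score.
    """
    zs = {}
    for f, (mu, sigma) in baseline.items():
        zs[f] = abs(vector[f] - mu) / max(sigma, floor)
    worst = max(zs, key=zs.get)
    return worst, zs[worst]


def is_anomalous(vector, baseline, threshold=3.0):
    """Flag the run if any feature deviates by >= `threshold` std-devs."""
    _, z = score(vector, baseline)
    return z >= threshold


def make_trace(process, **counts):
    """Build a constructed trace: a flat list of (process, event_kind)."""
    return [(process, kind) for kind, n in counts.items() for _ in range(n)]


# Constructed clean runs of explorer.exe (values are invented sample data).
CLEAN_RUNS = [
    make_trace("explorer.exe", demand_zero=40, pagefile_in=10, copy_on_write=5, prototype_pte=20),
    make_trace("explorer.exe", demand_zero=44, pagefile_in=9, copy_on_write=6, prototype_pte=22),
    make_trace("explorer.exe", demand_zero=38, pagefile_in=12, copy_on_write=4, prototype_pte=19),
    make_trace("explorer.exe", demand_zero=42, pagefile_in=11, copy_on_write=5, prototype_pte=21),
]

# Constructed "infected" run: a burst of fresh private pages in the target,
# the kind of shift an injection into explorer.exe could leave behind.
INJECTED_RUN = make_trace(
    "explorer.exe", demand_zero=120, pagefile_in=10, copy_on_write=30, prototype_pte=20
)


def demo():
    """Score one clean run and the constructed infected run against the baseline."""
    baseline = build_baseline([feature_vector(t, "explorer.exe") for t in CLEAN_RUNS])
    clean_vec = feature_vector(CLEAN_RUNS[0], "explorer.exe")
    bad_vec = feature_vector(INJECTED_RUN, "explorer.exe")
    return is_anomalous(clean_vec, baseline), is_anomalous(bad_vec, baseline)


if __name__ == "__main__":
    print(demo())  # (False, True)
```

The point the example makes is the one the abstract relies on: nothing in the scorer knows which API performed the injection, so any technique that leaves the same footprint in the paging counters is caught. The flip side, also visible in the abstract's Windows 7 numbers, is that a process with naturally noisy paging behaviour (explorer.exe being the obvious case) widens the baseline and pushes the detection rate down.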
