Lares: An Architecture for Secure Active Monitoring Using Virtualization

IEEE Security & Privacy, 2008. Host-based security tools such as anti-virus and intrusion detection systems are not adequately protected on today’s computers. Malware is often designed to immediately disable any security tools upon installation, rendering them useless. While current research has focused on moving these vulnerable security tools into an isolated virtual machine, this approach cripples security tools by preventing them from doing active monitoring. This paper describes an architecture that takes a hybrid approach, giving security tools the ability to do active monitoring while still benefiting from the increased security of an isolated virtual machine. We discuss the architecture and a prototype implementation that can process hooks from a virtual machine running Windows XP on Xen. We conclude with a security analysis and show the performance of a single hook to be 28 µsecs in the best case. http://dl.acm.org/citation.cfm?id=1398072

Bryan Payne

May 19, 2008
Transcript

  1. Lares: An Architecture for Secure Active Monitoring Using Virtualization
     Bryan D. Payne, Martim Carbone, Monirul Sharif, Wenke Lee
     School of Computer Science, Georgia Institute of Technology
  2. Lares: An Architecture for Secure Active Monitoring Using Virtualization, Oakland 2008
  3. [Diagram: a traditional host. User mode: Word Processor, Web Browser, Email Client, Music Player, Chat / IM Client, Anti-Virus, Calendar, PDF Viewer, Spreadsheet. Kernel mode: Printer Drivers, Display Drivers, Operating System Kernel, Anti-Virus Hooks.]
  4. [Diagram: the same host, with the Anti-Virus application and its kernel-level Anti-Virus Hooks highlighted.]
  5. [Diagram: the same host, now with Malware running in the kernel next to the Anti-Virus Hooks.]
  6. [Diagram: the host becomes a Guest VM on a Hypervisor / Virtual Machine Monitor, with a separate Security VM alongside it; the Anti-Virus, its hooks and the Malware all still live in the guest.]
  7. [Diagram: build of slide 6, same labels.]
  8. [Diagram: build of slide 6, same labels.]
  9. Problem Statement: How can we deploy hooks with the security of external monitoring?
  10. Outline: Introduction to the Problem, Security Requirements, Lares Architecture, Implementation Details, Evaluation, Conclusions
  11. Active Monitoring Attacks
     • Bypass Hook (A1)
     • Modify event context (A2)
     • Tamper with security application (A3)
     • Tamper with dependencies (A4)
     • Tamper with response (A5)
     [Diagram: kernel or process execution flow. An event occurs, the Hook sends a Notification to the Security Application (which relies on libraries, the OS and other dependencies), the application returns a Resume/response, and event handling finishes. A1 is placed at the hook, A2 on the notification, A3 on the security application, A4 on its dependencies, A5 on the response.]
  12. Active Monitoring Attacks (continued): same list and diagram as slide 11, with a callout "Prevented by virtualization protections".
  13. Security Assumptions and Threat Model
     • We can boot the machine into a known good state (secure boot)
     • We can initialize the protection mechanism before opening the system to attack
     • The guest VM can be attacked in any way, including kernel-level rootkits
     • The security VM and hypervisor are secure
  14. Outline (section marker; same list as slide 10)
  15. Lares Architecture
     • Hypervisor provides protection and inter-VM comms
     • Memory protection used for hooks and trampoline; security relies on the hypervisor being trusted
     [Diagram: Hardware (CPU + virtualization extensions) at the bottom; above it the Hypervisor with a Memory Protector; above that the Guest VM (Hooks, Trampoline, User Processes ...) and the Security VM (Security Driver, Introspection API, Security Application).]
  16. Lares Architecture
     • Guest VM is where the user does regular work
     • Protected hooks transfer execution to the trampoline
     • Trampoline transfers execution to the Security VM, using an inter-VM communication channel
     [Diagram: same architecture figure as slide 15.]
  17. Lares Architecture
     • Security VM is where the security application runs
     • Receives event notifications from the trampoline through the inter-VM communication channel
     • Uses introspection to enrich context information
     [Diagram: same architecture figure as slide 15.]
  18. Challenges
     • Protecting hooks / trampoline from attack
       - Hooks in a fixed location is hard
       - Flexible hook placement is even harder
     • Acceptable performance impact for production-level systems
       - Comparable to current state-of-the-art
  19. Outline (section marker; same list as slide 10)
  20. Guest Initialization
  21. Guest Initialization [Diagram: Hardware (CPU + virtualization extensions), Hypervisor, Guest VM, Security VM.]
  22. Guest Initialization [Diagram: same as slide 21.]
  23. Guest Initialization [Diagram: a Driver Loader appears in user mode of the Guest VM.]
  24. Guest Initialization [Diagram: Driver Loader in user mode, Driver in kernel mode of the Guest VM.]
  25. Guest Initialization [Diagram: the Driver resident in the guest kernel.]
  26. Guest Initialization [Diagram: Driver and Trampoline in the guest kernel.]
  27. Guest Initialization [Diagram: same as slide 26.]
  28. Guest Initialization [Diagram: same as slide 26.]
  29. Guest Initialization [Diagram: Driver and Trampoline in the guest kernel; a VMCALL goes down to the Hypervisor.]
  30. Security VM Details
  31. Security VM Details [Diagram: Hardware (CPU + virtualization extensions), Hypervisor, Guest VM, Security VM.]
  32. Security VM Details [Diagram: same as slide 31.]
  33. Security VM Details [Diagram of the Security VM: in kernel mode, the Security Driver receives a virtual IRQ via an event channel and issues hypercalls; it holds a Memory Map of the Guest VM for introspection. In user mode, the Security Application is notified by signal and talks to the driver via ioctl.]
  34. Memory Protections
     • Xen marks the associated memory pages as read-only, forcing a trap to Xen on write
     [Flowchart: during PTE propagation from the guest page table (virtual) to the shadow page table (physical), the hypervisor consults the Memory Protection Policy supplied by the Security VM: is the page frame (PF) listed as protected? YES: mark the PTE read-only. NO: propagate it unchanged to the virtual machine.]
  35. Memory Protections: technique for byte-level memory protection
     [Flowchart: page fault due to failed write → is the write targeted at a protected region? NO: emulate the write. YES: propagate the exception to the guest.]
  36. Protecting Hook and Trampoline Code
     • Protect critical kernel data structures that are rooted in hardware (e.g., IDT and SSDT)
     • Protect the hook itself
     • Protect the trampoline memory
     • Disable interrupts while executing the trampoline
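The two memory-protection flowcharts (slides 34 and 35) and the protection targets on slide 36 describe one decision procedure: map a guest page read-only in the shadow page table if any protected byte lives on it, then, on a write fault to such a page, emulate writes that miss every protected range and propagate the fault to the guest when the write hits one. The C program below is an added illustration written for this page, not Lares or Xen code: the policy entries, their addresses, the simulated page and the sample writes are all constructed values, and the hypervisor's real page-table and instruction-emulation machinery is replaced by a plain memcpy into a buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 12u
#define PAGE_SIZE  (1u << PAGE_SHIFT)

/* One entry of the memory protection policy the Security VM hands the
   hypervisor: a byte range in the guest that must never be written. */
struct protected_region {
    const char *name;
    uint32_t    start;   /* guest virtual address (constructed sample value) */
    uint32_t    len;     /* bytes */
};

enum fault_action { EMULATE_WRITE, PROPAGATE_TO_GUEST };

/* Constructed policy modelled on slide 36: a hardware-rooted table (IDT),
   the hooked SSDT slot, and the trampoline code. Addresses are made up. */
static const struct protected_region policy[] = {
    { "IDT",              0x8003F400u, 256 * 8 },
    { "SSDT slot (hook)", 0x80501240u, 4 },
    { "trampoline code",  0xF8A20000u, 64 },
};
#define NPOLICY (sizeof policy / sizeof policy[0])

/* Half-open intervals [start, start+len). */
static bool overlaps(uint32_t a, uint32_t alen, uint32_t b, uint32_t blen) {
    return a < b + blen && b < a + alen;
}

/* Slide 34: at PTE propagation into the shadow page table, decide whether the
   guest page must be mapped read-only. A single protected byte on the page is
   enough, because the MMU can only protect whole pages. */
bool page_is_protected(uint32_t page_va) {
    uint32_t page_start = page_va & ~(PAGE_SIZE - 1u);
    for (size_t i = 0; i < NPOLICY; i++)
        if (overlaps(page_start, PAGE_SIZE, policy[i].start, policy[i].len))
            return true;
    return false;
}

/* Slide 35: a write trapped on a read-only page. Returns the action and, when
   the write is blocked, the name of the protected region it touched. */
enum fault_action classify_write_fault(uint32_t addr, uint32_t len, const char **hit) {
    for (size_t i = 0; i < NPOLICY; i++) {
        if (overlaps(addr, len, policy[i].start, policy[i].len)) {
            if (hit) *hit = policy[i].name;
            return PROPAGATE_TO_GUEST;   /* touches protected bytes: inject the fault */
        }
    }
    if (hit) *hit = NULL;
    return EMULATE_WRITE;                /* shares the page only: perform it for the guest */
}

/* Simulated copy of one guest page (constructed address). */
#define SIM_PAGE_VA 0x80501000u
static uint8_t sim_page[PAGE_SIZE];

/* Fault handler for writes landing on the simulated page. Returns true when
   the write was emulated, false when the fault was propagated. */
bool handle_write_fault(uint32_t addr, const void *src, uint32_t len) {
    const char *hit;
    if (addr < SIM_PAGE_VA || addr + len > SIM_PAGE_VA + PAGE_SIZE)
        return false;                    /* outside the simulated page: treat as blocked */
    if (classify_write_fault(addr, len, &hit) == PROPAGATE_TO_GUEST) {
        printf("blocked  write of %u bytes at 0x%08x (hits %s)\n", len, addr, hit);
        return false;
    }
    memcpy(sim_page + (addr - SIM_PAGE_VA), src, len);
    printf("emulated write of %u bytes at 0x%08x\n", len, addr);
    return true;
}

uint8_t sim_page_byte(uint32_t addr) { return sim_page[addr - SIM_PAGE_VA]; }

int main(void) {
    printf("page 0x80501000 read-only: %s\n", page_is_protected(0x80501000u) ? "yes" : "no");
    printf("page 0x80502000 read-only: %s\n", page_is_protected(0x80502000u) ? "yes" : "no");
    handle_write_fault(0x80501300u, "ABCD", 4);    /* unprotected bytes, protected page */
    handle_write_fault(0x80501240u, "ABCD", 4);    /* the hooked SSDT slot itself */
    handle_write_fault(0x8050123Eu, "ABCD", 4);    /* straddles the slot boundary */
    return 0;
}
```

The byte-level check is what keeps the page-granular protection usable: the SSDT slot shares its page with hundreds of other entries the kernel legitimately updates, so those writes are emulated rather than faulted, while a write that overlaps even one protected byte is pushed back into the guest as an exception.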
  37. Example Application
     • Goal: Mediate process creation
     • Hook: NtCreateSection
     • Security Application Decision:
       - Hook arguments include file handle
       - Handle lookup using introspection
       - File checked before allowing execution
     [Diagram: PsInitialSystemProcess → list of EPROCESS structures → HandleTable → handle tables L1, L2, L3 (selected via TableCode) → Object Header → Object Body.]
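The handle lookup on slide 37 is an introspection walk over guest memory: EPROCESS → handle table → TableCode → one to three table levels → handle entry → object header → object body. The following C program is an added example written for this page, not Lares's introspection code: it builds a constructed guest memory image with a two-level handle table in a toy 32-bit layout (field offsets, type tags and the path-string body are assumptions, not Windows' real structures), walks it the way the Security VM would, and then makes the allow/deny decision for the hooked call from a constructed allow list, failing closed whenever the walk cannot reach a file object.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated guest memory image. Here a guest virtual address is simply an
   offset into gmem (assumption; a real introspection API must translate guest
   virtual addresses through the guest's page tables first). */
static uint8_t gmem[64 * 1024];
static int image_built;

static uint32_t r32(uint32_t a) {
    uint32_t v = 0;                          /* reads outside the image yield 0 */
    if (a <= sizeof gmem - 4u) memcpy(&v, gmem + a, 4);
    return v;
}
static void w32(uint32_t a, uint32_t v) { memcpy(gmem + a, &v, 4); }

/* Toy layout following the slide's chain; offsets are assumptions. */
#define EPROCESS_OBJECTTABLE 0x0C4u   /* EPROCESS -> handle table pointer         */
#define HT_TABLECODE         0x000u   /* TableCode: table pointer | level count   */
#define ENTRY_SIZE           8u       /* {object pointer | flags, granted access} */
#define ENTRIES_PER_L0       512u     /* one 4 KiB page of 8-byte entries         */
#define OBJ_HEADER_TYPETAG   0x008u   /* toy type tag in the object header        */
#define OBJ_BODY_OFFSET      0x018u   /* object body follows the header           */
#define TYPE_FILE            0xF11E0001u
#define TYPE_EVENT           0xE7E70002u

/* Constructed addresses of the structures placed in the image. */
#define EPROCESS_VA 0x1000u
#define HT_VA       0x2000u
#define L1_VA       0x3000u   /* level-1 table: pointers to level-0 tables */
#define L0A_VA      0x4000u   /* covers handles 0x000 .. 0x7FC */
#define L0B_VA      0x5000u   /* covers handles 0x800 .. 0xFFC */
#define OBJ_NOTEPAD 0x6000u
#define OBJ_UNKNOWN 0x6100u
#define OBJ_EVENT   0x6200u

static void put_object(uint32_t hdr, uint32_t type, const char *body) {
    w32(hdr + OBJ_HEADER_TYPETAG, type);
    strcpy((char *)gmem + hdr + OBJ_BODY_OFFSET, body);   /* toy body: a path */
}
static void put_entry(uint32_t table, uint32_t slot, uint32_t obj, uint32_t access) {
    w32(table + slot * ENTRY_SIZE,      obj | 1u);   /* low bits carry entry flags */
    w32(table + slot * ENTRY_SIZE + 4u, access);
}

/* Populate a two-level handle table (TableCode low bits = 1: one indirection). */
void build_guest_image(void) {
    memset(gmem, 0, sizeof gmem);
    w32(EPROCESS_VA + EPROCESS_OBJECTTABLE, HT_VA);
    w32(HT_VA + HT_TABLECODE, L1_VA | 1u);
    w32(L1_VA + 0u, L0A_VA);
    w32(L1_VA + 4u, L0B_VA);
    put_object(OBJ_NOTEPAD, TYPE_FILE,  "\\Windows\\notepad.exe");
    put_object(OBJ_UNKNOWN, TYPE_FILE,  "\\Temp\\unknown.exe");
    put_object(OBJ_EVENT,   TYPE_EVENT, "");
    put_entry(L0A_VA, 1u, OBJ_NOTEPAD, 0x120089u);   /* handle 0x004 */
    put_entry(L0A_VA, 2u, OBJ_EVENT,   0x1F0003u);   /* handle 0x008 */
    put_entry(L0B_VA, 3u, OBJ_UNKNOWN, 0x120089u);   /* handle 0x80C */
    image_built = 1;
}

/* Introspection walk: EPROCESS -> HandleTable -> TableCode -> (L2) -> (L1)
   -> L0 entry -> object header. Returns the header address, 0 if invalid. */
uint32_t lookup_handle(uint32_t eprocess, uint32_t handle) {
    if (!image_built) build_guest_image();
    uint32_t code  = r32(r32(eprocess + EPROCESS_OBJECTTABLE) + HT_TABLECODE);
    uint32_t level = code & 3u, table = code & ~3u;
    uint32_t index = handle >> 2;                    /* handles are multiples of 4 */
    if (level >= 2u) {                               /* L2 holds pointers to L1 tables */
        uint32_t span = ENTRIES_PER_L0 * 512u;       /* entries under one L1 table */
        table = r32(table + (index / span) * 4u);
        index %= span;
        if (table == 0u) return 0u;
    }
    if (level >= 1u) {                               /* L1 holds pointers to L0 tables */
        table = r32(table + (index / ENTRIES_PER_L0) * 4u);
        index %= ENTRIES_PER_L0;
    }
    if (table == 0u) return 0u;
    uint32_t entry = r32(table + index * ENTRY_SIZE);
    return entry ? (entry & ~7u) : 0u;               /* strip flag bits; 0 = free slot */
}

/* Decision for the NtCreateSection hook: allow only when the handle names a
   file object whose path is on the constructed allow list; deny otherwise. */
static const char *allowed_images[] = { "\\Windows\\notepad.exe",
                                        "\\Windows\\System32\\calc.exe" };

int decide_create_section(uint32_t eprocess, uint32_t file_handle) {
    uint32_t hdr = lookup_handle(eprocess, file_handle);
    if (hdr == 0u || r32(hdr + OBJ_HEADER_TYPETAG) != TYPE_FILE) return 0;
    const char *path = (const char *)gmem + hdr + OBJ_BODY_OFFSET;
    for (size_t i = 0; i < sizeof allowed_images / sizeof allowed_images[0]; i++)
        if (strcmp(path, allowed_images[i]) == 0) return 1;
    return 0;
}

int main(void) {
    uint32_t handles[] = { 0x004u, 0x80Cu, 0x008u, 0x00Cu };
    for (size_t i = 0; i < 4; i++)
        printf("NtCreateSection(handle 0x%03x): %s\n", handles[i],
               decide_create_section(EPROCESS_VA, handles[i]) ? "allow" : "deny");
    return 0;
}
```

Handle 0x80C exercises the second level (index 515 selects the second level-0 table, slot 3); 0x008 resolves to a non-file object and 0x00C to a free slot, and both are denied, which is the behaviour the Security VM wants when the guest kernel is untrusted and the structures it reads may have been tampered with.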
  38. Outline (section marker; same list as slide 10)
  39. Performance Comparison (all times are in micro-seconds)
     [Bar chart: Traditional Hook versus Lares Hook, axis from 0 to 40 µs.]
  40. Security Analysis
     • Bypass Hook (A1)
     • Modify event context (A2)
     • Tamper with security application (A3)
     • Tamper with dependencies (A4)
     • Tamper with response (A5)
  41. "Bypass Hook" Attacks
     • A1.5 and A1.6 are protected via memory protections
     • A1.2 and A1.4 are also protected via memory protections
     • A1.3 would require the attacker to relocate all of the kernel's memory, which is difficult to do without detection
     • A1.1 is protected on AMD; on Intel it requires monitoring IDTR
     [Diagram of the hook path: IDTR → IDT → Syscall dispatcher → SSDT hook → Trampoline → To Security VM, resting on GDTR + GDT + Paging structures; the sub-attacks A1.1 through A1.6 are marked at points along this path.]
  42. Security Analysis (same list as slide 40)
  43. Security Analysis (same list as slide 40), with a callout "Prevented by disabling interrupts".
  44. Outline (section marker; same list as slide 10)
  45. [Diagram: Traditional Architecture versus Lares Architecture. Traditional: Security Application (user) and Security Driver (kernel) in the same OS. Lares: Guest VM with the Trampoline in its kernel; Hypervisor; Security VM with the Security Application (user) and Security Driver (kernel).]
  46. Questions?