PPT - CrySyS Lab

Download Report

Transcript PPT - CrySyS Lab

EUROSEC 2011 Gábor Pék , Boldizsár Bencsáth and Levente Buttyán Laboratory of Cryptography and Systems Security Budapest University of Technology and Economics

nEther: IN-GUEST DETECTION OF OUT-OF-THE-GUEST MALWARE ANALYSERS

Short Summary

We successfully achieved  In-guest detection of an out-of-the-guest malware analysis framework (Ether)  In-guest timing attack  Detection based on CPUID information  Detecting hardware assisted virtualization (can be a bit of information for analysis )  Detection based on errata in Intel CPUs Gábor Pék, CrySyS Lab.

4/30/2020 2

Goals in Malware Analysis

 Analyser : dissecting and figuring out the operations of the analysed program  Author of the malware: thwarting the analysis of the code and hiding its real intents, operations, execution Gábor Pék, CrySyS Lab.

4/30/2020 3

What is Malware Analysis?

   Analysing malware   Static (entire program, thwarting disassemblers) Dynamic (one control path)  we focus on this Two types of dynamic analysis: Native and Virtualization based Main tricks of detecting dynamic analyzers  Timing information  Special data structures, e.g., PEB  Single-step debugging (trap flag)  Exception handling Gábor Pék, CrySyS Lab.

4/30/2020 4

HW Assisted Virtualization

     New and higher CPU privilege level (Ring -1) Native instruction execution Intel VT    VMX root mode for VMM/Hypervisor VMX non-root mode for guest OS VMX transitions: VM Exit / VM Entry Rich feature set and control of operation Xen, KVM Gábor Pék, CrySyS Lab.

4/30/2020 5

Ether – Malware analysis via HW Virtualization Extensions

 Transparent, out-of-the-guest malware analysis platform based on Xen and Intel VT  Transparency of Ether: the malware cannot detect Ether  Transparency requirements as of the Ether paper:  Higher privilege of analyser environment     No non-privileged side effects Same instruction execution semantics X Identical exception handling Identical notion of time X Gábor Pék, CrySyS Lab.

4/30/2020 6

Advantages of Ether and challenges to detect it

   No in-guest memory presence Hide of changes made on CPU registers    Memory protection: modifies only shadow page tables Privileged instruction handling No instruction emulation Controlling timing (e.g., RDTSC instruction) Gábor Pék, CrySyS Lab.

4/30/2020 7

Contributions

 Design and implementation of an application framework to detect Ether based on multiple

feature tests

 Feature tests for Ether and Intel VT  A practical in-guest timing attack against Ether  Detecting Ether via CPUID information  Detection of HW assisted virtualization utilizing CPU errata Gábor Pék, CrySyS Lab.

4/30/2020 8

System Overview

4/30/2020 Gábor Pék, CrySyS Lab.

9

Various uses of RDTSC

 Different behaviour of sensitive instructions (e.g., RDTSC) in VMX non-root mode Normal operation Operation of Ether Guest OS Guest OS … Guest OS 4/30/2020 rdtsc TSC CPU rdtsc faketime ( FT ) rdtsc FT + Y VM Exit VM Entry Virtual CPU Gábor Pék, CrySyS Lab.

… Virtual CPU 10

Facts about Ether

  Alleged operation : FT = TSC, Y = TSC_OFFSET  but TSC_OFFSET is disabled Real operation : Monotonic increase of FT for every RDTSC call ( Y =1)  There can be external RDTSC calls during an analysis  The TSC difference between two RDTSCs of the analysed program = # of RDTSCs of the Guest during analysis (~9-171) Gábor Pék, CrySyS Lab.

4/30/2020 11

Practical implementation of in-guest timing attack

 Call an RDTSC and store it  Create a loop of non-sensitive instructions (e.g., nop )  Call an RDTSC and compare it with the stored value (

diff

)

if ( diff < length of the loop) Ether is present else Ether is not present

Gábor Pék, CrySyS Lab.

4/30/2020 12

CPUID information

   CPUID instruction: processor identifcation and feature information Allegedly: Ether has no in-memory presence  Reality: The TSC bit returned by CPUID is unset under Ether Other bits of information  PAE and PSE are disabled Gábor Pék, CrySyS Lab.

4/30/2020 13

CPU Errata

 Design deficiencies of CPUs  Some of them are unpredictable  Cause unexpected system behaviour  Several have ”No Fix ” status  Xen creates virtualized CPUs for privileged instructions   We have an erratum using MSRs (AH4) The access of MSRs are privileged  VM exit  Errata are not emulated by virtual CPUs  Bingo , we have a new feature test Gábor Pék, CrySyS Lab.

4/30/2020 14

Detecting Intel VT

Erratum AH4

# of tests

100 1000 10000 100000

Native

59 650 4232 20870

Number of updates

Xen Xen + Ether

0 0 0 0 0 0 0 0 Gábor Pék, CrySyS Lab.

4/30/2020 15

Future Work

  Fundamentality of these problems Updating the theoretical model and practical implementation of Ether  Finding more feature tests against other out of-the-guest approaches (e.g., Azure)  Proving that perfect transparency has practical limitations Gábor Pék, CrySyS Lab.

4/30/2020 16

Thanks for Your Attention!

Questions

?

[email protected]

[email protected]

[email protected]

CrySyS Lab. http://www.crysys.hu

Budapest University of Technology and Economics Gábor Pék, CrySyS Lab.

4/30/2020 17