
VM Introspection for Cognitive Immunity (VICI)


Presentation Transcript


  1. VM Introspection for Cognitive Immunity (VICI)
     Komoku, Inc.
     Tim Fraser, tfraser@komoku.com
     June 2007 SRS2 PI Meeting

  2. VICI = VMI + repair + learning
     [Diagram: rootkit attacks against a VM running mission apps; diagnostic information and repairs flow between the VM and VICI.]
     Problem: Adversaries install kernel rootkits to hide, facilitate access, spy for days, weeks, months... Difficult to detect. Difficult to remove.
     Proposed Solution: VM Introspection for self-diagnosis. Automated repair for self-healing. Learning to optimize repair selection = “cognitive immunity”.
     VICI – Tim Fraser <tfraser@komoku.com> – Komoku, Inc.

  3. VICI prototype testbed
     [Diagram: REPAIR AGENT, KERNEL, KME and XEN, with a knowledge base and a LEARNING ENGINE; components split between the user VM and the privileged “Domain0” VM.
      1. VM introspection reports problems (EXISTS NOW)
      2. Nooks, Microreboot, ReVirt repair problems (EXISTS NOW)
      3. VM introspection evaluates repair effectiveness (TODO)
      4. refinements (TODO)]

  4. Project timeline
     [Timeline: Q1 to Q6, marked Jun 07, Dec 07 and Jun 08.]
     Current status: Phase 1 prototype complete!
     • Phase 1 prototype: diagnostics and repairs
     • Phase 2 prototype: adds learning for cognitive immunity
     • Phase 3 (final) prototype: adds coverage for Red Team exercises

  5. Summary of Phase 1 Results
     • Demonstrated useful self-diagnosis:
       • Prototype detects 6 kinds of kernel rootkit tampering.
     • Demonstrated useful self-healing:
       • Prototype repairs above 6 attacks.
         • 5 “surgical” repairs
         • 1 more complex Nooks-style repair
     • Alternate “Core War” approach to repair may prove to be equally effective at lower cost.

  6. Demo: diagnostics and surgical repair
     [Diagram: REPAIR AGENT, KERNEL, KME, XEN and knowledge base as in slide 3; labels rootsim, On User VM, On privileged “Domain0” VM.
      1. VM introspection reports problems (EXISTS NOW)
      2. “Surgical repairs” by writing RAM, registers]

  7. Attack: text modification

         int cap_capable (struct task_struct *tsk, int cap)
         {
             if (tsk->cap_effective & CAP_TO_MASK(cap))
                 return 0;
             return -EPERM;
         }

     Original check: you need this AND that to pass. Tampered check: you need this OR that to pass (always passes).

         ------------- G O O D ---------------        -------------- B A D ----------------
         cap_capable() text:                          cap_capable() text:
         89 d1            mov %edx,%ecx               89 d1            mov %edx,%ecx
         ba 01 00 00 00   mov $0x1,%edx               ba 01 00 00 00   mov $0x1,%edx
         d3 e2            shl %cl,%edx                d3 e2            shl %cl,%edx
         23 90 74 01 00   and 0x174(%eax),%edx      | 0b 90 74 01 00   or 0x174(%eax),%edx

  8. Text diagnostic and repair
     [Diagram: Domain 0 runs the VICI Agent; the Guest Domain runs the victim kernel (text, static data, dynamic data) on virtual hardware (registers); both sit on XEN.]
     1. Agent reads text in 4KB blocks.
     2. Agent computes MD5 checksums, compares to proper values.
     3. Agent writes back good text.

  9. Attack: system call interposition
     [Diagram: idt register -> Interrupt Descriptor Table -> 0x80 handler function -> System Call Table -> Rootkit function -> Kernel function.]
     • Code taken from “override” rootkit.
     • Hides files.
     • Interposes on getdents64 system call.
     • Override getdents64:
       • Calls real getdents64,
       • Removes files named “Root_*”.

  10. Attack: procfs jump table interposition
     [Diagram: System Call Table -> Kernel read function -> Procfs jump table -> Rootkit function -> Procfs function.]
     • Code taken from “Adore-ng”.
     • Hides processes.
     • Interposes on procfs readdir function.
     • Adore-ng readdir:
       • Calls real readdir,
       • Removes processes with euid != 0.
       • (The real Adore-ng has different removal criteria.)

  11. Table diagnostic and repair
     [Diagram: as in slide 8, with static data (tables) highlighted.]
     1. Agent reads tables.
     2. Agent computes MD5 checksums, compares to proper values.
     3. Agent writes back good table values.

  12. Attack: idt register redirection
     [Diagram: idt register -> Rootkit Interrupt Descriptor Table -> Rootkit 0x80 handler -> Kernel 0x80 handler -> System call table; the original Interrupt Descriptor Table is left in place.]
     • Home-grown privilege escalation technique.
     • Makes idt register point to phony IDT.
     • Phony 0x80 handler:
       • Promotes callers to root,
       • Calls kernel’s 0x80 handler.
     • No modifications to:
       • Original IDT,
       • Original 0x80 handler.

  13. Register diagnostic and repair
     [Diagram: as in slide 8, with the virtual hardware registers highlighted.]
     1. Agent reads idt register value.
     2. Agent compares observed value to proper value.
     3. Agent writes back good value.
     Bug: causes VM to hang. We do fix from LKM for now.
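The text, table and register diagnostics and surgical repairs of slides 7 through 13, as an added example that is not VICI's or Komoku's code: it runs the agent's checks over a constructed flat image of guest RAM, applies the three attacks from the slides to that image, and writes the known-good values back. The layout (two 4KB text pages holding the cap_capable() bytes of slide 7, a 256-entry 32-bit syscall table after them, a stand-alone idt register value), the addresses and the rootkit address are assumptions for the example; 220 is getdents64's syscall number on i386.

```python
import hashlib, struct

PAGE = 4096
# Constructed guest layout (assumed, not VICI's real addresses): two 4 KB text
# pages followed by a 256-entry system call table of 32-bit function pointers.
KTEXT, NPAGES, NSYS = 0xC0100000, 2, 256
SYSCALL_TABLE, TABLE_OFF = KTEXT + NPAGES * PAGE, NPAGES * PAGE
GOOD_IDTR = 0xC0318000                               # assumed proper idt register value
# cap_capable() bytes from slide 7 (the "and" form), placed at text offset 0x100.
CAP_CAPABLE = bytes.fromhex("89d1 ba01000000 d3e2 2390740100")
GOOD_TEXT = bytearray(0x100) + CAP_CAPABLE + bytearray(NPAGES * PAGE - 0x100 - len(CAP_CAPABLE))
GOOD_TABLE = [KTEXT + 0x400 + 16 * n for n in range(NSYS)]   # every slot inside kernel text
GOOD_SUMS = [hashlib.md5(GOOD_TEXT[i * PAGE:(i + 1) * PAGE]).hexdigest() for i in range(NPAGES)]

def build_guest(tampered):
    """Flat RAM image plus idt register; the slides' three attacks are applied on request."""
    mem = bytearray(GOOD_TEXT) + struct.pack("<%dI" % NSYS, *GOOD_TABLE)
    g = {"mem": mem, "idtr": GOOD_IDTR}
    if tampered:
        mem[0x100 + 9] = 0x0B                                # slide 7: "and" -> "or"
        off = TABLE_OFF + 4 * 220                            # slide 9: getdents64 slot
        mem[off:off + 4] = struct.pack("<I", 0xD0800000)     # now points at rootkit code
        g["idtr"] = 0xD0801000                               # slide 12: idtr -> phony IDT
    return g

def diagnose_text(g):
    """Slide 8: MD5 each 4KB text block, report blocks whose sum differs from the proper one."""
    sums = [hashlib.md5(g["mem"][i * PAGE:(i + 1) * PAGE]).hexdigest() for i in range(NPAGES)]
    return [i for i in range(NPAGES) if sums[i] != GOOD_SUMS[i]]

def diagnose_table(g):
    """Slide 11: report syscall slots whose pointer leaves kernel text (interposition)."""
    ptrs = struct.unpack("<%dI" % NSYS, g["mem"][TABLE_OFF:TABLE_OFF + 4 * NSYS])
    return [n for n, p in enumerate(ptrs) if not KTEXT <= p < SYSCALL_TABLE]

def repair(g, bad_blocks, bad_slots):
    """Surgical repair: write back good text blocks, good table entries and the good idtr."""
    for i in bad_blocks:
        g["mem"][i * PAGE:(i + 1) * PAGE] = GOOD_TEXT[i * PAGE:(i + 1) * PAGE]
    for n in bad_slots:
        g["mem"][TABLE_OFF + 4 * n:TABLE_OFF + 4 * n + 4] = struct.pack("<I", GOOD_TABLE[n])
    fixed_idtr = g["idtr"] != GOOD_IDTR          # slide 13: register write-back
    g["idtr"] = GOOD_IDTR
    return len(bad_blocks) + len(bad_slots) + int(fixed_idtr)

def agent_pass(g):
    """One diagnose-then-repair pass: (bad_blocks, bad_slots, idtr_bad, repairs_made)."""
    bad_blocks, bad_slots, idtr_bad = diagnose_text(g), diagnose_table(g), g["idtr"] != GOOD_IDTR
    return bad_blocks, bad_slots, idtr_bad, repair(g, bad_blocks, bad_slots)
```

Calling agent_pass(build_guest(True)) reports block 0, slot 220 and the redirected idtr and makes three repairs; a second pass over the same image reports nothing.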

  14. Attack: pseudo-random number generator (PRNG) weakening

         ------------- G O O D ---------------          -------------- B A D ----------------
         PRNG pools and polynomials:                    PRNG pools and polynomials:
         polynomial A:     103 76 51 25 1             | polynomial A:     0 0 0 0 0
         polynomial B:     26 20 14 7 1               | polynomial B:     0 0 0 0 0
         input pool:       0x15182c1e142ead04         | input pool:       0x0000000000000000
         nonblocking pool: 0xbc0173de1a09ead2         | nonblocking pool: 0x0000000000000000
         blocking pool:    0x3725ea43a837418e         | blocking pool:    0x0000000000000000

     • Attack due to Baliga and others at Oakland 2007.
     • Weakens Linux PRNG output to make keys guessable.
     • Linux PRNG:
       • fills pools with numbers based on interrupt timing,
       • stirs pools with 5-term polynomial.
     • Baliga attack zeroes pools and polynomial exponents.
     • Baliga attack repeats, ours doesn’t (yet).

  15. PRNG state diagnostic and repair
     [Diagram: as in slide 8.]
     1. Agent reads PRNG exponents.
     2. Agent compares exponents to proper values.
     3. Agent writes back good exponents, refills pools with bytes from Domain 0’s PRNG.

  16. Demo: non-surgical repair
     [Diagram: REPAIR AGENT, KERNEL, KME, XEN and knowledge base as in slide 3; labels ttysnoop, sidekick, On User VM, On privileged “Domain0” VM.
      1. VM introspection reports problems (EXISTS NOW)
      2. Nooks-style repair action]

  17. Ttysnoop: keyboard sniffer
     [Diagram: idt register -> Interrupt Descriptor Table -> 0x80 handler function -> System Call Table -> Ttysnoop read and write functions -> Kernel read and write functions.]
     • Code taken from “sk2” and “Linspy” rootkits.
     • Snoops ttys for passwords.
     • Ttysnoop rootkit:
       • Interposes on read and write system calls.
       • When write sees “password:” prompt,
       • Dumps next line seen by read to system log.

  18. Sidekick during normal runtime
     [Diagram: user programs (gcc, Login:, other) call read and write in the victim kernel; Ttysnoop sits in front of read and write; the Sidekick watches the blocked processes.]
     User programs make system calls.
     Ttysnoop intercepts read and write.
     Sidekick keeps track of which processes are blocked (waiting) on read and write.

  19. Sidekick during unload repair
     [Diagram: as in slide 18.]
     • Agent detects interposition.
     • Agent traces read and write function pointers to Ttysnoop (not yet done).
     • Sidekick SIGTERMs processes blocked on read and write to unwind their stacks.
     • Sidekick unloads Ttysnoop.

  20. Proposed “Core War” alternative
     Ttysnoop write:     Preamble -> Call kernel write -> Wrote “ssword”? -> Log mode on! -> Conclusion
     Rendered harmless:  Preamble -> Call kernel write -> NOP NOP NOP -> Conclusion

  21. Up next: phase 2 learning
     Goal: learn to choose the least costly effective repair.
     [Diagram: loop of diagnosis -> choose repair action -> evaluation -> adjust releaser thresholds.]
     Problem: The foo data structure has been tampered with!
     Set of relevant repair actions:
       Tweak existing foo
       Replace entire foo
       Restart foo-using subsystem
       Restore system checkpoint (!!)
       --> . . .

  22. Phase 3: % of data examined on a single momentary scan (vs. data never examined at all)
     [Chart: coverage per data category, with levels “Done now”, “Planned for VICI” and “Seems possible in theory” against a “100% coverage” line. Categories: Static data, including jump tables (ubiquitous) (*); Text (common); Dynamic data (rare); Hardware state (mainly theoretical) (**).]
     (*) for a single kernel version.
     (**) for a single set of hardware.
