220 likes | 322 Views
VM Introspection for Cognitive Immunity (VICI). Komoku , Inc. Tim Fraser tfraser@komoku.com June 2007 SRS2 PI Meeting. VICI = VMI + repair + learning. Rootkit attacks. VM running mission apps. diagnostic information. repairs. VICI. Problem:
E N D
VM Introspection for Cognitive Immunity (VICI) Komoku, Inc. Tim Fraser tfraser@komoku.com June 2007 SRS2 PI Meeting
VICI = VMI + repair + learning Rootkit attacks VM running mission apps diagnostic information repairs VICI Problem: Adversaries install kernel rootkits to hide, facilitate access, spy for days, weeks, months... Difficult to detect. Difficult to remove. Proposed Solution: VM Introspection for self-diagnosis. Automated repair for self-healing. Learning to optimize repair selection = “cognitive immunity”. VICI – Tim Fraser <tfraser@komoku.com – Komoku, Inc.
VICI prototype testbed REPAIR AGENT KERNEL KME XEN 1. VM introspection reports problems Know- ledge base EXISTS NOW 2. Nooks, Microreboot, ReVirt repair problems 4. refinements LEARNING ENGINE 3. VM introspection evaluates repair effectiveness TODO On User VM On privileged “Domain0” VM VICI – Tim Fraser <tfraser@komoku.com – Komoku, Inc.
Project timeline (Jun 07) (Dec 07) (Jun 08) Q1 Q2 Q3 Q4 Q5 Q6 Current status: Phase 1 prototype complete! Phase 1 prototype: diagnostics and repairs Phase 2 prototype: adds learning for cognitive immunity Phase 3 (final) prototype: adds coverage for Red Team exercises VICI – Tim Fraser <tfraser@komoku.com – Komoku, Inc.
Summary of Phase 1 Results • Demonstrated useful self-diagnosis: • Prototype detects 6 kinds of kernel rootkit tampering. • Demonstrated useful self-healing: • Prototype repairs above 6 attacks. • 5 “surgical” repairs • 1 more complex Nooks-style repair • Alternate “Core War” approach to repair may prove to be equally effective at lower cost. VICI – Tim Fraser <tfraser@komoku.com – Komoku, Inc.
Demo: diagnostics and surgical repair REPAIR AGENT KERNEL KME XEN 1. VM introspection reports problems Know- ledge base EXISTS NOW 2. “Surgical repairs” by writing RAM, regisers rootsim On User VM On privileged “Domain0” VM VICI – Tim Fraser <tfraser@komoku.com – Komoku, Inc.
Attack: text modification int cap_capable (struct task_struct *tsk, int cap) { if (tsk->cap_effective & CAP_TO_MASK(cap)) return 0; return -EPERM; } Original check: you need this AND that to pass. Tampered check: you need this OR that to pass (always passes). ------------- G O O D --------------- -------------- B A D ---------------- cap_capable() text: cap_capable() text: 89 d1 mov %edx,%ecx 89 d1 mov %edx,%ecx ba 01 00 00 00 mov $0x1,%edx ba 01 00 00 00 mov $0x1,%edx d3 e2 shl %cl,%edx d3 e2 shl %cl,%edx 23 90 74 01 00 and 0x174(%eax),%edx | 0b 90 74 01 00 or 0x174(%eax),%edx VICI – Tim Fraser <tfraser@komoku.com – Komoku, Inc.
Text diagnostic and repair Domain 0 Guest Domain • Victim kernel: • Text • Static data • Dynamic data • Virtual Hardware: • Registers VICI Agent • Agent computes • MD5 checksums, • compares to • proper values. • Agent reads text in 4KB blocks. 3. Agent writes back good text. XEN VICI – Tim Fraser <tfraser@komoku.com – Komoku, Inc.
Attack: system call interposition idt register Interrupt Descriptor Table 0x80 handler function System Call Table Rootkit function Kernel function • Code taken from “override” rootkit. • Hides files. • Interposes on getdents64 system call. • Override getdents64: • Call real getdents64, • Removes files named “Root_*”. VICI – Tim Fraser <tfraser@komoku.com – Komoku, Inc.
Attack: procfs jump table interposition • Code taken from “Adore-ng”. • Hides processes. • Interposes on procfs readdir function. • Adore-ng readdir: • Call real readdir, • Removes processes with euid != 0. • (The real Adore-ng has different removal criteria.) System Call Table Kernel read function Procfs jump Table Rootkit function Procfs function VICI – Tim Fraser <tfraser@komoku.com – Komoku, Inc.
Table diagnostic and repair Domain 0 Guest Domain • Victim kernel: • Text • Static data (tables) • Dynamic data • Virtual Hardware: • Registers VICI Agent • Agent computes • MD5 checksums, • compares to • proper values. • Agent reads tables 3. Agent writes back good table values. XEN VICI – Tim Fraser <tfraser@komoku.com – Komoku, Inc.
Attack: idt register redirection idt register Interrupt Descriptor Table Rootkit Interrupt Descriptor Table Rootkit 0x80 handler Kernel 0x80 handler System call table • Home-grown privilege escalation technique. • Makes idt register point to phony IDT. • Phony 0x80 handler: • Promotes callers to root, • Calls kernel’s 0x80 handler. • No modifications to: • Original IDT, • Original 0x80 handler. VICI – Tim Fraser <tfraser@komoku.com – Komoku, Inc.
Register diagnostic and repair Domain 0 Guest Domain • Victim kernel: • Text • Static data • Dynamic data • Virtual Hardware: • Registers VICI Agent • Agent compares observed value to proper value. Bug: causes VM to hang. We do fix from LKM for now. • Agent reads idt register value. 3. Agent writes back good value. XEN VICI – Tim Fraser <tfraser@komoku.com – Komoku, Inc.
Attack: pseudo-random number generator (PRNG) weakening ------------- G O O D --------------- -------------- B A D ---------------- PRNG pools and polynomials: PRNG pools and polynomials: polynomial A: 103 76 51 25 1 | polynomial A: 0 0 0 0 0 polynomial B: 26 20 14 7 1 | polynomial B: 0 0 0 0 0 input pool: 0x15182c1e142ead04 | input pool: 0x0000000000000000 nonblocking pool: 0xbc0173de1a09ead2 | nonblocking pool: 0x0000000000000000 blocking pool: 0x3725ea43a837418e | blocking pool: 0x0000000000000000 • Attack due to Baliga and others at Oakland 2007. • Weakens Linux PRNG output to make keys guessable. • Linux PRNG: • fills pools with numbers based on interrupt timing, • stirs pools with 5-term polynomial. • Baliga attack zeroes pools and polynomial exponents. • Baliga attack repeats, ours doesn’t (yet). VICI – Tim Fraser <tfraser@komoku.com – Komoku, Inc.
PRNG state diagnostic and repair Domain 0 Guest Domain • Victim kernel: • Text • Static data • Dynamic data • Virtual Hardware: • Registers VICI Agent • Agent compares exponents to proper values. • Agent reads PRNG exponents. • Agent writes back good exponents, refills pools with bytes from Domain 0’s PRNG. VICI – Tim Fraser <tfraser@komoku.com – Komoku, Inc.
Demo: non-surgical repair REPAIR AGENT KERNEL KME XEN 1. VM introspection reports problems Know- ledge base EXISTS NOW 2. Nooks-style repair action ttysnoop sidekick On User VM On privileged “Domain0” VM VICI – Tim Fraser <tfraser@komoku.com – Komoku, Inc.
Ttysnoop: keyboard sniffer idt register Interrupt Descriptor Table 0x80 handler function System Call Table Ttysnoop read and write functions Kernel read and write functions • Code taken from “sk2” and “Linspy” rootkits. • Snoops ttys for passwords. • Ttysnoop rootkit: • Interposes on read and write system calls. • When write sees “password:” prompt, • Dumps next line seen by read to system log. VICI – Tim Fraser <tfraser@komoku.com – Komoku, Inc.
Sidekick during normal runtime gcc Login: User programs make system calls. Ttysnoop intercepts read and write. Sidekick keeps track of which processes are blocked (waiting) on read and write. other other write read Ttysnoop Sidekick ----------- blocked ----------- Victim kernel VICI – Tim Fraser <tfraser@komoku.com – Komoku, Inc.
Sidekick during unload repair • Agent detects interposition. • Agent traces read and write function pointers to Ttysnoop (not yet done). • Sidekick SIGTERMs processes blocked on read and write to unwind their stacks. • Sidekick unloads Ttysnoop. gcc Login: other other write read Ttysnoop Sidekick ----------- blocked ----------- Victim kernel VICI – Tim Fraser <tfraser@komoku.com – Komoku, Inc.
Proposed “Core War” alternative Ttysnoop write: Preamble Call kernel write Wrote “ssword”? Log mode on! Conclusion Rendered harmless: Preamble Call kernel write NOP NOP NOP Conclusion VICI – Tim Fraser <tfraser@komoku.com – Komoku, Inc.
Up next: phase 2 learning diagnosis Goal: learn to choose the least costly effective repair. adjust releaser thresholds choose repair action evaluation Problem: The foo data structure has been tampered with! Set of relevant repair actions: Tweak existing foo Replace entire foo Restart foo-using subsystem Restore system checkpoint (!!) --> . . . VICI – Tim Fraser <tfraser@komoku.com – Komoku, Inc.
Phase 3: % of data examined on a single momentary scan (vs. data never examined at all) Planned for VICI Seems possible in theory 100% coverage Done now Static data Including jump tables (ubiquitous) (*) Text (common) Dynamic data (rare) Hardware state (mainly theoretical) (**) (*) for a single kernel version. (**) for a single set of hardware.