[show abstract][hide abstract] ABSTRACT: We propose XTRec, a primitive that can record the instruction-level execution trace of a commodity computing system. Our primitive is resilient to compromise to provide integrity of the recorded execution trace. We implement XTRec on the AMD platform running the Windows OS. The only software component that is trusted in the system during runtime is XTRec itself, which contains only 2,195 lines of code permitting manual audits to ensure security and safety. We use XTRec to show whether a particular code has been executed on a system, or conversely to prove that some malware has not executed on the system. This is a highly desirable property to ensure information assurance, especially in critical e-government infrastructure. Our experimental results show that the imposed overhead is 2x-4x for real-world applications. This overhead is primarily due to CPU Branch Trace Messages(BTM), a ubiquitous debugging feature used to record control-flow instructions. Hardware improvements to BTM would therefore enable XTRec to run with minimal overhead.
System Sciences (HICSS), 2011 44th Hawaii International Conference on; 02/2011
[show abstract][hide abstract] ABSTRACT: Virtualization has been purported to be a panacea for many security problems. We analyze the feasibility of constructing an integrity-protected hypervisor on contemporary x86 hardware that includes virtualization sup- port, observing that without the fundamental property of hypervisor integrity, no secrecy properties can be achieved. Unfortunately, we find that significant issues remain for constructing an integrity-protected hypervisor on such hard- ware. Based on our analysis, we describe a set of necessary rules that must be followed by hypervisor developers and users to maintain hypervisor integrity. No current hypervisor we are aware of adheres to all the rules. No current x86 hardware platform we are aware of even allows for the construction of an integrity-protected hypervisor. We provide a perspective on secure virtualization and outline a research agenda for achieving truly secure hypervisors. Virtualization allows a single physical computer to share its resources among multiple guests, each of which perceives itself as having total control of its virtual machine (VM) (30). Virtualization is an effective means to improve hardware utilization, reduce power and cooling costs, and streamline backup, recovery, and data center management. It is even making inroads on the client-side. However, in all of these roles, the hypervisor (or Virtual Machine Monitor (VMM)) becomes yet another maximally privileged software component from the perspective of the guest's trusted computing base (TCB). This stands in direct violation of several well-known principles of protecting information in computer systems (36). In many scenarios, the hypervisor may support guests for two or more mutually distrusting entities, thereby putting to the test the hypervisor's ability to truly protect its own integrity and isolate guests (7). Unfortunately, today's popular hypervisors are not without their share of vulnerabilities (e.g., (4,49)), and ap- pear to be unsuitable for use with highly sensitive applications. Despite recent enhancements to hardware support for virtualization (6,21,32), low-level systems problems (e.g., System Management Mode exploits (12,50) and vulner- able BIOSes (26,35)) continue to plague existing solutions. We distinguish between threats to hypervisor integrity and threats to hypervisor and guest data secrecy, observing that an integrity-protected hypervisor is a necessary, but not sufficient, condition for maintaining data secrecy in the face of mutually distrusting guests. We define integrity- protected to mean that the hypervisor's code cannot be modified in any fashion and the hypervisor's data cannot be maliciously changed. The secrecy of guests' data is explicitly defined to be outside the scope of the current paper. Are today's virtualization and security extensions to the x86 platform sufficient to maintain the integrity of a hypervisor? This is a challenging question to answer for current platforms due to their high complexity. Challenging practical issues that we consider include per-device idiosyncrasies that arise from devices that are not completely standards-compliant, and the need to offer the precise (i.e., bug-compatible) environment expected by unmodified guest operating systems. Given the challenges in designing and implementing an integrity-protected hypervisor, we define threats to data secrecy and availability (such as covert channels, side channels, timing channels, and resource exhaustion attacks) to be outside the scope of this paper. Data secrecy and availability can be ensured only if the fundamental property of hypervisor integrity is realized. For example, without integrity-protection, portions of the hypervisor that manage the isolation of memory pages between guests may be maliciously modified, thereby allowing one guest to make modifications to the code or data of another guest. These modifications may include releasing secrets. We enumerate core system elements (e.g., buses and system components) required to protect the integrity of the hypervisor in §2, and present rules for an integrity-protected hypervisor in §3. In §4, we discuss specific details of AMD's and Intel's hardware virtualization support in the context of an integrity-protected hypervisor. We believe our rules represent a strong first approximation of the necessary requirements for an integrity-protected hypervisor on today's x86 hardware. We write these rules as hypervisor developers with years of experience investigating hypervisor integrity. We leave for future work the demonstration that these rules are also sufficient. Given the complexity of the current x86 hardware virtualization architecture and the plethora of available devices, it may be difficult to conclude definitively that an integrity-protected hypervisor can be created when its VMs are
Trust and Trustworthy Computing, Third International Conference, TRUST 2010, Berlin, Germany, June 21-23, 2010. Proceedings; 01/2010
[show abstract][hide abstract] ABSTRACT: We describe, build, and evaluate Lockdown, a system that significantly increases the level of security for online transactions, even on a platform infested with malicious code. Lockdown provides the user with a highly-protected, yet also highly-constrained trusted environment for performing online transactions, as well as a high-performance, general-purpose environment for all other (non-security-sensitive) applications. A simple, user-friendly external in-terface allows the user to securely learn which environment is active and easily switch between them. We focus on making Lockdown deployable and usable today. Lockdown works with both Windows and Linux, and provides immediate improvements to security-sensitive tasks while imposing, on average, only 3% memory overhead and 2–7% storage overhead on non-security-related tasks.
[show abstract][hide abstract] ABSTRACT: This paper extends VAMPiRE, a stealth breakpoint framework specifically tailored for microscopic malware analysis. Stealth breakpoints are designed to provide unlimited number of code, data and I/O breakpoints that cannot be detected or countered. However, in this paper we present several attacks that can be used to detect and counter VAMPiRE. We then present a solution towards preventing such attacks in the form of a new breakpoint framework named Galanus. Galanus also adds support for legacy I/O breakpoints in kernel-mode, an important feature required to analyze keyloggers, BIOS flashers, CMOS updaters and rootkits. We also evaluate Galanus, comparing it to VAMPiRE in the context of a few real-world malware.
CRiSIS 2009, Post-Proceedings of the Fourth International Conference on Risks and Security of Internet and Systems, Toulouse, France, October 19-22, 2009; 01/2009
[show abstract][hide abstract] ABSTRACT: Malware or malicious code is a rapidly evolving threat to the computing community. Zero-day malware are exploiting vulnerabilities very soon after being discovered and are spreading quickly. However, anti-virus tools, which are the most widely used countering mechanism, are unable to cope with this. They are based on signatures which need to be computed for new malware strains. After a new malware strikes and before the signature is found allows sufficient time for the malware to perform its damage. We propose a new framework, codenamed MalTRAK, which, when deployed on a clean system, guarantees that any effects of a known or unknown malware can always be reversed and the system can be restored back to a prior clean state. Our framework also maintains detailed dependency lists of system operations which can be used for further forensic analysis. We are able to achieve this without imposing any restrictions on the nature of programs that can be executed by the user and without the user noticing any perceptible system slowdown due to the framework. Furthermore, we are able to track modifications to the system at a level that ensures that we can always monitor any changes to the system state even if a malware modifies the system during execution. We implemented and evaluated MalTRAK on Windows, using 8 known malware assuming they were unknown strains. We then compared our results with two popular commercial anti-virus tools. We were able to successfully restore all the effects of the 8 malware, while the commercial tools, on an average were only able to restore 36% of all their effects put together. For one of the malware samples, the commercial tools could only detect it but could not repair any of its damage. Further, for two of the malware samples, the commercial tools were completely unable to detect or restore any of their effects. Our results show that signature based mechanisms in addition to not being able to prevent infection by new malware strains, are not ve- - ry effective in removing an infection even after a signature has been developed. Our experience shows that non-signature based approaches, such as MalTRAK, are the next step towards combating the threat of ever-evolving malware.
Twenty-Fourth Annual Computer Security Applications Conference, ACSAC 2008, Anaheim, California, USA, 8-12 December 2008; 01/2008
[show abstract][hide abstract] ABSTRACT: - Advances in softward and hardware technologies have given operating systems the ability to process data and handle various
concurrent processes. The increased ability has been one of the driving forces which have led to the proliferation of mechanisms
in operating systesm to satisfy the performance requriements of applications with predictable resourece allocation. As differnt
classes of applicatons require different resources managemnt policies one needs to look into ways to satify all classes of
applications. Conventional general purpose operating systems have been developed for a single class of best-effort applications,
hence, are inadequate to support multiple classes of applications. We present an abstract architecture for the support of
Quality of Service (Qos) in Kernel-Less Operating System (KLOS). We propose new semantics for the Qos resources management
paradigm, based on the notion of Quality of Service. By virtue of this new semantics, it is possible to provide the support
required by KLOS to various components of the operating system such as memory manager, processor time, IO management etc.
These mechanisms which are required within an operating system to support this paradigm are described, and the design and
implementation of a protoypical kernel which implements them in is presented. Various notions of negotiation rules between
the application and the operating systems are discussed along-with a feature which allows the user to express its requirements
and the fact is that this model assures the user in providing the selcted parameters and returns feedback about the way it
meets those requirements. This Qos model presents a design paradigm that allows the internal components to be rearranged dynamically,
adapting the architecutre to the high performance of KLOS. The benefits of our framework are demonstrated by building a simulation
model to represent how the various modules of an opeating system and the interface between the processes and the operating
system can be tailored to provide Qualitu of Service guarantees.
[show abstract][hide abstract] ABSTRACT: Fine-grained code analysis in the context of malware is a complex and challenging task that provides insight into malware code-layers (polymorphic/metamorphic), its data encryption/decryption engine, its memory layout etc., important pieces of information that can be used to detect and counter the malware and its variants. Current research in fine-grained code analysis can be categorized into static and dynamic approaches. Static approaches have been tailored towards malware and allow exhaustive fine-grained malicious code analysis, but lack support for self-modifying code, have limitations related to code-obfuscations and face the undecidability problem. Given that most if not all malware employ self-modifying code and code-obfuscations, poses the need to analyze them at runtime using dynamic approaches. However, current dynamic approaches for fine-grained code analysis are not tailored specifically towards malware and lack support for multithreading, self-modifying/self-checking code and are easily detected and countered by ever-evolving anti-analysis tricks employed by malware. To address this problem, we propose a powerful dynamic fine-grained malicious code analysis framework, codenamed Cobra, to combat malware that are becoming increasingly hard to analyze. Our goal is to provide a stealth, efficient, portable and easy-to-use framework supporting multithreading, self-modifying/self-checking code and any form of code obfuscation in both user- and kernel-mode on commodity operating systems. Cobra cannot be detected or countered and can be dynamically and selectively deployed on malware specific code-streams while allowing other code-streams to execute as is. We also illustrate the framework utility by describing our experience with a tool employing Cobra to analyze a real-world malware.
Security and Privacy, 2006 IEEE Symposium on; 06/2006
[show abstract][hide abstract] ABSTRACT: Microscopic analysis of malicious code (malware) requires the aid of a variety of powerful tools. Chief among them is a debugger that enables runtime binary analysis at an instruction level. One of the important services provided by a debugger is the ability to stop execution of code at an arbitrary point during runtime, using breakpoints. Software breakpoints support an unlimited number of breakpoint locations by changing the code being debugged so that it can be interrupted during runtime. Most, if not all, malware are very sensitive to code modification with self-modifying and/or self-checking (SM-SC) capabilities, rendering the use of software breakpoints limited in their scope. Hardware breakpoints supported by the underlying processor, on the other hand, use a subset of the processor register set and exception mechanisms to provide breakpoints that do not entail code modification. This makes hardware breakpoints the most powerful breakpoint mechanism for malware analysis. However, current processors provide a very limited number of hardware breakpoints (typically 2-4 locations). Thus, a serious restriction is imposed on the debugger to set a desired number of breakpoints without resorting to the limited alternative of software breakpoints. Also, with the ever evolving nature of malware, there are techniques being employed that prevent the use of hardware breakpoints. This calls for a new breakpoint mechanism that retains the features of hardware breakpoints while providing an unlimited number of breakpoints, which cannot be detected or countered. In this paper, we present the concept of stealth breakpoints and discuss the design and implementation of VAMPiRE, a realization of this concept. VAMPiRE cannot be detected or countered and provides unlimited number of breakpoints to be set on code, data, and I/O with the same precision as that of hardware breakpoints. It does so by employing a subtle combination of simple stealth techniques using virtual memory and hardware single-stepping mechanisms that are available on all processors, old and new. This technique makes VAMPiRE portable to any architecture, providing powerful breakpoint ability similar to hardware breakpoints for microscopic malware analysis.
[show abstract][hide abstract] ABSTRACT: Malware — a generic term that encompasses viruses, trojans, spywares and other intrusive code — is widespread today. Malware analysis is a multi-step pro- cess providing insight into malware structure and func- tionality, facilitating the development of an antidote. Behavior monitoring, an important step in the analy- sis process, is used to observe malware interaction with respect to the system and is achieved by employing dy- namic coarse-grained binary-instrumentation on the tar- get system. However, current research involving dy- namic binary-instrumentation, categorized into probe- based and just-in-time compilation (JIT), fail in the con- text of malware. Probe-based schemes are not transpar- ent. Most if not all malware are sensitive to code mod- ification incorporating methods to prevent their analy- sis and even instrument the system themselves for their functionality and stealthness. Current JIT schemes, though transparent, do not support multithreading, self- modifying and/or self-checking (SM-SC) code and are unable to capture code running in kernel-mode. Also, they are an overkill in terms of latency for coarse-grained instrumentation. To address this problem, we have developed a new dynamic coarse-grained binary-instrumentation frame- work codenamed SPiKE, that aids in the construction of powerful malware analysis tools to combat malware that are becoming increasingly hard to analyze. Our goal is to provide a binary-instrumentation framework that is unobtrusive, portable, ecient, easy-to-use and reusable, supporting multithreading and SM-SC code, both in user- and kernel-mode. In this paper, we dis- cuss the concept of unobtrusive binary-instrumentation and present the design, implementation and evaluation of SPiKE. We also illustrate the framework utility by describing our experience with a tool employing SPiKE to analyze a real world malware.
[show abstract][hide abstract] ABSTRACT: Operating Systems provide services that are accessed by processes via mechanisms that involve a ring transition to transfer control to the kernel where the required functi on is performed. This has one significant drawback that every service call involves an overhead of a context switch where processor state is saved and a protectio n domain transfer is performed. However, as we discovered, it is possible, on processor architectures that support segmentation, to achieve a significant performance gain in accessing the services provided by the operating system by not performing a ring transition. Further, such gains can be achieved without compromising on the separation of the privileged components from the unprivileged. KLOS is a Kernel-Less Operating System built on the basis of such a design. The KLOS service call mechanism is an order of magnitude faster than the current widely implemented mechanisms for service or system calls wit h a 4x improvement over the traditional trap/interrupt and a 2x improvement over the Intel SYSENTER/SYSEXIT fast system call models.
[show abstract][hide abstract] ABSTRACT: Operating Systems provide services that are accessed by processes via mechanisms that involve a ring transition to transfer control to the kernel where the required function is performed. This has one significant drawback that every service call involves an overhead of a context switch where processor state is saved and a protection domain transfer is performed. However, as we discovered, it is possible, on architectures that support segmentation, to achieve a significant performance gain in accessing the services provided by the operating system by not performing a ring transition. Further, such gains can be achieved without compromising on the separation of the privileged components from the non-privileged. Our service call mechanism results in 28 clock cycles in the best case and 50 clock cycles in the average case which is an order of magnitude faster than current widely implemented methods of service or system calls 1.
[show abstract][hide abstract] ABSTRACT: Much effort has been spent to reduce the software Trusted Computing Base (TCB) of modern systems. However, the hardware TCB remains complex and untrustworthy. Com-ponents such as memory, peripherals, and system buses may become malicious via firmware compromise, a malicious manufacturer, a malicious supply chain, or local physical tampering. We seek to reduce the hardware TCB to a min-imal set of hardware components that must be trusted. We describe the design and implementation of an isolated execu-tion environment on commodity x86 platforms that only re-lies on the CPU, without needing to trust the memory, buses, peripherals, or any other system components.