SubVirt: Implementing malware with virtual machines - PowerPoint PPT Presentation

About This Presentation

Title: SubVirt: Implementing malware with virtual machines

Description: Attacker: run malicious software and avoid detection. Defender: understand and defend ... Compare running time of software in the VM with benchmarks against wall-clock time ... (PowerPoint PPT presentation)

Slides: 16
Provided by: Ashu158
Learn more at: http://www.cs.ucf.edu

Transcript and Presenter's Notes


1
SubVirt: Implementing malware with virtual machines
  • Authors
    • Samuel T. King, Peter M. Chen (University of Michigan)
    • Yi-Min Wang, Chad Verbowski, Helen J. Wang, Jacob R. Lorch (Microsoft Research)
  • Publication: 2006 IEEE Symposium on Security and Privacy
  • Presenter: Radha Maldhure

2
Goal
  • Attacker: run malicious software and avoid detection
  • Defender: understand and defend against the threat
  • Fig: layered system (Hardware, OS, App1, App2). Whichever party, attacker or defender, occupies the lower layer has more control, because it can observe and manipulate every layer above it.
3
VMM
  • VM runs the guest OS and guest applications
  • Host application and host OS provide convenient access to I/O devices and run the VM services
  • Fig: architecture of a hosted VMM (the design used by VMware and VirtualPC): the VM runs on the VMM, which runs as an application on the host OS
  • VMI (virtual-machine introspection): a set of techniques that enable a VM service to understand and modify state and events in the guest
4
What is the presentation about?
  • Virtual-machine based rootkit (VMBR)
    • installation
    • malicious services
    • maintaining control
  • Defending against a VMBR
    • control below the VMBR
    • control above the VMBR

5
VMBR
  • Fig: before infection, the target OS runs directly on the hardware with App1 and App2 in user mode. After infection, the VMBR sits between the hardware and the target OS, which now runs inside a virtual machine next to the attack system (attack OS plus malware). The VMBR is invisible to the target OS.
6
Installation
  • Gain sufficient privileges on the target system (kernel-level access is needed to write the disk and boot records)
  • Install the VMBR's state on persistent storage
  • Insert the VMBR beneath the target OS by manipulating the boot sequence (modifying boot records), so that the VMBR loads before the target OS
  • !! The boot-record modification is done at the final stage of shutdown, when the target's security software is no longer running to observe it
7
Malicious services (MS)
  • There are three types
    1. MS with no communication with the target system, e.g. phishing web servers
    2. MS that observes data from the target system, e.g. a keystroke logger that captures sensitive information such as passwords
    3. MS that modifies the execution of the target system, e.g. deletes email
8
Maintaining Control
  • Fig: booting the system. System powers up -> BIOS -> VMBR state is loaded and the VMBR code runs -> system is compromised before the target OS boots
  • !!! Avoid reboots and shutdowns: a physical reset or power-off takes control away from the VMBR until the next boot
  • Handle reboots: restart the virtual hardware rather than resetting the underlying physical hardware
  • Handle shutdowns: use ACPI sleep states to emulate a system shutdown
9
Defense
  • Fig: security software running above the VMBR can see only the virtualized state; security software running below the VMBR can see the actual state of the machine and the state of the VMBR itself
10
Security Software below VMBR
  • Basic idea
    • The detector's view of the system does not go through the VMBR's virtualization layer
  • Ways
    • Boot from a safe medium such as a CD-ROM or USB device (physically unplugged before booting)
    • Use a secure VMM
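One concrete form of a below-the-VMBR check, as an added example that is not code from the paper or from this presentation: after booting from a safe medium, read the disk's boot record directly and compare it with a copy recorded on a known-clean system. It assumes a classic 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, 0x55AA signature); the device path, the baseline storage and the sample boot-code bytes are constructed for the demonstration, and the two MBRs below are built in-process so the script runs offline.

```python
"""Below-the-VMBR check: compare a disk's boot record with a known-good copy.

Added example; not code from the SubVirt paper or this presentation.
Assumes the classic MBR layout. Intended use: run from a trusted boot
medium against the raw disk (e.g. /dev/sda, an assumed path), so the read
does not pass through a VMBR. The sample MBRs are constructed here.
"""
import hashlib
import struct
from typing import Dict, List

MBR_SIZE = 512
BOOT_CODE_SIZE = 446
# status, (CHS start), type, (CHS end), LBA start, sector count; little-endian
PARTITION_ENTRY = struct.Struct("<B3xB3xII")
SIGNATURE = b"\x55\xaa"


def parse_mbr(mbr: bytes) -> Dict:
    """Split an MBR into a hash of its boot code and its four partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = PARTITION_ENTRY.unpack_from(
            mbr, BOOT_CODE_SIZE + PARTITION_ENTRY.size * i)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"code_sha256": hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest(),
            "partitions": partitions}


def baseline_from(mbr: bytes) -> Dict:
    """Record the baseline on a known-clean system; keep it off the machine."""
    return parse_mbr(mbr)


def check_boot_record(mbr: bytes, baseline: Dict) -> List[str]:
    """Return findings; an empty list means the MBR matches the baseline."""
    current = parse_mbr(mbr)
    findings = []
    if current["code_sha256"] != baseline["code_sha256"]:
        findings.append("boot code differs from known-good hash")
    for i, (now, then) in enumerate(zip(current["partitions"], baseline["partitions"])):
        if now != then:
            findings.append(f"partition entry {i} changed: {then} -> {now}")
    return findings


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a raw block device (root required; run from the safe medium)."""
    with open(device_path, "rb") as dev:
        return dev.read(MBR_SIZE)


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a constructed MBR for the offline demonstration."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    table = b"".join(PARTITION_ENTRY.pack(*entry) for entry in partitions)
    return code + table + SIGNATURE


# Constructed sample data (not real boot code): one bootable Linux partition, three empty slots.
CLEAN_PARTITIONS = [(0x80, 0x83, 2048, 2_097_152), (0, 0, 0, 0), (0, 0, 0, 0), (0, 0, 0, 0)]
CLEAN_MBR = build_mbr(b"\xfa\x31\xc0\x8e\xd8\x8e\xc0", CLEAN_PARTITIONS)
BASELINE = baseline_from(CLEAN_MBR)
# A VMBR that hooks the boot sequence rewrites the boot code; the partition table is untouched.
TAMPERED_MBR = build_mbr(b"\xfa\x31\xc0\x8e\xd8\x8e\xc0\xeb\x7e", CLEAN_PARTITIONS)

if __name__ == "__main__":
    print("clean:   ", check_boot_record(CLEAN_MBR, BASELINE))
    print("tampered:", check_boot_record(TAMPERED_MBR, BASELINE))
```

The check only covers the boot record, which is the hook the presentation describes; a VMBR's state also lives elsewhere on disk, so a complete below-VMBR detector would compare the rest of the disk layout as well, and GPT/UEFI systems need a different parser.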

11
Security Software above VMBR
  • Basic idea
    • Security software below the VMBR is inconvenient, so try to detect the VMBR from inside the target system
  • Ways
    • Compare the running time of known software (benchmarks) in the VM against wall-clock time from an external source: the VMBR's virtualization overhead slows them down
    • Run a program that requires the entire memory or disk space: the VMBR's own state occupies some of it, so less is available than the hardware provides
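The two above-the-VMBR checks from this slide, as an added example rather than code from the paper or the presentation. The timing check runs fixed workloads and compares the best-of-N duration with a baseline measured on known-clean hardware; the external wall clock the paper relies on is a parameter here, because a clock read from inside the guest is under the VMBR's control. Two workloads are used on the assumption that trap-heavy operations (system calls) slow down far more under a VMBR than pure computation, which makes the per-workload ratio more telling than a single number. The memory check compares the physically installed memory with what the OS reports. The tolerance values and the sample baseline figures are assumptions for the demonstration.

```python
"""Above-the-VMBR checks: timing discrepancy and missing memory.

Added example; not code from the SubVirt paper or this presentation.
Thresholds, baseline numbers and the workload sizes are assumptions.
"""
import hashlib
import os
import time
from typing import Callable, Dict


def cpu_workload(iterations: int = 100_000) -> bytes:
    """Pure computation: chained SHA-256; returns the digest so the work is not dead code."""
    digest = b"\x00" * 32
    for _ in range(iterations):
        digest = hashlib.sha256(digest).digest()
    return digest


def syscall_workload(iterations: int = 100_000) -> int:
    """Trap-heavy work: one kernel entry per iteration, which a VMBR must intercept."""
    pid = 0
    for _ in range(iterations):
        pid = os.getpid()
    return pid


WORKLOADS: Dict[str, Callable[[], object]] = {"cpu": cpu_workload, "syscall": syscall_workload}


def time_workload(fn: Callable[[], object], runs: int = 5,
                  clock: Callable[[], float] = time.perf_counter) -> float:
    """Best of N runs; the clock should be an external time source in a real deployment."""
    best = float("inf")
    for _ in range(runs):
        start = clock()
        fn()
        best = min(best, clock() - start)
    return best


def measure_all(clock: Callable[[], float] = time.perf_counter) -> Dict[str, float]:
    return {name: time_workload(fn, clock=clock) for name, fn in WORKLOADS.items()}


def timing_verdict(baseline: Dict[str, float], measured: Dict[str, float],
                   tolerance: float = 0.25) -> Dict:
    """Flag any workload that runs more than `tolerance` slower than its clean baseline."""
    ratios = {name: measured[name] / baseline[name] for name in baseline}
    return {"ratios": ratios,
            "suspicious": any(r > 1.0 + tolerance for r in ratios.values())}


def memory_verdict(installed_bytes: int, visible_bytes: int,
                   tolerance_bytes: int = 256 * 2**20) -> Dict:
    """Firmware reserves some memory on a clean machine; a VMBR's footprint is larger than that."""
    missing = installed_bytes - visible_bytes
    return {"missing_bytes": missing, "suspicious": missing > tolerance_bytes}


if __name__ == "__main__":
    # Constructed baseline (assumed clean-hardware numbers), then a live measurement.
    assumed_clean_baseline = {"cpu": 0.20, "syscall": 0.02}
    print("measured:", measure_all())
    print("timing:", timing_verdict(assumed_clean_baseline, measure_all()))
    print("memory:", memory_verdict(8 * 2**30, 7 * 2**30))
```

The verdicts are only as good as the baseline: it must be taken on the same hardware, and, as the paper's threat model implies, a VMBR that recognises the benchmark can lie about the time it took, which is why the comparison clock has to come from outside the machine.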

12
Contribution
  • Explored the design and implementation of VMBR
  • Explored techniques for detecting VMBR

13
Weakness
  • A VMBR is difficult to install
  • A VMBR requires a reboot before it can run
  • A VMBR has a larger impact on the overall system (disk and memory footprint, performance overhead)

14
Suggestions
  • The ideas suggested by the paper are good, but they need more implementation work on both the attacker's side and the defender's side
  • The defenses are not convenient for end users
  • Some ideas are not clear

15
  • Questions?
  • Quote for the day
  • No defeat is final until we stop trying