CyberSEED: Virtual Machine Introspection to Detect and Protect


Transcript of CyberSEED: Virtual Machine Introspection to Detect and Protect

@CSICyberSEED

Virtual Machine Introspection to Detect and Protect

“It’s turtles all the way down!”

Tamas K Lengyel, @tklengyel


# whoami
• Senior Security Researcher at Novetta
• PhD Student at UConn CSE
• DARPA Cyber Fast Track participant
• Maintainer of Xen, DRAKVUF & LibVMI


Outline
• Brief look at the current security model
• Virtualization
• Virtual Machine Introspection
• It’s turtles all the way down!


Current security model (diagram: Low privilege, High privilege)


Current security model (diagram: Low privilege, High privilege, X)


The problem: Rootkits (diagram: Low privilege, High privilege)


The problem: Rootkits (diagram: Low privilege, High privilege, X)


Virtualization (diagram: Low privilege, High privilege, Higher privilege)


Virtual Machine Introspection

Use the hypervisor for additional security! (diagram: X, X X X)


How?
● Isolation: provided by the hypervisor
● Interpretation: use forensics tools
  ○ LibVMI, Rekall, Volatility
● Interposition: use hardware extensions
  ○ Intel EPT, #VE
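The "interpretation" step is where the semantic gap gets bridged: the hypervisor only sees raw guest memory, and a forensics library such as LibVMI turns those bytes back into kernel objects using the guest's structure layout. The following Python model is an added example for this transcript, not code from the talk or from the LibVMI project. It builds a constructed guest memory image holding a circular task list, walks it from "outside" the way a process-list tool would, and runs a cross-view check against what in-guest tooling claims to see. The structure offsets, the memory image and the sample process names are all assumptions chosen for the example; a real tool takes the offsets from the guest kernel's debug symbols.

```python
import struct

# Constructed guest layout. These offsets are assumptions for this example,
# not real kernel offsets; a VMI tool obtains them from the guest's profile.
PTR_FMT = "<Q"          # 64-bit little-endian pointer
OFF_TASKS = 0x08        # offset of the embedded list_head 'tasks' in task_struct
OFF_PID = 0x18          # offset of the pid field
OFF_COMM = 0x20         # offset of the 16-byte comm field
COMM_LEN = 16
TASK_SIZE = 0x40        # stride between the constructed task_structs
MAX_TASKS = 1024        # bail out if the list never returns to init_task


def build_guest_memory(tasks, base=0x1000):
    """Constructed physical-memory image: a circular task list laid out the
    way a kernel embeds list_heads in its structures. Returns (bytes, init_task)."""
    n = len(tasks)
    mem = bytearray(base + n * TASK_SIZE)
    for i, (pid, comm) in enumerate(tasks):
        addr = base + i * TASK_SIZE
        # tasks.next points at the list_head inside the *next* task_struct
        next_head = base + ((i + 1) % n) * TASK_SIZE + OFF_TASKS
        struct.pack_into(PTR_FMT, mem, addr + OFF_TASKS, next_head)
        struct.pack_into("<I", mem, addr + OFF_PID, pid)
        raw = comm.encode()[:COMM_LEN - 1].ljust(COMM_LEN, b"\0")
        mem[addr + OFF_COMM:addr + OFF_COMM + COMM_LEN] = raw
    return bytes(mem), base


def read_ptr(mem, addr):
    return struct.unpack_from(PTR_FMT, mem, addr)[0]


def walk_process_list(mem, init_task_addr):
    """Interpretation step: enumerate processes from raw memory alone, using
    the structure layout rather than asking the guest kernel. Hooks placed by
    a rootkit inside the guest's syscall path cannot filter this view."""
    found = []
    cur = init_task_addr
    for _ in range(MAX_TASKS):
        # Forensics hygiene: never trust a pointer read from untrusted memory
        if cur < 0 or cur + TASK_SIZE > len(mem):
            raise ValueError(f"task pointer {cur:#x} points outside guest memory")
        pid = struct.unpack_from("<I", mem, cur + OFF_PID)[0]
        comm_raw = mem[cur + OFF_COMM:cur + OFF_COMM + COMM_LEN]
        found.append((pid, comm_raw.split(b"\0", 1)[0].decode()))
        # container_of(): list_head address -> enclosing task_struct address
        cur = read_ptr(mem, cur + OFF_TASKS) - OFF_TASKS
        if cur == init_task_addr:
            return found
    raise ValueError("task list did not terminate; memory may be corrupted")


def hidden_processes(vmi_view, guest_view):
    """Cross-view check: PIDs visible from the hypervisor side but missing
    from what tools running inside the guest report."""
    return sorted({pid for pid, _ in vmi_view} - set(guest_view))


if __name__ == "__main__":
    # Constructed sample: the in-guest process listing omits PID 4242.
    mem, init_task = build_guest_memory(
        [(0, "swapper"), (1, "init"), (4242, "unlisted"), (77, "sshd")])
    procs = walk_process_list(mem, init_task)
    print(procs)
    print("hidden from the guest view:", hidden_processes(procs, [0, 1, 77]))
```

The bounds check on every pointer is the part worth copying: a VMI tool reads memory that an attacker inside the guest may deliberately corrupt, so a walker that follows pointers blindly can be steered into reading garbage or looping forever.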


But wait, this looks familiar... (diagram: X, X X X, X)


The million dollar question

What protects the hypervisor?


It’s turtles all the way down!

A well-known scientist (some say it was Bertrand Russell) once gave a public lecture on astronomy. He described how the earth orbits around the sun and how the sun, in turn, orbits around the center of a vast collection of stars called our galaxy. At the end of the lecture, a little old lady at the back of the room got up and said: "What you have told us is rubbish. The world is really a flat plate supported on the back of a giant tortoise." The scientist gave a superior smile before replying, "What is the tortoise standing on?" "You're very clever, young man, very clever," said the old lady. "But it's turtles all the way down!"

— Hawking, A Brief History of Time


Add some more layers (diagram: Nested hypervisors, Root hypervisor)


But why stop there?

System Management Mode (diagram: Dual-monitor mode Hypervisor, SMM VM)
No nested hypervisor in SMM
The real root hypervisor, with reference implementation available! Only OEM access on most hw


There is more! (diagram: SMM Hypervisor, SMM VM, Intel Management Engine)
No reference implementation, no documentation, only Intel has access


The bottom line
• Adding layers doesn’t solve the problem
• Only increases the cost of breaking through
• Building cross-layer tools is hard
• That’s the whole point
• Barrier erodes with time


What’s the catch?
• Keeping lower layers as small as possible
• More code = more attack surface
• Users should have the ability to inspect these layers
• The lower the layer, the fewer folks have insight/access
• Isn’t that the perfect setup for DRM?
• It may be about security - but not necessarily yours!


Thanks!

Tamas K Lengyel
[email protected]@novetta.com
@tklengyel

LibVMI http://libvmi.com
DRAKVUF http://drakvuf.com