
Page 1: Protecting The Kernel Data through Virtualization Technology BY VENKATA SAI PUNDAMALLI E-mail id : vpundama@kent.edu.

Protecting The Kernel Data through Virtualization Technology

BY

VENKATA SAI PUNDAMALLI

E-mail id : vpundama@kent.edu

Page 2:

CONTENTS

● Introduction
● Rootkit defense overview
● Access control model for kernel data protection
● Architecture of VMHUKO
● Implementation
● Conclusion and future work
● References
● Queries

Page 3:

INTRODUCTION

Virtualization technology has become a hot topic with the development of the computer architectures used in cloud computing environments.

The core part of virtualization is the Virtual Machine Monitor (VMM), a software layer lying between the operating system and the hardware. Today, kernel-level attacks such as rootkits are severe threats to an operating system whose kernel has no defense code. The VMM is a good platform for protecting the kernel from these attacks: placing security software in the VMM helps prevent rootkits from executing unauthorized code in kernel space.

Page 4:

This method still has some limitations:

1. Kernel data attacks that introduce no unauthorized code but modify existing kernel data.
2. Execution of new kernel code can't simply be refused, since hardware manufacturers release new drivers every day and it is impossible to authorize all of them.

Here we present a system called VMhuko that protects the kernel data.

Page 5:

Rootkit defense overview

Generally, kernel data can be divided into two types:

1. control data
2. non-control data

Rootkits can hijack kernel control flow by modifying control data and redirecting it to perform malicious actions.

Non-control data attacks are difficult to find because they don't change the control flow.

Direct Kernel Object Manipulation (DKOM) is a well-known technique by which rootkits hide malicious objects.

System performance becomes progressively worse under non-control data attacks.

To combat rootkits, all critical kernel data accesses should be checked and interpreted using operating system knowledge.

Page 6:

Access control model for kernel data protection

Kernel-level software has full access to kernel components; to prevent corruption it is necessary to monitor kernel module execution.

Kernel module execution is modeled at the machine instruction level, since low-level instructions access memory and the CPU directly.

A kernel module execution can be defined as the process of updating memory and CPU state.

To represent kernel module execution we define a transition function

where ‘I’ is the set of all possible instructions and ‘Im ⊆ I’ the set of instructions belonging to the kernel module;

‘M’ and ‘C’ are the sets of all possible memory states and CPU states, and ‘Mp ⊆ M’, ‘Cp ⊆ C’ the sets of memory states and CPU states related to system security.

Page 7:

Mp and Cp are the important system resources and services accessed by a loadable kernel module.

There are two types of objects:

1. kernel objects
2. hardware objects

The access control monitor mediates every memory and CPU state update of Mp and Cp.

Our security policy forbids Im from accessing Mp and Cp directly; instead, the kernel module interacts with the rest of the kernel via functions.
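As an added example (not VMhuko's code), the following toy model shows the access-control rule of pages 6 and 7 in executable form: a transition function over (memory state, CPU state) in which instructions from the module (Im) may not read or write the protected sets Mp and Cp directly, but may influence them by calling kernel functions. The addresses, register names and the two kernel functions are constructed for illustration.

```python
# Added example: a toy model of the VMhuko access-control policy (pages 6-7).
# Not the paper's code; addresses, registers and kernel functions are constructed.

# Mp: memory locations holding security-critical kernel objects (constructed)
PROTECTED_MEM = {0x1000, 0x1008}
# Cp: security-critical CPU state (constructed)
PROTECTED_CPU = {"cr3", "idtr"}


# Kernel functions through which a module may influence Mp/Cp (constructed).
# They run as trusted kernel code and perform the update themselves.
def _set_cr3(state, value):
    state["cpu"]["cr3"] = value


def _set_acl(state, value):
    state["mem"][0x1000] = value


KERNEL_API = {"set_cr3": _set_cr3, "set_acl": _set_acl}


def initial_state():
    """Memory state M and CPU state C (constructed)."""
    return {"mem": {0x1000: 0, 0x1008: 0, 0x2000: 0},
            "cpu": {"cr3": 0, "idtr": 0, "rax": 0}}


def step(state, instr):
    """Transition function: apply one instruction to (M, C) under the monitor.

    instr = (origin, op, target, value)
      origin: "module" (an instruction in Im) or "kernel" (core kernel code)
      op:     "read" / "write" of a memory address or CPU register, or
              "call" of a kernel function by name
    Returns ("allowed", result) or ("denied", reason); the state changes
    only when the access is allowed.
    """
    origin, op, target, value = instr
    protected = target in PROTECTED_MEM or target in PROTECTED_CPU

    if op == "call":
        # Im may change Mp/Cp only through the kernel's own functions.
        if target not in KERNEL_API:
            return ("denied", "unknown kernel function %s" % target)
        KERNEL_API[target](state, value)
        return ("allowed", None)

    if origin == "module" and protected:
        # Direct read/write of Mp/Cp by module instructions is mediated and refused.
        return ("denied", "direct %s of protected state %r from module" % (op, target))

    space = state["mem"] if isinstance(target, int) else state["cpu"]
    if op == "read":
        return ("allowed", space.get(target))
    if op == "write":
        space[target] = value
        return ("allowed", None)
    return ("denied", "unknown op %s" % op)


def run(program):
    """Execute a constructed instruction sequence; return the final state and the verdicts."""
    state = initial_state()
    verdicts = [step(state, instr)[0] for instr in program]
    return state, verdicts
```

The same module write to 0x1000 is refused when issued directly but succeeds when routed through set_acl, which is exactly the distinction the policy draws between Im touching Mp and Im calling into the kernel.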

Page 8:

Architecture of VMHUKO

VMhuko is designed to provide a real-time protection mechanism for an OS that is vulnerable to kernel-level attack.

The VMhuko architecture has three parts:

1. Security VM
2. Guest VM
3. VMM

VMhuko has four components:

a. Enforcer
b. Memory Monitor
c. Security Policy
d. Controller

Page 9:

a. Enforcer

This is the key component of VMhuko; it analyzes unauthorized kernel data accesses and takes the corresponding action.

It has three modules:

1. Analyzer
2. Intrusion Counter
3. Instruction Emulator

Page 10:

b. Memory monitor

This component captures unauthorized data accesses and sends them to the Enforcer.

VMhuko actively monitors data access by making full use of the hardware page fault mechanism and of source code knowledge about kernel data access.

VMhuko uses a technique called “shadow paging”, which maintains two versions of the page tables:

1. guest page tables (GPTs), controlled by the guest OS;
2. shadow page tables (SPTs), controlled by the VMM.

Identifying static kernel objects is easy, but identifying dynamic kernel objects is a challenge.

VMhuko's approach is based on a key observation: all dynamic data must be reachable from global kernel data objects.

We mark the pointer-valued fields of global variables as protected areas. When any of these areas is accessed, the access traps into the VMM, and VMhuko reconstructs the kernel object pointed to by the pointer-valued field.
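As an added example (not VMhuko's code), the following walker shows the key observation above in practice: starting from the global roots, it follows pointer-valued fields through a constructed little-endian memory image, reconstructs every dynamic object it reaches, and records the pointer fields that have to be marked as protected areas. The type layouts (a two-field `task` with `next` and `cred` pointers, and a `cred`), the global `init_task` and the memory contents are all constructed for illustration.

```python
# Added example: reconstructing dynamic kernel objects from the pointer-valued
# fields of global objects (page 10). Not the paper's code; the type layouts,
# symbol table and memory image are constructed.
import struct

BASE = 0x1000
MEM = bytearray(0x300)  # constructed guest memory image covering [0x1000, 0x1300)

# Type layouts: field -> (offset, struct format, pointee type or None)  (constructed)
TYPES = {
    "task": {"pid": (0, "<I", None), "next": (8, "<Q", "task"), "cred": (16, "<Q", "cred")},
    "cred": {"uid": (0, "<I", None)},
}
# Global kernel objects: symbol -> (address, type)  (constructed)
GLOBALS = {"init_task": (0x1000, "task")}


def write_struct(addr, typ, **fields):
    """Populate the constructed image with one object."""
    for name, value in fields.items():
        off, fmt, _ = TYPES[typ][name]
        struct.pack_into(fmt, MEM, addr - BASE + off, value)


def read_field(addr, typ, name):
    off, fmt, _ = TYPES[typ][name]
    return struct.unpack_from(fmt, MEM, addr - BASE + off)[0]


# Constructed image: two tasks in a circular list, each with its own cred object.
write_struct(0x1000, "task", pid=1, next=0x1100, cred=0x1200)
write_struct(0x1100, "task", pid=42, next=0x1000, cred=0x1208)
write_struct(0x1200, "cred", uid=0)
write_struct(0x1208, "cred", uid=1000)


def reconstruct():
    """Walk pointer-valued fields from the global roots.

    Returns (objects, protected): objects maps object address -> type for every
    dynamic object reached; protected is the set of (address, size) of the
    pointer fields whose access must trap into the VMM.
    """
    objects, protected = {}, set()
    work = list(GLOBALS.values())
    while work:
        addr, typ = work.pop()
        if addr in objects:  # cycle (e.g. the circular task list): already done
            continue
        objects[addr] = typ
        for name, (off, fmt, pointee) in TYPES[typ].items():
            if pointee is None:
                continue
            protected.add((addr + off, struct.calcsize(fmt)))
            target = read_field(addr, typ, name)
            if target:  # a NULL pointer leads nowhere
                work.append((target, pointee))
    return objects, protected


def hits_protected(protected, addr, size=1):
    """True if an access of `size` bytes at `addr` overlaps any protected pointer field."""
    return any(p <= addr < p + n or addr <= p < addr + size for p, n in protected)
```

Only objects reachable from a global root are reconstructed; an object that a rootkit has unlinked from every such path (the DKOM case from page 5) is, by construction, not on the walk, which is why the page treats reachability from globals as the defining property of legitimate dynamic data.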

Page 11:

c. Security Policy

Our protection model has every attempted read and write of security-critical data checked for validity in the VMM, which then takes the appropriate action according to the policy.

Im can access Mp and Cp directly via read and write instructions, and Im can influence the important states of Mp and Cp through call operations.

VMhuko's kernel policy covers:

1. static kernel objects, which are fixed when the kernel is built;
2. dynamic kernel objects, which can only be determined at run time.

Page 12:

d. Controller

The Controller provides an interface through which administrators communicate with the VMM. The VMM provides a hypercall through which the Controller transfers information to it. When the VMM detects an attack, it notifies the Controller of all the related information, including the attack operation and the response results. Our system creates the communication channel via shared memory.

Page 13:

Implementation

We will implement the VMhuko prototype using Xen 3.4.1 as the VMM, Ubuntu 8.04 in the Security VM and CentOS in the Guest VM, in Hardware Virtual Machine (HVM) mode so that the guest can be executed without modification.

The implementation has four components:

a. Memory access mediation
b. Instruction Emulation
c. Policy
d. Controller

Page 14:

a. Memory access mediation

Mediating memory access is the key issue for our system. We identify the pages that need to be protected and set their page flag to Not-Writable or Not-Present, according to the Policy. If the flag is set to Not-Writable, we can trap write accesses. If the flag is set to Not-Present, we can trap both read and write accesses. Any code that tries to access these pages causes a page fault.


Page 16:

b. Instruction Emulation

VMhuko needs to handle the normal access action. The operating system must not become aware of the special page fault: execution should proceed as it would without the VMM. Implementation details for the instruction emulation are as follows:

Page 17:

We use hvm_emulate_prepare to prepare the emulation environment, and hvm_emulate_one to perform the instruction emulation.

The emulation component cannot handle all faulting instructions; only a few special instructions have to be executed on the real hardware instead.

This limitation did not affect the system's defense in our experiment.
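As an added example (not VMhuko's code and not Xen's hvm_emulate_* API), the following toy model ties pages 14, 16 and 17 together: a shadow page table whose Not-Writable flag traps only writes and whose Not-Present flag traps reads and writes, and an enforcer that, on each trap, consults the policy and either emulates the access on the guest's behalf (so the guest never observes the fault) or blocks it and counts an intrusion. The page numbers, memory contents and the "only core kernel code may touch protected pages" policy are constructed for illustration.

```python
# Added example: page-flag mediation (page 14) plus the trap / check / emulate
# cycle (pages 16-17). Not the paper's or Xen's code; the pages, memory
# contents and policy are constructed.

PAGE_SIZE = 0x1000
NOT_WRITABLE, NOT_PRESENT = "NW", "NP"


class PageFault(Exception):
    """Raised when a guest access hits a page whose shadow entry forces a trap."""
    def __init__(self, addr, kind, value):
        super().__init__("#PF on %s at %#x" % (kind, addr))
        self.addr, self.kind, self.value = addr, kind, value


class ShadowPageTable:
    """Model of the SPT controlled by the VMM; flags make protected pages fault."""
    def __init__(self):
        self.flags = {}   # page number -> NW or NP
        self.mem = {}     # address -> value (constructed guest memory)

    def protect(self, page_no, flag):
        self.flags[page_no] = flag

    def access(self, addr, kind, value=None):
        flag = self.flags.get(addr // PAGE_SIZE)
        # Not-Writable traps writes only; Not-Present traps reads and writes.
        if flag == NOT_PRESENT or (flag == NOT_WRITABLE and kind == "write"):
            raise PageFault(addr, kind, value)
        return self.raw_access(addr, kind, value)

    def raw_access(self, addr, kind, value=None):
        """The access itself, bypassing the trap; used by the emulator."""
        if kind == "write":
            self.mem[addr] = value
            return None
        return self.mem.get(addr, 0)


class Enforcer:
    """Analyzer, intrusion counter and instruction emulator for trapped accesses."""
    def __init__(self, spt, policy):
        self.spt, self.policy = spt, policy
        self.intrusions = []   # (origin, kind, addr) of every blocked access

    def handle_fault(self, fault, origin):
        if self.policy(origin, fault.addr, fault.kind):
            # Authorized: emulate the access so the guest never sees the fault.
            return ("emulated", self.spt.raw_access(fault.addr, fault.kind, fault.value))
        self.intrusions.append((origin, fault.kind, fault.addr))
        return ("blocked", None)


def guest_access(spt, enforcer, origin, addr, kind, value=None):
    """One guest memory access issued by code of the given origin ("kernel" or "module")."""
    try:
        return ("direct", spt.access(addr, kind, value))
    except PageFault as pf:
        return enforcer.handle_fault(pf, origin)


def only_kernel(origin, addr, kind):
    """Constructed policy: only core kernel code may touch protected pages."""
    return origin == "kernel"


def demo():
    spt = ShadowPageTable()
    spt.protect(1, NOT_WRITABLE)   # page 1: write-protected (constructed)
    spt.protect(2, NOT_PRESENT)    # page 2: read- and write-protected (constructed)
    spt.mem[0x1000] = 0xAA
    spt.mem[0x2000] = 0xBB
    enf = Enforcer(spt, only_kernel)
    results = [
        guest_access(spt, enf, "module", 0x1000, "read"),       # ("direct", 0xAA): NW lets reads through
        guest_access(spt, enf, "module", 0x1000, "write", 1),   # ("blocked", None)
        guest_access(spt, enf, "kernel", 0x1000, "write", 2),   # ("emulated", None)
        guest_access(spt, enf, "module", 0x2000, "read"),       # ("blocked", None): NP traps reads too
        guest_access(spt, enf, "kernel", 0x2000, "read"),       # ("emulated", 0xBB)
        guest_access(spt, enf, "module", 0x3000, "write", 3),   # ("direct", None): unprotected page
    ]
    return results, spt.mem[0x1000], len(enf.intrusions)
```

The choice between the two flags is a cost trade-off the page leaves implicit: Not-Writable is cheaper because legitimate reads of the page never leave the guest, while Not-Present is needed wherever a read by unauthorized code is itself the threat.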

Page 18:

c. Policy

Kernel rootkit defense techniques depend on the policy. The set of policies is defined based on the access control model over kernel objects. Some specific access control policies cover both static and dynamic objects.

Page 19:

d. Controller

The Controller resides in the Security VM. The basic process is implemented as follows:

1. We use xc_evtchn_open to open the event channel in user space.
2. We use alloc_xenheap_pages to allocate the shared memory in the VMM.
3. We map it into the Controller using xc_map_foreign_range.

Page 20:

Conclusion and Related work

VMhuko is a system that can detect and prevent both static and dynamic kernel data attacks.

The system is effective at protecting the OS kernel, and the computational overhead is affordable.

In the future, we will explore methods to reduce the system's performance overhead.

With the help of expert knowledge, we can split kernel data structures into

1. a non-security part
2. a security part

which are then centralized in dedicated pages. Putting the enforcement in the VMM will be a better choice.

Page 21:

References

1. J. Rhee, R. Riley, D. Xu and X. Jiang, “Detecting Dynamic Data Kernel Rootkit Attacks via VMM-based Guest-Transparent Monitoring”.
2. B. D. Payne, M. Carbone, M. Sharif and W. Lee, “An Architecture for Secure Active Monitoring Using Virtualization”.
3. www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf
4. R. Riley, X. Jiang and D. Xu, “Guest-Transparent Prevention of Kernel Rootkits with VMM-based Memory Shadowing”.
5. P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauer, I. Pratt and A. Warfield, “Xen and the Art of Virtualization”.

Page 22:

QUERIES ??