Post on 10-Sep-2018


Desnos Anthony (ESIEA SI&S)

Filiol Éric (ESIEA (v+c)^o)

Detection of an HVM rootkit (aka BluePill-like)


● Rootkit

– Userland

– Kernel land


● Userland

– Replace binaries

– Patch on the fly

– Syscall proxy

– Remote userland execve


● Kernel land

– Hooks in the text section

– Hooks in data (structures)

– No hook at all!


● HVM (Hardware-based Virtual Machine) rootkit

– Uses hardware virtualization

– Runs at "ring -1", below the kernel

– Full control over the host


● Virtualization

– AMD: SVM

– Intel: VMX


● SVM

– Quick switch from host to guest

– Interception of instructions or guest events

– DMA access protection: EAP (External Access Protection)

– Tagged TLB (no flush when switching between the hypervisor and the virtual machines)


● HVM rootkit

– "Switches the running operating system into a virtual machine"

● All classic time sources can be intercepted (RDTSC, I/O, ...)

● All user actions are visible to it


● BluePill

– The first, and so far the only, public HVM rootkit

– Released in 2006 (Vista 64-bit, AMD) by Joanna Rutkowska

– Latest version 0.32 (AMD + Intel), ~10,000 lines


● Controversy

– Security buzz

● Advertised as "the end of the world", an "undetectable rootkit"

● "Tout va bien madame la marquise" ("everything is fine, Madame la Marquise", i.e. nothing to worry about)

● Is detecting a hypervisor the same problem as detecting an HVM rootkit?


● Solutions:

– Timing attack

– Pattern matching

– TLB

– DMA / FireWire

– CPU bugs


● Analysis

– No hook, and no persistence: nothing survives a reboot

– Loading of BluePill:

● like a driver

– Vista driver signing: press F8 during boot to disable signature enforcement

● via a memory device

● via a kernel bug


● Analysis

– Interceptions:

● vmrun, vmload, vmsave

● MSRs: EFER, VM_HSAVE_PA, TSC

● clgi, stgi

● SMM

● Debug

● cpuid, rdtsc, rdtscp


● Protections

– Against rdtsc

– Blue Chicken (the hypervisor unloads itself temporarily when it suspects a timing measurement is in progress)


● No viral payload?!

– Simple hypervisor

– "HVM rootkit" PoC

● Why?


● Why?

– No hook on the system

– Filtering I/O

● Time!


● Detection techniques

– Memory fingerprint

● Uses the classic memory allocator

● The rootkit can bypass it


● Detection techniques

– Timing attack

● Impossible with local time sources (the rootkit is already there and intercepts them!)

● External sources?

– NTP

– Counter


● Counter (original idea from Barbosa)

– Needs no information from the rootkit and no time source

– 2 threads in kernel land:

● one calling an intercepted instruction

● one incrementing a variable

– Each thread pinned to its own CPU

– Drawbacks:

● needs a processor with >= 2 CPUs (cores)

● variable CPU frequency


● Without BluePill:

– Average: 30 increments per intercepted instruction

● With BluePill:

– Average: 330 increments per intercepted instruction

● "HVM rootkit" PoC: x10!

● Useful rootkit!
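The two-thread counter described on the "Counter (original idea from Barbosa)" slide, rebuilt as an added userland example so the 30-versus-330 figures above can be reproduced; this is not the authors' kernel code. It assumes CPUID as the intercepted instruction (every VMX/SVM hypervisor must trap it), CPUs 0 and 1 for the two threads, the x10 factor from the results slide as the decision threshold, and the authors' figure of 30 as a default baseline that is only meaningful on comparable hardware. For contrast with the timing attack the slides call impossible, an RDTSC-based measurement of the same probe is included: that one reads a clock the rootkit intercepts, while the counter does not.

```c
/* Counter-based HVM detection after the two-thread idea credited to Barbosa:
 * thread A spins on one CPU incrementing a shared counter while thread B, on
 * another CPU, executes CPUID N times. CPUID is among the intercepted
 * instructions (a VM exit each time under VMX/SVM), and the increments seen
 * per CPUID are a clock the hypervisor cannot adjust, unlike RDTSC. */
#define _GNU_SOURCE
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
static void probe_instruction(void) { unsigned a, b, c, d; __cpuid(0, a, b, c, d); }
static uint64_t timestamp(void) { return __rdtsc(); }
#else /* assumption: a non-x86 build only keeps compiling; nothing is intercepted */
static void probe_instruction(void) { __asm__ volatile("" ::: "memory"); }
static uint64_t timestamp(void) { return 0; }
#endif

static atomic_ulong counter;
static atomic_int counter_ready, stop;
struct probe_cfg { int cpu; unsigned long probes; unsigned long increments_seen; };

static void pin_to_cpu(int cpu) {
#if defined(__linux__) && defined(CPU_SET)
    cpu_set_t set;
    CPU_ZERO(&set);
    CPU_SET(cpu, &set);
    sched_setaffinity(0, sizeof set, &set); /* best effort; 1 CPU = no isolation */
#else
    (void)cpu;
#endif
}

static void *counter_thread(void *arg) {
    pin_to_cpu(*(int *)arg);
    atomic_store(&counter_ready, 1);
    while (!atomic_load_explicit(&stop, memory_order_relaxed))
        atomic_fetch_add_explicit(&counter, 1, memory_order_relaxed);
    return NULL;
}

static void *probe_thread(void *arg) {
    struct probe_cfg *cfg = arg;
    pin_to_cpu(cfg->cpu);
    while (!atomic_load(&counter_ready)) ;  /* wait until the other CPU spins */
    unsigned long before = atomic_load(&counter);
    for (unsigned long i = 0; i < cfg->probes; i++)
        probe_instruction();
    cfg->increments_seen = atomic_load(&counter) - before;
    atomic_store(&stop, 1);
    return NULL;
}

/* Average increments per intercepted instruction (the slides: ~30 clean,
 * ~330 with BluePill). Returns -1.0 if a thread cannot be started. */
double increments_per_probe(unsigned long probes) {
    pthread_t tc, tp;
    int counter_cpu = 0;                       /* assumption: use CPUs 0 and 1 */
    struct probe_cfg cfg = { 1, probes, 0 };
    atomic_store(&counter, 0);
    atomic_store(&counter_ready, 0);
    atomic_store(&stop, 0);
    if (pthread_create(&tc, NULL, counter_thread, &counter_cpu) != 0)
        return -1.0;
    if (pthread_create(&tp, NULL, probe_thread, &cfg) != 0) {
        atomic_store(&stop, 1);
        pthread_join(tc, NULL);
        return -1.0;
    }
    pthread_join(tp, NULL);
    pthread_join(tc, NULL);
    return (double)cfg.increments_seen / (double)probes;
}

/* The local-time-source timing attack the slides call impossible: RDTSC around
 * the probes. A rootkit that intercepts RDTSC can hide the VM-exit cost. */
double cycles_per_probe_rdtsc(unsigned long probes) {
    uint64_t t0 = timestamp();
    for (unsigned long i = 0; i < probes; i++)
        probe_instruction();
    return (double)(timestamp() - t0) / (double)probes;
}

/* Decision rule from the results slide (the PoC cost ten times the clean
 * baseline): flag when measured >= factor * baseline. */
int hypervisor_suspected(double baseline, double measured, double factor) {
    return baseline > 0.0 && measured >= factor * baseline;
}

int main(int argc, char **argv) {
    /* Default baseline is the slides' figure; pass your own clean-machine value. */
    double baseline = argc > 1 ? atof(argv[1]) : 30.0;
    double counted = increments_per_probe(100000);
    printf("counter: %.1f increments/CPUID, rdtsc: %.1f cycles/CPUID\n",
           counted, cycles_per_probe_rdtsc(100000));
    puts(hypervisor_suspected(baseline, counted, 10.0) ? "verdict: hypervisor suspected"
                                                        : "verdict: no hypervisor detected");
    return 0;
}
```

Both drawbacks from the slide show up directly: on a single-core machine the pin fails and the two threads time-share one core, so the counter stops being an independent clock, and with frequency scaling the baseline drifts between runs, which is why the baseline must be measured on the same hardware rather than taken from the slides.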


● Conclusion:

– No rootkit is really undetectable

– The opposite is also true: no detection is foolproof


● Conclusion

– Stay away from the security buzz

– Protection?

● Disable virtualization in the BIOS

● A physical key to enable virtualization: impossible to reach from software!

● A protective hypervisor (occupy ring -1 first)
