ether: malware analysis via hardware virtualization extensions author: artem dinaburg, paul royal,...
Post on 31-Dec-2015
222 Views
Preview:
TRANSCRIPT
Ether: Malware Analysis viaEther: Malware Analysis viaHardware Virtualization ExtensionsHardware Virtualization Extensions
Ether: Malware Analysis viaEther: Malware Analysis viaHardware Virtualization ExtensionsHardware Virtualization Extensions
Author: Artem Dinaburg, Paul Royal, Monirul Author: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke LeeSharif, Wenke Lee
Presenter: Yi YangPresenter: Yi Yang
1
Agenda● Motivation
● Transparency Requirements
● Ether Framework
● Experiments and Evaluation
●Conclusion
2
Motivation• Malware Definition: short for malicious
software, is software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
• Malware Categories: computer viruses, worms, trojan horses, rootkits, spyware, adware, rogue security software, and other malicious programs.
• Malware Problem: Malware has become the centerpiece of most security threats on the Internet
3
Malware Analysis• There is a profound need to understand
malware behavior:• -Forensics and Asset Remediation• -Threat Analysis• Malware authors make analysis very
challenging• Direct financial motivation• Focal point of malware analysis: how to detect
versus ,how to hide a malware analyzer from malware during runtime
4
Two Types of Malware Analysis
• Static Analysis• What a program would do • Complete view of program behavior • Requires accurate disassembly of x86 machine
code • Often impossible to do in practice• Dynamic Analysis• Shows what a program actually did when
executed • Only gives a partial view of program behavior • Question: How do you hide your analyzer?
5
The Malware Uncertainty Principle
• An important practical problem • Observer affecting the observed
environment • Robust and detailed analyzers are typically
invasive • Malware will refuse to run
6
Solving Malware Uncertainty Principle
• An analyzer’s aim should be transparent. • – Defining transparency • The execution of the malware and the
malware analyzer is governed by the principle of non-interference.
7
Transparency Requirements• Higher Privilege • No non-privileged side effects • Same instruction execution semantics • Transparent exception handling • Identical notion of time
8
Fulfilling Transparency Requirements
• Reduced Privilege Guests (VMWare, etc)• – Non-privileged side effects• Emulation (full system emulator:QEMU) • – Instruction execution semantics• Idea: Use hardware assisted virtualization • Poses complex analysis challenges
9
Ether Framework
• Software that can utilize hardware virtualization extensions: Xen hypervisor
• Hardware virtualization platform: Intel VT• Target operating system :Windows XP
10
Intel VT hardware Virtualization Extensions
11
Architecture of Ether
12
Using Intel VT for Malware Analysis
• Ether should be able to monitor some instructions
• Instructions executed by a guest process, any memory writes a guest process performs, and any system calls a guest process makes.
• Intel VT extensions do not provide support for these monitoring activities
13
Monitoring Activities
• Monitoring Instruction Execution• Monitoring Memory Writes• Monitoring System Call Execution
14
Maintaining Analyzer Transparency
• Despite making several modifications to the guest, Ether maintains transparency of the analyzer by ensuring such changes are undetectable
15
Potential Attacks• While theoretically resilient against in-guest
detection attacks, current architectural restrictions make some of these attacks possible
• Ether is vulnerable to a class of timing attacks using external timing sources
• Detection methods :• In-Memory Presence• CPU Registers• Memory Protection• Privileged Instruction Handling• Instruction Emulation• Timing Attacks
16
Potential Attacks• While theoretically resilient against in-guest
detection attacks, current architectural restrictions make some of these attacks possible
• Ether is vulnerable to a class of timing attacks using external timing sources
• Detection methods :• In-Memory Presence• CPU Registers• Memory Protection• Privileged Instruction Handling• Instruction Emulation• Timing Attacks
17
Architectural Limitation• Intel VT suffers from some architectural
limitations which may allow Ether to be detected under certain circumstances.
• Different hardware virtualization extensions exist that do not suffer from such limitations.
• Intel VT suffers from two main flaws which allow the current implementation to be detected by observing implicit changes to the memory hierarchy:
• Intel flushed the TLB on every VMExit;• Paging mode must be turned on before
entering VMX Root code.
18
Experiments and Evaluation
• Two tools based on Ether: EtherUnpack and EtherTrace.
• EtherUnpack traces memory writes and single instructions (i.e., fine-grained tracing)
• EtherTrace traces system calls (i.e., coarse-grained tracing).
• Using these tools to evaluate Ether and compare
• it against current approaches.
19
Experiments and Evaluation
• Two tools based on Ether: EtherUnpack and EtherTrace.
• EtherUnpack traces memory writes and single instructions (i.e., fine-grained tracing)
• EtherTrace traces system calls (i.e., coarse-grained tracing).
• Using these tools to evaluate Ether and compare
• it against current approaches.
20
Packing vs Unpacking• Packing is a term used to describe the
obfuscation and encryption of program code to thwart static analysis.
• The result of packing is that signature-based approaches fail to identify packed malware as malicious.
• Opposite to packers, unpackers are programs which attempt to obtain the original code hidden by the packer.
21
About EtherUnpack
22
About EtherUnpack• Precision universal automated unpacker• Uses instruction-by-instruction tracing (fine
grained tracing) to detect unpack execute behavior
• If code written is later executed, unpack execution occurred
• Able to handle multiple packing layers • Dumps unpacked memory images to disk
23
Evaluation: EtherUnpack
• Looked for a 32 byte string present in the original code section
• Not a random string
24
Evaluation: EtherUnpack
• Ether is more transparent
25
About EtherTrace• An implementation of a coarse grained tracer
using the Ether framework• Traces the Windows equivalent of system calls
(Native API)• Information Provided: • – Call name • – Typed arguments • – Return values • – Context (Process ID, Thread ID)
26
Evaluation: EtherTrace
• Examine trace logs for expected actions • – File • – Registry
27
Evaluation: EtherTrace
• Ether is more transparent
28
Conclusion• Ether, a transparent and external malware
analyzer that is based on hardware virtualization extensions such as Intel VT.
• Ether is an implementation of a different approach
• Evaluation confirms Ether is more transparent • Theoretically, can do better:• improving resistance to timing attacks and
memory hierarchy detection attacks.
29
Reference• http://ether.gtisc.gatech.edu/
30
Questions?
31
top related