Virtual-machine based rootkit (VMBR)

2006 IEEE Symposium on Security and Privacy (S&P)
SubVirt: Implementing malware
with virtual machines
14 pages, cited: 163
Samuel T. King, Peter M. Chen
(University of Michigan)
Yi-Min Wang, Chad Verbowski, Helen J. Wang,
and Jacob R. Lorch (Microsoft Research)
By Mike Hsiao, 20100423
• Introduction
• Virtual machines
• Virtual-machine based rootkit design and
• Evaluation
• Defending against virtual-machine based rootkits
• Related work
• Conclusions
• New type of malware
– Virtual-machine based rootkit (VMBR) installs a VM
monitor underneath an existing operating system and
hoists the original operating system into a virtual
• rootkit: tools used to hide malicious activities
– VMBR are hard to detect and remove because their
state cannot be accessed by software running in the
target system.
– Further, VMBRs support general-purpose malicious
services by allowing such services to run in a separate
operating system
Introduction (cont’d)
• A major goal of malware writers is control.
– Controlling the system allows malware to remain
invisible by lying to or disabling intrusion detection
– Lower layers can control upper layers.
– If the defender’s security service occupies a lower
layer than the malware, then that security service
should be able to detect, contain, and remove the
• E.g., ps, kernel-level rootkit, check the integrity of the kernel
ds, hide/check memory footprint,
Virtual machines
• A virtual-machine monitor (VMM) manages the
resources of the underlying hardware and
provides an abstraction of one or more virtual
– Multiplexing computer’s hardware
– Isolate all resources of each virtual computer
– VM services are implemented outside the guest they
are serving in order to avoid perturbing the guest.
Virtual machines (cont’d)
• VM services
– debug operating systems and system configurations
– migrate live machines
– detect or prevent intrusions
• Software running outside of a VM views low-level VM state
such as disk blocks, network packets, and memory.
• Software inside the VM interprets this state as high-level
abstractions such as files, TCP connections, and variables.
• It is called the semantic gap. Virtual-machine introspection
(VMI) [18, 27] describes techniques that enables a VM
service to understand and modify states and events within
the guest.
[18] T. Garfinkel and M. Rosenblum, “A Virtual Machine Introspection Based Architecture for
Intrusion Detection,” in proc. NDSS, 2003.
[27] A. Joshi, S. T. King, G. W. Dunlap, and P. M. Chen, “Detecting past and present intrusions
through vulnerability-specific predicates,” in proc. SOSP, 2005.
Virtual-machine based rootkit design
and implementation
• 3.1 describes how a VMBR is installed on an existing system.
• 3.2 describes the techniques VMBRs use to implement malicious
services, and
• 3.3 discusses the example malicious services we implemented.
• 3.4 explains how VMBRs maintain control over the system.
• They implemented two proof-of-concept VMBRs for the x86
platform using Virtual PC and VMware Workstation VMMs.
– The Virtual PC VMBR uses a minimized version of Windows XP for the
host OS and the VMware VMBR uses Gentoo Linux.
– They modify the host Windows XP kernel, Virtual PC, and the host
Linux kernel. (They don’t have VMware source code.)
• To insert itself beneath an existing system, a VMBR manipulate the system
boot sequence to ensure that the VMBR loads before the target OS.
– After the VMBR loads, it boots the target OS using the VMM. As a result, the
target OS runs normally, but the VMBR sits silently beneath it.
Installation (cont’d)
Original Boot sequence
Boot sequence
Installation (cont’d)
• To install a VMBR on a computer, an attacker
must first gain access to the system with
sufficient privileges to modify the system boot
exploit a remote vulnerability
fool a user into installing malicious software
bribe an OEM or vendor
corrupt a bootable CDROM or DVD image on P2P
• Install the VMBR’s state on persistent storage
– unused blocks elsewhere on the disk (Windows)
– Disable swapping and use the swap partition (Linux)
Installation (cont’d)
• Modify the system’s boot sequence to ensure our
VMBR loads before the target OS
– modify the boot records on the primary hard disk
– But, anti-malware applications detect modifications to the
hard disk’s boot blocks.
– But, the author manipulate the boot blocks during the final
stages of shutdown (after most processes and kernel
subsystems have exited).
• Windows XP: registers a LastChanceShutdown Notification
event handler
– They use the low-level disk driver to copy our VMBR boot code (to bypass
the file system layer).
• Linux: modify the boot sequence using user-mode code
– They modify the shutdown scripts so that our installation code runs after
all processes have been killed but before the system shuts down.
Malicious services
• VMBRs use a separate attack OS to deploy malware that is invisible
from the perspective of the target OS but is still easy to implement.
• Three categories (malicious services)
– those that need not interact with the target system at all
• E.g., spam relays, DDoS zombies, phishing web servers
– those that observe information about the target system
• VMBRs can use virtual-machine introspection to help observe and understand
the software-level abstractions in the target OS and applications.
• Not affect the virtual devices presented to the target OS.
• E.g., VMBRs enable logging of hardware-level data (e.g., keystrokes, packets)
• E.g., if a target application uses an encrypted socket, attackers can use virtualmachine introspection to trap all SSL socket write calls and log the clear-text
data before it is encrypted.
– those that intentionally perturb the execution of the target system
• The third class of malicious service deliberately modifies the execution of the
target system.
• A VMBR can customize the VMM’s device emulation layer to modify hardwarelevel data.
Example malicious services
• The author implemented
– a phishing web server,
• in another VM
– a keystroke logger,
• in the VMM keyboard control module
– a service that scans the target file system looking for
sensitive files, and
• use VM introspection to scan the target OS’s file system to
copy the password file
– a defense countermeasure that defeats a current
virtual-machine detector.
• redpill [39]
[39] J. Rutkowska. Red Pill... or how to detect VMM using (almost) one CPU instruction, 2005.
Maintaining control
• To avoid being removed, a VMBR must protect its state by
maintaining control of the system.
– The only time the VMBR loses control of the system is in the
period of time after the system powers up until the VMBR starts.
• The first code is BIOS.
– By restarting the virtual hardware, VMBRs provide the illusion of
resetting the underlying physical hardware without relinquishing
– VMBRs can also emulate system shutdowns such that the
system appears to shutdown, but the VMBR remains running on
the system.
• We use ACPI sleep states to emulate system shutdowns and to avoid
system power-downs.
• When the user “powers-up” the system by pressing the power button
the VMBR resumes. (powers-off only suspends the VMBR)
• VMware-based VMBR
– Run on a Dell Optiplex Workstation with a 2.8 GHz
Pentium 4 and 1 GB of RAM
– compromises a RedHat Enterprise Linux 4 target
– VMBR image 228/95 MB (un-/uncompressed)
• Virtual PC-based VMBR
– a Compaq Deskpro EN with a 1 GHz Pentium 4 and
256 MB of RAM
– compromises a Windows XP target system
– VMBR image 251/106 MB (un-/uncompressed)
Evaluation – installation/boot time (sec)
Actual memory usage is 3% for the extra VMM.
Defending against virtual-machine
based rootkits
• Security software below the VMBR
– Such detection software can read physical memory or disk
and look for signatures or anomalies that indicate the
presence of a VMBR.
– Other low-level techniques such as secure boot can ensure
the integrity of the boot sequence and prevent a VMBR
from gaining control before the target OS.
• Intel’s LaGrande [25], AMD’s platform for trustworthy computing
[2], and Copilot [36].
– Boot from a safe medium such as a CD-ROM, USB drive or
network boot server
– Use a secure VMM [17] (Terra)
• does not by itself stop a VMBR, but does retain control over the
Defending against virtual-machine
based rootkits (cont’d)
• Security software above the VMBR
– (CPU overhead) by comparing the running time of
benchmarks against wall-clock time
– (memory and disk space) extra paging activity may
increase the running time of the program
– (I/O devices) VMMs only emulate a small number
of virtual devices (often with customized
interfaces to improve performance)
– (x86 processor features) sidt
Related work
• Layer-below attacks
– operating system kernel
• Using virtual machines to enhance security
VMs to detect intrusions, analyze intrusions
isolate services
encrypt network traffic
implement honeypots
• Detect the presence of VMMs
• Inserting new software layers into existing systems
– A key feature of all these applications is that they preserve
compatibility with existing systems by not modifying interfaces
of the existing layers.
– E.g., file system, firewall
• Considering the characteristics of VM in security issues.
– VMM layer
– VM Image can be ”power on/off”
• Some people don’t like VM environment.
– How to detect that I’m in a VM?
– How do I know my host/VMM/VM/OS is secure?
– Can other vulnerable or hostile VM penetrate my VM?
• Auditing mechanisms (such as VMMs) are benefits or
harms for me?
• Provide better visibility!

similar documents