follow the whiterabbit towards consolidation of on the
play

Follow the WhiteRabbit: Towards Consolidation of On-the-Fly - PowerPoint PPT Presentation

Jan 25, 2024 •340 likes •548 views

Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine Introspection IFIP SEC 2018 Sergej Proskurin, 1 Julian Kirsch, 1 and Apostolis Zarras 2 1 Technical University of Munich 2 Maastricht University

  1. Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine Introspection IFIP SEC 2018 Sergej Proskurin, 1 Julian Kirsch, 1 and Apostolis Zarras 2 1 Technical University of Munich 2 Maastricht University 19.09.2018 S. Proskurin et al. IFIP SEC 2018 1 / 19

  2. “Follow the white rabbit.” — The Matrix S. Proskurin et al. IFIP SEC 2018 2 / 19

  3. “Follow the white rabbit.” — The Matrix bluepill redpill S. Proskurin et al. IFIP SEC 2018 2 / 19

  4. Introduction & Background Technical University ofMunich Modern Operating Systems (OSes) provide a large attack surface ▸ 334 system calls in Linux kernel v4.18 (excluding compatibility system calls for 32-bit) ▸ Malware can gain the same privileges as OSes → Bypass or disable security mechanisms Move security applications out of the OS [1]: ▸ Place security applications into a small environment with higher privileges → Employ system virtualization S. Proskurin et al. IFIP SEC 2018 3 / 19

  5. Introduction & Background Technical University ofMunich System Virtualization virtual ISA VMM ISA Hardware Some background on system virtualization: “x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of s****. [...] That’s all x86 virtualization is.” — An openbsd-misc email by Theo de Raadt S. Proskurin et al. IFIP SEC 2018 4 / 19

  6. Introduction & Background Technical University ofMunich System Virtualization VM 0 virtual ISA VMM ISA Hardware Some background on system virtualization: “x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of s****. [...] That’s all x86 virtualization is.” — An openbsd-misc email by Theo de Raadt S. Proskurin et al. IFIP SEC 2018 4 / 19

  7. Introduction & Background Technical University ofMunich System Virtualization VM 0 Applications OS virtual ISA VMM ISA Hardware Some background on system virtualization: “x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of s****. [...] That’s all x86 virtualization is.” — An openbsd-misc email by Theo de Raadt S. Proskurin et al. IFIP SEC 2018 4 / 19

  8. Introduction & Background Technical University ofMunich System Virtualization System virtualization employed for different purposes ▸ Malware detection [4] and analysis [2, 5] ▸ System integrity validation [6] Benefits of system virtualization ▸ Narrow attack surface ▸ Strong isolation capabilities ▸ Complete view over the VM’s state S. Proskurin et al. IFIP SEC 2018 5 / 19

  9. Introduction & Background Technical University ofMunich System Virtualization System virtualization employed for different purposes ▸ Malware detection [4] and analysis [2, 5] ▸ System integrity validation [6] Benefits of system virtualization ▸ Narrow attack surface ▸ Strong isolation capabilities ▸ Complete view over the VM’s state How can we analyze OS internals from the outside? Employ Virtual Machine Introspection (VMI) [4] techniques S. Proskurin et al. IFIP SEC 2018 5 / 19

  10. Introduction & Background Technical University ofMunich Virtual Machine Introspection & The Semantic Gap Virtual Machine Introspection [4] Excerpt of the OS binary state ▸ Analyze and manipulate the guest OS state 1 20 00 00 00 00 00 00 00 FF FF FF FF FF FF 00 00 2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 from the outside of the VM 3 00 80 54 0C 00 00 FF FF 02 00 00 00 00 01 40 00 4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ▸ Binary state of guest OSes needs interpretation 5 01 00 00 00 01 00 00 00 10 00 00 00 00 00 00 00 6 BA EC FE FF 00 00 00 00 80 CF 66 28 00 80 FF FF ▸ Map the binary state to OS data structures 7 [ . . . ] → Lack of semantic information The Semantic Gap problem [1] ▸ Use semantic information of the guest OS and virtual hardware to bridge the Semantic Gap [7] S. Proskurin et al. IFIP SEC 2018 6 / 19

  11. Introduction & Background Technical University ofMunich Virtual Machine Introspection & The Semantic Gap Virtual Machine Introspection [4] Excerpt of the OS binary state ▸ Analyze and manipulate the guest OS state 1 20 00 00 00 00 00 00 00 FF FF FF FF FF FF 00 00 2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 from the outside of the VM 3 00 80 54 0C 00 00 FF FF 02 00 00 00 00 01 40 00 4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ▸ Binary state of guest OSes needs interpretation 5 01 00 00 00 01 00 00 00 10 00 00 00 00 00 00 00 6 BA EC FE FF 00 00 00 00 80 CF 66 28 00 80 FF FF ▸ Map the binary state to OS data structures 7 [ . . . ] → Lack of semantic information task_struct thread_info state The Semantic Gap problem [1] stack ▸ Use semantic information of the guest OS and virtual hardware usage to bridge the Semantic Gap [7] ... S. Proskurin et al. IFIP SEC 2018 6 / 19

  12. Motivation Technical University ofMunich Conventional VMI frameworks ▸ Employ VMI-aware VMMs (Xen, KVM, etc.) Issue: Target systems must be explicitely set up for VMI before operation ▸ Increases the administrative overhead ▸ Constraints employment of VMI S. Proskurin et al. IFIP SEC 2018 7 / 19

  13. Motivation Technical University ofMunich Conventional VMI frameworks ▸ Employ VMI-aware VMMs (Xen, KVM, etc.) Issue: Target systems must be explicitely set up for VMI before operation ▸ Increases the administrative overhead ▸ Constraints employment of VMI Idea: Combine VMI along with on-the-fly virtualization → WhiteRabbit VMI framework for forensic analysis ▸ Based on the idea of the Blue Pill rootkit [9] ▸ Employs Intel VT-x and ARM virtualization extensions S. Proskurin et al. IFIP SEC 2018 7 / 19

  14. Goals Technical University ofMunich (1) Virtual Machine Monitor ▸ Take over control of a running Linux (idea not limited to any OS) (2) Hiding from (split-personality) malware in memory ▸ Employ Second Stage Address Translation (3) (Remote) Virtual Machine Introspection ▸ Expose LibVMI interface to local or remote applications S. Proskurin et al. IFIP SEC 2018 8 / 19

  15. Goal 1: WhiteRabbit VMM Technical University ofMunich VM 0 non-root ring3 Applications VMX 0 g Device OS n i driver r root VMX ring0 WhiteRabbit Hardware (x86-64) Microkernel architecture designed for on-the-fly virtualization S. Proskurin et al. IFIP SEC 2018 9 / 19

  16. Goal 1: WhiteRabbit VMM Technical University ofMunich VM 0 non-root ring3 Applications VMX 0 ring3 g Device OS I/O VMI Mem Mgt n i driver r root VMX ring0 WhiteRabbit Hardware (x86-64) Microkernel architecture designed for on-the-fly virtualization ▸ Subsystems placed in user space (ring 3 on Intel; EL0 on ARM) ▸ I/O drivers isolated from the guest ▸ Establish a secure communication channel ▸ Leverage unused I/O devices or hardware multiplexing (e.g., Intel VT-d, ARM SMMU) S. Proskurin et al. IFIP SEC 2018 9 / 19

  17. Goal 1: WhiteRabbit VMM Technical University ofMunich VM 0 non-root ring3 Applications VMX 0 ring3 g Device OS I/O VMI Mem Mgt n i driver r root VMX ring0 WhiteRabbit Hardware (x86-64) Microkernel architecture designed for on-the-fly virtualization ▸ Only essential functionality in ring 0 on Intel (VMX root) and EL2 on ARM ▸ Reduced size and complexity of the VMM ▸ Can be deployed in an OS-dependent or OS-independent way S. Proskurin et al. IFIP SEC 2018 9 / 19

  18. Goal 1: On-the-Fly Virtualization Technical University ofMunich A VMM distributes its tasks across [8] : ▸ Allocator ▸ Dispatcher ▸ Interpreter S. Proskurin et al. IFIP SEC 2018 10 / 19

  19. Goal 1: On-the-Fly Virtualization Technical University ofMunich The Allocator Applications OS Hardware The allocator moves a running OS into a virtual environment S. Proskurin et al. IFIP SEC 2018 11 / 19

  20. Goal 1: On-the-Fly Virtualization Technical University ofMunich The Allocator VM 0 Applications OS Applications OS WhiteRabbit Hardware Hardware The allocator moves a running OS into a virtual environment S. Proskurin et al. IFIP SEC 2018 11 / 19

Recommend

Driving and virtualizing control systems: the Open Source approach used in WhiteRabbit Javier

Driving and virtualizing control systems: the Open Source approach used in WhiteRabbit Javier

Driving and virtualizing control systems: the Open Source approach used in WhiteRabbit Javier Muoz Mellid & Samuel Iglesias Gonsalvez Academia-Industry Matching event on Technology of Controls for Accelerators and Detectors November 2013

462 views • 31 slides
Debt Consolidation Presenter: Esteban Arze Debt Consolidation Have you ever wondered if there

Debt Consolidation Presenter: Esteban Arze Debt Consolidation Have you ever wondered if there

Debt Consolidation Presenter: Esteban Arze Debt Consolidation Have you ever wondered if there is a connection between health and wealth? Better decisions Clarity Less stress Less medical bills Debt Consolidation American household debt

629 views • 23 slides
Objectives Follow Sets Explain the purpose of the follow set. Dr. Mattox Beckman Be able

Objectives Follow Sets Explain the purpose of the follow set. Dr. Mattox Beckman Be able

Follow Sets Follow Sets Objectives Follow Sets Explain the purpose of the follow set. Dr. Mattox Beckman Be able to compute a follow set. University of Illinois at Urbana-Champaign Department of Computer Science Follow Sets Follow

88 views • 5 slides
GOALS COLLABORATIVE TEACHER IMPROVED CLASSROOM SCHOOL CONSOLIDATION WORKSPACES UTILIZATION

GOALS COLLABORATIVE TEACHER IMPROVED CLASSROOM SCHOOL CONSOLIDATION WORKSPACES UTILIZATION

PROGRAMMING SCHOOL CONSOLIDATION PK-8 TERRACE HILLS / COLLINS PK-8 SCHOOL CONSOLIDATION PROJECT IS COMMITTED TO EMBRACING EPISDS STRATEGIC PRIORITIES & LEARNING GOALS. PROJECT BASED LEARNING BREAK OUT AREAS SAFE CAMPUS WITH FRESH

759 views • 7 slides
Consolidation and Regionalization Efforts Michelle Frederick, P.E.

Consolidation and Regionalization Efforts Michelle Frederick, P.E.

State Water Resources Control Board, Division of Drinking Water Consolidation and Regionalization Efforts Michelle Frederick, P.E. Caitlin Juarez Consolidation Coordinators Topics

688 views • 26 slides
ISO 20022 messaging in the context of the T2-T2S Consolidation project 1 st meeting of the

ISO 20022 messaging in the context of the T2-T2S Consolidation project 1 st meeting of the

ISO 20022 messaging in the context of the T2-T2S Consolidation project 1 st meeting of the Target Consolidation Contact Group (TCCG) Frankfurt, 06 February 2018 Agenda Objectives Principles related to ISO 20022 Migration Current

102 views • 9 slides
Tax Consolidation Presenter : P V Srinivasan pvs@pvsadvisors.com Mobile: +919845057597 1

Tax Consolidation Presenter : P V Srinivasan pvs@pvsadvisors.com Mobile: +919845057597 1

The Chamber of Tax Consultants Bangalore Study Group Meeting January 28, 2020 Tax Consolidation Presenter : P V Srinivasan pvs@pvsadvisors.com Mobile: +919845057597 1 Tax Consolidation - Concept Supreme Court in Govind Saran Ganga Saran

473 views • 10 slides
LSCU-GCUA Strategic Consolidation A little about me SVP, Association Services LSCU: 8+

LSCU-GCUA Strategic Consolidation A little about me SVP, Association Services LSCU: 8+

LSCU-GCUA Strategic Consolidation A little about me SVP, Association Services LSCU: 8+ years Prior to: American Cancer Society Amazing family 2-Time FSU Graduate HUGE Sports Fan Did I mention FSU? Consolidation Town Halls

719 views • 20 slides
Characterization & Analysis of a Server Consolidation Benchm ark on Xen Padm a Apparao

Characterization & Analysis of a Server Consolidation Benchm ark on Xen Padm a Apparao

Characterization & Analysis of a Server Consolidation Benchm ark on Xen Padm a Apparao Ravi Iyer, Don Newell, Xiaomin Zhang, Tom Adelmeyer Intel Corporation Nov 16 th , 2007 1 Background Virtualization and consolidation are a

571 views • 17 slides
Consolidation Rate Chapter 9 Consolidation Model 1 4/2/2015 Consolidation Rate

Consolidation Rate Chapter 9 Consolidation Model 1 4/2/2015 Consolidation Rate

4/2/2015 Consolidation Rate Chapter 9 Consolidation Model 1 4/2/2015 Consolidation Rate 1 1 Coefficient of

361 views • 8 slides
Water Protection Program Water Regionalization/Consolidation Benefits of

Water Protection Program Water Regionalization/Consolidation Benefits of

Water Protection Program Water Regionalization/Consolidation Benefits of Regionalization/Consolidation Easier to meet and sustain regulatory standards Spreads capital and operational costs among more users Greater financial strength

424 views • 10 slides
Straw Proposal Business Programs Follow-up Business Program Follow-up Topic Follow-up

Straw Proposal Business Programs Follow-up Business Program Follow-up Topic Follow-up

Triennial Plan II: Straw Proposal Business Programs Follow-up Business Program Follow-up Topic Follow-up How does EMs list of measures compare with other programs? What are the costs that make custom more expensive than

523 views • 13 slides
Can consolidation targets be achieved and if so, how? OSCAR Inc Organisation Sunshine Coast

Can consolidation targets be achieved and if so, how? OSCAR Inc Organisation Sunshine Coast

Can consolidation targets be achieved and if so, how? OSCAR Inc Organisation Sunshine Coast Association of Residents Greg Smith, President Suggested points to cover Does OSCAR have a view on consolidation targets as expressed in the SEQ

364 views • 12 slides
Village and Town of Pawling Consolidation Public Meeting Village and Town of Pawling

Village and Town of Pawling Consolidation Public Meeting Village and Town of Pawling

Village and Town of Pawling Consolidation Public Meeting Village and Town of Pawling Consolidation Study August 25, 2020 Introductions Laberge Group Benjamin H. Syden, AICP, Vice President Kathleen Rooney, Local Government Specialist

407 views • 25 slides
Pathology Consolidation in England 29 th August 2019 NHS England and NHS Improvement 1. The

Pathology Consolidation in England 29 th August 2019 NHS England and NHS Improvement 1. The

Pathology Consolidation in England 29 th August 2019 NHS England and NHS Improvement 1. The drivers History of consolidation in the NHS Results : The Carter review The opportunity Report saw 5bn of value opportunity 2020- 21, if

352 views • 31 slides
Implications of Cache Asymmetry on Server Consolidation Performance Presenter: Omesh Tickoo

Implications of Cache Asymmetry on Server Consolidation Performance Presenter: Omesh Tickoo

Implications of Cache Asymmetry on Server Consolidation Performance Presenter: Omesh Tickoo Padma Apparao, Ravi Iyer, Don Newell *Hardware Architecture Lab Intel Corporation 1 IISWC 2008 Outline Server Consolidation Asymmetric

334 views • 14 slides
School District Reorganization Property Tax Relief Task Force Government Consolidation

School District Reorganization Property Tax Relief Task Force Government Consolidation

School District Reorganization Property Tax Relief Task Force Government Consolidation Sub-Committee September 24, 2019 Whole Child Whole School Whole Community 1 Table of Contents Previous Consolidation Studies Slide 3

234 views • 11 slides
Consolidation theory Outlines 7.1 Introduction Craig Page # 227 7.2 The oedometer test

Consolidation theory Outlines 7.1 Introduction Craig Page # 227 7.2 The oedometer test

Consolidation theory Outlines 7.1 Introduction Craig Page # 227 7.2 The oedometer test Craig Page # 227 7.3 Consolidation settlement: one-dimensional method Craig Page # 235 7.6 Degree of consolidation Craig Page # 244 7.7

489 views • 22 slides
Energy Aware Consolidation in Cloud Computing April 8th, 2015 Adrian J. Mirabel and Rashid

Energy Aware Consolidation in Cloud Computing April 8th, 2015 Adrian J. Mirabel and Rashid

Energy Aware Consolidation in Cloud Computing April 8th, 2015 Adrian J. Mirabel and Rashid Siddiqui California State University, Dominguez Hills - Midterm Presentations Overview Introduction Def. of Consolidation Challenges

580 views • 21 slides
THE NEW PENSION CONSOLIDATION LAW & ITS IMPACT ON ARTICLE 4 FIREFIGHTER PENSION FUNDS HOW

THE NEW PENSION CONSOLIDATION LAW & ITS IMPACT ON ARTICLE 4 FIREFIGHTER PENSION FUNDS HOW

THE NEW PENSION CONSOLIDATION LAW & ITS IMPACT ON ARTICLE 4 FIREFIGHTER PENSION FUNDS HOW DID WE GET HERE? A BRIEF HISTORY BRIEF HISTORY OF PENSION CONSOLIDATION This is not a new idea. Pension consolidation has been discussed

467 views • 36 slides
Consolidation Chapter 9 Consolidation 1 3/31/2015 Consolidation Model Consolidation Model 0

Consolidation Chapter 9 Consolidation 1 3/31/2015 Consolidation Model Consolidation Model 0

3/31/2015 Consolidation Chapter 9 Consolidation 1 3/31/2015 Consolidation Model Consolidation Model 0 2 3/31/2015 Consolidation Model Consolidation Model 0

492 views • 16 slides
Consumers in an Era of Hospital Consolidation NYS Health Foundation October 11, 2019 Lois

Consumers in an Era of Hospital Consolidation NYS Health Foundation October 11, 2019 Lois

Empowering New York Consumers in an Era of Hospital Consolidation NYS Health Foundation October 11, 2019 Lois Uttley, MPP Womens Health Program Director Community Catalyst Founder, MergerWatch Hospital Consolidation in New York State 41

571 views • 9 slides
AGENDA TTO follow up Run 11 -12 Goals Efficiency TTO FOLLOW UP P . Krejcik wrote

AGENDA TTO follow up Run 11 -12 Goals Efficiency TTO FOLLOW UP P . Krejcik wrote

AGENDA TTO follow up Run 11 -12 Goals Efficiency TTO FOLLOW UP P . Krejcik wrote a synopsis of the Twin Bunch TTO project. I started a TTO website (with a link to it from the Performance Program site)

315 views • 7 slides
Swift Follow-Up Observations of s and +GW events Swift follow-up of IceCube

Swift Follow-Up Observations of s and +GW events Swift follow-up of IceCube

Azadeh Keivani Columbia Universi tz AMON Workshop Chiba, Japan May 21, 2019 Swift Follow-Up Observations of s and +GW events Swift follow-up of IceCube neutrinos 2 Swift is a powerful tool to search for transients

811 views • 30 slides

More recommend