
Page 1: SubVirt: Implementing malware with virtual machines

SubVirt: Implementing malware with virtual machines

Authors: Samuel T. King, Peter M. Chen

University of Michigan

Yi-Min Wang, Chad Verbowski, Helen J. Wang, Jacob R. Lorch

Microsoft Research

Publication: Security and Privacy, 2006 IEEE Symposium.

Presenter: Radha Maldhure

Page 2

Goal

• Attacker: run malicious software and avoid detection

• Defender: understand and defend against the threat

Fig: layered system (App1, App2 / OS / Hardware); attacker and defender compete for the lowest layer, since the lower the layer, the more control it gives

Page 3

VMM

Fig: architecture of the VMM (the hosted design used by VMware and VirtualPC): the VM runs on top of the VMM, alongside the host OS and host applications

• The VM runs the guest OS and guest applications

• The host application and host OS provide convenient access to I/O devices and run VM services

• VMI (virtual-machine introspection) = the set of techniques that enable a VM service to understand and modify states/events in the guest

Page 4

What is the presentation about?

• Virtual-machine based rootkit (VMBR)
– installation
– malicious services
– maintaining control

• Defending against a VMBR
– control below the VMBR
– control above the VMBR

Page 5

VMBR

Fig: before infection (App1, App2 / Target OS / Hardware) and after infection (App1, App2 / Target OS / VMM + attack system / Hardware); the VMM and the attack system together form the VMBR, which sits beneath the target OS and is invisible to it

Attack system = attack OS + malware

Page 6

Installation

1. Gain sufficient privileges (the privilege level needed to modify the boot records)

2. Install the VMBR's state on persistent storage

3. Modify the system's boot sequence so that the VMBR loads before the target OS

4. Insert the VMBR beneath the target OS

!! The boot-sequence manipulation must be done during the final stage of shutdown

Page 7

Malicious services (MS): there are three types

1. MS with no communication with the target system, e.g. phishing web servers

2. MS that observes data from the target system, e.g. keystroke loggers used to obtain sensitive information such as passwords

3. MS that modifies the execution of the target system, e.g. deleting email

Page 8

Maintaining control

!!! Avoid reboots and shutdowns

Fig: booting the system: the system powers up, the BIOS runs, the VMBR state and code are loaded, and the VMBR takes control; at that point the system is compromised

• Handle reboots: restart the virtual hardware rather than resetting the underlying physical hardware

• Handle shutdowns: use ACPI sleep states to emulate a system shutdown

Page 9

Defense

Fig: where security software sits relative to the VMBR

• Security software above the VMBR can see only the virtualized state

• Security software below the VMBR can see the actual state, including the state of the VMBR

Page 10

Security software below the VMBR

Basic idea: the detector's view of the system does not go through the VMBR's virtualization layer

Ways:
– Boot from a safe medium such as a CD-ROM or USB drive, physically unplugging the machine before booting
– Use a secure VMM

Page 11

Security software above the VMBR

Basic idea: security software below the VMBR is inconvenient, so detect the VMBR from inside the virtualized system

Ways:
– Compare the running time of software in the VM against benchmarks, measured against wall-clock time
– Run a program that requires the entire memory or disk space
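As an added example (not code from the SubVirt paper or from this talk), the two "above the VMBR" checks on this slide written as a small Python script: a timing check that compares externally timed runs of a fixed benchmark against a baseline recorded while the machine was known to be clean, and a resource-accounting check that compares the RAM and disk totals the OS reports against the hardware specification. The thresholds, baseline figures and sample measurements are constructed assumptions, and the names (Baseline, assess, CLEAN_BASELINE and so on) are chosen here.

```python
"""Heuristic VMBR checks run from inside the (possibly virtualized) system:
(1) compare a benchmark's duration against an externally timed clean baseline;
(2) compare OS-reported memory/disk totals with the hardware's known totals.

Added illustration, not code from the SubVirt paper or this presentation.
The thresholds, baseline figures and sample runs below are constructed for
the example. A real deployment records its own baselines on hardware known
to be clean and times the benchmark with an external clock (for instance a
trusted time server), because a VMBR controls the clock the guest sees.
"""
from dataclasses import dataclass
from statistics import median

# Assumed thresholds (not from the paper): how much slower or smaller the
# observed system may be before a finding is raised.
TIMING_RATIO_LIMIT = 1.25        # benchmark may run at most 25% slower
RESOURCE_SHORTFALL_LIMIT = 0.01  # at most 1% of RAM/disk may be unaccounted for


@dataclass(frozen=True)
class Baseline:
    """Reference figures recorded while the machine was known to be clean."""
    bench_seconds: float      # externally timed duration of the benchmark
    total_memory_bytes: int   # physical RAM from the hardware specification
    total_disk_bytes: int     # raw disk capacity from the hardware specification


def timing_ratio(trials: list[float], baseline_seconds: float) -> float:
    """Median of externally timed benchmark runs relative to the clean baseline.

    The median rather than the mean is used so one noisy run cannot dominate.
    """
    if not trials:
        raise ValueError("need at least one timed run")
    if baseline_seconds <= 0:
        raise ValueError("baseline must be a positive duration")
    return median(trials) / baseline_seconds


def resource_shortfall(reported_bytes: int, expected_bytes: int) -> float:
    """Fraction of the hardware's capacity the OS cannot see (0.0 = all visible).

    A VMBR that keeps its own state and an attack OS resident in RAM or on
    disk has to take that space from somewhere, so a persistent shortfall
    against the hardware specification is a signal worth following up.
    """
    if expected_bytes <= 0:
        raise ValueError("expected capacity must be positive")
    missing = max(expected_bytes - reported_bytes, 0)
    return missing / expected_bytes


def assess(trials, reported_memory, reported_disk, baseline: Baseline) -> dict:
    """Run both heuristics and return the measurements plus a verdict."""
    ratio = timing_ratio(trials, baseline.bench_seconds)
    mem_gap = resource_shortfall(reported_memory, baseline.total_memory_bytes)
    disk_gap = resource_shortfall(reported_disk, baseline.total_disk_bytes)
    findings = []
    if ratio > TIMING_RATIO_LIMIT:
        findings.append(f"benchmark {ratio:.2f}x slower than clean baseline")
    if mem_gap > RESOURCE_SHORTFALL_LIMIT:
        findings.append(f"{mem_gap:.1%} of physical RAM not visible to the OS")
    if disk_gap > RESOURCE_SHORTFALL_LIMIT:
        findings.append(f"{disk_gap:.1%} of disk capacity not visible to the OS")
    return {
        "timing_ratio": ratio,
        "memory_shortfall": mem_gap,
        "disk_shortfall": disk_gap,
        "suspicious": bool(findings),
        "findings": findings,
    }


# Constructed sample data for a hypothetical 4 GiB / 500 GB machine.
CLEAN_BASELINE = Baseline(
    bench_seconds=1.00,
    total_memory_bytes=4 * 1024**3,
    total_disk_bytes=500_000_000_000,
)
CLEAN_RUN = dict(trials=[1.02, 0.98, 1.01],
                 reported_memory=4 * 1024**3,
                 reported_disk=500_000_000_000)
# Hypothetical suspect run: the benchmark takes about 60% longer and 64 MiB
# of RAM are no longer reported to the guest OS.
SUSPECT_RUN = dict(trials=[1.60, 1.70, 1.55],
                   reported_memory=4 * 1024**3 - 64 * 1024**2,
                   reported_disk=499_000_000_000)

if __name__ == "__main__":
    for name, run in (("clean", CLEAN_RUN), ("suspect", SUSPECT_RUN)):
        result = assess(baseline=CLEAN_BASELINE, **run)
        verdict = "suspicious" if result["suspicious"] else "ok"
        print(name, verdict, result["findings"])
```

Two design points matter in practice. The timing check only works if the durations come from a clock the VMBR cannot adjust, which is why the script takes already-measured trial durations rather than reading the local clock itself; and both checks are heuristics with false positives (a busy machine, a firmware memory reservation), so a finding is a prompt to check from below the VMBR, not a verdict on its own.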

Page 12

Contribution

• Explored the design and implementation of VMBR

• Explored techniques for detecting VMBR

Page 13

Weakness

• A VMBR is difficult to install

• VMBRs require a reboot before they can run

• They have a larger impact on the overall system

Page 14

Suggestions

• The ideas suggested by the paper are good but need much more implementation work on both the attacker's side and the defender's side

• The defenses are not convenient for end users

• Some ideas are not clear

Page 15

Questions?

Quote for the day

“No defeat is final until we stop trying”