SHARK: Architectural Support for Autonomic Protection Against Stealth by Rootkit Exploits


Slide 1: SHARK: Architectural Support for Autonomic Protection Against Stealth by Rootkit Exploits
Vikas R. Vasisht, Hsien-Hsin S. Lee
School of Electrical and Computer Engineering, Georgia Tech

Slide 2: Rootkit Definition
A set of programs that allows a permanent or consistent, undetectable presence on a computer
– Not an exploit to gain elevated access
– Conceals all evidence of malware activities
Rootkit's functions: hide processes, files, network connections and conceal malware activities
SHARK: Vasisht & Lee

Slide 3: Example – Hidden Keylogger (diagram)
A user logs in at www.anybank.com with a login and password on a machine whose OS is compromised and has a rootkit installed. Task Manager looks clean while the adversary's hidden keylogger captures the credentials.

Slides 4–5: Rootkit Technique (I) (diagram)
User space: the system administrator runs a utility (e.g., "ps", "top") → user program → API function library, resolved through the Import Address Table → system call.
Kernel space: the interrupt handler is chosen from the Interrupt Descriptor Table (IDT) → the syscall is chosen from the System Service Descriptor Table (SSDT) → syscall function → return to the user program.
Modify OS execution flow to hide traces of malware: each table on this path (IAT, IDT, SSDT) is a point where the control flow can be redirected.

Slide 6: Rootkit Technique (II) – Direct Kernel Object Modification (diagram)
Safe machine: processes Process-1, Process-2, Process-3, Malware and Process-5 are running; "ps" lists P-1, P-2, P-3, Malware, P-5.
Compromised machine: the same processes are running, but "ps" lists only P-1, P-2, P-3, P-5.
Manipulate kernel data to remove malware information.

Slide 7: Rootkit Detection Techniques
Software based techniques:
– Signature/behavioral detection: works only for known rootkits
– Cross-view based detection: complex rootkits compromise the low-level OS view
– Integrity based detection: rootkits fake memory contents (e.g., the Shadow Walker rootkit)
Hardware based techniques:
– CoPilot (N. Petroni et al. [USENIX'04]): integrity of host memory checked from a remote admin station; a rootkit can send a faked memory snapshot to the remote machine

Slide 8: Sophisticated Rootkits (diagrams)
– SubVirt (King et al. [Symposium on Security and Privacy'06]): starting from Native OS / Host OS / Hardware, the infection steps M1 and M2 install a Malicious OS and a Virtual Machine Monitor beneath the host OS; the host OS is downgraded to a VM (steps A1, A2, A3).
– Bluepill (Joanna Rutkowska [Black Hat'06]): the hypervisor is installed on-the-fly; after VMRUN the native OS continues execution inside a VM, with the hypervisor below the host OS.

Slide 9: Challenge
We cannot detect hidden processes, VMs and VMMs using software techniques.
Diagram: Applications / Sys. Admin Utilities / Guest OS / VMM / H/W. The system administrator is seeing a clean system while the malware is enjoying hardware resources; software gets no direct feedback from the hardware.

Slide 10: Motivation – Process Context Aware Architecture (diagram)
Processes 1, 2 and 3 are spawned with page tables PT 1, PT 2, PT 3 and address spaces AS-1, AS-2, AS-3; spawning a further process that the hardware knows nothing about is possible.
The OS completely manages processes, and the hardware can be fooled.

Slide 11: SHARK Big Picture (diagram)
Process spawned → first page table update: it succeeds for a process the hardware has registered and fails otherwise. Page tables PT 1, PT 2, PT 3 are encrypted; address spaces AS-1, AS-2, AS-3.
Address space isolation achieved by page table encryption.

Slide 12: SHARK – Secure Hardware Against RootKits
Hardware assisted PID generation
– Software PIDs are vulnerable
Page table encryption/decryption
– Page table update: hardware support for every update
– TLB miss: page table decryption
Process authentication
– On a context switch, PID → HPID register
– TLB miss: HPID used for decryption

Slide 13: Hardware Assisted PID Generation (diagram)
The OS creates a new process and its page table. SHARK's 64-bit PID counter supplies the PID, and the first PTE is encrypted in counter-mode AES with the 128-bit secret hardware key. The PID is returned to the OS only after this initial encryption.

Slides 14–15: Page Table Encryption (x86) (diagram)
A faulted VPN is split into Level 1, Level 2 and Level 3 indices plus the byte within the page. CR3 → 1st level PGD (PDE, with 128 V-bits) → 2nd level PMD (128 V-bits) → 3rd level PT (32-bit PTEs, grouped four PTEs to a block, each block with a V bit).

Slide 16: Page Table Encryption (x86) (diagram)
Counter-mode AES-128: the counter is formed from the PID, a V-bit flag and the block ID; it is encrypted under the 128-bit secret H/W key and XORed with the 128-bit plaintext (four 32-bit PTEs, or a V-bit array) to give the 128-bit ciphertext (four encrypted PTEs, or an encrypted V-bit array).
The counter (PID) is not a secret; the HW key is secret.

Slide 17: TLB Update (x86) – Handled by SHARK (diagram)
Memory access → TLB miss → hardware page table walk: CR3 → 1st level PGD → counter-mode decryption (AES-128) → PDE → counter-mode decryption (AES-128) → 3rd level PT → counter-mode decryption (AES-128) → PTE → PPN → TLB update. The HPID register supplies the PID used in every counter.
TLB miss: two V-bit array decryptions, one PTE decryption.
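The counter-mode scheme of slides 13, 16 and 17, as an added example in Go that is not part of the slides or of the SHARK implementation. It packs four 32-bit PTEs into one 128-bit block, builds the counter from (PID, V-bit flag, block ID), and decrypts on the TLB-miss path with the HPID register rather than a PID supplied by software. The key value and the exact byte layout of the counter are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// HwKey stands in for SHARK's 128-bit secret hardware key (constructed value;
// in the real design it never leaves the chip).
var HwKey = []byte("shark-hw-key-128") // 16 bytes = one AES-128 key

// counterBlock assembles the 128-bit counter the slides describe: the 64-bit
// PID, a flag saying whether the block is a V-bit array or a PTE block, and
// the block id. The field layout is an assumption of this example.
func counterBlock(pid uint64, vbitArray bool, blockID uint32) [16]byte {
	var ctr [16]byte
	binary.BigEndian.PutUint64(ctr[0:8], pid)
	if vbitArray {
		ctr[8] = 1
	}
	binary.BigEndian.PutUint32(ctr[12:16], blockID)
	return ctr
}

// keystream computes AES-128_HwKey(counter). The counter is public (it holds
// the PID); the key is secret, so only the hardware can produce the keystream.
func keystream(key []byte, pid uint64, vbitArray bool, blockID uint32) ([16]byte, error) {
	var ks [16]byte
	cipher, err := aes.NewCipher(key)
	if err != nil {
		return ks, err
	}
	ctr := counterBlock(pid, vbitArray, blockID)
	cipher.Encrypt(ks[:], ctr[:])
	return ks, nil
}

// xorBlock applies one keystream block to 16 bytes; in counter mode
// encryption and decryption are the same operation.
func xorBlock(data, ks [16]byte) [16]byte {
	for i := range data {
		data[i] ^= ks[i]
	}
	return data
}

// EncryptPTEBlock packs four 32-bit x86 PTEs into one 128-bit block and
// encrypts it under the owning process's PID (the MODPT path).
func EncryptPTEBlock(key []byte, pid uint64, blockID uint32, ptes [4]uint32) ([16]byte, error) {
	var pt [16]byte
	for i, pte := range ptes {
		binary.LittleEndian.PutUint32(pt[i*4:i*4+4], pte)
	}
	ks, err := keystream(key, pid, false, blockID)
	if err != nil {
		return pt, err
	}
	return xorBlock(pt, ks), nil
}

// DecryptPTEBlock is the TLB-miss path: the page walker regenerates the
// keystream from the HPID register, which the hardware loaded at the last
// context switch, not from a PID that software hands it.
func DecryptPTEBlock(key []byte, hpid uint64, blockID uint32, ct [16]byte) ([4]uint32, error) {
	var ptes [4]uint32
	ks, err := keystream(key, hpid, false, blockID)
	if err != nil {
		return ptes, err
	}
	pt := xorBlock(ct, ks)
	for i := range ptes {
		ptes[i] = binary.LittleEndian.Uint32(pt[i*4 : i*4+4])
	}
	return ptes, nil
}

// EncryptVBitArray encrypts a 128-bit V-bit array the same way, with the V-bit
// flag set in the counter so it never shares keystream with a PTE block.
func EncryptVBitArray(key []byte, pid uint64, blockID uint32, vbits [16]byte) ([16]byte, error) {
	ks, err := keystream(key, pid, true, blockID)
	if err != nil {
		return vbits, err
	}
	return xorBlock(vbits, ks), nil
}

func main() {
	// Constructed sample: four PTEs of process 7 in page-table block 3.
	ptes := [4]uint32{0x00001067, 0x00002067, 0x00003067, 0x00000000}
	ct, _ := EncryptPTEBlock(HwKey, 7, 3, ptes)
	ok, _ := DecryptPTEBlock(HwKey, 7, 3, ct)  // HPID matches the owner
	bad, _ := DecryptPTEBlock(HwKey, 8, 3, ct) // HPID of another process
	fmt.Printf("stored ciphertext: %x\n", ct)
	fmt.Printf("walk with HPID 7: %08x (matches: %v)\n", ok, ok == ptes)
	fmt.Printf("walk with HPID 8: %08x (matches: %v)\n", bad, bad == ptes)
}
```

Because the PID is part of the counter, a page table walk performed under the wrong HPID yields garbage rather than another process's mappings, which is the process-authentication property of slide 12; and because the V-bit flag is part of the counter, a V-bit array and a PTE block with the same block id never reuse keystream.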

Slide 18: Instructions supported in SHARK
– GENPID – generate a new PID; used when a new process is created
– MODPT – update the page table of a process; used when page tables have to be modified
– DECPT – decrypt a process' page table entry; used to know the physical pages of processes

Slide 19: MODPT – Physical Page Tracking (diagram)
MODPT used to invalidate a page table entry: (PID, physical page) → SHA → 32B encrypted checksum, which is stored.
MODPT used to validate a page table entry: (PID, physical page) → SHA → compared with the stored 32B encrypted checksum; YES → update the PTE; NO → illegal PT update.
Tracks the association of a memory page and its owning process.
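The physical page tracking of slide 19, as an added Go model that is not code from the slides or from SHARK. A keyed SHA-256 (HMAC) stands in for the slide's "SHA plus encryption" of the 32-byte checksum, the key is a constructed stand-in for a hardware secret, and the rule that a page with no record is free to claim is an assumption of this example, not something the slide states.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// ErrIllegalUpdate is the "NO -> Illegal PT Update" outcome on the slide.
var ErrIllegalUpdate = errors.New("illegal page table update: physical page belongs to another process")

// PageTracker keeps, per physical page, a 32-byte keyed checksum over
// (PID, physical page). Only a holder of the key can produce a checksum that
// validates, so software cannot forge ownership of a page.
type PageTracker struct {
	key     []byte
	records map[uint64][32]byte // physical page number -> checksum
}

func NewPageTracker(key []byte) *PageTracker {
	return &PageTracker{key: key, records: make(map[uint64][32]byte)}
}

// checksum is HMAC-SHA256(key, PID || PPN): a stand-in for the slide's
// encrypted SHA checksum.
func (t *PageTracker) checksum(pid, ppn uint64) [32]byte {
	mac := hmac.New(sha256.New, t.key)
	var buf [16]byte
	binary.BigEndian.PutUint64(buf[0:8], pid)
	binary.BigEndian.PutUint64(buf[8:16], ppn)
	mac.Write(buf[:])
	var sum [32]byte
	copy(sum[:], mac.Sum(nil))
	return sum
}

// Invalidate is MODPT invalidating a PTE: the page leaves pid's page table and
// the hardware records which process it still belongs to.
func (t *PageTracker) Invalidate(pid, ppn uint64) {
	t.records[ppn] = t.checksum(pid, ppn)
}

// Validate is MODPT validating a PTE before it is written: the checksum for
// (pid, ppn) must equal the stored one. A page with no record is treated as
// free and is claimed by pid (assumption of this example).
func (t *PageTracker) Validate(pid, ppn uint64) error {
	stored, tracked := t.records[ppn]
	if !tracked {
		t.records[ppn] = t.checksum(pid, ppn)
		return nil
	}
	if stored != t.checksum(pid, ppn) {
		return ErrIllegalUpdate
	}
	return nil
}

func main() {
	tr := NewPageTracker([]byte("shark-tracking-key")) // constructed key
	tr.Invalidate(7, 0x1234)                           // process 7's page is unmapped
	fmt.Println("7 remaps 0x1234:", tr.Validate(7, 0x1234))
	fmt.Println("9 maps 0x1234:", tr.Validate(9, 0x1234))
	fmt.Println("9 maps fresh 0x9999:", tr.Validate(9, 0x9999))
}
```

With this record in place, an attempt to map one process's physical page into another process's page table fails the check and is reported as an illegal page table update, which is how the scheme stops a hidden context from borrowing another process's memory.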

Slide 20: Stealth Checker (diagram)
"I can compare and catch hidden software contexts": on every context switch the HPID is recorded by SHARK in a Master PID List (PID 1, PID 2, PID 3) next to the page tables (VPN → PPN), while "ps" reports the OS's own view.
– Hardware implemented in firmware
– Encrypts and sends PIDs to a remote system admin machine
– Hardware and software lists compared in the remote machine
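The comparison the stealth checker performs, as an added Go example that is not code from the slides or from SHARK. The hardware side records every PID loaded into the HPID register at a context switch; the remote admin machine compares that master list with what "ps" on the monitored host reports. The encrypted transport to the remote machine is left out, and the "ps" output is a constructed sample in which one PID has been unlinked from the kernel's process list, as on slide 6.

```go
package main

import (
	"fmt"
	"sort"
)

// HardwareMonitor models SHARK's Master PID List: every context switch loads a
// PID into the HPID register, and the hardware remembers which PIDs have run.
type HardwareMonitor struct {
	seen map[uint64]bool
}

func NewHardwareMonitor() *HardwareMonitor {
	return &HardwareMonitor{seen: make(map[uint64]bool)}
}

// ContextSwitch is invoked when a process is scheduled; the record is kept by
// the hardware, so a rootkit editing kernel lists cannot alter it.
func (m *HardwareMonitor) ContextSwitch(hpid uint64) {
	m.seen[hpid] = true
}

// MasterPIDList is the sorted hardware view that is sent to the admin machine.
func (m *HardwareMonitor) MasterPIDList() []uint64 {
	list := make([]uint64, 0, len(m.seen))
	for pid := range m.seen {
		list = append(list, pid)
	}
	sortPIDs(list)
	return list
}

// Discrepancy is what the remote admin machine derives from the two lists.
type Discrepancy struct {
	Hidden  []uint64 // ran on the hardware but the OS does not report them
	Unknown []uint64 // reported by the OS but never scheduled on the hardware
}

// CompareLists performs the hardware-versus-software comparison of slide 20.
func CompareLists(hardware, software []uint64) Discrepancy {
	inHW := make(map[uint64]bool, len(hardware))
	for _, p := range hardware {
		inHW[p] = true
	}
	inSW := make(map[uint64]bool, len(software))
	for _, p := range software {
		inSW[p] = true
	}
	var d Discrepancy
	for p := range inHW {
		if !inSW[p] {
			d.Hidden = append(d.Hidden, p)
		}
	}
	for p := range inSW {
		if !inHW[p] {
			d.Unknown = append(d.Unknown, p)
		}
	}
	sortPIDs(d.Hidden)
	sortPIDs(d.Unknown)
	return d
}

func sortPIDs(list []uint64) {
	sort.Slice(list, func(i, j int) bool { return list[i] < list[j] })
}

func main() {
	hw := NewHardwareMonitor()
	// Constructed schedule: PIDs 1..5 all get CPU time.
	for _, pid := range []uint64{1, 2, 3, 4, 2, 5, 4} {
		hw.ContextSwitch(pid)
	}
	// Constructed "ps" output from a compromised host: PID 4 was unlinked from
	// the kernel process list, so the OS view omits it.
	psOutput := []uint64{1, 2, 3, 5}
	d := CompareLists(hw.MasterPIDList(), psOutput)
	fmt.Println("hidden:", d.Hidden, "unknown:", d.Unknown)
}
```

The Hidden set is the detection result the slide is after; the Unknown set is a useful secondary signal for an operator, since a PID the OS reports but the hardware never scheduled points at a tampered or stale process list as well.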

Slide 21: Experimental Analysis
Functionality evaluation
– BOCHS emulator, modified Linux 2.6.16.33
– Rootkits installed: Adore 0.42, Knark 2.4.3, Phide, Enyelkm.en.v1.1, and Mood-nt-2.3
– SHARK was able to detect all rootkits
Performance evaluation
– Virtutech SIMICS
– Performance overhead due to encryption/decryption

Slide 22: Performance Evaluation
– SPEC 2006 benchmark suite
– Emulated the first 2B instructions: more page faults and TLB updates
– SHARK overhead in the recompiled Linux kernel 2.6.16.33: MODPT instruction: 6 × AES + SHA-256; TLB refill: 3 × AES; DECPT instruction: 3 × AES
– Sensitivity study for different TLB configurations: 4 KB and 2 MB pages supported (x86); varied number of TLB entries
– TLB flushed upon every context switch, as in x86 machines

Slide 23: SPEC2006 – performance impact with different TLB organizations (chart)
– More context switches and more TLB misses
– Sensitive to the number of entries for 2 MB pages in the TLB
– Average CPI overhead is 1.3%

Slide 24: SPEC2006 (6 system configurations) (chart)
– Larger AES latency increases the overhead
– Larger L2 cache (longer L2 latency) lowers the overhead
– Average overhead range: 0.45% – 4.7%

Slide 25: Conclusions
– SHARK is the first synergistic micro-architecture and OS technique to address rootkit exploits
– Concealed activity at user, kernel and VMM levels will be revealed
– Low performance overhead makes it practical

Slide 26: Thank you
http://arch.ece.gatech.edu
