Hypervisor Memory Introspection and Hypervisor Based Malware Honeypot
Communications in computer and information science, 2020
Memory acquisition is a tool used in advanced forensics and malware analysis. Various methods of memory acquisition exist, ranging from tools based on dedicated hardware to software-only solutions. We proposed a hypervisor-based memory acquisition tool [22]. Our method supports ASLR and modern operating systems, which is an innovation compared to past methods [27, 36]. We extend the hypervisor-assisted memory acquisition by adding mass storage device honeypots for the malware to cross, and propose hiding the hypervisor using bluepill technology.
International series on intelligent systems, control and automation: science and engineering, 2015
Trusted Computing is a special branch of computer security. One branch of computer security involves protection of systems against external attacks. In that branch we include all methods that are used by system owners against external attackers, for example firewalls, IDS, IPS, etc. In all those cases the system owner installs software that uses its own means to determine whether a remote user is malicious and terminates the attack. (Such means can be very simple, such as detecting attack signatures, or very complex, such as machine learning and detecting anomalies in the usage pattern of the remote user.) Another branch of attacks requires protection by the system owner against internal users. Such protection includes preventing users from reading each other's data, from using more than their allotted share of resources, etc. To some extent anti-virus/anti-spam software is also included here. All password protection and user management software are included in this branch. The third branch, Trusted Computing, involves verification by a remote host that the user machine will behave in a certain predictable way, i.e. protection against the current owner of the machine. The most common example of this kind of requirement is distribution of digital media. Digital media is distributed in some conditional access mode (rented, pay per view, sold for personal use, etc.). Obtaining digital media usually does not entitle the user to unlimited rights. The user usually may not redistribute or edit the digital media and may not even be allowed to consume it himself after a certain date (media rentals, pay per view). However, the user consumes the media on his private machine. How can the media provider assure himself that a malicious user does not tamper with the machine so that contents are not replicated?
The problem of security against the owner of the machine is the problem domain of Trusted Computing. In trusted computing, as opposed to other branches of security, the "attacker" is not limited to some attack surface that was exposed to him but can also use a soldering iron to tap into buses, replace chips and other system parts, etc. Trusted computing also includes other protection tools against the current owner (or possessor of the machine, if not the legal owner). For example protection of
This is a self-archived version of an original article. This version may differ from the original in pagination and typographic details.
Many enterprises migrate to a private cloud VDI environment. In such an environment multiple workstations are served by a single powerful server, and each VDI workstation receives only limited CPU power. An average of less than a quarter of a core per planned VDI workstation is a common setup. In such cases, anti-virus and application control software load is multiplied by the number of VDI workstations running on each server. These security applications take merely a few percent of a single core on a normal desktop. However, on a VDI server where multiple VDI workstations run on a single server, they may consume 20-25 percent of the load. Naturally, such an increase is significant. We present an application control system that is extremely useful in a VDI environment.
IEEE Transactions on Information Forensics and Security, Aug 1, 2019
This is a self-archived version of an original article. This version may differ from the original in pagination and typographic details.
International Journal of Digital Content Technology and Its Applications, 2017
The business world is exhibiting a growing dependency on computer systems, their operations and the databases they contain. Unfortunately, it also suffers from an ever-growing recurrence of malicious software attacks. Malicious attack vectors are diverse, and the computer-security industry is producing an abundance of behavioral-pattern detections to combat the phenomenon. This paper proposes an alternative approach, based on the implementation of an attested, and thus trusted, thin hypervisor. Secondary level address translation tables, governed and fully controlled by the hypervisor, are configured in order to assure that only pre-whitelisted instructions can be executed in the system. This methodology provides resistance to most APT attack vectors, including those based on zero-day vulnerabilities that may slip under behavioral-pattern radars.
International Journal of Digital Content Technology and Its Applications, 2017
An important aspect of protecting software from attack, theft of algorithms, or illegal software use is eliminating the possibility of performing reverse engineering. One common method to deal with these issues is code obfuscation. However, in most cases it was shown to be ineffective. Code encryption is a much more effective means of defying reverse engineering, but it requires managing a secret key available to none but the permissible users. The authors propose a new and innovative solution. Critical functions in protected software are encrypted using well-known encryption algorithms. Following verification by external attestation, a thin hypervisor is used as the basis of an ecosystem that manages just-in-time decryption, inside the CPU, where decrypted instructions are then executed and finally discarded, while keeping the secret key and the decrypted instructions absolutely safe. The paper presents and compares two methodologies that perform just-in-time decryption: in-place and buffered execution. The former is safer, while the latter boasts better performance.
Reliable memory acquisition is essential to the forensic analysis of a cyber-crime. Various methods of memory acquisition have been proposed, ranging from tools based on dedicated hardware to software-only solutions. Recently, a hypervisor-based method for memory acquisition was proposed (Qi et al., 2017; Martignoni et al., 2010). This method obtains a reliable (atomic) memory image of a running system. It achieves this by making all memory pages non-writable until they are copied to the memory image, thus preventing uncontrolled modification of these pages. Unfortunately, the proposed method has two deficiencies: (1) it does not support multiprocessing and (2) it does not support modern operating systems featuring address space layout randomization (ASLR). We describe a hypervisor-based memory acquisition method that solves the two aforementioned deficiencies. We analyze the memory usage and performance of the proposed method. This method is described in multiple previous works (Qi et al., 2017; Martignoni et al., 2010).
Proceedings of the 5th International Conference on Information Systems Security and Privacy
Reliable memory acquisition is essential to the forensic analysis of a cyber-crime. Various methods of memory acquisition have been proposed, ranging from tools based on dedicated hardware to software-only solutions. Recently, a hypervisor-based method for memory acquisition was proposed (Qi et al., 2017; Martignoni et al., 2010). This method obtains a reliable (atomic) memory image of a running system. It achieves this by making all memory pages non-writable until they are copied to the memory image, thus preventing uncontrolled modification of these pages. Unfortunately, the proposed method has two deficiencies: (1) it does not support multiprocessing and (2) it does not support modern operating systems featuring address space layout randomization (ASLR). We describe a hypervisor-based memory acquisition method that solves the two aforementioned deficiencies. We analyze the memory usage and performance of the proposed method. This method is described in multiple previous works (Qi et al., 2017; Martignoni et al., 2010).
Proceedings of the 3rd International Conference on Information Systems Security and Privacy
An important aspect of protecting software from attack, theft of algorithms, or illegal software use is eliminating the possibility of performing reverse engineering. One common method to deal with these issues is code obfuscation. However, it is proven to be ineffective. Code encryption is a much more effective means of defying reverse engineering, but it requires managing a secret key available to none but the permissible users. Adequate systems for managing secret keys in a protected trust-zone and supporting execution of encrypted native code have been proposed in the past. Nevertheless, these systems are not suitable as is for protecting managed code. In this paper we propose enhancements to these systems so that they support execution of encrypted Java programs that are resistant to reverse engineering. The main difficulty underlying Java protection with encryption is the interpretation that is performed by the JVM. The JVM would require the key to decrypt the encrypted portions of Java code, and there is no feasible way of securing the key inside the JVM. To solve this, the authors propose implementing a Java bytecode interpreter inside a trust-zone, governed by a thin hypervisor. This interpreter will run in parallel to the standard JVM, both cooperating to execute encrypted Java programs.
The blue pill is a malicious stealthy hypervisor-based rootkit. The red pill is a software package that is designed to detect such blue pills. Since the blue pill was originally proposed there has been an ongoing arms race between developers who try to develop stealthy hypervisors and developers who try to detect such stealthy hypervisors. Furthermore, hardware advances have made several stealth attempts impossible, while other advances enable even more stealthy operation. In this paper we describe the current status of detecting stealth hypervisors and methods to counter them.
2019 6th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/ 2019 5th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom)
Many enterprises migrate to a private cloud VDI environment. In such an environment multiple workstations are served by a single powerful server, and each VDI workstation receives only limited CPU power. An average of less than a quarter of a core per planned VDI workstation is a common setup. In such cases, anti-virus and application control software load is multiplied by the number of VDI workstations running on each server. These security applications take merely a few percent of a single core on a normal desktop. However, on a VDI server where multiple VDI workstations run on a single server, they may consume 20-25 percent of the load. Naturally, such an increase is significant. We present an application control system that is extremely useful in a VDI environment.
System and methods for copy protection of the central processing unit (CPU) of a computing device
The present invention relates to techniques for a system and methods for software-driven management of the introduction of protected data blocks into the memory cache mechanism of a computerized device. In particular, the invention concerns preventing protected data blocks from being modified and evicted from the CPU cache, coupled with buffered software execution. The technique is based on identifying at least one conflicting data block that has an indication of a memory mapping to a designated memory cache line, and on preventing the conflicting data block from being cached. Functional features of a vendor's software product, such as a game or a video, may be partially encrypted to allow protected and functional operability and to avoid piracy and malicious use by a user...
Papers by Amit Resh