Cyber Situational Awareness Using Live Hypervisor-Based Virtual Machine Introspection Dustyn A
Total Page:16
File Type:pdf, Size:1020Kb
Air Force Institute of Technology AFIT Scholar Theses and Dissertations Student Graduate Works 9-10-2010 Cyber Situational Awareness Using Live Hypervisor-Based Virtual Machine Introspection Dustyn A. Dodge Follow this and additional works at: https://scholar.afit.edu/etd Part of the Information Security Commons, and the OS and Networks Commons Recommended Citation Dodge, Dustyn A., "Cyber Situational Awareness Using Live Hypervisor-Based Virtual Machine Introspection" (2010). Theses and Dissertations. 1979. https://scholar.afit.edu/etd/1979 This Thesis is brought to you for free and open access by the Student Graduate Works at AFIT Scholar. It has been accepted for inclusion in Theses and Dissertations by an authorized administrator of AFIT Scholar. For more information, please contact [email protected]. CYBER-SITUATIONAL AWARENESS USING LIVE HYPERVISOR-BASED VIRTUAL MACHINE INTROSPECTION THESIS Dustyn A. Dodge, 1st Lieutenant, USAF AFIT/GCE/ENG/10-07 DEPARTMENT OF THE AIR FORCE AIR UNIVERSITY AIR FORCE INSTITUTE OF TECHNOLOGY Wright-Patterson Air Force Base, Ohio APPROVED FOR PUBLIC RELEASE; DISTRIBUTION UNLIMITED The views expressed in this thesis are those of the author and do not reflect the official policy or position of the United States Air Force, Department of Defense, or the United States Government. AFIT/GCE/ENG/10-07 CYBER-SITUATIONAL AWARENESS USING LIVE HYPERVISOR-BASED VIRTUAL MACHINE INTROSPECTION THESIS Presented to the Faculty Department of Electrical and Computer Engineering Graduate School of Engineering and Management Air Force Institute of Technology Air University Air Education and Training Command In Partial Fulfillment of the Requirements for the Degree of Master of Science in Computer Engineering Dustyn A. Dodge, B.S. Computer Engineering 1st Lieutenant, USAF September 2010 APPROVED FOR PUBLIC RELEASE; DISTRIBUTION UNLIMITED. AFIT/GCE/ENG/10-07 CYBER-SITUATIONAL AWARENESS USING LIVE HYPERVISOR-BASED VIRTUAL MACHINE INTROSPECTION Dustyn A. Dodge, B.S. Computer Engineering 1st Lieutenant, USAF Approved: //signed// ________________________________ _____________ Dr. Barry E. Mullins (Chairman) (3 Sept 2010) //signed// ________________________________ ______________ Dr. Gilbert L. Peterson (Member) (3 Sept 2010) //signed// ________________________________ ______________ Maj. Ryan W. Thomas, Ph.D. (Member) (3 Sept 2010) AFIT/GCE/ENG/10-07 Abstract Static memory analysis has been proven a valuable technique for digital forensics. However, the memory capture technique impacts the system by modifying important dynamic system data, such as logged on users, network status, active processes, active drivers, open files and open registry keys. As a result, live analysis techniques have emerged to complement static analysis. In this paper, a compiled memory analysis tool for virtualization (CMAT-V) is presented as a virtual machine introspection (VMI) utility to conduct live analysis during cyber attacks. CMAT-V leverages static memory dump analysis techniques to provide live system state awareness, which includes dynamic system data. Live analysis means that CMAT-V can continually parse live dynamic memory from an active guest operating system (OS). Unlike some VMI applications, CMAT-V bridges the semantic gap using derivation techniques. The semantic gap refers to the disconnect between raw data from dynamic memory and the OS-specific contextual meaning. CMAT-V detects Windows-based operating systems and uses the Microsoft Symbol Server to provide this context to the user. This technique provides increased CMAT-V compatibility for current and future Windows-based operating systems. This research demonstrates the usefulness of CMAT-V as a situational awareness tool during cyber attacks, tests the detection of CMAT-V from the guest system level and measures its impact on host performance. During experimental testing, live system state information was successfully extracted from two simultaneously executing virtual iv machines (VM’s) under four rootkit-based malware attack scenarios. For each malware attack scenario, CMAT-V was able to provide evidence of the attack. Furthermore, data from CMAT-V detection testing did not confirm detection of the presence of CMAT-V’s live memory analysis from the VM itself. This supports the conclusion that CMAT-V does not create uniquely identifiable interference in the VM itself. Finally, three different benchmark tests reveal an 8% to 12% decrease in the host VM performance while CMAT-V is executing. v Acknowledgments I would first like to thank Jimmy Okolica for his outstanding work developing CMAT and for his technical mentoring and support throughout this whole project. Without your help none of this could have been accomplished. In addition, I would like to thank Bill Kimball for his help with Windows data structures and the Intel architecture. A sincere thank you also goes to Ryan Harris for such an outstanding job acquiring equipment and software for my research. I would also like to thank Bryan Payne for his outstanding work developing and documenting the XenAccess project. Last but certainly not least, I would like to thank my advisor, Dr. Barry Mullins, and my committee members, Dr. Gilbert Peterson and Maj Ryan Thomas, for guiding me in my research. vi Table of Contents Page Abstract .............................................................................................................................. iv Acknowledgments.............................................................................................................. vi List of Figures ..................................................................................................................... x List of Tables .................................................................................................................... xii I. Introduction ..................................................................................................................... 1 1.1. Goals .................................................................................................................... 2 1.2. Assumptions......................................................................................................... 4 1.3. Thesis Overview .................................................................................................. 5 II. Background .................................................................................................................... 7 2.1. Virtualization ....................................................................................................... 7 2.1.1. Protection Ring Architecture ................................................................ 9 2.1.2. Virtualization Methods ....................................................................... 10 2.1.3. Benefits of Virtualization .................................................................... 17 2.2. Virtual Machine Introspection ........................................................................... 19 2.2.1. Motivation ........................................................................................... 19 2.2.2. The Semantic Gap ............................................................................... 22 2.2.3. VMI Model ......................................................................................... 23 2.2.4. VMI View-Generation ........................................................................ 25 2.3. Related Work ..................................................................................................... 29 2.3.1. Introvirt ............................................................................................... 31 2.3.2. Livewire .............................................................................................. 32 2.3.3. XenAccess........................................................................................... 33 2.3.4. Lares .................................................................................................... 34 2.3.5. VIX ..................................................................................................... 35 2.3.6. VMWatcher......................................................................................... 36 2.3.7. Ant Farm ............................................................................................. 37 2.3.8. LycosID............................................................................................... 38 2.3.9. Manitou ............................................................................................... 38 2.3.10. Patagonix............................................................................................. 39 2.3.11. Revirt................................................................................................... 40 2.3.12. Wizard ................................................................................................. 41 vii III. Methodology ............................................................................................................... 43 3.1. Problem Definition ............................................................................................ 43 3.2. CMAT-V Software Developmental Approach .................................................. 44 3.2.1. Overall Design .................................................................................... 44 3.2.2. Software Integration............................................................................ 48 3.2.3. Registry Search Optimization