“Out-Of-VM” Approach for Fine-Grained Process Execution Monitoring

Workshop for Frontiers of Cloud Computing, Dec 1, 2011, IBM T.J. Watson Research Center, NY

Process Out-Grafting: An Efficient “Out-of-VM” Approach for Fine-Grained Process Execution Monitoring

Deepa Srinivasan, Zhi Wang, Xuxian Jiang, Dongyan Xu * North Carolina State University, Purdue University* Malware Infection Trend

New malware samples collected by McAfee Labs, by month*

*Figure source: McAfee Threats Report: Second Quarter 2011, McAfee Labs 2 Anti-Malware Isolation

Traditional anti-malware tools are not well-isolated

Virtual Machine (VM) introspection Isolate tool by placing it outside a VM Analyze states and events externally

User-mode Applications Monitor

Virtual Machine …

OS Kernel

Hypervisor

3 Anti-Malware Isolation

Traditional anti-malware tools are not well-isolated

Virtual Machine (VM) introspection Isolate tool by placing it outside a VM Analyze states and events externally

User-mode Applications Monitor VM Virtual Introspection Machine …

OS Kernel

Hypervisor

4 Out-of-VM Solutions

Livewire (Garfinkel et al. , NDSS ‘03)

XenAccess (Payne et al. , ACSAC ‘07)

VMScope (Jiang et al. , RAID ‘07)

Lares (Payne et al. , Oakland ‘08)

…

5 Semantic Gap in Introspection

What we want to observe

High-level states and events (e.g. system calls, processes)

What we can observe

Low-level states and events (e.g. raw memory, interrupts)

Internal User-mode Applications Monitor

… External Monitor Semantic Virtual Machine Gap OS Kernel

Hypervisor 6 Addressing the Semantic Gap

Guest view casting VMWatcher (Jiang et al. , CCS ‘07)

Automatic generation of introspection-based tools Virtuoso (Dolan-Gavitt et al. , Oakland ‘11)

Issues Sensitive to internal OS changes or updates Incompatible with existing anti-malware tools

7 Our Goal

Support existing in-host process monitors out-of-VM without semantic gap!

8 In-host strace

9 In-host Monitors

Process-level monitoring System calls Library calls Instruction execution traces

10 Process Out-Grafting

Isolation Monitor protection from malware

Compatibility Natural support for fine-grained user-mode process monitoring tools ( strace, ltrace, … )

Efficiency No significant performance overhead due to isolation

11 Rest of This Talk

Motivation

System Design

Implementation & Evaluation

Related Work

Conclusion

12 Assumptions

Trusted hypervisor

Untrusted monitored VM

Non-goals OS kernel-level monitoring Stealthy monitoring

13 Key Techniques

Technique I: On-Demand Grafting Production VM Security VM Stub Suspect Process Monitor

User User Kernel Kernel

Hypervisor Technique II: Mode-sensitive Split Execution

14 Key Techniques

Technique I: On-Demand Grafting Production VM Security VM Monitor

User User Kernel Kernel

Hypervisor

15 On-Demand Grafting On-Demand Grafting

Relocate suspect process to security VM

Enable efficient, native inspection Eliminate hypervisor intervention Support existing process monitoring tools

Initiate out-grafting as needed

Restore process after monitoring

17 When to Out-Graft?

Process in user-mode

Process in kernel-mode Hypervisor notified when user-mode execution resumes

Suspect Process

Production VM Physical NX Memory Frames User Kernel

Hypervisor

18 What to Out-Graft?

Architecture-specific resources

No OS kernel-specific resources

Main root cause in semantic gap

Continued execution of out-grafted process

Suspect Process

Physical Production Memory VM Frames

User EIP Kernel Network Disk File EAX Socket EBX … … Hypervisor

19 How to Out-Graft?

Stub protected Production VM by hypervisor Security VM Stub Suspect Process Monitor

Physical NXMemory X Frames User User Kernel Kernel Helper Module

VCPU Register State Hypervisor Page Mappings

20 Mode-Sensitive Split Execution Mode-Sensitive Split Execution

All user-mode execution occurs in security VM

All kernel-mode execution occurs in production VM

Out-grafted process considers itself running in production VM

22 System Call Redirection

Smooth, continued execution of out-grafted process

Monitor isolation

Production VM No hypervisor Security VM Stub intervention! Suspect Process Monitor

- System call number

- Arguments

User System Call User Kernel Network Kernel Socket Helper Module Disk File

Hypervisor (e.g., KVM)

23 Page Fault Forwarding

Consistent process memory mapping between VMs

No semantic knowledge in security VM (e.g. memory-mapped file)

Production VM Security VM Stub Suspect Process Monitor

- Faulting address

- Read/Write fault Page Page Fault Fault User User Kernel Kernel Page Tables Helper Module

Hypervisor (e.g., KVM)

24 Page Fault Forwarding

Consistent process memory mapping between VMs

No semantic knowledge in security VM (e.g. memory-mapped file)

Production VM Security VM Stub Suspect Process Monitor

Physical Memory Frame Page Page Fault Fault User User Kernel Kernel Page Tables Helper Module

Hypervisor (e.g., KVM)

25 Rest of This Talk

Motivation

System Design

Implementation & Evaluation

Related Work

Conclusion

26 Implementation

Hypervisor: KVM (2.6.36.1) Out-grafting support: +1309 SLOC Extended page tables support (Intel Core i7)

Host OS: Ubuntu 10.04 (kernel 2.6.28)

Guest OS: Ubuntu 9.04, Fedora 10

27 Security Analysis

Monitor isolation and effectiveness

System call forwarding Security VM protected from kernel attacks Production VM Security VM Stub Suspect Process Monitor

User User Kernel Network Kernel Socket System Call Disk File

Hypervisor (e.g., KVM) 28 Security Analysis

Stub protection Hypervisor-protected memory and page tables

Production VM Security VM Stub Suspect Process Monitor

User User Kernel Kernel

Hypervisor (e.g., KVM) 29 Security Analysis

Out-grafting detection Strong policy for random, arbitrary out-grafting

30 Case Studies

thttpd as test process for out-grafting Both disk and network usage

Support existing in-host tools, out-of-VM strace, ltrace, gdb

OmniUnpack (Martignoni et al. , ACSAC ‘07 )

31 Case Studies

thttpd as test process for out-grafting Both disk and network usage

Support existing in-host tools, out-of-VM strace, ltrace, gdb

OmniUnpack (Martignoni et al. , ACSAC ‘07 )

32 strace

In-VM strace Out-of-VM strace

33 Code Unpacking Detection

OmniUnpack (Martignoni et al. , ACSAC ‘07)

Track page writes and executions Detect unpacking when executing a previously-written page

Faithful reproduction of algorithm in Linux

Kernel module in security VM

NX bit support only in Localized overhead in Thorough test of page security VM kernel out-of-VM monitoring fault forwarding

34 Performance

Dell T1500, Intel Core i7, 4 cores, 2.6 GHz, 4 GB RAM

VM configuration Production VM: 1 VCPU, 2047 MB RAM Security VM: 1 VCPU, 1 GB RAM

35 Performance

Inter-VM system call ( getpid ): ~11 µs

Process state identification: ~250 µs

Slowdown to out-grafted process File-copy time: 35.42% thttpd throughput: 7.38%

36 Performance

Production VM Slowdown with a Contending Process Out-grafted 8% 6% 4% 2% 0% -2% -4% -6%

37 Rest of This Talk

Motivation

System Design

Implementation & Evaluation

Related Work

Conclusion

38 Related Work

VM introspection Livewire (Garfinkel et al. , NDSS ‘03) , XenAccess (Payne et al. , ACSAC ‘07) , VMScope (Jiang et al. , RAID ‘07) , Lares (Payne et al. , Oakland ‘08) , VMWatcher (Jiang et al. , CCS ‘07) , Virtuoso (Dolan-Gavitt et al. , Oakland ‘11) Efficient, isolated monitoring SIM (Sharif et al. , CCS ’09)

Process migration BLCR (Smith, UCB-TR ‘08) , Zap (Osman et al. , OSDI ‘02) , Migration survey (Nuttall et al. , ACM OS Review ’94) System call forwarding Application protection (Ta-Min et al. , OSDI ‘06) , Monitoring fidelity (Martignoni et al. , ICISS ‘09) Sandboxing, isolation techniques Ostia (Garfinkel et al. , NDSS ‘04) , Janus (Goldberg et al. , Security ‘96)

39 Conclusion

Process Out-grafting: An Efficient Out-of-VM Approach for Fine-grained Process Execution Monitoring (CCS ‘11)

Technique I: On-Demand Grafting Production VM Security VM Stub Suspect Process Monitor

User User Kernel Kernel

Hypervisor

Technique II: Mode-sensitive Split Execution 40 Thank you!

Questions?