HyperLeech: Stealthy System Virtualization with Minimal Target Impact through DMA-Based Hypervisor Injection Ralph Palutke Simon Ruderich Friedrich-Alexander-Universität Erlangen Friedrich-Alexander-Universität Erlangen Matthias Wild Felix C. Freiling Friedrich-Alexander-Universität Erlangen Friedrich-Alexander-Universität Erlangen Abstract to alter important kernel structures, as memory forensics and live analysis often rely on their integrity [5, 22, 59]. In ad- In the recent past, malware began to incorporate anti-forensic dition, Zhang et al. [68] bypass state-of-art memory acquisi- techniques in order to hinder analysts from gaining mean- tion by manipulating the physical address layout on x86 plat- ingful results. Consequently, methods that allow the stealthy forms. Besides attacks that target software-based approaches, analysis of a system became increasingly important. Rutkowska [53] demonstrated a method to attack Direct Ac- HyperLeech In this paper, we present , the first approach cess Memory (DMA)-based acquisition by remapping parts which uses DMA to stealthily inject a thin hypervisor into of the Memory Mapped I/O (MMIO) address space. Zdzi- the memory of a target host, transparently shifting its oper- chowski et al. [66] listed further approaches in a recent meta ation into a hardware-accelerated virtual machine. For the study, surveying the landscape of modern anti-forensics. Ap- code injection, we make use of external PCILeech hardware proaches like these indicate the necessity for novel analysis to enable DMA to the target memory. Combining the advan- techniques that are robust against anti-forensics. tages of hardware-supported virtualization with the benefits provided by DMA-based code injection, our approach can To deliver ideal analysis results, an approach must meet two serve analysts as a stealthy and privileged execution layer that requirements which seemingly contradict each other: First, the enables powerful live forensics and atomic memory snapshots soundness of a particular analysis method indicates its robust- for already running systems. Our experiments revealed that ness against anti-forensics, meaning its degree of accuracy HyperLeech is sufficient to virtualize multi-core Linux hosts based on the actual data of the current target state. Second, a without causing significant impact on a target’s processor and method’s target impact implies the amount of modifications it memory state during its installation, execution, and removal. introduces to a target’s memory and processor state during its Although our approach might be misused for malicious pur- installation, operation, and removal. From a forensics point poses, we conclude that it provides new knowledge to help of view, a low target impact is desirable, as it prevents both a researchers with the design of stealthy system introspection potential loss of evidence and the chance for evasive malware techniques that focus on preserving a target system’s state. to alter its behavior [31]. Running an analysis tool at the same or even a lower privileged domain gives malware the chance to intercept its functionality and falsify results. Consequently, 1 Introduction a sound analysis cannot be guaranteed. To keep control over a system’s operation, security software steadily migrated to The ongoing arms race between malware authors and security higher privileged layers [32]. In contrast to malware infec- practitioners lead to increasingly sophisticated approaches tions, the deployment of privileged analysis software mostly on both sides. Recently, malware began to incorporate anti- depends on a system’s regular loading mechanisms. These forensics to evade analysis. Sparks and Butler [58] presented have a quite significant impact on the target state and usually a novel rootkit technique that subverts the memory transla- require root access, both disadvantageous from a forensics tion process of the Windows operating system, and exploits perspective. Furthermore, analysis methods are usually de- Translation Lookaside Buffer (TLB) incoherencies to hide ma- ployed after a system has been infected, which gives malware licious memory. Palutke and Freiling [42], as well as Torrey the chance to tamper with their installation. Hence, analysts [61], further enhanced this concept by dynamically virtualiz- began to use increasingly stealthy approaches to conceal the ing a victim system’s view on the physical memory, relying deployment of their methods. Stüttgen and Cohen [60] in- on a kernel extension. Other approaches use Direct Kernel ject a minimal memory acquisition module into an already Object Manipulation (DKOM), first discussed by Butler [6], existing host kernel module with only a small target impact. USENIX Association 23rd International Symposium on Research in Attacks, Intrusions and Defenses 165 Besides the installation of an analysis method, both its execu- ting up Extended Page Tables (EPTs), providing an ab- tion and removal, as well as the extraction of results, which straction of the physical memory, often makes use of existing communication channels, alter the target state to an even higher degree. In addition, these • devise the process of removing our system without leav- communication channels might already be compromised, so ing detectable traces, that the integrity of the transferred data cannot be guaranteed. • implement a prototype that is capable of virtualizing run- With the rise of anti-forensics, security practitioners started ning multi-core Linux hosts without notably impacting to use DMA from external hardware in order to analyze a the target’s processor and memory state, system [7, 15, 36, 44]. This allows the transparent access of a system’s memory without notably impacting its state, as DMA • evaluate the target impact caused by the injection, exe- does not interfere with a processor’s operation. Since these cution and removal of our system, devices are often hot pluggable, DMA-based approaches offer • point out the performance impact caused by the injection a significant advantage when targeting production systems, of our system, and where down times are often not acceptable. As hot plugging allows a method to be deployed even after the infection of a • discuss possible mitigation strategies, as our approach system, it is especially useful for malware analysis. In addi- might be misused as a powerful rootkit. tion, DMA usually bypasses authorization checks enforced by the operating system. As a downside, Gruhn and Freiling The remainder of this paper is outlined as follows: Sec- [21] showed that these approaches suffer from a lack of atom- tion2 provides fundamental background knowledge that is icity, since the target is not suspended during the analysis or necessary to understand our design concepts. In Section3, we acquisition process. Consequently, they cannot produce fully present an architectural overview of the HyperLeech system, sound analysis results. and describe its injection and removal. Section4 evaluates Virtualization-based approaches provide the transparent the impact on both the target’s state and performance, and analysis of a system from the more privileged hypervisor discusses possible mitigation strategies. Section5 briefly sur- layer. The respective target is booted inside a virtualized exe- veys related work and possible use cases. Concluding remarks cution environment (respectively VM), enabling the isolated and future research directions are given in Section6. analysis of the system through Virtual Machine Introspection (VMI)[18]. Since investigators are mostly confronted with 2 Technical Background already infected systems running on bare metal, these cannot be virtualized by conventional technologies like KVM [20] For a better understanding of our design choices, we briefly or Xen [4], however. This led analysts to use on-the-fly vir- outline important technical fundamentals. Consequently, we tualization, initially introduced by Rutkowska [52] and Zovi introduce the PCILeech framework (Section 2.1), explain the [69], which installs a thin hypervisor through a kernel driver, mechanics of hardware-supported virtualization provided by and migrates the running system into a hardware-accelerated Intel’s VT-x (Section 2.2), and shed light on the Advanced Pro- VM for further analysis [29, 39, 47, 65]. Although on-the-fly grammable Interrupt Controller (APIC) (Section 2.3). Read- virtualization greatly improves the analysis of a system, it ers familiar with the topics can skip these sections. falls short in several categories. Loading a kernel driver re- quires root privileges and has significant impact on the target state. Furthermore, an already infected kernel might subvert 2.1 PCILeech the installation process altogether. Originally developed by Frisk [15], the PCILeech project In this paper, we present HyperLeech, the first approach is a generic attack framework that allows external devices combining transparent DMA-based code injection and on- to use DMA over Peripheral Component Interconnect Ex- the-fly virtualization. In contrast to existing solutions, our press (PCIe) to inject code into the physical memory of a approach enables the sound analysis of a target system with target system. Due to PCIe offering hot plug functionality, a negligible impact on its processor and memory state. In detail, variety of PCILeech devices can be attached to a system at we runtime. Similarly, such devices can be unplugged at any time without causing significant interruptions. PCILeech supports • are the first to use DMA from an
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages16 Page
-
File Size-