Master of Science

thesisSystem administrators use application-level knowledge to identify anomalies in virtual appliances (VAs) and to recover from them. This process can be automated through an anomaly detection and recovery system. In this thesis, we claim that application-level policies defined over kernel-level application state can be effective for automatically detecting and mitigating the effects of malicious software in VAs. By combining user-defined application-level policies, virtual machine introspection (VMI), expert systems, and kernel-based state management techniques for anomaly detection and recovery, we are able to provide a favorable environment for the execution of applications in VAs. We use policies to specify the desired state of the VA based on an administrator's application-level knowledge. By using VMI we are able to generate a snapshot that represents the true internal state of the VA. An expert system evaluates the snapshot and identifies any violations. Potential violations include the execution of an irrelevant application, an unauthorized process, or an unfavorable environment configuration. The expert system also reasons about appropriate recovery strategies for each of the violations detected. The recovery strategy decided by the expert system is carried out by recovery tools so that the VA can be restored to an acceptable state. We evaluate the effectiveness of this approach for anomaly detection and repair by using it to detect and recover from the actions of different types malicious software targeting a web server VA. The system is shown to be effective in guarding the VA against the actions of a kernel-exploit kit, a kernel rootkit, a user-space rootkit, and an application malware. For each of these attacks, the recovery component was able to restore the VA to an acceptable state. Although, the recovery actions carried out did not remove the malicious software, they substantially mitigated the harmful effects of the malicious software

監視対象システムを止めずにカーネル制御フロー改変ルートキットを検知するシステム

　カーネル制御フロー改変ルートキットとは，ユーザプロセスが発行するシステムコールのカーネル内処理ルーチンを改竄し，目的を実現するマルウェアである．この種のルートキットは，実現しやすい，汎用性が高い，そして検知されにくいという特徴を持つ．ルートキットにより汚染されたシステムの上で動作するルートキット検知システムの挙動は信用できないため，検知システムは仮想マシンモニタを利用するなどして，対象システムの外部に置くのが一般的である．　しかし，対象システムを外部に置くと，セマンティクギャップという問題が生じる．従来の多くの研究では，一時的に対象システムを止めて，システムから必要な情報を取得する手法を用いてセマンティクギャップ問題を解決する．しかし，この手法では，オーバーヘッドが大きく，対象システムのパフォーマンスを低下させる問題点が生じる．　本研究では，対象システムを止めることなく，監視対象の外部からルートキットを検知するシステムを目指す．本システムは対象システムのカーネル関数の呼び出し履歴(トレース情報)を取得するカーネル組み込みの Ftrace を拡張して利用する．更に，Ftrace は対象システム内部で動作しているため，トレース結果がルートキットにより改竄される恐れがある．本研究では，ルートキットによるトレース情報の改竄を困難にするため，トレース情報をホスト側で用意した鍵と XOR を取るように対象システムを拡張した．これらの目的を達成するため，本研究では，Ftrace と QEMU-KVM 及びゲスト OS のカーネルを拡張し利用した．電気通信大学201

Extraction of Host Internal Information for External Hardware Security Monitors

학위논문 (박사)-- 서울대학교 대학원 : 전기·컴퓨터공학부, 2016. 2. 백윤흥.Defending electrical devices against a variety of attacks is a daunting task. A lot of researchers have endeavored to address this issue by proposing security solutions that can attain high level of security while minimizing performance overhead introduced to the system. Among them, hardware-based security solutions have been noted for high performance compared to their software-based counterparts. However, we have witnessed that these mechanisms have rarely been accepted to the market. This phenomenon may be attributed to the fact that most solutions incur non-negligible modifications to the host architecture internals and thus would substantially increase the design time and manufacturing cost. In order to answer this problem, a hardware-based external monitoring has recently been proposed. The crux of this solution is that, being located outside the host core and connected to the host via a standard bus interface, the external monitor can efficiently conduct time-consuming monitoring tasks on behalf of the host while requiring no alteration to the host internals. However, these approaches either suffer from the incapability of handling various security problems or experience unsubtle performance overhead because, being externally placed and having no dedicated communication channels, the hardware monitor has a limited access to the information produced by the host core, and consequently, the system may be forced to use memory regions or other shared hardware resources to explicitly transfer the information from the host to the monitor hardware. In this thesis, we propose a security solution that can carry out more complicated security tasks with low performance overhead while keeping the host internal architecture intact. This can be archived by using an existing standard debug interface, readily available in numerous modern processors, to connect our security monitor to the host processor. In order to show the validity of our approach and explore the implication of using the debug interface for security monitoring, we present three security monitoring systems each of which addresses one of three well-known security issues: defending against kernel rootkits, tracking information-flow, and defense of code-reuse attacks. The experiment results show that, when implemented on a FPGA prototyping board, our monitoring solutions successfully detect the attack samples (i.e., data leakage attacks and CRAs). More importantly, our systems can attain significantly low performance overhead compared to previously proposed security monitoring solutions. The experiments also reveal that the area overhead of the hardware is acceptably small when compared to the normal sizes of today's mobile processors.Chapter 1. Introduction 1 Chapter 2. Background and RelatedWork 8 2.1 Background 8 2.1.1 Core Debug Interface 8 2.2 Related Work 9 2.2.1 Software-based Monitoring solutions 10 2.2.2 Hardware-based Monitoring with Invasive Modification 10 2.2.3 Hardware-based Monitoring with Minimal Modification 11 2.2.4 Hardware-based Kernel Integrity Monitors 12 2.2.5 Utilizing debug interface 13 Chapter 3. Monitoring the Integrity of OS Kernels with Data-Flow Information 15 3.1 Introduction 15 3.2 Motivational Example 19 3.3 Assumptions and Threat Models 20 3.4 The Baseline System 21 3.4.1 The Overall System Design 21 3.4.2 Periodic Cache Flush for Cache Resident Attacks 23 3.5 Extrax design 25 3.5.1 Address Translation Unit 26 3.5.2 Early Stage Filter 28 3.6 Experimental Results 30 3.6.1 Prototype System 30 3.6.2 Security Evaluation 32 3.6.3 Performance Analysis 34 3.6.4 Power Consumption 36 3.7 Limitation and Future Work 36 3.8 Conclusion 39 Chapter 4. Monitoring Dynamic Information Flow using Control-Flow/Data-Flow Information 41 4.1 Introduction 41 4.2 DIFT Process with an External Hardware Engine 44 4.3 Building a DIFT Engine for CDI 48 4.3.1 Components of the DIFT Engine 48 4.3.2 Tag Propagation Unit 51 4.4 Experiment 53 4.4.1 Security Evaluation 56 4.4.2 Performance Evaluation 56 4.5 Conclusion 59 Chapter 5. Monitoring ROP/JOP Attacks using Control-Flow Information 60 5.1 Introduction 60 5.2 Background and Assumptions 65 5.2.1 Background 65 5.2.2 Assumptions and Threat Model 70 5.3 Overall System Architecture 71 5.3.1 SoC Prototype Overview 71 5.3.2 CRA Detection Process 72 5.4 IMPLEMENTATION DETAILS 75 5.4.1 Binary Instrumentation 75 5.4.2 Hardware Architectures 77 5.5 EXPERIMENTAL RESULTS 82 5.6 Conclusion 86 Chapter 6. Conclusion 88 Bibliography 90 초 록 99Docto

Achieving cyber resiliency against lateral movement through detection and response

Systems and attacks are becoming more complex, and classical cyber security methods are failing to protect and secure those systems. We believe that systems must be built to be resilient to attacks. Cyber resilience is a dynamic protection strategy that aims to stop cyber attacks while maintaining an acceptable level of service. The strategy monitors a system to detect cyber incidents, and dynamically changes the state of the system to learn about the incidents, contain an attack, and recover. Thus, instead of being perfectly protected, a cyber-resilient system survives a cyber incident by containing the attack and recovering while maintaining service. Cyber resiliency has the potential to secure the modern systems that control our critical infrastructure. However, several practical and theoretical challenges hinder the development of cyber-resilient architectures. In particular, an architecture needs to support and make use of a large amount of monitoring; the problem is especially serious for a large network in which hosts send low-level information for fusion. The problem is not only computational; the semantics of the data also creates a challenge. In combining information from multiple sources and across multiple abstractions, we need to realize that the sources are describing different events in the system which are occurring at varying time scales. Moreover, the system is dependent on the integrity of the monitoring data when estimating the state of the system. The estimated state is used to detect malicious activities and to drive responses. The integrity of the monitoring data is critical to making “correct” decisions that are not influenced by the attacker. In addition, choosing an appropriate response to specific attacks requires knowledge of the at- tackers’ behavior, i.e., an attacker model. If the attacker model is wrong, then the responses selected by the mechanism will be ineffective. Finally, the response mechanisms need to be proven effective in maintaining the resilience of the system. Proving such properties is particularly challenging when the systems are highly complex. In this dissertation, we propose a resiliency architecture that uses a model of the system to deploy monitors, estimates the state of the system using monitor data, and selects responses to contain and recover from attacks while maintaining service. Then we describe our design for the essential components of the said resiliency architecture for a multitude of systems including operating systems, hosts, and enterprise net- works, to address lateral movement attacks. Specifically, we have built components that address monitor design, fusion of monitoring data, and response. Our pieces address the challenges that face cyber-resilient architectures. We set out to provide resilience against lateral movement. Lateral movement is a step taken by an attacker to shift his or her position from an initial compromised host into a target host with high value. First, we designed a host-level monitor Kobra that generates different estimations of the state of a host. Kobra combines the various aspects of application behavior into multiple views: (1) a discrete time signal used for anomaly detection, and (2) a host-level process communication graph to correlate events that happen in a network. We use the host correlations to generate chains of network events that correspond to suspicious lateral movement behavior. We use a novel fusion framework that enables us to fuse monitoring events for different sources over a hierarchy. Finally, we respond to lateral movement by changing the topology and healing rates in the network. The changes are enacted by a feedback controller to slow down and stop the spread of the attack. Since our cyber resiliency architecture depends on the integrity of the monitoring data, we propose PowerAlert, an out-of-box integrity checker, to establish the “trustworthiness” of a machine. PowerAlert is resilient to attacker evasion and adaptation. It uses the current drawn by the CPU, measured using an external probe, to confirm that the machine executed the check as expected. To prevent an attacker from evading PowerAlert, we use an optimal initiation strategy, and to resist adaptation, we use randomly generated integrity-checking programs. We pick the optimal initiation strategy by modeling the problem of low-cost integrity checking when an attacker is attempting to evade detection as a continuous-time game called Tireless. The optimal strategy is the Nash equilibrium that optimizes the defender’s cost of checking and utility of detection against an adaptive attacker