32 research outputs found

    Artifact Mitigation in High-Fidelity Hypervisors

    17 USC 105 interim-entered record; under temporary embargo. U.S. Government affiliation is unstated in article text.

    HyBIS: Windows Guest Protection through Advanced Memory Introspection

    Effectively protecting the Windows OS is a challenging task, since most implementation details are not publicly known. Windows has always been the main target of malware that has exploited numerous bugs and vulnerabilities. Recent trusted boot and additional integrity checks have rendered the Windows OS less vulnerable to kernel-level rootkits. Nevertheless, guest Windows virtual machines are becoming an increasingly interesting attack target. In this work we introduce and analyze a novel Hypervisor-Based Introspection System (HyBIS) we developed for protecting Windows OSes from malware and rootkits. The HyBIS architecture is motivated and detailed, while targeted experimental results show its effectiveness. Comparison with related work highlights the main HyBIS advantages, such as effective semantic introspection, support for 64-bit architectures and for the latest Windows versions (8.x and 10), and advanced malware disabling capabilities. We believe the research effort reported here will pave the way to further advances in the security of Windows OSes.

    Assessing performance overhead of Virtual Machine Introspection and its suitability for malware analysis

    Virtual Machine Introspection (VMI) is the process of introspecting a guest VM's memory and reconstructing the state of the guest operating system. Due to its isolation, stealth and full visibility of the monitored target, VMI lends itself well to security monitoring and malware analysis. The topics covered in this thesis include operating system and hypervisor concepts, the semantic gap issue, VMI techniques and implementations, applying VMI to malware analysis, and analysis of the performance overhead. The behaviour and magnitude of the performance overhead associated with doing virtual machine introspection is analysed with five different empirical test cases. The intention of the tests is to estimate the cost of a single trapped event, determine the feasibility of various monitoring sensors from a usability and stealth perspective, and analyse the behaviour of the performance overhead. Various VMI-based tools were considered for the measurements, but DRAKVUF was chosen as it is the most advanced tool available. The test cases go as follows. The chosen load is first executed without any monitoring to determine the baseline execution time. Then a DRAKVUF monitoring plugin is turned on and the load is executed again. After both measurements have been made, the difference between the two execution times is the time spent executing monitoring code. The execution overhead is then determined by dividing that difference by the baseline execution time. The disk consumption and execution overhead of a sensor that captures removed files is small enough for it to be deployed as a monitoring solution. The performance overhead of a system call monitoring sensor is dependent on the number of issued system calls. Loads which issue large numbers of system calls cause high performance overhead. The performance overhead of such loads can be limited by monitoring a subset of all system calls.

    ARTIFACT MITIGATION IN HIGH-FIDELITY HYPERVISORS

    The use of hypervisors for cyber operations has increased significantly over the past decade, resulting in an associated increase in the demand for higher-fidelity hypervisors. These hypervisors would not exhibit the markers, or artifacts, that expose the presence of the virtualized environments present in most currently available virtualization solutions. To address this, we present an in-depth examination of a subset of virtualization artifacts in order to design and implement a software solution that will reduce detectability via mitigation of these artifacts. Our analysis includes performance measurements of a bare metal machine, a virtualized machine without our mitigations, and a virtualized machine with our mitigations. The analysis also includes a measure of our implemented system's simulated sensor output. Results of the implementation are analyzed to determine the potential performance impact, the accuracy of our system's simulated output, and whether our mitigation technique is appropriate for extending high-fidelity hypervisors. Outstanding Thesis. Lieutenant Commander, United States Navy. Approved for public release; distribution is unlimited.

    Prevalence of ASEP types in Windows malware.

    Auto Start Execution Points (ASEPs) are those locations in the operating system that allow a program to run automatically without any explicit user interaction. In the cybersecurity field, it is common for malware (malicious software) to make use of these elements to guarantee its persistence on a compromised system for as long as possible. This project focuses on designing a workflow that makes it possible to study the prevalence of ASEPs in Windows malware through an automated system, capable of obtaining and processing malware samples from different sources, as well as coordinating different machines in charge of dynamically analyzing their behaviour and subsequently categorizing them according to the results of that analysis. Once the experimental phase of the work was completed, it was verified that the analysis system developed is able to successfully carry out the analysis and classification of the vast majority of samples introduced into the analysis pipeline, offering a detailed report of the results of this process. Furthermore, it was confirmed that the designed system managed to detect the use of different types of ASEPs in multiple samples and subsequently to classify them correctly. During the development of the project a series of difficulties arose that limited the original scope of the study; an analysis of their impact is offered, together with several proposals to resolve them.

    Designing Robust API Monitoring Solutions

    Tracing the sequence of library calls and system calls that a program makes is very helpful to characterize its interactions with the surrounding environment and, ultimately, its semantics. However, due to the entanglements of real-world software stacks, accomplishing this task can be surprisingly challenging once we take accuracy, reliability, and transparency into the equation. In this article, we identify six challenges that API monitoring solutions should overcome in order to manage these dimensions effectively, and outline actionable design points for building robust API tracers that can be used even for security research. We then detail and evaluate SNIPER, an open-source API tracing system available in two variants based on dynamic binary instrumentation (for simplified in-guest deployment) and hardware-assisted virtualization (realizing the first general user-space tracer of this kind), respectively.