Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluctuations
Hardware virtualization technologies play a significant role in cyber security. On the one hand, they raise the security level by enabling the design of a trusted operating system. On the other hand, they can be taken up by modern malware, which then becomes very hard to detect. None of the existing methods can reliably detect a hypervisor in the face of countermeasures such as time cheating, temporary self-uninstalling and memory hiding. The new hypervisor detection methods described in this paper detect a hypervisor despite these countermeasures and can even count several nested ones. They rely on a new statistical analysis of time discrepancies, obtained by examining a set of instructions which a hypervisor intercepts unconditionally. Reliability was achieved through comprehensive analysis of the collected data despite its fluctuation. The methods were assessed on both Intel and AMD CPUs.

Comment: 25 pages, 7 figures, 8 tables. Paper presented at the Proceedings of the 10th Annual Conference on Digital Forensics, Security and Law (CDFSL), 33-57, Daytona Beach, Florida, USA (2015, May 18-21).
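The timing idea in the abstract above, as an added illustration that is not the paper's code and not its actual method: CPUID is one of the instructions a hypervisor must intercept unconditionally under both Intel VT-x and AMD-V, so its latency measured with RDTSC jumps when a hypervisor is present. Because individual samples fluctuate, the decision uses medians and the median absolute deviation instead of means. The function names (median_u64, mad_u64, timing_gap_suspicious), the thresholds and the sample tick counts are my own constructions.

```c
/*
 * Added example (not code from the paper): timing-based hypervisor detection.
 * CPUID always causes a VM exit, so its cost rises sharply under a hypervisor.
 * Raw TSC readings fluctuate (interrupts, SMIs, frequency changes), so the
 * decision uses the median and the median absolute deviation (MAD), which are
 * not dragged around by a few huge outliers the way a mean is.
 * Builds with a plain C compiler; the live measurement only compiles on x86.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>      /* __cpuid */
#include <x86intrin.h>  /* __rdtsc */
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n > 0 samples; sorts a private copy so the input stays intact. */
uint64_t median_u64(const uint64_t *v, size_t n) {
    uint64_t *tmp = malloc(n * sizeof *tmp);
    if (!tmp) return 0;
    memcpy(tmp, v, n * sizeof *tmp);
    qsort(tmp, n, sizeof *tmp, cmp_u64);
    uint64_t m = (n & 1) ? tmp[n / 2] : (tmp[n / 2 - 1] + tmp[n / 2]) / 2;
    free(tmp);
    return m;
}

/* Median absolute deviation: a robust estimate of how noisy a series is. */
uint64_t mad_u64(const uint64_t *v, size_t n) {
    uint64_t med = median_u64(v, n);
    uint64_t *dev = malloc(n * sizeof *dev);
    if (!dev) return 0;
    for (size_t i = 0; i < n; i++) dev[i] = v[i] > med ? v[i] - med : med - v[i];
    uint64_t m = median_u64(dev, n);
    free(dev);
    return m;
}

/*
 * Decision rule (my thresholds, not the paper's): suspect a hypervisor when the
 * median cost of the trapping instruction is more than `ratio` times the median
 * cost of the reference AND the gap exceeds `noise_factor` times the combined
 * MAD of both series, so a single noisy run cannot trigger it on its own.
 */
int timing_gap_suspicious(const uint64_t *trap, const uint64_t *ref, size_t n,
                          unsigned ratio, unsigned noise_factor) {
    uint64_t mt = median_u64(trap, n), mr = median_u64(ref, n);
    if (mt <= mr * ratio) return 0;
    uint64_t noise = mad_u64(trap, n) + mad_u64(ref, n);
    return (mt - mr) > noise * noise_factor;
}

/* Constructed samples in TSC ticks; one outlier per series stands in for an interrupt. */
#define SAMPLE_N 8
const uint64_t SAMPLE_TRAP[SAMPLE_N]   = {1200, 1180, 1250, 9000, 1190, 1210, 1195, 1205}; /* CPUID under a hypervisor */
const uint64_t SAMPLE_NATIVE[SAMPLE_N] = {60, 62, 61, 59, 900, 60, 61, 62};                /* CPUID on bare metal */
const uint64_t SAMPLE_REF[SAMPLE_N]    = {40, 42, 41, 39, 800, 40, 41, 42};                /* empty RDTSC pair */

#if HAVE_X86
static volatile unsigned sink;

/* TSC ticks for one CPUID(0), which always traps to a hypervisor. */
static uint64_t time_cpuid(void) {
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);
    uint64_t t1 = __rdtsc();
    sink = a ^ b ^ c ^ d;   /* keep the CPUID result observable */
    return t1 - t0;
}

/* TSC ticks for an empty RDTSC pair: the cost of the harness itself. */
static uint64_t time_empty(void) {
    uint64_t t0 = __rdtsc();
    uint64_t t1 = __rdtsc();
    return t1 - t0;
}
#endif

int main(void) {
    printf("constructed samples -> hypervisor suspected: %d\n",
           timing_gap_suspicious(SAMPLE_TRAP, SAMPLE_REF, SAMPLE_N, 10, 5));
#if HAVE_X86
    enum { N = 4096 };
    static uint64_t trap[N], ref[N];
    for (size_t i = 0; i < N; i++) { trap[i] = time_cpuid(); ref[i] = time_empty(); }
    printf("live: median CPUID %llu ticks (MAD %llu), median empty %llu ticks (MAD %llu)\n",
           (unsigned long long)median_u64(trap, N), (unsigned long long)mad_u64(trap, N),
           (unsigned long long)median_u64(ref, N), (unsigned long long)mad_u64(ref, N));
    printf("live: hypervisor suspected: %d\n", timing_gap_suspicious(trap, ref, N, 10, 5));
#else
    puts("live measurement needs an x86 CPU");
#endif
    return 0;
}
```

Build with `cc -O2 detect.c` and run it once on bare metal and once inside a VM to compare the two medians; pin the process to one core and discard a warm-up round before trusting live numbers. The example does not defeat the countermeasures the abstract lists: a hypervisor that intercepts RDTSC or applies TSC offsetting (the "time cheating" above) can shrink the gap, and that is exactly the case the paper's methods are designed to handle.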
Memoryranger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
Windows OS kernel memory is one of the main targets of cyber-attacks. By launching such attacks, hackers succeed in process privilege escalation and in tampering with users' data by accessing kernel-mode memory. This paper considers a new example of such an attack, which results in access to files opened in exclusive mode. Windows built-in security features prevent such illegal access, but attackers can circumvent them by patching dynamically allocated objects. The research shows that Windows 10, version 1809 x64 is vulnerable to this attack. The paper provides an example of using MemoryRanger, a hypervisor-based solution that prevents such attacks by running kernel-mode drivers in isolated kernel memory enclaves.
Windows Kernel Hijacking Is Not an Option: MemoryRanger Comes to the Rescue Again
The security of a computer system depends on OS kernel protection. It is crucial to reveal and inspect new attacks on kernel data, as these are used by hackers. The purpose of this paper is to continue research into attacks on dynamically allocated data in the Windows OS kernel and to demonstrate the capacity of MemoryRanger to prevent these attacks. This paper discusses three new hijacking attacks on kernel data, which are based on bypassing OS security mechanisms. The first two result in illegal access to files opened in exclusive mode. The third escalates process privileges without applying token swapping. Although Windows security experts have introduced new protection features, access attempts to dynamically allocated data in the kernel are not fully controlled. The MemoryRanger hypervisor is designed to fill this security gap. The updated MemoryRanger prevents these new attacks and supports Windows 10 1903 x64.
Hypervisor-Based Active Data Protection for Integrity and Confidentiality Of Dynamically Allocated Memory in Windows Kernel
One of the main issues in OS security is providing trusted code execution in an untrusted environment. During execution, kernel-mode drivers dynamically allocate memory to store and process their data: Windows core kernel structures, users' private information and sensitive data of third-party drivers. All of this data can be tampered with by kernel-mode malware. Attacks on Windows-based computers can result not only in hiding a malware driver, process privilege escalation and theft of private data, but also in failures of industrial CNC machines. Windows built-in security and existing approaches do not provide integrity and confidentiality for the memory allocated by third-party drivers. The proposed hypervisor-based system (AllMemPro) protects allocated data from being modified or stolen. AllMemPro prevents access to even a single byte of allocated data, adapts to newly allocated memory in real time, and protects a driver without requiring its source code. AllMemPro works well on the newest Windows 10 1709 x64.
Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump Using CUDA-enabled GPU Hardware
This paper focuses on the anticipatory enhancement of methods for detecting stealth software. Current cyber security detection tools are not powerful enough to reveal the most recent malware-based attacks. We first present the idea of maximally stealthy malware, the most complicated scenario for detection because it combines existing anti-forensic techniques with their potential improvements. Second, we present new detection methods that are resilient to this hidden prototype. To address this detection challenge, we analyzed Windows memory content using a new method of Shannon entropy calculation, methods of digital photogrammetry and the Zipf-Mandelbrot law, as well as by disassembling the memory content and analyzing the output. Finally, we present the idea and architecture of a software tool that uses CUDA-enabled GPU hardware to speed up memory forensics. All three ideas are currently work in progress.
Keywords: rootkit detection, anti-forensics, memory analysis, scattered fragments, anticipatory enhancement, CUDA
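A concrete instance of one of the statistical tools the abstract mentions, as an added example that is not the authors' code: per-page Shannon entropy over a memory image using the textbook formula. The abstract's "new method" of calculating it is not described on this page and is not what this implements. The three-page sample image, the function names (shannon_entropy, pages_above, build_sample_image) and the 7.5 bits/byte threshold are my constructions.

```c
/*
 * Added example (not the paper's code): textbook Shannon entropy per 4 KiB page
 * of a memory image, a coarse first pass in memory forensics. Encrypted or
 * packed payloads approach 8 bits/byte, unused zero-filled pages sit at 0, and
 * ordinary text or code lands in between. log2 is implemented locally so the
 * file links with a bare `cc` (no -lm needed).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096

/* log2(x) for x > 0 without libm: IEEE-754 exponent plus an atanh series for
 * the mantissa m in [1,2), where y = (m-1)/(m+1) < 1/3 converges quickly. */
static double log2_nolibm(double x) {
    union { double d; uint64_t u; } v = { x };
    int e = (int)((v.u >> 52) & 0x7FF) - 1023;
    v.u = (v.u & 0x000FFFFFFFFFFFFFull) | 0x3FF0000000000000ull;   /* v.d = m */
    double y = (v.d - 1.0) / (v.d + 1.0), y2 = y * y, term = y, s = 0.0;
    for (int k = 1; k < 40; k += 2) { s += term / k; term *= y2; }
    return e + 2.0 * s / 0.6931471805599453;   /* e + ln(m) / ln(2) */
}

/* Shannon entropy in bits per byte (0.0 for an empty buffer). */
double shannon_entropy(const uint8_t *buf, size_t len) {
    if (!len) return 0.0;
    size_t hist[256] = {0};
    for (size_t i = 0; i < len; i++) hist[buf[i]]++;
    double h = 0.0;
    for (int b = 0; b < 256; b++) {
        if (!hist[b]) continue;
        double p = (double)hist[b] / (double)len;
        h -= p * log2_nolibm(p);
    }
    return h;
}

/* Number of pages with entropy >= threshold; a trailing partial page counts too. */
size_t pages_above(const uint8_t *img, size_t len, double threshold) {
    size_t hits = 0;
    for (size_t off = 0; off < len; off += PAGE_SIZE) {
        size_t n = len - off < PAGE_SIZE ? len - off : PAGE_SIZE;
        if (shannon_entropy(img + off, n) >= threshold) hits++;
    }
    return hits;
}

/* Constructed three-page "dump": zero page, ASCII text page, PRNG-filled page
 * standing in for an encrypted fragment. Not a real memory capture. */
#define IMG_PAGES 3
static uint8_t g_img[IMG_PAGES * PAGE_SIZE];

const uint8_t *build_sample_image(size_t *len) {
    memset(g_img, 0, sizeof g_img);                     /* page 0: unused */
    const char *txt = "the quick brown fox jumps over the lazy dog ";
    size_t tl = strlen(txt);
    for (size_t i = 0; i < PAGE_SIZE; i++)              /* page 1: text */
        g_img[PAGE_SIZE + i] = (uint8_t)txt[i % tl];
    uint32_t x = 0x9E3779B9u;                           /* page 2: xorshift32 */
    for (size_t i = 0; i < PAGE_SIZE; i++) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        g_img[2 * PAGE_SIZE + i] = (uint8_t)x;
    }
    *len = sizeof g_img;
    return g_img;
}

int main(void) {
    size_t len;
    const uint8_t *img = build_sample_image(&len);
    for (size_t p = 0; p < len / PAGE_SIZE; p++)
        printf("page %zu: %.3f bits/byte\n", p, shannon_entropy(img + p * PAGE_SIZE, PAGE_SIZE));
    printf("pages at or above 7.5 bits/byte: %zu\n", pages_above(img, len, 7.5));
    return 0;
}
```

On a real dump, pages that score near 8 bits/byte are candidates for closer inspection (encrypted configuration, packed code, key material), but compressed images, fonts and media buffers score just as high, so entropy is a triage signal to combine with the other techniques the abstract lists rather than a verdict on its own.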
Applying Memory Forensics to Rootkit Detection
Volatile memory dumping and its analysis are an essential part of digital forensics. Among the many software and hardware approaches to memory dumping, some have been shown not to be resilient to various anti-forensic techniques, while others require a reboot or are highly platform dependent. Newer resilient tools have their own disadvantages, such as low speed or vulnerability to rootkits which directly manipulate kernel structures, e.g. page tables. A new memory forensic system, Malware Analysis System for Hidden Knotty Anomalies (MASHKA), is described in this paper. It is resilient to popular anti-forensic techniques and can be used for a wide range of memory forensics tasks. This paper describes how to apply the system to the research and detection of kernel-mode rootkits and also presents an analysis of the most popular anti-rootkit tools.

Comment: 25 pages, 3 figures, 8 tables. Paper presented at the Proceedings of the 9th Annual Conference on Digital Forensics, Security and Law (CDFSL), 115-141, Richmond, VA, USA (2014, May 28-29).