Security implications of memory deduplication in a virtualized environment

Xiao, Jidong; Xu, Zuhua; Huang, Hai; Wang, Haining

doi:10.1109/dsn.2013.6575349

Cited by 50 publications

(26 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In addition, many packers contain anti-debugging and anti-VM features, further increasing the challenge of reverseengineering packed malware. [12] API Call Kernel32!IsDebuggerPresent returns 1 if a target process is being debugged ntdll!NtQueryInformationProcess: ProcessInformation field set to -1 if the process is being debugged kernel32!CheckRemoteDebuggerPresent returns 1 in debugger process NtSetInformationThread with ThreadInformationClass set to 0x11 will detach some debuggers kernel32!DebugActiveProcess to prevent other debuggers from attaching to a process PEB Field PEB!IsDebugged is set by the system when a process is debugged PEB!NtGlobalFlags is set if the process was created by a debugger Detection ForceFlag field in heap header (+0x10) can be used to detect some debuggers UnhandledExceptionFilter calls a user-defined filter function, but terminates in a debugging process TEB of a debugged process contains a NULL pointer if no debugger is attached; valid pointer if some debuggers are attached Ctrl-C raises an exception in a debugged process, but the signal handler is called without debugging Inserting a Rogue INT3 opcode can masquerade as breakpoints Trap flag register manipulation to thwart tracers If entryPoint RVA is set to 0, the magic MZ value in PE files is erased ZwClose system call with invalid parameters can raise an exception in an attached debugger Direct context modification to confuse a debugger 0x2D interrupt causes debugged program to stop raising exceptions Some In-circuit Emulators (ICEs) can be detected by observing the behavior of the undocumented 0xF1 instruction Searching for 0xCC instructions in program memory to detect software breakpoints TLS-callback to perform checks [17] Invalid instruction behavior [14] Using memory deduplication to detect various hypervisors including VMware ESX server, Xen, and Linux KVM [56] Anti-emulation Bochs Visible debug port [10] QEMU cpuid returns less specific information [7] Accessing reserved MSR registers raises a General Protection (GP) exception in real hardware; QEMU does not [15] Attempting to execute an instruction longer than 15 bytes raises a GP exception in real hardware; QEMU does not [15] Undocumented icebp instruction hangs in QEMU [7], while real hardware raises an exception Unaligned memory references raise exceptions in real hardware; unsupported by QEMU [15] Bit 3 of FPU Control World register is always 1 in real hardware, while QEMU contains a 0 [7] Other Using CPU bugs or errata to create CPU fingerprints via public chipset documentation [15] To demonstrate the transparency of MALT, we use popular packing tools to pack the Notepad.exe application in a Windows environment and run this packed application in MALT with near return stepping mode, OllyDbg [31], DynamoRIO [57], and a Windows virtual machine, respectively. Ten packing tools are used, including UPX, Obsidium, ASPack, Armadillo, Themida, RLPack, PELock, VMProtect, eXPressor, and PECompact.…”

Section: Testing With Packersmentioning

confidence: 99%

Using Hardware Features for Increased Debugging Transparency

Zhang

Leach

Stavrou

et al. 2015

2015 IEEE Symposium on Security and Privacy

Self Cite

View full text Add to dashboard Cite

Abstract-With the rapid proliferation of malware attacks on the Internet, understanding these malicious behaviors plays a critical role in crafting effective defense. Advanced malware analysis relies on virtualization or emulation technology to run samples in a confined environment, and to analyze malicious activities by instrumenting code execution. However, virtual machines and emulators inevitably create artifacts in the execution environment, making these approaches vulnerable to detection or subversion. In this paper, we present MALT, a debugging framework that employs System Management Mode, a CPU mode in the x86 architecture, to transparently study armored malware. MALT does not depend on virtualization or emulation and thus is immune to threats targeting such environments. Our approach reduces the attack surface at the software level, and advances state-of-the-art debugging transparency. MALT embodies various debugging functions, including register/memory accesses, breakpoints, and four stepping modes. We implemented a prototype of MALT on two physical machines, and we conducted experiments by testing an array of existing anti-virtualization, anti-emulation, and packing techniques against MALT. The experimental results show that our prototype remains transparent and undetected against the samples. Furthermore, our prototype of MALT introduces moderate but manageable overheads on both Windows and Linux platforms.

show abstract

Section: Testing With Packersmentioning

confidence: 99%

Using Hardware Features for Increased Debugging Transparency

Zhang

Leach

Stavrou

et al. 2015

2015 IEEE Symposium on Security and Privacy

Self Cite

View full text Add to dashboard Cite

show abstract

“…Suzaki et al [32] examined various virtual machines and discovered a side-channel in KVM based on the memory deduplication feature, which merges same-content memory pages, allowing for increased memory utilization. Based on these findings, Xiao et al [31] constructed a covert channel with bandwidths of up to 1000 bits/s yet with a large memory footprint of ∼ 400MB. Lipinski et al [50] drew on work done by Ristenpart et al [48] and improved the method of hard disk contention achieving a 1000 times higher steganographic bandwidth compared to the 0.1 bits/s by Ristenpart et al Okamura [28] et al examined the load-based covert channel on the Xen hypervisor.…”

Section: L4linux Resultsmentioning

confidence: 99%

“…Shared resources, such as caches [27], CPU [28], network subsystems [29], [30], or memory management [31], [32], are not only prevalent in all modern systems, but also run the risk of being the conduit for covert channel communication.…”

Section: A Covert Channel Backgroundmentioning

confidence: 99%

“…This is particularly notable as advanced system architectures employ hypervisors or other small isolation kernels with the goal of enforcing strict security policies. The memory deduplication feature in modern VMs is exploitable [31], [32], such that it allows to create very high-bandwidth channels. Lalande et al [35] prove that it is possible to form covert channels with various Linux subsystems, such as shared settings, system logs, thread enumeration, processor statistics, processor frequency, only to name a few.…”

Section: A Covert Channel Backgroundmentioning

confidence: 99%

See 1 more Smart Citation

Undermining Isolation Through Covert Channels in the Fiasco.OC Microkernel

Peter

Petschick

Vetter

et al. 2015

Lecture Notes in Electrical Engineering

View full text Add to dashboard Cite

Abstract-In the new age of cyberwars, system designers have come to recognize the merits of building critical systems on top of small kernels for their ability to provide strong isolation at system level. This is due to the fact that enforceable isolation is the prerequisite for any reasonable security policy. Towards this goal we examine some internals of Fiasco.OC, a microkernel of the prominent L4 family. Despite its recent success in certain highsecurity projects for governmental use, we prove that Fiasco.OC is not suited to ensure strict isolation between components meant to be separated.Unfortunately, in addition to the construction of system-wide denial of service attacks, our identified weaknesses of Fiasco.OC also allow covert channels across security perimeters with high bandwidth. We verified our results in a strong affirmative way through many practical experiments. Indeed, for all potential use cases of Fiasco.OC we implemented a full-fledged system on its respective archetypical hardware: Desktop server/workstation on AMD64 x86 CPU, Tablet on Intel Atom CPU, Smartphone on ARM Cortex A9 CPU. The measured peak channel capacities ranging from ∼13500 bits/s (Cortex-A9 device) to ∼30500 bits/s (desktop system) lay bare the feeble meaningfulness of Fiasco.OC's isolation guarantee. This proves that Fiasco.OC cannot be used as a separation kernel within high-security areas.

show abstract

“…For example, many mainframe virtual machine hypervisors such as VMware ESX and ESXi [10], Extended Xen [11], and KSM (Kernel Samepage Merging) [12] of the Linux kernel use the technique of memory deduplication to reduce memory footprint size of virtual machines. Since previous research has shown that page level memory sharing could create a side channel for information leakage [13], [14], [15], many end users ask the hypervisor to disable memory deduplication for their VMs. However, there exists no solution for end users to verify the execution of this agreement other than trusting the words of the cloud provider.…”

Section: Introductionmentioning

confidence: 99%

Detection of Service Level Agreement (SLA) Violation in Memory Management in Virtual Machines

Xie

Wang

Qin

2015

2015 24th International Conference on Computer Communication and Networks (ICCCN)

View full text Add to dashboard Cite

In cloud computing, quality of services is often enforced through Service Level Agreement (SLA) between end users and cloud providers. While SLAs on hardware resources such as CPU cycles or bandwidth can be monitored by low layer sensors, the enforcement of security SLAs stays a very challenging problem. Several high level architectures for security SLAs have been proposed. However, details still need to be filled before they can be deployed.In this paper, we propose to design mechanisms to detect violations of security SLAs. Specifically, we focus on unauthorized accesses to memory pages of a virtual machine and violation of the memory deduplication policies. Through measuring the accumulated memory access latency, we try to derive out whether or not the memory pages have been swapped out and the order of accesses to them. These events will then be compared to access commands issued by the local VM. In this way, unauthorized memory accesses or violation of deduplication policies can be detected. Compared to existing approaches, our mechanisms do not need explicit help from the hypervisor or third parties. Therefore, it can detect SLA violations even when they are initiated by the hypervisor. We implement our approaches under VMWare with Windows virtual machines. Our experiment results show that the VM can effectively detect the violations with small increases in overhead.

show abstract

Security implications of memory deduplication in a virtualized environment

Cited by 50 publications

References 15 publications

Using Hardware Features for Increased Debugging Transparency

Using Hardware Features for Increased Debugging Transparency

Undermining Isolation Through Covert Channels in the Fiasco.OC Microkernel

Detection of Service Level Agreement (SLA) Violation in Memory Management in Virtual Machines

Contact Info

Product

Resources

About