Desnos Anthony (ESIEA SI&S)
Filiol Éric (ESIEA (v+c)^o)
Detection of an HVM rootkit (aka BluePill-like)
● Rootkit
  – Userland
  – Kernel land
● Userland
  – Replace binaries
  – Patch on the fly
  – Syscall proxy
  – Remote userland execve
● Kernel land
  – Hooks in the text section
  – Hooks in data (structures)
  – No hook!
● HVM (Hardware-based Virtual Machine) Rootkit
  – Uses virtualization
● Rootkit in ring -1
● All power over the host
● Virtualization
  – AMD
    ● SVM
  – Intel
    ● VMX
● SVM
  – Quick switch from host to guest,
  – Interception of instructions or guest events,
  – DMA access protection: EAP (External Access Protection),
  – Tagged TLB between the hypervisor and the virtual machines.
● HVM Rootkit
  – "Switching the operating system into a virtual machine"
● All classic time sources may be intercepted (RDTSC, I/O, ...)
● All user actions
● BluePill
  – The first and the only public HVM rootkit
  – Released in 2006 (Vista 64 bits, AMD) by Joanna Rutkowska
  – Latest version 0.32 (AMD + Intel) (~10,000 lines)
● Controversy
  – Security buzz
● Advertisements:
  – « End of the world » / « undetectable rootkit »
● « Tout va bien madame la marquise » ("Everything is fine, Madame la Marquise")
● Is detecting a hypervisor the same thing as detecting an HVM rootkit?
● Solutions:
  – Timing attack
  – Pattern matching
  – TLB
  – DMA/FireWire
  – CPU bugs
● Analysis
  – No hook (no installation after a reboot)
  – Loading of BluePill:
    ● like a driver
      – Vista: driver signing
        ● F8 during the boot
    ● by a memory device
    ● by a kernel bug
● Analysis
  – Interceptions
    ● vmrun, vmload, vmsave
    ● MSRs: EFER, VM_HSAVE_PA, TSC
    ● clgi, stgi
    ● SMM
    ● Debug
    ● cpuid, rdtsc, rdtscp
● Protections
  – Against rdtsc
  – Blue Chicken
● No viral payload?!
  – Simple hypervisor
  – « hvm rootkit » PoC
● Why?
● Why?
  – No hook on the system
  – Filtering I/O
    ● Time!
● Detection techniques
  – Memory fingerprint
    ● Uses the classic memory allocator
    ● The rootkit can bypass it
● Detection techniques
  – Timing attack
    ● Impossible (the rootkit is already here!)
● Detection techniques
  – Timing attack
    ● Impossible (the rootkit is already here!)
    ● External sources?
      – NTP
      – Counter
● Counter (original idea from Barbosa)
  – No information
  – 2 threads in kernel land
    ● Calling an intercepted instruction
    ● Incrementing a variable
  – Each thread on its own CPU
  – Drawbacks:
    ● Processor with >= 2 CPUs
    ● Variable frequency
● Without BluePill:
  – Average: 30 incrementations/instruction
● With BluePill:
  – Average: 330 incrementations/instruction
● « hvm rootkit » PoC
  – x 10!!
● Useful rootkit!
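A user-space approximation of the two-sided counter probe (Barbosa's idea, behind the 30 vs 330 figures above), added here as an example; it is not the authors' code. It assumes Linux on x86, uses a forked child instead of a second kernel thread, lets the scheduler place the two sides on separate CPUs rather than pinning them, and uses CPUID as the intercepted instruction.

```c
#define _DEFAULT_SOURCE               /* MAP_ANONYMOUS, kill() on glibc */
#include <signal.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define PROBE_SUPPORTED 1
/* CPUID always causes a VM exit under SVM/VMX, so it is a good probe */
#define PROBE_INSN() do { unsigned a, b, c, d; __cpuid(0, a, b, c, d); (void)a; } while (0)
#else
#define PROBE_SUPPORTED 0
#define PROBE_INSN() ((void)0)
#endif

int probe_supported(void) { return PROBE_SUPPORTED; }

/* Side A (forked child) only increments a shared counter; side B (this process)
 * executes CPUID and samples how far the counter moved. Returns the average
 * increments per CPUID, or -1.0 when the probe cannot run (non-x86, <2 CPUs,
 * fork/mmap failure). A hypervisor intercepting CPUID inflates the average. */
double measure_increments_per_cpuid(unsigned iterations) {
    if (!PROBE_SUPPORTED || iterations == 0 || sysconf(_SC_NPROCESSORS_ONLN) < 2)
        return -1.0;
    volatile unsigned long *counter = mmap(NULL, sizeof *counter,
        PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (counter == MAP_FAILED) return -1.0;
    *counter = 0;
    pid_t child = fork();
    if (child < 0) { munmap((void *)counter, sizeof *counter); return -1.0; }
    if (child == 0)                       /* side A: spin until killed */
        for (;;) (*counter)++;
    unsigned long spin = 0;               /* bounded wait for side A to start */
    while (*counter == 0 && ++spin < 200000000UL) ;
    double result = -1.0;
    if (*counter != 0) {
        unsigned long total = 0;
        for (unsigned i = 0; i < iterations; i++) {
            unsigned long before = *counter;
            PROBE_INSN();                 /* a VM exit here widens the delta */
            total += *counter - before;
        }
        result = (double)total / iterations;
    }
    kill(child, SIGKILL); waitpid(child, NULL, 0);
    munmap((void *)counter, sizeof *counter);
    return result;
}

/* The slides' rule of thumb: ~30 increments bare metal vs ~330 under BluePill. */
int hypervisor_suspected(double baseline, double measured, double factor) {
    return measured > 0 && measured > baseline * factor;
}
```

The baseline must be measured on the same machine while it is known clean, since the absolute count depends on CPU frequency (the "variable frequency" drawback noted above).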
● Conclusion:
  – No rootkit is really undetectable
  – The opposite is also true
● Conclusion
  – Stay away from the security buzz
  – Protection?
    ● Deactivation of virtualization in the BIOS
    ● A key to activate virtualization
      – Impossible to access!
    ● Protective hypervisor