Lokke, a hybrid security hypervisor
Resumo
This work did ample research on techniques used by advanced threats that aim to evade detection systems, elevate privileges and manipulate objects in a modern OS kernel, using the Windows 10 kernel as a test bench. Given state-of-the-art attacks in kernelspace, this work's main goal is to design a secure mechanism to protect the OS kernel against a class of attacks, not relying upon any specific vector. This mechanism is based on hybrid virtualization and combines the advantages of Type 1 and 2 hypervisors, where the hypervisor runs at the same level as the OS kernel does, but within a privileged execution framework. The design of this security framework allows for the integration with other security subsystems, by providing security policies enforced by the hypervisor and independently of the kernel.
Referências
ATTACK, K. A. T. Advanced threat defense and targeted attack risk mitigation. Tech. rep., Kaspersky, 2019.
CHEN, X., GARFINKEL, T., LEWIS, E. C., SUBRAHMANYAM, P., WALDSPURGER, C. A., BONEH, D., DWOSKIN, J., AND PORTS, D. R. Overshadow: A virtualization-based approach to retrofitting protection in commodity operating systems. SIGARCH Comput. Archit. News 36, 1 (Mar. 2008), 2–13.
DEVELOPMENT TEAM, B. lightweight hypervisor sdk written in c++ with support for windows, linux and uefi. https://github.com/Bareflank/hypervisor.
DOLAN-GAVITT, B., LEEK, T., ZHIVICH, M., GIFFIN, J., AND LEE, W. Virtuoso: Narrowing the semantic gap in virtual machine introspection. In 2011 IEEE Symposium on Security and Privacy (May 2011), pp. 297–312.
DONG, Y., ZHANG, X., DAI, J., AND GUAN, H. Hyvi: A hybrid virtualization solution balancing performance and manageability. IEEE Transactions on Parallel and Distributed Systems 25, 9 (Sep. 2014), 2332–2341.
GRAZIANO, M., FLORE, L., LANZI, A., AND BALZAROTTI, D. Subverting operating system properties through evolutionary dkom attacks. In Proceedings of the 13th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (2016).
HFIREF0X. DefeatingWindows User Account Control by abusing built-in Windows AutoElevate backdoor. https://github.com/hfiref0x/UACME, 2018.
HOFMANN, O. S., KIM, S., DUNN, A. M., LEE, M. Z., AND WITCHEL, E. Inktag: Secure applications on an untrusted operating system. SIGPLAN Not. 48, 4 (Mar. 2013), 265–278.
INTEL. Intel 64 and IA-32 Architectures Software Developer’s Manual - Volume 3C. Intel Corporation, Setember 2016.
INTELLIGENCE, W. T. Microsoft security intelligence report. Tech. Rep. 24, Microsoft, 2019.
IONESCU, A. Simplevisor is a simple, portable, intel vt-x hypervisor. https://github.com/ionescu007/SimpleVisor.
KASPERSKY. Kaspersky secure hypervisor. https://os.kaspersky.com/products/kaspersky-secure-hypervisor, 2016.
KING, S. T., AND CHEN, P. M. Subvirt: implementing malware with virtual machines. In 2006 IEEE Symposium on Security and Privacy (S P’06) (2006), pp. 14 pp.–327.
LANGE, J., AND DINDA, P. Symcall: Symbiotic virtualization through vmm-to-guest upcalls. vol. 46, pp. 193–204.
LUT, AS,, A., COLES, A, A., LUKACS, S., AND LUTAS, D. U-hipe: hypervisor-based protection of usermode processes in windows. Journal of Computer Virology and Hacking Techniques (02 2015).
MICROSOFT. Access tokens. [link].
MICROSOFT. From alert to driver vulnerability: Microsoft defender atp investigation unearths privilege escalation flaw. [link].
MICROSOFT. Securing device objects. [link].
MICROSOFT. Windows defender advanced threat protection. [link].
MICROSOFT. Windows early launch antimalware. [link], 2017.
MICROSOFT. Windows defender application control configurable code integrity and virtualizationbased security. [link], 2018.
ORMAN, H. The morris worm: A fifteen-year perspective. Security and Privacy, IEEE 1 (10 2003), 35 – 43.
OS, Q. Qubes os, a reasonably secure operating system. https://www.qubes-os.org.
PIETRO, R. D., FRANZONI, F., AND LOMBARDI, F. Hybis: Windows guest protection through advanced memory introspection. CoRR abs/1601.05851 (2016).
RUTKOWSKA, J. Subverting vista kernel forfun and profit. Black Hat Briefings (7 2006).
SESHADRI, A., LUK, M., QU, N., AND PERRIG, A. Secvisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity oses. In SOSP (2007), T. C. Bressoud and M. F. Kaashoek, Eds., ACM, pp. 335–350.
SILVA, O. A. A. NIST CVE-2018-8061. https://nvd.nist.gov/vuln/detail/CVE-2018-8061, 2018.
SYSTEMS, V. Rekall forensic. http://www.rekall-forensic.com/.
UNKNOW. Intel Network Adapter Diagnostic Driver IOCTL Handling Vulnerability. https://www.exploit-db.com/exploits/36392, 2015.
UNKNOW. ASUS Memory Mapping Driver - Physical Memory Read/Write. https://www.exploitdb.com/exploits/39785/, 2016.
VMWARE, I. vSphere Management SDK v7. https://code.vmware.com/web/sdk/7.0/vsphere-management, 2020.
WOJTCZUK, R., AND RUTKOWSKA, J. Following the white rabbit: Software attacks against intel (r) vt-d technology.
YOSIFOVICH, P., RUSSINOVICH, M. E., SOLOMON, D. A., AND IONESCU, A. Windows Internals, Part 1: System Architecture, Processes, Threads, Memory Management, and More (7th Edition), 7th ed. Microsoft Press, Redmond, WA, USA, 2017
CHEN, X., GARFINKEL, T., LEWIS, E. C., SUBRAHMANYAM, P., WALDSPURGER, C. A., BONEH, D., DWOSKIN, J., AND PORTS, D. R. Overshadow: A virtualization-based approach to retrofitting protection in commodity operating systems. SIGARCH Comput. Archit. News 36, 1 (Mar. 2008), 2–13.
DEVELOPMENT TEAM, B. lightweight hypervisor sdk written in c++ with support for windows, linux and uefi. https://github.com/Bareflank/hypervisor.
DOLAN-GAVITT, B., LEEK, T., ZHIVICH, M., GIFFIN, J., AND LEE, W. Virtuoso: Narrowing the semantic gap in virtual machine introspection. In 2011 IEEE Symposium on Security and Privacy (May 2011), pp. 297–312.
DONG, Y., ZHANG, X., DAI, J., AND GUAN, H. Hyvi: A hybrid virtualization solution balancing performance and manageability. IEEE Transactions on Parallel and Distributed Systems 25, 9 (Sep. 2014), 2332–2341.
GRAZIANO, M., FLORE, L., LANZI, A., AND BALZAROTTI, D. Subverting operating system properties through evolutionary dkom attacks. In Proceedings of the 13th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (2016).
HFIREF0X. DefeatingWindows User Account Control by abusing built-in Windows AutoElevate backdoor. https://github.com/hfiref0x/UACME, 2018.
HOFMANN, O. S., KIM, S., DUNN, A. M., LEE, M. Z., AND WITCHEL, E. Inktag: Secure applications on an untrusted operating system. SIGPLAN Not. 48, 4 (Mar. 2013), 265–278.
INTEL. Intel 64 and IA-32 Architectures Software Developer’s Manual - Volume 3C. Intel Corporation, Setember 2016.
INTELLIGENCE, W. T. Microsoft security intelligence report. Tech. Rep. 24, Microsoft, 2019.
IONESCU, A. Simplevisor is a simple, portable, intel vt-x hypervisor. https://github.com/ionescu007/SimpleVisor.
KASPERSKY. Kaspersky secure hypervisor. https://os.kaspersky.com/products/kaspersky-secure-hypervisor, 2016.
KING, S. T., AND CHEN, P. M. Subvirt: implementing malware with virtual machines. In 2006 IEEE Symposium on Security and Privacy (S P’06) (2006), pp. 14 pp.–327.
LANGE, J., AND DINDA, P. Symcall: Symbiotic virtualization through vmm-to-guest upcalls. vol. 46, pp. 193–204.
LUT, AS,, A., COLES, A, A., LUKACS, S., AND LUTAS, D. U-hipe: hypervisor-based protection of usermode processes in windows. Journal of Computer Virology and Hacking Techniques (02 2015).
MICROSOFT. Access tokens. [link].
MICROSOFT. From alert to driver vulnerability: Microsoft defender atp investigation unearths privilege escalation flaw. [link].
MICROSOFT. Securing device objects. [link].
MICROSOFT. Windows defender advanced threat protection. [link].
MICROSOFT. Windows early launch antimalware. [link], 2017.
MICROSOFT. Windows defender application control configurable code integrity and virtualizationbased security. [link], 2018.
ORMAN, H. The morris worm: A fifteen-year perspective. Security and Privacy, IEEE 1 (10 2003), 35 – 43.
OS, Q. Qubes os, a reasonably secure operating system. https://www.qubes-os.org.
PIETRO, R. D., FRANZONI, F., AND LOMBARDI, F. Hybis: Windows guest protection through advanced memory introspection. CoRR abs/1601.05851 (2016).
RUTKOWSKA, J. Subverting vista kernel forfun and profit. Black Hat Briefings (7 2006).
SESHADRI, A., LUK, M., QU, N., AND PERRIG, A. Secvisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity oses. In SOSP (2007), T. C. Bressoud and M. F. Kaashoek, Eds., ACM, pp. 335–350.
SILVA, O. A. A. NIST CVE-2018-8061. https://nvd.nist.gov/vuln/detail/CVE-2018-8061, 2018.
SYSTEMS, V. Rekall forensic. http://www.rekall-forensic.com/.
UNKNOW. Intel Network Adapter Diagnostic Driver IOCTL Handling Vulnerability. https://www.exploit-db.com/exploits/36392, 2015.
UNKNOW. ASUS Memory Mapping Driver - Physical Memory Read/Write. https://www.exploitdb.com/exploits/39785/, 2016.
VMWARE, I. vSphere Management SDK v7. https://code.vmware.com/web/sdk/7.0/vsphere-management, 2020.
WOJTCZUK, R., AND RUTKOWSKA, J. Following the white rabbit: Software attacks against intel (r) vt-d technology.
YOSIFOVICH, P., RUSSINOVICH, M. E., SOLOMON, D. A., AND IONESCU, A. Windows Internals, Part 1: System Architecture, Processes, Threads, Memory Management, and More (7th Edition), 7th ed. Microsoft Press, Redmond, WA, USA, 2017
Publicado
13/10/2020
Como Citar
SILVA, Otávio A. A.; GEUS, Paulo Lício de.
Lokke, a hybrid security hypervisor. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 20. , 2020, Petrópolis.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2020
.
p. 201-214.
DOI: https://doi.org/10.5753/sbseg.2020.19238.
