[2014 CodeEngn Conference 10] 김학수 - Hypervisor Rootkits: How Far Have We Gone?
Transcript of [2014 CodeEngn Conference 10] 김학수 - Hypervisor Rootkits: How Far Have We Gone?
Index
ⓒ 2014 CodeEngn hakbaby
About Hypervisor
- Origin of the Hypervisor
- Hardware Assisted Virtualization
Attack Hypervisor
- HVM Rootkit
- SMM Rootkit
- Hypervisor in Cloud
Protect Hypervisor
- Trust Execution Technology
- Secure Virtual Machine
Virtualization
A technology that allows several operating systems to run on a single piece of hardware.
Virtualization – Hypervisor?!
A technology that allows several operating systems to run on a single piece of hardware.
The logical platform needed to implement virtualization is the Hypervisor.
Origin of the Hypervisor - Emulator
A method that maps the operating system to the hardware one to one and rewrites its instructions (Binary Translation).
[Diagram: Emulator. Host PC OS (Windows 8) on Hardware (Intel IA-32: CPU, Memory, NIC, Disk; Blade Hardware; Other Hardware). Emulation Engine (ARM) runs Guest OS (Android); Emulation Engine (IBM PowerPC) runs Guest OS (Mac OS X). Binary Translation example: the guest instruction MOV R0, R1 becomes the host instruction MOV EAX, EBX.]
Origin of the Hypervisor – Full & Para
- Full Virtualization
Virtualizes the entire system, fully emulating its BIOS, CPU, memory and so on.
[Diagram: Full Virtualization. Ring 3 (User Application), Ring 2, Ring 1 (Guest OS), Ring 0 (Virtual Machine Monitor), Host Computer System Hardware. Two paths into the hardware are shown: Direct Execution (User Request) and Binary Translation.]
Emulation vs Virtualization: What's different?
[Diagram: Virtualization. Hardware (Intel IA-32), Host PC OS (Windows 8), Virtual Machine Monitor, Guest OS (Windows XP) and Guest OS (Ubuntu) each running an Application.]
[Diagram: Emulator. Hardware (Intel IA-32), Host PC OS (Windows 8), Emulation Engine (ARM) running Guest OS (Android), Emulation Engine (IBM PowerPC) running Guest OS (Mac), Application on top.]
Origin of the Hypervisor – Full & Para
- Para Virtualization
The Guest OS kernel is partially modified, and OS-level requests are handled by Hypercalls.
[Diagram: Para Virtualization. Ring 3 (User Application), Ring 2, Ring 1, Ring 0 (Modified Guest OS), Virtual Machine Monitor, Host Computer System Hardware. User requests run by Direct Execution (User Request); the modified Guest OS reaches the Virtual Machine Monitor through Hypervisor Calls (Hypercalls).]
Para Virtualization – Hypercall?
[Diagram: System Calls on Windows. INT 2E or SYSENTER (SYSENTER_EIP MSR) enters the kernel; the Interrupt Descriptor Table's Interrupt Gate Descriptor (ISR Offset, Segment Selector, Privilege Level (DPL)) and the Global Descriptor Table's Code Descriptor (Code Segment Base Address) locate the System Service Dispatcher (KiSystemService). KeServiceDescriptorTable (Service Table, Counter Table, Service Limit, Argument Table) points to the System Service Tables for ntoskrnl.exe and win32k.sys; the System Service Dispatch Table is indexed by EAX to obtain the Kernel Function address.]
Hypervisor : Hardware-Assist Virtualization
- Hardware-Assist Virtualization
Binary Translation, the biggest source of overhead in virtualization, goes away and the CPU begins to provide support.
[Diagram: Intel Virtual Machine Monitor & Guests. Non-Root Mode Privilege Levels: Ring 3 (User Application), Ring 2, Ring 1, Ring 0 (Guest OS), with Direct Execution (User Request); execution of certain instructions and hardware control rights are partly restricted. Root Mode Privilege Levels: Hypervisor Layer on the Host Computer System Hardware, holding full control of the CPU and hardware. The VM Monitor enters VMX operation with VMXON and leaves it with VMXOFF; Guest 0 and Guest 1 are entered by VM Entry and return to the monitor by VM Exit.]
Hypervisor – Type of Hypervisor
Native (Bare Metal): sits directly on the host hardware and is responsible for hardware control and Guest OS monitoring.
Hosted: sits on the host operating system and manages the Guest OS purely as a piece of software.
Attack of Hypervisor : Virtual Machine Extensions
[Diagram: Intel VT-x. Guest OS (Windows XP) and Guest OS (Ubuntu), each with an Application, span Ring 3 and Ring 0; Root Mode sits beneath them. Labelled elements, numbered ① to ⑤: VM Entry, VM Exit, VMM Configuration, VMM Control Structure (VMCS), Memory and I/O Virtualization, Virtual CPU on the Host PC Hardware.]
HVM Rootkit : HVM
- Hardware-assisted Virtualization Machine : HVM
An HVM typically configures a VMCS and runs the Guest OS; when the executing Guest OS code performs one of the configured operations, a VM Exit occurs and the VMM handles it.
[Diagram: Operating System - Kernel's Processor Control Block (KPRCB) side by side with VMCS handling. VM Guest 0 to VM Guest 3 each have their own VMCS (Guest0 VMCS to Guest3 VMCS); the processor tracks Active VMCS pointers (*VMCS) and the Current VMCS pointer. On the OS side (simplified), the KPRCB holds *CurrentThread, *NextThread and *IdleThread; KPROCESS/EPROCESS entries are chained by LIST_ENTRY {FLINK, BLINK}; KTHREAD/ETHREAD carries ApcState.]
Hypervisor – Virtual Machine Control Data Structures (VMCS)
Hypervisor : VMCS (Intel)
The data structure that controls VMX non-root operation and VMX transitions.
[Diagram: States of VMCS X. States: Inactive / Not Current / Clear; Active / Not Current / Clear; Active / Current / Clear; Active / Current / Launched; Active / Not Current / Launched. Transitions are labelled VMPTRLD X, VMPTRLD Y, VMCLEAR X, VMLAUNCH and "Anything Else".]
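The "States of VMCS X" figure is the state diagram from Intel's Software Developer's Manual that the slide reproduces. The following Python model is an added example, not code from the talk or from Intel: it tracks the active / current / launched flags of one VMCS, called X, while a sequence of VMX instructions is applied (Y stands for any other VMCS), and reports the VMfail cases the diagram implies (VMLAUNCH on an already launched VMCS, VMRESUME on a clear one). The instruction strings and the `VmFail` exception are this model's own conventions.

```python
# Added educational model of the "States of VMCS X" diagram (Intel SDM, VMX
# chapter). Constructed for this page; not hypervisor code. It tracks the
# active / current / launched flags of one VMCS, called X, as VMX
# instructions are applied, and raises VmFail where the real CPU would fail.
from dataclasses import dataclass


class VmFail(Exception):
    """The instruction is not valid for VMCS X in its present state (VMfail)."""


@dataclass(frozen=True)
class VmcsState:
    active: bool = False    # VMPTRLD has made X known to this logical processor
    current: bool = False   # X is the VMCS that VMREAD/VMWRITE/VMLAUNCH/VMRESUME act on
    launched: bool = False  # VMLAUNCH has run; later VM entries must use VMRESUME

    def label(self) -> str:
        return "/".join((
            "Active" if self.active else "Inactive",
            "Current" if self.current else "Not Current",
            "Launched" if self.launched else "Clear",
        ))


def step(state: VmcsState, instruction: str) -> VmcsState:
    """Apply one instruction ("VMPTRLD X", "VMPTRLD Y", "VMCLEAR X",
    "VMCLEAR Y", "VMLAUNCH", "VMRESUME") and return the new state of X."""
    parts = instruction.split()
    op, operand = parts[0], (parts[1] if len(parts) > 1 else None)

    if op in ("VMPTRLD", "VMCLEAR") and operand is None:
        raise ValueError(f"{op} needs an operand (X or Y)")

    if op == "VMPTRLD":
        if operand == "X":                        # X becomes active and current
            return VmcsState(True, True, state.launched)
        # loading another VMCS displaces X as current; X stays active (or inactive)
        return VmcsState(state.active, False, state.launched)

    if op == "VMCLEAR":
        if operand == "X":                        # X becomes inactive, not current, clear
            return VmcsState()
        return state                              # clearing Y does not touch X

    if op == "VMLAUNCH":
        if not state.current:
            return state                          # acts on the current VMCS, which is not X
        if state.launched:
            raise VmFail("VMLAUNCH on a launched VMCS; VMRESUME is required")
        return VmcsState(True, True, True)

    if op == "VMRESUME":
        if state.current and not state.launched:
            raise VmFail("VMRESUME on a clear VMCS; VMLAUNCH is required")
        return state                              # "anything else": no state change

    raise ValueError(f"unknown instruction: {instruction}")


def run(sequence):
    """Return the state label after each instruction, starting from the
    initial Inactive/Not Current/Clear state."""
    state = VmcsState()
    trace = [state.label()]
    for instruction in sequence:
        state = step(state, instruction)
        trace.append(state.label())
    return trace


def vmfails(sequence) -> bool:
    """True if the sequence reaches a VMfail condition for VMCS X."""
    try:
        run(sequence)
    except VmFail:
        return True
    return False


if __name__ == "__main__":
    demo = ["VMPTRLD X", "VMLAUNCH", "VMPTRLD Y", "VMPTRLD X", "VMRESUME", "VMCLEAR X"]
    for instruction, label in zip(["(start)"] + demo, run(demo)):
        print(f"{instruction:12s} -> {label}")
```

The model makes one property of the diagram explicit: "launched" survives a VMPTRLD of another VMCS and only VMCLEAR X returns X to the clear state, which is why a VMM must VMCLEAR a VMCS before it can VMLAUNCH it again.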
HVM Rootkit : VMRUN Instruction
[Diagram: VMRUN (AMD). Instruction flow outside the matrix (Host PC / Hypervisor): VMRUN loads the VMCB, which holds the guest state and the specification of which guest events are intercepted. Instruction flow inside the guest (Virtual Machine): when the guest has been intercepted, execution resumes at the next instruction after VMRUN, with the exit code written to the VMCB on exit.]
HVM Rootkit : Blue Pill Infection
[Diagram: Blue Pill infection flow. The Native Operating System executes CALL BluePill; the Blue Pill Hypervisor enables SVM, prepares the VMCB, executes VMRUN and then checks VMCS.exitcode. The RET from the Blue Pill PROC is never reached in host mode and is executed only once, in guest mode, during the first call: the Native Operating System continues to execute, but inside a Virtual Machine this time.]
HVM Rootkit : Blue Pill
[Diagram: Blue Pill loading, steps ① to ④. Instdrv.exe loads Bluepill.sys into Ring 0 on the CPU; Bluepill.sys sets up the VMCB Host; in the final step the Bluepill Hypervisor sits beneath the host.]
Cheat Engine - DBVM
Imagine a Story!
- Cloud Computing
Computing that lets IT services such as data storage, networking and content use be consumed all at once through servers on the Internet.
Cloud Computing Services
[Diagram: Cloud service layers. Service models: Software as a Service, Platform as a Service, Infrastructure as a Service; audiences: End Users, Application Developers, Network Architects; underlying stack: Virtualization, Server, Storage, Network.]
Attack of Cloud System!
[Diagram: Cloud Physical Hardware running a Cloud Hypervisor that hosts Guest 0, Guest 1, Guest 2, Guest 3 ... Guest X.]
[Diagram: the same system after compromise, steps ① to ③: Guest 1 is infected, the Cloud Hypervisor becomes infected, and from there the attacker can Control Another Guest OS.]
So, How Detected?
Trust Execution Technology (TXT)
Secure Virtual Machine (SVM)
INTEL – Trust Execution Technology
[Diagram: Intel TXT. The Hardware measures the Hypervisor loaded on it and compares the measurement with the expected value: MATCH for the expected Hypervisor, NO MATCH for a Hypervisor that differs from it.]
Trusted Platform Module : TPM
A dedicated microprocessor designed to protect the hardware by integrating cryptographic keys into the device.
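The TXT slide above shows hardware measuring the hypervisor and reporting MATCH or NO MATCH, and the TPM definition names the chip that holds such measurements. The Python below is an added example, constructed for this page and not Intel's TXT or a real TPM: it models a SHA-256 PCR that can only be extended, measures a firmware image and a hypervisor image in launch order, and compares the resulting PCR with a golden value. The image bytes, component names and the `check_launch` helper are all constructed for the example.

```python
# Added model of the measure-and-compare idea behind the TXT slide and the
# TPM definition. Constructed for this page; NOT Intel's TXT or a real TPM,
# only a SHA-256 PCR extend chain with a golden-value comparison.
import hashlib
import hmac

PCR_RESET = bytes(32)  # a PCR starts as all zeros at launch (SHA-256 bank)


def measure(image: bytes) -> bytes:
    """Measurement of a component = hash of its image."""
    return hashlib.sha256(image).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || measurement). A PCR can only
    be extended, never written, so the value records every step in order."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_launch(components):
    """Extend a fresh PCR with each (name, image) pair in launch order.
    Returns the final PCR and an event log of (name, measurement hex)."""
    pcr = PCR_RESET
    event_log = []
    for name, image in components:
        m = measure(image)
        pcr = pcr_extend(pcr, m)
        event_log.append((name, m.hex()))
    return pcr, event_log


def replay_log(event_log) -> bytes:
    """Recompute the PCR from the event log alone; a verifier uses this to
    check that a reported log is consistent with the reported PCR."""
    pcr = PCR_RESET
    for _name, m_hex in event_log:
        pcr = pcr_extend(pcr, bytes.fromhex(m_hex))
    return pcr


def verdict(pcr: bytes, golden: bytes) -> str:
    """MATCH / NO MATCH as on the slide, using a constant-time comparison."""
    return "MATCH" if hmac.compare_digest(pcr, golden) else "NO MATCH"


# Constructed sample images standing in for real binaries.
HARDWARE_FW = b"platform firmware v1 (constructed sample)"
HYPERVISOR = b"hypervisor image v1 (constructed sample)"
HYPERVISOR_MODIFIED = HYPERVISOR + b"\x00extra code (constructed)"

# The golden value is what a known-good launch produces. A real deployment
# provisions it out of band; here it is computed once from the clean images.
GOLDEN_PCR, GOLDEN_LOG = measured_launch([("firmware", HARDWARE_FW),
                                          ("hypervisor", HYPERVISOR)])


def check_launch(hypervisor_image: bytes) -> str:
    """Launch with the given hypervisor image and compare against the golden PCR."""
    pcr, _log = measured_launch([("firmware", HARDWARE_FW),
                                 ("hypervisor", hypervisor_image)])
    return verdict(pcr, GOLDEN_PCR)


if __name__ == "__main__":
    print("expected hypervisor:", check_launch(HYPERVISOR))
    print("modified hypervisor:", check_launch(HYPERVISOR_MODIFIED))
```

Two properties matter for the detection story on the slide: any change to the hypervisor image, however small, changes the final PCR, and because the PCR is an extend chain the same components measured in a different order also give NO MATCH, so a verifier learns both what was loaded and in what sequence.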
Conclusion
Reference
- Intel, "Intel 64 and IA-32 Architectures Software Developer's Manual"
- David Chisnall, "The Definitive Guide to the Xen Hypervisor" (Korean edition: "Xen 하이퍼바이저 완벽가이드")
- Joanna Rutkowska, "Introducing Blue Pill"
- Rafal Wojtczuk, Joanna Rutkowska, "Attacking Intel Trusted Execution Technology"
- Hanbum Bak, "Virtualization Technology for Security"
- MJ0011, "Analyzing VMware Operating System & Detecting Rootkit from Outside"
- Farzad Sabahi, "Secure Virtualization for Cloud Environment Using Hypervisor-based Technology"
- Rafal Wojtczuk, Joanna Rutkowska, "Attacking Intel TXT via SINIT Code Execution Hijacking"
Speaker Info
김학수, Soonchunhyang University, Department of Information Security, SecurityFirst
[email protected] (fb.com/hakbaby)
www.CodeEngn.com, 2014 CodeEngn Conference 10