DOI: 10.1145/3339252.3340511
research-article

IO-Trust: An out-of-band trusted memory acquisition for intrusion detection and Forensics investigations in cloud IOMMU based systems

Published: 26 August 2019

ABSTRACT

Modern malware is complex and stealthy, and employs anti-forensics techniques to evade detection. To detect malware, data must be collected that allows further analysis of the malware's behaviour. However, when both the malware and the detecting system run on the same domain (the CPU), it is questionable whether the data acquired by the acquisition method has not been tampered with. Hardware-based techniques, such as acquiring data out-of-band using a PCIe device, allow for data acquisition that is deemed trusted when the acquisition method does not rely on any data present in host memory. Unfortunately, in Input-Output Memory Management Unit (IOMMU) based systems, peripheral devices' accesses to host memory go through a stage of translation by the IOMMU. The translation tables, which reside in the host's memory, are subject to malware control and hence are not trustworthy. In this paper we present a method that allows acquiring the data reliably without depending on data residing in host memory, even when the IOMMU is being used to restrict devices. We show how accessing host physical memory is achieved and discuss why this is not a vulnerability in some platforms, but rather a powerful tool for securing data acquisition when the host is not trusted to perform the acquisition.

Published in

ARES '19: Proceedings of the 14th International Conference on Availability, Reliability and Security
August 2019
979 pages
ISBN: 9781450371643
DOI: 10.1145/3339252

Copyright © 2019 ACM

Publisher

Association for Computing Machinery, New York, NY, United States
Qualifiers

• research-article
• Research
• Refereed limited

Acceptance Rates

Overall Acceptance Rate: 228 of 451 submissions, 51%