Asynchronous notification channel for exploitation-robust secure OS on virtual machine monitor
Ruo Ando, Youki Kadobayashi and Youichi Shinoda
National Institute of Information and Communication Technology, 4-2-1 Nukui-Kitamachi, Koganei, Tokyo 184-8795 Japan
[email protected] http://www2.nict.go.jp/y/y212/index en.html
Abstract. A Virtual Machine Monitor (VMM) provides secure isolation between a guest OS and the monitoring system. Fortunately, a VMM also provides utilities to pause, copy and save (snapshot) the guest OS. These commands can be used for detection, prevention and forensics. To use these utilities effectively, an asynchronous notification channel must be implemented to secure the system. In this paper we propose an asynchronous notification channel for improving a secure OS on a virtual machine monitor. We design an interrupt mechanism specialized for security incident notification from the guest OS. The proposed method is applied to buffer overflow handling, LKM-rootkit profiling and MAC (Mandatory Access Control) extension. For these three applications, we present how to use the asynchronous channel and how to extend system calls of the guest OS. Analysis of memory snapshots for profiling LKM-rootkits is also discussed. The proposed system is implemented on the XEN virtual machine monitor. It is shown that our asynchronous notification channel is effective for extending MAC and the fault handler for incident notification.
Keywords: Asynchronous notification, virtual machine monitor, exploitation-robust, kernel module, MAC extension.
1 Introduction
A VMM (Virtual machine monitor) is a thin layer between the hardware and the operating system. The VMM works as the resource and reference monitor of the guest VMs. Recently, VMMs have changed the way security modules are deployed and designed. In this paper we discuss how to provide security enhancement with a VM on a virtual machine monitor. The VMM manages the CPU, memory and storage resources. This means that we can control the access of a hosted OS (called a domain). On a VMM, more fine-grained control and more detailed forensics are possible. For this purpose, a new communication mechanism between the hypervisor and the hosted OS is necessary. In this paper, we propose an asynchronous notification channel for improving a secure OS on a virtual machine monitor.
2 Secure OS and virtual machine monitor
Around 2000, secure OSes were implemented as device drivers based on LSM (Linux Security Module). This mechanism is designed around the concept of MAC (Mandatory Access Control). MAC makes fine-grained access control of i-nodes and sockets possible. However, a secure OS is not sufficient to cope with all kinds of incidents: exploitation using buffer overflows and malware is not preventable by a secure OS. The important role of a virtual machine monitor is to provide secure isolation of the hosted OS. VMMs have a great impact on the deployment and design of IPSs (intrusion prevention systems) and secure OSes. A secure OS can be improved by specializing it for VMM deployment, partly because the VMM can create, copy, pause, save and restore the guest OS. To secure the guest OS, an asynchronous notification (interrupt) mechanism is effective. We add three abilities to the secure OS on the VMM: buffer overflow handling, LKM-rootkit profiling and MAC extension.
2.1 LSM and MAC
LSM (Linux Security Module) is an access control mechanism for files and sockets. LSM was introduced in kernel 2.6, based on the FLASK architecture. Supported by LSM, we can check permissions when an I/O request goes through the device driver. MAC is a strict permission management framework. In MAC, the owner (even the root user) cannot change permissions. Compared with the previous DAC (Discretionary Access Control), the attributes are more detailed, allowing fine-grained permission checks.
2.2 Virtualization
Virtualization technology is divided into two categories: full virtualization and para-virtualization. Full virtualization is made possible by new CPU architectures; this is called "VMX" in the Intel Pentium D and later. Para-virtualization needs kernel modification to run on the VMM. Para-virtualization is more lightweight (mainly in I/O performance). In para-virtualization, we can insert hypervisor calls into the source code of the hosted kernel. This enables us to construct a new notification channel (specialized for security) between the hosted OS and the VMM.
2.3 Event channel of XEN
In this paper we implement our system on the XEN virtual machine monitor. In XEN, a guest domain accesses hardware through the backend driver of domain 0 (the privileged domain) using an event channel. An event channel is a virtualized interrupt mechanism from the guest domain (U) to the host domain (0). In the proposed system, an event channel is implemented for notification of security events on the guest OS.
3 Related work
Fundamental aspects of VMMs are discussed in [9][10]. The proposed system is implemented on the XEN virtual machine monitor [1]. In [5], a new relationship between the virtual machine monitor and IDS is discussed. In [3][4], prevention techniques for buffer overflows are proposed and implemented. Logging on the VMM is discussed in [6][7].
4 Asynchronous notification channel
In XEN, the asynchronous notification channel is implemented as an event channel. Figure 1 illustrates the architecture of XEN. Domain U (guest OS) has a "virtualized" frontend driver, a proxy for I/O access to the "real" device driver under Domain 0 (host OS). An I/O request from a process on the guest OS is notified through the split device driver (backend and frontend driver).
Fig. 1. Architecture of XEN with the notification channel (figure not reproduced). Labels: Domain 0 (host OS) with its kernel, processes, device driver, backend driver and RAM driver; Domain U (guest OS, VMX or sparse kernel, managed by XM) with its kernel, processes and frontend driver; the I/O request and kernel read/write paths; the notification channel; the virtual machine monitor (hypervisor).
An event channel is a communication mechanism between two drivers. An event is the equivalent of a hardware interrupt. For example:

    256:       1782   Dynamic-irq  timer0
    257:          0   Dynamic-irq  resched0
    258:          0   Dynamic-irq  callfunc0
    259:        227   Dynamic-irq  xenbus
    260:        187   Dynamic-irq  xencons
    261:        891   Dynamic-irq  blkif
    262:          0   Dynamic-irq  blkif
    263:          0   Dynamic-irq  eth0
This is the output of "cat /proc/interrupts". IRQ 261 is the interrupt handler of the hard disk image, 262 is for swap, and 263 is for the network interface. In our system, the event channel is used for notifying security incidents on the guest domain. The proposed method consists of the following steps:

[1] Implementing the front/backend driver.
[2] Registering the driver with Xenstore.
[3] Buffer overflow handling: inserting a hypervisor call into the exception handler.
[4] LKM-rootkit extension: inserting a hypervisor call into the system call.
[5] MAC extension: inserting a hypervisor call into the i-node permission checker.

Once our driver is registered correctly, the modification is very simple. We only have to insert the hypervisor call EVTCHNOP_send (issued through HYPERVISOR_event_channel_op) into LSM and the handlers:

    int port = 9;                 /* port bound to the Dynamic-IRQ of the guest domain */
    evtchn_op_t op;
    op.cmd = EVTCHNOP_send;
    op.u.send.port = port;
    (void)HYPERVISOR_event_channel_op(&op);

In this case, port number 9 corresponds to the Dynamic-IRQ of the guest domain. As further work, we can append grant-table manipulation to this interrupt.
5 Buffer overflow handling
In the proposed system, the exception handler is enhanced to detect buffer overflows in the user domain and to generate a (user-defined) signal to inform the process that it is being attacked. We modify some routines in traps-xen.c to record the return address (instruction pointer) in the calling function and to check whether the EIP (instruction pointer) and the saved EIP are the same before and after the called function. Then, we insert send_sig into the exception handler of traps-xen.c to generate and send a signal to the signal handler of the running program. In detail, the INT03 (do_debug) and INT01 (do_trap) exception handlers are modified. The proposed system is constructed on the 80x86 processor. The 80x86 processor has 20 different exception handlers. Table 1 shows the exception handlers mainly concerned with debugging. Among them, we enhance the debug() function with the signal SIGTRAP. The debug facility is invoked when we set the T flag of eflags or when the address of an instruction falls in the range of an active debug register. The concept of the proposed method is automated debugging by the implementation of some additional processing within the debug() function. To achieve this, the IDT (interrupt descriptor table) must be initialized and overwritten to deal with the bugs hooked by INT01 insertion. In other words, to enable the exception, the kernel should initialize the IDT properly. The correspondence between each interrupt or exception vector and the address of its handler is stored in the IDT. We change INT01 and INT03 to check the integrity of the sequence of EIP and EBP. By enhancing the exception handler, no modification of applications or the kernel is necessary to detect buffer overflows, which enables each process to identify itself as "being infected" and nullify itself spontaneously. Our system is operating system independent and therefore does not need software rebuilding.
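The saved-EIP comparison described above, modelled in user space as an added example (this is not the paper's traps-xen.c code): a constructed frame struct stands in for the stack frame, a bounded shadow array plays the role of the return addresses recorded at call entry, and the function names and address values are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHADOW_DEPTH 64

/* Return addresses recorded at call entry; the paper records them inside
 * the INT01/INT03 handlers of traps-xen.c, here a bounded array suffices. */
struct shadow { uintptr_t eip[SHADOW_DEPTH]; size_t top; };

/* Constructed model of a stack frame: a local buffer followed by the saved
 * EBP and saved EIP, the layout an unchecked copy into buf would corrupt. */
struct frame { char buf[16]; uintptr_t saved_ebp; uintptr_t saved_eip; };

/* Call entry: remember the return address. Returns -1 if the shadow is full. */
int shadow_enter(struct shadow *s, uintptr_t ret_addr) {
    if (s->top >= SHADOW_DEPTH) return -1;
    s->eip[s->top++] = ret_addr;
    return 0;
}

/* Call return: compare the frame's saved EIP with the recorded one.
 * Returns 1 if intact, 0 if tampered (the paper then raises SIGTRAP). */
int shadow_leave(struct shadow *s, uintptr_t current_eip) {
    if (s->top == 0) return 0;           /* unbalanced return: treat as tampered */
    return s->eip[--s->top] == current_eip;
}

/* Simulate one call whose local buffer receives n input bytes without a
 * bounds check; n is clamped to the frame size so the write stays inside the
 * constructed frame object. Returns the integrity verdict at return. */
int simulate_call(struct shadow *s, const unsigned char *input, size_t n) {
    struct frame f = { {0}, 0xbfff0000u, 0x08048400u };   /* constructed values */
    if (n > sizeof f) n = sizeof f;
    shadow_enter(s, f.saved_eip);
    memcpy(&f, input, n);             /* bytes past buf land in saved_ebp/saved_eip */
    return shadow_leave(s, f.saved_eip);
}

/* overflow=0 copies 5 bytes (fits in buf); overflow=1 fills the whole frame
 * with 'A'. Returns 1 when integrity holds, 0 when a mismatch is detected. */
int demo(int overflow) {
    struct shadow s = { {0}, 0 };
    unsigned char input[sizeof(struct frame)];
    memset(input, 'A', sizeof input);
    return simulate_call(&s, input, overflow ? sizeof input : 5);
}

int main(void) {
    printf("benign call intact: %d\n", demo(0));
    printf("overflowed call intact: %d\n", demo(1));
    return 0;
}
```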
6 Memory forensics for LKM-rootkit profiling
Compared with other operating systems, Linux has no debugging facilities inside the kernel. Until Linux 2.6.16 (or later) is modified to run on a VMM, a memory dump needs additional implementation. Fortunately, in XEN the command "xm save" provides a snapshot of memory. A memory snapshot is useful for malware profiling and forensics. In this section we discuss the way to take a snapshot of malicious behavior and analyze it. The proposed method consists of four steps. Steps [1][2]: buffer overflow, LKM installation and access to a protected directory are detected by the facility of the exception handler and the secure OS module. Step [3]: notification of these events goes from the frontend driver to the backend driver (an interrupt is triggered). Step [4]: the domain management tool (XM) takes a snapshot of RAM. Then, the proposed system can profile these events.
6.1 LKM-rootkit
LKM (Loadable kernel module) is a device driver which is plugged (embedded) dynamically into the kernel. Unfortunately, LKMs are also used for rootkit exploitation. An LKM-rootkit changes the core of the kernel (system call table, specific file systems). Therefore, once an LKM-rootkit is installed, it is difficult to detect or profile it. The VMM has an advantage in coping with this malware because the VMM is deployed "below the LKM-rootkit" and can hook illegal changes on the hosted domain.

Table 1. Exception handlers and signals in Linux for the Intel architecture.

    No   Exception         Exception handler   Signal
    1    Debug             debug()             SIGTRAP
    2    NMI               nmi()               None
    3    Breakpoint        int3()              SIGTRAP
    4    Overflow          overflow()          SIGSEGV
    5    Bounds check      bound()             SIGSEGV
    12   Stack exception   stack_segment()     SIGBUS
    14   Page fault        page_fault()        SIGSEGV

Fig. 2. Notification and memory snapshot flow (figure not reproduced). Labels: Domain 0 (host OS) with processes, backend driver, RAM driver and snapshot; Domain U (guest OS) with processes, kernel, device driver, Secure OS and frontend driver; the notification channel; VMM; steps [1] to [4] as described in the text.

6.2 System call extension
We insert a hypervisor call into the function of insmod. Insmod is the routine for LKM hot-plugging. By doing this, the guest domain can transfer information about the newly embedded LKM to the host domain and the VMM. Once the VMM receives the notification, the VMM takes a memory snapshot of the guest domain. The second system call we modified is chown or lchown. LKM-rootkits use these system calls to hide files and processes.
6.3 Behavior detection using MAC
Another extension of the proposed system is inserting a hypervisor call into the LSM (Linux security module) code. In this paper we apply the MAC extension to LIDS (Linux intrusion detection system). LIDS is a security patch and set of admin tools for the Linux kernel to achieve a MAC framework. We insert the hypervisor call EVTCHNOP_send into the i-node permission routine of LIDS:

    static int lids_inode_permission(struct inode *inode, int mask, struct nameidata *nd)
Table 2. Kernel memory layout.

    No   Section                      Comment
    1    arch/i386/kernel/head.o      decompress routine
    2    arch/i386/kernel/init_task   task data structure
    3    init/main.o                  main boot routine
    4    init/version.o               version
    5    kernel/kernel.o              main kernel routine
    6    mm.o                         memory management routine
    7    fs/fs.o                      file system routine
    8    ipc/ipc.o                    inter-process communication
    9    drivers/*/*.ko               device drivers
    10   net/network.o                network routine
    11   arch/i386/lib/lib.a          library 1
    12   lib/lib.a                    library 2
When a READ/WRITE request is hooked, we can get information from inode->i_ino, inode->i_sb->s_dev and the dentry's d_iname. The proposed system writes the file path to /proc/* for the following memory snapshot forensics. For example, we can set access control on /usr/src, /usr/local/src or /tmp to inspect anomalous behavior in these directories.
6.4 Memory forensics and LKM profiling
Table 2 shows the kernel memory layout. We can see the list of device drivers compiled and embedded with the objdump or hexdump command. If a module which is not listed in drivers/*/*.ko is plugged in, we need to check whether an anomalous system call (chown, for example) is executed. Once a module is installed, the proposed system checks the following points:

[1] Module name and file path.
[2] Whether it is known (listed in drivers/*/*.ko of the kernel memory) or not.
[3] The system call just after plugging (for example, changing permissions or reading/writing the proc file system).

To hide processes and files, an LKM-rootkit changes the permissions of files and of /proc/* using the system call chown or lchown. So, it is very likely that an LKM-rootkit is in use and hiding if we find an anomaly in [1][2][3]. Table 3 shows the physical memory layout of 128 MB. The Linux kernel is memory resident. 0x00100000 - 0x07feffff is available for kernel memory. Physical memory forensics is useful to detect and profile LKM-rootkits.
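The three checks [1][2][3] run on the host side over a constructed notification stream, as an added example that is not the paper's code: the known-module list, the watched directories from Section 6.3, the event records and all module names and paths are made up, and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the driver module names found in the kernel
 * image (Table 2, row 9) and for the directories watched in Section 6.3. */
static const char *known_modules[] = { "e1000", "ext3", "jbd", "xennet", "xenblk" };
static const char *watched_dirs[] = { "/tmp/", "/usr/src/", "/usr/local/src/" };
#define COUNT(a) (sizeof (a) / sizeof *(a))
enum ev_kind { EV_INSMOD, EV_SYSCALL };
/* One notification as the backend driver would receive it: a module load
 * (name + file path) or a system call issued by the guest afterwards. */
struct event { enum ev_kind kind; const char *name; const char *path; };
#define ANOM_WATCHED_PATH   1   /* check [1]: loaded from a watched directory */
#define ANOM_UNKNOWN_MODULE 2   /* check [2]: not among the kernel image's modules */
#define ANOM_PROC_CHOWN     4   /* check [3]: chown/lchown on a proc entry afterwards */

/* Membership test: exact match, or prefix match when prefix is nonzero. */
static int in_list(const char *s, const char **list, size_t n, int prefix) {
    for (size_t i = 0; i < n; i++)
        if (prefix ? strncmp(s, list[i], strlen(list[i])) == 0 : strcmp(s, list[i]) == 0)
            return 1;
    return 0;
}

/* Profile the insmod event at ev[start] together with the system calls that
 * follow it up to the next insmod. Returns a bitmask of ANOM_* flags
 * (0: nothing anomalous), or -1 if ev[start] is not an insmod event. */
int profile_module(const struct event *ev, size_t n, size_t start) {
    int flags = 0;
    if (start >= n || ev[start].kind != EV_INSMOD) return -1;
    if (in_list(ev[start].path, watched_dirs, COUNT(watched_dirs), 1)) flags |= ANOM_WATCHED_PATH;
    if (!in_list(ev[start].name, known_modules, COUNT(known_modules), 0)) flags |= ANOM_UNKNOWN_MODULE;
    for (size_t i = start + 1; i < n && ev[i].kind != EV_INSMOD; i++)
        if ((strcmp(ev[i].name, "chown") == 0 || strcmp(ev[i].name, "lchown") == 0)
            && strncmp(ev[i].path, "/proc/", 6) == 0)
            flags |= ANOM_PROC_CHOWN;
    return flags;
}

/* Constructed sample notification stream; module names and paths are made up. */
static const struct event sample[] = {
    { EV_INSMOD,  "xennet",      "/lib/modules/2.6.16/kernel/drivers/xen/xennet.ko" },
    { EV_SYSCALL, "read",        "/proc/net/dev" },
    { EV_INSMOD,  "unknown_mod", "/tmp/unknown_mod.ko" },
    { EV_SYSCALL, "lchown",      "/proc/1234" },
};
/* Score the insmod at sample[start]; used by main and by the test. */
int sample_score(size_t start) { return profile_module(sample, COUNT(sample), start); }

int main(void) {
    for (size_t i = 0; i < COUNT(sample); i++)
        if (sample[i].kind == EV_INSMOD)
            printf("%-12s anomaly flags = %d\n", sample[i].name, sample_score(i));
    return 0;
}
```

The flag bits map one-to-one onto the paper's checks, so a nonzero score says which of [1][2][3] fired before the snapshot is examined.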
7 Conclusion
A Virtual Machine Monitor (VMM) provides secure isolation between the guest OS and the monitoring system. Fortunately, a VMM provides utilities to pause, copy and save (snapshot) the guest OS. These commands can be used for detection, prevention and forensics. To use these utilities effectively, an asynchronous notification channel must be implemented to secure the system. In this paper we proposed an asynchronous notification channel for improving a secure OS on a virtual machine monitor. We designed an interrupt mechanism specialized for security incident notification from the guest OS. The proposed method is applied to buffer overflow handling, LKM-rootkit profiling and MAC (Mandatory Access Control) extension. For these three applications, we presented how to use the asynchronous channel and how to extend system calls of the guest OS. Analysis of memory snapshots for profiling LKM-rootkits was also discussed. The proposed system is implemented on the XEN virtual machine monitor. It is shown that our asynchronous notification channel is effective for extending MAC and the fault handler for incident notification, and for detecting and profiling security incidents caused by LKM-rootkits. Our model could be applied to VMX (full virtualization) and KVM (kernel virtual machine). Shared memory between domains could be used to enhance our system.

Table 3. Physical memory layout.

    No   Area                      Comment
    1    0x00000000 - 0x0009ffff   available
    2    0x000f0000 - 0x000fffff   reserved
    3    0x00100000 - 0x07feffff   available
    4    0x07f00000 - 0x07ff2fff   ACPI data
    5    0x07ff3000 - 0x07ffffff   ACPI volatile
    6    0xffff0000 - 0xffffffff   reserved
References
1. XEN virtual machine monitor, http://www.cl.cam.ac.uk/Research/SRG/netos/xen/
2. Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauer, Ian Pratt, and Andrew Warfield. Xen and the art of virtualization. In Proceedings of the 19th Symposium on Operating System Principles (SOSP 2003), Bolton Landing, NY, October 2003.
3. Linux Openwall project. http://www.openwall.com/
4. C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, and H. Hinton. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proc. 7th USENIX Security Conference, pp. 63–78, 1998.
5. Tal Garfinkel and Mendel Rosenblum. A Virtual Machine Introspection Based Architecture for Intrusion Detection. In the Internet Society's 2003 Symposium on Network and Distributed System Security (NDSS), pages 191–206, February 2003.
6. George W. Dunlap, Samuel T. King, Sukru Cinar, Murtaza Basrai, and Peter M. Chen. ReVirt: Enabling intrusion analysis through virtual-machine logging and replay. In Proceedings of the 2002 Symposium on Operating Systems Design and Implementation (OSDI 2002), Boston, MA, December 2002.
7. George W. Dunlap, Samuel T. King, Sukru Cinar, Murtaza Basrai, and Peter M. Chen. ReVirt: Enabling intrusion analysis through virtual-machine logging and replay. In Proceedings of the 2002 Symposium on Operating Systems Design and Implementation (OSDI 2002), Boston, MA, December 2002.
8. Reiner Sailer, Trent Jaeger, Enriquillo Valdez, Ramon Caceres, Ronald Perez, Stefan Berger, John L. Griffin, and Leendert van Doorn. Building a MAC-Based Security Architecture for the Xen Opensource Hypervisor. In Proceedings of the 2005 Annual Computer Security Applications Conference (ACSAC), pages 249–258, December 2005.
9. Paul A. Karger, Mary Ellen Zurko, Douglas W. Bonin, Andrew H. Mason, and Clifford E. Kahn. A Retrospective on the VAX VMM Security Kernel. IEEE Trans. Software Eng. 17(11): 1147–1165 (1991).
10. Paul A. Karger, Mary Ellen Zurko, Douglas W. Bonin, Andrew H. Mason, and Clifford E. Kahn. A Retrospective on the VAX VMM Security Kernel. IEEE Trans. Software Eng. 17(11): 1147–1165 (1991).
11. Intel Corporation. IA-32 Intel Architecture Software Developer's Manual, Volume 2B: Instruction Set Reference N-Z, 2004.