Download as PDF, PPTX
Uploaded byTamas K Lengyel
CyberSEED: Virtual Machine Introspection to Detect and Protect
Tamas K Lengyel gives a presentation on virtual machine introspection and how it can be used to detect and protect against threats. He discusses how virtualization adds layers that can be leveraged for security monitoring. However, he notes that the approach of adding more layers is not a true solution and just increases the cost to break through defenses. Lengyel argues that the root hypervisor and lowest system layers are ultimately not fully transparent or accessible, leaving security imperfect similar to the concept of turtles all the way down.
More Related Content
Similar to CyberSEED: Virtual Machine Introspection to Detect and Protect
![[HackInTheBox] Breaking virtualization by any means](https://cdn.slidesharecdn.com/ss_thumbnails/brossard-hitb-kuala-lumpur-2010-101022053642-phpapp01-thumbnail.jpg?width=640&height=640&fit=bounds)
![he-dieu-hanh_david-mazieres_l18-virtual-machines - [cuuduongthancong.com].pdf](https://cdn.slidesharecdn.com/ss_thumbnails/he-dieu-hanhdavid-mazieresl18-virtual-machines-cuuduongthancong-230504152824-d5e49a1c-thumbnail.jpg?width=640&height=640&fit=bounds)
CyberSEED: Virtual Machine Introspection to Detect and Protect
- 1. @CSICyberSEED Virtual Machine Introspectionto Detect and Protect “It’s turtles all the way down!” Tamas K Lengyel @tklengyel
- 2. @CSICyberSEED # whoami • SeniorSecurity Researcher at Novetta • PhD Student at UConn CSE • DARPA Cyber Fast Track participant • Maintainer of Xen, DRAKVUF & LibVMI
- 3. @CSICyberSEED Outline • Brief lookat the current security model • Virtualization • Virtual Machine Introspection • It’s turtles all the way down!
- 4. @CSICyberSEED Current security model Lowprivilege High privilege
- 5. @CSICyberSEED Current security model Lowprivilege High privilege X
- 6. @CSICyberSEED The problem: Rootkits Lowprivilege High privilege
- 7. @CSICyberSEED The problem: Rootkits Lowprivilege High privilege X
- 8.
- 9. @CSICyberSEED Virtual Machine Introspection Usethe hypervisor for additional security! X X X X
- 10. @CSICyberSEED How? ● Isolation: providedby the hypervisor ● Interpretation: use forensics tools ○ LibVMI, Rekall, Volatility ● Interposition: use hardware extensions ○ Intel EPT, #VE
- 11. @CSICyberSEED But wait, thislooks familiar.. X X XX X
- 12. @CSICyberSEED The million dollarquestion What protects the hypervisor?
- 13. @CSICyberSEED It’s turtles allthe way down! A well-known scientist (some say it was Bertrand Russel) once gave a public lecture on astronomy. He described how the earth orbits around the sun and how the sun, in turn, orbits around the center of a vast collection of stars called our galaxy. At the end of the lecture, a little old lady at the back of the room got up and said: "What you have told us is rubbish. The world is really a flat plate supported on the back of a giant tortoise." The scientist gave a superior smile before replying, "What is the tortoise standing on?" "You're very clever, young man, very clever," said the old lady. "But it's turtles all the way down!" — Hawking, A Brief History of Time
- 14. @CSICyberSEED Add some morelayers Nested hypervisors Root hypervisor
- 15. @CSICyberSEED But why stopthere? System Management Mode Dual-monitor mode Hypervisor SMM VM No nested hypervisor in SMM The real root hypervisor with reference implementation available! Only OEM access on most hw
- 16. @CSICyberSEED There is more! SMMHypervisor SMM VM Intel Management Engine No reference implementation No documentation Only Intel has access
- 17. @CSICyberSEED The bottom line •Adding layers doesn’t solve the problem • Only increases the cost of breaking through • Building cross-layer tools is hard • That’s the whole point • Barrier erodes with time
- 18. @CSICyberSEED What’s the catch? •Keeping lower layers as small as possible • More code = more attack surface • Users should have the ability to inspect these layers • Lower the layer the fewer folks have insight/access • Isn’t that the perfect setup for DRM? • It may be about security - but not necessarily yours!
- 19. @CSICyberSEED Thanks! Tamas K Lengyel tamas@tklengyel.com tlengyel@novetta.com @tklengyel LibVMIhttp://libvmi.com DRAKVUF http://drakvuf.com