Subverting system authentication with context-aware, reactive virtual machine introspection

Authors:
Yangchun Fu;Zhiqiang Lin;Kevin W. Hamlen
Affiliations:
The University of Texas at Dallas, Richardson, TX;The University of Texas at Dallas, Richardson, TX;The University of Texas at Dallas, Richardson, TX
Venue:
Proceedings of the 29th Annual Computer Security Applications Conference
Year:
2013

Citing 27
Cited 0

The design and implementation of tripwire: a file system integrity checker

CCS '94 Proceedings of the 2nd ACM Conference on Computer and communications security
Reverse Engineering and Design Recovery: A Taxonomy

IEEE Software
Virtualizing I/O Devices on VMware Workstation's Hosted Virtual Machine Monitor

Proceedings of the General Track: 2002 USENIX Annual Technical Conference
Anomaly Detection Using Call Stack Information

SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
When Virtual Is Better Than Real

HOTOS '01 Proceedings of the Eighth Workshop on Hot Topics in Operating Systems
Terra: a virtual machine-based platform for trusted computing

SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
Detecting past and present intrusions through vulnerability-specific predicates

Proceedings of the twentieth ACM symposium on Operating systems principles
SubVirt: Implementing malware with virtual machines

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Manitou: a layer-below approach to fighting malware

Proceedings of the 1st workshop on Architectural and system support for improving software dependability
An architecture for generating semantics-aware signatures

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Antfarm: tracking processes in a virtual machine environment

ATEC '06 Proceedings of the annual conference on USENIX '06 Annual Technical Conference
Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction

Proceedings of the 14th ACM conference on Computer and communications security
VMM-based hidden process detection and identification using Lycosid

Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments
Designing and implementing malicious hardware

LEET'08 Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats
Lares: An Architecture for Secure Active Monitoring Using Virtualization

SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
Ether: malware analysis via hardware virtualization extensions

Proceedings of the 15th ACM conference on Computer and communications security
Lest we remember: cold boot attacks on encryption keys

SS'08 Proceedings of the 17th conference on Security symposium
Secure in-VM monitoring using hardware virtualization

Proceedings of the 16th ACM conference on Computer and communications security
Automatic Generation of String Signatures for Malware Detection

RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
DKSM: Subverting Virtual Machine Introspection for Fun and Profit

SRDS '10 Proceedings of the 2010 29th IEEE Symposium on Reliable Distributed Systems
vIOMMU: efficient IOMMU emulation

USENIXATC'11 Proceedings of the 2011 USENIX conference on USENIX annual technical conference
Virtuoso: Narrowing the Semantic Gap in Virtual Machine Introspection

SP '11 Proceedings of the 2011 IEEE Symposium on Security and Privacy
Differential Slicing: Identifying Causal Execution Differences for Security Applications

SP '11 Proceedings of the 2011 IEEE Symposium on Security and Privacy
CloudVisor: retrofitting protection of virtual machines in multi-tenant cloud with nested virtualization

SOSP '11 Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles
Nitro: hardware-based system call tracing for virtual machines

IWSEC'11 Proceedings of the 6th International conference on Advances in information and computer security
Space Traveling across VM: Automatically Bridging the Semantic Gap in Virtual Machine Introspection via Online Kernel Data Redirection

SP '12 Proceedings of the 2012 IEEE Symposium on Security and Privacy
EXTERIOR: using a dual-VM based external shell for guest-OS introspection, configuration, and recovery

Proceedings of the 9th ACM SIGPLAN/SIGOPS international conference on Virtual execution environments

Quantified Score

Hi-index	0.00

Visualization

Abstract

Recent advances in bridging the semantic gap between virtual machines (VMs) and their guest processes have a dark side: They can be abused to subvert and compromise VM file system images and process images. To demonstrate this alarming capability, a context-aware, reactive VM Introspection (VMI) instrument is presented and leveraged to automatically break the authentication mechanisms of both Linux and Windows operating systems. By bridging the semantic gap, the attack is able to automatically identify critical decision points where authentication succeeds or fails at the binary level. It can then leverage the VMI to transparently corrupt the control-flow or data-flow of the victim OS at that point, resulting in successful authentication without any password-guessing or encryption-cracking. The approach is highly flexible (threatening a broad class of authentication implementations), practical (realizable against real-world OSes and VM images), and useful for both malicious attacks and forensics analysis of virtualized systems and software.