subvirt implementing malware with virtual machines.pptVIP

SubVirt: Implementing malware with virtual machines Authors: Samuel T. King, Peter M. Chen University of Michigan Yi-Min Wang, Chad Verbowski, Helen J. Wang, Jacob R.Lorch Microsoft Research Publication: Security and Privacy, 2006 IEEE Symposium. Presenter: Radha Maldhure Goal Attacker run malicious software and avoid detection understand and defend against threat Attacker Defender VMM What is the presentation about? Virtual-machine based rootkit (VMBR) installation malicious services maintaining control Defending against VMBR control below VMBR control above VMBR VMBR Installation Malicious services (MS) There are three types Maintaining Control Defense Security Softwarebelow VMBR Basic idea: Detector’s view of system does not go through VMBR’s virtualization layer Ways: Boot from safe medium such as CD-ROM, USB + physically unplug before booting Use secure VMM Security Softwareabove VMBR Basic idea: Security Software below VMBR is inconvenient Ways: Compare running time of software in VM with benchmarks against wall-clock time Run a program that requires entire memory or disk space Contribution Explored the design and implementation of VMBR Explored techniques for detecting VMBR Weakness VMBR is difficult to install VMBR require reboot before they can run Have more impact on the overall system Suggestions The Ideas suggested by paper is good but needs many implementations both on attacker’s side and defender’s side Defense not convenient for end users Some ideas are not clear Questions? Quote for the day “No defeat is final until we stop trying” * More control OS Hardware App1 App2 Attacker Defender Attacker Defender Fig: architecture of VMM ( used by VMware and VirtualPC ) VM VM runs guest OS and