Modern Blue Pills and Red Pills

This article presents the concept of blue pill, a stealth hypervisor-based rootkit, that was introduced by Joanna Rutkowska in 2006. The blue pill is a malicious thin hypervisor-based rootkit that takes control of the victim machine. Furthermore, as the blue pill does not run under the operating system context, the blue pill is very difficult to detect easily. The red pill is the competing concept (i.e., a forensics software that runs on the inspected machine and detects the existence of malicious hypervisor or blue pill). The concept of attestation of a host ensuring that no hypervisor is running was first introduced by Kennel and Jamieson in 2002. Modern advances in hypervisor technology …

Online Expression, Personal Cybersecurity Costs, and the Specter of Cybercrime

The internet is used increasingly as a platform both for free expression and e-commerce. The internet has unique security and privacy risks. Such risks include the threat of criminal cyberattacks, including hacking and doxing. Internet users have a variety of attitudes towards the security and privacy risks involved with using the internet and distinct concerns and behaviors with regard to expressing themselves online. In order to mitigate the security and privacy risks of the internet, some internet users spend valuable time thinking about and configuring the security settings of their devices. They may also have different attitudes towards personal spending of money for cybersecurity prod…

Timing and Side Channel Attacks

How would you know the US pentagon is planning an attack on Iraq? One possible plan is to infiltrate the pentagon using spies, flipping traitors etc. But this sounds like lots of work and it is a dangerous work. That is the direct approach. Another possible plan is to ask the pizza delivery guys in the area. People planning an attack probably adds up to lots of people urgently trying to meet deadlines, staying late in the office and ordering pizza. So the pizza delivery guys know about a pending attack! The pizza delivery guys do not know the nature of the attack but they know “something is up” in the pentagon because for a few days people are staying late at the office and ordering pizza a…

Hypervisor-based Protection of Code

The code of a compiled program is susceptible to reverse-engineering attacks on the algorithms and the business logic that are contained within the code. The main existing countermeasure to reverse-engineering is obfuscation. Generally, obfuscation methods suffer from two main deficiencies: 1) the obfuscated code is less efficient than the original and 2) with sufficient effort, the original code may be reconstructed. We propose a method that is based on cryptography and virtualization. The most valuable functions are encrypted and remain inaccessible even during their execution, thus preventing their reconstruction. A specially crafted hypervisor is responsible for decryption, execution, a…

HyperWall: A Hypervisor for Detection and Prevention of Malicious Communication

Malicious programs vary widely in their functionality, from key-logging to disk encryption. However, most malicious programs communicate with their operators, thus revealing themselves to various security tools. The security tools incorporated within an operating system are vulnerable to attacks due to the large attack surface of the operating system kernel and modules. We present a kernel module that demonstrates how kernel-mode access can be used to bypass any security mechanism that is implemented in kernel-mode. External security tools, like firewalls, lack important information about the origin of the intercepted packets, thus their filtering policy is usually insufficient to prevent c…

Remote Attestation of Software and Execution-Environment in Modern Machines

The research on network security concentrates mainly on securing the communication channels between two endpoints, which is insufficient if the authenticity of one of the endpoints cannot be determined with certainty. Previously presented methods that allow one endpoint, the authentication authority, to authenticate another remote machine. These methods are inadequate for modern machines that have multiple processors, introduce virtualization extensions, have a greater variety of side effects, and suffer from nondeterminism. This paper addresses the advances of modern machines with respect to the method presented by Kennell. The authors describe how a remote attestation procedure, involving…

An efficient VM-based software protection

This paper presents Truly-protect, a system, incorporating a virtual machine, that enables execution of encrypted programs. Our intention is to form a framework for a conditional access/digital rights management system.

Trusted Computing and DRM

Trusted Computing is a special branch of computer security. One branch of computer security involves protection of systems against external attacks. In that branch we include all methods that are used by system owners against external attackers, for example Firewalls, IDS, IPS etc. In all those cases the system owner installs software that uses its own means to determine if a remote user is malicious and terminates the attack. (Such means can be very simple such as detecting signatures of attacks or very complex such as machine learning and detecting anomalies in the usage pattern of the remote user). Another branch of attacks requires protection by the system owner against internal users. …

Hypervisor-assisted dynamic malware analysis

AbstractMalware analysis is a task of utmost importance in cyber-security. Two approaches exist for malware analysis: static and dynamic. Modern malware uses an abundance of techniques to evade both dynamic and static analysis tools. Current dynamic analysis solutions either make modifications to the running malware or use a higher privilege component that does the actual analysis. The former can be easily detected by sophisticated malware while the latter often induces a significant performance overhead. We propose a method that performs malware analysis within the context of the OS itself. Furthermore, the analysis component is camouflaged by a hypervisor, which makes it completely transp…

Hyplets - Multi Exception Level Kernel towards Linux RTOS

This paper presents the concept of a Multi-Exception level operating system. We add a hypervisor awareness to the Linux kernel and execute code in hyp exception level. We do that through the use of Hyplets. Hyplets are an innovative way to code interrupt service routines under ARM. Hyplets provide high performance, security, running time predictability, an RPC mechanism and a possible solution for the priority inversion problem. Hyplets uses special features of ARM8va hypervisor memory architecture.

Arm Hypervisor and Trustzone Alternatives

Many scenarios such as DRM, payments, and homeland security require a trusted and verified trusted execution environment (TEE) on ARM. In most cases such TEE should be available in source code mode. The vendor cannot conduct code review and ensure that the operating system is trustworthy unless source code is available. Android and other rich execution environments (REEs) support various TEE implementations. Each TEE implementation has its own unique way of deploying trusted applications and features. Most TEEs in ARM can be started at TrustZone™ or Hyp (Hypervisor) mode. Choosing a proper TEE operating system can be a problem for trusted application developers and hardware vendors. This ar…

Nanovised Control Flow Attestation

This paper presents an improvement of control flow attestation (C-FLAT) for Linux. C-FLAT is a control attestation system for embedded devices. It was implemented as a software executing in ARM’s TrustZone on bare-metal devices. We extend the design and implementation of C-FLAT through the use of a type 2 Nanovisor in the Linux operating system. We call our improved system “C-FLAT Linux”. Compared to the original C-FLAT, C-FLAT Linux reduces processing overheads and is able to detect the SlowLoris attack. We describe the architecture of C-FLAT Linux and provide extensive measurements of its performance in benchmarks and real-world scenarios. In addition, we demonstrate the…

Survey of Cyber Threats in Air Traffic Control and Aircraft Communications Systems

Air traffic control systems based on the ADS-B standard have been widely adopted in civil aviation to the point that they are now considered the de facto standard. ADS-B provides major benefits to airports and airlines by increasing the safety of air traffic management and control and allowing more flights to travel near busy airports. However, the ADS-B technology lacks sufficient security measures. The ADS-B system is vulnerable and exposed to cyberattacks. We survey the potential known threats and attacks against ADS-B and assess the potential cybersecurity threats to air traffic management and control. The widespread use of ADS-B and the lack of security features in it, i.e., all the AD…

H-KPP : Hypervisor-Assisted Kernel Patch Protection

We present H-KPP, hypervisor-based protection for kernel code and data structures. H-KPP prevents the execution of unauthorized code in kernel mode. In addition, H-KPP protects certain object fields from malicious modifications. H-KPP can protect modern kernels equipped with BPF facilities and loadable kernel modules. H-KPP does not require modifying or recompiling the kernel. Unlike many other systems, H-KPP is based on a thin hypervisor and includes a novel SLAT switching mechanism, which allows H-KPP to achieve very low (≈6%) performance overhead compared to baseline Linux.

Efficient Protection for VDI Workstations

Many enterprises migrate to a private cloud VDI environment. In such an environment multiple workstations are served by a single powerful server. On such an environment each VDI workstation receives only a limited CPU power. An average of less than a quarter of a core per planned VDI workstation is a common setup. Under such cases, anti-virus and application control software load is multiplied by the number of VDI workstation running on each server. These security applications take merely a few percentages of a single core on a normal desktop. However, on a VDI server where the multiple VDI workstations run on a single server, they may consume 20-25 percent the load. Naturally, such an incr…

Attacking TrustZone on devices lacking memory protection

AbstractARM TrustZone offers a Trusted Execution Environment (TEE) embedded into the processor cores. Some vendors offer ARM modules that do not fully comply with TrustZone specifications, which may lead to vulnerabilities in the system. In this paper, we present a DMA attack tutorial from the insecure world onto the secure world, and the design and implementation of this attack in a real insecure hardware.

An LP-based hyperparameter optimization model for language modeling

In order to find hyperparameters for a machine learning model, algorithms such as grid search or random search are used over the space of possible values of the models hyperparameters. These search algorithms opt the solution that minimizes a specific cost function. In language models, perplexity is one of the most popular cost functions. In this study, we propose a fractional nonlinear programming model that finds the optimal perplexity value. The special structure of the model allows us to approximate it by a linear programming model that can be solved using the well-known simplex algorithm. To the best of our knowledge, this is the first attempt to use optimization techniques to find per…

Detecting Kernel Vulnerabilities During the Development Phase

Testing is one of the major problems in Linux kernel development cycle. Security analysis and ensuring no new vulnerabilities has been introduced is one of the toughest issues of testing. Kernel developers attempt to find as many security issues as possible before merging with the mainline branch. Failure to detect vulnerabilities will result in vulnerable kernel shipped by distribution and vulnerable systems. The kernel developers can choose between several industrial and open source tools to assist in the development process and shorten the development cycle. (Though not as many as user space developers. Kernel tools are limited and rare compared to user space tools) Some of these tools a…

HyperIO: A Hypervisor-Based Framework for Secure IO

Malware often attempts to steal input and output through human interface devices to obtain confidential information. We propose to use a thin hypervisor, called “HyperIO”, to realize a secure path between input and output devices using a partial implementation of device drivers. We apply our approach using two security systems built on HyperIO: FireSafe and ClipCrypt. FireSafe is a web browser extension which allows a remote web server to display and receive sensitive user information securely. ClipCrypt enables the user to securely enter and view their confidential information in commodity Windows applications.

Hypervisor-assisted Atomic Memory Acquisition in Modern Systems

Reliable memory acquisition is essential to forensic analysis of a cyber-crime. Various methods of memory acquisition have been proposed, ranging from tools based on a dedicated hardware to software only solutions. Recently, a hypervisor-based method for memory acquisition was proposed (Qi et al., 2017; Martignoni et al., 2010). This method obtains a reliable (atomic) memory image of a running system. The method achieves this by making all memory pages non-writable until they are copied to the memory image, thus preventing uncontrolled modification of these pages. Unfortunately, the proposed method has two deficiencies: (1) the method does not support multiprocessing and (2) the method does…

System for Executing Encrypted Java Programs

Hypervisor memory acquisition for ARM

Abstract Cyber forensics use memory acquisition in advanced forensics and malware analysis. We propose a hypervisor based memory acquisition tool. Our implementation extends the volatility memory forensics framework by reducing the processor's consumption, solves the in-coherency problem in the memory snapshots and mitigates the pressure of the acquisition on the network and the disk. We provide benchmarks and evaluation.

Hypervisor Memory Introspection and Hypervisor Based Malware Honeypot

Memory acquisition is a tool used in advanced forensics and malware analysis. Various methods of memory acquisition exist. Such solutions are ranging from tools based on dedicated hardware to software-only solutions. We proposed a hypervisor based memory acquisition tool. [22]. Our method supports ASLR and Modern operating systems which is an innovation compared to past methods [27, 36]. We extend the hypervisor assisted memory acquisition by adding mass storage device honeypots for the malware to cross and propose hiding the hypervisor using bluepill technology.

Hypervisor-Based White Listing of Executables

We describe an efficient system for ensuring code integrity of an operating system (OS), both its own code and application code. The proposed system can protect from an attacker who has full control over the OS kernel. An evaluation of the system's performance suggests the induced overhead is negligible. peerReviewed

The hyplet : Joining a Program and a Nanovisor for real-time and Performance

This paper presents the concept of sharing a hyper-visor address space with a standard Linux program. In this work, we add hypervisor awareness to the Linux kernel and execute code in the HYP exception level through using the hyplet. The hyplet is an innovative way to code interrupt service routines and remote procedure calls under ARM. The hyplet provides high performance and run-time predictability. We demonstrate the hyplet implementation using the C programming language on an ARM8v-a platform and under the Linux kernel. We then provide performance measurements, use cases, and security scenarios. peerReviewed

HERO vs. Zombie: Identifying Zombie Guests in a Virtual Machine Environment