Modern Blue Pills and Red Pills

This article presents the concept of blue pill, a stealth hypervisor-based rootkit, that was introduced by Joanna Rutkowska in 2006. The blue pill is a malicious thin hypervisor-based rootkit that takes control of the victim machine. Furthermore, as the blue pill does not run under the operating system context, the blue pill is very difficult to detect easily. The red pill is the competing concept (i.e., a forensics software that runs on the inspected machine and detects the existence of malicious hypervisor or blue pill). The concept of attestation of a host ensuring that no hypervisor is running was first introduced by Kennel and Jamieson in 2002. Modern advances in hypervisor technology …

Timing and Side Channel Attacks

How would you know the US pentagon is planning an attack on Iraq? One possible plan is to infiltrate the pentagon using spies, flipping traitors etc. But this sounds like lots of work and it is a dangerous work. That is the direct approach. Another possible plan is to ask the pizza delivery guys in the area. People planning an attack probably adds up to lots of people urgently trying to meet deadlines, staying late in the office and ordering pizza. So the pizza delivery guys know about a pending attack! The pizza delivery guys do not know the nature of the attack but they know “something is up” in the pentagon because for a few days people are staying late at the office and ordering pizza a…

Hypervisor-based Protection of Code

The code of a compiled program is susceptible to reverse-engineering attacks on the algorithms and the business logic that are contained within the code. The main existing countermeasure to reverse-engineering is obfuscation. Generally, obfuscation methods suffer from two main deficiencies: 1) the obfuscated code is less efficient than the original and 2) with sufficient effort, the original code may be reconstructed. We propose a method that is based on cryptography and virtualization. The most valuable functions are encrypted and remain inaccessible even during their execution, thus preventing their reconstruction. A specially crafted hypervisor is responsible for decryption, execution, a…

Creating modern blue pills and red pills

The blue pill is a malicious stealthy hypervisor-based rootkit. The red pill is a software package that is designed to detect such blue pills. Since the blue pill was originally proposed there has been an ongoing arms race between developers that try to develop stealthy hypervisors and developers that try to detect such stealthy hypervisors. Furthermore, hardware advances have made several stealth attempts impossible while other advances enable even more stealthy operation. In this paper we describe the current status of detecting stealth hypervisors and methods to counter them. peerReviewed

Remote Attestation of Software and Execution-Environment in Modern Machines

The research on network security concentrates mainly on securing the communication channels between two endpoints, which is insufficient if the authenticity of one of the endpoints cannot be determined with certainty. Previously presented methods that allow one endpoint, the authentication authority, to authenticate another remote machine. These methods are inadequate for modern machines that have multiple processors, introduce virtualization extensions, have a greater variety of side effects, and suffer from nondeterminism. This paper addresses the advances of modern machines with respect to the method presented by Kennell. The authors describe how a remote attestation procedure, involving…

Trusted Computing and DRM

Trusted Computing is a special branch of computer security. One branch of computer security involves protection of systems against external attacks. In that branch we include all methods that are used by system owners against external attackers, for example Firewalls, IDS, IPS etc. In all those cases the system owner installs software that uses its own means to determine if a remote user is malicious and terminates the attack. (Such means can be very simple such as detecting signatures of attacks or very complex such as machine learning and detecting anomalies in the usage pattern of the remote user). Another branch of attacks requires protection by the system owner against internal users. …

Efficient Protection for VDI Workstations

Many enterprises migrate to a private cloud VDI environment. In such an environment multiple workstations are served by a single powerful server. On such an environment each VDI workstation receives only a limited CPU power. An average of less than a quarter of a core per planned VDI workstation is a common setup. Under such cases, anti-virus and application control software load is multiplied by the number of VDI workstation running on each server. These security applications take merely a few percentages of a single core on a normal desktop. However, on a VDI server where the multiple VDI workstations run on a single server, they may consume 20-25 percent the load. Naturally, such an incr…

Preventing Execution of Unauthorized Native-Code Software

The business world is exhibiting a growing dependency on computer systems, their operations and the databases they contain. Unfortunately, it also suffers from an ever growing recurrence of malicious software attacks. Malicious attack vectors are diverse and the computer-security industry is producing an abundance of behavioral-pattern detections to combat the phenomenon. This paper proposes an alternative approach, based on the implementation of an attested, and thus trusted, thin-hypervisor. Secondary level address translation tables, governed and fully controlled by the hypervisor, are configured in order to assure that only pre-whitelisted instructions can be executed in the system. Thi…

Hypervisor-assisted Atomic Memory Acquisition in Modern Systems

Reliable memory acquisition is essential to forensic analysis of a cyber-crime. Various methods of memory acquisition have been proposed, ranging from tools based on a dedicated hardware to software only solutions. Recently, a hypervisor-based method for memory acquisition was proposed (Qi et al., 2017; Martignoni et al., 2010). This method obtains a reliable (atomic) memory image of a running system. The method achieves this by making all memory pages non-writable until they are copied to the memory image, thus preventing uncontrolled modification of these pages. Unfortunately, the proposed method has two deficiencies: (1) the method does not support multiprocessing and (2) the method does…

System for Executing Encrypted Native Programs

An important aspect of protecting software from attack, theft of algorithms, or illegal software use, is eliminating the possibility of performing reverse engineering. One common method to deal with these issues is code obfuscation. However, in most case it was shown to be ineffective. Code encryption is a much more effective means of defying reverse engineering, but it requires managing a secret key available to none but the permissible users. The authors propose a new and innovative solution. Critical functions in protected software are encrypted using well-known encryption algorithms. Following verification by external attestation, a thin hypervisor is used as the basis of an eco-system …

System for Executing Encrypted Java Programs

Hypervisor Memory Introspection and Hypervisor Based Malware Honeypot

Memory acquisition is a tool used in advanced forensics and malware analysis. Various methods of memory acquisition exist. Such solutions are ranging from tools based on dedicated hardware to software-only solutions. We proposed a hypervisor based memory acquisition tool. [22]. Our method supports ASLR and Modern operating systems which is an innovation compared to past methods [27, 36]. We extend the hypervisor assisted memory acquisition by adding mass storage device honeypots for the malware to cross and propose hiding the hypervisor using bluepill technology.

Hypervisor-Based White Listing of Executables

We describe an efficient system for ensuring code integrity of an operating system (OS), both its own code and application code. The proposed system can protect from an attacker who has full control over the OS kernel. An evaluation of the system's performance suggests the induced overhead is negligible. peerReviewed

Enforcing trust for execution-protection in modern environments

The business world is exhibiting a growing dependency on computer systems, their operations and the databases they contain. Unfortunately, it also suffers from an ever growing recurrence of malicious software attacks. Malicious attack vectors are diverse and the computer-security industry is producing an abundance of behavioral-pattern detections to combat the phenomenon. Modern processors contain hardware virtualization capabilities that support implementation of hypervisors for the purpose of managing multiple Virtual-Machines (VMs) on a single computer platform. The facilities provided by hardware virtualization grant the hypervisor control of the hardware platform at an effective privil…