
AUTHOR

Roee Leon

Modern Blue Pills and Red Pills

2020

This article presents the concept of the blue pill, a stealthy hypervisor-based rootkit that was introduced by Joanna Rutkowska in 2006. The blue pill is a malicious thin hypervisor-based rootkit that takes control of the victim machine. Furthermore, as the blue pill does not run under the operating system context, it is very difficult to detect. The red pill is the competing concept (i.e., forensic software that runs on the inspected machine and detects the existence of a malicious hypervisor or blue pill). The concept of attesting that no hypervisor is running on a host was first introduced by Kennel and Jamieson in 2002. Modern advances in hypervisor technology …

Keywords: operating systems software; computer science

Hypervisor-based Protection of Code

2019

The code of a compiled program is susceptible to reverse-engineering attacks on the algorithms and the business logic it contains. The main existing countermeasure to reverse engineering is obfuscation. Generally, obfuscation methods suffer from two main deficiencies: 1) the obfuscated code is less efficient than the original, and 2) with sufficient effort, the original code may be reconstructed. We propose a method based on cryptography and virtualization. The most valuable functions are encrypted and remain inaccessible even during their execution, thus preventing their reconstruction. A specially crafted hypervisor is responsible for decryption, execution, a…

Keywords: computer networks and communications; computer science; cryptography; security; computer security; encryption; obfuscation; code (cryptography); virtual machine monitors; safety, risk, reliability and quality; system bus; trusted platform module; strategic defence and security studies; code protection; hypervisor; virtualization; obfuscation (software)
Published in: IEEE Transactions on Information Forensics and Security

Arm Hypervisor and Trustzone Alternatives

2020

Many scenarios such as DRM, payments, and homeland security require a trusted and verified trusted execution environment (TEE) on ARM. In most cases such a TEE should be available in source code form. The vendor cannot conduct a code review and ensure that the operating system is trustworthy unless source code is available. Android and other rich execution environments (REEs) support various TEE implementations. Each TEE implementation has its own unique way of deploying trusted applications and features. Most TEEs on ARM can be started in TrustZone™ or Hyp (Hypervisor) mode. Choosing a proper TEE operating system can be a problem for trusted application developers and hardware vendors. This ar…

Keywords: computer science; electrical, electronic and information engineering; operating system; networking and telecommunications; hypervisor

Efficient Protection for VDI Workstations

2019

Many enterprises migrate to a private cloud VDI environment. In such an environment multiple workstations are served by a single powerful server, and each VDI workstation receives only limited CPU power. An average of less than a quarter of a core per planned VDI workstation is a common setup. In such cases, the load of anti-virus and application control software is multiplied by the number of VDI workstations running on each server. These security applications take merely a few percent of a single core on a normal desktop. However, on a VDI server where multiple VDI workstations run on a single server, they may consume 20-25 percent of the load. Naturally, such an incr…

Keywords: strategic defence and security studies; CPU power dissipation; workstation; computer science; control software; single server; cloud computing; virtualization; control system; operating system; single-core
Published in: 2019 6th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud) / 2019 5th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom)

Hypervisor-assisted Atomic Memory Acquisition in Modern Systems

2019

Reliable memory acquisition is essential to the forensic analysis of a cyber-crime. Various methods of memory acquisition have been proposed, ranging from tools based on dedicated hardware to software-only solutions. Recently, a hypervisor-based method for memory acquisition was proposed (Qi et al., 2017; Martignoni et al., 2010). This method obtains a reliable (atomic) memory image of a running system. It achieves this by making all memory pages non-writable until they are copied to the memory image, thus preventing uncontrolled modification of these pages. Unfortunately, the proposed method has two deficiencies: (1) the method does not support multiprocessing and (2) the method does…

Keywords: integrity of a memory snapshot; reliability; virtualization; computer science; forensic soundness; hypervisor; memory (computing); atomicity; memory forensics; memory acquisition; operating system; live forensics; information security
Published in: Proceedings of the 5th International Conference on Information Systems Security and Privacy

Hypervisor Memory Introspection and Hypervisor Based Malware Honeypot

2020

Memory acquisition is a tool used in advanced forensics and malware analysis. Various methods of memory acquisition exist, ranging from tools based on dedicated hardware to software-only solutions. We proposed a hypervisor-based memory acquisition tool [22]. Our method supports ASLR and modern operating systems, which is an innovation compared to past methods [27, 36]. We extend the hypervisor-assisted memory acquisition by adding mass storage device honeypots for the malware to cross, and propose hiding the hypervisor using blue pill technology.

Keywords: strategic defence and security studies; atomicity; operating systems software; honeypot; computer science; hypervisor; virtualization; memory forensics; mass storage; operating system; malware; malware analysis

Hypervisor-Based White Listing of Executables

2019

We describe an efficient system for ensuring the code integrity of an operating system (OS), both its own code and application code. The proposed system can protect against an attacker who has full control over the OS kernel. An evaluation of the system's performance suggests the induced overhead is negligible.

Keywords: operating systems; microprogramming; databases; virtualization; computer networks and communications; computer science; listing (computer); information systems; microcode; code (cryptography); overhead (computing); virtual machine monitors; information security; electrical and electronic engineering; image segmentation; strategic defence and security studies; Linux; hypervisor; monitoring; programming; executable
Published in: IEEE Security & Privacy

Creating modern blue pills and red pills

2019

The blue pill is a malicious stealthy hypervisor-based rootkit. The red pill is a software package designed to detect such blue pills. Since the blue pill was originally proposed there has been an ongoing arms race between developers who try to build stealthy hypervisors and developers who try to detect them. Furthermore, hardware advances have made several stealth attempts impossible, while other advances enable even stealthier operation. In this paper we describe the current status of detecting stealth hypervisors and methods to counter them.

Keywords: forensic investigation; forensics; virtualization; cybercrime; information security; cybersecurity; data breach; network attacks

Using Hypervisors to Overcome Structured Exception Handler Attacks

2019

Microsoft Windows is a family of client and server operating systems that needs no introduction. The Microsoft Windows operating system family has a feature that handles exceptions by storing the address of an exception handler on the stack. This feature is called SEH (Structured Exception Handler). When using SEH, the exception handler address is located on the stack just like a function return address. When an exception occurs, the address acts as a trampoline and EIP jumps to the SEH address. By overwriting the stack one can create a unique type of return-oriented programming (ROP) exploit that forces the instruction pointer to jump to a …

Keywords: Windows; malware; SEH; application control; hypervisor; information security; rootkit

Preventing Execution of Unauthorized Native-Code Software

2017

The business world is exhibiting a growing dependency on computer systems, their operations and the databases they contain. Unfortunately, it also suffers from an ever-growing recurrence of malicious software attacks. Malicious attack vectors are diverse, and the computer-security industry is producing an abundance of behavioral-pattern detections to combat the phenomenon. This paper proposes an alternative approach, based on the implementation of an attested, and thus trusted, thin hypervisor. Second-level address translation tables, governed and fully controlled by the hypervisor, are configured to assure that only pre-whitelisted instructions can be executed in the system. Thi…

Keywords: cybersecurity; whitelisting; trusted computing; hypervisor; attestation; APT protection

System for Executing Encrypted Native Programs

2017

An important aspect of protecting software from attack, theft of algorithms, or illegal software use is eliminating the possibility of reverse engineering. One common method of dealing with these issues is code obfuscation. However, in most cases it has been shown to be ineffective. Code encryption is a much more effective means of defying reverse engineering, but it requires managing a secret key available to none but the permitted users. The authors propose a new and innovative solution. Critical functions in protected software are encrypted using well-known encryption algorithms. Following verification by external attestation, a thin hypervisor is used as the basis of an eco-system …

Keywords: cyber-security; trusted computing; hypervisor; attestation

Arm security alternatives

2019

Many real-world scenarios, such as protecting DRM, online payments and NFC payments in embedded devices, require a trustworthy “trusted execution environment” (TEE) platform. The TEE should run on the ARM architecture, which is popular in embedded devices. Furthermore, past experience has proved that such a TEE platform should be available in source code form. Without the source code, third parties and users cannot conduct a code review audit. Lack of review casts doubt on the system as a trustworthy environment. The popular Android OS supports various TEE implementations. Each TEE OS implementation has its own unique way of deploying trusted applications (trustlets) and its own distinct fe…

Keywords: open source; online payment; virtualization; trusted computing; ARM architecture; TrustZone; cybersecurity