The Semantic Gap Challenge - PowerPoint PPT Presentation

Loading...

PPT – The Semantic Gap Challenge PowerPoint presentation | free to download - id: 8610b9-Y2FhN



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

The Semantic Gap Challenge

Description:

The Semantic Gap Challenge ... they gain breaking into to at the cost of loosing the internal ... in the box This makes the anti malware system ... – PowerPoint PPT presentation

Number of Views:31
Avg rating:3.0/5.0
Slides: 29
Provided by: KMc125
Learn more at: http://cs.ucf.edu
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: The Semantic Gap Challenge


1
The Semantic Gap Challenge
  • Stealthy Malware Detection Through VMM-Based
    Out-of-the-Box Semantic View Reconstruction
  • November 2007
  • ACM Association for Computing Machinery
  • Authors Xuxian Jiang-North Carolina State
    University
  • Xinyuan Wang-George Mason Univeristy
  • Dongyan Xu-Purdue University

2
Definition
  • Semantic of, pertaining to, or arising from the
    different meanings
  • of words or other symbols
  • Semantics the study of meanings the language
    used to achieve a desired effect on an audience
    especially through the use of words with novel or
    dual meanings

3
Essential Data/Main Idea
  • There is a recent trend in malware to equip the
    software with stealthy techniques to detect,
    evade and avoid malware detection attempts The
    fundamental limitation of current host-based anti
    malware systems is they run inside the host they
    are protecting. This is called "in-the-box" which
    makes them vulnerable to counter detection and
    avoidance by certain malwares.
  • To fix this limitation, many solutions are using
    Virtual Machine technologies and placing the
    malware detection facilities outside of the
    protected VM bubble. This is called
    "out-of-the-box". Yet, they gain breaking into to
    at the cost of loosing the internal semantic view
    of the host which is enjoyed by the "in-the-box"
    approach. This causes a technical challenge
    called the "semantic gap".

4
Abstract
  • The paper about the design, implementation and
    evaluation of VM Watcher and "out of the box"
    approach that overcomes the semantic gap
    challenge.
  • New technique called "guest view casting"
  • Developed to reconstruct internal semantic views
    (files, ps and kernel modules) of VM from the
    outside, rather than typical inside approach.

5
Abstract
  • New technique casts semantic definitions of guest
    OS Data Structures and functions
  • Puts on the Virtual Machine Monitor (VMM) Level
    VM state
  • Semantic view reconstructed from multiple
    perspectives
  • Reconstruct these details for system call events
    (ps, call , parameters, return value) in the
    VM increases the semantic view.

6
Abstract
  • With semantic gap bridged we identify two unique
    malware detection capabilities
  • View comparison-based malware detection and it's
    demonstration in rootkit detection
  • Out of the box deployment of host based anti
    malware software with improved detection accuracy
    tamper resistance

7
Introduction
  • Internet malware-rootkits and bots are getting
    very sneaky and elusive. They hide their presence
    from detection factilities anti malware
    software
  • Host based anti malwared systems are installed
    and executed inside the hosts they are monitoring
    and protecting in the box
  • This makes the anti malware system visible,
    tangible, and unavoidable to the malware inside
    the host

8
Introduction
  • Now with Virtual Machine technologies we can use
    this to our advantage. Use the strong isolation
    and confines ps inside VM so that even if it's
    compromised by malware, it will be hard to
    compromise systems outside the VM
  • semantic gap between the VM view from inside
    the box vs outside the box
  • Inside views ps, files, kernel modules
  • Outside views memory pgs, registers, disk blocks

9
In the Box vs Out of the Box
10
VM Watcher
  • Advantages to both views.
  • VM Watcher-a VMM based out of the box approach
    overcomes the semantic gap challenge
  • It starts the Virtual Machine view in a non
    intrusive manner so it can inspect low level VM
    states without influencing the VM's execution
  • guest view casting a new technique

11
Guest View Casting
  • This new approach reconstructs the VMs internal
    view files, dir, ps, and kernel level modules
    for out of the box malware detection
  • Based on the observation that the guest Operating
    System of a VM provides all the necessary
    definitions of guest data structures functions
    to construct the VM sematic view cast them on
    the VMM level observation
  • Also externally remake the sematic view of the
    target Virtual Machine

12
Design Goals
  • VM Watcher should not disturb the system state of
    the VM being monitored
  • VM Watcher should narrow the sematic gap so that
    malware detection systems run inside the VM can
    also run outside the VM
  • VM Watcher should be generic and applicable to a
    wide range of existing VMMs.
  • 2 approaches full virtualization (VMWare, QEMU)
    para virtualization (Xen, User Mode Linux)

13
Enabling Techniques
  • Non Intrusive VM Introspection provide low level
    VM states externally. Non intrusive technique to
    gain full VM state including registers, memory
    disk
  • Guest View Casting external reconstruction of
    the sematic level view of VM thus bridging the
    semantic gap

14
Implementation
  • VM Watcher w/ 4 existing VM's VMWare, QEMU, Xen
    UML. The implemenation details
  • Open source VMM QEMU, Xen UML. Close source
    VMWare only exposes raw disk blocks raw memory
    pgs. Open source allows full access to low level
    VM states and events

15
Narrowing Semantic Gap
  • 3 unique detection monitoring capabilities
  • (i) view comparison based malware detection and
    its demonstration in rootkit detection
  • (ii) out-of-the-box deployment of off-the-shelf
    anti malware software with improved detection
    accuracy and tamper-resistance
  • (iii) nonintrusive system call monitoring for
    malware and intrusion behavior observation

16
Experiments
  • Evaluation experiments with real-world malware
  • Includes elusive kernel-level rootkits
  • Demonstrates VMwatcher's practicality and
    effectiveness
  • 1 Viewed comparison on volatile states
  • 2 Viewed comparison on persistent states
  • 3 Viewed comparison on both volatile
    persistent states
  • 4 Cross platform malware detection

17
1 View comparison on volatile states
  • Involves Windows kernel FU rootkit. It runs and
    hides in process w/ PID 336. VMWare running w/
    host OS is Scientific Linux 4.4 guest OS is
    Windows XP SP2.
  • Windows cmd shell PID 1080 is c reated and
    invokes the FU rootkit to hide ps 336. The hidden
    ps is running SSH. The Windows Task Mgr does not
    list the SSH client ps indicating that this ps
    has been hidden
  • Exposed by VM Watcher external view.

18
Experiment 1
  • The small box w/ solid lines indicates the
    SSHClient.exe ps which is not shown by Win Task
    Mgr.
  • VM Watcher can be readily adopted by real world
    honey pots to detect in the wild rootkit attacks.
  • Also recent incidents show the same FU rootkit
    has been actively used to hide the presence of
    advanced bots

19
Experiment 1
20
Ex 3-Adore-ng Rootkit
  • Advanced Linux kernel rootkit that replaces
    kernel level function pointers to hide files ps
  • Adore-ng infection on a Xen Fedora Core 4 Virtual
    Machine
  • Four xterm windows
  • 0 inside the VM where adore-ng kernel mod is
    loaded w/ backdoor ps PID 1490
  • 1 external view of VM mounted devices
  • 2 files under the dir /root/demo in the VM
  • 3 current running ps inside VM

21
Experiment 3- Volatile Persistant States
22
Out of the box Malware Detection
23
Anti-Virus Scanning Time
24
Summary
  • VM Watcher is a VMM approach that enables out of
    the box malware detection
  • Addresses the semantic gap challenge
  • VM Watcher has stronger tamper resistance by
    moving anti malware facilities out of the
    monitored VM while maintaining a current semantic
    view of the VM inside the box via external
    semantic view reconstruction

25
Summary
  • VM Watcher prototype on Linux and Windows
    platforms shows it's practical nature and
    effectivness
  • The experiments with real world self hiding
    rootkits demonstrates the power of new malware
    detection capabilites introducted by VM Watcher

26
Good/Bad Points
  • Good points very concrete experiments shown
    towards end of the paper that brought it all
    together
  • Used a variety of open source proprietary
    Operating Systems and current anti virus
    softwares in experimentations
  • Bad pointsWas not able to discuss Experiments 2
    and 4 due to time constraints (me)
  • Guest view casting Figures were confusing

27
Good/Bad Points
  • Vocabulary used was very extensive and advanced
  • With the technical nature of the paper, the
    vocabulary used should have been more basic in
    nature to facilitate better understanding
  • Had to reread the paper a few times to understand
    the jist of the paper

28
Improvements Future Work
  • Great experiments were done in relation to
    malware/rootkit detection
  • Virtual Machine experimentation was great. Liked
    the use of open source VM's such as Xen, QEMU,
    and UML.
  • Talked about different VM states full vs para
    virtualization. Future work with this would be
    great.
  • Further discussion of honey pots and in the
    wild rootkit attacks would improve the paper
About PowerShow.com