HyBIS: Windows Guest Protection through Advanced Memory Introspection
📝 Abstract
Effectively protecting the Windows OS is a challenging task, since most implementation details are not publicly known. Windows has always been the main target of malware that has exploited numerous bugs and vulnerabilities. Recent trusted boot and additional integrity checks have rendered the Windows OS less vulnerable to kernel-level rootkits. Nevertheless, guest Windows Virtual Machines are becoming an increasingly interesting attack target. In this work we introduce and analyze a novel Hypervisor-Based Introspection System (HyBIS) we developed for protecting Windows OSes from malware and rootkits. The HyBIS architecture is motivated and detailed, while targeted experimental results show its effectiveness. Comparison with related work highlights the main HyBIS advantages, such as effective semantic introspection, support for 64-bit architectures and for the latest Windows versions (8.x and 10), and advanced malware disabling capabilities. We believe the research effort reported here will pave the way to further advances in the security of Windows OSes.
📄 Content
Roberto Di Pietro, Federico Franzoni, Flavio Lombardi

Roberto Di Pietro is with Bell Labs, Cyber Security Research, 91620 Nozay, Paris, France. He is also with the Maths Dept., Univ. of Padua, Italy. E-mail: roberto.di_pietro@alcatel-lucent.com. Federico Franzoni holds an M.Sc. in Computer Science from Sapienza University of Rome, Italy. E-mail: fed.franzoni@gmail.com. Flavio Lombardi is with IAC-CNR, via dei Taurini 19, 00185, Rome, Italy. E-mail: flavio.lombardi@cnr.it.

Index Terms: Computer security, Memory Forensics, Introspection, Windows.

1 INTRODUCTION

Securing the Windows OS is a very challenging task, given its complexity and given that its internals are not publicly known. Over time, a large set of malware has targeted vulnerabilities in Windows OSes and services. Due to the very large installed base of Windows OSes, a great amount of new malware is produced every year, implementing advanced methods for detection avoidance. The problem is particularly interesting for recent Windows versions, which have not yet been fully analyzed by the research community. Among the different kinds of malware, rootkits represent the most complex and dangerous threats. In fact, rootkits can alter the system's perception of itself and conceal malicious activities over a long period of time (i.e. APTs [1]). In particular, modern rootkits can directly manipulate memory structures to further enhance their stealthiness. As such, security tools can hardly detect them and are usually unable to react to the infection. For this reason, rootkit detection is a vital task for protecting Windows, and it is therefore fundamental to make it as effective as possible.

1.1 Motivation

Current monitoring approaches cannot provide an adequate level of protection against rootkits targeting Windows OSes. In fact, most present solutions operate at the same level as rootkits do [2], [3]. By tampering with the functions leveraged by security tools, rootkits are able to evade detection from within the OS. Hence, anti-rootkit tools working at the OS level cannot be trusted in case of rootkit infection. When the OS is running in a virtual machine, however, this problem can be addressed in a different way. Such a scenario allows an external observation of the OS from a more trustworthy and isolated environment. This capability is provided by the hypervisor, which can directly access VM components without leveraging OS functions. Such a capability enables the adoption of virtual machine introspection (VMI) [4], [5], which consists of inferring the guest OS semantics from the analysis of the status of VM components.

VMI provides a valuable tool to counter rootkits, since they can hardly conceal their presence from a monitoring system that does not depend on OS functions. On the one hand, VMI on Windows guests is hard in practice, as it requires some specific OS information in order to make sense of raw machine data [5]. This is one of the challenges of our present work, and it is also one of its main contributions. On the other hand, VMI can be supported by forensic memory analysis (FMA), which provides the means for extracting OS information from raw memory data. In fact, as stated above, modern rootkits manipulate memory to avoid detection and can thus be identified by inspecting the same memory contents [6]. This is a clear advantage over rootkits and allows the implementation of more reliable security systems. Moreover, once the infection has been identified, the hypervisor also allows an effective reaction. In fact, by leveraging unfettered full access to physical resources, a security tool can directly manipulate the VM and stop rootkit activities. All these features render the hypervisor a very attractive place where to implement sec
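The cross-view idea behind combining VMI with FMA in the passage above, as an added example that is not part of the paper or of HyBIS: a constructed raw-memory image using a toy process-record layout (an assumption for this example, not Windows' real structures) in which one record has been unlinked from the list while its bytes stay in memory. Walking the list gives the in-guest view, carving records by tag out of raw memory gives the forensic view, and the difference between the two is the hidden entry.

```python
import struct

# Toy record layout, assumed for this example (not Windows' real process
# structure): tag, pid, flink (offset of next record, 0 = end), 16-byte name.
REC_FMT = "<4sIQ16s"                  # "<": packed, no alignment padding
REC_SIZE = struct.calcsize(REC_FMT)   # 32 bytes
TAG = b"PROC"
FLINK_OFF = 8                         # tag (4) + pid (4)

def build_image(procs, unlink_pid=None):
    """Constructed guest-memory image: records laid out back to back, each
    pointing to the next via flink. If unlink_pid is given, that record is
    dropped from the chain but its bytes stay in memory, the kind of
    structure manipulation the introduction describes."""
    base = 0x1000                     # list head sits at this offset
    img = bytearray(base)             # zero padding before the first record
    offsets = [base + i * REC_SIZE for i in range(len(procs))]
    for i, (pid, name) in enumerate(procs):
        nxt = offsets[i + 1] if i + 1 < len(procs) else 0
        img += struct.pack(REC_FMT, TAG, pid, nxt, name.encode().ljust(16, b"\0"))
    if unlink_pid is not None:
        i = [pid for pid, _ in procs].index(unlink_pid)   # head stays linked
        _, _, victim_next, _ = struct.unpack_from(REC_FMT, img, offsets[i])
        struct.pack_into("<Q", img, offsets[i - 1] + FLINK_OFF, victim_next)
    return bytes(img), base

def walk_list(img, head):
    """In-guest view: follow the linked list exactly as an OS API would."""
    pids, off = [], head
    while off:
        _, pid, flink, _ = struct.unpack_from(REC_FMT, img, off)
        pids.append(pid)
        off = flink
    return pids

def scan_raw(img):
    """FMA view: carve every record by its tag out of raw memory,
    whether or not anything still points to it."""
    pids, pos = [], img.find(TAG)
    while pos != -1:
        _, pid, _, _ = struct.unpack_from(REC_FMT, img, pos)
        pids.append(pid)
        pos = img.find(TAG, pos + REC_SIZE)
    return pids

def hidden_pids(img, head):
    """Cross-view check: records present in memory but missing from the list."""
    return sorted(set(scan_raw(img)) - set(walk_list(img, head)))
```

With the constructed four-record image and pid 666 unlinked, `walk_list` reports only three pids, `scan_raw` finds all four, and `hidden_pids` returns `[666]`.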