Myth and Truth About Hypervisor-Based Kernel Protector: The Reason Why You Need Shadow-Box

Presented at Black Hat Asia 2017, March 31, 2017, 11:45 a.m. (60 minutes)

Protection mechanisms running at the kernel level (Ring 0) cannot completely prevent threats such as rootkits and kernel exploits, because those threats run with the same privileges and can subvert the protections. Protections therefore need to run with higher privileges. Creating a Ring -1 is feasible with virtualization technology (VT) such as ARM TrustZone, Intel VT-x, and AMD-V. Existing VT separates the system into a host (secure world, Ring -1) and a guest (normal world, Ring 0 to Ring 3). Previous research such as NumChecker, SecVisor, NICKLE, Lares, and OSck used VT to protect the kernel.

However, there is still room for improvement: OSes running in different worlds have a strong semantic gap, and the footprint of running multiple OSes causes system overhead. Relying on well-known hashes of loadable kernel modules (LKMs) and on a secure VM also restricts the deployment of the previous work in real-world environments. We want a practical and lightweight kernel protector for defending desktops, stick PCs, and mobile devices, so we designed one for real-world environments.

In this talk, we propose Shadow-box, a security monitoring framework for operating systems that uses state-of-the-art virtualization technology. Shadow-box has a novel architecture inspired by a shadow play. We built Shadow-box from scratch; it is primarily composed of a lightweight hypervisor and a security monitor. The lightweight hypervisor, Light-box, efficiently isolates an OS inside a guest machine and projects the static and dynamic kernel objects of the guest into the host machine, so that the security monitor in the host can investigate the projected images. The security monitor, Shadow-Watcher, places event monitors on static kernel elements and tests the security of dynamic kernel elements. We manipulate the address translations from guest physical addresses to host physical addresses in order to exclude unauthorized accesses to the host and hypervisor spaces. In that way, Shadow-box can properly introspect the guest operating system and mediate all accesses, even when the operating system is compromised.

We deployed Shadow-box in the real world last year and have been operating it successfully since. A real-world environment is different from a laboratory environment, so we have gone through many trials and errors over the year and learned lessons from them. We share our know-how about using virtualization technology and deploying research into the wild.
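
The address-translation mechanism described above, as an added example that is not part of the original talk or of Shadow-box's own code: a self-contained toy model in C of an EPT-style second-level page table. The hypervisor's own frames have no guest mapping at all, so any guest access to them traps to the hypervisor, and frames holding static kernel code are mapped without write permission, so a write of the kind a rootkit makes when patching kernel text also traps and can be reported to the monitor. The guest layout, page counts, host base address and function names are all assumptions chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example for this page, not Shadow-box's own code: a toy model of
 * the EPT-style guest-physical -> host-physical mapping that a thin
 * hypervisor uses to hide its own memory from the guest and to
 * write-protect static kernel objects. Layout, sizes, base addresses and
 * names below are assumptions chosen for illustration. */

#define PAGE_SHIFT   12
#define PAGE_SIZE    (1ULL << PAGE_SHIFT)
#define GUEST_PAGES  16ULL               /* toy guest physical space: 64 KiB */

/* Assumed toy guest layout (page frame numbers). */
#define KTEXT_FIRST  0                   /* static kernel code: frames 0-3   */
#define KTEXT_LAST   3
#define HV_FIRST     12                  /* hypervisor/host memory: 12-15    */
#define HV_LAST      15

/* Assumed host physical base where guest RAM is backed. */
#define GUEST_RAM_HPA_BASE 0x10000000ULL

/* Permission bits of one second-level (EPT-like) entry. */
enum { EPT_R = 1, EPT_W = 2, EPT_X = 4 };

struct ept_entry {
    uint64_t hpa;    /* host physical frame backing this guest frame */
    uint8_t  perms;  /* 0 = not present: any access exits to the hypervisor */
};

/* A single flat second-level table is enough for the toy guest. */
static struct ept_entry ept[GUEST_PAGES];

/* Build the table. Returns the number of guest frames that were mapped. */
unsigned ept_build(void)
{
    unsigned mapped = 0;
    memset(ept, 0, sizeof ept);
    for (unsigned gpfn = 0; gpfn < GUEST_PAGES; gpfn++) {
        if (gpfn >= HV_FIRST && gpfn <= HV_LAST)
            continue;                  /* hypervisor frames: deliberately unmapped */
        ept[gpfn].hpa = GUEST_RAM_HPA_BASE + ((uint64_t)gpfn << PAGE_SHIFT);
        if (gpfn >= KTEXT_FIRST && gpfn <= KTEXT_LAST)
            ept[gpfn].perms = EPT_R | EPT_X;          /* code: never writable */
        else
            ept[gpfn].perms = EPT_R | EPT_W | EPT_X;  /* ordinary RAM */
        mapped++;
    }
    return mapped;
}

/* Outcome of a guest access as the hypervisor would classify it. */
enum ept_result {
    EPT_OK,
    EPT_VIOLATION_RANGE,        /* GPA outside the guest's physical space */
    EPT_VIOLATION_NOT_PRESENT,  /* e.g. a guest probing hypervisor memory */
    EPT_VIOLATION_PERMS         /* e.g. a rootkit writing to kernel text */
};

/* Translate one guest physical address for an access of type `access`
 * (a combination of EPT_R/EPT_W/EPT_X). On EPT_OK, *hpa holds the result. */
enum ept_result ept_translate(uint64_t gpa, uint8_t access, uint64_t *hpa)
{
    uint64_t gpfn = gpa >> PAGE_SHIFT;
    if (gpfn >= GUEST_PAGES)
        return EPT_VIOLATION_RANGE;
    const struct ept_entry *e = &ept[gpfn];
    if (e->perms == 0)
        return EPT_VIOLATION_NOT_PRESENT;
    if ((e->perms & access) != access)
        return EPT_VIOLATION_PERMS;
    *hpa = e->hpa | (gpa & (PAGE_SIZE - 1));
    return EPT_OK;
}

/* Convenience wrappers that check one access at a time. */
enum ept_result ept_check(uint64_t gpa, uint8_t access)
{
    uint64_t hpa;
    return ept_translate(gpa, access, &hpa);
}

uint64_t ept_hpa_or_zero(uint64_t gpa, uint8_t access)
{
    uint64_t hpa = 0;
    return ept_translate(gpa, access, &hpa) == EPT_OK ? hpa : 0;
}

int main(void)
{
    static const char *const names[] = { "ok", "out of range", "not present", "permission" };
    ept_build();
    /* A legitimate data write, a rootkit-style write to kernel text, and a
     * probe of the hypervisor's frames: only the first is allowed through. */
    printf("write to data page 0x5000 -> %s\n", names[ept_check(0x5000, EPT_W)]);
    printf("write to kernel text 0x1000 -> %s\n", names[ept_check(0x1000, EPT_W)]);
    printf("read of hypervisor page 0xC000 -> %s\n", names[ept_check(0xC000, EPT_R)]);
    return 0;
}
```

On real hardware the not-present and permission cases both surface as an EPT violation VM exit; the hypervisor's exit handler is where a monitor such as the talk's Shadow-Watcher would inspect the faulting guest address and decide whether the access is an attack. The flat table here stands in for the multi-level EPT structure only for readability.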

Presenters:

  • Seunghun Han - Senior Security Researcher, National Security Research Institute of South Korea
    Seunghun Han is an Operating System Security Researcher at the National Security Research Institute of South Korea; before that he was a Firmware Engineer at Samsung Electronics. He was a speaker at HITBSecConf 2016 and authored the following works:
      - 64-bit multi-core OS principles and structure, volume 1 (ISBN-13: 978-8979148367)
      - 64-bit multi-core OS principles and structure, volume 2 (ISBN-13: 978-8979148374)
  • Junghwan Kang - Security Researcher, National Security Research Institute of South Korea
    Junghwan Kang is a security researcher at the National Security Research Institute of South Korea. He is interested in everything about information security and hacking. He participated in the final round of Codegate CTF 2009 and in other competitions. He currently studies techniques for enhancing the security of operating systems and open-source software.
