Skip to content
Sunny Raj edited this page Oct 15, 2016 · 3 revisions

Virtual Machine Introspection

The kernel module we have is a character device, that reads input from a userspace program, stores the contents into an array, and then writes it back when asked. What we are trying to achieve is to cause a buffer overflow, in the kernel module itself. This will be caused when we write past the array size in the module. In theory, we should be able to use libvmi or something similar to be able to detect this after it has happened, and we can roll back to the previous checkpoint once we detect it. Trying to prevent this is not our motive and it is a whole another research area(that Wei is working on as an intern). Our motive is to prevent further damage and rollback as soon as we can.

To do this, currently lets assume the following empty array.

+--+--+--+--+--+--+--+--+--+--+--+
|  |  |  |  |  |  |  |  |  |  |  |
+--+--+--+--+--+--+--+--+--+--+--+

At a known index in the array, lets say at index 5, we will insert a canary (a sequence of bits/char> s).

+--+--+--+--+---+---+---+---+---+---+
|  |  |  |  | C | A | N | A | R | y |
+--+--+--+--+---+---+---+---+---+---+

We will pretend that if someone writes to the array and our canary is modified, they have caused a buffer overflow.

+---+---+---+---+-----+---+---+---+---+---+
| S | U | N | N | *Y* | A | N | A | R | y |
+---+---+---+---+-----+---+---+---+---+---+

In the above case, the canary has been overwritten and there has been a buffer overflow.

Our first task is to cause this buffer overflow and be able to check that the overflow indeed happened. Our next and the difficult task is to detect this from the hypervisor level. We assume we will have very minimal help from Dom-U, which libvmi already needs - the addresses of the kernel data structure. In our case, we would know the starting address of the inserted kernel module and the array in the module.

Superficial Questions

  1. What is the use of the Backup VM? - Preserve history, increase parallelism?
  2. Which checkpoints to save/forget? Can we intelligently choose which checkpoints to save?
  3. What is a scan? What types of scan can we be doing?
  4. What all ca we scan?
    • Static known good pages?
    • Canaries on Kernel Data structure - Need help from the kernel.
    • Process white/black list.
  5. What can we do after a detection of an attack?
    • Rollback to checkpoint before the attack (Primary or Backup).
    • Repeat to see if the attack was transient (more carefully rescan).
    • Need an easy way to get back to the start of the (previous) checkpoint.
    • Run in sandbox after rolling back.
    • Run a detailed network traffic inspection.
    • Flag attacked pages and watch when it is written to (using LIBBDVMI).
    • Get a stack trace?
  6. Why is suspend/resume expensive? What code is executed when a remus suspend is called? How is it different from pause/unpause?
Clone this wiki locally