Understanding Memory Snapshotting by Vinod Ganapathy

Slide Note
Embed
Share

Explore the concept of memory snapshotting through images and insights shared by Vinod Ganapathy at the EECS Symposium. Delve into topics like malware detection, the layer-below principle, and the risks of OS infections due to exploits and social engineering attacks.

seymore_g
seymore_g Follow

Uploaded on Sep 22, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. How to snapshot memory Vinod Ganapathy vg@iisc.ac.in

  2. The layer-below principle The lower you go, the more control you have Least control User app User app gcc Utilities & Libraries ls, ps, & bash utilities libc Syscalls IDT Operating System Kernel Code Process List Hardware Most control CPU Memory I/O devices Vinod Ganapathy - EECS Symposium 2

  3. Example: Malware detection User app Utilities & Libraries Operating System Hardware Vinod Ganapathy - EECS Symposium 3

  4. Example: Malware detection User app Malware detector Utilities & Libraries Operating System Hardware Vinod Ganapathy - EECS Symposium 4

  5. Example: Malware detection User app Malware detector Trusted Layer Utilities & Libraries TCB ps ls cat Operating System Hardware Vinod Ganapathy - EECS Symposium 5

  6. Libraries may be compromised! User app Malware detector Utilities & Libraries ps ls cat Operating System Hardware Vinod Ganapathy - EECS Symposium 6

  7. Solution: Query the OS Query with syscall 1 2 OS reads file Returns true file content 3 User app Malware detector Utilities & Libraries 1 2 3 Operating System System call API TCB Hardware Vinod Ganapathy - EECS Symposium 7

  8. What if the OS is malicious? User app Malware detector Utilities & Libraries Operating System System call API Hardware Vinod Ganapathy - EECS Symposium 8

  9. How does an OS get infected? Exploits of kernel vulnerabilities: Injecting malicious code by exploiting a memory error in the kernel Privilege escalation attacks: Exploit a root process and use resulting administrative privileges to update the kernel Social engineering attacks: Trick user into installing fake kernel updates Defeated via signature verification of kernel updates Trivial to perform prior to the Windows Vista OS Vinod Ganapathy - EECS Symposium 9

  10. How prevalent are OS infections? 2010 Microsoft report: 7% of all infections from client machines due to rootkits[1] 2016 HummingBad Android rootkit:[2] Up to 85 million Android devices infected? Earns malware authors $300,000 each week through fraudulent mobile advertisements Used in many high-profile incidents: Torpig and Storm botnets Sony BMG (2005), Greek wiretapping (2004/5) Microsoft Malware Protection Center, Some Observations on Rootkits, January 2010, https://blogs.technet.microsoft.com/mmpc/2010/01/07/some-observations-on-rootkits [1] CheckPoint Software, From HummingBad to Worse, July 2016, http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf Vinod Ganapathy - EECS Symposium [2] 10

  11. How can we detect OS infection? Ask for help from the layers below User app Malware detector Utilities & Libraries Operating System System call API TCB Hypervisor (a.k.a. Virtual Machine Monitor) Hardware Vinod Ganapathy - EECS Symposium 11

  12. How low can we go? User app Malware detector Utilities & Libraries Operating System [Bluepill, Subvert] Hypervisor Hardware TCB Vinod Ganapathy - EECS Symposium 12

  13. How low can we go? User app Malware detector Utilities & Libraries Operating System Hardware ??? [Stuxnet, Trojaned ICs] TCB Vinod Ganapathy - EECS Symposium 13

  14. Todays talk Memory forensics: Using memory snapshots to detect system infection. Volatility Foundation Vinod Ganapathy - EECS Symposium 14

  15. Modus operandi Target machine Potentially rootkit-infected User app User app Utilities & Libraries Syscall Operating System Kernel Code Process List Hardware Physical Memory TCB Vinod Ganapathy - EECS Symposium 15

  16. Modus operandi Target machine Potentially rootkit-infected Analysis machine Trusted User app User app Utilities & Libraries Syscall Operating System Kernel Code Process List Hardware Physical Memory TCB Vinod Ganapathy - EECS Symposium 16

  17. Modus operandi Target machine Potentially rootkit-infected Analysis machine Trusted User app User app Utilities & Libraries Syscall Operating System Kernel Code Process List Snapshot of memory pages Hardware Physical Memory TCB Vinod Ganapathy - EECS Symposium 17

  18. Research questions How do we analyze memory snapshots? Large body of work (~15 years) on this topic. How can we snapshot memory pages without involving the target s OS? Focus of this talk! Vinod Ganapathy - EECS Symposium 18

  19. Snapshot acquisition mechanism Tamper resistance Performance isolation Snapshot consistency 1 2 3 Vinod Ganapathy - EECS Symposium 19

  20. Tamper resistance Tamper resistance Performance isolation Snapshot consistency Target should not interfere with snapshot acquisition Vinod Ganapathy - EECS Symposium 20

  21. Tamper resistance Tamper resistance Performance isolation Snapshot consistency Virtualization Target should not interfere with snapshot acquisition Hypervisor can fetch memory from virtual machine without OS involvement Operating System Virtual Hardware Physical Memory Hypervisor Vinod Ganapathy - EECS Symposium 21

  22. Tamper resistance Tamper resistance Performance isolation Snapshot consistency Virtualization Co-processor Target should not interfere with snapshot acquisition Co-processor uses DMA OS on target involved in DMA setup Malicious OS can hide portions of memory with malicious content Operating System Hardware Physical Memory Vinod Ganapathy - EECS Symposium 22

  23. Performance isolation Tamper resistance Performance isolation Snapshot consistency Virtualization Co-processor Do not halt the target during snapshot acquisition Necessary for situations where frequent snapshot acquisition is necessary Hypervisor-based acquisition requires pausing the virtual machine Co-processor can operate in concert with target Vinod Ganapathy - EECS Symposium 23

  24. Snapshot consistency Inconsistent snapshot Consistent snapshot 24

  25. Snapshot consistency Tamper resistance Performance isolation Snapshot consistency Virtualization Co-processor Snapshot should faithfully represent target s state at a given instant in time Operating System CONSISTENT F2 F1 T Hardware CONSISTENT Physical Memory NULL T + F2 F1 Vinod Ganapathy - EECS Symposium 25

  26. Snapshot consistency Tamper resistance Performance isolation Snapshot consistency Virtualization Co-processor Snapshot should faithfully represent target s state at a given instant in time Operating System INCONSISTENT F2 T + F1 T Hardware Co-processor cannot pause target. Snapshot may contain pages obtained at different instants in time Physical Memory Vinod Ganapathy - EECS Symposium 26

  27. Introducing SnipSnap Tamper resistance Performance isolation Snapshot consistency Virtualization Co-processor SnipSnap New hardware-based design for memory snapshotting. Proposed deployment? Via die-stacked manufacturing. Vinod Ganapathy - EECS Symposium 27

  28. Die-stacked chip On-chip memory (high-speed) CPU and Memory controller Picture courtesy of AMD Vinod Ganapathy - EECS Symposium 28

  29. Die-stacked chip Traditional (off-chip) DRAM memory On-chip memory (high-speed) Memory bus CPU and Memory controller Picture courtesy of AMD Vinod Ganapathy - EECS Symposium 29

  30. Our use of die-stacking Cache of off-chip DRAM memory Off-chip DRAM On-chip DRAM Memory bus Memory controller Crypto logic CPU On-chip DRAM treated as a page-granularity cache of off-chip DRAM memory Every address accessed by the CPU will result in the page frame being fetched to on-chip DRAM Vinod Ganapathy - EECS Symposium 30

  31. Triggering snapshot acquisition Off-chip DRAM On-chip DRAM Memory bus Memory controller Crypto logic CPU Trigger = Device that communicates to the CPU to enter snapshot acquisition mode: Physical device attached to South/NorthBridge that sends a non-maskable interrupt NIC with Wake-on-LAN-like feature Vinod Ganapathy - EECS Symposium 31

  32. Snapshot acquisition mode 1 Off-chip DRAM CoW Cache Memory bus Memory controller Crypto logic CPU Memory controller splits on-chip DRAM into two parts: Cache of off-chip DRAM memory Copy-on-Write (CoW) area Vinod Ganapathy - EECS Symposium 32

  33. Snapshot acquisition mode 2 Off-chip DRAM CoW Cache Fi Fi Memory bus Memory controller Crypto logic CPU Hardware brings one page frame of off-chip DRAM at a time to on-chip DRAM cache Vinod Ganapathy - EECS Symposium 33

  34. Snapshot acquisition mode 3 Off-chip DRAM + Page# + Rand# Fi CoW Cache Memory bus Memory controller Crypto logic CPU Crypto logic digitally signs contents of page: Random nonce used to prevent replay attacks Same nonce used for all pages in snapshot Vinod Ganapathy - EECS Symposium 34

  35. Snapshot acquisition mode 4 Off-chip DRAM + Page# + Rand# Fi CoW Cache Memory bus Memory controller Crypto logic CPU Disk Hardware instructs OS to write signed page to external medium: Even if OS is infected, it cannot cheat, since integrity of page is protected by the hardware Vinod Ganapathy - EECS Symposium 35

  36. Snapshot acquisition mode 5 Off-chip DRAM CoW Cache Fj Fj Memory bus Memory controller Crypto logic CPU CPU continues to execute concurrently: If it writes to page Fj that has not yet been copied Memory controller makes a copy of the original page in the Copy-on-Write area When hardware ready to snapshot Fj, copy created from Copy-on-Write area Vinod Ganapathy - EECS Symposium 36

  37. At conclusion of acquisition + 1 + R + N + R + 0 + R F1 FN F0 Consistent snapshot of off-chip memory at instant when acquisition was initiated Snapshot is tamper-resistant even to a corrupted OS Obtained without pausing target machine Vinod Ganapathy - EECS Symposium 37

  38. Security analysis + 1 + R + N + R + 0 + R F1 FN F0 Malicious OS cannot: Corrupt pages in snapshot: Integrity Hide pages from snapshot: Completeness Replay old snapshot: Freshness Clean itself during snapshot acquisition because Copy-on-Write stores original page: External control Verified SnipSnap s design using the TLA+ model checker [Lamport] Vinod Ganapathy - EECS Symposium 38

  39. Evaluation Hardware emulator using a NUMA system. Evaluated: Memory-intensive workloads canneal, dedup, memcached, graph500, mcf, cfar10, mnist Effectiveness of performance-isolation claim Time to procure full snapshot of memory 39

  40. Application performance with virtual machine-based snapshotting 3 Normalized performance degradation 2.5 2 1.5 1 512M 2G 8GB DRAM size net-100 net-10 ssd 40

  41. Application performance with SnipSnap-based snapshotting 2.8 Normalized performance degradation net-100 net-10 ssd 2.6 2.4 2.2 2 1.8 1.6 1.4 1.2 1 512M 2G 8GB 512M 2G 8GB Virtual machine SnipSnap DRAM sizes 41

  42. Thank you Vinod Ganapathy Google Secure, Consistent, High-Performance Memory Snapshotting for a copy of the paper

Related


Understanding Memory Organization in Computers

Understanding Memory Organization in Computers

manisa
Understanding Memory Organization in Computers

Understanding Memory Organization in Computers

capri
Understanding Memory Allocation in Operating Systems

Understanding Memory Allocation in Operating Systems

mae
Understanding Cache and Virtual Memory in Computer Systems

Understanding Cache and Virtual Memory in Computer Systems

katy
Understanding Memory Management in Operating Systems

Understanding Memory Management in Operating Systems

asriel
Understanding Memory Basics in Digital Systems

Understanding Memory Basics in Digital Systems

apenl
Understanding Shared Memory Architectures and Cache Coherence

Understanding Shared Memory Architectures and Cache Coherence

henri
Understanding Memory Encoding and Retention Processes

Understanding Memory Encoding and Retention Processes

maey813
Understanding Memory Management in Computer Systems

Understanding Memory Management in Computer Systems

guil_bin
Dynamic Memory Management Overview

Dynamic Memory Management Overview

wkam
Dynamic Memory Allocation in Computer Systems: An Overview

Dynamic Memory Allocation in Computer Systems: An Overview

kashton
Understanding AARCH64 Linux Kernel Memory Management

Understanding AARCH64 Linux Kernel Memory Management

ziva
Understanding Garbage Collection in Java Programming

Understanding Garbage Collection in Java Programming

elva
Understanding Memory Management in C Programming

Understanding Memory Management in C Programming

taan749
Understanding Your Memory System: A Guide to Enhancing Recall

Understanding Your Memory System: A Guide to Enhancing Recall

atl_wen
Enhancing Memory and Concentration Techniques for Academic Success

Enhancing Memory and Concentration Techniques for Academic Success

luz_gi
Managing Memory Pressure in Data-Parallel Programs

Managing Memory Pressure in Data-Parallel Programs

naue424
Enhancing Memory Security with H2ORAM and Secure Memory Techniques

Enhancing Memory Security with H2ORAM and Secure Memory Techniques

larimore_l
Comprehensive ICU Protocol for Sedation, Analgesia, and Delirium Control by Dr. Vinod Srivastava

Comprehensive ICU Protocol for Sedation, Analgesia, and Delirium Control by Dr. Vinod Srivastava

oslo
Understanding MIPS Part II: Memory Organization and Instructions

Understanding MIPS Part II: Memory Organization and Instructions

dulce
Understanding Memory Units in Computing

Understanding Memory Units in Computing

maryam
Understanding Computer Memory Systems and Organization

Understanding Computer Memory Systems and Organization

bessie
Memory Management Techniques in Operating Systems

Memory Management Techniques in Operating Systems

izuku
Understanding Memory Management Concepts at Carnegie Mellon University

Understanding Memory Management Concepts at Carnegie Mellon University

faizan

More Related Content

Understanding How Your Brain Works: Memory, Attention, and Processing
Understanding How Your Brain Works: Memory, Attention, and Processing
Understanding Dynamic Memory Allocation in C++ with Memory Diagrams
Understanding Dynamic Memory Allocation in C++ with Memory Diagrams
Understanding Dynamic Memory Allocation in Programming
Understanding Dynamic Memory Allocation in Programming
Understanding SQL Server Memory Architecture and Debugging Memory Issues
Understanding SQL Server Memory Architecture and Debugging Memory Issues
Theories of Long-Term Memory: Types and Evidence
Theories of Long-Term Memory: Types and Evidence
Managing DRAM Latency Divergence in Irregular GPGPU Applications
Managing DRAM Latency Divergence in Irregular GPGPU Applications
Enhancing Memory with the Memory Journey Technique
Enhancing Memory with the Memory Journey Technique
Understanding Memory Allocation in C Programming
Understanding Memory Allocation in C Programming
Understanding Modern C++ Memory Management and Smart Pointers in Programming Labs
Understanding Modern C++ Memory Management and Smart Pointers in Programming Labs
Understanding Shape Memory Alloys: Properties and Applications
Understanding Shape Memory Alloys: Properties and Applications
Understanding Shared Memory Architectures and Cache Coherence
Understanding Shared Memory Architectures and Cache Coherence
Understanding Shared Memory Systems in Computer Architecture
Understanding Shared Memory Systems in Computer Architecture
Understanding the Basics of Memory Functioning
Understanding the Basics of Memory Functioning
Understanding Bartlett's Theory of Reconstructive Memory
Understanding Bartlett's Theory of Reconstructive Memory
Understanding Memory Management Techniques: Segmentation vs. Paging
Understanding Memory Management Techniques: Segmentation vs. Paging
Understanding Memory Layout and Allocation in Computer Systems at Carnegie Mellon University
Understanding Memory Layout and Allocation in Computer Systems at Carnegie Mellon University
Understanding Caches and the Memory Hierarchy in Computer Systems
Understanding Caches and the Memory Hierarchy in Computer Systems
Memory Management Strategies in Operating Systems
Memory Management Strategies in Operating Systems
Home and Leisure Accident Prevention and Memory Disorders Awareness
Home and Leisure Accident Prevention and Memory Disorders Awareness
ConCORD: Exploiting Memory Content Redundancy Through Content-aware Services
ConCORD: Exploiting Memory Content Redundancy Through Content-aware Services
Overcoming Memory Constraints in Deep Neural Network Design
Overcoming Memory Constraints in Deep Neural Network Design
Understanding Descriptor Tables and Registers in Computer Systems
Understanding Descriptor Tables and Registers in Computer Systems
Understanding Computer Memory Fundamentals
Understanding Computer Memory Fundamentals
Understanding Sequential Logic in NUS CS2100 Lecture #19
Understanding Sequential Logic in NUS CS2100 Lecture #19