Uncategorized

The Threat of Virtualization: Hypervisor-Based Rootkits on the ARM Architecture

The Threat of Virtualization: Hypervisor-Based Rootkits on the ARM Architecture
Robert Buhren, Julian Vetter, Jan C. Nordholz

The virtualization capabilities of today’s systems offer rootk-its excellent hideouts, where they are fairly immune to countermeasures. In this paper, we evaluate the vulnerability to hypervisor-based rootkits of ARM-based platforms, considering both ARMv7 and ARMv8. We implement a proof-of-concept rootkit to prove the validity of our findings. We then detail the anatomy of an attack wherein a hypervisor rootkit and a userspace process collaborate to undermine the isolation properties enforced by the Linux kernel. Based on our discoveries, we explore the possibilities of mitigating each attack vector. Finally, we discuss methods to detect such highly privileged rootkits so as to conceive more effective countermeasures.

https://www.researchgate.net/publication/309770683_The_Threat_of_Virtualization_Hypervisor-Based_Rootkits_on_the_ARM_Architecture

 

Standard
Uncategorized

SimpleSvm: hypervisor for AMD Windows systems

SimpleSvm is a minimalistic educational hypervisor for Windows on AMD processors. It aims to provide small and explanational code to use Secure Virtual Machine (SVM), the AMD version of Intel VT-x, with Nested Page Tables (NPT) from a windows driver. SimpleSvm is inspired by SimpleVisor, an Intel x64/EM64T VT-x specific hypervisor for Windows, written by Alex Ionescu.

https://github.com/tandasat/SimpleSvm

Standard
Uncategorized

MemoryMonRWX: Windows hypervisor to detect rootkits

Modern malware and spyware platforms attack existing antivirus solutions and even Microsoft PatchGuard. To protect users and business systems new technologies developed by Intel and AMD CPUs may be applied. To deal with the new malware we propose monitoring and controlling access to the memory in real time using Intel VT-x with EPT. We have checked this concept by developing MemoryMonRWX, which is a bare-metal hypervisor. MemoryMonRWX is able to track and trap all types of memory access: read, write, and execute. MemoryMonRWX also has the following competitive advantages: fine-grained analysis, support of multi-core CPUs and 64-bit Windows 10. MemoryMonRWX is able to protect critical kernel memory areas even when PatchGuard has been disabled by malware. Its main innovative features are as follows: guaranteed interception of every memory access, resilience, and low performance degradation.

http://igorkorkin.blogspot.com/2017/03/memorymonrwx-detect-kernel-mode.html

Standard