The R-Wall System
Concept of Multiple Kernel Scanning in detecting Malwares
Divyajyoti Das, KIIT University
Somesh Nanda, C.V.R.C.E
Plaban Mohanty, C.E.T
“IT Security for the Next Generation”
Asia Pacific & MEA Cup, Hong Kong
14-16 March, 2012
PAGE 2 |
"IT Security for the Next Generation", Asia Pacific & MEA Cup | 14-16 March 2012
MOTIVATION
One sample, Recycler.exe, run on two systems:
Windows 7: system behaves abnormally, crashes, all drives cleaned.
Ubuntu 10.10: system is normal.
OBSERVATION
RELATED WORK
1. MECHANISM OF FILE EXECUTION
2. MALWARE ATTACKING POINTS
3. EXPERIMENTS
4. OBSERVATIONS
5. GRAPHICAL MODEL
MECHANISM OF FILE EXECUTION
(What happens when we read a file?)

Sequence traced on the slide for a ReadFile() on File1.txt:
• Application started.
• ReadFile() (Win32 API, exported by kernel32.dll) called on File1.txt.
• kernel32.dll calls the NtReadFile() stub in ntdll.dll, which enters the kernel: int 2E on the slide; on modern Windows, including the Windows 7 used in the experiment, the stub uses sysenter on x86 and syscall on x64.
• KiSystemService (ntoskrnl.exe; KiSystemCall64 on x64) dispatches to NtReadFile().
• NtReadFile() processed.
• I/O subsystem (I/O Manager) called.
• IRP generated and handed down the driver stack (initiate I/O operation, driver.sys).
• Data at File1.txt requested from ntfs.sys.
• Data on D: requested from dmio.sys.
• Data on disk 2 requested from disk.sys.

Layers:
User mode: Application -> ReadFile() (Win32 API, kernel32.dll) -> NtReadFile() stub (ntdll.dll) -> system call (int 2E / sysenter / syscall)
Kernel mode: KiSystemService (ntoskrnl.exe) -> NtReadFile() (ntoskrnl.exe) -> I/O Manager -> Initiate I/O operation (driver.sys) -> File System Driver (ntfs.sys, …) -> Volume manager disk driver (ftdisk.sys, dmio.sys) -> Disk Driver (disk.sys) -> Disk port driver -> Disk miniport driver -> Disk Array (disks 1, 2, 3)
MALWARE ATTACKING POINTS
(Points where a malware can attack a file during its execution)

The same ReadFile() path, with the layer each attack sits in:

User mode (Application -> ReadFile() in kernel32.dll -> NtReadFile() stub in ntdll.dll -> system call):
• Binary replacement, e.g. a modified EXE or DLL on disk.
• Binary modification in memory.
• User-land hooking (of ReadFile(), of the ntdll stub, or of the import table that reaches them).

Kernel mode (KiSystemService -> NtReadFile() in ntoskrnl.exe -> I/O Manager -> driver.sys -> File System Driver (ntfs.sys, …) -> Volume manager disk driver (ftdisk.sys, dmio.sys) -> Disk Driver (disk.sys) -> Disk port driver -> Disk miniport driver -> Disk Array):
• Kernel hooking.
• Driver replacement.
• Direct Kernel Object Manipulation (DKOM).
• I/O Request Packet (IRP) hooking.
• Filter drivers: file system filter, volume filter, bus filter, disk filter.

An anti-virus running on the same kernel reads every file through this same path, so a hook at any one of these points can alter what the scanner sees. That is the case for observing a sample from a kernel the sample has not touched.
EXPERIMENT
A virus collection was run on Windows and on Linux test systems.
OBSERVATIONS
(Test results showing dependence of malware on the OS)

Windows:
BrO_AcT, Conficker, CIH, Fun, Hare, Shoerec, Simile, Shankar's Virus, Xpaj, Small, Godog, Xorer, Expiro, Pioneer;
Delf, Tvido, Magic, Calypso, Agent, Folcom, Xorer, Perrun, Trats, Dobom, Ostrich, Wide, Nawa, Grum, Hidrag, Teta, Parite;
Henkey.Rotten, Porex, Rufoll.1432, HLLO.Casbo, Sankei.4153, Redemption, Dybalom, DigiPog, Palevo, ShakBlades;
Bybz, WBNA, Randex, Cridex, Huhk, Karachun, Bursted, Rustock, xtail, DunDun, Expiro, Texel, TDSS, Gyd41, Folcom;
Cheburgen, Texel, NvrDoc, Sculament, Teta.8192, Velost.1186, Heised, Miam.3657, Beliad, Aegi, Vexi, Baros, Grurev.

Linux/Unix:
Ynit.827, Grip, Vampire, RcrGood, DerFunf, Corona, Kru, Fichier, Diesel.962;
Xone, Arches, Hasher, Rexob, Adore, Kork, Caveat, Alaeda, Nuxbee, Podlso;
Winux, ZipWorm, Millen, Slapper, Mighty, Vit, Droiddream, Kork, Bukowski;
Kagob a, Kagob b, Rike, RST, 42, Bliss;
Millen, Ramen, BadBunny, Arches.

Others:
Cosmac, BackTrack, EasyCrack, Lamer Exterminator;
ByteBandit, SCA, SevenDust, Weaponx, Nvp, Tweesh, TetraCycle;
Code1, Code252, Syst.2402, Kuarahy.4640;
HLLW.Cespol, Ganes.330;
Sillyc.213.
GRAPHICAL MODEL
Malware & Operating Systems: share of samples by platform (Windows, Linux, Windows & Linux, Other OS).

Cross-platform malware:
• Percentage of cross-platform malware is very low (less than 7%).
• Impact caused is moderate.
• Examples: IncognitoRAT, MSIL.Yakizake, Winux, DwnLdr, Boonana Trojan, KoobCls-A, KoobInst-A, KoobStrt-A.
CONCLUSION
IMPLEMENTATION
1. CONCEPT OF MULTIPLE KERNEL SCANNING
2. R-WALL : SOFTWARE APPROACH
3. R-WALL : EMBEDDED APPROACH
CONCEPT OF MULTIPLE KERNEL SCANNING
The same malware sample is fed to several different kernels (Kernel A, Kernel B, Kernel C) and the observation from each kernel is recorded separately. A sample that is inert on one kernel may misbehave on another, as Recycler.exe did, so the verdict is drawn from the whole set of observations rather than from the one host the user happens to run.
EMBEDDED APPROACH
IMAGINE: a wireless router that carries the anti-virus itself, R-Wall (Remote Wall), sitting between the network and the user's machine.
EMBEDDED ARCHITECTURE
Data path as drawn on the slide:
Modem -> Decision Engine (1): decide whether the data is browser-specific or system-specific.
Path A, browser-specific data: Script Emulator -> Report (A).
Path B, system-specific data: Real-Time Operating System (RTOS) running the Scanning Engine, the Sandbox and the Database (two scanning engine + sandbox instances are drawn) -> Report (B).
Data + Report (A), together with Report (B) -> Decision Engine (2): decide Allow/Block from Report (A) + Report (B).
Allowed data reaches the USER over USB or TCP/IP.
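The multiple kernel scanning concept and the two decision engines above, as one added example in Python that is not the authors' code. Decision Engine (1) is a format classifier (PE/ELF magic versus HTML/JavaScript markup); the script emulator is replaced by a static token scorer standing in for Report (A); Path B takes one report per sandbox kernel as input; Decision Engine (2) merges them into allow/block and records when a sample was hostile on more than one kernel. The names classify_data, emulate_script, KernelReport, Verdict and decide, the token weights, the hostile-behaviour list and the threshold of 4 are assumptions; the sandbox reports are constructed inputs, no sample is executed.

```python
"""Two-stage decision engine in the shape of the R-Wall embedded architecture.
Added example, not the authors' code.  Decision Engine (1) routes incoming
data: browser-specific content goes to a script emulator that yields Report A;
system-specific content (native executables) goes to several sandbox kernels,
each yielding a Report B.  Decision Engine (2) merges the reports into an
allow/block verdict and notes when a sample misbehaved on more than one kernel.
Token weights, behaviour list and thresholds are assumptions for the demo;
sandbox reports are constructed, no sample is executed."""
from dataclasses import dataclass, field


# ---- Decision Engine (1): browser-specific or system-specific data? ----

def classify_data(blob: bytes) -> str:
    """'system' for PE/ELF executables, 'browser' for HTML/JavaScript,
    'other' for anything the two analysis paths do not cover."""
    if blob.startswith(b"MZ") or blob.startswith(b"\x7fELF"):
        return "system"
    head = blob[:4096].lower()
    if b"<script" in head or b"<html" in head or b"javascript" in head:
        return "browser"
    return "other"


# ---- Path A: script emulator stand-in (static token scoring) ----

# Assumed weights: constructs that obfuscated web scripts lean on.
SUSPICIOUS_TOKENS = {
    "eval(": 2,
    "unescape(": 2,
    "fromcharcode": 2,
    "activexobject": 3,
    "document.write": 1,
}


def emulate_script(blob: bytes) -> dict:
    """Report A: weighted count of suspicious constructs in the script."""
    text = blob.decode("latin-1").lower()
    hits = {tok: text.count(tok) for tok in SUSPICIOUS_TOKENS if tok in text}
    score = sum(SUSPICIOUS_TOKENS[tok] * n for tok, n in hits.items())
    return {"path": "A", "score": score, "hits": hits}


# ---- Path B: one report per sandbox kernel ----

@dataclass
class KernelReport:
    kernel: str                      # e.g. "Windows 7", "Ubuntu 10.10"
    executed: bool                   # did the sample run on this kernel at all?
    observations: list = field(default_factory=list)


# Assumed: behaviours a sandbox observer reports that count as hostile.
HOSTILE_BEHAVIOURS = {
    "drive wipe", "crash", "self-replication", "driver install",
    "process injection", "persistence",
}


def kernel_is_hostile(report: KernelReport) -> bool:
    return report.executed and any(
        obs in HOSTILE_BEHAVIOURS for obs in report.observations)


# ---- Decision Engine (2): Report A + Report B -> allow / block ----

@dataclass
class Verdict:
    action: str                      # "allow" or "block"
    reason: str
    hostile_kernels: list = field(default_factory=list)


def decide(blob: bytes, kernel_reports=(), script_threshold: int = 4) -> Verdict:
    kind = classify_data(blob)
    if kind == "browser":
        report_a = emulate_script(blob)
        if report_a["score"] >= script_threshold:
            return Verdict("block", f"script emulator score {report_a['score']}")
        return Verdict("allow", "script emulator found nothing")
    if kind == "system":
        hostile = [r.kernel for r in kernel_reports if kernel_is_hostile(r)]
        if len(hostile) > 1:
            return Verdict("block", "cross-platform: hostile on " + ", ".join(hostile), hostile)
        if hostile:
            # Hostile on one kernel is enough: a sample that is inert on the
            # kernel the user happens to run is still blocked.
            return Verdict("block", "hostile on " + hostile[0], hostile)
        if not any(r.executed for r in kernel_reports):
            return Verdict("block", "no sandbox kernel could execute the sample")
        return Verdict("allow", "clean on every kernel that executed it")
    return Verdict("allow", "neither script nor executable; no analysis path")


if __name__ == "__main__":
    # Constructed inputs: a PE-like blob with reports modelled on the
    # Recycler.exe motivation (abnormal on Windows 7, inert on Ubuntu 10.10).
    pe_blob = b"MZ\x90\x00" + b"\x00" * 60
    reports = [
        KernelReport("Windows 7", True, ["crash", "drive wipe"]),
        KernelReport("Ubuntu 10.10", False),
    ]
    print(decide(pe_blob, reports))
    print(decide(b"<html><script>eval(unescape('%75'))</script></html>"))
```

Run as-is, the PE-like sample is blocked on the strength of the Windows 7 report alone even though Ubuntu 10.10 could not execute it, which is the Recycler.exe case from the motivation. Two design choices are worth stating: a sample that no kernel could execute is blocked rather than waved through, and data that is neither script nor executable passes untouched because the slide gives it no analysis path; an inline deployment would want that last case narrowed to the content types the router actually forwards.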
PROCESSOR SELECTION
ARM Cortex-A series (Cortex-A5, Cortex-A7, Cortex-A8, Cortex-A9, Cortex-A15)
• Frequency up to 2.5 GHz: Cortex-A8 1 GHz, Cortex-A9 2 GHz, Cortex-A15 2.5 GHz.
• Delivers up to 4000 DMIPS: Cortex-A8 2000 DMIPS, Cortex-A15 4000 DMIPS.
• Extensible RAM up to 512 MB.
• Superscalar core with a 13-stage integer pipeline (Cortex-A8).
• Memory tagged as secure or non-secure by the system (TrustZone).
• Full hardware virtualization and the Large Physical Address Extension (LPAE), which addresses physical memory beyond 4 GB (up to 1 TB).
• Support for a wide variety of operating systems.
KERNEL SELECTION
Real-Time Operating Systems considered:
• RTLinux
• QP (Quantum Platform)
• FunkOS
• FreeRTOS
• ChibiOS/RT
• BeRTOS
• On Time RTOS
• NuttX RTOS
TCP/IP STACK SELECTION
CMX-MicroNet
• CMX-MicroNet is an embedded TCP/IP stack specifically designed for optimized use of Flash and RAM resources on ARM Cortex processors.
• Offers true TCP/IP networking via direct, dial-up or Ethernet connectivity and wireless Ethernet (802.11b).
• Software solution; does not require an additional processor.
• Runs stand-alone or with any RTOS.
• Economical one-time fee.
• Full source code provided.
• Extremely small Flash/RAM requirements.
• Supported protocols: TCP, UDP, IP, PPP, SLIP, DHCP, FTP, TFTP, SMTP, HTTP, Web Server.
The protocol list carries no TLS; if the appliance's reports, signature updates or management traffic cross an untrusted network, transport security has to come from elsewhere.
SOFTWARE APPROACH
SOFTWARE ARCHITECTURE
Static heuristic:
• Signature-based detection
• Checksumming
• Known-plaintext cryptanalysis
• Statistical analysis
Dynamic heuristic:
• Emulation
• Sandbox A, Sandbox B, Sandbox C
Shared components:
• Run-time packers / archiving utilities
• Database
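The static half of that architecture, as an added example that is not the authors' code: checksumming against a hash database, signature-based detection with hex signatures that allow "??" wildcard bytes (the ClamAV signature form), and statistical analysis of byte entropy as the heuristic that flags what run-time packers and encryption hide from the first two stages. The hash database, the signatures, the sample blobs and the 7.2 bits/byte threshold are constructed assumptions; the function names are the example's own.

```python
"""Static stage of a scanning engine in the shape of the R-Wall software
architecture: checksum lookup, signature matching and a statistical heuristic.
Added example, not the authors' code.  The hash database, the signatures and
the samples are constructed for the demonstration; the entropy threshold is an
assumption.  Order matters: the exact checksum is cheapest, signatures next,
and the heuristic last, because packing or encryption defeats the first two
and leaves the entropy of the payload as the only static tell."""
import hashlib
import math
import re


def compile_hex_signature(sig: str) -> re.Pattern:
    """Turn a hex byte signature with '??' wildcards into a regex over bytes,
    e.g. '4d5a??00' matches b'MZ' + any one byte + 0x00."""
    if len(sig) % 2:
        raise ValueError("hex signature needs an even number of digits")
    parts = []
    for i in range(0, len(sig), 2):
        pair = sig[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes([int(pair, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Constructed known-bad sample and the checksum database built from it.
KNOWN_BAD = b"MZ\x90\x00" + b"demo-known-bad-sample"
HASH_DB = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Demo.KnownBad"}

# Constructed signature: 'MZ', two wildcard bytes, then the string DROPPER.
SIGNATURES = {
    "Demo.Dropper": compile_hex_signature("4d5a????" + b"DROPPER".hex()),
}


def scan(blob: bytes, entropy_threshold: float = 7.2) -> dict:
    """Run the three static checks in cost order and return the first hit."""
    digest = hashlib.sha256(blob).hexdigest()
    if digest in HASH_DB:                       # 1. checksumming
        return {"verdict": "malicious", "stage": "checksum", "family": HASH_DB[digest]}
    for family, pattern in SIGNATURES.items():  # 2. signature-based detection
        if pattern.search(blob):
            return {"verdict": "malicious", "stage": "signature", "family": family}
    entropy = shannon_entropy(blob)             # 3. statistical analysis
    if b"UPX!" in blob or entropy >= entropy_threshold:
        # Packed or encrypted: nothing static can say more, so hand the
        # sample on to emulation / the sandboxes.
        return {"verdict": "suspicious", "stage": "heuristic",
                "family": None, "entropy": round(entropy, 2)}
    return {"verdict": "clean", "stage": "heuristic", "family": None,
            "entropy": round(entropy, 2)}


if __name__ == "__main__":
    samples = {
        "known bad": KNOWN_BAD,
        "dropper": b"MZ\x90\x00DROPPER payload",
        "packed": b"MZ\x90\x00" + bytes(range(256)) * 4,
        "benign": b"MZ\x90\x00" + b"hello world " * 20,
    }
    for name, blob in samples.items():
        print(f"{name:10s} -> {scan(blob)}")
```

The "UPX!" marker is the one real packer tell used here; the entropy test is what catches a packer or crypter with no known marker, and a "suspicious" verdict is deliberately not a "malicious" one, because high entropy is also what a legitimately compressed or encrypted file looks like. That is why the slide's architecture hands such samples to the dynamic heuristic instead of deciding on the static result.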
SECURING R-WALL
MALWARE BELOW THE KERNEL
R-Wall stays secure against malware that lives below its own kernel (SMM, hypervisor, firmware) by:
1. Locking down the SMRAM (System Management Mode RAM) register in BIOS, i.e. setting the SMRAM lock bit (D_LCK on Intel chipsets) so the region cannot be reopened after boot.
2. Installing a Virtual Machine Monitor that prevents installation of other VMMs.
3. Disabling ACPI (Advanced Configuration and Power Interface) in BIOS and auditing the ACPI tables.
Hope you are now convinced that our concept can
“Re-engineer the Anti-Virus” !
Thank You
Divyajyoti Das, Kalinga Institute of Industrial Technology, Bhubaneswar
“IT Security for the Next Generation”
Asia Pacific & MEA Cup, Hong Kong
14-16 March, 2012
