Subverting system authentication with context-aware, reactive virtual machine introspection

Proceedings of the 29th Annual Computer Security Applications Conference Pub Date : 2013-12-09 DOI:10.1145/2523649.2523664

Yangchun Fu, Zhiqiang Lin, Kevin W. Hamlen

{"title":"Subverting system authentication with context-aware, reactive virtual machine introspection","authors":"Yangchun Fu, Zhiqiang Lin, Kevin W. Hamlen","doi":"10.1145/2523649.2523664","DOIUrl":null,"url":null,"abstract":"Recent advances in bridging the semantic gap between virtual machines (VMs) and their guest processes have a dark side: They can be abused to subvert and compromise VM file system images and process images. To demonstrate this alarming capability, a context-aware, reactive VM Introspection (VMI) instrument is presented and leveraged to automatically break the authentication mechanisms of both Linux and Windows operating systems. By bridging the semantic gap, the attack is able to automatically identify critical decision points where authentication succeeds or fails at the binary level. It can then leverage the VMI to transparently corrupt the control-flow or data-flow of the victim OS at that point, resulting in successful authentication without any password-guessing or encryption-cracking. The approach is highly flexible (threatening a broad class of authentication implementations), practical (realizable against real-world OSes and VM images), and useful for both malicious attacks and forensics analysis of virtualized systems and software.","PeriodicalId":127404,"journal":{"name":"Proceedings of the 29th Annual Computer Security Applications Conference","volume":"2018 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2013-12-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"6","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 29th Annual Computer Security Applications Conference","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2523649.2523664","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 6

Abstract

Recent advances in bridging the semantic gap between virtual machines (VMs) and their guest processes have a dark side: They can be abused to subvert and compromise VM file system images and process images. To demonstrate this alarming capability, a context-aware, reactive VM Introspection (VMI) instrument is presented and leveraged to automatically break the authentication mechanisms of both Linux and Windows operating systems. By bridging the semantic gap, the attack is able to automatically identify critical decision points where authentication succeeds or fails at the binary level. It can then leverage the VMI to transparently corrupt the control-flow or data-flow of the victim OS at that point, resulting in successful authentication without any password-guessing or encryption-cracking. The approach is highly flexible (threatening a broad class of authentication implementations), practical (realizable against real-world OSes and VM images), and useful for both malicious attacks and forensics analysis of virtualized systems and software.

查看原文本刊更多论文

通过上下文感知、响应式虚拟机自省来颠覆系统身份验证

最近在弥合虚拟机(VM)及其来宾进程之间的语义差距方面取得的进展有一个缺点:它们可能被滥用来破坏和破坏VM文件系统映像和进程映像。为了演示这种警报功能，本文提出了一种上下文感知的响应式VM Introspection (VMI)工具，并利用它自动破坏Linux和Windows操作系统的身份验证机制。通过弥合语义差距，攻击能够在二进制级别自动识别身份验证成功或失败的关键决策点。然后，它可以利用VMI透明地破坏受害操作系统的控制流或数据流，从而在没有任何密码猜测或加密破解的情况下成功进行身份验证。该方法非常灵活(威胁到广泛的身份验证实现类别)、实用(可针对现实世界的操作系统和VM映像实现)，并且对于恶意攻击和虚拟化系统和软件的取证分析都很有用。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 29th Annual Computer Security Applications Conference

自引率

0.00%

发文量