Sandor Lukacs
Technical University of Cluj-Napoca
Publications
Featured research published by Sandor Lukacs.
international conference on information technology | 2016
Dan Luţaş; Adrian Colesa; Sandor Lukacs; Andrei Luţaş
Forensic analysis of volatile memory is a crucial part of the Incident Response process. Traditionally, it requires acquiring a memory dump from the affected workstation and transferring it to the analyst's system, where it is analyzed using established forensic tools such as Volatility or Rekall. Hardware-based virtualization support in modern x86 CPUs has previously been used on endpoints to acquire volatile memory in a way that cannot be interfered with by malware, but this approach does not allow existing forensic tools to be reused for live analysis. We introduce a system that leverages a small, security-oriented hypervisor (HV) to run the original endpoint's OS inside a virtual machine (VM), alongside another VM dedicated to live forensic analysis using existing forensic tools. The HV enforces isolation between the analyzed OS and the forensic VM, while allowing a reliable remote connection to the forensic VM through a dedicated physical network card.
trust and trustworthy computing | 2015
Andrei Luţaş; Sandor Lukacs; Adrian Colesa; Dan Luţaş
Hypervisor-based memory introspection can greatly enhance the security and trustworthiness of endpoints. The memory introspection logic requires numerous memory address space translations, which in turn inevitably impose a considerable performance penalty. We identified that a significant part of the overall overhead induced by introspection is generated by mapping guest pages into the virtual memory space of the hypervisor. We show that even with highly efficient software caching, the mapping overhead remains significant. We propose several new x86 instructions that can fully eliminate the mapping overhead from memory introspection techniques; we give performance estimates for them and argue why we strongly believe implementing such instructions is feasible. The introspection logic also relies on monitoring guest page tables. Here we identified a second important source of performance overhead, showing that numerous VM-exits induced by EPT violations are caused by the CPU updating page table A/D bits. We propose a set of simple x86 architectural modifications that can fully eliminate this overhead.
ieee international conference on automation quality and testing robotics | 2016
Sandor Lukacs; Adrian Colesa; Gheorghe Sebestyen
We propose a probabilistic symmetric encryption method that relies heavily on true-random numbers, both to XOR the plaintext with a random block of at least equal length (as in an OTP) and to disperse the resulting data at bit level into even more randomness. Our method has several highly desirable security properties. It is resistant to both CPA2 and CCA2 attacks, and it has provably ideal statistical properties, assuming that the attacker cannot break two different 256-bit hash functions at the same time and that a good randomness source is available. Relying on multiple encryption layers, we argue that our method remains safe even if the second-layer block cipher (AES256 in our implementation example) and/or at most one of the involved hash functions is mathematically broken. The proposed method generates considerable ciphertext expansion, and the bit-level operations take significantly more time than Intel hardware-accelerated AES. However, our implementation shows that the Intel BMI2 instruction set can offer an over 30x speedup for the underlying bit-level dispersion algorithm, making our approach affordable performance-wise.
trust and trustworthy computing | 2015
Adrian Colesa; Sandor Lukacs; Vlad Topan; Radu I. Ciocas; Adrian Augustin Pop
We propose a method to provide users with a trusted, secure environment in which to run their security-sensitive applications. Our solution runs user applications in different virtual machines (VMs): security-sensitive applications in a trusted green VM and all others in an untrusted red VM. We isolate the two VMs using hardware virtualization mechanisms and run them alternately. This contributes to a smaller hypervisor, safer VM isolation and trusted I/O channels to the green VM. Switching between VMs is based on ACPI S3 sleep events. The trustworthiness of the green VM is sustained by its reduced and restricted software stack and its launch-time integrity attestation. We focus on reducing the red-to-green VM switching time by applying a stateless strategy for the green VM: it uses a RAM disk and is started in a pristine state every time a red-to-green VM switch is performed. We load the green VM's image into memory and reserve memory space for the green VM at boot time. This leads to a lower switching time of about 18 s.
Archive | 2012
Sandor Lukacs; Dan H. Lutas; Raul V. Tosa
Archive | 2012
Raul V. Tosa; Sandor Lukacs; Dan H. Lutas
Archive | 2012
Sandor Lukacs; Dan H. Lutas; Raul V. Tosa
Archive | 2013
Sandor Lukacs; Raul-Vasile Tosa; Paul-Daniel Boca; Gheorghe-Florin Hajmasan; Andrei-Vlad Lutas
Archive | 2014
Bogdan C. Dumitru; Sandor Lukacs; Dan H. Lutas; Raul V. Tosa
Archive | 2013
Sandor Lukacs; Radu I. Ciocas; Vlad Topan; Adrian Colesa; Raul V. Tosa