Annual Computer Security Applications Conference (ACSAC) 2013

Subverting System Authentication Using Context-Aware, Reactive Virtual Machine Introspection

Recent advances in bridging the semantic gap between virtual machines (VMs) and their guest processes have a dark side: They can be abused to subvert and compromise VM file system images and process images. To demonstrate this alarming capability, a context-aware, reactive VM Introspection (VMI) instrument is presented and leveraged to automatically subvert the authentication mechanisms of Linux and Windows operating systems. By bridging the semantic gap, the attack is able to automatically identify critical decision points where authentication succeeds or fails at the binary level. It can then leverage the VMI to transparently corrupt the control-flow or data-flow of the victim OS at that point, resulting in successful authentication without any password-guessing or encryption-cracking. The approach is highly flexible (threatening a broad class of authentication implementations), practical (realizable against real-world OSes and VM images), and useful for both malicious attacks and forensics analysis of virtualized systems and software.

Author(s):

Yangchun Fu    
University of Texas at Dallas
United States

Zhiqiang Lin    
University of Texas at Dallas
United States

Kevin W. Hamlen    
University of Texas at Dallas
United States

 
