Shadow-Box: The Practical and Omnipotent Sandbox


Protection mechanisms running at the kernel level (Ring 0) cannot completely prevent security threats such as rootkits and kernel exploits, because the threats can subvert the protections with the same privileges. Protections need to be provided with higher privileges. Creating Ring -1 is plausible using virtualization technologies (VT) such as ARM TrustZone, Intel VT-x, and AMD-V. Existing VT can separate the worlds in a host (secure world, ring -1) and a guest (normal world, ring 0 to ring 3). However, there is still room for improvement: OSes running in different worlds may have semantic gaps, and the footprint of running multiple OSes can be reduced to suit stick PCs and mobile devices with limited resources (CPU, memory, power).

In this paper, we propose a security monitoring framework for operating systems, which we call Shadow-box, that exploits state-of-the-art virtualization technologies. Shadow-box has a novel architecture design inspired by shadow play. We built Shadow-box from scratch; it is primarily composed of a lightweight hypervisor and a security monitor. The lightweight hypervisor, LightBox, efficiently isolates an OS inside a guest machine and projects the static and dynamic kernel objects of the guest into the host machine, so that our security monitor in the host can investigate the projected images. The security monitor, Shadow-Watcher, places event monitors on static kernel elements and tests the security of dynamic kernel elements. We manipulate address translations from the guest physical address to the host physical address in order to exclude unauthorized accesses to the host and hypervisor spaces. In that way, Shadow-box can properly introspect the guest operating system and mediate all accesses, even when the operating system is compromised.
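The last two sentences describe the key enforcement point: whatever the guest kernel does with its own page tables, every guest physical address still passes through a hypervisor-controlled second-stage translation, so the hypervisor can leave its own memory unmapped and make static kernel elements (such as kernel text) non-writable. The following is an added example, not Shadow-box's own code, that models such a second-stage table in C: a one-level guest-frame to host-frame map with EPT-style read/write/execute bits. The memory layout (64 guest frames, frames 0-7 reserved for the hypervisor, frames 8-15 as kernel text) is constructed for the demonstration.

```c
/* Added example (not Shadow-box source): a simplified model of the
 * guest-physical -> host-physical translation table that a hypervisor
 * controls (Intel calls the real mechanism EPT). It shows how the host
 * excludes its own memory from the guest and makes kernel text read-only.
 * The layout and all addresses below are constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define NR_GUEST_FRAMES 64          /* constructed: 256 KiB of guest RAM */

/* Permission bits of a translation entry, EPT-style. */
enum { PERM_R = 1, PERM_W = 2, PERM_X = 4 };

/* One entry per guest physical frame: target host frame plus permissions.
 * present == 0 means the guest has no mapping at all (hypervisor memory). */
struct ept_entry {
    int present;
    uint64_t host_frame;
    unsigned perms;
};

struct ept {
    struct ept_entry e[NR_GUEST_FRAMES];
};

enum access { ACCESS_READ = PERM_R, ACCESS_WRITE = PERM_W, ACCESS_EXEC = PERM_X };
enum xlate_result { XLATE_OK = 0, XLATE_UNMAPPED = 1, XLATE_PERM_VIOLATION = 2 };

/* Constructed layout: frames [0,8) belong to the host/hypervisor (left
 * unmapped), frames [8,16) are kernel text (read + execute only), and
 * every other frame is ordinary read/write/execute guest memory. */
#define HV_FRAME_LO    0
#define HV_FRAME_HI    8
#define KTEXT_FRAME_LO 8
#define KTEXT_FRAME_HI 16

/* Build the identity mapping the hypervisor hands to the guest. */
void ept_init(struct ept *t) {
    memset(t, 0, sizeof *t);
    for (uint64_t gfn = 0; gfn < NR_GUEST_FRAMES; gfn++) {
        if (gfn >= HV_FRAME_LO && gfn < HV_FRAME_HI)
            continue;                      /* hypervisor region: no entry */
        t->e[gfn].present = 1;
        t->e[gfn].host_frame = gfn;        /* identity map guest -> host */
        if (gfn >= KTEXT_FRAME_LO && gfn < KTEXT_FRAME_HI)
            t->e[gfn].perms = PERM_R | PERM_X;          /* static kernel text */
        else
            t->e[gfn].perms = PERM_R | PERM_W | PERM_X; /* ordinary guest RAM */
    }
}

/* Second-stage walk: translate a guest physical address for one access type.
 * A guest cannot bypass this step, because only the hypervisor edits the table. */
enum xlate_result ept_translate(const struct ept *t, uint64_t gpa,
                                enum access a, uint64_t *hpa) {
    uint64_t gfn = gpa >> PAGE_SHIFT;
    if (gfn >= NR_GUEST_FRAMES || !t->e[gfn].present)
        return XLATE_UNMAPPED;             /* hypervisor space or beyond RAM */
    if ((t->e[gfn].perms & (unsigned)a) != (unsigned)a)
        return XLATE_PERM_VIOLATION;       /* e.g. write to kernel text */
    if (hpa)
        *hpa = (t->e[gfn].host_frame << PAGE_SHIFT) | (gpa & (PAGE_SIZE - 1));
    return XLATE_OK;
}

/* Convenience wrappers over one lazily initialised table, so the checks
 * can be exercised without threading a struct through every call. */
static struct ept g_table;
static int g_table_ready;

enum xlate_result check_access(uint64_t gpa, enum access a) {
    if (!g_table_ready) { ept_init(&g_table); g_table_ready = 1; }
    return ept_translate(&g_table, gpa, a, NULL);
}

/* Returns the host physical address, or UINT64_MAX if the access is denied. */
uint64_t host_of(uint64_t gpa, enum access a) {
    uint64_t hpa;
    if (!g_table_ready) { ept_init(&g_table); g_table_ready = 1; }
    return ept_translate(&g_table, gpa, a, &hpa) == XLATE_OK ? hpa : UINT64_MAX;
}

int main(void) {
    static const char *names[] = { "OK", "UNMAPPED", "PERM_VIOLATION" };
    printf("read  hypervisor frame 2 : %s\n", names[check_access(0x2000, ACCESS_READ)]);
    printf("write kernel text frame 9: %s\n", names[check_access(0x9000, ACCESS_WRITE)]);
    printf("exec  kernel text frame 9: %s\n", names[check_access(0x9000, ACCESS_EXEC)]);
    printf("write guest RAM frame 32 : %s\n", names[check_access(0x20abc, ACCESS_WRITE)]);
    return 0;
}
```

The denied cases are exactly the events a monitor in the host would want reported: a guest write into kernel text is the signature of a code-patching rootkit, and any touch of the unmapped hypervisor frames means the guest is probing memory it should not know about.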

Shadow-box has a small footprint and a small code base (assembly and C). It also features a flexible architecture. We chose a loadable kernel module (LKM) architecture and avoided kernel code modification. As a result, Shadow-box can be applied to various versions of Linux and Android easily, and all the protections are applied to an existing system on the fly. Because of these features, it can be used for various purposes, such as malware defense and analysis, information flow control, and auditing. For our demo, we implement an integrity protector for an operating system kernel and show how it effectively neutralizes well-known rootkits and malicious root accesses by malware in Linux.

CONFERENCE

Location: Track 2
Date: April 13, 2017
Time: 4:30 pm - 5:30 pm
Speaker: Seunghun Han