Journal of Convergence for Information Technology (융합정보논문지)

Convergence Society for SMB (중소기업융합학회)
권호 표지
DOI QR코드

DOI QR Code

Meltdown Threat Dynamic Detection Mechanism using Decision-Tree based Machine Learning Method

의사결정트리 기반 머신러닝 기법을 적용한 멜트다운 취약점 동적 탐지 메커니즘

  • Lee, Jae-Kyu (Division of Computer Engineering, Hanshin University) ;
  • Lee, Hyung-Woo (Division of Computer Engineering, Hanshin University)
  • 이재규 (한신대학교 컴퓨터공학부) ;
  • 이형우 (한신대학교 컴퓨터공학부)
  • Received : 2018.10.18
  • Accepted : 2018.12.20
  • Published : 2018.12.31
Download PDF
⟨ Previous Next ⟩

Abstract

In this paper, we propose a method to detect and block Meltdown malicious code which is increasing rapidly using dynamic sandbox tool. Although some patches are available for the vulnerability of Meltdown attack, patches are not applied intentionally due to the performance degradation of the system. Therefore, we propose a method to overcome the limitation of existing signature detection method by using machine learning method for infrastructures without active patches. First, to understand the principle of meltdown, we analyze operating system driving methods such as virtual memory, memory privilege check, pipelining and guessing execution, and CPU cache. And then, we extracted data by using Linux strace tool for detecting Meltdown malware. Finally, we implemented a decision tree based dynamic detection mechanism to identify the meltdown malicious code efficiently.

본 논문은 동적 샌드박스 도구를 이용하여 최근 급증하고 있는 멜트다운(Meltdown) 악성코드를 사전에 검출 및 차단하는 방법을 제시하였다. 멜트다운 공격 취약점에 대한 패치가 일부 제공되고 있으나 여전히 해당 시스템의 성능 저하 등의 이유로 의도적으로 패치를 적용하지 않는 경우가 많다. 이와 같이 적극적인 패치가 적용되지 않은 인프라를 위해 머신러닝 기법을 이용하여 기존의 시그니처 탐지 방식의 한계를 극복하는 방법을 제시하였다. 우선 멜트다운의 원리를 이해하기 위해 가상 메모리, 메모리 권한 체크, 파이프 라이닝과 추측 실행, CPU 캐시 등 4가지의 운영체제 구동 방식을 분석하고 이를 토대로 멜트다운 악성코드에 리눅스 strace 도구를 활용하여 데이터를 추출하는 메커니즘을 제공하였으며 이를 기반으로 의사 결정 트리 기법을 적용하여 멜트다운 악성코드를 판별하는 메커니즘을 구현하였다.

Keywords

JKOHBZ_2018_v8n6_209_f0001.png 이미지

Fig. 1. CVE-2017-5754 Detail

JKOHBZ_2018_v8n6_209_f0002.png 이미지

Fig. 2. Intel, AMD CPU Interrupt rollback point

JKOHBZ_2018_v8n6_209_f0003.png 이미지

Fig. 3. Meltdown Attack Flowchart

JKOHBZ_2018_v8n6_209_f0004.png 이미지

Fig. 4. Meltdown attack Assembly language(x86)

JKOHBZ_2018_v8n6_209_f0005.png 이미지

Fig. 5. cache Locality of reference

JKOHBZ_2018_v8n6_209_f0006.png 이미지

Fig. 6. Physical Memory and Virtual Memory

JKOHBZ_2018_v8n6_209_f0007.png 이미지

Fig. 7. x86_64 linux kernel map

JKOHBZ_2018_v8n6_209_f0008.png 이미지

Fig. 8. page fault handler

JKOHBZ_2018_v8n6_209_f0009.png 이미지

Fig. 9. Page Fault Handler

JKOHBZ_2018_v8n6_209_f0010.png 이미지

Fig. 10. open_process.py

JKOHBZ_2018_v8n6_209_f0011.png 이미지

Fig. 11. Meltdown Attack Detection Result

JKOHBZ_2018_v8n6_209_f0012.png 이미지

Fig. 12. filter_addr.py

JKOHBZ_2018_v8n6_209_f0013.png 이미지

Fig. 13. Meltdown attack detection with decision tree

Table 1. Threshold value variation with load

JKOHBZ_2018_v8n6_209_t0001.png 이미지

Table 2. Signature vs Heuristic vs Decision Tree

JKOHBZ_2018_v8n6_209_t0002.png 이미지

References

  1. M. Lipp. et al. (2018). "Meltdown: Reading Kernel Memory from User Space. https://meltdownattack.com/meltdown.pdf.
  2. CVE-2017-5754 Detail, NIST (2017). https://nvd.nist.gov/vuln/detail/CVE-2017-5754.
  3. paboldin. (2018). meltdown-exploit. github. https://github.com/paboldin/meltdown-exploit.
  4. Timing attack, WIKIPEDIA. (2018). https://en.wikipedia.org/wiki/Timing_attack.
  5. S. J. Paek & J. M. Choi. (2015). Linux Kernel Internal, ArtStudio Book.
  6. Recommendation for countermeasures against OpenSSL vulnerability (HeartBleed). KrCert, https://www.krcert.or.kr/data/secNoticeView.do?bulletin_writing_sequence=20884.
  7. Decision tree learning, WIKIPEDIA. (2018).https://en.wikipedia.org/wiki/Decision_tree_learning.
  8. I. Erez, M. Daniel, A. Yoav, G. Aviv & O. Ben. (2018). Detection of the Meltdown and Spectre Vulnerability. Check Point Research. https://research.checkpoint.com/detection-meltdown-spectre-vulnerabilities-using-checkpoint-cpu-level-technology/
  9. Code Pierce. (2018). Detecting Spectre and Meltdown Using Hardware Performance Counters. ENDGAME Online Website (Our Blog). https://www.endgame.com/blog/technical-blog/detecting-spectre-and-meltdown-using-hardware-performance-counters
  10. S. Hong & Y. J. Seo. (2016). Countermeasure of Sniffing Attack: Survey. Journal of Convergence Society for SMB, 6(2), 31-36. DOI : 10.22156/CS4SMB.2016.6.2.031
  11. H. J. Mun, S. H. Choi & Y. C. Hwang. (2016). Effective Countermeasure to APT Attacks using Big Data. Journal of Convergence Society for SMB, 6(1), 17-23. DOI : 10.22156/CS4SMB.2016.6.1.017
  12. M. S. Gu1 & Y. Z. Li. (2015). A Study of Countermeasures for Advanced Persistent Threats attacks by malicious code. Journal of Convergence Society for SMB, 5(4), 37-42.