Protecting the Computer from Ring 0 – A New Concept in Improving Incident ResponseReturn to TOC presented at FIRST 2014

by Mariko Miya, Kouichi Miyashita,

Summary : We are introducing a new concept of technology developed from a completely different point of view, with a focus on computer mechanism. This presentation is about discussing this new concept and how this can be advantageous to incident response in the future.
In general, the CPU processes so that application programs do not affect programs that are necessary for continuing the operation of the computer, giving privileges to each application program.
The relationship between Rings (Privilege Levels) and Software (including malware) is as follows:
The operation level of the CPU consists of 4 levels with Ring 0 as the top with most privileges and Ring 3 as the lowest. Ring 1 and Ring 2 are not normally used, and 2 levels: Ring 0 and Ring 3 are only actually used.
Ring 3 – Application and some parts of the OS software (API). Least privileged (least trusted with the highest ring number)
Ring 0 – CPU and Kernel. Most privileged (most trusted), can operate all hardware including CPU, HDD, memory etc.
Malware (=software), also has 2 privilege levels in the ring theory (malware executed as Ring 3, and malware executed as Ring 0)
Malware aims to exploit privilege of Ring 0, which enables the malware to freely manipulate all hardware (CPU, HDD, memory etc.) and can deface anti-virus software (that operate at Ring 0) that have the same privilege, in order to operate safely and reliably in the computer.
[About ‘Full’ and ‘Zig’]
Currently, there are 3 product concepts: ‘Full’, ‘Zig’, and ‘Full VX-t’.
‘Full’ keeps the most privileged Ring 0 while launching before the OS. This creates a 3 level structure Ring 0 (FULL), Ring 2 (CPU), Ring 3 (APP) using Ring Protection, and controls all software (including malware) so that it does not become raised to Ring 0.
How does this technology work?
‘Full’ launches first by rewriting the MBR (Master Boot Record). Then, the OS launches under FULL admin. When launched, it maintains a protective environment and handles areas where Ring level raise occurs.
‘Zig’ launches as a driver on the OS. It launches as a part of the OS (Kernel Driver) in the 2 levels: Ring 0 (OS) and Ring 3 (APP), and controls software (including malware) that operate in Ring 3 so that it does not move up to Ring 0.
-- ‘Zig’ has some functions of FULL with increased OS dependency and versatility.
As for malware operating in Ring 3, FULL and ZIG monitors API operating in Kernel mode (over 4000) and process information in real-time, then stops unspecified processes (including malware) under certain processing conditions such as launch program path, written path, privilege given by OS (Tokens), etc.
-- Proxy CPU command used in API “syscall / sysenter” (move Ring 3 to Ring 0) using FULL/ZIG logic. It grasps all intentions of Kernel use from Ring3.
Malware in the BIOS and MBR level with FULL, by looking at the boot log (when there is an abnormality, FULL does not launch successfully)
[About ‘Full VT ver.’]
By using a hardware-assisted mechanism typified by Intel VT-x, we were able to expand compatibility (supported platforms) by taking out OS dependency and still maintain and provide similar functions as FULL.
In addition, by making the built environment CPU supported, it enabled complete virtualization, which is expected to improve performance with more flexible and in-depth protection and hardware support.
1. Usage as a Monitoring Tool
Extracts logs of hardware exploits by Ring 0 viruses and malfunctions from Ring 3 viruses involving API (Kernel mode), and also detects BIOS and MBR abnormalities.
2. Usage as a Tool for Protection
Protects the computer from malfunctions from Ring0 viruses, Ring 3 viruses involving API (Kernel mode), and BIOS level viruses
Examples of use:
- Protecting from targeted attacks etc. where it involves making the user download malware from the internet or with email attachments
- Protecting from attacks that try to take the pc’s administrator privileges by exploiting vulnerabilities in MS Office products etc.
- Protecting from information leakage or attacks that send information externally by exploiting vulnerabilities in Adobe products etc.
- There is no need to analyze or create patterns of attacks
- There is no need to create a special engine for detection
- Can operate fully on-premise
- There is a possibility that normal process that are not directly recognized by the user (ex. automatic updates, etc.) do not work
- When a user uses the pc in a way the administrator does not assume, the unexpected parts will not work
[Outlook for the future]
We are currently conducting research and development on implementing “function to monitor program operation by grasping process of API,”which would make possible monitoring file I/0, communication data, communication destination etc. Unlike the conventional API hooks, this is a mechanism for covering all API, so it would be possible to monitor and forbid behavior in applications that were difficult to see in software that existed thus far.
Not to mention computer protection, we are further looking for possible use as a malware analysis tool, then by using this as a base technology, implementation of a new protection platform covering the entire system and network would be possible in the coming future.
So by going “back to the ‘root’ of computer structure”…
How can this support us in incident response?
[Advantages to Incident Response]
- The basics of incident response are [Detect -> Triage -> Respond] but it is necessary to analyze techniques and mechanisms of the attack in advance in order to make this work.
- This technology does not involve understanding the mechanisms of the attack, so the response flow would become [Protect/Detect -> Awareness -> Readjustment]. While the technology denies malware operation, responders would need to improve parts that interfere with its operation.