Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Virtual Machine Introspection - Future of the Cloud

In this presentation I'm talking about feature of VMI technology that are vital for malware analysis, intrusion detection and attack prevention in virtualized environment. This presentation is part of my Ph.D. work and contain summary of VMI state in 2013.

  • Login to see the comments

Virtual Machine Introspection - Future of the Cloud

  1. 1. Virtual Machine Introspectio n Future of Cloud Security by Nazar Tymoshyk, Ph.D., CEH, OWASP Lviv Chapter lead, Ukr UISGCON9’13
  2. 2. TODAY Connection to the Cloud means connection to some servers located in datacenter somewhere in the world
  3. 3. IaaS and Security Benefits: • Cost reduction • Flexibility • Scalability • Pay-per-use • Hardware • Utilization • Isolation Cloud - means environment on demand. Cloud could be Private, Public or Hybrid. Most commonly used type of Cloud is Infrastructure as a Service (IaaS). IaaS – is a Operating System with some computing resources on demand. Security for IaaS has same issues as any other network and server infrastructure located in Datacenter.
  4. 4. Environment on Demand? Security applications benefit from virtualization by running in isolated virtual machines (VMs) and building smaller trusted computing bases (TCBs). VDI A sandbox is an execution environment that can restrict access to resources A VM is a heavy-weight sandbox that supports execution of entire operating systems Isolation – guest code cannot read/write outside of the VM Inspection – VMM can examine entire state of the guest system (memory, devices, etc) Interposition – VMM can interrupt guest code at any time
  5. 5. SDN challenge Today SDN if future for Private/Public/Hybrid Cloud. Firewall/IDS sees/protects physical security is “Blind” to all traffic between Servers Traffic between Virtual Machines • Isolation is no longer physical but logical. • Isolation is less precise. • Security guarantees are weaker. Challenge: mapping existing network security components to new cloud architectures.
  6. 6. «Hey You! Get Off My Cloud» Attack • Identify potential targets Map the Cloud • Check if two VMs are co-located on same physical server Determine co-residence • Co-locate attacker VM with target Send probe VM • Extract information, perform DoS Use VM side- channel
  7. 7. Which Hypervisor used by cloud providers? IaaS provider Hypervizor : Amazon, Linode, Rackspace, GoGrid Xen/Citrix Xen Google Compute Engine, Openstack (For private cloud), Rackspace, IBM KVM Azure Hyper-V Bluelock, CSC, VmWare vCloud,, CloudStack, VmWare What is common for all these hypervisors? Father of them was – Qemu emulator  Source:
  9. 9. Key threads for servers in cloud Isolation break-out Blue pill Access Keys leakag e Unavailability OWASP 10 Cloud Risks Vulnerable and old software: Compromised 0-day vulnerability Rootkits / Virus Cloud Security Alliance Top Threats
  10. 10. Nice sample of Cloud threat What about Worm for Windows based cloud servers that use RDP vulnerability? How to recover all VMs in cloud and centrally remove that malware?
  11. 11. Transparency challenge Prove security hygiene of provider infrastructure to third parties. Auditability, certification process, risk analysis methodologies, compliance. Trusted cloud computing technologies provide cryptographic evidence.
  12. 12. What White-Hats doing to catch malware? To monitor/register activity inside operating system most White Hats and researcher use honeypots or production system with different kinds of agents, installed inside OS – key-loggers, spyware, rootkits. KNOW YOUR ENEMY Honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Research honeypots are run to gather information about the motives and tactics of the Black- hat community targeting different networks.
  13. 13. Malware Detection Current approach fundamentally flawed: • Malware running in the same system space with anti-malware software at the same privileged level • No clear winner in the arms race between them
  14. 14. Current approach Agent based monitoring and protection: The problem is that all this agents could be detected by user/malefactor and be subverted, and/or disabled by the attacker Main problem of any monitoring system is - Stealthy and Tamper resistanse Kaspersky Enterprise agent, Microsoft Forefront, Ziften
  15. 15. VMI Security – why? 1. Central processing of security functions is more efficient than distributing security controls and related overhead to each VM 2. No host agents required – guaranteeing security for all VMs regardless of operating system type and patch level, and with no impact to applications running inside the VMs. 3. Tamper-proof security. Host-agents are subject to getting compromised by the very malware they aim to thwart (e.g., Conficker turning off A/V). By contrast, hypervisor-based security resides outside the guest-VM, and is thus tamper-proof to any malware
  16. 16. Out of the box VM management The monitoring of virtual machines has many applications in areas such as security and systems management
  18. 18. What VMI is? X-ray view of all VM states, including installed applications, operating systems, and patch levels. Could be used for Detection, Protection and Management, compliance and automated security enforcement. VMI use the capabilities of the hypervisor to supervise VM behavior.
  19. 19. 2017 – VMI will become production standard 2013 – Juniper/Arbor present new product on RSA Conference based on VmWare VmSafe API 2010 – prototype on Honeynet by Chengyu Song 2009 – prototype done by Nazar Tymoshyk 2007 – xenaccess initiated and transformed to LibVMI 2006 – first prototype by Xiang Yang VMScope 2003 – initial research by T. Garnkel and M. VMI prototypes
  20. 20. VMI architecture x86 Paravirtualisation: The guest OS is modified to better cooperate with the hypervisor. + Sensitive non-privileged instructions are replaced by hypercalls. - Only a limited number of paravirtualized drivers are needed. Not compatible with proprietary kernels. Binary translation: The VMM converts “problem” instructions in smoother binary code. + Compatible with most guest OSes. Does not require specific hardware support. - Requires many optimizations to be efficient. Hardware-assisted virtualization: The hardware facilitates virtualization with specific instructions (e.g., Intel VT-x). + The guest OS runs transparently without modifications. Allows to run OS which cannot be paravirtualized. Security is also enhanced. - Hardware context switching might be
  21. 21. What can be monitored • All user input • Content • Storage/File system • Traffic • Access • MEMORY • Rootkits • Malware on FS • Integrity
  22. 22. Implementation problems - x86 Step 1: Procuring low-level VM states and events Disk blocks, memory pages, registers… Traps, interrupts… Step 2: Reconstructing high-level semantic view Files, directories, processes, and kernel modules… System calls, context switches… Semantic problem: the data accessed through introspection are raw data.
  24. 24. What security features it offers? VM Antivirus control Malware analysis Cloud SIEM VM IPS/IDS VM Forcing Policies VM Honeypot Cloud Firewall VM Patch management Invisible system logging Rootkit prevention
  25. 25. VMI for Cloud management Automated VM compliance assessment based on multiple VM attributes; Quarantine of non- compliant VMs to eliminate administrative errors and reduce risk. Automated security classification and enforcement for new or cloned VMs
  26. 26. MEMORY analysis Registry keys Unpacked malware Access keys Processes Software binary stop unauthorized services from running and prevent zero day attacks against unpatched or vulnerable systems Open sockets
  27. 27. Network introspection • monitors real-time network and user activity in a virtual environment • detecting policy violations such as the use of unauthorized applications on non-standard ports or unpermitted access to a critical host • vm-bridge filter all traffic from and between VMs • ebtables used for firewalling
  28. 28. Program Integrity Detection • Periodically hashes the unchanging sections of each running program • Compares the hashes to known-good hashes • Signature Detector • Periodically scan guest memory for known-bad signatures • Sometimes detects malware in unexpected places, like the filesystem cache
  29. 29. Malware analysis based on syscall tree
  30. 30. Fighting Rootkits NICKLE/QEMU+KQEMU foils the SucKIT rootkit (guest OS: RedHat 8.0) Source: Riley-GuestTransparent.pdf&ei=7VZAUojzAoePswai-ICIDg&usg=AFQjCNGbkvobIvIx6PAJiDjrw70Lbb0HOA&sig2=TnTSklrH5N8xieh6QUlFYw&bvm=bv.52434380,d.d2k
  31. 31. NOW TIME FOR …. DEMO
  32. 32. VMScope prototype Source:
  33. 33. External Scanning Result Internal Scanning Result Diff Source:
  34. 34. Qebek – Sebek rootkit with VMI Currently sbk_dialog supports three types of syscall: they are sys_open, sys_read and sys_socket. QEMU Guest OS Interception Module SVR Helper Routines Breakpoint System Introspection Module Output Module Qebek
  35. 35. VIX – Xen based VMI
  36. 36. Our prototype vEye We create prototype which open following opportunities: • New way to signature generation for Intrusion Detection Systems(IDS) • Malicious software reverse engineering through sys_calls monitoring • Low level software debugging • User activity monitoring outside OS (user is unable to disable monitoring) • Research user/malefactor behavior in Honeypots • Memory monitoring and control outside OS Virtual Machine Introspection with binary translation Allow to collect any action of virtualized OS with VMWare or Qemu from honeypots.
  37. 37. Catching system calls
  38. 38. Catching console activity
  39. 39. Our Monitoring console
  41. 41. Niche players
  42. 42. vShield Source:
  43. 43. VMSafe API VMsafe is an application programming interface to protect applications running in virtual machines. VMsafe applications can come in two forms. The first form is referred to as Fast Path and is composed of just a vmkernel driver that gets installed on the VMware vSphere ESX 4 host. Fast Path has many advantages but only so much really belongs in a driver, and the driver is often used to further transfer necessary information to a virtual appliance. The combination of virtual appliance and vmkernel driver composes the second form, which is known as the Slow Path. Source :
  44. 44. XenAccess=>LibV MI Source:
  45. 45. Juniper / Altor Source:
  46. 46. Juniper VMI for Datacenter security management - Vision
  47. 47. Juniper / Altor
  48. 48. Where is …?
  49. 49. Questions? Thank You! Copyright © 2013 Nazar Tymoshyk Thank you for attention! Nazar Tymoshyk Skype: root_nt Email: