System Support for Rapid Recovery and Attack Resistance
A Seminar by Todd Deshane
Advisor: Jeanna Matthews
Overview
- Motivation of Technology
- Demo
- Motivation for This Work
- Goals
- Background
- Prototype Architecture
- Evaluation of Prototype
- Plan of Work
Terminology
- Virtual Machine Monitor (VMM)
  - Also known as: hypervisor
  - Thin software layer between the hardware and "guest" operating system
  - First to the hardware
  - Examples of VMMs: VMware, Xen, Parallels, z/VM, MS Viridian, QEMU, KVM, ...
VMM with a Picture
VMM in "real life" - Demo
- Xen running Windows and Linux guests
Virtualization Predictions
- 9 of 10 enterprises will have virtualization by 2007 - Yankee Group (August 2007)
- Physical servers growth near zero within 2012 - Bernstein (August 2007)
- Over 50% physical servers will be virtualized in 2011 - IDC (July 2007)
- Virtualization services market to reach $11.7 billion by 2011 - IDC (July 2007)
- Server market to hardly grow over 2% annually through 2011 because of virtualization - IDC (July 2007)
Virtualization Predictions (cont.)
- 25% of enterprise data center servers to be virtual by 2010 - Intel (July 2007)
- A Microsoft hypervisor for Vista expected in mid-2009 - Gartner (July 2007)
- Virtualization will be part of nearly every aspect of IT by 2015 - Gartner (May 2007)
- 3 million virtual machines expected in 2009 - Gartner (May 2007)
Virtualization Predictions (cont. again)
- Virtualization and multicore will cost $2.4 billion in customer spending between 2006 and 2010 - IDC (March 2007)
- OS Virtualization to become mainstream by 2010 - Gartner (December 2006)
- Virtualization market to grow to $15 billion worldwide by 2009 - IDC (October 2006)
Our Work
- System support for attack resistance and rapid recovery
  - Virtual Machine Technology
  - Intrusion Detection System
  - Virtual Private File Server
Motivation
- Computers on the Internet are vulnerable
  - Even with latest updates and virus definitions
  - Zero-day exploits
- Malware effects
  - User data compromised
  - System controlled by attacker
- Restoration of system and user data
  - Time-consuming
  - Difficult for users
  - Not always possible (e.g. digital photos)
"New methods are being invented, new tricks, and every year it gets worse... We are losing the battle... Most companies don't know they have been attacked." - Bruce Schneier

"The average top executive doesn't understand security, but we have to change that... Security is an imperative. It's no longer just a good idea." - Allen Kerr

"Virus incidences had surged between 2003, when they detected just over 10,000, and 2006, when they found 80,000. Criminal activity accounted for most of that increase." - Kaspersky Labs
"Very sophisticated tools are commercially available in black markets... This has made [the Internet] more attractive for organized crime: [criminals] no longer have to be geeks." - James Lewis

"Although security awareness continues to improve, hackers and malicious code authors are releasing threats faster than ever before, with approximately 200 per cent more malicious threats per day than two years ago." - Stuart McClure

"Over one third [of IT Companies] hit by a denial-of-service attack while over 44 percent had experienced either a pharming or cache poisoning attack." - Recent Secure64 Survey
Goals
- Provide attack resistance and rapid recovery from exploits
- Isolate and protect user data from attacks
- Provide automatic and user-triggered checkpoints of system/application state
- Safe testing of system and application updates
- Facilitate forensic analysis
Background: Security
- Early Internet based on openness/trust
- First documented Internet worm - 1988
- Malware: large-scale problem - late 1990s
- Criminal malware networks (botnets)
  - DDoS, digital blackmail, account/credit info
- Attack defenses
  - Antivirus software
  - Firewalls
  - Intrusion detection systems
Background: Virtualization
- Virtual Machine Monitor
  - Pioneered by IBM
  - Software/hardware co-evolution
- Intel VT-x and AMD-V
  - Software/hardware co-evolution (again)
  - Next generation virtualization hardware
- Xen hypervisor (VMM)
  - Paravirtual guests (e.g. Linux, *BSD)
  - HVM guests (e.g. Microsoft Windows)
Background: Virtualization+Security
- VMs used as sandboxes
- VMs can be monitored from below
- System security and fault tolerance
  - Replicate system state to a backup VM
  - Secure logging and replay
  - Backtracking intrusions
  - Safe testing/integration of untrusted code
  - Protection against rootkits
Background: System Reset Facilities
- DeepFreeze: restore to trusted checkpoint on each boot
- Windows System Restore: keep checkpoints of system state for rollback
- Both of these lack:
  - User data protection/rollback
  - Attack prevention/detection
Prototype Architecture
Benefits of Prototype
- Intrusion detection and attack prevention
- Protection of user data
- Checkpoint and restart of virtual machine appliances
- Rapid first time installation
- Model for software distribution
- Complement and enhance backups
Evaluation of Prototype
- Resistance/protection against attacks
  - Categorize attacks
  - Defense strategies against attacks
- Performance overhead
  - Overhead of virtualization technology
  - Overhead of file system virtual machine
Evaluation of Prototype: Attacks
- Backdoor attacks initiate and listen for connections to send and receive data
- Attacks that copy infected executables to shared folders or attempt to destroy data
- Attacks that harvest email addresses and other personal data
- Attacks that exploit vulnerability in specific server software
Evaluation of Prototype: Defenses
- Block unused ports
- Detect unexpected behavior and rollback to trusted image
- Restrictions on read, write, and/or append access to personal data
- Detect unexpected behavior and rollback to trusted image
Evaluation of Prototype: Performance
Plan of Work
- Construction and integration of a separate NET-VM component
- Tight integration of NET-VM and FS-VM into virtual machine support layer of Xen
- A comprehensive virtual machine appliance contract system
- Evaluation of system
  - Performance
  - Functionality
Plan: Construct and Integrate NET-VM
- Network Intrusion Detection System (Snort)
- Firewall (iptables)
- Xen driver domain
Plan: Modified Architecture
Plan: Comprehensive Contract System
- Virtual machine appliance contracts
  - Specify the behavior of appliances
    - Network access
    - File system access
  - Use existing NIDS and firewall rules
- Build upon existing Xen configuration file
  - Add file system and network rule support
Plan: Evaluation of Modified System
- Performance
  - I/O: read, write
  - Network: send, receive
  - CPU overhead
- Functionality
  - Resistance to attack
  - Recovery from attack
  - Construct virtual machine appliances
Related Projects at Clarkson
- Log-Structured File System for FS-VM
  - Enable rollback of writes with LFS
- Tools for forensic analysis
  - Capture/export compromised VM
  - Recommend defense strategies
- Isolation Testing of Virtualization Systems
- Power Testing of Virtualization Systems
  - Recommend/improve power-friendly VMMs
Questions/Comments?
Backup Slides
Evaluation of Prototype: Attacks
- Category/Behavior: Backdoor attacks initiate and listen for connections to send and receive data
- Examples: W32.MyDoom, W32.Bagel
- Defenses:
  - Block unused ports
  - Detect unexpected behavior and rollback to trusted image
Evaluation of Prototype: Attacks
- Category/Behavior: Attacks that copy infected executables to shared folders or attempt to destroy data
- Examples: W32.Netsky, W32.Netad
- Defenses:
  - Restrictions on write access to personal data
  - Detect unexpected behavior and rollback to trusted image
Evaluation of Prototype: Attacks
- Category/Behavior: Attacks that harvest email addresses and other personal data
- Examples: W32.Zafi.D, PWSteal.Ldpinch.E
- Defenses:
  - Restrictions on read access to personal data
  - Detect unexpected behavior and rollback to trusted image
Evaluation of Prototype: Attacks
- Category/Behavior: Attacks that exploit vulnerability in specific server software
- Examples: MySQL UDF, Blaster, Slammer
- Defenses:
  - Block unused ports (if not running the server software)
  - Detect unexpected behavior and rollback to trusted image (if running the server software)
Plan: Xen Support for NET-VM/FS-VM
- NET-VM already possible (driver domain)
- FS-VM granted file system access/control
- Xen communicates rules to NET-VM and FS-VM when new domain created
- NET-VM and FS-VM detect violations
- Violations enforced/communicated to Xen
- Appropriate actions taken by Xen
  - Shutdown/restart/restore guest, notify user, prepare guest for forensic analysis, etc.
Plan: File System Rule Language

    # Example file system rule set for an email client.
    # A Xen configuration file is Python, so the rules are collected in one
    # list: repeated assignments to fs_rule would overwrite one another.
    fs_rule = [
        'id=1, read, 1024, 5',     # read at most 1024 bytes of data in 5 seconds
        'id=2, append, 1024, 3',   # append at most 1024 bytes of data in 3 seconds
        'id=3, write, 320, 3',     # write at most 320 bytes in 3 seconds
    ]
    disk = [
        # The email mount point is accessible to the email client, and fs_rules
        # with id=1 and id=2 are applied.
        'fsvm:/mnt/email, /home/user/mail,fs_rule=1:2',
        # The attachments mount point is accessible to the email client, and
        # fs_rules with id=1 and id=3 are applied.
        'fsvm:/mnt/email, /home/user/attachments,fs_rule=1:3',
    ]
Plan: Network Rule Language

    # Email client example continued
    network_rule = [
        'id=1, iptables, file=/etc/iptables/email_client',
        'id=2, snort, file=/etc/snort/rules/email_client',
    ]
    vif = [ 'rate=2Mb/s, network_rule=1:2' ]
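The file system rule language and the violation flow from the "Xen Support for NET-VM/FS-VM" slide leave open how the FS-VM would actually account for the byte limits and decide that a contract was broken. The following is an added illustration, not code from the seminar or from Xen: it parses the fs_rule and disk entries in the syntax shown on the slides, enforces each rule as a sliding window (at most max_bytes of an operation on a mount point within any window of the given length), treats an operation the contract does not grant at all (for example a write to the mail folder, the Netsky-style case) or a path the contract does not export as a violation, and maps any violation to the hypervisor action. The FsContract class, the window semantics, the violation message format and the choice of "restore guest from trusted image" as the response are all assumptions made for this example.

```python
"""Parser and sliding-window enforcer for the proposed FS-VM rule language.

Added example; the class names and window semantics are assumptions, only the
rule syntax ('id=N, <op>, <max_bytes>, <seconds>' and
'fsvm:<export>, <mount>,fs_rule=1:2') comes from the slides.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

OPS = ('read', 'write', 'append')

# Constructed sample: the email client contract from the slides.
EMAIL_FS_RULES = ['id=1, read, 1024, 5', 'id=2, append, 1024, 3', 'id=3, write, 320, 3']
EMAIL_DISKS = ['fsvm:/mnt/email, /home/user/mail,fs_rule=1:2',
               'fsvm:/mnt/email, /home/user/attachments,fs_rule=1:3']


@dataclass(frozen=True)
class FsRule:
    rule_id: int
    op: str          # one of OPS
    max_bytes: int   # byte budget per window
    seconds: float   # window length


@dataclass(frozen=True)
class Mount:
    export: str      # FS-VM side export, e.g. 'fsvm:/mnt/email'
    path: str        # guest-visible mount point
    rule_ids: tuple  # fs_rule ids bound to this mount


def parse_fs_rule(spec):
    """'id=1, read, 1024, 5' -> FsRule(1, 'read', 1024, 5.0); rejects malformed input."""
    fields = [f.strip() for f in spec.split(',')]
    if len(fields) != 4 or not fields[0].startswith('id='):
        raise ValueError(f'malformed fs_rule: {spec!r}')
    if fields[1] not in OPS:
        raise ValueError(f'unknown operation {fields[1]!r} in {spec!r}')
    return FsRule(int(fields[0][3:]), fields[1], int(fields[2]), float(fields[3]))


def parse_disk(spec):
    """'fsvm:/mnt/email, /home/user/mail,fs_rule=1:2' -> Mount(...)."""
    fields = [f.strip() for f in spec.split(',')]
    if len(fields) != 3 or not fields[2].startswith('fs_rule='):
        raise ValueError(f'malformed disk entry: {spec!r}')
    ids = tuple(int(i) for i in fields[2][len('fs_rule='):].split(':'))
    return Mount(fields[0], fields[1], ids)


class FsContract:
    """Per-mount, per-rule sliding-window byte accounting (assumed semantics)."""

    def __init__(self, fs_rule, disk):
        self.rules = {r.rule_id: r for r in map(parse_fs_rule, fs_rule)}
        self.mounts = {}
        for m in map(parse_disk, disk):
            unknown = [i for i in m.rule_ids if i not in self.rules]
            if unknown:  # a dangling rule id is a configuration error, fail closed
                raise ValueError(f'{m.path}: references unknown fs_rule ids {unknown}')
            self.mounts[m.path] = m
        # (mount path, rule id) -> deque of (timestamp, nbytes) inside the window
        self.history = defaultdict(deque)

    def record(self, path, op, nbytes, now):
        """Account one request; return the list of violations (empty means allowed)."""
        mount = self.mounts.get(path)
        if mount is None:
            return [f'{path}: not exported to this appliance']
        applicable = [self.rules[i] for i in mount.rule_ids if self.rules[i].op == op]
        if not applicable:  # operation never granted on this mount
            return [f'{path}: {op} not permitted by contract']
        violations = []
        for rule in applicable:
            window = self.history[(path, rule.rule_id)]
            window.append((now, nbytes))
            while window and window[0][0] <= now - rule.seconds:
                window.popleft()  # drop requests that fell out of the window
            total = sum(n for _, n in window)
            if total > rule.max_bytes:
                violations.append(f'rule {rule.rule_id}: {total} bytes {op} within '
                                  f'{rule.seconds:g}s exceeds {rule.max_bytes}')
        return violations


def hypervisor_action(violations):
    """Response Xen would take on a reported violation (assumed: restore the guest)."""
    return 'restore guest from trusted image' if violations else 'allow'


if __name__ == '__main__':
    contract = FsContract(EMAIL_FS_RULES, EMAIL_DISKS)
    for t in (0.0, 1.0, 2.0):  # third 512-byte read pushes the 5 s window over 1024
        print(t, contract.record('/home/user/mail', 'read', 512, t))
    v = contract.record('/home/user/mail', 'write', 10, 3.0)
    print(v, '->', hypervisor_action(v))
```

The window is evicted before the total is compared, so a burst that ends and then resumes after the window length is allowed again; only sustained or excessive access trips the rule. A real FS-VM would also need to decide whether a violating request is denied in place or completed before the guest is restored, which the slides leave to Xen.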
Questions/Comments?

Ece seminar 20070927