Virtual Machine Introspection - Future of Cloud Security. Nazar Tymoshyk, Ph.D., CEH, OWASP Lviv Chapter lead, UISGCON9'13

Virtual Machine Introspection - Future of the Cloud


In this presentation I talk about the features of VMI technology that are vital for malware analysis, intrusion detection and attack prevention in virtualized environments. This presentation is part of my Ph.D. work and contains a summary of the state of VMI in 2013.


Page 1: Virtual Machine Introspection - Future of the Cloud

Virtual Machine

Introspection

Future of Cloud Security

by Nazar Tymoshyk, Ph.D., CEH, OWASP Lviv Chapter lead, Ukraine

UISGCON9’13

Page 2

TODAY: Connection to the Cloud means connection to some servers located in a datacenter somewhere in the world.

Page 3

IaaS and Security Benefits:
• Cost reduction
• Flexibility
• Scalability
• Pay-per-use
• Hardware utilization
• Isolation

Cloud means an environment on demand. A cloud can be Private, Public or Hybrid. The most commonly used type of cloud is Infrastructure as a Service (IaaS). IaaS is an operating system with some computing resources on demand. Security for IaaS has the same issues as any other network and server infrastructure located in a datacenter.

Page 4

Environment on Demand?

Security applications benefit from virtualization by running in isolated virtual machines (VMs) and building smaller trusted computing bases (TCBs).

VDI

A sandbox is an execution environment that can restrict access to resources. A VM is a heavy-weight sandbox that supports execution of entire operating systems.
• Isolation – guest code cannot read/write outside of the VM
• Inspection – the VMM can examine the entire state of the guest system (memory, devices, etc.)
• Interposition – the VMM can interrupt guest code at any time

Page 5

SDN challenge

Today SDN is the future for Private/Public/Hybrid Cloud. A physical firewall/IDS sees and protects physical links but is "blind" to all traffic between virtual machines on the same host.

Traffic between Virtual Machines:
• Isolation is no longer physical but logical.
• Isolation is less precise.
• Security guarantees are weaker.

Challenge: mapping existing network security components to new cloud architectures.

Page 6

«Hey You! Get Off My Cloud» Attack

• Map the Cloud
• Identify potential targets

Page 7

Which hypervisor is used by cloud providers?

IaaS provider: Hypervisor
Amazon, Linode, Rackspace, GoGrid: Xen / Citrix Xen
Google Compute Engine, OpenStack (for private cloud), Rackspace, IBM: KVM
Azure: Hyper-V
Bluelock, CSC, VMware vCloud, Cloud.com, CloudStack: VMware

What is common for all these hypervisors? Their forefather was the QEMU emulator.
Source: http://www.quora.com/What-are-the-hypervisors-used-by-big-IaaS-providers

Page 8

SOME PROBLEMS

Page 9

Key threats for servers in the cloud

• Isolation break-out
• Blue Pill (hypervisor rootkit)
• Access keys leakage
• Unavailability
• Vulnerable and old software: compromised
• 0-day vulnerability
• Rootkits / viruses

Cloud Security Alliance Top Threats: https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
OWASP Cloud Top 10 Risks: https://www.owasp.org/index.php/Category:OWASP_Cloud_%E2%80%90_10_Project

Page 10

Nice sample of a cloud threat

What about a worm for Windows-based cloud servers that uses an RDP vulnerability (MS12-020)?

How to recover all VMs in the cloud and centrally remove that malware?

http://thehackernews.com/2012/04/cloudworm-candidate-ms12-020-poc.html

Page 11

Transparency challenge

Prove security hygiene of provider infrastructure to third parties.

Auditability, certification process, risk analysis methodologies, compliance.

Trusted cloud computing technologies provide cryptographic evidence.

Page 12

What are White Hats doing to catch malware?

To monitor and record activity inside an operating system, most White Hats and researchers use honeypots or production systems with different kinds of agents installed inside the OS: key-loggers, spyware, rootkits.

KNOW YOUR ENEMY

A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Research honeypots are run to gather information about the motives and tactics of the Black-hat community targeting different networks.

Page 13

Malware Detection

The current approach is fundamentally flawed:
• Malware runs in the same system space as the anti-malware software, at the same privilege level
• No clear winner in the arms race between them

Page 14

Current approach

Agent-based monitoring and protection: the problem is that all these agents can be detected by the user/malefactor and be subverted and/or disabled by the attacker.

The main problems of any monitoring system are stealthiness and tamper resistance.

Examples: Kaspersky Enterprise agent, Microsoft Forefront, Ziften

Page 15

VMI Security – why?

1. Central processing of security functions is more efficient than distributing security controls and related overhead to each VM.

2. No host agents required – guaranteeing security for all VMs regardless of operating system type and patch level, and with no impact on applications running inside the VMs.

3. Tamper-proof security. Host agents are subject to getting compromised by the very malware they aim to thwart (e.g., Conficker turning off A/V).

By contrast, hypervisor-based security resides outside the guest VM, and is thus tamper-proof against any malware infection inside a VM, as long as the malware does not break out of the VM (see "Isolation break-out" above).

Page 16

Out-of-the-box VM management

The monitoring of virtual machines has many applications in areas such as security and systems management.

Page 17

VIRTUAL MACHINE INTROSPECTION TECHNOLOGY

Page 18

What is VMI?

An X-ray view of all VM state, including installed applications, operating systems, and patch levels. It can be used for detection, protection and management, compliance and automated security enforcement. VMI uses the capabilities of the hypervisor to supervise VM behavior.

Page 19

VMI prototypes

2003 – initial research by T. Garfinkel and M. Rosenblum, NDSS conference
2006 – first prototype by Xiang Yang, VMScope
2007 – XenAccess initiated, later transformed into LibVMI
2009 – prototype done by Nazar Tymoshyk
2010 – prototype on Honeynet by Chengyu Song
2013 – Juniper/Arbor present a new product at the RSA Conference based on the VMware VMsafe API
2017 – VMI will become a production standard (prediction)

Page 20

VMI architecture x86

Paravirtualisation: The guest OS is modified to better cooperate with the hypervisor.
+ Sensitive non-privileged instructions are replaced by hypercalls. Only a limited number of paravirtualized drivers are needed.
- Not compatible with proprietary kernels.

Binary translation: The VMM converts "problem" instructions into smoother binary code.
+ Compatible with most guest OSes. Does not require specific hardware support.
- Requires many optimizations to be efficient.

Hardware-assisted virtualization: The hardware facilitates virtualization with specific instructions (e.g., Intel VT-x).
+ The guest OS runs transparently without modifications. Allows running an OS which cannot be paravirtualized. Security is also enhanced.
- Hardware context switching might be costly. Implementation may also be difficult.

Page 21

What can be monitored

• All user input

• Content

• Storage/File system

• Traffic

• Access

• MEMORY

• Rootkits

• Malware on FS

• Integrity

Page 22

Implementation problems - x86

Step 1: Procuring low-level VM state and events: disk blocks, memory pages, registers… traps, interrupts…

Step 2: Reconstructing a high-level semantic view: files, directories, processes, and kernel modules… system calls, context switches…

Semantic gap problem: the data accessed through introspection are raw data; the introspection tool must know the guest's data structure layouts (kernel version, field offsets) to interpret them.
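Bridging the semantic gap, as an added example that is not part of the original slides or the author's prototype: a Python script that walks a constructed raw guest memory image using a hypothetical profile of field offsets (tasks_next, pid, comm; real tools take these from the guest kernel's debug symbols, so the numbers here are an assumption), rebuilds the process list from the kernel's linked list, and then carves task-like structures from all of memory to find one that a DKOM rootkit unlinked. The memory image, structure layout and process names are constructed for the example.

```python
import struct
from typing import List, Tuple

# Hypothetical "profile" of the guest kernel's task structure: the field offsets an
# introspection tool needs. Real tools derive these from the guest kernel's debug
# symbols (LibVMI config, Volatility vtypes); these numbers are an assumption.
PROFILE = {"tasks_next": 0x00,   # 8-byte pointer to the next task in the circular list
           "pid": 0x08,          # 4-byte PID
           "comm": 0x0c}         # 16-byte NUL-padded process name
TASK_SIZE = 0x20                 # assumed size/alignment of one task structure
TASK_BASE = 0x1000               # where the constructed image places its task structures
IMAGE_SIZE = 0x4000              # constructed guest "physical" memory


class GuestMemory:
    """Read-only flat view of guest physical memory, as a VMI library would expose it."""
    def __init__(self, image: bytes):
        self.image = image

    def read(self, paddr: int, size: int) -> bytes:
        if paddr < 0 or paddr + size > len(self.image):
            raise ValueError(f"read outside guest memory: {paddr:#x}+{size}")
        return self.image[paddr:paddr + size]

    def read_u32(self, paddr: int) -> int:
        return struct.unpack("<I", self.read(paddr, 4))[0]

    def read_u64(self, paddr: int) -> int:
        return struct.unpack("<Q", self.read(paddr, 8))[0]


def build_guest_image(linked: List[Tuple[int, str]], hidden: List[Tuple[int, str]] = ()) -> Tuple[bytes, int]:
    """Constructed guest memory: task structures back to back at TASK_BASE.
    Tasks in `linked` form the kernel's circular task list; tasks in `hidden`
    are present in memory but unlinked, as a DKOM rootkit leaves them."""
    image = bytearray(IMAGE_SIZE)
    tasks = list(linked) + list(hidden)
    addr_of = [TASK_BASE + i * TASK_SIZE for i in range(len(tasks))]
    for i, (pid, comm) in enumerate(tasks):
        nxt = addr_of[(i + 1) % len(linked)] if i < len(linked) else addr_of[i]
        a = addr_of[i]
        struct.pack_into("<Q", image, a + PROFILE["tasks_next"], nxt)
        struct.pack_into("<I", image, a + PROFILE["pid"], pid)
        image[a + PROFILE["comm"]:a + PROFILE["comm"] + 16] = comm.encode("ascii").ljust(16, b"\0")
    return bytes(image), addr_of[0]


def read_task(mem: GuestMemory, addr: int) -> Tuple[int, str, int]:
    """Step 2 of the slide: raw bytes -> (pid, comm, next pointer) using the profile."""
    pid = mem.read_u32(addr + PROFILE["pid"])
    comm = mem.read(addr + PROFILE["comm"], 16).split(b"\0", 1)[0].decode("ascii", "replace")
    nxt = mem.read_u64(addr + PROFILE["tasks_next"])
    return pid, comm, nxt


def walk_task_list(mem: GuestMemory, init_task: int, limit: int = 4096) -> List[Tuple[int, str]]:
    """The in-guest view: follow the kernel's task list from init_task. The `seen` set and
    `limit` guard against a hostile guest that forges a cycle or an endless chain."""
    seen, tasks, addr = set(), [], init_task
    while addr not in seen:
        seen.add(addr)
        pid, comm, nxt = read_task(mem, addr)
        tasks.append((pid, comm))
        if len(tasks) > limit:
            raise RuntimeError("task list does not close: corrupt or hostile guest memory")
        addr = nxt
    return tasks


def scan_for_tasks(mem: GuestMemory) -> List[Tuple[int, str]]:
    """The out-of-guest view: carve every plausible task structure from memory,
    trusting no kernel pointer. Assumes tasks are TASK_SIZE-aligned."""
    found = []
    for addr in range(0, len(mem.image) - TASK_SIZE + 1, TASK_SIZE):
        pid, comm, nxt = read_task(mem, addr)
        if not 0 <= pid < 65536:
            continue
        if not comm or not all(32 <= ord(c) < 127 for c in comm):
            continue
        if nxt % TASK_SIZE or not 0 <= nxt < len(mem.image):
            continue
        found.append((pid, comm))
    return found


def hidden_tasks(mem: GuestMemory, init_task: int) -> List[Tuple[int, str]]:
    """Cross-view diff: anything carved from memory but absent from the linked list is hidden."""
    return sorted(set(scan_for_tasks(mem)) - set(walk_task_list(mem, init_task)))


if __name__ == "__main__":
    image, init = build_guest_image(
        [(0, "swapper"), (1, "init"), (412, "sshd"), (977, "nginx")],
        hidden=[(31337, "suckit")])           # constructed: one process unlinked by a rootkit
    mem = GuestMemory(image)
    print("task list:", walk_task_list(mem, init))
    print("hidden   :", hidden_tasks(mem, init))
```

The walk reproduces what `ps` inside the guest would show; the scan is what only the hypervisor side can do, and the difference between the two views is the detection. A wrong profile (offsets from a different kernel build) silently produces garbage in both views, which is why production tools validate the profile against the running guest before trusting any result.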

Page 23

FEATURES OF VIRTUAL MACHINE INTROSPECTION

Page 24

What security features does it offer?

• VM Antivirus control
• Malware analysis
• Cloud SIEM
• VM IPS/IDS
• VM policy enforcement
• VM Honeypot
• Cloud Firewall
• VM patch management
• Invisible system logging
• Rootkit prevention

Page 25

VMI for Cloud management

• Automated VM compliance assessment based on multiple VM attributes
• Quarantine of non-compliant VMs to eliminate administrative errors and reduce risk
• Automated security classification and enforcement for new or cloned VMs

Page 26

MEMORY analysis

What can be recovered from guest memory:
• Processes
• Open sockets
• Registry keys
• Software binaries
• Unpacked malware
• Access keys

Goal: stop unauthorized services from running and prevent zero-day attacks against unpatched or vulnerable systems.

Page 27

Network introspection

• monitors real-time network and user activity in a virtual environment
• detects policy violations such as the use of unauthorized applications on non-standard ports or unpermitted access to a critical host
• the VM bridge filters all traffic from and between VMs
• ebtables is used for firewalling on the bridge
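Detection of the two policy violations named on this slide, as an added example rather than code from the slides: hypothetical listener records (the owning process of each listening port, as memory introspection would resolve it) and bridge-level flow records are checked against an assumed policy, and each offending VM is turned into an ebtables rule that drops its frames on the bridge. The VM names, MAC addresses, ports and policy are constructed; the script returns the ebtables commands as strings and does not run them.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Listener:
    """A listening socket seen by memory introspection of one guest (constructed)."""
    vm: str
    port: int
    process: str


@dataclass(frozen=True)
class Flow:
    """A connection seen at the virtual bridge, on the hypervisor side (constructed)."""
    src_vm: str
    dst_vm: str
    dst_port: int


# Hypothetical policy for the example: which programs may own a listening port,
# and which VMs may talk to a critical host at all.
EXPECTED_SERVICES: Dict[int, Set[str]] = {22: {"sshd"}, 80: {"nginx"}, 443: {"nginx"}, 5432: {"postgres"}}
CRITICAL_HOSTS: Dict[str, Set[str]] = {"db01": {"web01", "web02"}}

Violation = Tuple[str, str, str]   # (kind, offending VM, detail)


def check_listeners(listeners: List[Listener]) -> List[Violation]:
    """Unauthorized application on a port, or a service on a port the policy never allowed."""
    violations = []
    for l in listeners:
        allowed = EXPECTED_SERVICES.get(l.port)
        if allowed is None:
            violations.append(("unexpected-port", l.vm, f"{l.process} listening on {l.port}"))
        elif l.process not in allowed:
            violations.append(("unauthorized-service", l.vm,
                               f"{l.process} on port {l.port}, expected one of {sorted(allowed)}"))
    return violations


def check_flows(flows: List[Flow]) -> List[Violation]:
    """Access to a critical host from a VM that is not on its allow list."""
    violations = []
    for f in flows:
        allowed_sources = CRITICAL_HOSTS.get(f.dst_vm)
        if allowed_sources is not None and f.src_vm not in allowed_sources:
            violations.append(("critical-host-access", f.src_vm, f"to {f.dst_vm}:{f.dst_port}"))
    return violations


def quarantine_rules(violations: List[Violation], mac_of: Dict[str, str]) -> List[str]:
    """ebtables commands (returned, not executed) that drop forwarded frames from each
    offending VM's MAC on the bridge, i.e. quarantine it at layer 2."""
    macs = sorted({mac_of[vm] for _, vm, _ in violations})
    return [f"ebtables -A FORWARD -s {mac} -j DROP" for mac in macs]


# Constructed sample data.
SAMPLE_LISTENERS = [Listener("web01", 443, "nginx"), Listener("web01", 22, "sshd"),
                    Listener("web02", 8443, "sshd"),      # SSH moved to a non-standard port
                    Listener("app03", 5432, "nc")]        # netcat posing as the database port
SAMPLE_FLOWS = [Flow("web01", "db01", 5432), Flow("app03", "db01", 5432)]
MAC_OF = {"web01": "52:54:00:aa:00:01", "web02": "52:54:00:aa:00:02",
          "app03": "52:54:00:aa:00:03", "db01": "52:54:00:aa:00:10"}


def audit(listeners=SAMPLE_LISTENERS, flows=SAMPLE_FLOWS, mac_of=MAC_OF):
    violations = check_listeners(listeners) + check_flows(flows)
    return violations, quarantine_rules(violations, mac_of)


if __name__ == "__main__":
    found, rules = audit()
    for kind, vm, detail in found:
        print(f"{kind:22} {vm:6} {detail}")
    print("\n".join(rules))
```

The port-to-process check is only possible because the owner of the socket comes from introspecting guest memory: a bridge alone sees port numbers, not which binary opened them, so a port-knocking backdoor on 443 looks like a web server from the wire.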

Page 28

Program Integrity Detection

• Periodically hashes the unchanging sections of each running program
• Compares the hashes to known-good hashes

Signature Detector
• Periodically scans guest memory for known-bad signatures
• Sometimes detects malware in unexpected places, like the filesystem cache
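Both detectors on this slide, as an added Python example (not the slides' own code): a SHA-256 of a program's resident code pages is compared to a known-good hash, and all guest pages, page-cache pages included, are scanned for known-bad byte patterns; pages are joined into physically contiguous runs so a pattern straddling a page boundary is still found. The code pages, known-good hashes and signatures are constructed filler for the example.

```python
import hashlib
from typing import Dict, List, Tuple

PAGE = 4096


def text_hash(pages: List[bytes]) -> str:
    """SHA-256 over a program's resident read-only code pages, in address order."""
    h = hashlib.sha256()
    for page in pages:
        h.update(page)
    return h.hexdigest()


def check_program_integrity(running: Dict[str, List[bytes]],
                            known_good: Dict[str, str]) -> List[Tuple[str, str]]:
    """running: program name -> its .text pages as read from guest memory.
    Returns one (program, reason) per modified or unknown program."""
    findings = []
    for name, pages in running.items():
        expected = known_good.get(name)
        if expected is None:
            findings.append((name, "no known-good hash"))
        elif text_hash(pages) != expected:
            findings.append((name, "code section modified in memory"))
    return findings


def contiguous_runs(pages: Dict[int, bytes]) -> List[Tuple[int, bytes]]:
    """Join physically adjacent pages so a pattern crossing a page boundary is still visible."""
    runs: List[Tuple[int, bytes]] = []
    for addr in sorted(pages):
        if runs and runs[-1][0] + len(runs[-1][1]) == addr:
            runs[-1] = (runs[-1][0], runs[-1][1] + pages[addr])
        else:
            runs.append((addr, pages[addr]))
    return runs


def scan_memory_for_signatures(pages: Dict[int, bytes],
                               signatures: Dict[str, bytes]) -> List[Tuple[str, int]]:
    """Scan every guest page (page cache included) for known-bad byte patterns.
    Returns (signature name, guest physical address) sorted by address."""
    hits = []
    for start, data in contiguous_runs(pages):
        for name, pattern in signatures.items():
            i = data.find(pattern)
            while i != -1:
                hits.append((name, start + i))
                i = data.find(pattern, i + 1)
    return sorted(hits, key=lambda h: (h[1], h[0]))


def _code(seed: int, n: int) -> bytes:
    """Deterministic filler standing in for machine code (constructed data)."""
    return bytes((seed * 7 + i * 13) & 0xFF for i in range(n))


# Constructed programs: a clean sshd, the same sshd with a 5-byte jmp hook patched in at 0x40,
# and a page-cache copy of a dropped rootkit binary whose name string straddles two pages.
CLEAN_SSHD = [_code(1, PAGE), _code(2, PAGE)]
HOOK = b"\xe9\x00\x10\x00\x00"
HOOKED_SSHD = [CLEAN_SSHD[0][:0x40] + HOOK + CLEAN_SSHD[0][0x40 + len(HOOK):], CLEAN_SSHD[1]]
KNOWN_GOOD = {"sshd": text_hash(CLEAN_SSHD), "nginx": text_hash([_code(3, PAGE)])}
SIGNATURES = {"suckit-marker": b"SucKIT", "hook-trampoline": HOOK}


def sample_guest_pages() -> Dict[int, bytes]:
    cache = _code(9, 2 * PAGE)
    cut = PAGE - 3                                   # "Suc" ends one page, "KIT" starts the next
    cache = cache[:cut] + b"SucKIT" + cache[cut + 6:]
    return {0x10000: HOOKED_SSHD[0], 0x11000: HOOKED_SSHD[1],
            0x7000: cache[:PAGE], 0x8000: cache[PAGE:]}


def demo():
    running = {"sshd": HOOKED_SSHD, "nginx": [_code(3, PAGE)], "nc": [_code(4, PAGE)]}
    return check_program_integrity(running, KNOWN_GOOD), scan_memory_for_signatures(sample_guest_pages(), SIGNATURES)


if __name__ == "__main__":
    findings, hits = demo()
    for name, reason in findings:
        print(f"integrity: {name}: {reason}")
    for sig, addr in hits:
        print(f"signature: {sig} at {addr:#x}")
```

Two practical points the slide leaves implicit: the hash must cover only pages that are genuinely immutable (relocations and lazy-bound PLT entries legitimately change after load, so they need to be masked or hashed after binding), and a scan that treats each page in isolation misses any signature split across a boundary, which is exactly what the contiguous-run step is for.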

Page 29

Malware analysis based on syscall tree

Page 30

Fighting Rootkits

NICKLE/QEMU+KQEMU foils the SucKIT rootkit (guest OS: Red Hat 8.0)

Source: Riley, Jiang, Xu, "Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing", RAID 2008, http://www.ll.mit.edu/RAID2008/Files/RAID2008-s1-1-Riley-GuestTransparent.pdf

Page 31

NOW TIME FOR… DEMO

Page 32

VMScope prototype

Source: http://www.ise.gmu.edu/~xjiang

Page 33

External Scanning Result / Internal Scanning Result / Diff (the difference between the out-of-VM and in-VM views reveals hidden objects)

Source: http://www.ise.gmu.edu/~xjiang

Page 34

Qebek – Sebek rootkit with VMI

http://honeynet.org/papers/KYT_qebek

Currently sbk_dialog supports three types of syscall: sys_open, sys_read and sys_socket.

Qebek components (inside QEMU, alongside the Guest OS): Interception Module, SVR Helper Routines, Breakpoint System, Introspection Module, Output Module.

Page 35

VIX – Xen-based VMI

Page 36

Our prototype vEye

We created a prototype which opens the following opportunities:
• A new way of signature generation for Intrusion Detection Systems (IDS)
• Malicious software reverse engineering through syscall monitoring
• Low-level software debugging
• User activity monitoring outside the OS (the user is unable to disable monitoring)
• Research of user/malefactor behavior in honeypots
• Memory monitoring and control outside the OS

Virtual Machine Introspection with binary translation

Allows collecting any action of the virtualized OS under VMware or QEMU from honeypots.
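Syscall-tree reconstruction of the kind Qebek (sys_open, sys_read, sys_socket) and vEye perform, as an added example that is neither project's code: events captured at a hypothetical syscall-entry/exit breakpoint carry the guest registers (x86-64 Linux ABI: rax = syscall number, rdi/rsi/rdx = first arguments), pointer arguments are resolved through a constructed view of guest memory, clone() return values link parent to child, and a hypothetical rule flags a process that opens /etc/shadow and then opens an Internet socket. The syscall numbers are the real x86-64 values; the events and memory contents are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

# x86-64 Linux syscall numbers (real values); anything else is shown as sys_<nr>.
SYSCALLS = {0: "read", 1: "write", 2: "open", 41: "socket", 42: "connect", 56: "clone", 59: "execve"}
AF = {1: "AF_UNIX", 2: "AF_INET", 10: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}


@dataclass
class SyscallEvent:
    """What a breakpoint on the guest's syscall entry delivers to the introspection module."""
    pid: int
    comm: str
    regs: Dict[str, int]   # rax = syscall number, rdi/rsi/rdx = first three arguments
    ret: int               # rax captured again at the matching syscall-exit breakpoint


class GuestMemory:
    """Flat view of a region of guest virtual memory, used to pull argument strings."""
    def __init__(self, base: int, data: bytes):
        self.base, self.data = base, data

    def cstring(self, vaddr: int, limit: int = 256) -> str:
        off = vaddr - self.base
        if not 0 <= off < len(self.data):
            return f"<unreadable {vaddr:#x}>"
        return self.data[off:off + limit].split(b"\0", 1)[0].decode("ascii", "replace")


def decode(ev: SyscallEvent, mem: GuestMemory) -> str:
    """Turn raw registers into a strace-like line, resolving pointers through guest memory."""
    r = ev.regs
    name = SYSCALLS.get(r["rax"], f"sys_{r['rax']}")
    if name == "open":
        args = f'"{mem.cstring(r["rdi"])}", {r["rsi"]:#x}'
    elif name == "execve":
        args = f'"{mem.cstring(r["rdi"])}"'
    elif name == "socket":
        args = f'{AF.get(r["rdi"], r["rdi"])}, {SOCK_TYPE.get(r["rsi"], r["rsi"])}, {r["rdx"]}'
    elif name in ("read", "write"):
        args = f'{r["rdi"]}, {r["rsi"]:#x}, {r["rdx"]}'
    elif name == "clone":
        args = ""
    else:
        args = f'{r["rdi"]:#x}, {r["rsi"]:#x}, {r["rdx"]:#x}'
    return f"{name}({args}) = {ev.ret}"


def build_syscall_tree(events: List[SyscallEvent], mem: GuestMemory) -> Dict[int, dict]:
    """pid -> {comm, calls, children}; clone()'s return value links parent to child."""
    tree: Dict[int, dict] = {}
    for ev in events:
        node = tree.setdefault(ev.pid, {"comm": ev.comm, "calls": [], "children": []})
        node["comm"] = ev.comm                       # execve renames the process; keep the latest
        node["calls"].append(decode(ev, mem))
        if SYSCALLS.get(ev.regs["rax"]) == "clone" and ev.ret > 0:
            node["children"].append(ev.ret)
            tree.setdefault(ev.ret, {"comm": ev.comm, "calls": [], "children": []})
    return tree


def flag_credential_exfil(tree: Dict[int, dict]) -> List[int]:
    """Hypothetical detection rule: a process opens /etc/shadow and later opens an Internet socket."""
    flagged = []
    for pid, node in tree.items():
        calls = node["calls"]
        i_secret = next((i for i, c in enumerate(calls) if c.startswith('open("/etc/shadow"')), None)
        i_net = next((i for i, c in enumerate(calls) if c.startswith("socket(AF_INET")), None)
        if i_secret is not None and i_net is not None and i_secret < i_net:
            flagged.append(pid)
    return flagged


# Constructed trace: bash forks, the child execs /tmp/.x, which reads /etc/shadow and opens a TCP socket.
STACK = 0x7ffd0000
GUEST_MEM = GuestMemory(STACK, b"/tmp/.x\0".ljust(16, b"\0")
                        + b"/etc/shadow\0".ljust(16, b"\0")
                        + b"/home/u/.bash_history\0".ljust(32, b"\0"))
SAMPLE_EVENTS = [
    SyscallEvent(100, "bash", {"rax": 56, "rdi": 0x1200011, "rsi": 0, "rdx": 0}, 101),
    SyscallEvent(101, "bash", {"rax": 59, "rdi": STACK, "rsi": 0, "rdx": 0}, 0),
    SyscallEvent(101, ".x", {"rax": 2, "rdi": STACK + 16, "rsi": 0, "rdx": 0}, 3),
    SyscallEvent(101, ".x", {"rax": 0, "rdi": 3, "rsi": 0x7ffd1000, "rdx": 4096}, 1337),
    SyscallEvent(101, ".x", {"rax": 41, "rdi": 2, "rsi": 1, "rdx": 0}, 4),
    SyscallEvent(100, "bash", {"rax": 2, "rdi": STACK + 32, "rsi": 0x441, "rdx": 0o600}, 3),
]


def print_tree(tree: Dict[int, dict], pid: int, depth: int = 0) -> None:
    node = tree[pid]
    print("  " * depth + f"[{pid}] {node['comm']}")
    for call in node["calls"]:
        print("  " * depth + "   " + call)
    for child in node["children"]:
        print_tree(tree, child, depth + 1)


if __name__ == "__main__":
    t = build_syscall_tree(SAMPLE_EVENTS, GUEST_MEM)
    print_tree(t, 100)
    print("flagged:", flag_credential_exfil(t))
```

The decoder is where the semantic gap bites again: the register convention and syscall table are per-architecture and per-kernel, and a string argument has to be read from the guest at the moment of the entry breakpoint, before the guest can overwrite it. Because the breakpoint lives in the hypervisor rather than in a guest kernel module, the monitored process cannot unload or hook it the way it could a Sebek module.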

Page 37

Catching system calls

Page 38

Catching console activity

Page 39

Our Monitoring console

Page 40

WHAT ABOUT PRODUCTION?

Page 41

Niche players

http://www.vmware.com/files/pdf/products/vcns/VMware-Integrated-Partner-Solutions-Networking-Security.pdf

Page 42

vShield

Source: http://www.vmware.com/products/vsphere/features-endpoint

Page 43

VMsafe API

VMsafe is an application programming interface to protect applications running in virtual machines.

VMsafe applications can come in two forms. The first form is referred to as Fast Path and is composed of just a vmkernel driver that gets installed on the VMware vSphere ESX 4 host.

Fast Path has many advantages, but only so much really belongs in a driver, and the driver is often used to further transfer necessary information to a virtual appliance. The combination of virtual appliance and vmkernel driver composes the second form, which is known as the Slow Path.

Source: http://www.vspherereference.com/id14.html

Page 44

XenAccess => LibVMI

Source: https://code.google.com/p/vmitools/wiki/LibVMIIntroduction

Page 46

Juniper VMI for Datacenter security management - Vision

Source: http://www.slideshare.net/junipernetworks/juniper-and-vmware-taking-data-centre-networks-to-the-next-level-15523046?from_search=1

Page 48

Where is …?

Page 49

Questions?

Thank you for your attention!

Copyright © 2013 Nazar Tymoshyk

Nazar Tymoshyk, Skype: root_nt, Email: [email protected]