Upload
tjylen-veselyj
View
1.816
Download
1
Embed Size (px)
DESCRIPTION
In this presentation I'm talking about feature of VMI technology that are vital for malware analysis, intrusion detection and attack prevention in virtualized environment. This presentation is part of my Ph.D. work and contain summary of VMI state in 2013.
Citation preview
Virtual Machine
Introspection
Future of Cloud Security
by Nazar Tymoshyk, Ph.D., CEH, OWASP Lviv Chapter lead, Ukraine
UISGCON9’13
TODAYConnection to the Cloud means connection to some servers located in datacenter somewhere in the world
IaaS and Security Benefits:• Cost
reduction• Flexibility• Scalability• Pay-per-
use• Hardware• Utilization• Isolation
Cloud - means environment on demand. Cloud could be Private, Public or Hybrid.Most commonly used type of Cloud is Infrastructure as a Service (IaaS). IaaS – is a Operating System with some computing resources on demand.Security for IaaS has same issues as any other network and server infrastructure located in Datacenter.
Environment on Demand?
Security applications benefit from virtualization by
running in isolated virtual machines (VMs) and building
smaller trusted computing bases (TCBs).
VDI
A sandbox is an execution environment that can restrict access to resourcesA VM is a heavy-weight sandbox that supports execution of entire operating systemsIsolation – guest code cannot read/write outside of the VMInspection – VMM can examine entire state of the guest system (memory, devices, etc)Interposition – VMM can interrupt guest code at any time
SDN challenge
Today SDN if future for Private/Public/Hybrid Cloud.Firewall/IDS sees/protects physical security is “Blind” to all traffic between Servers
Traffic between Virtual Machines • Isolation is no longer physical but logical.• Isolation is less precise.• Security guarantees are weaker.
Challenge: mapping existing network security components to new cloud architectures.
«Hey You! Get Off My Cloud» Attack
• Identify potential targets
Map the Cloud
Which Hypervisor used by cloud providers?IaaS provider Hyperviz
or:
Amazon, Linode, Rackspace, GoGrid
Xen/Citrix Xen
Google Compute Engine, Openstack (For private cloud), Rackspace, IBM
KVM
Azure Hyper-V
Bluelock, CSC, VmWare vCloud, Cloud.com, CloudStack,
VmWare
What is common for all these hypervisors?
Father of them was – Qemu emulator Source: http://www.quora.com/What-are-the-hypervisors-used-by-big-IaaS-providers
SOME
PROBLEMS
Key threads for servers in cloud
Isolation break-outBlue pill
Access Keys leakag
e
https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
https://www.owasp.org/index.php/Category:OWASP_Cloud_%E2%80%90_10_Project
Unavailability
OWASP 10 Cloud
Risks
Vulnerable and old software:Compromised
0-day vulnerability
Rootkits / Virus
Cloud Security Alliance
Top Threats
Nice sample of Cloud threat
What about Worm for Windows based cloud servers that use RDP vulnerability?
How to recover all VMs in cloud and centrally remove that malware?
http://thehackernews.com/2012/04/cloudworm-candidate-ms12-020-poc.html
Transparency challenge
Prove security hygiene of provider infrastructure to third parties.
Auditability, certification process, risk analysis methodologies, compliance.
Trusted cloud computing technologies provide cryptographic evidence.
What White-Hats doing to catch malware?
To monitor/register activity inside operating system most White Hats and researcher use honeypots or production system with different kinds of agents, installed inside OS – key-loggers, spyware, rootkits.
KNOW YOUR ENEMY
Honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.Research honeypots are run to gather information about the motives and tactics of the Black-hat community targeting different networks.
Malware Detection
Current approach fundamentally flawed:• Malware running in the same system
space with anti-malware software at the same privileged level
• No clear winner in the arms race between them
Current approach
Agent based monitoring and protection:The problem is that all this agents could be detected by user/malefactor and be subverted, and/or disabled by the attacker
Main problem of any monitoring system is -Stealthy and Tamper resistanse
Kaspersky Enterprise agent, Microsoft Forefront, Ziften
VMI Security – why?
1. Central processing of security functions is more efficient than distributing security controls and related overhead to each VM
2. No host agents required – guaranteeing security for all VMs regardless of operating system type and patch level, and with no impact to applications running inside the VMs.
3. Tamper-proof security. Host-agents are subject to getting compromised by the very malware they aim to thwart (e.g., Conficker turning off A/V).
By contrast, hypervisor-based security resides outside the guest-VM, and is thus tamper-proof to any malware infections inside a VM.
Out of the box VM management
The monitoring of virtual machines has many applications in areas such as security and systems management
VIRTUAL MACHINE INTROSPECTION TECHNOLOGY
What VMI is?
X-ray view of all VM states, including installed applications, operating systems, and patch levels. Could be used for Detection, Protection and Management, compliance and automated security enforcement.VMI use the capabilities of the hypervisor to supervise VM behavior.
2017 – VMI will become production standard2013 – Juniper/Arbor present new product on RSA Conference based on VmWare VmSafe API2010 – prototype on Honeynet by Chengyu Song2009 – prototype done by Nazar Tymoshyk2007 – xenaccess initiated and transformed to LibVMI2006 – first prototype by Xiang Yang VMScope2003 – initial research by T. Garnkel and M. Rosenblum, NDSS conference
VMI prototypes
VMI architecture x86
Paravirtualisation: The guest OS is modified to better cooperate with the hypervisor. + Sensitive non-privileged instructions are replaced by hypercalls. - Only a limited number of paravirtualized drivers are needed. Not compatible with proprietary kernels.Binary translation: The VMM converts “problem” instructions in smoother binary code.+ Compatible with most guest OSes. Does not require specific hardware support. - Requires many optimizations to be efficient.Hardware-assisted virtualization: The hardware facilitates virtualization with specific instructions (e.g., Intel VT-x). + The guest OS runs transparently without modifications. Allows to run OS which cannot be paravirtualized. Security is also enhanced. - Hardware context switching might be costly. Implementation may also be difficult.
What can be monitored
• All user input
• Content
• Storage/File system
• Traffic
• Access
• MEMORY
• Rootkits
• Malware on FS
• Integrity
Implementation problems - x86
Step 1: Procuring low-level VM states and eventsDisk blocks, memory pages, registers…Traps, interrupts…
Step 2: Reconstructing high-level semantic viewFiles, directories, processes, and kernel modules…System calls, context switches…
Semantic problem: the data accessed throughintrospection are raw data.
FEATURES OF
VIRTUAL MACHINE INTROSPECTION
What security features it offers?
VM Antiviruscontrol
Malware analysis
Cloud SIEM
VM IPS/IDS
VM ForcingPolicies
VM Honeypot
Cloud Firewall
VM Patch management
Invisible system logging
Rootkit prevention
VMI for Cloud management
Automated VM compliance assessment based on multiple VM attributes;
Quarantine of non-compliant VMs to eliminate administrative errors and reduce risk.
Automated security classification and enforcement for new or cloned VMs
MEMORY analysis
Registry keys
Unpacked malware
Access keys
Processes
Software binary
stop unauthorized services from running and prevent zero day attacks against unpatched or vulnerable systems
Open sockets
Network introspection
• monitors real-time network and user activity in a virtual environment
• detecting policy violations such as the use of unauthorized applications on non-standard ports or unpermitted access to a critical host
• vm-bridge filter all traffic from and between VMs
• ebtables used for firewalling
Program Integrity Detection
• Periodically hashes the unchanging sections of each running program
• Compares the hashes to known-good hashes
• Signature Detector• Periodically scan guest memory for
known-bad signatures• Sometimes detects malware in
unexpected places, like the filesystem cache
Malware analysis based on syscall tree
Fighting Rootkits
NICKLE/QEMU+KQEMU foils the SucKIT rootkit (guest OS: RedHat 8.0)
Source: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCwQFjAA&url=http%3A%2F%2Fwww.ll.mit.edu%2FRAID2008%2FFiles%2FRAID2008-s1-1-Riley-GuestTransparent.pdf&ei=7VZAUojzAoePswai-ICIDg&usg=AFQjCNGbkvobIvIx6PAJiDjrw70Lbb0HOA&sig2=TnTSklrH5N8xieh6QUlFYw&bvm=bv.52434380,d.d2k
NOW TIME FOR ….
DEMO
VMScope prototype
Source:http://www.ise.gmu.edu/~xjiang
External Scanning Result
Internal Scanning Result
Diff
Source: http://www.ise.gmu.edu/~xjiang
Qebek – Sebek rootkit with VMI
http://honeynet.org/papers/KYT_qebek
Currently sbk_dialog supports three types of syscall: they are sys_open, sys_read and sys_socket.
QEMU
Guest OS
Interception Module
SVR Helper Routines
Breakpoint System
Introspection Module
Output Module
Qebek
VIX – Xen based VMI
Our prototype vEye
We create prototype which open following opportunities:• New way to signature generation for Intrusion Detection
Systems(IDS)• Malicious software reverse engineering through sys_calls
monitoring• Low level software debugging• User activity monitoring outside OS (user is unable to disable
monitoring)• Research user/malefactor behavior in Honeypots• Memory monitoring and control outside OS
Virtual Machine Introspection with binary translation
Allow to collect any action of virtualized OS with VMWare or Qemu from honeypots.
Catching system calls
Catching console activity
Our Monitoring console
WHAT ABOUT PRODUCTION?
Niche players
http://www.vmware.com/files/pdf/products/vcns/VMware-Integrated-Partner-Solutions-Networking-Security.pdf
vShield
Source: http://www.vmware.com/products/vsphere/features-endpoint
VMSafe API
VMsafe is an application programming interface to protect applications running in virtual machines.
VMsafe applications can come in two forms. The first form is referred to as Fast Path and is composed of just a vmkernel driver that gets installed on the VMware vSphere ESX 4 host.
Fast Path has many advantages but only so much really belongs in a driver, and the driver is often used to further transfer necessary information to a virtual appliance. The combination of virtual appliance and vmkernel driver composes the second form, which is known as the Slow Path.
Source : http://www.vspherereference.com/id14.html
XenAccess=>LibVMI
Source:https://code.google.com/p/vmitools/wiki/LibVMIIntroduction
Juniper / Altor
Source: http://www.slideshare.net/junipernetworks/juniper-and-vmware-taking-data-centre-networks-to-the-next-level-15523046?from_search=1
Juniper VMI for Datacenter security management - Vision
Source: http://www.slideshare.net/junipernetworks/juniper-and-vmware-taking-data-centre-networks-to-the-next-level-15523046?from_search=1
Juniper / Altor
Source: http://www.slideshare.net/junipernetworks/juniper-and-vmware-taking-data-centre-networks-to-the-next-level-15523046?from_search=1
Where is …?
Questions?
Thank You!Copyright © 2013 Nazar Tymoshyk
[email protected] you for attention!
Nazar TymoshykSkype: root_ntEmail: [email protected]