June 23, 2008
Stephen Brueckner
ATC-NY
Ithaca, NY
Novel Applications of Xen: Virtual Training & Malware Evaluation
ATC-NY (Architecture Technology Corporation)
ATC-NY 08-018, Xen Summit Boston 2008
Introduction
- Novel applications
  - Not typical enterprise usage
  - User works both inside & outside VMs
  - One user interacts with many VMs
  - Minimize the footprint of external tooling inside VMs
- User space
  - Minimal changes to Xen
  - Scripting using "xm" commands
Projects
- CYDEST (virtual training environment)
  - Management interface
  - Automating access to VM internals
- EXAMIN (malware testing environment)
  - VM configuration tool
  - VM introspection work
- Started 3 and 2 years ago, respectively
Objectives
- Inform you of our projects' requirements
- Show you the tools we developed
  - Describe the Xen features we built upon
  - While seeking advice on alternatives
- Provide feedback to the Xen community
  - Problems
  - Wish lists
  - Questions
CYDEST: Cyber Defense Trainer
- Realism
  - Real attacks & defense tools
  - Both network and hosts
  - Full fidelity (not a simulator)
- Availability
  - Web access
  - Up 24/7/365
- Automation
  - Auto-assessment
  - Automated dynamic attacks
CYDEST Architecture (diagram)
Trainee's Management Interface
- Goal: maintain the trainee's situational awareness
- Graphical representation (with labels)
  - Network topology, hostnames, IPs, OSs
- Component status (using colors)
  - VMs & bridges: "up," "down," booting/shutting down
- Controls (buttons)
  - Start, Stop, VNC
- Implementation
  - Web-enabled
  - Manually configured
CYDEST Management GUI (screenshot)
Monitor & Control Channels
- Requirements
  - Automatable
  - Out-of-band (network traffic not visible to the trainee)
  - Reliable (not network dependent)
- Solution
  - Separate networks (physical & virtual)
  - Use the guests' serial consoles
  - Program to negotiate guest interaction
- Consoles to control Windows VMs
  - Windows serial console listener and shell
  - Unfortunately, violates guest sanctity
CYDEST Network Separation (diagram)
Monitor & Control Channels (cont.)
- open2xm.pl
  - Automated console interactions
  - Queueing of access requests
  - External & internal timeouts
  - Buffering I/O (for processes, not humans)
  - XML encapsulation (separation of stdout and stderr)
  - Handles login (various users & prompts)
  - Batch mode
- Implementation
  - Scripted using "xm console"
  - Currently experimenting with the Xen API (XML-RPC)
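The console-driven control channel described on the two Monitor & Control Channels slides, as an added example that is not open2xm.pl or any ATC-NY code: a Python driver that answers login prompts, serialises concurrent requests with a lock, enforces an external timeout, and returns stdout and stderr separately in XML even though both arrive over one serial channel. The transport is any object with read() and write(); in real use it would wrap the pty of `xm console <domain>` (not shown here). FakeGuest, its prompts, hostnames, credentials and canned commands are constructed for the example so it runs offline.

```python
"""Scripted guest-console driver in the spirit of open2xm.pl (added example, not
ATC-NY code). Transport: read() -> bytes and write(bytes); FakeGuest stands in."""
import re
import threading
import time
from xml.etree import ElementTree as ET

# Typed at the guest shell: stdout streams live, then the exit code, then captured
# stderr, then a marker. __EN''D__ keeps the tty echo distinct from the __END__ printed.
_TAIL = "; } 2>/tmp/.e; echo \"__RC=$?__\"; cat /tmp/.e; echo __EN''D__"
_RC = re.compile(rb"^__RC=(\d+)__$", re.M)
_DONE = re.compile(rb"__END__\r?\n[^\n]*[$#] $")            # marker, then a prompt
_PROMPTS = {n: re.compile(p) for n, p in [("login", rb"login: $"),
            ("password", rb"[Pp]assword: $"), ("shell", rb"[$#] $")]}

class ConsoleTimeout(Exception): pass

class ConsoleSession:
    def __init__(self, transport, timeout=2.0):
        self.t, self.timeout = transport, timeout
        self.lock = threading.Lock()       # queue concurrent requests to one console

    def expect(self, patterns):            # read until a named regex matches; external timeout
        buf, deadline = b"", time.monotonic() + self.timeout
        while time.monotonic() < deadline:
            buf += self.t.read()
            for name, pat in patterns.items():
                if pat.search(buf):
                    return name, buf
            time.sleep(0.005)
        raise ConsoleTimeout("no prompt in %.1fs, tail=%r" % (self.timeout, buf[-60:]))

    def login(self, user, password, tries=3):   # answer whatever prompt the console is at
        self.t.write(b"\n")                # wake a quiet console
        for _ in range(2 * tries + 1):
            state, _buf = self.expect(_PROMPTS)
            if state == "shell":
                return True
            self.t.write((user if state == "login" else password).encode() + b"\n")
        return False

    def run(self, cmd):                    # returns rc, stdout, stderr separately, plus XML
        with self.lock:
            self.t.write(("{ " + cmd + _TAIL + "\n").encode())
            _name, buf = self.expect({"done": _DONE})
        body = buf.split(b"\n", 1)[1].replace(b"\r\n", b"\n")  # drop the echoed command
        m = _RC.search(body)
        assert m, "exit-code marker missing: %r" % body[:80]
        rest = body[m.end() + 1:]                               # skip newline after marker
        result = {"cmd": cmd, "rc": int(m.group(1)),
                  "stdout": body[:m.start()].decode(errors="replace"),
                  "stderr": rest[:rest.index(b"__END__")].decode(errors="replace")}
        root = ET.Element("result", cmd=cmd, rc=str(result["rc"]))
        for tag in ("stdout", "stderr"):
            ET.SubElement(root, tag).text = result[tag]
        result["xml"] = ET.tostring(root, encoding="unicode")
        return result

class FakeGuest:
    """Constructed stand-in for a guest serial console (not a real VM): echoes, logs in, answers a table."""
    CMDS = {"hostname -f": ("ws1.cydest.lab\n", "", 0),
            "cat /etc/shadow": ("", "cat: /etc/shadow: Permission denied\n", 1)}
    HANG = "sleep 999"                     # wedged guest: the prompt never comes back
    _INNER = re.compile(r"^\{ (.*)" + re.escape(_TAIL) + "$")

    def __init__(self, password="cydest"):
        self.password, self.state, self.out = password, "login", b"ws1 login: "

    def read(self):
        data, self.out = self.out, b""
        return data

    def write(self, data):
        line = data.decode().rstrip("\n")
        if self.state != "password":
            self.out += data               # tty echo; passwords are not echoed
        if self.state == "login":
            self.state = "password" if line else "login"
            self.out += b"Password: " if line else b"ws1 login: "
        elif self.state == "password":
            self.state = "shell" if line == self.password else "login"
            self.out += b"\ntrainee@ws1:~$ " if self.state == "shell" else b"\nLogin incorrect\nws1 login: "
        else:
            m = self._INNER.match(line)
            inner = m.group(1) if m else line
            if inner == self.HANG:
                return
            so, se, rc = self.CMDS.get(inner, ("", "sh: %s: not found\n" % inner, 127))
            self.out += so.encode() + b"__RC=%d__\n" % rc + se.encode() + b"__END__\ntrainee@ws1:~$ "

def demo(timeout=0.5):                     # login, two commands, then a hung request
    sess = ConsoleSession(FakeGuest(), timeout=timeout)
    logged_in = sess.login("trainee", "cydest")
    ok, denied = sess.run("hostname -f"), sess.run("cat /etc/shadow")
    timed_out = False
    try:
        sess.run(FakeGuest.HANG)
    except ConsoleTimeout:
        timed_out = True
    return {"logged_in": logged_in, "ok": ok, "denied": denied, "timed_out": timed_out}
```

Call demo() to see the three outcomes: a clean result, a result whose stderr and non-zero exit code are recovered intact, and a wedged guest that is reported as a ConsoleTimeout rather than blocking the queue. The echoed command line has to be discarded before parsing, which is why the end marker is typed as `__EN''D__`: the shell prints `__END__`, but the echo never contains it.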
EXAMIN: Exploit and Malware Incubator
- A testing/reverse-engineering platform
- Motivation:
  - Closed-source software has uncertain pedigree
  - May therefore include embedded malicious code
- Virtualization is a common approach
  - Malware's VM detection is currently an anti-tamper technique...
  - Not anticipated to be an issue in the future
EXAMIN Design
- Native kernels (HVM guests)
  - Stealthy malware may not execute under paravirtualization
  - E.g., an LKM rootkit expecting "sysenter_entry"
- Components
  - Incubator: the VM network
  - Instrumentation
    - Internal: standard tools
    - External: VM introspection
EXAMIN Incubator Creation
- Objective: user-configurable heterogeneous VM network
- Virtual Network Builder (VNB)
  - Front-end topology editor
  - Back-end VM provisioning
    - Linux: dead-image manipulation (mount, chroot, rpm)
    - Windows: provisioning live VMs, because the registry can't be modified without the Windows API
EXAMIN VNB (screenshot)
EXAMIN External Instrumentation
- High-assurance security monitoring services
  - VM introspection of the guest kernel's memory
  - Using XenAccess (open-source introspection library)
- Current services:
  - Integrity checking of kernel & processes
    - Code segments
    - Specific structures (IDT, system call table)
    - "Mostly static" structures (module list)
  - Cross-view checking
    - High-assurance versions of standard HIDS
  - NIDS (not true VM introspection)
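The integrity and cross-view checks listed above, as an added example that is not ATC-NY code and does not call XenAccess: the guest kernel is a constructed byte image so the logic runs offline, whereas with XenAccess the same bytes would be read out of the guest's kernel virtual memory from dom0. The code segment is hashed against a clean-boot snapshot, every system call table entry is compared with the snapshot and required to point into kernel text, and the task list read from kernel memory is diffed against the `ps` output the in-guest tools show. All addresses, symbol names, syscall numbers, process names and the `ps` sample are illustrative i386 values assumed for the example.

```python
"""Integrity and cross-view checks in the style of EXAMIN's external instrumentation
(added example, not ATC-NY code; XenAccess is not used). Guest memory is a constructed
byte image; addresses, symbols and syscall numbers are assumed i386 values."""
import hashlib
import struct

PTR = struct.Struct("<I")                     # 32-bit LE pointers, i386 guest
KTEXT = (0xC0100000, 0xC0200000)              # _text .. _etext (assumed)
SYS_CALL_TABLE = 0xC0200400                   # assumed symbol address
NR_SYSCALLS = 256
SYS_NI_SYSCALL = 0xC0102F40                   # filler for unimplemented entries (assumed)
KNOWN = {3: 0xC0153A20, 5: 0xC0154010,        # sys_read, sys_open (assumed)
         141: 0xC0168BC0, 220: 0xC0168D50}    # sys_getdents, sys_getdents64 (assumed)

class GuestMemory:
    """Stand-in for an introspection handle: read(vaddr, n) -> bytes.
    write() exists only so the example can plant a rootkit in the image."""
    def __init__(self, base, image):
        self.base, self.image = base, bytearray(image)

    def read(self, vaddr, n):
        return bytes(self.image[vaddr - self.base:vaddr - self.base + n])

    def write(self, vaddr, data):
        self.image[vaddr - self.base:vaddr - self.base + len(data)] = data

def build_clean_image():
    """Constructed clean-boot kernel: zeroed text plus a populated syscall table."""
    img = bytearray(SYS_CALL_TABLE + NR_SYSCALLS * PTR.size - KTEXT[0])
    for nr in range(NR_SYSCALLS):
        PTR.pack_into(img, SYS_CALL_TABLE - KTEXT[0] + nr * PTR.size,
                      KNOWN.get(nr, SYS_NI_SYSCALL))
    return img

def in_text(addr):
    return KTEXT[0] <= addr < KTEXT[1]

def read_syscall_table(mem):
    raw = mem.read(SYS_CALL_TABLE, NR_SYSCALLS * PTR.size)
    return [PTR.unpack_from(raw, i * PTR.size)[0] for i in range(NR_SYSCALLS)]

def text_hash(mem):
    """Hash of the kernel code segment: catches inline patches and jmp hooks."""
    return hashlib.sha256(mem.read(KTEXT[0], KTEXT[1] - KTEXT[0])).hexdigest()

def check_syscall_table(mem, baseline):
    """Flag entries that differ from the clean-boot snapshot or point outside
    kernel text; the range test still works when no baseline exists."""
    findings = []
    for nr, (addr, good) in enumerate(zip(read_syscall_table(mem), baseline)):
        if addr != good or not in_text(addr):
            findings.append({"nr": nr, "addr": addr, "expected": good,
                             "in_text": in_text(addr)})
    return findings

def parse_ps(text):
    """In-guest view: PID and command name from `ps` output."""
    procs = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if fields:
            procs[int(fields[0])] = fields[-1]
    return procs

def cross_view(guest_view, introspected):
    """Tasks present in kernel memory but absent from the guest's own view
    have been hidden from the in-guest tools."""
    return {pid: comm for pid, comm in introspected.items() if pid not in guest_view}

def audit(mem, baseline, clean_hash, ps_text, tasks):
    return {"text_modified": text_hash(mem) != clean_hash,
            "syscall_findings": check_syscall_table(mem, baseline),
            "hidden": cross_view(parse_ps(ps_text), tasks)}

# Constructed sample views: TASKS_* is what a walk of the kernel task list from
# outside the VM returns; PS_OUTPUT is what the analyst sees inside the guest.
PS_OUTPUT = """  PID TTY          TIME CMD
    1 ?        00:00:01 init
  612 ?        00:00:00 sshd
  901 tty1     00:00:00 bash
"""
TASKS_CLEAN = {1: "init", 612: "sshd", 901: "bash"}
TASKS_INFECTED = {**TASKS_CLEAN, 4242: "backdoor"}   # filtered out of ps by the rootkit

def demo():
    mem = GuestMemory(KTEXT[0], build_clean_image())
    baseline, clean_hash = read_syscall_table(mem), text_hash(mem)  # taken at clean boot
    clean = audit(mem, baseline, clean_hash, PS_OUTPUT, TASKS_CLEAN)
    # Plant an LKM-style rootkit: redirect getdents64 through the table into module
    # memory, inline-patch sys_getdents with a jmp, and hide pid 4242 from ps.
    hook = 0xD08A3000                                               # inside the LKM (assumed)
    mem.write(SYS_CALL_TABLE + 220 * PTR.size, PTR.pack(hook))
    mem.write(KNOWN[141], b"\xe9" + struct.pack("<i", hook + 0x100 - (KNOWN[141] + 5)))
    infected = audit(mem, baseline, clean_hash, PS_OUTPUT, TASKS_INFECTED)
    return clean, infected
```

demo() returns the clean and infected audits. The two hook styles are caught by different checks: the table redirection trips both the snapshot comparison and the kernel-text range test, while the inline jmp leaves the table intact and is only caught by the code hash. Because every read comes from dom0, the rootkit's filtering of in-guest tools cannot affect the introspected task list, which is what makes the cross-view diff trustworthy.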
EXAMIN: Bridging the Semantic Gap (diagram)
Bridging the Semantic Gap: Preview of WIP
- Automated
  - Determine data structure layouts and magic numbers
- Generalizable to most OSs
  - Implemented for both Linux and Windows
- Run the same code on host and guest
  - No learning curve for a new language or API
  - Eases porting of existing apps
- Attend VMsec/CCS in October for details
  - Paper submitted...
Problems
- EXAMIN: guest isolation guarantees are important
  - Continuous security bug fixes
  - Is the hypervisor inspection/validation concept practical?
  - Others are working hard on this
- Xen's rapid development
  - Changing APIs
  - Emerging tools
  - Both are poorly documented
Wish List
- Faster serial console or equivalent channel
  - EXAMIN's cross-view checking needs to stream large pcap files from guest to host
- Multiple serial consoles
  - CYDEST's queueing of simultaneous access requests isn't optimal
- Limit of >3 vifs on a guest?
  - Never mind... new Xen handles up to 8 vifs
Questions
- Are there other management interfaces we should look at?
  - We have unusual requirements:
    - Graph-drawing capability for network topology
    - Integrated remote VNC/shell access
    - Display & control of bridges
    - Display of VM internals (hostnames, IPs, OSs)
    - Web browser interface
Questions (cont.)
- Are there other VM builders we should be considering?
  - MLN was originally UML-based, not a very active project
  - Our requirements:
    - GUI network builder
    - VM configuration: network, users, software
    - Support for Linux and Windows
Contact Information
ATC-NY
Cornell Business & Technology Park
33 Thornwood Drive, Suite 500
Ithaca, NY 14850

Technical Contacts:
Mr. Stephen Brueckner, PI
Dr. Frank Adelstein, Co-PI
(607) 266-7118

Management Contact:
Mr. Gene Proctor
(607) 266-7125

Business Development Contact:
Ms. Julie Baker
(202) 293-9701