Slashdot Mirror

← Back to Stories (view on slashdot.org)

Virtual Machines for Security

Posted by michael on from the virtually-impregnable dept.

k-hell writes "Researchers from the University of Michigan are using virtual machines to 'to provide security in an operating-system-independent manner.' They have designed and implemented a replay service for virtual machines called ReVirt, which 'logs enough information to replay a long-term execution of a virtual machine instruction-by-instruction.' A system called BackTracker 'automatically identifies potential sequences of steps that occurred in an intrusion,' and they provide a nice example of BackTracker's output for an attack against a machine that they set up as a honeypot, where an attacker gained access through httpd. Here's the source code."

106 comments

  1. Auto hack response by draziw · · Score: 2, Funny

    See an attack and have it try the same one right afterwards on the source ip. Oh wait - that's probably a box they hacked first. d'oh!

    1. Re:Auto hack response by Anonymous Coward · · Score: 0

      once you have root in that box, see who connects to it and offer a honeypot shell. use the same exploit to root the next system, on and on, until you get to the original IP.

  2. Hmm.. by Loki_1929 · · Score: 3, Interesting

    Using a Virtual Machine as a honeypot? Why didn't I think of that? ;)

    --
    -- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
    1. Re:Hmm.. by rkz · · Score: 2, Funny

      SCO thought of it first!


      --
      There is no god
    2. Re:Hmm.. by Zathrus · · Score: 5, Interesting

      Heh... but what's being discussed here seems somewhat different.

      You asked about setting up a honeypot via VM. A pretty good way to go about things.

      This takes it one step further - not only is the honeypot (or even honeynet) in a VM, there's an outer layer that's "watching" the VM(s) and recording the activity. That's really, really good. If you could actually lure some serious attacks to the honeypot then you'd have much more accurate records of what occurred. And, obviously, the observer is supposed to be invisible and undetectable.

      Of course, there's the issue of actually getting real attacks in the first place, instead of just a legion of script kiddies. But that's another ball of wax.

    3. Re:Hmm.. by Telastyn · · Score: 1

      And this has still been done for more than 3 years. (albeit not open source)

    4. Re:Hmm.. by friscolr · · Score: 4, Insightful
      honeyd mentions this sort of use. So does uml. also look into bait and switch honeypots, they mention using virtual machines as the honeypots (at least they did in a presentation i saw).

      Once Solaris 10 comes out, its zomes might be able to provide a better infrastructure for what the original article was talking about, but the last presentation i saw on zones was unsure about the monitoring capabilities to be built in.

      The performance boost this article mentions sounds nice, but i don't understand what else they accomplished that a tcpdump on the host machine couldn't do.

      links:
      honeyd
      user mode linux
      Bait and switch honeypots
      Solaris 10 zones

      --

      -f
      www.blackant.net

    5. Re:Hmm.. by $hecky · · Score: 0
      You're right. Lots of systems are virtually hackproof.

      Virtually.

      --
      You never know who will get one.
    6. Re:Hmm.. by clarkcox3 · · Score: 1

      "Simpsons did it!"

      --
      There are no tiger attacks in my area and it's all because this rock I'm holding keeps the tigers away.
    7. Re:Hmm.. by martyros · · Score: 5, Informative
      Putting security services in VMs has been done for years.

      The particular service we're providing, ReVirt, is new to Virtual Machines (as far as we know). We don't log normal "security" information, like login attemps, etc. We log just enough information to be able to roll the virtual machine back to a previous state, and make it execute exactly the same way.

      One of the (many) problems with security logs is that you frequently don't know everything that you really need to log until after the fact. With our system, you can go back and find out anything you want to know, because you have a live VM doing exactly what it did during the attack.

      BTW, the technique we're using for ReVirt was described back in the late 80's, and implemented in the mid 90's for debugging purposes; we're the first ones, as far as we know, to put it in a (somewhat) general-purpose virtual machine, like UMLinux.

      --

      TCP: Why the Internet is full of SYN.

  3. but.... by HowlinMad · · Score: 4, Interesting

    what if the virtual machine is not secure?

    --
    Great Linux Site
    1. Re:but.... by Anonymous Coward · · Score: 0

      That kind of is the point. I think you mean the real machine.

    2. Re:but.... by gmajor · · Score: 1

      Can't they be logically proved to be secure? IIRC, the Java VM is theoretically secure; any exploits come from an improper implementation of the VM. I would think it would be a similar case here.... correct?

    3. Re:but.... by Monkey-Man2000 · · Score: 3, Interesting

      But then couldn't they prove a real machine is logically secure? Just the implementation may not be. It seems that the implementation is the thing that practically matters in both cases.

      --
      This post was generated by a Cadre of Uber Monkeys for Monkey-Man2000 (603495).
    4. Re:but.... by Beryllium+Sphere(tm) · · Score: 4, Interesting

      Do you mean, what if the virtual machine has a bug that breaks virtualization and allows an attacker to 0wn the real hardware?

      That can happen. There was folklore about ways to break IBM's VM/CMS, for example.

    5. Re:but.... by martyros · · Score: 3, Interesting
      I'm George Dunlap, the main author on the ReVirt paper. So, IIAP/R (programmer/researcher). =)

      There is no way to know if there is a bug in the VM, just as there's no way to know if there's a bug in the operatin gsystem. BUT, the virtual machine montitor, which controls the VM, is a *lot* smaller piece of software than a kernel, with a much simpler interface to provide. Therefore, the hope is that there's less of a chance of an exploitable bug in the VM, than in an operating system.

      --

      TCP: Why the Internet is full of SYN.

  4. The obvious comparison... by nut · · Score: 3, Insightful

    Isn't this called Java?

    --
    Never trust a man in a blue trench coat, Never drive a car when you're dead
  5. Operating System Independence? by kevin_conaway · · Score: 4, Interesting

    They seems make a big point that they want OS independence for their system but they built it using User Mode Linux. How will this be OS independent?

    1. Re:Operating System Independence? by MyPantsAreOnFire! · · Score: 5, Insightful

      You can build another virtual machine that runs on a different platform (Windows) and have the high-level operations of the virtual machine stay the same. So, therefore, the interface that the (potentially attacking) user sees is independent of both the OS and its hardware.

      Simply because they built it on linux first doesn't mean they won't make a VM for another platform, much like Java does. I have a feeling that they're trying to get it right on Linux before they build another VM.

      --
      --My other sig is a ferrari.
    2. Re:Operating System Independence? by blenderfish · · Score: 3, Insightful

      The source is UM-linux specific, but the techniques they are using (i.e., create a narrow secure interface into the kernel, and watch the processor) are applicable to any OS. In particular, if someone could attach this to VMWare, that'd be pretty damn cool!

      - Blenderfish

    3. Re:Operating System Independence? by LostCluster · · Score: 2, Informative

      The UMLinux OS is there to be a thin real OS that runs the simulator which runs the guest OS and their goal is for the simulator to be a good enough emulation of real hardware so that any operating system can be installed as that guest OS....

    4. Re:Operating System Independence? by dki · · Score: 5, Informative

      Not to nitpick, but they don't use User Mode Linux. They use UMLinux, which differs from the former in that in UMLinux the VM is contained in a single host process, whereas in User Mode Linux each guest app has its own process. The confusion comes in because UMLinux is considered a type of User Mode Linux, hence the name. Confusing enough?

    5. Re:Operating System Independence? by martyros · · Score: 2, Interesting
      We'd gladly use VMWare, if they'd just GPL the source code. =)

      Unfortunately, since that's not likely to happen, Plex86 isn't in good shape, and we didn't want to write our own full-fleged VM, we used UMLinux for a prototype and proof-of-concept that the ReVirt idea could work. Maybe someday VMWare or someone else will pick it up.

      BTB, we do use UMLinux (now FAUmachine, I think), but we're looking into porting it to Jeff Dike's User-Mode-Linux soon.

      --

      TCP: Why the Internet is full of SYN.

  6. Security cameras don't prevent break-ins very well by LostCluster · · Score: 4, Insightful

    Seems like this is a solution for recording the every move a computer makes, so when it is hacked you can play back moment-by-moment what exactly happened.

    The only problem... by the time you realize it's time to look at the playback, the "virtual machine" is already 0wned. Useful for honeypots, but this isn't going to secure a production system... it's not a line of defense, it's a just a very detailed logging of what happened.

  7. Innovation in repeats by Anonymous Coward · · Score: 1, Interesting

    That's the first time i've ever seen a story on slashdot simultaneously sitting at the top of both the main story page and the "Older Stuff" box.

    Neat effect, that.

    1. Re:Innovation in repeats by American+AC+in+Paris · · Score: 4, Funny
      That's the first time i've ever seen a story on slashdot simultaneously sitting at the top of both the main story page and the "Older Stuff" box.

      Neat effect, that.

      The one under "Older Stuff" is actually a honeypost made by a virtual editor. It appears that it successfully fooled you into thinking that the post was a mistake!

      Editorial integrity through obfuscation works!

      --

      Obliteracy: Words with explosions

  8. Re:Real News by stratjakt · · Score: 1, Funny

    We hardly care about stuff like that in the tech industry. Not when there are buzzwords like "wifi" or "honeypot" to be bandied about.

    --
    I don't need no instructions to know how to rock!!!!
  9. UMLinux by dki · · Score: 5, Interesting

    The virtual machine that ReVirt and its predecessor are built on is called UMLinux. I used it for a school project that analyzed a virtual kernel that had been minimized to achieve improved performance. The current incarnation of UMLinux, now called FAUmachine, is available from the FAUmachine project site.

  10. Re:honeypots by Anonymous Coward · · Score: 0

    I think they're talking about a hairless honeypot.

  11. Re:Security cameras don't prevent break-ins very w by Chris_Stankowitz · · Score: 3, Insightful

    There is some validity to your point. However you underime this project and all honey pots/nets when you say they are not a line of defense. They provide very valuable information that then goes into that line. Not to mention if you have a Decoy (one configured exaclty as the real and thought to be secure, except it has no valuable data) honey machine that gets hacked before your production one is. You now know how to prevent the intrider from attacking the real machine.

  12. Not quiet by botzi · · Score: 4, Informative
    Actually your question does make some sense, but isn't completely right.
    The JVM itself is not as secure as its architects would like it to be. When you program for the JVM, you're supposed to use a Java compiler, and actually a lot of the safeguard features come from the compilation process and the specification of the Java language.
    However, in the doc it is stated that the JVM may interpret *every* valid .class file, and although the .class files has a lot of restrictions, it's still possible to write dangerous code.
    Anyway, this VM guys have an interesting idea...

    PS: I'm currently working on a JVM assembler(nothing to take from Jasmin, but the inspiration), that'll have no practical use, of course, but I still hope that there're some people that'll find it interesting......

    --
    1. No sig. 2. ???? 3. Profit!!!
    1. Re:Not quiet by AKAImBatman · · Score: 4, Informative

      Another assembler for Java? How quaint. Seriously, the JVM is one of the most secure VMs in existance. It is also rather pragmatic. The default is to leave the door open for programs, but allow them to install security managers at any level in order to lock down code in the VM. Don't want code to use reflection? Bam! Security manager's got it locked down. Both Applets and Java Web Start include security managers by default to prevent malicious code. The *only* examples of true VM exploits are via Microsoft's VM. That thing has holes so large you can drive the U.S.S. Enterprise (CV-65, not CV-6) through them. Of course, that isn't actually Sun's fault, that's because Microsoft *likes* to punch security holes in the name of "ease of use". Don't even get me started on ActiveX.

      --
      Javascript + Nintendo DSi = DSiCade
    2. Re:Not quiet by rreyelts · · Score: 5, Interesting

      If I had mod points, I would mod this down -1 Misinformed.

      When the JVM loads a class, it performs a process called verification which ensures that the class file is structurally sound. You can't, for example, push an integer onto the stack, then try to pull it off as an object reference. http://java.sun.com/docs/books/vmspec/2nd-edition/ html/ConstantPool.doc.html#71817

      Sure, it's possible to generate a class file with invalid, 'dangerous' byte code by using a Java assembler, but it won't pass the mandatory verification stage of the virtual machine. As an example, I've written a program which dynamically modifies the bytecode of existing Java classes using BCEL (http://jakarta.apache.org/bcel/index.html). When I made mistakes that generated subtlely invalid bytecode, the classes would fail the VM's verification stage and not load. BCEL includes its own verifier (Justice), to help you ensure your generating valid bytecode during development.

    3. Re:Not quiet by botzi · · Score: 1
      When the JVM loads a class, it performs a process called verification which ensures that the class file is structurally sound.

      1. The class loader isn't in any case an absolute defence. If I recall correctly there're a number of possible attacks to the calss loader, and new ones are still being discovered..... I can't find the link for the moment, but I'm I've found somewhere a working class spoofing example(Jasmin & Java)... If I do find it. I'll post it here.
      2. There're and always will be problems with "(un)trusted" native methods.(even if that's out of scope of my previous post).

      When I made mistakes that generated subtlely invalid bytecode, the classes would fail the VM's verification stage and not load.

      It's normal for invalid bytecode to fail executing. That was not my point when I said dangerous.

      existing Java classes using BCEL
      I would realy like to hear from you how did you found the BCEL package???? I was considering building all my work on it, but finally droped this idea, and now it starts looking more and more that this was somehow a bad decision.

      --
      1. No sig. 2. ???? 3. Profit!!!
    4. Re:Not quiet by Dan-DAFC · · Score: 2, Insightful

      Sure, it's possible to generate a class file with invalid, 'dangerous' byte code by using a Java assembler, but it won't pass the mandatory verification stage of the virtual machine.

      Unless you turn the verifier off.

      --
      Suck figs.
    5. Re:Not quiet by Anonymous Coward · · Score: 0

      Maybe your fan is broken? I find that to often be the case when a computer is not quiet enough.

    6. Re:Not quiet by rreyelts · · Score: 2, Interesting

      1. If you can name a single attack that works against the classloader I'd like to see it. Spoofing is a very old suggested research attack, that was immediately fixed by Sun changing the classloader model so that classes are distinguished by the classloader in which they were loaded.

      2. Yes, native methods have nothing to do with JVM security related to invalid bytecode.

      3. Your point was that somehow crafting bytecode could break the VM security. My point was that that's impossible as the bytecode is verified before it is executed.

      4. I honestly don't remember how I came across BCEL - I knew of it, though, back when it was called JavaClass.

    7. Re:Not quiet by rreyelts · · Score: 0

      I was going to say that this is the equivalent to saying, "unless you run as root", but it's even worse than that. In practice, many people do run as root, while nobody ever turns the verifier off on their virtual machine. There is just no advantage.

    8. Re:Not quiet by AKAImBatman · · Score: 2, Insightful

      > 2. Yes, native methods have nothing to do with JVM
      > security related to invalid bytecode.

      Just to back up what Toby's saying here, native access is controlled by the secutity manager attached to the classloader. If the classloader doesn't allow it, there can be no native code. An example of this is Applets which implicitly prevent DLLs from being loaded.

      > 4. I honestly don't remember how I came across
      > BCEL - I knew of it, though, back when it was
      > called JavaClass.

      IIRC, it was one of the few successful projects produced by the Java Operating System project.

      --
      Javascript + Nintendo DSi = DSiCade
    9. Re:Not quiet by eckes · · Score: 2, Informative

      JavaVMs had exploits in the past, so I do not see ground for your claim that they are the most safe VMs. I know simulations of turing engines which are far more secure and less exploitable.

      Remember Brown Orifice in netscape VMs?

      Some more: http://www.securitytracker.com/archives/target/130 1.html

  13. Re:Security cameras don't prevent break-ins very w by Anonymous Coward · · Score: 1, Interesting

    I would have a virtual machine hosting another virtual virtual machine. If the virtual virtual machine gets owned, the real virtual machine will log on.

  14. Too much overhead by emo+boy · · Score: 5, Insightful

    "We believe that even an overhead of 58% is not prohibitive for sites that value security."
    I really wonder if 58% overhead is worth it. It seems to me this is still a little massive for this kind of thing. ReVirt and VMWare both do a good job of keeping the overhead down but I think there will have to be innovations in areas other than virtual machines for this kind of thing.

    --
    ___ Shout Central - Crushes your nuts!
    1. Re:Too much overhead by poot_rootbeer · · Score: 4, Insightful

      I really wonder if 58% overhead is worth it.

      If your systems are crucial enough to justify a 58% overhead, you'll know it.

  15. virtual pc on a mac by double_plus_ungod · · Score: 1

    hypothetically...

    if i ran virtual pc on my mac and used outlook--i could still be compromised by bugbear... and that's secure?

    is this what they're trying to do? or am i on the wrong track?

    --

    ----
    http://www.hellection.com
    1. Re:virtual pc on a mac by El+Pollo+Loco · · Score: 4, Interesting

      What they're trying to do, as far as I understand, is put a shell around what's gonna be comprimised. In your example, it would be virtual pc. If outlook gets comprimised, you can shut down virtual pc and it's all good. But in reality, it's not that easy, because virtual pc isn't designed for that. They've designed a different kind, one that's supposed to be secure, and one that even acts on a differnt layer then the OS. Then they added tracking abilitys, etc.

    2. Re:virtual pc on a mac by LostCluster · · Score: 4, Insightful

      Right, you'd still be compromised.

      What this tool does is add a very detailed logging component to the VM software, so that when you're compromised, you have a much easier time figuring out what hit you.

      The problem with most current system logging tools is that they run on the system that they are logging, which means if the attacker gains root access they could kill the logging tool's process first, or tamper with the logs to erase their activities.

      By making the logging tool one in the same with the VM software, if the hacker kills the logging tool the machien they were trying to hack vaporizes. And, if they are able to obtain root on the virtual machine, they'd still need to obtain root on the host OS (which is intentionally a lightwieght OS to decrease the likelyhood of that ever happening) to clean their tracks.

    3. Re:virtual pc on a mac by DarkBlackFox · · Score: 3, Informative

      I think that's exactly what they are trying to do, but because of the outer layer (in your case, the mac, in their case, linux), they have some mechanism to examine the network traffic and produce a detailed log of the hack. While it wouldn't directly protect you from the hack, it would provide valuable information as to what exactly was hacked, such that it can be patched to prevent that method from affecting other systems. More or less a tattle-tail for network security than a buffed up security guard.

  16. Joel mentioned this the other day (sorta) by kworthington · · Score: 4, Interesting

    Joel Spolsky had a similar thought on Monday about using VMWare to run webservers in a virtual machine, and to always have similar virtual machines ready, in case the server is hacked etc. (See his June 2, 2003 entry)

    --
    Hosting: as low as $5.95/Mo
  17. Re:Security cameras don't prevent break-ins very w by blenderfish · · Score: 1

    Sure, but there's a lot of peace in mind in knowing nobody has rootkitted your production server, not to mention knowing the exact hole used to obtain access. Even better than sending your logs to a line printer ;)

    Also, I bet, if you're already going to the trouble of monitoring every branch your cpu takes, and all your vmkernel system calls, you could go the extra mile and proactively look for suspicious behavior (odd binaries being called, weird IP traffic, overwriting system files, etc.,) and trigger a silent alarm somewhere. Think 'proactive canary'.

    - Blenderfish

  18. Re:Security cameras don't prevent break-ins very w by DAQ42 · · Score: 5, Insightful

    Ah, but you seem to miss the advantages of a VM. If you can see exactly how you were compramised, you can then repeat the attack after going back and securing the vulnerability. Thus enabling you to have a fast and easy way to determine vulnerabilities in your code execution. Another great advantage of a virtual machine is that you can very simply and easily revert to a "clean" copy of your machine, before the attack, and have an effective downtime of 3 seconds (the time it takes to stop the VM, select the clean copy, and boot the VM again). So in a production enviornment, you have an added layer of redundancy.

    Take a database as an example. You have your tape backups, your transaction logs, etc. etc, but what if your registry (I'm talking people running MSSQL, but for other platform, think of what happens when someone crafts an improper looping arguement into an SQL write query, hosing your data structures) gets completely foobared. What do you do? Do you a) pull out the tape and have a whole bunch of downtime? Or do you just boot an older VM and apply the transaction logs to the database just before the point where everything went stupid? I think the VM would be a much faster recovery (if you consider that you are running a database that stores several hundred gigs of data, this makes more and more sense). Anyway. It's just a question of whether you feel you can implement and manage it.

    --
    Don't Ask Questions. I don't know the answers and even if I did I wouldn't tell you.
  19. For added security you might want a... by Anonymous Coward · · Score: 3, Funny

    VM within a VM. You know.. just in case attackers who can bend rules start popping up. Can attackers find out whether or not they're in a VM, or can that happen only after december?

    1. Re:For added security you might want a... by Anonymous Coward · · Score: 0

      or can that happen only after december?

      Or maybe you meant Early Novermber unless you know something I don't?

  20. Simple solution. by gilesjuk · · Score: 4, Funny

    Give hackers and virus authors virtual computers made of cardboard :)

  21. Murphy's Law by Anonymous Coward · · Score: 0

    If you run xxx OS within yyy OS within zzz OS, you WILL be hit at all three OS's at the same time.

    Let's see, I know if I run xxx OS it'll be compromised 50% of the time, let's improve security by running it within the yyy OS that is compromised 2% of the time to improve security.

  22. Mr. Anderson..... by DarkBlackFox · · Score: 5, Funny

    Smith: "Surprised to see me hack your box?"

    Neo: "No, but you must only realize the truth..."

    Smith: "What truth?"

    Neo: "There is no box" *Click*

    1. Re:Mr. Anderson..... by Anonymous Coward · · Score: 0

      Hahahaha

      Mod this baby up, +5!!!!

  23. This has been done before... by yorkrj · · Score: 5, Interesting

    But not in exactly the same manner:

    I am reminded of the book "The Cuckoo's Egg" where a system admin at a university tracks down a hacker using teletype machines to monitor the hacker's tracks. Highlights include the reading of reams of teletype hardcopies, and the creation of a honeypot: At one point the author types responses to the hacker, simulating the UNIX box. Wacky!

  24. IBM? by BrynM · · Score: 5, Interesting

    Isn't this how IBM has been running Linux on it's S390 mainframes? They can virtualize just about anything because of VM. I remember a disaster recovery simulation at IBM where we restored a copy of our MVS/S390 mainframe within their VM system from our backup tapes. For all intents and purposes, it was our mainframe running inside another OS, and the other OS (VM) logged all of our activity too. We even joked with the IBMers about being able to run VM within VM and MVS within that. This is not new technology, it's just new(ish) to the smaller architectures and a new implementation of the idea.

    --
    US Democracy:The best person for the job (among These pre-selected choices...)
    1. Re:IBM? by martyros · · Score: 1
      Did you restore a copy at some point (i.e., a checkpoint), or did you log all the input going into it, so that you could replay it, and generate exactly the same execution, race conditions and all?

      If you have a reference, I'm sure the covirt group would appreciate it, so we can learn from it / acknowledge prior work more completely. =) -George Dunlap (main ReVirt author)

      --

      TCP: Why the Internet is full of SYN.

    2. Re:IBM? by BrynM · · Score: 2, Interesting
      We did a checkpoint restore and ran some tests. Our customer support staff spent a few hours on the "system" remotely, but we couldn't justify the cost of continual testing so we planned to capture their activity. We then used the captured data from the tests to repeat the process for further testing. If I remember right (it was a few years ago), the IBM sys-programmers captured the data from the initial restore as well. For them, the second restore process was kicked off with a single command.

      Because it was an insurance company I worked for, I can't give too many details without violating my exit NDA. If you contact the IBM Disaster Recovery Center in Boulder, CO, I'm sure they would be happy to answer questions. Alternately, any good S390 systems consultant should be familiar with this type of process.

      --
      US Democracy:The best person for the job (among These pre-selected choices...)
    3. Re:IBM? by Anonymous Coward · · Score: 0

      basically all the mainframes now ship with a subset of virtual machine called LPARS ... within the microcode of the machine possible to partition lsome number of isolated virtual/logical machines (i.e. LPARS ... Logical PARtionS). The big difference between LPARS and the mainframe virtual machine operating system is that LPARS dedicate real storage .... while virtual machine operating system can page. They both take advantage of various microcode features for accelerating virtual machine thruput.

  25. Virtual machines for security by Anonymous Coward · · Score: 2, Insightful

    the more things change, the more they stay the same. virtual machines were used extensively in the '60s and '70s at time-sharing service (both service bureaus and various kinds of institutional in-house) operations .... in part because of the paradigm's isolation capability

    in the early '70s had an operation that had the most sensitive of a large corporation financial & business operations being run on the same online computer that also had significant number of BU and MIT students.

  26. Easy to hack by Anonymous Coward · · Score: 0

    Flip the lightswitch ON and OFF repeatidly :D

  27. Re:Security cameras don't prevent break-ins very w by Anonymous Coward · · Score: 0

    that's not really how a vm would work.

    unless you have a couple spare disk arrays with hundreds of gigs of free space, you can't just "boot a clean VM" and be back were you were before.

    and if you have hundreds of gig free, why not just copy the backup in place and go?

    this virtual machine stuff doesn't help here it just gets in the way

  28. I did something sort of like this once... by Anonvmous+Coward · · Score: 4, Informative

    Not entirely on topic, but I don't have anything really to add to this subject. Back in my Kazaa days, I was a little concerned about viruses etc getting me. So I set up a VM in VM-Ware and ran Kazaa on that. It did lag my computer considerably, but if Kazaa were to infect my machine, it would (in theory) be contained. Sadly, I didn't get infect with anything so I couldn't tell you how effective that was. I was kinda hoping it would be infected so I could analyze what happened. The funny result of this setup was that if you scanned my hard drive, you couldn't find any of the stuff I downloaded unless you fired up VM-Ware.

  29. Sandboxing by OrangeGoo · · Score: 3, Interesting

    Is this similar to the concept of sandboxing, in which a process is executed in a VM where it is isolated from the rest of the system while the OS outside watches to make sure nothing bad happens?

    I've read of this as a potential antivirus solution, but it sounds like a bit much overhead to me. It's still at least reasonably quick to do pattern scanning. Anyway, off topic... heheh :)

  30. Useful for debugging also? by Fastolfe · · Score: 2, Interesting

    This seems like it could be an interesting technique for debugging systems as a whole. Like when my Windows PC hangs randomly for 30 seconds, or does something quirky, it'd be nice if I (or preferably, Microsoft) can understand *why* so that the problem can be corrected. Bit rot sucks.

  31. Sandboxing computer viruses by Logopop · · Score: 5, Interesting

    Virtual PC environments, complete with IP networking and various common protocols are already being used to catch viral behaviour in software before signature files for a new virus are available. New, unknown viruses will actually spread and send mail from one virtual PC to another inside your PC. There's a paper about it here, which was presented at the Virus Bulletin conference last year:
    http://www.norman.com /documents/nvc5_sandbox_technology_2002.pdf
    The technology is available as part of a commercial AV product from this vendor.

  32. The problem with virtual machines. by cyt0plas · · Score: 3, Informative

    Virtual machines are inherantly insecure. Because the internal virtual address space is accessable externally, it can be modified, tampered with, or viewed at will. Regardless of the cryptography, the process can be slowed down, stepped through, and have any protections disabled, or even reversed.

    While it's a nice thought, it doesn't add too much in terms of security, a virtual machine compromised still allows access to the rest of the virtual machine. Raw harware access is not needed to wreak havoc.

    --
    Contact Me (got tired of viruses emailing me).
    1. Re:The problem with virtual machines. by hughk · · Score: 2, Insightful
      It really depends on how the VM is configured. If it is correctly setup then there is remarkably little that can be done. If you remember the so-called' "Orange" book standards for computer security, the only implementations for the highest level were virtual machines running under control of security refence monitor which had been extensively checked and tested.

      The clever bit is keeping the code that needs verification relatively small, which is why I believe Microsoft will fail with Palladium. Knowing them, the trusted base will be too large to thoroughly check.

      --
      See my journal, I write things there
    2. Re:The problem with virtual machines. by multi+io · · Score: 2, Informative
      Because the internal virtual address space is accessable externally, it can be modified, tampered with, or viewed at will.

      You can modify, view, and tamper with native assembly code as well. I don't know what you mean by "accessable externally". The virtual address space of a server application running on a virtual machine most definitively isn't accessible automatically to the clients.

      I don't see how additional possibilities in the hands of *the server's administrator* could weaken security.

      The additional software layer in virtual machines enables you to easily impose all kinds of restrictions like very fine-grained access control etc. on the running code.

      Imagine you have written a server application running as root. The application reads "untrusted" configuration files written by less privileged users. You want to make those configuration files as powerful and flexible as possible. So you might want to define a turing-complete configuration language for use in those files. The "easiest" solution would be to allow arbitrary shared libraries containing assembly code to be used as configuration files. Of course, this solution throws all security measures out of the window. So, in order to still retain a decent level of security in this situation, you have to settle on a software layer of some sort in your server, which reads and executes the the configuration files written by the users on their behalf, applying all necessary security checks on the fly. Voila - you have written a virtual machine.

      (in fact, scripting languages like Perl and Ruby have special "tainted modes" to facilitate such uses)

    3. Re:The problem with virtual machines. by cyt0plas · · Score: 1

      By accessable, I am referring to the outside (host) environment. It may work as a nice way of controlling external connections; however, it will not work when the entire environment is accessable (in other words, it makes a nice server, but a bad palladium replacement).

      --
      Contact Me (got tired of viruses emailing me).
    4. Re:The problem with virtual machines. by cyt0plas · · Score: 1

      Or, they could do something dumb like allocate a 256 character buffer, then actually let 256 characters be entered in (null termination assumed here). And, since it would be digitally signed (to prevent tampering, of course), changing it would break all the apps. It would be rather appropriate to exploit the palladium "secure" subsystem by using palladium itself to load arbitrary code to the secure area.

      --
      Contact Me (got tired of viruses emailing me).
    5. Re:The problem with virtual machines. by hughk · · Score: 1
      Exactly, you have to be very careful as to how the software can be protected. Secure hardware makes it easier (non-executable stack and separate I and D spaces) but that isn't always possible (however Linux can ron on an x86 with non-exeutable stack).

      The real key is designing so as small a part as possible of the system must be secured and then hand checking and testing of the critical code. MS isn't really good at either of these.

      --
      See my journal, I write things there
  33. article text by Anonymous Coward · · Score: 2, Funny

    The CoVirt Project
    The CoVirt project is investigating how to use virtual machines to provide security in an operating-system-independent manner. Virtual-machine security services can work even if an attacker gains complete control over the guest operating system.

    One hard part of designing virtual-machine security services is the semantic gap between the virtual machine and those services. Services in the virtual machine operate below the abstractions provided by the guest operating system and applications. This can make it difficult to provide services. For example, it is difficult to provide a service that checks file system integrity without knowledge of on-disk structures.

    Another potential challenge of using virtual machines is that running all applications above the virtual machine hurts performance due to virtualization overhead. Commercial virtual machine monitors such as VMware achieve excellent performance by executing (mostly) directly on the bare hardware. However, we would like to use a virtual-machine monitor that runs as a user-mode application on top of a host operating system (so-called Type II VMM), and these tend to be an order of magnitude slower than a standalone system. We modified a host OS (Linux) to enable it to better support a virtual-machine monitor. The resulting virtual-machine monitor and modified guest OS (based on UMLinux) runs even kernel-intensive applications at about 14-35% overhead. See our USENIX paper for details.

    We have designed and implemented a replay service for virtual machines called ReVirt. ReVirt logs enough information to replay a long-term execution of a virtual machine instruction-by-instruction. This enables it to provide arbitrarily detailed observations about what transpired on the system, even in the presence of non-deterministic attacks and executions.

    We designed and implemented a system called BackTracker that will help system administrators understand (and thereby recover from) an intrusion. BackTracker automatically identifies potential sequences of steps that occurred in an intrusion. Starting with a single detection point (e.g. a suspicious file), BackTracker identifies files and processes that could have affected that detection point and displays chains of events in a dependency graph.

    Here is an example of BackTracker's output for an attack against a machine that we set up as a honeypot. It shows an attacker gaining access through httpd, downloading a tar archive using wget, then installing a set of files using tar and gzip. The attacker then ran the program openssl-too, which read the configuration files that were unpacked. We detected the intrusion when the openssl-too process began scanning other machines on our network for vulnerable ports.

    Project members
    Papers
    Presentations
    Project Sponsors
    Source Code

  34. Re:about slashdot, and RTFA *article text* by Anonymous Coward · · Score: 0

    For all you lazy people who are only reading the article cause it's copied here... don't forget to click the links!

  35. Of course they do by freeweed · · Score: 1

    Security cameras may not prevent a *specific* break-in, but information gained from that break-in can help to further secure a location. How did the burglar get in, how did she bypass our security mechanisms, etc. Same goes for honeypots and computer networks.

    Saying "security cameras don't prevent break-ins very well" is kind of like saying "crash investigations don't prevent accidents". On a single event, you're right. But that's not the point at all.

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  36. Just for security? by timeOday · · Score: 4, Interesting

    If I understand this correctly, this virtual machine provides logging so you can "rewind" to any previous state. That would be invaluable in debugging during software development! Sure it would be good for finding security flaws, but equally good for squashing many other kinds of bugs. Perfect for anybody who ever loaded up a core file and though "how did THAT value get in there?"

    1. Re:Just for security? by Anonymous Coward · · Score: 0

      One word: Vexmon.

      Think of it a bit like the illicit lovechild between Softice and VMware. Fully decoupled virtual machines with extremely sophisticated history, state, monitoring and debugging capabilities.

      Literally the number one reversing and cracking tool, excepting maybe the human brain... you ain't never seen an "unbreakable" protection fall so fast. Hell, feed it the right keys (and apparently there is a way to get them) and the latest version can emulate a TCPA-compliant box. That might be why the crackers are keepin' it to themselves for now...

  37. There is another interisting option... by Anonymous Coward · · Score: 0

    Our framework contains a bytecode interpreter written in Java.
    It allows you to execute specially marked methods or classes under complete control including the execution of every opcode.
    I think using such approach you can implement additional security mechanisms other then the standard JVM.

  38. Re:Security cameras don't prevent break-ins very w by martyros · · Score: 1
    Here's the problem we're trying to address. Say someone breaks into your system. At some time later you notice something strange, follow it up, and find that you've been hacked. You don't know:
    • How they broke in (what the exploit was)
    • When they broke in
    • What they saw (if they d/l'd any sensitive data: credit cards, company information, whatever), or
    • What they changed (if they installed any backdoors, trojaned binaries, etc).
    Current techniques require a lot of time, a lot of expertise, a lot of Sherlock-holmes style educted guessing, and in the end you may just not know the answer. Apply some patches, restore from backup, hope you fixed the hole and didn't miss any trojans.

    With our system, you will be able to go back and find out all of these things with complete confidence and accuracy (once we have the proper analysis tools in place, that is).

    That's what a security camera is good for. =)

    --

    TCP: Why the Internet is full of SYN.

  39. Re:Security cameras don't prevent break-ins very w by zogger · · Score: 1

    that seems to be it. It's like guard dogs, they give a warning, and also if the bad guys are armed, serve as expendable bullet magnets.

  40. Doing this for software security / anti-hacking by jonathanclark · · Score: 3, Interesting

    A slightly different idea for using VMs to enhance security....

    Over the last few years, I've been developing a "thin" virtual machine that runs in user-mode. The purpose of this is to allow software to be deployed in a pre-installed state, rather than having to install a bunch of file, make registry changes, etc - just distribute a single EXE that can run directly from CDROM or a download link.

    Besides simplfying the installation process and prevent conflicts with other packages (DLL Hell, etc). This method of software distribution also helps protect intellectual property - for example if you use the Macromedia Flash ActiveX component - not only can your application create object instances without having to register it in the system registry - but the macromedia code automatically goes through the virtual machine to read compress/encrypted files included in the archive.

    The virtual machine only takes up about 100k on disk and 500-1MB in RAM and runs on top of any version of Windows (no linux, sorry) without drivers or reboots.

    Check it out:
    http://thinstall.com/help

    Jonathan Clark

    --
    -- Virtual Windows Project
    1. Re:Doing this for software security / anti-hacking by Anonymous Coward · · Score: 0

      To heck with security... We need this just for configuration management. The environment I work in is huge, with a large number of people changing a large number of files in ways that are not always directly trackable. I would love, as a system architect, to be able to see the changes made during the course of a day on a given system, so that I could apply the same changes across all the machines in our environment if they were needed, or even to back-out poor changes. No one makes tools to do this over a distributed environment. The more of a tool base that we have that can track changes, the better the future will be.

  41. Re:That can happen by makapuf · · Score: 2, Funny

    you just need to choose the right pill ...

  42. This reminded me of an older Symantec patent by Anonymous Coward · · Score: 1, Interesting

    US Patent 6,067,410
    In 2000 Symantec proposed that a virus should be evaluated on a virtual machine in order to avoid any damage to the real machine. The patent also describes a virus identification, removal, and state restoration method. Is the proposed method infringing on their patent?

    1. Re:This reminded me of an older Symantec patent by jrum · · Score: 1

      Actually there is a difference. The patent is very specific to viruses. It is essentialy about simulating downloaded file operation not about an entire virtual machine. SYMC protects the machine from viruses not hacks. Similar concept, different focus.

  43. Re:Mr. Anderson..... (spoiler) by FauxPasIII · · Score: 1

    -nod- In fact, the last couple scenes in Reloaded make it seem like The Matrix is based upon just this kind of layered VM model... the world where Zion exists is a simulation running on bare metal (or is it ?), inside of which there is a virtual machine running The Matrix... and everytime The One owns it, they just roll it back and start over.

    --
    25% Funny, 25% Insightful, 25% Informative, 25% Troll