Virtual Machines for Security
k-hell writes "Researchers from the University of Michigan are using virtual machines 'to provide security in an operating-system-independent manner.' They have designed and implemented a replay service for virtual machines called ReVirt, which 'logs enough information to replay a long-term execution of a virtual machine instruction-by-instruction.' A system called BackTracker 'automatically identifies potential sequences of steps that occurred in an intrusion,' and they provide a nice example of BackTracker's output for an attack against a machine that they set up as a honeypot, where an attacker gained access through httpd. Here's the source code."
See an attack and have it try the same one right afterwards on the source IP. Oh wait - that's probably a box they hacked first. d'oh!
SCO thought of it first!
There is no god
We hardly care about stuff like that in the tech industry. Not when there are buzzwords like "wifi" or "honeypot" to be bandied about.
I don't need no instructions to know how to rock!!!!
Neat effect, that.
The one under "Older Stuff" is actually a honeypost made by a virtual editor. It appears that it successfully fooled you into thinking that the post was a mistake!
Editorial integrity through obfuscation works!
Obliteracy: Words with explosions
VM within a VM. You know... just in case attackers who can bend rules start popping up. Can attackers find out whether or not they're in a VM, or can that happen only after December?
Give hackers and virus authors virtual computers made of cardboard :)
Smith: "Surprised to see me hack your box?"
Neo: "No, but you must only realize the truth..."
Smith: "What truth?"
Neo: "There is no box" *Click*
The CoVirt Project
The CoVirt project is investigating how to use virtual machines to provide security in an operating-system-independent manner. Virtual-machine security services can work even if an attacker gains complete control over the guest operating system.
One hard part of designing virtual-machine security services is the semantic gap between the virtual machine and those services. Services in the virtual machine operate below the abstractions provided by the guest operating system and applications. This can make it difficult to provide services. For example, it is difficult to provide a service that checks file system integrity without knowledge of on-disk structures.
Another potential challenge of using virtual machines is that running all applications above the virtual machine hurts performance due to virtualization overhead. Commercial virtual machine monitors such as VMware achieve excellent performance by executing (mostly) directly on the bare hardware. However, we would like to use a virtual-machine monitor that runs as a user-mode application on top of a host operating system (a so-called Type II VMM), and these tend to be an order of magnitude slower than a standalone system. We modified a host OS (Linux) to enable it to better support a virtual-machine monitor. The resulting virtual-machine monitor and modified guest OS (based on UMLinux) run even kernel-intensive applications at about 14-35% overhead. See our USENIX paper for details.
We have designed and implemented a replay service for virtual machines called ReVirt. ReVirt logs enough information to replay a long-term execution of a virtual machine instruction-by-instruction. This enables it to provide arbitrarily detailed observations about what transpired on the system, even in the presence of non-deterministic attacks and executions.
We designed and implemented a system called BackTracker that will help system administrators understand (and thereby recover from) an intrusion. BackTracker automatically identifies potential sequences of steps that occurred in an intrusion. Starting with a single detection point (e.g. a suspicious file), BackTracker identifies files and processes that could have affected that detection point and displays chains of events in a dependency graph.
Here is an example of BackTracker's output for an attack against a machine that we set up as a honeypot. It shows an attacker gaining access through httpd, downloading a tar archive using wget, then installing a set of files using tar and gzip. The attacker then ran the program openssl-too, which read the configuration files that were unpacked. We detected the intrusion when the openssl-too process began scanning other machines on our network for vulnerable ports.
you just need to choose the right pill ...