Slashdot Mirror


Virtual Machines for Security

k-hell writes "Researchers from the University of Michigan are using virtual machines to 'to provide security in an operating-system-independent manner.' They have designed and implemented a replay service for virtual machines called ReVirt, which 'logs enough information to replay a long-term execution of a virtual machine instruction-by-instruction.' A system called BackTracker 'automatically identifies potential sequences of steps that occurred in an intrusion,' and they provide a nice example of BackTracker's output for an attack against a machine that they set up as a honeypot, where an attacker gained access through httpd. Here's the source code."
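As an added illustration of the dependency backtracking the summary attributes to BackTracker (this is not code from the ReVirt/BackTracker project), the block below walks a constructed, simplified OS event log backward from a detection point to recover the chain of processes and files that led to it; every object name and timestamp is made up.

```python
from collections import namedtuple

# Constructed event log (not from the paper): each event records that at
# time t, information flowed from `source` into `sink` via operation `kind`.
Event = namedtuple("Event", "t source sink kind")

LOG = [
    Event(10, "sock:203.0.113.5", "proc:httpd", "recv"),           # request arrives
    Event(11, "proc:cron", "file:/var/log/cron", "write"),         # unrelated noise
    Event(12, "proc:httpd", "proc:sh", "fork"),                    # httpd spawns a shell
    Event(14, "proc:sh", "file:/tmp/payload", "write"),
    Event(15, "file:/tmp/payload", "proc:payload", "exec"),
    Event(20, "proc:payload", "file:/etc/passwd", "write"),        # detection point
    Event(25, "proc:syslogd", "file:/var/log/messages", "write"),  # later noise
    Event(30, "proc:payload", "file:/tmp/other", "write"),         # after detection
]


def backtrack(log, obj, t):
    """BackTracker-style backward traversal.

    Starting from the detection point (obj, t), return the events that could
    have influenced obj, oldest first. An event is relevant only if its sink
    is an object already on the path and it happened no later than the time
    that object was known to be affected; the bound tightens as we walk back.
    """
    found, worklist, seen = set(), [(obj, t)], set()
    while worklist:
        sink, bound = worklist.pop()
        if (sink, bound) in seen:
            continue
        seen.add((sink, bound))
        for ev in log:
            if ev.sink == sink and ev.t <= bound:
                found.add(ev)
                worklist.append((ev.source, ev.t))
    return sorted(found)


def steps(log, obj, t):
    """Render the recovered chain as human-readable intrusion steps."""
    return [f"t={e.t}: {e.source} --{e.kind}--> {e.sink}" for e in backtrack(log, obj, t)]


if __name__ == "__main__":
    for line in steps(LOG, "file:/etc/passwd", 20):
        print(line)
```

The noise events (cron, syslogd) and anything after the detection time are excluded because no dependency path connects them to the modified file.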


  1. Hmm.. by Loki_1929 · · Score: 3, Interesting

    Using a Virtual Machine as a honeypot? Why didn't I think of that? ;)

    --
    -- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
    1. Re:Hmm.. by Zathrus · · Score: 5, Interesting

      Heh... but what's being discussed here seems somewhat different.

      You asked about setting up a honeypot via VM. A pretty good way to go about things.

      This takes it one step further - not only is the honeypot (or even honeynet) in a VM, there's an outer layer that's "watching" the VM(s) and recording the activity. That's really, really good. If you could actually lure some serious attacks to the honeypot then you'd have much more accurate records of what occurred. And, obviously, the observer is supposed to be invisible and undetectable.

      Of course, there's the issue of actually getting real attacks in the first place, instead of just a legion of script kiddies. But that's another ball of wax.

  2. but.... by HowlinMad · · Score: 4, Interesting

    what if the virtual machine is not secure?

    1. Re:but.... by Monkey-Man2000 · · Score: 3, Interesting

      But then couldn't they prove a real machine is logically secure? Just the implementation may not be. It seems that the implementation is the thing that practically matters in both cases.

      --
      This post was generated by a Cadre of Uber Monkeys for Monkey-Man2000 (603495).
    2. Re:but.... by Beryllium+Sphere(tm) · · Score: 4, Interesting

      Do you mean, what if the virtual machine has a bug that breaks virtualization and allows an attacker to 0wn the real hardware?

      That can happen. There was folklore about ways to break IBM's VM/CMS, for example.

    3. Re:but.... by martyros · · Score: 3, Interesting
      I'm George Dunlap, the main author on the ReVirt paper. So, IIAP/R (programmer/researcher). =)

      There is no way to know if there is a bug in the VM, just as there's no way to know if there's a bug in the operating system. BUT, the virtual machine monitor, which controls the VM, is a *lot* smaller piece of software than a kernel, with a much simpler interface to provide. Therefore, the hope is that there's less of a chance of an exploitable bug in the VM, than in an operating system.

      --

      TCP: Why the Internet is full of SYN.

  3. Operating System Independence? by kevin_conaway · · Score: 4, Interesting

    They seem to make a big point that they want OS independence for their system, but they built it using User Mode Linux. How will this be OS independent?

    1. Re:Operating System Independence? by martyros · · Score: 2, Interesting
      We'd gladly use VMWare, if they'd just GPL the source code. =)

      Unfortunately, since that's not likely to happen, Plex86 isn't in good shape, and we didn't want to write our own full-fledged VM, we used UMLinux for a prototype and proof-of-concept that the ReVirt idea could work. Maybe someday VMWare or someone else will pick it up.

      BTW, we do use UMLinux (now FAUmachine, I think), but we're looking into porting it to Jeff Dike's User-Mode-Linux soon.

      --

      TCP: Why the Internet is full of SYN.

  4. Innovation in repeats by Anonymous Coward · · Score: 1, Interesting

    That's the first time I've ever seen a story on slashdot simultaneously sitting at the top of both the main story page and the "Older Stuff" box.

    Neat effect, that.

  5. UMLinux by dki · · Score: 5, Interesting

    The virtual machine that ReVirt and its predecessor are built on is called UMLinux. I used it for a school project that analyzed a virtual kernel that had been minimized to achieve improved performance. The current incarnation of UMLinux, now called FAUmachine, is available from the FAUmachine project site.

  6. Re:Security cameras don't prevent break-ins very w by Anonymous Coward · · Score: 1, Interesting

    I would have a virtual machine hosting another virtual virtual machine. If the virtual virtual machine gets owned, the real virtual machine will log on.

  7. Joel mentioned this the other day (sorta) by kworthington · · Score: 4, Interesting

    Joel Spolsky had a similar thought on Monday about using VMWare to run webservers in a virtual machine, and to always have similar virtual machines ready, in case the server is hacked etc. (See his June 2, 2003 entry)

  8. Re:virtual pc on a mac by El+Pollo+Loco · · Score: 4, Interesting

    What they're trying to do, as far as I understand, is put a shell around what's gonna be compromised. In your example, it would be virtual pc. If outlook gets compromised, you can shut down virtual pc and it's all good. But in reality, it's not that easy, because virtual pc isn't designed for that. They've designed a different kind, one that's supposed to be secure, and one that even acts on a different layer than the OS. Then they added tracking abilities, etc.

  9. This has been done before... by yorkrj · · Score: 5, Interesting

    But not in exactly the same manner:

    I am reminded of the book "The Cuckoo's Egg" where a system admin at a university tracks down a hacker using teletype machines to monitor the hacker's tracks. Highlights include the reading of reams of teletype hardcopies, and the creation of a honeypot: At one point the author types responses to the hacker, simulating the UNIX box. Wacky!

  10. IBM? by BrynM · · Score: 5, Interesting

    Isn't this how IBM has been running Linux on its S390 mainframes? They can virtualize just about anything because of VM. I remember a disaster recovery simulation at IBM where we restored a copy of our MVS/S390 mainframe within their VM system from our backup tapes. For all intents and purposes, it was our mainframe running inside another OS, and the other OS (VM) logged all of our activity too. We even joked with the IBMers about being able to run VM within VM and MVS within that. This is not new technology, it's just new(ish) to the smaller architectures and a new implementation of the idea.

    --
    US Democracy: The best person for the job (among These pre-selected choices...)
    1. Re:IBM? by BrynM · · Score: 2, Interesting
      We did a checkpoint restore and ran some tests. Our customer support staff spent a few hours on the "system" remotely, but we couldn't justify the cost of continual testing so we planned to capture their activity. We then used the captured data from the tests to repeat the process for further testing. If I remember right (it was a few years ago), the IBM sys-programmers captured the data from the initial restore as well. For them, the second restore process was kicked off with a single command.

      Because it was an insurance company I worked for, I can't give too many details without violating my exit NDA. If you contact the IBM Disaster Recovery Center in Boulder, CO, I'm sure they would be happy to answer questions. Alternately, any good S390 systems consultant should be familiar with this type of process.

      --
      US Democracy: The best person for the job (among These pre-selected choices...)
  11. Sandboxing by OrangeGoo · · Score: 3, Interesting

    Is this similar to the concept of sandboxing, in which a process is executed in a VM where it is isolated from the rest of the system while the OS outside watches to make sure nothing bad happens?

    I've read of this as a potential antivirus solution, but it sounds like a bit much overhead to me. It's still at least reasonably quick to do pattern scanning. Anyway, off topic... heheh :)

  12. Re:Not quiet by rreyelts · · Score: 5, Interesting

    If I had mod points, I would mod this down -1 Misinformed.

    When the JVM loads a class, it performs a process called verification which ensures that the class file is structurally sound. You can't, for example, push an integer onto the stack, then try to pull it off as an object reference. http://java.sun.com/docs/books/vmspec/2nd-edition/html/ConstantPool.doc.html#71817

    Sure, it's possible to generate a class file with invalid, 'dangerous' byte code by using a Java assembler, but it won't pass the mandatory verification stage of the virtual machine. As an example, I've written a program which dynamically modifies the bytecode of existing Java classes using BCEL (http://jakarta.apache.org/bcel/index.html). When I made mistakes that generated subtly invalid bytecode, the classes would fail the VM's verification stage and not load. BCEL includes its own verifier (Justice), to help you ensure you're generating valid bytecode during development.

  13. Useful for debugging also? by Fastolfe · · Score: 2, Interesting

    This seems like it could be an interesting technique for debugging systems as a whole. Like when my Windows PC hangs randomly for 30 seconds, or does something quirky, it'd be nice if I (or preferably, Microsoft) can understand *why* so that the problem can be corrected. Bit rot sucks.

  14. Sandboxing computer viruses by Logopop · · Score: 5, Interesting

    Virtual PC environments, complete with IP networking and various common protocols are already being used to catch viral behaviour in software before signature files for a new virus are available. New, unknown viruses will actually spread and send mail from one virtual PC to another inside your PC. There's a paper about it here, which was presented at the Virus Bulletin conference last year:
    http://www.norman.com/documents/nvc5_sandbox_technology_2002.pdf
    The technology is available as part of a commercial AV product from this vendor.

  15. Just for security? by timeOday · · Score: 4, Interesting

    If I understand this correctly, this virtual machine provides logging so you can "rewind" to any previous state. That would be invaluable in debugging during software development! Sure it would be good for finding security flaws, but equally good for squashing many other kinds of bugs. Perfect for anybody who ever loaded up a core file and thought "how did THAT value get in there?"

  16. Re:Not quiet by rreyelts · · Score: 2, Interesting

    1. If you can name a single attack that works against the classloader I'd like to see it. Spoofing is a very old suggested research attack, that was immediately fixed by Sun changing the classloader model so that classes are distinguished by the classloader in which they were loaded.

    2. Yes, native methods have nothing to do with JVM security related to invalid bytecode.

    3. Your point was that somehow crafting bytecode could break the VM security. My point was that that's impossible as the bytecode is verified before it is executed.

    4. I honestly don't remember how I came across BCEL - I knew of it, though, back when it was called JavaClass.

  17. Doing this for software security / anti-hacking by jonathanclark · · Score: 3, Interesting

    A slightly different idea for using VMs to enhance security....

    Over the last few years, I've been developing a "thin" virtual machine that runs in user-mode. The purpose of this is to allow software to be deployed in a pre-installed state, rather than having to install a bunch of files, make registry changes, etc - just distribute a single EXE that can run directly from CDROM or a download link.

    Besides simplifying the installation process and preventing conflicts with other packages (DLL Hell, etc.), this method of software distribution also helps protect intellectual property - for example if you use the Macromedia Flash ActiveX component - not only can your application create object instances without having to register it in the system registry - but the macromedia code automatically goes through the virtual machine to read compressed/encrypted files included in the archive.

    The virtual machine only takes up about 100k on disk and 500-1MB in RAM and runs on top of any version of Windows (no linux, sorry) without drivers or reboots.

    Check it out:
    http://thinstall.com/help

    Jonathan Clark

  18. This reminded me of an older Symantec patent by Anonymous Coward · · Score: 1, Interesting

    US Patent 6,067,410
    In 2000 Symantec proposed that a virus should be evaluated on a virtual machine in order to avoid any damage to the real machine. The patent also describes a virus identification, removal, and state restoration method. Is the proposed method infringing on their patent?