Virtual Machines for Security
k-hell writes "Researchers from the University of Michigan are using virtual machines 'to provide security in an operating-system-independent manner.' They have designed and implemented a replay service for virtual machines called ReVirt, which 'logs enough information to replay a long-term execution of a virtual machine instruction-by-instruction.' A system called BackTracker 'automatically identifies potential sequences of steps that occurred in an intrusion,' and they provide a nice example of BackTracker's output for an attack against a machine that they set up as a honeypot, where an attacker gained access through httpd. Here's the source code."
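The BackTracker idea in the submission (walk backwards from a detected object through logged OS events to the steps that led to it), as an added example that is not the project's own code. The event log format, the object names and the sample events are all constructed for this illustration; the chain reported for the sample log is the httpd-to-shell-to-script path, while unrelated cron activity is left out because no flow from it reaches the detection point in time.

```python
"""Added example (not BackTracker's code): backward dependency tracking
from a detection point over a constructed OS-event log."""
from collections import defaultdict

# Constructed sample log: (time, source_object, event, target_object).
# Information may flow from source to target. Objects are labelled
# "proc:<name>" or "file:<path>"; every value here is invented.
SAMPLE_EVENTS = [
    (1, "proc:httpd", "fork", "proc:sh"),
    (2, "proc:sh", "write", "file:/tmp/dl.sh"),
    (3, "proc:sh", "fork", "proc:bash"),
    (4, "file:/tmp/dl.sh", "read", "proc:bash"),   # bash reads the script
    (5, "proc:bash", "write", "file:/etc/passwd"),  # the detection point
    (6, "proc:cron", "fork", "proc:logrotate"),     # unrelated activity
    (7, "proc:logrotate", "write", "file:/var/log/syslog"),
]


def backtrack(events, detection_object, detection_time):
    """Return the sorted events that could have influenced `detection_object`
    by `detection_time`. An object picked up through an event at time t is
    itself only explored for events at or before t (the time threshold)."""
    incoming = defaultdict(list)
    for ev in events:
        incoming[ev[3]].append(ev)

    worklist = [(detection_object, detection_time)]
    explored = {}      # object -> latest time bound already explored
    chain = set()
    while worklist:
        obj, limit = worklist.pop()
        if explored.get(obj, -1) >= limit:
            continue   # already explored with an equal or later bound
        explored[obj] = limit
        for ev in incoming[obj]:
            t, src, _kind, _dst = ev
            if t <= limit:
                chain.add(ev)
                worklist.append((src, t))
    return sorted(chain)


def entry_points(chain):
    """Objects in the chain that nothing in the chain flows into: the
    earliest steps, i.e. where the investigation should start."""
    sources = {ev[1] for ev in chain}
    targets = {ev[3] for ev in chain}
    return sorted(sources - targets)


if __name__ == "__main__":
    chain = backtrack(SAMPLE_EVENTS, "file:/etc/passwd", 5)
    for t, src, kind, dst in chain:
        print(f"t={t}: {src} --{kind}--> {dst}")
    print("entry points:", entry_points(chain))
```

Detection here is modelled as "file:/etc/passwd was modified at time 5"; the same function works for any object and time, so a detection of a suspicious process would simply start the walk from that process.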
what if the virtual machine is not secure?
They seem to make a big point that they want OS independence for their system, but they built it using User Mode Linux. How will this be OS independent?
Heh... but what's being discussed here seems somewhat different.
You asked about setting up a honeypot via VM. A pretty good way to go about things.
This takes it one step further - not only is the honeypot (or even honeynet) in a VM, there's an outer layer that's "watching" the VM(s) and recording the activity. That's really, really good. If you could actually lure some serious attacks to the honeypot then you'd have much more accurate records of what occurred. And, obviously, the observer is supposed to be invisible and undetectable.
Of course, there's the issue of actually getting real attacks in the first place, instead of just a legion of script kiddies. But that's another ball of wax.
The virtual machine that ReVirt and its predecessor are built on is called UMLinux. I used it for a school project that analyzed a virtual kernel that had been minimized to achieve improved performance. The current incarnation of UMLinux, now called FAUmachine, is available from the FAUmachine project site.
Joel Spolsky had a similar thought on Monday about using VMWare to run webservers in a virtual machine, and to always have similar virtual machines ready, in case the server is hacked etc. (See his June 2, 2003 entry)
What they're trying to do, as far as I understand, is put a shell around what's gonna be compromised. In your example, it would be Virtual PC. If Outlook gets compromised, you can shut down Virtual PC and it's all good. But in reality, it's not that easy, because Virtual PC isn't designed for that. They've designed a different kind, one that's supposed to be secure, and one that even acts on a different layer than the OS. Then they added tracking abilities, etc.
But not in exactly the same manner:
I am reminded of the book "The Cuckoo's Egg" where a system admin at a university tracks down a hacker using teletype machines to monitor the hacker's tracks. Highlights include the reading of reams of teletype hardcopies, and the creation of a honeypot: At one point the author types responses to the hacker, simulating the UNIX box. Wacky!
Isn't this how IBM has been running Linux on its S390 mainframes? They can virtualize just about anything because of VM. I remember a disaster recovery simulation at IBM where we restored a copy of our MVS/S390 mainframe within their VM system from our backup tapes. For all intents and purposes, it was our mainframe running inside another OS, and the other OS (VM) logged all of our activity too. We even joked with the IBMers about being able to run VM within VM and MVS within that. This is not new technology, it's just new(ish) to the smaller architectures and a new implementation of the idea.
If I had mod points, I would mod this down -1 Misinformed.
When the JVM loads a class, it performs a process called verification which ensures that the class file is structurally sound. You can't, for example, push an integer onto the stack, then try to pull it off as an object reference. http://java.sun.com/docs/books/vmspec/2nd-edition/html/ConstantPool.doc.html#71817
Sure, it's possible to generate a class file with invalid, 'dangerous' byte code by using a Java assembler, but it won't pass the mandatory verification stage of the virtual machine. As an example, I've written a program which dynamically modifies the bytecode of existing Java classes using BCEL (http://jakarta.apache.org/bcel/index.html). When I made mistakes that generated subtly invalid bytecode, the classes would fail the VM's verification stage and not load. BCEL includes its own verifier (Justice), to help you ensure you're generating valid bytecode during development.
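The check the comment above describes (an integer pushed, then popped as an object reference, is rejected before the code ever runs) as an added example, not code from the JVM specification or from BCEL. The mini instruction set, its mnemonics and the straight-line-only restriction are assumptions made for this illustration; the real verifier also handles branches, local variables and the merging of stack states at join points.

```python
"""Added example: a toy operand-stack type verifier for straight-line
bytecode, in the spirit of the JVM's class-load verification pass.
Opcodes are invented, loosely modelled on JVM mnemonics."""

# opcode -> (types popped, top of stack first; type pushed or None)
OPS = {
    "iconst":      ([], "int"),              # push an int constant
    "aconst_null": ([], "ref"),              # push a null reference
    "iadd":        (["int", "int"], "int"),  # add two ints
    "arraylength": (["ref"], "int"),         # needs a reference on top
    "pop":         (["any"], None),          # discard whatever is on top
    "ireturn":     (["int"], None),          # return an int
    "areturn":     (["ref"], None),          # return a reference
}
RETURNS = {"ireturn", "areturn"}


def verify(code, max_stack):
    """Abstractly execute `code`, tracking only the *types* on the operand
    stack. Returns (True, 'ok') if every instruction is type-safe and the
    stack never underflows or exceeds `max_stack`, else (False, reason)."""
    stack = []
    for pc, line in enumerate(code):
        op = line.split()[0]
        if op not in OPS:
            return False, f"pc {pc}: unknown opcode {op}"
        pops, push = OPS[op]
        if len(stack) < len(pops):
            return False, f"pc {pc}: {op} underflows the operand stack"
        for expected in pops:
            actual = stack.pop()
            if expected != "any" and actual != expected:
                return False, f"pc {pc}: {op} expects {expected} but found {actual}"
        if push is not None:
            stack.append(push)
            if len(stack) > max_stack:
                return False, f"pc {pc}: operand stack exceeds max_stack={max_stack}"
        if op in RETURNS:
            if pc != len(code) - 1:
                return False, f"pc {pc}: code after {op} is unreachable"
            return True, "ok"
    return False, "method falls off the end without returning"


if __name__ == "__main__":
    # The exact mistake the comment describes: an int popped as a reference.
    print(verify(["iconst 1", "areturn"], 1))
    print(verify(["iconst 1", "iconst 2", "iadd", "ireturn"], 2))
```

Because the verifier reasons about types rather than values, it rejects a bad class file once, at load time, instead of trusting every execution of the method to stay within bounds.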
Virtual PC environments, complete with IP networking and various common protocols, are already being used to catch viral behaviour in software before signature files for a new virus are available. New, unknown viruses will actually spread and send mail from one virtual PC to another inside your PC. There's a paper about it here, which was presented at the Virus Bulletin conference last year: http://www.norman.com/documents/nvc5_sandbox_technology_2002.pdf
The technology is available as part of a commercial AV product from this vendor.
If I understand this correctly, this virtual machine provides logging so you can "rewind" to any previous state. That would be invaluable in debugging during software development! Sure it would be good for finding security flaws, but equally good for squashing many other kinds of bugs. Perfect for anybody who ever loaded up a core file and thought "how did THAT value get in there?"
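The record-and-replay idea behind the "rewind" the comment above describes, as an added example on a toy machine (this is not ReVirt's code). The key point ReVirt's summary makes is that only nondeterministic events need logging: every other instruction is deterministic and is simply recomputed during replay, so the log stays small while any earlier state can be reconstructed. The instruction set, the sample program and the "input" instruction standing in for a network packet or key press are all assumptions made for this illustration.

```python
"""Added example (not ReVirt's code): record/replay on a toy machine.
Only the nondeterministic 'input' instruction is logged; replay re-executes
the program and feeds the logged values back in, reproducing every state."""
import random

# Constructed program. 'input' is the only nondeterministic instruction.
PROGRAM = [
    ("input",), ("addi", 10), ("store", 0),
    ("input",), ("xor_load", 0), ("store", 1),
    ("input",), ("addi", -1), ("store", 2),
]


def fresh_state():
    return {"acc": 0, "mem": [0, 0, 0]}


def step(state, instr, get_input):
    """Execute one instruction; `get_input` supplies the external value."""
    op = instr[0]
    if op == "input":
        state["acc"] = get_input()
    elif op == "addi":
        state["acc"] += instr[1]
    elif op == "store":
        state["mem"][instr[1]] = state["acc"]
    elif op == "xor_load":
        state["acc"] ^= state["mem"][instr[1]]
    else:
        raise ValueError(f"unknown instruction {op}")


def record(program, external_input):
    """Run with live inputs. Returns (final_state, log); the log holds one
    (pc, value) entry per nondeterministic event, nothing else."""
    state, log = fresh_state(), []
    for pc, instr in enumerate(program):
        def get_input():
            value = external_input()
            log.append((pc, value))   # enough to replay this instruction
            return value
        step(state, instr, get_input)
    return state, log


def replay(program, log, stop_at=None):
    """Re-execute deterministically from the log. With `stop_at`, stop
    before that pc so the state at any earlier point can be inspected."""
    state, pending = fresh_state(), list(log)
    for pc, instr in enumerate(program):
        if stop_at is not None and pc >= stop_at:
            break
        def get_input():
            logged_pc, value = pending.pop(0)
            if logged_pc != pc:
                raise RuntimeError("log and program diverged")
            return value
        step(state, instr, get_input)
    return state


if __name__ == "__main__":
    rng = random.Random()              # live, unpredictable inputs
    final, log = record(PROGRAM, lambda: rng.randint(0, 255))
    print("log:", log)
    print("final:", final)
    print("replay matches:", replay(PROGRAM, log) == final)
    print("state before pc 3:", replay(PROGRAM, log, stop_at=3))
```

Rewinding to "how did THAT value get in there?" is then a replay stopped one instruction earlier, and stepping forward again from that point costs nothing extra in logging because the deterministic work is redone rather than stored.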