Slashdot Mirror

← Back to Stories (view on slashdot.org)

Virtual Machines for Security

Posted by michael on from the virtually-impregnable dept.

k-hell writes "Researchers from the University of Michigan are using virtual machines to 'to provide security in an operating-system-independent manner.' They have designed and implemented a replay service for virtual machines called ReVirt, which 'logs enough information to replay a long-term execution of a virtual machine instruction-by-instruction.' A system called BackTracker 'automatically identifies potential sequences of steps that occurred in an intrusion,' and they provide a nice example of BackTracker's output for an attack against a machine that they set up as a honeypot, where an attacker gained access through httpd. Here's the source code."

53 of 106 comments (clear)

  1. Auto hack response by draziw · · Score: 2, Funny

    See an attack and have it try the same one right afterwards on the source ip. Oh wait - that's probably a box they hacked first. d'oh!

  2. Hmm.. by Loki_1929 · · Score: 3, Interesting

    Using a Virtual Machine as a honeypot? Why didn't I think of that? ;)

    --
    -- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
    1. Re:Hmm.. by rkz · · Score: 2, Funny

      SCO thought of it first!


      --
      There is no god
    2. Re:Hmm.. by Zathrus · · Score: 5, Interesting

      Heh... but what's being discussed here seems somewhat different.

      You asked about setting up a honeypot via VM. A pretty good way to go about things.

      This takes it one step further - not only is the honeypot (or even honeynet) in a VM, there's an outer layer that's "watching" the VM(s) and recording the activity. That's really, really good. If you could actually lure some serious attacks to the honeypot then you'd have much more accurate records of what occurred. And, obviously, the observer is supposed to be invisible and undetectable.

      Of course, there's the issue of actually getting real attacks in the first place, instead of just a legion of script kiddies. But that's another ball of wax.

    3. Re:Hmm.. by friscolr · · Score: 4, Insightful
      honeyd mentions this sort of use. So does uml. also look into bait and switch honeypots, they mention using virtual machines as the honeypots (at least they did in a presentation i saw).

      Once Solaris 10 comes out, its zomes might be able to provide a better infrastructure for what the original article was talking about, but the last presentation i saw on zones was unsure about the monitoring capabilities to be built in.

      The performance boost this article mentions sounds nice, but i don't understand what else they accomplished that a tcpdump on the host machine couldn't do.

      links:
      honeyd
      user mode linux
      Bait and switch honeypots
      Solaris 10 zones

      --

      -f
      www.blackant.net

    4. Re:Hmm.. by martyros · · Score: 5, Informative
      Putting security services in VMs has been done for years.

      The particular service we're providing, ReVirt, is new to Virtual Machines (as far as we know). We don't log normal "security" information, like login attemps, etc. We log just enough information to be able to roll the virtual machine back to a previous state, and make it execute exactly the same way.

      One of the (many) problems with security logs is that you frequently don't know everything that you really need to log until after the fact. With our system, you can go back and find out anything you want to know, because you have a live VM doing exactly what it did during the attack.

      BTW, the technique we're using for ReVirt was described back in the late 80's, and implemented in the mid 90's for debugging purposes; we're the first ones, as far as we know, to put it in a (somewhat) general-purpose virtual machine, like UMLinux.

      --

      TCP: Why the Internet is full of SYN.

  3. but.... by HowlinMad · · Score: 4, Interesting

    what if the virtual machine is not secure?

    --
    Great Linux Site
    1. Re:but.... by Monkey-Man2000 · · Score: 3, Interesting

      But then couldn't they prove a real machine is logically secure? Just the implementation may not be. It seems that the implementation is the thing that practically matters in both cases.

      --
      This post was generated by a Cadre of Uber Monkeys for Monkey-Man2000 (603495).
    2. Re:but.... by Beryllium+Sphere(tm) · · Score: 4, Interesting

      Do you mean, what if the virtual machine has a bug that breaks virtualization and allows an attacker to 0wn the real hardware?

      That can happen. There was folklore about ways to break IBM's VM/CMS, for example.

    3. Re:but.... by martyros · · Score: 3, Interesting
      I'm George Dunlap, the main author on the ReVirt paper. So, IIAP/R (programmer/researcher). =)

      There is no way to know if there is a bug in the VM, just as there's no way to know if there's a bug in the operatin gsystem. BUT, the virtual machine montitor, which controls the VM, is a *lot* smaller piece of software than a kernel, with a much simpler interface to provide. Therefore, the hope is that there's less of a chance of an exploitable bug in the VM, than in an operating system.

      --

      TCP: Why the Internet is full of SYN.

  4. The obvious comparison... by nut · · Score: 3, Insightful

    Isn't this called Java?

    --
    Never trust a man in a blue trench coat, Never drive a car when you're dead
  5. Operating System Independence? by kevin_conaway · · Score: 4, Interesting

    They seems make a big point that they want OS independence for their system but they built it using User Mode Linux. How will this be OS independent?

    1. Re:Operating System Independence? by MyPantsAreOnFire! · · Score: 5, Insightful

      You can build another virtual machine that runs on a different platform (Windows) and have the high-level operations of the virtual machine stay the same. So, therefore, the interface that the (potentially attacking) user sees is independent of both the OS and its hardware.

      Simply because they built it on linux first doesn't mean they won't make a VM for another platform, much like Java does. I have a feeling that they're trying to get it right on Linux before they build another VM.

      --
      --My other sig is a ferrari.
    2. Re:Operating System Independence? by blenderfish · · Score: 3, Insightful

      The source is UM-linux specific, but the techniques they are using (i.e., create a narrow secure interface into the kernel, and watch the processor) are applicable to any OS. In particular, if someone could attach this to VMWare, that'd be pretty damn cool!

      - Blenderfish

    3. Re:Operating System Independence? by LostCluster · · Score: 2, Informative

      The UMLinux OS is there to be a thin real OS that runs the simulator which runs the guest OS and their goal is for the simulator to be a good enough emulation of real hardware so that any operating system can be installed as that guest OS....

    4. Re:Operating System Independence? by dki · · Score: 5, Informative

      Not to nitpick, but they don't use User Mode Linux. They use UMLinux, which differs from the former in that in UMLinux the VM is contained in a single host process, whereas in User Mode Linux each guest app has its own process. The confusion comes in because UMLinux is considered a type of User Mode Linux, hence the name. Confusing enough?

    5. Re:Operating System Independence? by martyros · · Score: 2, Interesting
      We'd gladly use VMWare, if they'd just GPL the source code. =)

      Unfortunately, since that's not likely to happen, Plex86 isn't in good shape, and we didn't want to write our own full-fleged VM, we used UMLinux for a prototype and proof-of-concept that the ReVirt idea could work. Maybe someday VMWare or someone else will pick it up.

      BTB, we do use UMLinux (now FAUmachine, I think), but we're looking into porting it to Jeff Dike's User-Mode-Linux soon.

      --

      TCP: Why the Internet is full of SYN.

  6. Security cameras don't prevent break-ins very well by LostCluster · · Score: 4, Insightful

    Seems like this is a solution for recording the every move a computer makes, so when it is hacked you can play back moment-by-moment what exactly happened.

    The only problem... by the time you realize it's time to look at the playback, the "virtual machine" is already 0wned. Useful for honeypots, but this isn't going to secure a production system... it's not a line of defense, it's a just a very detailed logging of what happened.

  7. UMLinux by dki · · Score: 5, Interesting

    The virtual machine that ReVirt and its predecessor are built on is called UMLinux. I used it for a school project that analyzed a virtual kernel that had been minimized to achieve improved performance. The current incarnation of UMLinux, now called FAUmachine, is available from the FAUmachine project site.

  8. Re:Security cameras don't prevent break-ins very w by Chris_Stankowitz · · Score: 3, Insightful

    There is some validity to your point. However you underime this project and all honey pots/nets when you say they are not a line of defense. They provide very valuable information that then goes into that line. Not to mention if you have a Decoy (one configured exaclty as the real and thought to be secure, except it has no valuable data) honey machine that gets hacked before your production one is. You now know how to prevent the intrider from attacking the real machine.

  9. Not quiet by botzi · · Score: 4, Informative
    Actually your question does make some sense, but isn't completely right.
    The JVM itself is not as secure as its architects would like it to be. When you program for the JVM, you're supposed to use a Java compiler, and actually a lot of the safeguard features come from the compilation process and the specification of the Java language.
    However, in the doc it is stated that the JVM may interpret *every* valid .class file, and although the .class files has a lot of restrictions, it's still possible to write dangerous code.
    Anyway, this VM guys have an interesting idea...

    PS: I'm currently working on a JVM assembler(nothing to take from Jasmin, but the inspiration), that'll have no practical use, of course, but I still hope that there're some people that'll find it interesting......

    --
    1. No sig. 2. ???? 3. Profit!!!
    1. Re:Not quiet by AKAImBatman · · Score: 4, Informative

      Another assembler for Java? How quaint. Seriously, the JVM is one of the most secure VMs in existance. It is also rather pragmatic. The default is to leave the door open for programs, but allow them to install security managers at any level in order to lock down code in the VM. Don't want code to use reflection? Bam! Security manager's got it locked down. Both Applets and Java Web Start include security managers by default to prevent malicious code. The *only* examples of true VM exploits are via Microsoft's VM. That thing has holes so large you can drive the U.S.S. Enterprise (CV-65, not CV-6) through them. Of course, that isn't actually Sun's fault, that's because Microsoft *likes* to punch security holes in the name of "ease of use". Don't even get me started on ActiveX.

      --
      Javascript + Nintendo DSi = DSiCade
    2. Re:Not quiet by rreyelts · · Score: 5, Interesting

      If I had mod points, I would mod this down -1 Misinformed.

      When the JVM loads a class, it performs a process called verification which ensures that the class file is structurally sound. You can't, for example, push an integer onto the stack, then try to pull it off as an object reference. http://java.sun.com/docs/books/vmspec/2nd-edition/ html/ConstantPool.doc.html#71817

      Sure, it's possible to generate a class file with invalid, 'dangerous' byte code by using a Java assembler, but it won't pass the mandatory verification stage of the virtual machine. As an example, I've written a program which dynamically modifies the bytecode of existing Java classes using BCEL (http://jakarta.apache.org/bcel/index.html). When I made mistakes that generated subtlely invalid bytecode, the classes would fail the VM's verification stage and not load. BCEL includes its own verifier (Justice), to help you ensure your generating valid bytecode during development.

    3. Re:Not quiet by Dan-DAFC · · Score: 2, Insightful

      Sure, it's possible to generate a class file with invalid, 'dangerous' byte code by using a Java assembler, but it won't pass the mandatory verification stage of the virtual machine.

      Unless you turn the verifier off.

      --
      Suck figs.
    4. Re:Not quiet by rreyelts · · Score: 2, Interesting

      1. If you can name a single attack that works against the classloader I'd like to see it. Spoofing is a very old suggested research attack, that was immediately fixed by Sun changing the classloader model so that classes are distinguished by the classloader in which they were loaded.

      2. Yes, native methods have nothing to do with JVM security related to invalid bytecode.

      3. Your point was that somehow crafting bytecode could break the VM security. My point was that that's impossible as the bytecode is verified before it is executed.

      4. I honestly don't remember how I came across BCEL - I knew of it, though, back when it was called JavaClass.

    5. Re:Not quiet by AKAImBatman · · Score: 2, Insightful

      > 2. Yes, native methods have nothing to do with JVM
      > security related to invalid bytecode.

      Just to back up what Toby's saying here, native access is controlled by the secutity manager attached to the classloader. If the classloader doesn't allow it, there can be no native code. An example of this is Applets which implicitly prevent DLLs from being loaded.

      > 4. I honestly don't remember how I came across
      > BCEL - I knew of it, though, back when it was
      > called JavaClass.

      IIRC, it was one of the few successful projects produced by the Java Operating System project.

      --
      Javascript + Nintendo DSi = DSiCade
    6. Re:Not quiet by eckes · · Score: 2, Informative

      JavaVMs had exploits in the past, so I do not see ground for your claim that they are the most safe VMs. I know simulations of turing engines which are far more secure and less exploitable.

      Remember Brown Orifice in netscape VMs?

      Some more: http://www.securitytracker.com/archives/target/130 1.html

  10. Too much overhead by emo+boy · · Score: 5, Insightful

    "We believe that even an overhead of 58% is not prohibitive for sites that value security."
    I really wonder if 58% overhead is worth it. It seems to me this is still a little massive for this kind of thing. ReVirt and VMWare both do a good job of keeping the overhead down but I think there will have to be innovations in areas other than virtual machines for this kind of thing.

    --
    ___ Shout Central - Crushes your nuts!
    1. Re:Too much overhead by poot_rootbeer · · Score: 4, Insightful

      I really wonder if 58% overhead is worth it.

      If your systems are crucial enough to justify a 58% overhead, you'll know it.

  11. Joel mentioned this the other day (sorta) by kworthington · · Score: 4, Interesting

    Joel Spolsky had a similar thought on Monday about using VMWare to run webservers in a virtual machine, and to always have similar virtual machines ready, in case the server is hacked etc. (See his June 2, 2003 entry)

    --
    Hosting: as low as $5.95/Mo
  12. Re:Security cameras don't prevent break-ins very w by DAQ42 · · Score: 5, Insightful

    Ah, but you seem to miss the advantages of a VM. If you can see exactly how you were compramised, you can then repeat the attack after going back and securing the vulnerability. Thus enabling you to have a fast and easy way to determine vulnerabilities in your code execution. Another great advantage of a virtual machine is that you can very simply and easily revert to a "clean" copy of your machine, before the attack, and have an effective downtime of 3 seconds (the time it takes to stop the VM, select the clean copy, and boot the VM again). So in a production enviornment, you have an added layer of redundancy.

    Take a database as an example. You have your tape backups, your transaction logs, etc. etc, but what if your registry (I'm talking people running MSSQL, but for other platform, think of what happens when someone crafts an improper looping arguement into an SQL write query, hosing your data structures) gets completely foobared. What do you do? Do you a) pull out the tape and have a whole bunch of downtime? Or do you just boot an older VM and apply the transaction logs to the database just before the point where everything went stupid? I think the VM would be a much faster recovery (if you consider that you are running a database that stores several hundred gigs of data, this makes more and more sense). Anyway. It's just a question of whether you feel you can implement and manage it.

    --
    Don't Ask Questions. I don't know the answers and even if I did I wouldn't tell you.
  13. Re:Innovation in repeats by American+AC+in+Paris · · Score: 4, Funny
    That's the first time i've ever seen a story on slashdot simultaneously sitting at the top of both the main story page and the "Older Stuff" box.

    Neat effect, that.

    The one under "Older Stuff" is actually a honeypost made by a virtual editor. It appears that it successfully fooled you into thinking that the post was a mistake!

    Editorial integrity through obfuscation works!

    --

    Obliteracy: Words with explosions

  14. Re:virtual pc on a mac by El+Pollo+Loco · · Score: 4, Interesting

    What they're trying to do, as far as I understand, is put a shell around what's gonna be comprimised. In your example, it would be virtual pc. If outlook gets comprimised, you can shut down virtual pc and it's all good. But in reality, it's not that easy, because virtual pc isn't designed for that. They've designed a different kind, one that's supposed to be secure, and one that even acts on a differnt layer then the OS. Then they added tracking abilitys, etc.

  15. Re:virtual pc on a mac by LostCluster · · Score: 4, Insightful

    Right, you'd still be compromised.

    What this tool does is add a very detailed logging component to the VM software, so that when you're compromised, you have a much easier time figuring out what hit you.

    The problem with most current system logging tools is that they run on the system that they are logging, which means if the attacker gains root access they could kill the logging tool's process first, or tamper with the logs to erase their activities.

    By making the logging tool one in the same with the VM software, if the hacker kills the logging tool the machien they were trying to hack vaporizes. And, if they are able to obtain root on the virtual machine, they'd still need to obtain root on the host OS (which is intentionally a lightwieght OS to decrease the likelyhood of that ever happening) to clean their tracks.

  16. For added security you might want a... by Anonymous Coward · · Score: 3, Funny

    VM within a VM. You know.. just in case attackers who can bend rules start popping up. Can attackers find out whether or not they're in a VM, or can that happen only after december?

  17. Re:virtual pc on a mac by DarkBlackFox · · Score: 3, Informative

    I think that's exactly what they are trying to do, but because of the outer layer (in your case, the mac, in their case, linux), they have some mechanism to examine the network traffic and produce a detailed log of the hack. While it wouldn't directly protect you from the hack, it would provide valuable information as to what exactly was hacked, such that it can be patched to prevent that method from affecting other systems. More or less a tattle-tail for network security than a buffed up security guard.

  18. Simple solution. by gilesjuk · · Score: 4, Funny

    Give hackers and virus authors virtual computers made of cardboard :)

  19. Mr. Anderson..... by DarkBlackFox · · Score: 5, Funny

    Smith: "Surprised to see me hack your box?"

    Neo: "No, but you must only realize the truth..."

    Smith: "What truth?"

    Neo: "There is no box" *Click*

  20. This has been done before... by yorkrj · · Score: 5, Interesting

    But not in exactly the same manner:

    I am reminded of the book "The Cuckoo's Egg" where a system admin at a university tracks down a hacker using teletype machines to monitor the hacker's tracks. Highlights include the reading of reams of teletype hardcopies, and the creation of a honeypot: At one point the author types responses to the hacker, simulating the UNIX box. Wacky!

  21. IBM? by BrynM · · Score: 5, Interesting

    Isn't this how IBM has been running Linux on it's S390 mainframes? They can virtualize just about anything because of VM. I remember a disaster recovery simulation at IBM where we restored a copy of our MVS/S390 mainframe within their VM system from our backup tapes. For all intents and purposes, it was our mainframe running inside another OS, and the other OS (VM) logged all of our activity too. We even joked with the IBMers about being able to run VM within VM and MVS within that. This is not new technology, it's just new(ish) to the smaller architectures and a new implementation of the idea.

    --
    US Democracy:The best person for the job (among These pre-selected choices...)
    1. Re:IBM? by BrynM · · Score: 2, Interesting
      We did a checkpoint restore and ran some tests. Our customer support staff spent a few hours on the "system" remotely, but we couldn't justify the cost of continual testing so we planned to capture their activity. We then used the captured data from the tests to repeat the process for further testing. If I remember right (it was a few years ago), the IBM sys-programmers captured the data from the initial restore as well. For them, the second restore process was kicked off with a single command.

      Because it was an insurance company I worked for, I can't give too many details without violating my exit NDA. If you contact the IBM Disaster Recovery Center in Boulder, CO, I'm sure they would be happy to answer questions. Alternately, any good S390 systems consultant should be familiar with this type of process.

      --
      US Democracy:The best person for the job (among These pre-selected choices...)
  22. Virtual machines for security by Anonymous Coward · · Score: 2, Insightful

    the more things change, the more they stay the same. virtual machines were used extensively in the '60s and '70s at time-sharing service (both service bureaus and various kinds of institutional in-house) operations .... in part because of the paradigm's isolation capability

    in the early '70s had an operation that had the most sensitive of a large corporation financial & business operations being run on the same online computer that also had significant number of BU and MIT students.

  23. I did something sort of like this once... by Anonvmous+Coward · · Score: 4, Informative

    Not entirely on topic, but I don't have anything really to add to this subject. Back in my Kazaa days, I was a little concerned about viruses etc getting me. So I set up a VM in VM-Ware and ran Kazaa on that. It did lag my computer considerably, but if Kazaa were to infect my machine, it would (in theory) be contained. Sadly, I didn't get infect with anything so I couldn't tell you how effective that was. I was kinda hoping it would be infected so I could analyze what happened. The funny result of this setup was that if you scanned my hard drive, you couldn't find any of the stuff I downloaded unless you fired up VM-Ware.

  24. Sandboxing by OrangeGoo · · Score: 3, Interesting

    Is this similar to the concept of sandboxing, in which a process is executed in a VM where it is isolated from the rest of the system while the OS outside watches to make sure nothing bad happens?

    I've read of this as a potential antivirus solution, but it sounds like a bit much overhead to me. It's still at least reasonably quick to do pattern scanning. Anyway, off topic... heheh :)

  25. Useful for debugging also? by Fastolfe · · Score: 2, Interesting

    This seems like it could be an interesting technique for debugging systems as a whole. Like when my Windows PC hangs randomly for 30 seconds, or does something quirky, it'd be nice if I (or preferably, Microsoft) can understand *why* so that the problem can be corrected. Bit rot sucks.

  26. Sandboxing computer viruses by Logopop · · Score: 5, Interesting

    Virtual PC environments, complete with IP networking and various common protocols are already being used to catch viral behaviour in software before signature files for a new virus are available. New, unknown viruses will actually spread and send mail from one virtual PC to another inside your PC. There's a paper about it here, which was presented at the Virus Bulletin conference last year:
    http://www.norman.com /documents/nvc5_sandbox_technology_2002.pdf
    The technology is available as part of a commercial AV product from this vendor.

  27. The problem with virtual machines. by cyt0plas · · Score: 3, Informative

    Virtual machines are inherantly insecure. Because the internal virtual address space is accessable externally, it can be modified, tampered with, or viewed at will. Regardless of the cryptography, the process can be slowed down, stepped through, and have any protections disabled, or even reversed.

    While it's a nice thought, it doesn't add too much in terms of security, a virtual machine compromised still allows access to the rest of the virtual machine. Raw harware access is not needed to wreak havoc.

    --
    Contact Me (got tired of viruses emailing me).
    1. Re:The problem with virtual machines. by hughk · · Score: 2, Insightful
      It really depends on how the VM is configured. If it is correctly setup then there is remarkably little that can be done. If you remember the so-called' "Orange" book standards for computer security, the only implementations for the highest level were virtual machines running under control of security refence monitor which had been extensively checked and tested.

      The clever bit is keeping the code that needs verification relatively small, which is why I believe Microsoft will fail with Palladium. Knowing them, the trusted base will be too large to thoroughly check.

      --
      See my journal, I write things there
    2. Re:The problem with virtual machines. by multi+io · · Score: 2, Informative
      Because the internal virtual address space is accessable externally, it can be modified, tampered with, or viewed at will.

      You can modify, view, and tamper with native assembly code as well. I don't know what you mean by "accessable externally". The virtual address space of a server application running on a virtual machine most definitively isn't accessible automatically to the clients.

      I don't see how additional possibilities in the hands of *the server's administrator* could weaken security.

      The additional software layer in virtual machines enables you to easily impose all kinds of restrictions like very fine-grained access control etc. on the running code.

      Imagine you have written a server application running as root. The application reads "untrusted" configuration files written by less privileged users. You want to make those configuration files as powerful and flexible as possible. So you might want to define a turing-complete configuration language for use in those files. The "easiest" solution would be to allow arbitrary shared libraries containing assembly code to be used as configuration files. Of course, this solution throws all security measures out of the window. So, in order to still retain a decent level of security in this situation, you have to settle on a software layer of some sort in your server, which reads and executes the the configuration files written by the users on their behalf, applying all necessary security checks on the fly. Voila - you have written a virtual machine.

      (in fact, scripting languages like Perl and Ruby have special "tainted modes" to facilitate such uses)

  28. article text by Anonymous Coward · · Score: 2, Funny

    The CoVirt Project
    The CoVirt project is investigating how to use virtual machines to provide security in an operating-system-independent manner. Virtual-machine security services can work even if an attacker gains complete control over the guest operating system.

    One hard part of designing virtual-machine security services is the semantic gap between the virtual machine and those services. Services in the virtual machine operate below the abstractions provided by the guest operating system and applications. This can make it difficult to provide services. For example, it is difficult to provide a service that checks file system integrity without knowledge of on-disk structures.

    Another potential challenge of using virtual machines is that running all applications above the virtual machine hurts performance due to virtualization overhead. Commercial virtual machine monitors such as VMware achieve excellent performance by executing (mostly) directly on the bare hardware. However, we would like to use a virtual-machine monitor that runs as a user-mode application on top of a host operating system (so-called Type II VMM), and these tend to be an order of magnitude slower than a standalone system. We modified a host OS (Linux) to enable it to better support a virtual-machine monitor. The resulting virtual-machine monitor and modified guest OS (based on UMLinux) runs even kernel-intensive applications at about 14-35% overhead. See our USENIX paper for details.

    We have designed and implemented a replay service for virtual machines called ReVirt. ReVirt logs enough information to replay a long-term execution of a virtual machine instruction-by-instruction. This enables it to provide arbitrarily detailed observations about what transpired on the system, even in the presence of non-deterministic attacks and executions.

    We designed and implemented a system called BackTracker that will help system administrators understand (and thereby recover from) an intrusion. BackTracker automatically identifies potential sequences of steps that occurred in an intrusion. Starting with a single detection point (e.g. a suspicious file), BackTracker identifies files and processes that could have affected that detection point and displays chains of events in a dependency graph.

    Here is an example of BackTracker's output for an attack against a machine that we set up as a honeypot. It shows an attacker gaining access through httpd, downloading a tar archive using wget, then installing a set of files using tar and gzip. The attacker then ran the program openssl-too, which read the configuration files that were unpacked. We detected the intrusion when the openssl-too process began scanning other machines on our network for vulnerable ports.

    Project members
    Papers
    Presentations
    Project Sponsors
    Source Code

  29. Just for security? by timeOday · · Score: 4, Interesting

    If I understand this correctly, this virtual machine provides logging so you can "rewind" to any previous state. That would be invaluable in debugging during software development! Sure it would be good for finding security flaws, but equally good for squashing many other kinds of bugs. Perfect for anybody who ever loaded up a core file and though "how did THAT value get in there?"

  30. Doing this for software security / anti-hacking by jonathanclark · · Score: 3, Interesting

    A slightly different idea for using VMs to enhance security....

    Over the last few years, I've been developing a "thin" virtual machine that runs in user-mode. The purpose of this is to allow software to be deployed in a pre-installed state, rather than having to install a bunch of file, make registry changes, etc - just distribute a single EXE that can run directly from CDROM or a download link.

    Besides simplfying the installation process and prevent conflicts with other packages (DLL Hell, etc). This method of software distribution also helps protect intellectual property - for example if you use the Macromedia Flash ActiveX component - not only can your application create object instances without having to register it in the system registry - but the macromedia code automatically goes through the virtual machine to read compress/encrypted files included in the archive.

    The virtual machine only takes up about 100k on disk and 500-1MB in RAM and runs on top of any version of Windows (no linux, sorry) without drivers or reboots.

    Check it out:
    http://thinstall.com/help

    Jonathan Clark

    --
    -- Virtual Windows Project
  31. Re:That can happen by makapuf · · Score: 2, Funny

    you just need to choose the right pill ...