Slashdot Mirror

← Back to Stories (view on slashdot.org)

Virtual Machines for Security

Posted by michael on from the virtually-impregnable dept.

k-hell writes "Researchers from the University of Michigan are using virtual machines to 'to provide security in an operating-system-independent manner.' They have designed and implemented a replay service for virtual machines called ReVirt, which 'logs enough information to replay a long-term execution of a virtual machine instruction-by-instruction.' A system called BackTracker 'automatically identifies potential sequences of steps that occurred in an intrusion,' and they provide a nice example of BackTracker's output for an attack against a machine that they set up as a honeypot, where an attacker gained access through httpd. Here's the source code."

38 of 106 comments (clear)

  1. Hmm.. by Loki_1929 · · Score: 3, Interesting

    Using a Virtual Machine as a honeypot? Why didn't I think of that? ;)

    --
    -- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
    1. Re:Hmm.. by Zathrus · · Score: 5, Interesting

      Heh... but what's being discussed here seems somewhat different.

      You asked about setting up a honeypot via VM. A pretty good way to go about things.

      This takes it one step further - not only is the honeypot (or even honeynet) in a VM, there's an outer layer that's "watching" the VM(s) and recording the activity. That's really, really good. If you could actually lure some serious attacks to the honeypot then you'd have much more accurate records of what occurred. And, obviously, the observer is supposed to be invisible and undetectable.

      Of course, there's the issue of actually getting real attacks in the first place, instead of just a legion of script kiddies. But that's another ball of wax.

    2. Re:Hmm.. by friscolr · · Score: 4, Insightful
      honeyd mentions this sort of use. So does uml. also look into bait and switch honeypots, they mention using virtual machines as the honeypots (at least they did in a presentation i saw).

      Once Solaris 10 comes out, its zomes might be able to provide a better infrastructure for what the original article was talking about, but the last presentation i saw on zones was unsure about the monitoring capabilities to be built in.

      The performance boost this article mentions sounds nice, but i don't understand what else they accomplished that a tcpdump on the host machine couldn't do.

      links:
      honeyd
      user mode linux
      Bait and switch honeypots
      Solaris 10 zones

      --

      -f
      www.blackant.net

    3. Re:Hmm.. by martyros · · Score: 5, Informative
      Putting security services in VMs has been done for years.

      The particular service we're providing, ReVirt, is new to Virtual Machines (as far as we know). We don't log normal "security" information, like login attemps, etc. We log just enough information to be able to roll the virtual machine back to a previous state, and make it execute exactly the same way.

      One of the (many) problems with security logs is that you frequently don't know everything that you really need to log until after the fact. With our system, you can go back and find out anything you want to know, because you have a live VM doing exactly what it did during the attack.

      BTW, the technique we're using for ReVirt was described back in the late 80's, and implemented in the mid 90's for debugging purposes; we're the first ones, as far as we know, to put it in a (somewhat) general-purpose virtual machine, like UMLinux.

      --

      TCP: Why the Internet is full of SYN.

  2. but.... by HowlinMad · · Score: 4, Interesting

    what if the virtual machine is not secure?

    --
    Great Linux Site
    1. Re:but.... by Monkey-Man2000 · · Score: 3, Interesting

      But then couldn't they prove a real machine is logically secure? Just the implementation may not be. It seems that the implementation is the thing that practically matters in both cases.

      --
      This post was generated by a Cadre of Uber Monkeys for Monkey-Man2000 (603495).
    2. Re:but.... by Beryllium+Sphere(tm) · · Score: 4, Interesting

      Do you mean, what if the virtual machine has a bug that breaks virtualization and allows an attacker to 0wn the real hardware?

      That can happen. There was folklore about ways to break IBM's VM/CMS, for example.

    3. Re:but.... by martyros · · Score: 3, Interesting
      I'm George Dunlap, the main author on the ReVirt paper. So, IIAP/R (programmer/researcher). =)

      There is no way to know if there is a bug in the VM, just as there's no way to know if there's a bug in the operatin gsystem. BUT, the virtual machine montitor, which controls the VM, is a *lot* smaller piece of software than a kernel, with a much simpler interface to provide. Therefore, the hope is that there's less of a chance of an exploitable bug in the VM, than in an operating system.

      --

      TCP: Why the Internet is full of SYN.

  3. The obvious comparison... by nut · · Score: 3, Insightful

    Isn't this called Java?

    --
    Never trust a man in a blue trench coat, Never drive a car when you're dead
  4. Operating System Independence? by kevin_conaway · · Score: 4, Interesting

    They seems make a big point that they want OS independence for their system but they built it using User Mode Linux. How will this be OS independent?

    1. Re:Operating System Independence? by MyPantsAreOnFire! · · Score: 5, Insightful

      You can build another virtual machine that runs on a different platform (Windows) and have the high-level operations of the virtual machine stay the same. So, therefore, the interface that the (potentially attacking) user sees is independent of both the OS and its hardware.

      Simply because they built it on linux first doesn't mean they won't make a VM for another platform, much like Java does. I have a feeling that they're trying to get it right on Linux before they build another VM.

      --
      --My other sig is a ferrari.
    2. Re:Operating System Independence? by blenderfish · · Score: 3, Insightful

      The source is UM-linux specific, but the techniques they are using (i.e., create a narrow secure interface into the kernel, and watch the processor) are applicable to any OS. In particular, if someone could attach this to VMWare, that'd be pretty damn cool!

      - Blenderfish

    3. Re:Operating System Independence? by dki · · Score: 5, Informative

      Not to nitpick, but they don't use User Mode Linux. They use UMLinux, which differs from the former in that in UMLinux the VM is contained in a single host process, whereas in User Mode Linux each guest app has its own process. The confusion comes in because UMLinux is considered a type of User Mode Linux, hence the name. Confusing enough?

  5. Security cameras don't prevent break-ins very well by LostCluster · · Score: 4, Insightful

    Seems like this is a solution for recording the every move a computer makes, so when it is hacked you can play back moment-by-moment what exactly happened.

    The only problem... by the time you realize it's time to look at the playback, the "virtual machine" is already 0wned. Useful for honeypots, but this isn't going to secure a production system... it's not a line of defense, it's a just a very detailed logging of what happened.

  6. UMLinux by dki · · Score: 5, Interesting

    The virtual machine that ReVirt and its predecessor are built on is called UMLinux. I used it for a school project that analyzed a virtual kernel that had been minimized to achieve improved performance. The current incarnation of UMLinux, now called FAUmachine, is available from the FAUmachine project site.

  7. Re:Security cameras don't prevent break-ins very w by Chris_Stankowitz · · Score: 3, Insightful

    There is some validity to your point. However you underime this project and all honey pots/nets when you say they are not a line of defense. They provide very valuable information that then goes into that line. Not to mention if you have a Decoy (one configured exaclty as the real and thought to be secure, except it has no valuable data) honey machine that gets hacked before your production one is. You now know how to prevent the intrider from attacking the real machine.

  8. Not quiet by botzi · · Score: 4, Informative
    Actually your question does make some sense, but isn't completely right.
    The JVM itself is not as secure as its architects would like it to be. When you program for the JVM, you're supposed to use a Java compiler, and actually a lot of the safeguard features come from the compilation process and the specification of the Java language.
    However, in the doc it is stated that the JVM may interpret *every* valid .class file, and although the .class files has a lot of restrictions, it's still possible to write dangerous code.
    Anyway, this VM guys have an interesting idea...

    PS: I'm currently working on a JVM assembler(nothing to take from Jasmin, but the inspiration), that'll have no practical use, of course, but I still hope that there're some people that'll find it interesting......

    --
    1. No sig. 2. ???? 3. Profit!!!
    1. Re:Not quiet by AKAImBatman · · Score: 4, Informative

      Another assembler for Java? How quaint. Seriously, the JVM is one of the most secure VMs in existance. It is also rather pragmatic. The default is to leave the door open for programs, but allow them to install security managers at any level in order to lock down code in the VM. Don't want code to use reflection? Bam! Security manager's got it locked down. Both Applets and Java Web Start include security managers by default to prevent malicious code. The *only* examples of true VM exploits are via Microsoft's VM. That thing has holes so large you can drive the U.S.S. Enterprise (CV-65, not CV-6) through them. Of course, that isn't actually Sun's fault, that's because Microsoft *likes* to punch security holes in the name of "ease of use". Don't even get me started on ActiveX.

      --
      Javascript + Nintendo DSi = DSiCade
    2. Re:Not quiet by rreyelts · · Score: 5, Interesting

      If I had mod points, I would mod this down -1 Misinformed.

      When the JVM loads a class, it performs a process called verification which ensures that the class file is structurally sound. You can't, for example, push an integer onto the stack, then try to pull it off as an object reference. http://java.sun.com/docs/books/vmspec/2nd-edition/ html/ConstantPool.doc.html#71817

      Sure, it's possible to generate a class file with invalid, 'dangerous' byte code by using a Java assembler, but it won't pass the mandatory verification stage of the virtual machine. As an example, I've written a program which dynamically modifies the bytecode of existing Java classes using BCEL (http://jakarta.apache.org/bcel/index.html). When I made mistakes that generated subtlely invalid bytecode, the classes would fail the VM's verification stage and not load. BCEL includes its own verifier (Justice), to help you ensure your generating valid bytecode during development.

  9. Too much overhead by emo+boy · · Score: 5, Insightful

    "We believe that even an overhead of 58% is not prohibitive for sites that value security."
    I really wonder if 58% overhead is worth it. It seems to me this is still a little massive for this kind of thing. ReVirt and VMWare both do a good job of keeping the overhead down but I think there will have to be innovations in areas other than virtual machines for this kind of thing.

    --
    ___ Shout Central - Crushes your nuts!
    1. Re:Too much overhead by poot_rootbeer · · Score: 4, Insightful

      I really wonder if 58% overhead is worth it.

      If your systems are crucial enough to justify a 58% overhead, you'll know it.

  10. Joel mentioned this the other day (sorta) by kworthington · · Score: 4, Interesting

    Joel Spolsky had a similar thought on Monday about using VMWare to run webservers in a virtual machine, and to always have similar virtual machines ready, in case the server is hacked etc. (See his June 2, 2003 entry)

    --
    Hosting: as low as $5.95/Mo
  11. Re:Security cameras don't prevent break-ins very w by DAQ42 · · Score: 5, Insightful

    Ah, but you seem to miss the advantages of a VM. If you can see exactly how you were compramised, you can then repeat the attack after going back and securing the vulnerability. Thus enabling you to have a fast and easy way to determine vulnerabilities in your code execution. Another great advantage of a virtual machine is that you can very simply and easily revert to a "clean" copy of your machine, before the attack, and have an effective downtime of 3 seconds (the time it takes to stop the VM, select the clean copy, and boot the VM again). So in a production enviornment, you have an added layer of redundancy.

    Take a database as an example. You have your tape backups, your transaction logs, etc. etc, but what if your registry (I'm talking people running MSSQL, but for other platform, think of what happens when someone crafts an improper looping arguement into an SQL write query, hosing your data structures) gets completely foobared. What do you do? Do you a) pull out the tape and have a whole bunch of downtime? Or do you just boot an older VM and apply the transaction logs to the database just before the point where everything went stupid? I think the VM would be a much faster recovery (if you consider that you are running a database that stores several hundred gigs of data, this makes more and more sense). Anyway. It's just a question of whether you feel you can implement and manage it.

    --
    Don't Ask Questions. I don't know the answers and even if I did I wouldn't tell you.
  12. Re:Innovation in repeats by American+AC+in+Paris · · Score: 4, Funny
    That's the first time i've ever seen a story on slashdot simultaneously sitting at the top of both the main story page and the "Older Stuff" box.

    Neat effect, that.

    The one under "Older Stuff" is actually a honeypost made by a virtual editor. It appears that it successfully fooled you into thinking that the post was a mistake!

    Editorial integrity through obfuscation works!

    --

    Obliteracy: Words with explosions

  13. Re:virtual pc on a mac by El+Pollo+Loco · · Score: 4, Interesting

    What they're trying to do, as far as I understand, is put a shell around what's gonna be comprimised. In your example, it would be virtual pc. If outlook gets comprimised, you can shut down virtual pc and it's all good. But in reality, it's not that easy, because virtual pc isn't designed for that. They've designed a different kind, one that's supposed to be secure, and one that even acts on a differnt layer then the OS. Then they added tracking abilitys, etc.

  14. Re:virtual pc on a mac by LostCluster · · Score: 4, Insightful

    Right, you'd still be compromised.

    What this tool does is add a very detailed logging component to the VM software, so that when you're compromised, you have a much easier time figuring out what hit you.

    The problem with most current system logging tools is that they run on the system that they are logging, which means if the attacker gains root access they could kill the logging tool's process first, or tamper with the logs to erase their activities.

    By making the logging tool one in the same with the VM software, if the hacker kills the logging tool the machien they were trying to hack vaporizes. And, if they are able to obtain root on the virtual machine, they'd still need to obtain root on the host OS (which is intentionally a lightwieght OS to decrease the likelyhood of that ever happening) to clean their tracks.

  15. For added security you might want a... by Anonymous Coward · · Score: 3, Funny

    VM within a VM. You know.. just in case attackers who can bend rules start popping up. Can attackers find out whether or not they're in a VM, or can that happen only after december?

  16. Re:virtual pc on a mac by DarkBlackFox · · Score: 3, Informative

    I think that's exactly what they are trying to do, but because of the outer layer (in your case, the mac, in their case, linux), they have some mechanism to examine the network traffic and produce a detailed log of the hack. While it wouldn't directly protect you from the hack, it would provide valuable information as to what exactly was hacked, such that it can be patched to prevent that method from affecting other systems. More or less a tattle-tail for network security than a buffed up security guard.

  17. Simple solution. by gilesjuk · · Score: 4, Funny

    Give hackers and virus authors virtual computers made of cardboard :)

  18. Mr. Anderson..... by DarkBlackFox · · Score: 5, Funny

    Smith: "Surprised to see me hack your box?"

    Neo: "No, but you must only realize the truth..."

    Smith: "What truth?"

    Neo: "There is no box" *Click*

  19. This has been done before... by yorkrj · · Score: 5, Interesting

    But not in exactly the same manner:

    I am reminded of the book "The Cuckoo's Egg" where a system admin at a university tracks down a hacker using teletype machines to monitor the hacker's tracks. Highlights include the reading of reams of teletype hardcopies, and the creation of a honeypot: At one point the author types responses to the hacker, simulating the UNIX box. Wacky!

  20. IBM? by BrynM · · Score: 5, Interesting

    Isn't this how IBM has been running Linux on it's S390 mainframes? They can virtualize just about anything because of VM. I remember a disaster recovery simulation at IBM where we restored a copy of our MVS/S390 mainframe within their VM system from our backup tapes. For all intents and purposes, it was our mainframe running inside another OS, and the other OS (VM) logged all of our activity too. We even joked with the IBMers about being able to run VM within VM and MVS within that. This is not new technology, it's just new(ish) to the smaller architectures and a new implementation of the idea.

    --
    US Democracy:The best person for the job (among These pre-selected choices...)
  21. I did something sort of like this once... by Anonvmous+Coward · · Score: 4, Informative

    Not entirely on topic, but I don't have anything really to add to this subject. Back in my Kazaa days, I was a little concerned about viruses etc getting me. So I set up a VM in VM-Ware and ran Kazaa on that. It did lag my computer considerably, but if Kazaa were to infect my machine, it would (in theory) be contained. Sadly, I didn't get infect with anything so I couldn't tell you how effective that was. I was kinda hoping it would be infected so I could analyze what happened. The funny result of this setup was that if you scanned my hard drive, you couldn't find any of the stuff I downloaded unless you fired up VM-Ware.

  22. Sandboxing by OrangeGoo · · Score: 3, Interesting

    Is this similar to the concept of sandboxing, in which a process is executed in a VM where it is isolated from the rest of the system while the OS outside watches to make sure nothing bad happens?

    I've read of this as a potential antivirus solution, but it sounds like a bit much overhead to me. It's still at least reasonably quick to do pattern scanning. Anyway, off topic... heheh :)

  23. Sandboxing computer viruses by Logopop · · Score: 5, Interesting

    Virtual PC environments, complete with IP networking and various common protocols are already being used to catch viral behaviour in software before signature files for a new virus are available. New, unknown viruses will actually spread and send mail from one virtual PC to another inside your PC. There's a paper about it here, which was presented at the Virus Bulletin conference last year:
    http://www.norman.com /documents/nvc5_sandbox_technology_2002.pdf
    The technology is available as part of a commercial AV product from this vendor.

  24. The problem with virtual machines. by cyt0plas · · Score: 3, Informative

    Virtual machines are inherantly insecure. Because the internal virtual address space is accessable externally, it can be modified, tampered with, or viewed at will. Regardless of the cryptography, the process can be slowed down, stepped through, and have any protections disabled, or even reversed.

    While it's a nice thought, it doesn't add too much in terms of security, a virtual machine compromised still allows access to the rest of the virtual machine. Raw harware access is not needed to wreak havoc.

    --
    Contact Me (got tired of viruses emailing me).
  25. Just for security? by timeOday · · Score: 4, Interesting

    If I understand this correctly, this virtual machine provides logging so you can "rewind" to any previous state. That would be invaluable in debugging during software development! Sure it would be good for finding security flaws, but equally good for squashing many other kinds of bugs. Perfect for anybody who ever loaded up a core file and though "how did THAT value get in there?"

  26. Doing this for software security / anti-hacking by jonathanclark · · Score: 3, Interesting

    A slightly different idea for using VMs to enhance security....

    Over the last few years, I've been developing a "thin" virtual machine that runs in user-mode. The purpose of this is to allow software to be deployed in a pre-installed state, rather than having to install a bunch of file, make registry changes, etc - just distribute a single EXE that can run directly from CDROM or a download link.

    Besides simplfying the installation process and prevent conflicts with other packages (DLL Hell, etc). This method of software distribution also helps protect intellectual property - for example if you use the Macromedia Flash ActiveX component - not only can your application create object instances without having to register it in the system registry - but the macromedia code automatically goes through the virtual machine to read compress/encrypted files included in the archive.

    The virtual machine only takes up about 100k on disk and 500-1MB in RAM and runs on top of any version of Windows (no linux, sorry) without drivers or reboots.

    Check it out:
    http://thinstall.com/help

    Jonathan Clark

    --
    -- Virtual Windows Project