3. Motivation
Computers on the Internet are vulnerable
Even with latest updates and virus definitions
Zero day exploits
Malware effects
User data compromised
System controlled by attacker
Restoration of system and user data
Time-consuming
Difficult for users
Not always possible (i.e. digital photos)
4. Motivation
"New methods are being invented, new tricks, and every year it gets
worse... We are losing the battle... Most companies don't know they
have been attacked."
- Bruce Schneier
"The average top executive doesn't understand security, but we have to
change that... Security is an imperative. It's no longer just a good idea."
- Allen Kerr
"Virus incidences had surged between 2003, when they detected just
over 10,000, and 2006, when they found 80,000. Criminal activity
accounted for most of that increase."
- Kaspersky Labs
5. Motivation
"Very sophisticated tools are commercially available in black markets...
This has made [the Internet] more attractive for organized crime:
[criminals] no longer have to be geeks."
- James Lewis
"Although security awareness continues to improve, hackers and
malicious code authors are releasing threats faster than ever before,
with approximately 200 per cent more malicious threats per day than two
years ago."
- Stuart McClure (2006)
"Over one third [of IT Companies] were hit by a denial-of-service attack
while over 44 percent had experienced either a pharming or cache
poisoning attack."
- 2007 Secure64 Survey
6. Motivation
Ooooh! I got some pics from my buddy
Joe :)
John is a typical desktop user that uses his computer to
communicate with friends on IM and email, and surf the web.
7. Without the Rapid Recovery System
010010000100000101000011010010110100010101
Credit Card Numbers, Email Contacts, Passwords
8. With the Rapid Recovery System
John tries to load the pictures in his photo VM, but the action is
denied, since the “pics” are actually executables. An error
message is displayed to John.
9. With the Rapid Recovery System
John really wants to see the pics, so he ignores the error and
copies the “pics” to his Internet VM and clicks on them. The
executable runs and it instantly tries to run its built-in IRC server
and starts scanning for personal data.
10. With the Rapid Recovery System
Either of these actions cause the Internet VM to be reset. The
built-in firewall of the Rapid Recovery System disallows the
Internet VM to create a server. An error message appears when
the Internet VM restarts. John finds out that these were not pics.
11. THE MINEFIELD OF PERSONAL COMPUTER USE
Scenario: Open an attachment containing a mass emailing virus
Without the Rapid Recovery System
Notice a slow down of the machine, unsure of cause.
Reboot machine, still slow.
Look in process list, attempt to kill suspicious process,
regenerates itself.
Call tech support, make an appointment to take the computer to
be fixed.
Newest backup is 1 month old, some recent reports and
pictures lost.
3 weeks later get the machine back with the OS re-installed.
12. THE MINEFIELD OF PERSONAL COMPUTER USE
Scenario: Open an attachment containing a mass emailing virus
With the Rapid Recovery System
The attachment is written into the email log.
The NET-VM flags a violation of the network contract and
pauses the VM.
The system asks the user if they want to rollback to the last
known good image.
Rollback and remount personal data store.
Some system data (logs, etc.) in VM appliance is lost, but no
personal data is lost.
The machine is back in working order in less than 1 hour.
13. THE MINEFIELD OF PERSONAL COMPUTER USE
Scenario: Surf to the wrong website
Without the Rapid Recovery System
A malicious program scans the hard drive for credit card
numbers.
The user does not notice any sign of trouble.
The program sends out a small amount of data containing the
information discovered.
The program installs a backdoor for later use by the attacker.
14. THE MINEFIELD OF PERSONAL COMPUTER USE
Scenario: Surf to the wrong website
With the Rapid Recovery System
The malicious programs begins to read the hard drive for credit
card numbers.
The FS-VM triggers a violation of the data access contract and
pauses the VM.
The system asks the user if they want to rollback to the last
known good image.
Rollback and remount personal data store.
The scan is not completed, the information is not sent, the
backdoor is prevented.
15. THE MINEFIELD OF PERSONAL COMPUTER USE
Scenario: Install a required software update
Without the Rapid Recovery System
After the update, several applications cannot find some required
components.
The user calls tech support and they confirm the problems with
the patch.
The best recommendation is to completely uninstall and re-
install the applications.
It takes a few hours to assemble the installation media, to find
the product keys, and to follow the instructions.
16. THE MINEFIELD OF PERSONAL COMPUTER USE
Scenario: Install a required software update
With the Rapid Recovery System
After the update, several applications cannot find some required
components.
The user calls tech support and they confirm the problems with
the patch.
The user decides to rollback to the last known good image.
The machine is back up in running in minutes.
17. Goals
Provide attack resistance and rapid recovery
Isolate and protect user data from attacks
Provide automatic and user-triggered checkpoints
Safe testing of system and application updates
Facilitate forensic analysis
18. Background: Security
Early Internet based on openness/trust
First documented Internet worm – 1988
Malware: large scale problem – late 1990s
Criminal malware networks (botnets)
DDOS, digital blackmail, account/credit info
Attack defenses
Antivirus software
Firewalls
Intrusion detection systems
19. Background: Virtualization
Virtual Machine Monitor
Pioneered by IBM
Software/hardware co-evolution
Intel VT and AMD-V
Software/hardware co-evolution (again)
Next generation virtualization hardware
Xen hypervisor (VMM)
Paravirtual guests (i.e. Linux, *BSD)
HVM guests (i.e. Microsoft Windows)
20. Background: Virtualization+Security
VMs used as sandboxes
VMs can be monitored from below
System security and fault tolerance
Replicate system state to a backup VM
Secure logging and replay
Backtracking intrusions
Safe testing/integration of untrusted code
Protection against root kits
21. Background: System Reset Facilities
DeepFreeze
Restore to trusted checkpoint on each boot
Windows System Restore
Keep checkpoints of system state for rollback
Both of these lack:
User data protection/rollback
Attack prevention/detection
22. System Architecture
Isolated Network
FS-VM
Management
VMA 1 VMA 2 VMA N
Management
Internal Network
Domain 0 Management NET-VM
Xen Hypervisor
Disk Hardware NIC
Internet
23. Benefits
Intrusion detection and attack prevention
Protection of user data
Checkpoint and restart of virtual machine appliances
Rapid first time installation
Model for software distribution
Complement and enhance backups
24. Evaluation
Resistance/protection against attacks
Categorize attacks
Defense strategies against attacks
Performance overhead
Overhead of virtualization technology
Overhead of file system virtual machine
25. Evaluation: Attacks
Backdoor attacks
Initiate/listen for connections
Send and receive data
Malicious attacks
Copy infected executables to shared folders
Attempt to destroy data
Spyware attacks
Harvest email addresses and other personal data
Vulnerability attacks
Exploit vulnerability in specific server software
26. Evaluation: Defenses
Block unused ports
Backdoor attacks can't access the Internet
Vulnerable services are not running
Restrictions on read, write, and/or append access
Malicious attacks can't write/delete user data
Spyware attacks can't read user data
Detect unexpected behavior and rollback
Anomalies raise errors/warnings
Prompt user or automatic rollback
28. Plan of Work
Construction and integration of a separate NET-VM
component
Tight integration of NET-VM and FS-VM into virtual
machine support layer of Xen
A comprehensive virtual machine appliance contract
system
Evaluation of system
Performance
Functionality
29. System Architecture
Isolated Network
FS-VM
Management
VMA 1 VMA 2 VMA N
Management
Internal Network
Domain 0 Management NET-VM
Xen Hypervisor
Disk Hardware NIC
Internet
30. Plan: Construct and Integrate NET-VM
Network Intrusion Detection System (snort)
Firewall (iptables)
Xen driver domain
31. Plan: Xen Support for NET-VM/FS-VM
NET-VM already possible (driver domain)
FS-VM granted file system access/control
Xen communicates rules to NET-VM and FS-VM
when new domain created
NET-VM and FS-VM detect violations
Violations enforced/communicated to Xen
Appropriate actions taken by Xen
Shutdown
Restart
Restore guest
Notify user
Prepare guest for forensic analysis
32. Plan: Comprehensive Contract System
Virtual machine appliance contracts
Specify the behavior of appliances
Network access
File system access
Use existing NIDS and firewall rules
Build upon existing Xen configuration file
Add file system and network rule support
33. Plan: Evaluation of Modified System
Performance
I/O: read, write
Network: send, receive
CPU overhead
Functionality
Resistance to attack
Recovery from attack
Construct virtual machine appliances
34. Related/Proposed Projects at Clarkson
Log-Structured File System (LFS) for FS-VM
Enable rollback of writes with LFS
Isolation testing of virtualization systems
Performance isolation testing methodology and results
Power testing of virtualization systems
Recommend/improve power-friendly VMMs
Tools for forensic analysis
Capture/export compromised VM
Recommend defense strategies
Tools for contract inspection
Visualize access granted by contract
39. Terminology
Virtual Machine Monitor (VMM)
Also know as: hypervisor
Thin software layer between the hardware and “guest”
operating system
First to the hardware
Examples of VMMs:
VMware, Xen, Parallels, Z/vm, MS Viridian, Qemu,
KVM, ...
41. Virtualization Predictions
9 of 10 enterprises will have virtualization by 2007 -
Yankee Group (August 2007)
Physical servers growth near zero within 2012 -
Bernstein (August 2007)
Over 50% physical servers will be virtualized in 2011 -
IDC (July 2007)
Virtualization services market to reach $11.7 billion by
2011 - IDC (July 2007)
Server market to hardly grow over 2% annually
through 2011 because of virtualization - IDC (July
2007)
42. Virtualization Predictions
25% of enterprise data center servers to be virtual by
2010 - Intel (July 2007)
A Microsoft hypervisor for Vista expected in mid-2009
- Gartner (July 2007)
Virtualization will be part of nearly every aspect of IT
by 2015 – Gartner (May 2007)
3 million virtual machines expected in 2009 - Gartner
(May 2007)
43. Virtualization Predictions
Virtualization and multicore will cost $2.4 billion in
customer spending between 2006 and 2010 - IDC
(March 2007)
OS Virtualization to become mainstream by 2010 -
Gartner (December 2006)
Virtualization market to grow to $15 billion worldwide
by 2009 - IDC (October 2006)
47. Plan: File System Rule Language
# Example file system rule set for an email client.
fs_rule = [ 'id=1, read, 1024, 5' ]
# read at most 1024 bytes of data in 5 seconds
fs_rule = [ 'id=2, append, 1024, 3' ]
# append at most 1024 bytes of data in 3 seconds.
fs_rule = [ 'id=3, write, 320, 3' ]
# write at most 320 bytes in 3 seconds
# The email mount point is accessible to the email client, and fs_rules
# with id=1 and id=2 are applied
disk = [ 'fsvm:/mnt/email, /home/user/mail,fs_rule=1:2' ]
# The email mount point is accessible to the email client, and fs_rules
# with id=1 and id=3 are applied.
disk = [ 'fsvm:/mnt/email, /home/user/attachments,fs_rule=1:3' ]
48. Plan: Network Rule Language
#Email client example continued
network_rule = ['id=1, iptables, file=/etc/iptables/email_client']
network_rule = ['id=2, snort, file=/etc/snort/rules/email_client']
vif = [ 'rate=2Mb/s, network_rule=1:2' ]
50. Evaluation of Prototype: Attacks
Category/Behavior: Backdoor attacks initiate and
listen for connections to send and receive data
Examples: W32.MyDoom, W32.Bagel
Defenses:
Block unused ports
Detect unexpected behavior and rollback to trusted
image
51. Evaluation of Prototype: Attacks
Category/Behavior: Attacks that copy infected
executables to shared folders or attempt to destroy
data
Examples: W32.Netsky, W32.Netad
Defenses:
Restrictions on write access to personal data
Detect unexpected behavior and rollback to trusted
image
52. Evaluation of Prototype: Attacks
Category/Behavior: Attacks that harvest email
addresses and other personal data
Examples: W32.Zafi.D, PWSteal.Ldpinch.E
Defenses:
Restrictions on read access to personal data
Detect unexpected behavior and rollback to trusted
image
53. Evaluation of Prototype: Attacks
Category/Behavior: Attacks that exploit vulnerability in
specific server software
Examples: MySQL UDF, Blaster, Slammer
Defenses:
Block unused ports (if not running the server software)
Detect unexpected behavior and rollback to trusted
image (if running the server software)