In this presentation I'm talking about feature of VMI technology that are vital for malware analysis, intrusion detection and attack prevention in virtualized environment. This presentation is part of my Ph.D. work and contain summary of VMI state in 2013.

1. Virtual
Machine
Introspectio
n
Future of Cloud Security
by Nazar Tymoshyk, Ph.D., CEH, OWASP Lviv Chapter lead, Ukr
UISGCON9’13

2. TODAY
Connection to the Cloud
means connection to
some servers located in
datacenter somewhere in
the world

3. IaaS and Security Benefits:
• Cost
reduction
• Flexibility
• Scalability
• Pay-per-use
• Hardware
• Utilization
• Isolation
Cloud - means environment on
demand. Cloud could be
Private, Public or Hybrid.
Most commonly used type of Cloud
is Infrastructure as a Service
(IaaS).
IaaS – is a Operating System with
some computing resources on
demand.
Security for IaaS has same issues
as any other network and server
infrastructure located in Datacenter.

4. Environment
on
Demand?
Security applications benefit from
virtualization by running in
isolated virtual machines (VMs)
and building smaller trusted
computing bases (TCBs).
VDI
A sandbox is an execution environment that can restrict
access to resources
A VM is a heavy-weight sandbox that supports execution of
entire operating systems
Isolation – guest code cannot read/write outside of the VM
Inspection – VMM can examine entire state of the guest
system (memory, devices, etc)
Interposition – VMM can interrupt guest code at any time

5. SDN challenge
Today SDN if future for Private/Public/Hybrid Cloud.
Firewall/IDS sees/protects physical security is
“Blind” to all traffic between Servers
Traffic between Virtual Machines
• Isolation is no longer physical but logical.
• Isolation is less precise.
• Security guarantees are weaker.
Challenge: mapping existing network security
components to new cloud architectures.

6. «Hey You! Get Off My
Cloud» Attack
• Identify potential
targets
Map the Cloud
• Check if two VMs
are co-located on
same physical
server
Determine
co-residence • Co-locate attacker
VM with target
Send probe
VM
• Extract information,
perform DoS
Use VM side-
channel

7. Which Hypervisor used by
cloud providers?
IaaS provider Hypervizor
:
Amazon, Linode, Rackspace,
GoGrid
Xen/Citrix
Xen
Google Compute Engine,
Openstack (For private cloud),
Rackspace, IBM
KVM
Azure Hyper-V
Bluelock, CSC, VmWare vCloud,
Cloud.com, CloudStack,
VmWare
What is common for all these hypervisors?
Father of them was – Qemu emulator 
Source: http://www.quora.com/What-are-the-hypervisors-used-by-big-IaaS-providers

8. SOME
PROBLEMS

9. Key threads for servers in
cloud
Isolation
break-out
Blue pill
Access
Keys
leakag
e
https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
https://www.owasp.org/index.php/Category:OWASP_Cloud_%E2%80%90_10_Project
Unavailability
OWASP
10 Cloud
Risks
Vulnerable and old
software:
Compromised
0-day
vulnerability
Rootkits /
Virus
Cloud
Security
Alliance
Top
Threats

10. Nice sample of Cloud
threat
What about Worm for
Windows based cloud
servers that use RDP
vulnerability?
How to recover all
VMs in cloud and
centrally remove
that malware?
http://thehackernews.com/2012/04/cloudworm-candidate-ms12-020-poc.html

11. Transparency challenge
Prove security hygiene of
provider infrastructure to
third parties.
Auditability, certification
process, risk analysis
methodologies,
compliance.
Trusted cloud computing
technologies provide
cryptographic evidence.

12. What White-Hats doing to
catch malware?
To monitor/register
activity inside operating
system most White
Hats and researcher
use honeypots or
production system with
different kinds of
agents, installed inside
OS – key-loggers,
spyware, rootkits.
KNOW YOUR
ENEMY
Honeypot is a trap set
to detect, deflect, or in
some manner
counteract attempts at
unauthorized use
of information systems.
Research
honeypots are run to
gather information
about the motives and
tactics of the Black-
hat community
targeting different
networks.

13. Malware Detection
Current approach fundamentally flawed:
• Malware running in the same system
space with anti-malware software at the
same privileged level
• No clear winner in the arms race between
them

14. Current approach
Agent based monitoring and protection:
The problem is that all this agents could be
detected by user/malefactor and be
subverted, and/or disabled by the attacker
Main problem of any monitoring system is -
Stealthy and Tamper resistanse
Kaspersky Enterprise agent, Microsoft Forefront, Ziften

15. VMI Security –
why?
1. Central processing of security functions is more
efficient than distributing security controls and
related overhead to each VM
2. No host agents required – guaranteeing security for
all VMs regardless of operating system type and
patch level, and with no impact to applications
running inside the VMs.
3. Tamper-proof security. Host-agents are subject to
getting compromised by the very malware they aim
to thwart (e.g., Conficker turning off A/V).
By contrast, hypervisor-based security resides outside
the guest-VM, and is thus tamper-proof to any malware

16. Out of the box VM management
The monitoring of virtual machines
has many applications in areas
such as security and systems
management

17. VIRTUAL MACHINE
INTROSPECTION
TECHNOLOGY

18. What VMI is?
X-ray view of all VM states, including installed
applications, operating systems, and patch
levels. Could be used for Detection, Protection
and Management, compliance and automated
security enforcement.
VMI use the capabilities of the hypervisor to
supervise VM behavior.

19. 2017 – VMI will become production standard
2013 – Juniper/Arbor present new product on
RSA Conference based on VmWare VmSafe
API
2010 – prototype on Honeynet by Chengyu
Song
2009 – prototype done by Nazar Tymoshyk
2007 – xenaccess initiated and transformed to
LibVMI
2006 – first prototype by Xiang Yang VMScope
2003 – initial research by T. Garnkel and M.
VMI prototypes

20. VMI architecture
x86
Paravirtualisation: The guest OS is
modified to better cooperate with the
hypervisor.
+ Sensitive non-privileged instructions are
replaced by hypercalls.
- Only a limited number of paravirtualized
drivers are needed. Not compatible with
proprietary kernels.
Binary translation: The VMM converts
“problem” instructions in smoother binary
code.
+ Compatible with most guest OSes.
Does not require specific hardware
support.
- Requires many optimizations to be
efficient.
Hardware-assisted virtualization:
The hardware facilitates virtualization with
specific instructions (e.g., Intel VT-x).
+ The guest OS runs transparently
without modifications. Allows to run OS
which cannot be paravirtualized. Security
is also enhanced.
- Hardware context switching might be

21. What can be monitored
• All user input
• Content
• Storage/File
system
• Traffic
• Access
• MEMORY
• Rootkits
• Malware on FS
• Integrity

22. Implementation problems -
x86
Step 1: Procuring low-level VM states and events
Disk blocks, memory pages, registers…
Traps, interrupts…
Step 2: Reconstructing high-level semantic view
Files, directories, processes, and kernel modules…
System calls, context switches…
Semantic
problem: the
data accessed
through
introspection are
raw data.

23. FEATURES OF
VIRTUAL MACHINE
INTROSPECTION

24. What security features it
offers?
VM Antivirus
control
Malware
analysis
Cloud SIEM
VM IPS/IDS
VM Forcing
Policies
VM Honeypot
Cloud Firewall
VM Patch
management
Invisible system
logging
Rootkit
prevention

25. VMI for Cloud
management
Automated VM
compliance assessment
based on multiple VM
attributes;
Quarantine of non-
compliant VMs to
eliminate administrative
errors and reduce risk.
Automated security
classification and
enforcement for new or
cloned VMs

26. MEMORY analysis
Registry keys
Unpacked
malware
Access
keys
Processes
Software
binary
stop unauthorized
services from running
and prevent zero day
attacks against
unpatched
or vulnerable systems
Open
sockets

27. Network introspection
• monitors real-time network
and user activity in a virtual
environment
• detecting policy violations
such as the use of
unauthorized applications
on non-standard ports or
unpermitted access to a
critical host
• vm-bridge filter all
traffic from and
between VMs
• ebtables used for
firewalling

28. Program Integrity
Detection
• Periodically hashes the unchanging sections of
each running program
• Compares the hashes to known-good hashes
• Signature Detector
• Periodically scan guest memory for known-bad
signatures
• Sometimes detects malware in unexpected
places, like the filesystem cache

29. Malware analysis based
on syscall tree

30. Fighting Rootkits
NICKLE/QEMU+KQEMU foils the SucKIT rootkit (guest OS: RedHat 8.0)
Source:
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCwQFjAA&url=http%3A%2F%2Fwww.ll.mit.edu%2FRAID2008%2FFiles%2FRAID2008-s1-1-
Riley-GuestTransparent.pdf&ei=7VZAUojzAoePswai-ICIDg&usg=AFQjCNGbkvobIvIx6PAJiDjrw70Lbb0HOA&sig2=TnTSklrH5N8xieh6QUlFYw&bvm=bv.52434380,d.d2k

31. NOW TIME FOR ….
DEMO

32. VMScope prototype
Source:http://www.ise.gmu.edu/~xjiang

33. External
Scanning
Result
Internal
Scanning
Result
Diff
Source: http://www.ise.gmu.edu/~xjiang

34. Qebek – Sebek rootkit with
VMI
http://honeynet.org/papers/KYT_qebek
Currently sbk_dialog supports three types of syscall: they are sys_open, sys_read
and sys_socket.
QEMU
Guest OS
Interception
Module
SVR Helper
Routines
Breakpoint
System
Introspection Module
Output
Module
Qebek

35. VIX – Xen based VMI

36. Our prototype vEye
We create prototype which open following opportunities:
• New way to signature generation for Intrusion Detection Systems(IDS)
• Malicious software reverse engineering through sys_calls monitoring
• Low level software debugging
• User activity monitoring outside OS (user is unable to disable monitoring)
• Research user/malefactor behavior in Honeypots
• Memory monitoring and control outside OS
Virtual Machine Introspection with binary
translation
Allow to collect any action of virtualized OS with
VMWare or Qemu from honeypots.

37. Catching system calls

38. Catching console activity

39. Our Monitoring console

40. WHAT ABOUT PRODUCTION?

41. Niche players
http://www.vmware.com/files/pdf/products/vcns/VMware-Integrated-Partner-Solutions-Networking-Security.pdf

42. vShield
Source: http://www.vmware.com/products/vsphere/features-endpoint

43. VMSafe API
VMsafe is an application programming
interface to protect applications running in
virtual machines.
VMsafe applications can come in two
forms. The first form is referred to as Fast
Path and is composed of just a vmkernel
driver that gets installed on the VMware
vSphere ESX 4 host.
Fast Path has many advantages but only so
much really belongs in a driver, and the
driver is often used to further transfer
necessary information to a virtual
appliance.
The combination of virtual appliance and
vmkernel driver composes the second
form, which is known as the Slow Path.
Source : http://www.vspherereference.com/id14.html

44. XenAccess=>LibV
MI
Source:https://code.google.com/p/vmitools/wiki/LibVMIIntroduction

45. Juniper / Altor
Source: http://www.slideshare.net/junipernetworks/juniper-and-vmware-taking-data-centre-networks-to-the-next-level-15523046?from_search=1

46. Juniper VMI for Datacenter
security management - Vision

47. Juniper / Altor

48. Where is …?

49. Questions?
Thank You!
Copyright © 2013 Nazar Tymoshyk
root.nt@gmail.com
Thank you for
attention!
Nazar Tymoshyk
Skype: root_nt
Email: root.nt@gmail.com