Version 1.7 a new dawn
lecture: Virtual Machine Introspection
From the Outside Looking In
New methods and approaches for securing cloud environments are becoming increasingly more critical as traditional host security strategies are not well integrated into virtual environments. For example, antivirus scans are a critical component of layered defense-in-depth, but in the cloud they rapidly exhaust available CPU and memory. The cloud environment nevertheless offers a unique opportunity: the ability to peer into a running operating system from an outside perspective, known as virtual machine introspection (VMI). More interestingly, it is also possible to alter the behavior of the virtualized components to help protect virtual systems in real-time. In this talk we will explore the open-source LibVMI library which over the last year, as part of the DARPA Cyber Fast Track program, has been significantly extended to ease the process of developing cloud security solutions.
New methods and approaches for securing cloud environments are becoming increasingly more critical now that virtual environments are being widely adopted by the businesses sector. Despite the fact that virtualization itself is not inherently insecure, the majority of virtual systems are less secure than those physical systems they replace. This curious state arises primarily because traditional host security strategies are not well integrated into virtual environments: as an example, typical antivirus scans are a critical component of layered defense-in-depth, but they rapidly exhaust available CPU and memory when protecting a large number of virtual machines. Some antivirus vendors have taken a small step into virtualization by adapting their existing products to scan the disks of VMs from an external perspective, but this gain in efficiency does not fully realize the potential for protection and monitoring of a virtual environment. In addition, weakly implemented ”self-defense” techniques leave themselves vulnerable to being neutralized by undetected or zero-day attacks. This ”one opportunity” for success is a critical handicap for existing protective measures.
Virtualization nevertheless also offers a unique opportunity: the ability to peer into a running operating system from an outside perspective, known as introspection (VMI). It is possible to observe the memory, storage, CPUs, processes, and kernel of a running virtual machine from a safe vantage point. More interestingly, it is also possible to alter the behavior of all of these components to help protect virtual systems. The open-source LibVMI library has been designed specifically for this purpose, to look at 32-bit or 64-bit virtual machines, both on x86 and ARM. Over the last year, as part of DARPA's Cyber Fast Track program, LibVMI has been significantly extended by our team to ease the process of developing secure intrusion detection and intrusion prevention systems for the cloud. Utilizing Xen's advanced memory access system and the latest virtualization extensions available on Intel processors, LibVMI now offers unique capabilities for instrumenting, inspecting and controlling the execution of hosted guest operating systems and applications. Further combined with Xen's Security Modules, cloud security applications can be now tailored to provide a multi-tiered security environment required for multi-tenant cloud deployments.
In this talk we will explore the finer details how these features can be utilized for the detection of advanced rootkits techniques, while providing a stealthy, tamper resistant environment. Our talk will explore the disaggregation of Xen's trusted computed base (TCB) with the use of the FLASK policy engine, and the changes our team implemented and contributed to Xen and the Linux kernel, to make secure cross-domain introspection part of a coherent mandatory access control system. Diving deeper into the virtualization details of the x86 architecture we will discuss advanced instrumentation techniques via the Extended Page Tables and via software breakpoint injection, and how these features are now accessible via the LibVMI API.
We will also discuss critical details of live memory introspection and highlight common pitfalls in developing secure applications without relying on untrusted and potentially compromised data-sources. We will explore how mapping in-memory Linux and Windows kernels is performed by LibVMI, and compare it to other forensics tools, such as Volatility and Rekall. Our talk will further explore how to use existing forensics tools on live virtual machine to analyze modern malwares. At last, we will briefly discuss open challenges in virtualization security and some of the new CPU features proposed by Intel.
Start time: 16:00
Room: Saal 6
Track: Security & Hacking