Virtualization for Security: Including Sandboxing, Disaster Recovery, High Availability, Forensic Analysis, and Honeypotting

John Hoopes, Technical Editor

Contributors: Aaron Bawcom, Paul Kenealy, Wesley J. Noonan, Craig A. Schiller, Fred Shore, Andreas Turriff, Mario Vuksan, Carsten Willems, David Williams
Contents

Chapter 1 An Introduction to Virtualization 1
  Introduction 2
  What Is Virtualization? 2
  The History of Virtualization 3
  The Atlas Computer 3
  The M44/44X Project 4
  CP/CMS 4
  Other Time-Sharing Projects 5
  Virtualization Explosion of the 1990s and Early 2000s 6
  The Answer: Virtualization Is 8
  Why Virtualize? 9
  Decentralization versus Centralization 9
  True Tangible Benefits 13
  Consolidation 15
  Reliability 17
  Security 18
  How Does Virtualization Work? 19
  OS Relationships with the CPU Architecture 20
  The Virtual Machine Monitor and Ring-0 Presentation 22
  The VMM Role Explored 23
  The Popek and Goldberg Requirements 24
  The Challenge: VMMs for the x86 Architecture 25
  Types of Virtualization 26
  Server Virtualization 26
  Storage Virtualization 29
  Network Virtualization 30
  Application Virtualization 31
  Common Use Cases for Virtualization 32
  Technology Refresh 32
  Business Continuity and Disaster Recovery 34
  Proof of Concept Deployments 35
  Virtual Desktops 35
  Rapid Development, Test Lab, and Software Configuration Management 36
  Summary 38
  Solutions Fast Track 38
  Frequently Asked Questions 42

Chapter 2 Choosing the Right Solution for the Task 45
  Introduction 46
  Issues and Considerations That Affect Virtualization Implementations 46
  Performance 47
  Redundancy 47
  Operations 48
  Backups 48
  Security 48
  Evolution 49
  Discovery 49
  Testing 49
  Production 49
  Mobility 50
  Grid 50
  Distinguishing One Type of Virtualization from Another 51
  Library Emulation 51
  Wine 52
  Cygwin 53
  Processor Emulation 53
  Operating System Virtualization 54
  Application Virtualization 54
  Presentation Virtualization 55
  Server Virtualization 55
  Dedicated Hardware 55
  Hardware Compatibility 56
  Paravirtualization 57
  I/O Virtualization 58
  Hardware Virtualization 58
  Summary 60
  Solutions Fast Track 61
  Frequently Asked Questions 62

Chapter 3 Building a Sandbox 63
  Introduction 64
  Sandbox Background 64
  The Visible Sandbox 65
  cwsandbox.exe 68
  cwmonitor.dll 69
  Existing Sandbox Implementations 72
  Describing CWSandbox 74
  Creating a Live-DVD with VMware and CWSandbox 78
  Setting Up Linux 78
  Setting Up VMware Server v1.05 80
  Setting Up a Virtual Machine in VMware Server 80
  Setting Up Windows XP Professional in the Virtual Machine 81
  Setting Up CWSandbox v2.x in Windows XP Professional 82
  Configuring Linux and VMware Server for Live-DVD Creation 83
  Updating Your Live-DVD 85
  Summary 86
  Solutions Fast Track 86
  Frequently Asked Questions 89
  Notes 90
  Bibliography 90

Chapter 4 Configuring the Virtual Machine 91
  Introduction 92
  Resource Management 92
  Hard Drive and Network Configurations 92
  Hard Drive Configuration 93
  Growing Disk Sizes 93
  Virtual Disk Types 93
  Using Snapshots 94
  Network Configuration 94
  Creating an Interface 94
  Bridged 95
  Host-Only 96
  Natted 97
  Multiple Interfaces 98
  Physical Hardware Access 99
  Physical Disks 99
  USB Devices 103
  Interfacing with the Host 104
  Cut and Paste 104
  How to Install the VMware Tools in a Virtual Machine 105
  How to Install the Virtual Machine Additions in Virtual PC 112
  Summary 113
  Solutions Fast Track 113
  Frequently Asked Questions 115

Chapter 5 Honeypotting 117
  Introduction 118
  Herding of Sheep 118
  Honeynets 120
  Gen I 120
  Gen II 121
  Gen III 121
  Where to Put It 121
  Local Network 122
  Distributed Network 122
  Layer 2 Bridges 123
  Honeymole 125
  Multiple Remote Networks 126
  Detecting the Attack 130
  Intrusion Detection 130
  Network Traffic Capture 131
  Monitoring on the Box 132
  How to Set Up a Realistic Environment 133
  Nepenthes 134
  Setting Up the Network 134
  Keeping the Bad Stuff In 140
  Summary 141
  Solutions Fast Track 141
  Frequently Asked Questions 143
  Note 143

Chapter 6 Malware Analysis 145
  Introduction 146
  Setting the Stage 146
  How Should Network Access Be Limited? 147
  Don't Propagate It Yourself 147
  The Researcher May Get Discovered 148
  Create a "Victim" That Is as Close to Real as Possible 148
  You Should Have a Variety of Content to Offer 148
  Give It That Lived-in Look 149
  Making the Local Network More Real 149
  Testing on VMware Workstation 151
  Microsoft Virtual PC 153
  Looking for Effects of Malware 154
  What Is the Malware's Purpose? 154
  How Does It Propagate? 155
  Does the Malware Phone Home for Updates? 155
  Does the Malware Participate in a Bot-Net? 156
  Does the Malware Send the Spoils Anywhere? 156
  Does the Malware Behave Differently Depending on the Domain? 157
  How Does the Malware Hide and How Can It Be Detected? 157
  How Do You Recover from It? 158
  Examining a Sample Analysis Report 159
  The <Analysis> Section 159
  Analysis of 82f78a89bde09a71ef99b3cedb991bcc.exe 160
  Analysis of arman.exe 162
  Interpreting an Analysis Report 167
  How Does the Bot Install? 168
  Finding Out How New Hosts Are Infected 169
  How Does the Bot Protect the Local Host and Itself? 171
  Determining How/Which C&C Servers Are Contacted 174
  How Does the Bot Get Binary Updates? 175
  What Malicious Operations Are Performed? 176
  Bot-Related Findings of Our Live Sandbox 181
  Antivirtualization Techniques 183
  Detecting You Are in a Virtual Environment 184
  Virtualization Utilities 184
  VMware I/O Port 184
  Emulated Hardware Detection 185
  Hardware Identifiers 185
  MAC Addresses 185
  Hard Drives 186
  PCI Identifiers 186
  Detecting You Are in a Hypervisor Environment 187
  Summary 188
  Solutions Fast Track 188
  Frequently Asked Questions 189

Chapter 7 Application Testing 191
  Introduction 192
  Getting Up to Speed Quickly 192
  Default Platform 193
  Copying a Machine in VMware Server 193
  Registering a Machine in Microsoft Virtual Server 195
  Known Good Starting Point 196
  Downloading Preconfigured Appliances 197
  VMware's Appliance Program 197
  Microsoft's Test Drive Program 198
  Debugging 199
  Kernel Level Debugging 199
  The Advantage of Open Source Virtualization 207
  Summary 208
  Solutions Fast Track 208
  Frequently Asked Questions 209

Chapter 8 Fuzzing 211
  Introduction 212
  What Is Fuzzing? 212
  Virtualization and Fuzzing 214
  Choosing an Effective Starting Point 214
  Using a Clean Slate 214
  Reducing Startup Time 215
  Setting Up the Debugging Tools 215
  Preparing to Take Input 217
  Preparing for External Interaction 218
  Taking the Snapshot 218
  Executing the Test 219
  Scripting Snapshot Startup 219
  Interacting with the Application 220
  Selecting Test Data 221
  Checking for Exceptions 222
  Saving the Results 223
  Running Concurrent Tests 223
  Summary 225
  Solutions Fast Track 225
  Frequently Asked Questions 227

Chapter 9 Forensic Analysis 229
  Introduction 230
  Preparing Your Forensic Environment 231
  Capturing the Machine 232
  Preparing the Captured Machine to Boot on New Hardware 238
  What Can Be Gained by Booting the Captured Machine? 239
  Virtualization May Permit You to Observe Behavior That Is Only Visible While Live 242
  Using the System to Demonstrate the Meaning of the Evidence 242
  The System May Have Proprietary/Old Files That Require Special Software 242
  Analyzing Time Bombs and Booby Traps 243
  Easier to Get in the Mind-Set of the Suspect 243
  Collecting Intelligence about Botnets or Virus-Infected Systems 244
  Collecting Intelligence about a Case 244
  Capturing Processes and Data in Memory 245
  Performing Forensics of a Virtual Machine 245
  Caution: VM-Aware Malware Ahead 247
  Summary 249
  Solutions Fast Track 249
  Frequently Asked Questions 253

Chapter 10 Disaster Recovery 255
  Introduction 256
  Disaster Recovery in a Virtual Environment 256
  Simplifying Backup and Recovery 257
  File Level Backup and Restore 257
  System-Level Backup and Restore 258
  Shared Storage Backup and Restore 259
  Allowing Greater Variation in Hardware Restoration 261
  Different Number of Servers 262
  Using Virtualization for Recovery of Physical Systems 262
  Using Virtualization for Recovery of Virtual Systems 263
  Recovering from Hardware Failures 265
  Redistributing the Data Center 265
  Summary 267
  Solutions Fast Track 268
  Frequently Asked Questions 269

Chapter 11 High Availability: Reset to Good 271
  Introduction 272
  Understanding High Availability 272
  Providing High Availability for Planned Downtime 273
  Providing High Availability for Unplanned Downtime 274
  Reset to Good 275
  Utilizing Vendor Tools to Reset to Good 275
  Utilizing Scripting or Other Mechanisms to Reset to Good 277
  Degrading over Time 277
  Configuring High Availability 278
  Configuring Shared Storage 278
  Configuring the Network 278
  Setting Up a Pool or Cluster of Servers 279
  Maintaining High Availability 280
  Monitoring for Overcommitment of Resources 280
  Security Implications 281
  Performing Maintenance on a High Availability System 282
  Summary 284
  Solutions Fast Track 285
  Frequently Asked Questions 287

Chapter 12 Best of Both Worlds: Dual Booting 289
  Introduction 290
  How to Set Up Linux to Run Both Natively and Virtually 290
  Creating a Partition for Linux on an Existing Drive 291
  Setting Up Dual Hardware Profiles 295
  Issues with Running Windows Both Natively and Virtualized 296
  Precautions When Running an Operating System on Both Physical and Virtualized Platforms 296
  Booting a Suspended Partition 296
  Deleting the Suspended State 297
  Changing Hardware Configurations Can Affect Your Software 297
  Summary 299
  Solutions Fast Track 299
  Frequently Asked Questions 300

Chapter 13 Protection in Untrusted Environments 301
  Introduction 302
  Meaningful Uses of Virtualization in Untrusted Environments 302
  Levels of Malware Analysis Paranoia 308
  Using Virtual Machines to Segregate Data 316
  Using Virtual Machines to Run Software You Don't Trust 318
  Using Virtual Machines for Users You Don't Trust 321
  Setting Up the Client Machine 322
  Installing Only What You Need 322
  Restricting Hardware Access 322
  Restricting Software Access 322
  Scripting the Restore 323
  Summary 325
  Solutions Fast Track 325
  Frequently Asked Questions 327
  Notes 328

Chapter 14 Training 329
  Introduction 330
  Setting Up Scanning Servers 330
  Advantages of Using a Virtual Machine instead of a Live-CD Distribution 331
  Persistence 331
  Customization 331
  Disadvantages of Using a Virtual Machine instead of a Live-CD 332
  Default Platforms 332
  Scanning Servers in a Virtual Environment 333
  Setting Up Target Servers 334
  Very "Open" Boxes for Demonstrating during Class 335
  Suggested Vulnerabilities for Windows 335
  Suggested Vulnerabilities for Linux 336
  Suggested Vulnerabilities for Application Vulnerability Testing 336
  Creating the Capture-the-Flag Scenario 339
  Harder Targets 339
  Snapshots Saved Us 340
  Require Research to Accomplish the Task 341
  Introduce Firewalls 341
  Multiple Servers Requiring Chained Attacks 341
  Adding Some Realism 342
  Lose Points for Damaging the Environment 342
  Demonstrate What the Attack Looks Like on IDS 343
  Out Brief 343
  Cleaning Up Afterward 343
  Saving Your Back 344
  Summary 345
  Solutions Fast Track 345
  Frequently Asked Questions 347

Index 349