Memory Forensics using Virtual Machine Introspection for Cloud Computing. Tobias Zillner, BSc MSc MSc

Similar documents
Run-Time Deep Virtual Machine Introspection & Its Applications

Virtualization for Cloud Computing

Distributed and Cloud Computing

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Full and Para Virtualization

How To Stop A Malicious Process From Running On A Hypervisor

Week Overview. Installing Linux Linux on your Desktop Virtualization Basic Linux system administration

Evasion Resistant Intrusion Detection Framework at Hypervisor Layer in Cloud

GUEST OPERATING SYSTEM BASED PERFORMANCE COMPARISON OF VMWARE AND XEN HYPERVISOR

An overwhelming majority of IaaS clouds leverage virtualization for their foundation.

Virtual Machine Security

VMware Server 2.0 Essentials. Virtualization Deployment and Management

Virtualization Technology. Zhiming Shen

SECURITY MODELS FOR CLOUD Kurtis E. Minder, CISSP

Security Management of Cloud-Native Applications. Presented By: Rohit Sharma MSc in Dependable Software Systems (DESEM)

Hypervisor-Based, Hardware-Assisted System Monitoring

STeP-IN SUMMIT June 18 21, 2013 at Bangalore, INDIA. Performance Testing of an IAAS Cloud Software (A CloudStack Use Case)

Distributed Systems. Virtualization. Paul Krzyzanowski

A Hypervisor IPS based on Hardware assisted Virtualization Technology

Basics of Virtualisation

Building Docker Cloud Services with Virtuozzo

Virtualization Technologies (ENCS 691K Chapter 3)

How To Create A Cloud Based System For Aaas (Networking)

CHAPTER 2 THEORETICAL FOUNDATION

Control Tower for Virtualized Data Center Network

Virtualization. Jukka K. Nurminen

Stephen Coty Director, Threat Research

Desktop virtualization using SaaS Architecture

Virtualization and the U2 Databases

Securing your Virtual Datacenter. Part 1: Preventing, Mitigating Privilege Escalation

2) Xen Hypervisor 3) UEC

Development of Type-2 Hypervisor for MIPS64 Based Systems

Lecture 2 Cloud Computing & Virtualization. Cloud Application Development (SE808, School of Software, Sun Yat-Sen University) Yabo (Arber) Xu

Virtual Machine Monitors. Dr. Marc E. Fiuczynski Research Scholar Princeton University

Hypervisors. Introduction. Introduction. Introduction. Introduction. Introduction. Credits:

Tamper-Resistant, Application-Aware Blocking of Malicious Network Connections

Installing & Using KVM with Virtual Machine Manager COSC 495

Virtual Hosting & Virtual Machines

CMPS223 Final Project Virtual Machine Introspection Techniques

SPACK FIREWALL RESTRICTION WITH SECURITY IN CLOUD OVER THE VIRTUAL ENVIRONMENT

RPM Brotherhood: KVM VIRTUALIZATION TECHNOLOGY

COS 318: Operating Systems. Virtual Machine Monitors

Virtual Switching Without a Hypervisor for a More Secure Cloud

Virtualization. Pradipta De

Uses for Virtual Machines. Virtual Machines. There are several uses for virtual machines:

CIT 668: System Architecture

How to Secure Infrastructure Clouds with Trusted Computing Technologies

Virtualization System Security

Regional SEE-GRID-SCI Training for Site Administrators Institute of Physics Belgrade March 5-6, 2009

Detection of virtual machine monitor corruptions

Attacking Hypervisors via Firmware and Hardware

The Xen of Virtualization

Intel s Virtualization Extensions (VT-x) So you want to build a hypervisor?

Chapter 5 Cloud Resource Virtualization

ProMoX: A Protocol Stack Monitoring Framework

Making Data Security The Foundation Of Your Virtualization Infrastructure

Microkernels, virtualization, exokernels. Tutorial 1 CSC469

SURVEY ON VIRTUALIZATION VULNERABILITIES

Full System Emulation:

Intro to Virtualization

Are Cache Attacks on Public Clouds Practical?

Analysis on Virtualization Technologies in Cloud

IT Networking and Security

Security Model for VM in Cloud

Virtualization & Cloud Computing (2W-VnCC)

Compromise-as-a-Service

Security Considerations in Cloud Deployments Matthew Garrett

VMware Security Briefing. Rob Randell, CISSP Senior Security Specialist SE

Survey on virtual machine security

Unmasking Virtualization Security. Eric A. Hibbard, CISSP, CISA Hitachi Data Systems

Computer Science. About PaaS Security. Donghoon Kim Henry E. Schaffer Mladen A. Vouk

Chapter 14 Virtual Machines

Peter Ruissen Marju Jalloh

Distributed System Monitoring and Failure Diagnosis using Cooperative Virtual Backdoors

Satish Mohan. Head Engineering. AMD Developer Conference, Bangalore

Enabling Technologies for Distributed Computing

Virtualization in Linux KVM + QEMU

Introduction to Virtualization & KVM

CLOUD SERVICE SCHEDULE

Windows Azure Security

Exploiting the x86 Architecture to Derive Virtual Machine State Information

Chapter 2 Addendum (More on Virtualization)

Computing in High- Energy-Physics: How Virtualization meets the Grid

Virtualization. Types of Interfaces

Windows Server Virtualization & The Windows Hypervisor

Index. BIOS rootkit, 119 Broad network access, 107

Red Hat enterprise virtualization 3.0 feature comparison

Intel Cloud Builder Guide: Cloud Design and Deployment on Intel Platforms

Type-C Ubuntu Product & Strategy Canonical Ltd.

IT Networking and Security

Jukka Ylitalo Tik TKK, April 24, 2006

Deploying Business Virtual Appliances on Open Source Cloud Computing

Before we can talk about virtualization security, we need to delineate the differences between the

SCSI support on Xen. MATSUMOTO Hitoshi Fujitsu Ltd.

Transcription:

Memory Forensics using Virtual Machine Introspection for Cloud Computing Tobias Zillner, BSc MSc MSc

About Me Tobias Zillner, BSc MSc MSc Vienna, Austria Founder of Zillner IT-Security Independent Security Consultant & Researcher Consulting, Audit, Advisory, Training Security Research Internet of Things, Smart Homes Wireless Security www.zillner.tech SDR Enthusiast

What is it about? And why do we need it?

Outline Introduction & Background Virtual Machine Introspection (VMI) Use cases Prototype Summary

Motivation Relocation of systems and services into cloud environments is on the rise Users loose direct access / control over their systems Forensic methods are limited in the cloud Enable the user to perform their own forensic investigations Forensic as a Service

Memory forensics & Virtual machine Introspection

Forensic Process Collection Examination Analysis Reporting Media Data Information Evidence

Hardware virtualization One / Multiple guest OS on virtualized hardware Managed by Virtual Machine Monitor (VMM) Hypervisor Provides interfaces and controls interactions with hardware CPU, memory, network, storage, Hypervisor on own OS Host OS

Native vs. hosted virtualization Application Application Application Guest OS Application Application Application Guest OS Application Application Guest OS Application Application Application Guest OS Hypervisor Application Application Application Hypervisor Hardware Native virtualization Host OS Hardware Hosted virtualization

Virtual machine Introspection Virtual Introspection (VI) is the process by which the state of a virtual machine (VM) is observed from either the Virtual Machine Monitor (VMM), or from some virtual machine other than the one being examined. 1 1 : Brian Hay and Kara Nance. Forensics examination of volatile system data using virtual introspection. SIGOPS Oper. Syst. Rev., 42(3):74 82, April 2008

Semantic gap Difference between the presentation of data from volatile memory by the OS and the raw data format Requires VMI to perform the same translation of the the raw memory data as the OS At least some knowledge about the guest OS is necessary

How does it work? http://libvmi.com/docs/gcode-intro.html

Advantages No altering of the target system Very hard to detect the monitoring Live analysis of memory content Data size for analysis (storage much larger than memory) Detection of advanced memory only malware More reliable data No data corruption through malware

Countermeasures Detection Timing analysis - unusual patterns in the frequency at which it is scheduled for execution Page fault analysis - the target VM may be able to detect unusual patterns in the distribution of page faults Direct Kernel Structure Manipulation (DKSM) VMI assumes that OS implement certain kernel- and data structures DKSM modifies this structures and prevents monitoring Sytanx based: targeted deletion/addition/manipulation of data structures Sematic: semantics of the data structures are changed Combined: mix of syntax and semantics manipulation

Fields of application Examples Rootkit detection Manipulation of memory access Interception of system calls Cryptographic key extraction On the fly encrypted container Network forensics IDS / IPS

Prototype

Solution approach Combining existing tools for a novel approach Open Source Minimal overhead Transparent for the user

Architecture Cloud Solution Open Nebula Cloud Management Server Memory Forensic Services VMI Library LibVMI Cloud Node Host OS Ubuntu Forensic Tool Volatility Hypervisor - Xen Guest VM

VM1 VM2 Dom U Dom U Dom 0 Hypervisor Cloud Node Cloud Control Services Cloud Management Server

VM1 VM2 Forensic Tool Memory Forensic Service VMI Library Dom U Dom U Dom 0 Hypervisor Cloud Node Cloud Control Services Memory Forensic Service Cloud Management Server

Open nebula extensions www.opennebula.org

Memory forensic services Self developed management and control services Client Server model Platform independent PKI for secure communication Command whitelisting

Forensic Process Collection Examination Analysis Reporting Media Data Information Evidence

Forensic Process OS on Cloud Node Data provided by LibVMI Collected by Volatility Collection Examination Analysis Reporting Media Data Information Evidence

Forensic Process OS on Cloud Node Collected data checked by Volatility Data extraction for forensic purpose Collection Examination Analysis Reporting Media Data Information Evidence

Forensic Process Partially OS on Cloud Node Collected data checked by Volatility Partially on user system Analysis with additional tools by user Collection Examination Analysis Reporting Media Data Information Evidence

Forensic Process Completely on user system Collection Examination Analysis Reporting Media Data Information Evidence

Advantages User gets easy access to the data No changes on the target VM necessary Memory analysis not on the possibly compromised system No stop/pausing of the analyzed machine required Operation of the VM does not get influenced Analysis can be done either local or over the network Reduction of local load / network load Usage of existing authentication and authorization system

Disadvantages Configuration necessary Knowledge about the guest OS required Installation overhead for cloud provider Additional attack surface Security is crucial for the added services User segregation is very important

LibVMI config example

Volatility / Libvmi usage

Use case Kernel level root kit detection Modifying of data structures, which display the processes currently running on the system System call interception Interrupt hooking Modifying the kernel memory image Intercepting calls handled by the VFS Virtual memory subversion

Use case Enduser VM in Iaas cloud

Demo

Summary

Summary Investigations in cloud environments get more and more common Hypervisor forensics VMI is a very interesting solution approach Fully Open Source based working prototype Enables fast responses to security incidents Lot of room for enhancements Different use cases for VMI in clouds possible

Black hat sound bytes Hypervisor forensics / VMI are very powerful and interesting technologies FaaS gives power to the end user Memory analysis is a huge benefit for forensic investigations

Q & A Please fill out the Black Hat Feedback Form

Contact Tobias Zillner tobias@zillner.tech www.zillner.tech +43 664 8829 8290

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information