Scribd Logo
Hochladen

Willkommen bei Scribd!

  • Novel Applications of Xen: Virtual Training & Malware Evaluation

    Hochgeladen von

    Pranav Wadhwani
    38 Ansichten23 Seiten
    This document summarizes two novel applications of the Xen virtualization platform: CYDEST, a virtual training environment for cyber defense, and EXAMIN, a malware testing environment. CYDEST allows for automated dynamic attacks in realistic virtual networks to train cyber defenders. EXAMIN uses a network of heterogeneous virtual machines and external instrumentation to safely test and reverse engineer malware. The document discusses the architectures and tools developed for these projects and seeks feedback on improving Xen support for their needs.

    Originalbeschreibung:

    Originaltitel

    Brueckner_XenSummit08.pdf

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Verfügbare Formate

    PDF, TXT oder online auf Scribd lesen

    Stufen Sie dieses Dokument als nützlich ein?

    Sind diese Inhalte unangemessen?

    Dieses Dokument melden
    This document summarizes two novel applications of the Xen virtualization platform: CYDEST, a virtual training environment for cyber defense, and EXAMIN, a malware testing environment. CYDEST allows for automated dynamic attacks in realistic virtual networks to train cyber defenders. EXAMIN uses a network of heterogeneous virtual machines and external instrumentation to safely test and reverse engineer malware. The document discusses the architectures and tools developed for these projects and seeks feedback on improving Xen support for their needs.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Als PDF, TXT herunterladen oder online auf Scribd lesen
    Markieren Sie unangemessene Inhalte
    38 Ansichten23 Seiten

    Novel Applications of Xen: Virtual Training & Malware Evaluation

    Hochgeladen von

    Pranav Wadhwani
    This document summarizes two novel applications of the Xen virtualization platform: CYDEST, a virtual training environment for cyber defense, and EXAMIN, a malware testing environment. CYDEST allows for automated dynamic attacks in realistic virtual networks to train cyber defenders. EXAMIN uses a network of heterogeneous virtual machines and external instrumentation to safely test and reverse engineer malware. The document discusses the architectures and tools developed for these projects and seeks feedback on improving Xen support for their needs.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Als PDF, TXT herunterladen oder online auf Scribd lesen
    Markieren Sie unangemessene Inhalte
    von 23

    Novel Applications of Xen: Virtual Training & Malware Evaluation

    June 23, 2008 Stephen Brueckner ATC-NY Ithaca, NY

    ATC-NY
    Architecture Technology Corporation

    Introduction
    Novel applications
    Not typical enterprise usage User works both inside & outside VMs One user interacts with many VMs Minimize external footprint inside VMs

    User space

    Minimal changes to Xen Scripting using xm commands

    ATC-NY 08-018

    Xen Summit Boston 2008

    Projects
    CYDEST (virtual training environment)
    Management interface Automating access to VM internals

    EXAMIN (malware testing environment)


    VM configuration tool VM introspection work

    Started 3 and 2 years ago, respectively

    ATC-NY 08-018

    Xen Summit Boston 2008

    Objectives
    Inform you of our projects requirements Show you the tools we developed
    Describe Xen features we built upon
    While seeking advice on alternatives

    Provide feedback to Xen community


    Problems Wish lists Questions

    ATC-NY 08-018

    Xen Summit Boston 2008

    CYDEST: Cyber Defense Trainer


    Realism
    Real attacks & defense tools Both network and hosts Full fidelity (not a simulator) Web access Up 24/7/365 Auto-assessment Automated dynamic attacks

    Availability

    Automation

    ATC-NY 08-018

    Xen Summit Boston 2008

    CYDEST Architecture

    ATC-NY 08-018

    Xen Summit Boston 2008

    Trainees Management Interface


    Goal: Maintain trainees situational awareness Graphical representation (with labels) Component Status (using colors) Controls (buttons) Implementation
    Start, Stop, VNC Net topology, hostnames, IPs, OSs VMs & bridges: up, down, booting/shutting down

    Web-enabled Manually configured

    ATC-NY 08-018

    Xen Summit Boston 2008

    CYDEST Management GUI

    ATC-NY 08-018

    Xen Summit Boston 2008

    Monitor & Control Channels


    Requirements
    Automatable Out-of-band (network traffic not visible to trainee) Reliable (not network dependent) Separate networks (physical & virtual ) Use guests serial consoles Program to negotiate guest interaction Windows serial console listener and shell
    Unfortunately, violates guest sanctity
    9

    Solution

    Consoles to control Windows VMs

    ATC-NY 08-018

    Xen Summit Boston 2008

    CYDEST Network Separation

    ATC-NY 08-018

    10

    Xen Summit Boston 2008

    Monitor & Control Channels (cont.)


    open2xm.pl
    Automated console interactions Queueing of access requests External & internal timeouts Buffering I/O (for processes, not humans) XML encapsulation (separation of stdout and sterr) Handles login (handles various users & prompts) Batch mode Scripted using xm console Currently experimenting with Xen API (XML RPC)
    11
    Xen Summit Boston 2008

    Implementation

    ATC-NY 08-018

    EXAMIN: Exploit and Malware Incubator


    A testing/reverse engineering platform Motivation:
    Closed-sourced software has uncertain pedigree May therefore include embedded malicious code

    Virtualization is common approach

    VM detection currently an anti-tamper technique Not anticipated to be an issue in the future

    ATC-NY 08-018

    12

    Xen Summit Boston 2008

    EXAMIN Design
    Native kernels (HVMs)
    Stealthy malware may not execute in paravirt
    E.g., LKM rootkit expecting sysenter_entry

    Components

    Incubator: the VM network Instrumentation

    Internal: standard tools External: VM introspection

    ATC-NY 08-018

    13

    Xen Summit Boston 2008

    EXAMIN Incubator Creation


    Objective:
    User-configurable heterogeneous VM network

    Virtual Network Builder (VNB)


    Front-end topology editor Back-end VM provisioning
    mount, chroot, rpm

    Linux (dead image manipulation) Windows (provisioning live VMs)


    Because registry cant be modified w/o Win API

    ATC-NY 08-018

    14

    Xen Summit Boston 2008

    EXAMIN VNB

    ATC-NY 08-018

    15

    Xen Summit Boston 2008

    EXAMIN External Instrumentation


    High-assurance security monitoring services Current services:
    VM introspection of guest kernels memory Using XenAccess (open source introspection library) Integrity checking kernel & processes

    Cross-view checking High assurance versions of standard HIDS NIDS (not true VM introspection)
    Xen Summit Boston 2008

    Code segments Specific structures (IDT, system call table) Mostly static structures (module list)

    ATC-NY 08-018

    16

    EXAMIN: Bridging Semantic Gap

    ATC-NY 08-018

    17

    Xen Summit Boston 2008

    Bridging Semantic Gap: Preview of WIP


    Automated Generalizable to most OSs
    Determine data structure layouts and magic numbers Implemented for both Linux and Windows No learning curve for a new language or API Ease porting of existing apps Paper submitted

    Run same code on host and guest

    Attend VMsec/CCS in October for details

    ATC-NY 08-018

    18

    Xen Summit Boston 2008

    Problems
    EXAMIN: guest isolation guarantees important
    Continuous security bug fixes Hypervisor inspection/validation concept practical? Others are working hard on this

    Xens rapid development

    Changing APIs Emerging tools Both are poorly documented

    ATC-NY 08-018

    19

    Xen Summit Boston 2008

    Wish List
    Faster serial console or equivalent channel
    EXAMINs cross-view checking needs to stream large pcap files from guest to host

    Multiple serial consoles

    CYDESTs queueing of simultaneous access requests isnt optimal

    Limit of >3 vifs on a guest?

    Never mindnew Xen handles up to 8 vifs

    ATC-NY 08-018

    20

    Xen Summit Boston 2008

    Questions
    Are there other management interfaces we should look at? We have unusual requirements

    Graph-drawing capability for network topology Integrated remote VNC/shell access Display & control of bridges Display of VM internals (hostnames, IPs, OSs) Web browser interface

    ATC-NY 08-018

    21

    Xen Summit Boston 2008

    Questions (cont.)
    Are there other VM builders we should be considering? Our requirements:
    MLN was originally UML, not a very active project

    GUI network builder VM configuration: network, users, software Support Linux and Windows

    ATC-NY 08-018

    22

    Xen Summit Boston 2008

    Contact Information
    ATC-NY Cornell Business & Technology Park 33 Thornwood Drive, Suite 500 Ithaca, NY 14850 Technical Contacts: Mr. Stephen Brueckner, PI (607) 266-7118 steve@atc-nycorp.com Management Contact: Ms. Julie Baker (607) 266-7125 jbaker@atc-nycorp.com Dr. Frank Adelstein, Co-PI (607) 266-7104 fadelstein@atc-nycorp.com Business Development Contact: Mr. Gene Proctor (202) 293-9701 x113 gproctor@atcorp-dc.com

    ATC-NY 08-018

    23

    Xen Summit Boston 2008

    Das könnte Ihnen auch gefallen