xs boston 2008 malware & training

Post on 25-Jul-2015


June 23, 2008

Stephen Brueckner, ATC-NY

Ithaca, NY

Novel Applications of Xen: Virtual Training & Malware Evaluation

ATC-NY (Architecture Technology Corporation)

ATC-NY 08-018 Xen Summit Boston 2008

Slide 2: Introduction

- Novel applications
  - Not typical enterprise usage
  - User works both inside & outside VMs
  - One user interacts with many VMs
  - Minimize external footprint inside VMs
- User space
  - Minimal changes to Xen
  - Scripting using “xm” commands

Slide 3: Projects

- CYDEST (virtual training environment)
  - Management interface
  - Automating access to VM internals
- EXAMIN (malware testing environment)
  - VM configuration tool
  - VM introspection work
- Started 3 and 2 years ago, respectively

Slide 4: Objectives

- Inform you of our projects’ requirements
- Show you the tools we developed
- Describe Xen features we built upon
  - While seeking advice on alternatives
- Provide feedback to Xen community
  - Problems
  - Wish lists
  - Questions

Slide 5: CYDEST: Cyber Defense Trainer

- Realism
  - Real attacks & defense tools
  - Both network and hosts
  - Full fidelity (not a simulator)
- Availability
  - Web access
  - Up 24/7/365
- Automation
  - Auto-assessment
  - Automated dynamic attacks

Slide 6: CYDEST Architecture (diagram slide; no text captured in the transcript)

Slide 7: Trainee’s Management Interface

- Goal: maintain trainee’s situational awareness
- Graphical representation (with labels)
  - Net topology, hostnames, IPs, OSs
- Component status (using colors)
  - VMs & bridges: “up,” down, booting/shutting down
- Controls (buttons)
  - Start, Stop, VNC
- Implementation
  - Web-enabled
  - Manually configured

Slide 8: CYDEST Management GUI (screenshot slide; no text captured in the transcript)

Slide 9: Monitor & Control Channels

- Requirements
  - Automatable
  - Out-of-band (network traffic not visible to trainee)
  - Reliable (not network dependent)
- Solution
  - Separate networks (physical & virtual)
  - Use guest’s serial consoles
  - Program to negotiate guest interaction
- Consoles to control Windows VMs
  - Windows serial console listener and shell
  - Unfortunately, violates guest sanctity

Slide 10: CYDEST Network Separation (diagram slide; no text captured in the transcript)

Slide 11: Monitor & Control Channels (cont.)

- open2xm.pl
  - Automated console interactions
  - Queueing of access requests
  - External & internal timeouts
  - Buffering I/O (for processes, not humans)
  - XML encapsulation (separation of stdout and stderr)
  - Handles login (handles various users & prompts)
  - Batch mode
- Implementation
  - Scripted using “xm console”
  - Currently experimenting with Xen API (XML-RPC)
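The slide lists what open2xm.pl does over a guest's serial console; the following is an added example (not ATC-NY's script) showing the core of such a channel: tagging stdout and stderr differently so they survive a single console stream, recovering the exit status, wrapping the result in XML, and enforcing an external timeout. It assumes a local sh as a stand-in for the guest shell; a CYDEST deployment would write the wrapped line to the guest over "xm console" and read the tagged lines back from the same stream.

```python
import subprocess
import xml.etree.ElementTree as ET

# Added example, not ATC-NY's open2xm.pl. Assumption: the wrapped command runs
# in a local sh as a stand-in for the guest's shell reached over "xm console".

def wrap_command(cmd):
    """Tag every stdout line 'O:', every stderr line 'E:', then append the exit status.

    The command runs in a subshell so an 'exit' inside it cannot skip the status line;
    stdout is routed to fd 3 (the 'O:' tagger) and stderr to the 'E:' tagger, whose
    output is sent to fd 4, the console itself.
    """
    return ("{ { { ( %s ); echo \"__RC__=$?\"; } 2>&1 1>&3 3>&- | sed 's/^/E:/' >&4; }"
            " 3>&1 | sed 's/^/O:/'; } 4>&1" % cmd)

def parse_console_stream(text):
    """Split the tagged console stream back into (stdout, stderr, exit status)."""
    out, err, rc = [], [], None
    for line in text.splitlines():
        if line.startswith("O:__RC__="):
            rc = int(line[len("O:__RC__="):])
        elif line.startswith("O:"):
            out.append(line[2:])
        elif line.startswith("E:"):
            err.append(line[2:])
    return "\n".join(out), "\n".join(err), rc

def to_xml(cmd, out, err, rc, timed_out=False):
    """XML encapsulation: stdout and stderr stay separate, with the exit status."""
    root = ET.Element("result", cmd=cmd, timed_out=str(timed_out).lower())
    ET.SubElement(root, "stdout").text = out
    ET.SubElement(root, "stderr").text = err
    ET.SubElement(root, "rc").text = "" if rc is None else str(rc)
    return ET.tostring(root, encoding="unicode")

def run_over_console(cmd, timeout):
    """External timeout: give up on the whole exchange after `timeout` seconds,
    returning whatever partial output was already read."""
    try:
        proc = subprocess.run(["sh", "-c", wrap_command(cmd)], capture_output=True,
                              text=True, timeout=timeout)
    except subprocess.TimeoutExpired as exc:
        partial = exc.stdout or b""
        if isinstance(partial, bytes):
            partial = partial.decode(errors="replace")
        out, err, rc = parse_console_stream(partial)
        return to_xml(cmd, out, err, rc, timed_out=True)
    out, err, rc = parse_console_stream(proc.stdout)
    return to_xml(cmd, out, err, rc)

if __name__ == "__main__":
    print(run_over_console("echo hi; echo oops >&2; exit 3", timeout=10))
```

Line order between the two taggers is not preserved across streams, which is why the status line and the tags, not position, carry the meaning.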

Slide 12: EXAMIN: Exploit and Malware Incubator

- A testing/reverse engineering platform
- Motivation:
  - Closed-source software has uncertain pedigree
  - May therefore include embedded malicious code
- Virtualization is a common approach
  - VM detection currently an anti-tamper technique…
  - Not anticipated to be an issue in the future

Slide 13: EXAMIN Design

- Native kernels (HVMs)
  - Stealthy malware may not execute in paravirt
  - E.g., LKM rootkit expecting “sysenter_entry”
- Components
  - Incubator: the VM network
  - Instrumentation
    - Internal: standard tools
    - External: VM introspection

Slide 14: EXAMIN Incubator Creation

- Objective: user-configurable heterogeneous VM network
- Virtual Network Builder (VNB)
  - Front-end topology editor
  - Back-end VM provisioning
    - Linux (dead image manipulation): mount, chroot, rpm
    - Windows (provisioning live VMs): because the registry can’t be modified w/o the Win API

Slide 15: EXAMIN VNB (screenshot slide; no text captured in the transcript)

Slide 16: EXAMIN External Instrumentation

- High-assurance security monitoring services
  - VM introspection of guest kernel’s memory
  - Using XenAccess (open source introspection library)
- Current services:
  - Integrity checking kernel & processes
    - Code segments
    - Specific structures (IDT, system call table)
    - “Mostly static” structures (module list)
  - Cross-view checking
  - High-assurance versions of standard HIDS
  - NIDS (not true VM introspection)
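The slide names the checks but not their logic; the following is an added example (not EXAMIN's code) of the detection side of those services: decoding 32-bit IDT gate descriptors read from guest memory, checking IDT and system call table entries against a trusted baseline and the kernel text bounds, and a cross-view comparison of the module list. All guest data and addresses are constructed; in EXAMIN the reads would come through an introspection library such as XenAccess and the baseline from a trusted boot of the same image.

```python
import struct

# Added example, not EXAMIN's code. Constructed 32-bit guest data: in a real
# deployment the bytes and addresses would be read from guest memory through an
# introspection library such as XenAccess, and the baseline recorded at a trusted boot.
KERNEL_TEXT = (0xC0100000, 0xC0400000)          # constructed .text bounds (lo, hi)

def parse_idt_gate(raw8):
    """Decode a 32-bit IDT gate descriptor: the handler offset is split in two halves."""
    off_lo, _sel, _zero, _attr, off_hi = struct.unpack("<HHBBH", raw8)
    return (off_hi << 16) | off_lo

def idt_handlers(idt_bytes):
    """Handler address of every 8-byte gate in a raw IDT image."""
    return [parse_idt_gate(idt_bytes[i:i + 8]) for i in range(0, len(idt_bytes), 8)]

def check_pointer_table(name, current, baseline, text_range=KERNEL_TEXT):
    """Flag entries that left kernel .text (typical of a hook in a loaded module) or
    that still point into .text but no longer match the baseline."""
    lo, hi = text_range
    findings = []
    for i, addr in enumerate(current):
        if not lo <= addr < hi:
            findings.append((f"{name}[{i}]", "outside kernel text", addr))
        elif addr != baseline[i]:
            findings.append((f"{name}[{i}]", "differs from baseline", addr))
    return findings

def hidden_modules(internal_view, external_view):
    """Cross-view check: modules found by walking kernel memory from outside the VM
    but missing from what the guest's own tools report."""
    return sorted(set(external_view) - set(internal_view))

def _gate(handler):
    """Constructed present 32-bit interrupt gate (selector 0x60) for the sample IDT."""
    return struct.pack("<HHBBH", handler & 0xFFFF, 0x60, 0, 0x8E, handler >> 16)

BASE_IDT = [0xC0105000, 0xC0105100, 0xC0105200]                    # constructed baseline
CUR_IDT_BYTES = b"".join(_gate(h) for h in [0xC0105000, 0xD0810000, 0xC0105200])
BASE_SYSCALLS = [0xC0101A00, 0xC0101B10, 0xC0101C20]               # constructed baseline
CUR_SYSCALLS = [0xC0101A00, 0xC0101B10, 0xC0102000]                # entry 2 repointed

def run_checks():
    findings = check_pointer_table("IDT", idt_handlers(CUR_IDT_BYTES), BASE_IDT)
    findings += check_pointer_table("sys_call_table", CUR_SYSCALLS, BASE_SYSCALLS)
    hidden = hidden_modules(["e1000", "ext3"], ["e1000", "ext3", "sneaky"])  # constructed
    return findings, hidden

if __name__ == "__main__":
    findings, hidden = run_checks()
    for what, why, addr in findings:
        print(f"{what}: {why} (0x{addr:08X})")
    print("modules hidden from the guest:", hidden)
```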

Slide 17: EXAMIN: Bridging the Semantic Gap (diagram slide; no text captured in the transcript)

Slide 18: Bridging the Semantic Gap: Preview of WIP

- Automated
  - Determine data structure layouts and magic numbers
- Generalizable to most OSs
  - Implemented for both Linux and Windows
- Run same code on host and guest
  - No learning curve for a new language or API
  - Ease porting of existing apps
- Attend VMsec/CCS in October for details
  - Paper submitted…

Slide 19: Problems

- EXAMIN: guest isolation guarantees important
  - Continuous security bug fixes
  - Hypervisor inspection/validation concept practical?
  - Others are working hard on this
- Xen’s rapid development
  - Changing APIs
  - Emerging tools
  - Both are poorly documented

Slide 20: Wish List

- Faster serial console or equivalent channel
  - EXAMIN’s cross-view checking needs to stream large pcap files from guest to host
- Multiple serial consoles
  - CYDEST’s queueing of simultaneous access requests isn’t optimal
- Limit of >3 vifs on a guest?
  - Never mind… new Xen handles up to 8 vifs

Slide 21: Questions

- Are there other management interfaces we should look at?
- We have unusual requirements
  - Graph-drawing capability for network topology
  - Integrated remote VNC/shell access
  - Display & control of bridges
  - Display of VM internals (hostnames, IPs, OSs)
  - Web browser interface

Slide 22: Questions (cont.)

- Are there other VM builders we should be considering?
  - MLN was originally UML, not a very active project
- Our requirements:
  - GUI network builder
  - VM configuration: network, users, software
  - Support Linux and Windows

Slide 23: Contact Information

ATC-NY, Cornell Business & Technology Park, 33 Thornwood Drive, Suite 500, Ithaca, NY 14850

Technical Contacts: Mr. Stephen Brueckner, PI (steve@atc-nycorp.com); Dr. Frank Adelstein, Co-PI (fadelstein@atc-nycorp.com); phone (607) 266-7118, (607) 266-7104

Management Contact / Business Development Contact: Ms. Julie Baker (jbaker@atc-nycorp.com); Mr. Gene Proctor (gproctor@atcorp-dc.com); phone (607) 266-7125, (202) 293-9701 x113
