Security of virtual machines

Friday, April 20. 2007
Tavis Ormandy just gave an interesting presentation at CanSecWest'07 about the security of virtual machines (QEMU, VMware, Bochs, ...) entitled "An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environment". Using fuzzing and other techniques, he managed to find quite a few bugs in popular VMs, amongst others:
  • heap overflow in QEMU's NE2000 network device
  • heap overflow in QEMU's VGA code
  • vulnerability in VMware's power management code

For example, his summary for the security of QEMU is:
An attacker with access to a QEMU virtualized environment could potentially compromise the virtual machine process and execute arbitrary code with the privileges of the emulator. Malware being studied inside QEMU, even in an unprivileged state, can terminate the virtual machine safely and reliably.

Regarding malware analysis, these results presumably mean that the analysis should be carried out on a native machine with some kind of restore card, since we cannot trust the malware code. We use such a setup within CWSandbox and the results look promising.

Tavis also released a paper describing the results in detail; it also includes some proof-of-concept demos. His presentation will soon be available on the CanSec website.

Abstract
As virtual machines become increasingly commonplace as a method of separating hostile or hazardous code from commodity systems, the potential security exposure from implementation flaws has increased dramatically. This paper investigates the state of popular virtual machine implementations for x86 systems, employing a combination of source code auditing and blackbox random testing to assess the security exposure to the hosts of hostile virtualized environment.

Rishi: Identify Bot Contaminated Hosts

Thursday, April 19. 2007
HotBots'07 took place last week in Boston. The paper by Jan Göbel and me is now available, and I have also published the slides from my talk.
This workshop was by invitation only. As a courtesy, USENIX made the accepted papers available to everyone.


Program for HotBots'07 / Rishi

Thursday, April 5. 2007
The program for the First Workshop on Hot Topics in Understanding Botnets is now online. The program committee accepted 11 papers from 32 submissions. Together with Jan Göbel, I also submitted a paper, which was accepted. The paper, entitled "Rishi: Identify Bot Contaminated Hosts by IRC Nickname Evaluation", describes a simple yet effective method to detect bot-contaminated hosts within a given network. It tries to detect suspicious IRC nicknames, and preliminary results show its usefulness. I will upload the paper once the workshop is over.

Abstract:
In this paper, we describe a simple, yet effective method to detect bot-infected machines within a given network that relies on detection of the communication channel between bot and Command & Control server (C&C server). The presented techniques are mainly based on passively monitoring network traffic for unusual or suspicious IRC nicknames, IRC servers, and uncommon server ports. By using n-gram analysis and a scoring system, we are able to detect bots that use uncommon communication channels, which are commonly not detected by classical intrusion detection systems. Upon detection, it is possible to determine the IP address of the C&C server, as well as the channels a bot joined and the additional parameters which were set. The software "Rishi" implements the mentioned features and is able to automatically generate warning emails to report infected machines to an administrator. Within the 10 GBit network of RWTH Aachen university, we detected 82 bot-infected machines within two weeks, some of them using communication channels not picked up by other intrusion detection systems.
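As an added illustration of the approach the abstract describes (this is example code written for this page, not Rishi's own implementation), the following Python sketch scores observed IRC nicknames with a trigram baseline built from benign names, a few pattern features and a server-port check, and flags the client IPs whose combined score crosses a threshold. The log line format, the benign nickname list, the feature set and all weights are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample of observed IRC NICK commands ("client_ip server_port NICK nick"); not a real capture.
SAMPLE_LOG = """\
10.0.0.5 6667 NICK alice
10.0.0.7 6667 NICK bob_42
10.0.0.9 1863 NICK [DEU|XP|00123]
10.0.0.11 8080 NICK USA|2345|SP2
10.0.0.12 6667 NICK carol
10.0.0.13 65000 NICK dave
"""

# Constructed benign nicknames for the trigram baseline (assumption: a site would use its own
# history of legitimate IRC users here).
BENIGN_NICKS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan", "judy"]

COMMON_IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697}  # the usual IRC server ports

def trigrams(s):
    """Set of lower-cased character trigrams of a nickname."""
    s = s.lower()
    return {s[i:i + 3] for i in range(len(s) - 2)}

BASELINE = Counter(t for n in BENIGN_NICKS for t in trigrams(n))

def parse_log(text):
    """Return (client_ip, server_port, nick) for each NICK line in the log."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"(\S+) (\d+) NICK (\S+)$", line)
        if m:
            rows.append((m.group(1), int(m.group(2)), m.group(3)))
    return rows

def score_nick(nick, port):
    """Additive score; higher means more bot-like. Weights are illustrative assumptions."""
    score = 0
    if re.search(r"\d{3,}", nick):          # long digit run (serial-number style name)
        score += 2
    if re.search(r"[\[\]|]", nick):         # bracket/pipe separators
        score += 2
    grams = trigrams(nick)
    if grams:                               # 0..3 depending on how alien the trigrams are
        unseen = sum(1 for g in grams if g not in BASELINE) / len(grams)
        score += round(3 * unseen)
    if port not in COMMON_IRC_PORTS:        # IRC on a non-standard server port
        score += 2
    return score

def detect(text, threshold=5):
    """Return client IPs whose NICK command scores at or above the threshold."""
    return [ip for ip, port, nick in parse_log(text) if score_nick(nick, port) >= threshold]
```

Note that a benign name on an odd port ("dave" on 65000) stays below the threshold, so no single feature flags a host on its own.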