

Page 1

HP Labs Forensic Virtual Machines

Introduction

Forensic Virtual Machines are an innovative approach to dealing with modern malware in next generation infrastructures. They are designed to help Cloud Providers protect themselves from the code that they are hosting, and permit the detection of advanced malware, such as malware that uses rootkit or polymorphism techniques.

Dark Clouds Ahead

Cloud infrastructure providers are required to run other people’s code, which they must treat as a black box. They have to provide a professional service to their customers, giving each customer the isolation properties their contract guarantees. In addition, they must protect their own infrastructure from attack by the code they are hosting. Finally, they must be profitable and therefore seek to use their hardware as efficiently as possible.

On the other hand, the world of malware is changing; malware is getting more sophisticated. In particular, there is greater use of components – this raises the “quality” of malicious code whilst shortening the time to implement. There is greater use of polymorphism and rootkit technology in order to evade detection. Malware authors are continually raising their game; as a result, “zero day” attacks by malware that is difficult to detect will become commonplace.

So, how does the cloud provider make life as difficult as possible for the malware developers? How can we detect zero day attacks faster?

Satellites and White Blood Cells

Our solution to the challenge of modern malware in the cloud can be expressed by exploring the answers to the following two questions: “Can we exploit the pervasive use of virtualization technology in the cloud to protect against emerging malware?” and “Can we exploit the componentization of malware to our advantage?”

Let’s consider the first question. Cloud infrastructures are built on top of virtualization. This opens up a technique that we can use: “Introspection”. Virtualization permits one virtual machine (VM) to read the memory pages of another VM. Building on this capability we are able to run our own symptom detection software within our own VMs that looks for symptoms within the customer’s VMs. Consider them to be like Cyber Spy Satellites. This has led us to the notion of Forensic Virtual Machines (FVM).

An FVM is a virtual machine that is owned by the cloud provider. It is minimal in size and is designed to look for one particular symptom, and to issue an event when the symptom is found. The FVM is capable of changing its focus from one VM to another VM – either randomly, or because a symptom has been detected within another VM. The FVMs are designed to be autonomous – they make their own decisions as to when and where to move, and they have a limited life span before they shut down and are re-created. We assume that a hypervisor will run one or more customer VMs along with a number of FVMs.

The reason we describe these as cyber satellites is that you can’t hide from a satellite. In fact, you don’t even know when or if a satellite is observing you. Similarly, because FVMs reside outside of the customer VM, it is not possible for an attacker to know when, if or how it is being observed. It is not possible for these FVMs to be disabled, and introducing a limited lifespan and then recreating them introduces a degree of randomness and unpredictability into the protection system.

The second question considers the componentization of malware. Writers of modern malware are increasingly making use of libraries and toolkits in order to improve the quality of their code and to turn around new zero day attacks more quickly. We can take advantage of this approach by looking for the presence of “tricks of the trade” that these libraries and toolkits provide. Hence, rather than looking for specific attacks or complete malware signatures, we look for some of the components and gain evidence to suggest the existence of malware.

Virtual Machines can be used as “cyber spy satellites” to monitor cloud infrastructure for suspicious activity.

Page 2

In this example, VM2 is under attack, and FVMs have detected the symptoms of a malware attack and are attracting other FVMs to the problem.


Get connected: www.hpl.hp.com

Learn more about HP Labs research and innovations, meet our people, and join the conversation at our Innovation @ HP Labs blog. Share with colleagues.

Think white blood cells. In the same way that our bodies can detect a viral intrusion even before we feel sick and quickly deploy white blood cells to surround it, these tiny FVMs can sniff out suspicious activity and then coalesce in that area to verify the threat.

FVMs are very simple, possibly triggered by a single symptom. They are cooperative – they signal the presence of their symptoms and attract other FVMs. We make the assumption that attacks cause “chords” of symptoms to be present. When one symptom in a chord is detected, other FVMs are encouraged to move to that VM to test for the existence of the other symptoms in that chord.
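The autonomous FVM behaviour described earlier (one symptom per FVM, random re-targeting, limited lifespan followed by re-creation) and the chord-based attraction in the paragraph above, modelled as a small coordinator. This is an added example, not HP Labs' FVM implementation: the symptom names, the two chord definitions, the lifespan, the move probability and the `simulate` scenario are constructed assumptions, and a real FVM would obtain its observations by introspecting the customer VM's memory rather than from the `OBSERVATIONS` map used here.

```python
"""Cooperative FVMs and symptom chords (added example, not HP Labs' code)."""
from __future__ import annotations

import random
from dataclasses import dataclass

# Constructed chord definitions: a chord is the set of symptoms an attack is
# assumed to exhibit together; it is "verified" on a VM only when every member
# symptom has been observed there. The brochure names symptom types but not
# how they group, so these groupings are assumptions.
CHORDS = {
    "userland_rootkit": frozenset({"hooked_routine", "av_not_running", "suspicious_registry"}),
    "packed_dropper": frozenset({"obfuscated_code", "process_stuck_initializing", "named_process_absent"}),
}


@dataclass
class FVM:
    symptom: str             # the single symptom this FVM looks for
    target_vm: str           # the customer VM currently under observation
    remaining_life: int      # steps until the FVM shuts down and is re-created
    attracted: bool = False  # pulled to target_vm by a chord peer this step

    def inspect(self, observations: dict[str, set[str]]) -> bool:
        # Stand-in for an introspection read of the target VM's memory:
        # `observations` is a constructed map of vm -> symptoms present.
        return self.symptom in observations.get(self.target_vm, set())


class Coordinator:
    def __init__(self, vms, chords, lifespan, rng, move_probability=0.5):
        self.vms, self.chords, self.lifespan, self.rng = list(vms), chords, lifespan, rng
        self.move_probability = move_probability
        self.evidence: dict[str, set[str]] = {vm: set() for vm in self.vms}
        # One FVM per distinct symptom, each starting on a random VM.
        self.fvms = [self._spawn(s) for s in sorted(set().union(*chords.values()))]

    def _spawn(self, symptom: str) -> FVM:
        return FVM(symptom, self.rng.choice(self.vms), self.lifespan)

    def step(self, observations: dict[str, set[str]]) -> list[tuple[str, str]]:
        events, detected = [], set()
        # 1. Every FVM inspects its current target; a hit is an event.
        for fvm in self.fvms:
            fvm.attracted = False
            if fvm.inspect(observations):
                events.append((fvm.target_vm, fvm.symptom))
                self.evidence[fvm.target_vm].add(fvm.symptom)
                detected.add(id(fvm))
        # 2. Each event attracts chord peers whose symptoms are untested on that VM.
        for vm, symptom in events:
            for chord in self.chords.values():
                if symptom not in chord:
                    continue
                missing = chord - self.evidence[vm]
                for fvm in self.fvms:
                    if fvm.symptom in missing and id(fvm) not in detected:
                        fvm.target_vm, fvm.attracted = vm, True
        # 3. FVMs that are neither attracted nor detecting wander randomly;
        #    every FVM ages, and an expired one is re-created on a random VM.
        for i, fvm in enumerate(self.fvms):
            idle = not fvm.attracted and id(fvm) not in detected
            if idle and self.rng.random() < self.move_probability:
                fvm.target_vm = self.rng.choice(self.vms)
            fvm.remaining_life -= 1
            if fvm.remaining_life <= 0:
                self.fvms[i] = self._spawn(fvm.symptom)
        return events

    def verified_chords(self) -> dict[str, set[str]]:
        """Chords whose every symptom has been seen on a VM (evidence is never aged out here)."""
        return {vm: {name for name, chord in self.chords.items() if chord <= seen}
                for vm, seen in self.evidence.items()}


# Constructed scenario: vm2 shows the full userland_rootkit chord, vm3 shows one
# packed_dropper symptom only (e.g. a legitimately packed binary), vm1 is clean.
OBSERVATIONS = {
    "vm1": set(),
    "vm2": {"hooked_routine", "av_not_running", "suspicious_registry"},
    "vm3": {"obfuscated_code"},
}


def simulate(seed: int = 7, steps: int = 60) -> dict[str, set[str]]:
    coord = Coordinator(OBSERVATIONS, CHORDS, lifespan=8, rng=random.Random(seed))
    for _ in range(steps):
        coord.step(OBSERVATIONS)
    return coord.verified_chords()


if __name__ == "__main__":
    for vm, chords in simulate().items():
        print(vm, sorted(chords) or "no verified chord")
```

A single symptom on vm3 never completes a chord, which is the point of corroborating rather than alerting on one detector; in this model evidence accumulates for the whole run, whereas a deployment would age it out and would feed verified chords into the correlation with other sources described below.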

The FVMs can be used for a range of different symptoms. Identified symptoms are correlated with information from other sources to determine the nature of the attacks and to infer the possibility of malicious behavior. This is important for dealing with the diversity of malware.

Examples of the types of symptoms that we aim to detect include: the presence of keywords in application data; the presence, or absence, of named processes; the presence of processes that remain in an “initializing” state indefinitely; anti-virus not running; malformation of system tables; suspicious registry entries; obfuscated binary code – looking for a high density of branch/jump instructions; and “hooked” routines – i.e., where malware has inserted “trampoline” code that calls particular malware first before resuming the original unhooked code.
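Two of the symptoms in the list above, the branch/jump density of obfuscated code and a hooked routine whose entry has been replaced by trampoline code, written as byte-level detection checks. This is an added example, not HP Labs' FVM code. The functions `branch_density`, `looks_obfuscated` and `detect_inline_hook`, the 0.2 threshold and every sample byte string are constructed here; a real FVM would read the bytes from the customer VM's pages through introspection and would take the clean reference prologue from a trusted copy of the same binary version.

```python
"""Memory-level symptom checks (added example, not HP Labs' code)."""
from __future__ import annotations

import struct
from typing import Optional

# x86 opcodes that transfer control relative to the instruction pointer:
# Jcc rel8 (0x70-0x7F), CALL rel32 (0xE8), JMP rel32 (0xE9), JMP rel8 (0xEB).
# Jcc rel32 is the two-byte form 0x0F 0x80-0x8F and is handled separately.
BRANCH_OPCODES = set(range(0x70, 0x80)) | {0xE8, 0xE9, 0xEB}


def branch_density(code: bytes) -> float:
    """Fraction of bytes that begin a relative branch, by a linear byte scan.

    This is a byte scan, not a disassembly: immediates and ModRM bytes can
    collide with branch opcodes, so the result is a symptom for other FVMs to
    corroborate, not a verdict on its own."""
    if not code:
        return 0.0
    branches, i = 0, 0
    while i < len(code):
        b = code[i]
        if b == 0x0F and i + 1 < len(code) and 0x80 <= code[i + 1] <= 0x8F:
            branches += 1
            i += 2
            continue
        if b in BRANCH_OPCODES:
            branches += 1
        i += 1
    return branches / len(code)


def looks_obfuscated(code: bytes, threshold: float = 0.2) -> bool:
    # The threshold is an assumed tuning value; the brochure gives none.
    return branch_density(code) >= threshold


def detect_inline_hook(observed: bytes, reference: bytes, func_addr: int) -> Optional[dict]:
    """Compare a function's first bytes in memory with a clean reference copy.

    `reference` is assumed to come from the same binary version (the on-disk
    image after relocation). Returns None when the prologue is intact, else a
    description of the trampoline that now runs before the original code."""
    n = min(len(observed), len(reference))
    if observed[:n] == reference[:n]:
        return None
    # JMP rel32: target = address of the next instruction + signed displacement.
    if observed[0] == 0xE9 and len(observed) >= 5:
        rel = struct.unpack("<i", observed[1:5])[0]
        return {"kind": "jmp_rel32", "target": (func_addr + 5 + rel) & 0xFFFFFFFFFFFFFFFF}
    # PUSH imm32; RET: a trampoline with no visible JMP opcode (32-bit code).
    if observed[0] == 0x68 and len(observed) >= 6 and observed[5] == 0xC3:
        return {"kind": "push_ret", "target": struct.unpack("<I", observed[1:5])[0]}
    return {"kind": "modified_prologue", "target": None}


# Constructed samples, not bytes from any real binary.
# Ordinary prologue/body/epilogue bytes with no branch opcodes, repeated.
NORMAL_CODE = bytes.fromhex("55 48 89 e5 48 83 ec 10 89 45 fc 8b 45 fc 83 c0 01 c9 c3") * 4
# Junk-jump style: short jumps over stray bytes, a conditional pair, a long jmp.
OBFUSCATED_CODE = bytes.fromhex("eb 01 c3" * 8 + "74 02 75 00 e9 00 00 00 00")

FUNC_ADDR = 0x401000
# push ebp; mov ebp,esp; sub esp,10h; push ebx; push esi
CLEAN_PROLOGUE = bytes.fromhex("55 8b ec 83 ec 10 53 56")
# First five bytes overwritten with JMP rel32 to 0x405000: rel = 0x405000 - (0x401000 + 5) = 0x3ffb
HOOKED_PROLOGUE = bytes.fromhex("e9 fb 3f 00 00 10 53 56")
# First six bytes overwritten with PUSH 0x405000; RET
PUSH_RET_PROLOGUE = bytes.fromhex("68 00 50 40 00 c3 53 56")


if __name__ == "__main__":
    print("normal density", round(branch_density(NORMAL_CODE), 3), looks_obfuscated(NORMAL_CODE))
    print("obfuscated density", round(branch_density(OBFUSCATED_CODE), 3), looks_obfuscated(OBFUSCATED_CODE))
    print("clean prologue", detect_inline_hook(CLEAN_PROLOGUE, CLEAN_PROLOGUE, FUNC_ADDR))
    print("hooked prologue", detect_inline_hook(HOOKED_PROLOGUE, CLEAN_PROLOGUE, FUNC_ADDR))
```

Each check emits only a symptom; as the text says, an FVM's finding is correlated with other sources before anything is inferred, so a packed but legitimate binary that trips `looks_obfuscated` does not by itself constitute an alert.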

Dynamic Defence

The advantages of this approach are considerable. Not only does it increase the possibility of identifying attacks before they happen, but it means we’re highly efficient in directing our resources towards the greatest area of threat. Even more significantly, it means the security we’re putting into our infrastructure can be dynamic. The location of these forensic virtual machines can be constantly switched in response to the threat environment, making it harder for the attacker to avoid.

Learn more at http://www.hpl.hp.com/news/2012/jul-sep/dynamicdefense.html

© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Created November 2012. This is an HP Indigo digital print.

Forensic Virtual Machines act similarly to white blood cells, detecting when a customer virtual machine is “infected” and signaling an alert.