Virtualization for Security - Including Sandboxing, Disaster Recovery, High Availability, Forensic Analysis, and Honeypotting

Front Cover

Virtualization for Security

Copyright

Technical Editor

Contributing Authors

Contents

Chapter 1: An Introduction to Virtualization

Introduction

What Is Virtualization?

The History of Virtualization

The Atlas Computer

The M44/44X Project

CP/CMS

Other Time-Sharing Projects

Virtualization Explosion of the 1990s and Early 2000s

The Answer: Virtualization Is…

Why Virtualize?

Decentralization versus Centralization

True Tangible Benefits

Consolidation

Reliability

Security

How Does Virtualization Work?

OS Relationships with the CPU Architecture

The Virtual Machine Monitor and Ring-0 Presentation

The VMM Role Explored

The Popek and Goldberg Requirements

The Challenge: VMMs for the x86 Architecture

Types of Virtualization

Server Virtualization

Storage Virtualization

Network Virtualization

Application Virtualization

Common Use Cases for Virtualization

Technology Refresh

Business Continuity and Disaster Recovery

Proof of Concept Deployments

Virtual Desktops

Rapid Development, Test Lab, and Software Configuration Management

Summary

Solutions Fast Track

What Is Virtualization?

Why Virtualize?

How Does Virtualization Work?

Types of Virtualization

Common Use Cases for Virtualization

Frequently Asked Questions

Chapter 2: Choosing the Right Solution for the Task

Introduction

Issues and Considerations That Affect Virtualization Implementations

Performance

Redundancy

Operations

Backups

Security

Evolution

Discovery

Testing

Production

Mobility

Grid

Distinguishing One Type of Virtualization from Another

Library Emulation

Wine

Cygwin

Processor Emulation

Operating System Virtualization

Application Virtualization

Presentation Virtualization

Server Virtualization

Dedicated Hardware

Hardware Compatibility

Paravirtualization

I/O Virtualization

Hardware Virtualization

Summary

Solutions Fast Track

Issues and Considerations That Affect Virtualization Implementations

Distinguishing One Type of Virtualization from Another

Frequently Asked Questions

Chapter 3: Building a Sandbox

Introduction

Sandbox Background

The Visible Sandbox

cwsandbox.exe

cwmonitor.dll

Existing Sandbox Implementations

Describing CWSandbox

Creating a Live DVD with VMware and CWSandbox

Setting Up Linux

Setting Up VMware Server v1.05

Setting Up a Virtual Machine in VMware Server

Setting Up Windows XP Professional in the Virtual Machine

Setting Up CWSandbox v2.x in Windows XP Professional

Configuring Linux and VMware Server for Live DVD Creation

Updating Your Live DVD

Summary

Solutions Fast Track

Sandbox Background

Existing Sandbox Implementations

Describing CWSandbox

Creating a Live DVD with VMware and CWSandbox

Frequently Asked Questions

Notes

Bibliography

Chapter 4: Configuring the Virtual Machine

Introduction

Resource Management

Hard Drive and Network Configurations

Hard Drive Configuration

Growing Disk Sizes

Virtual Disk Types

Using Snapshots

Network Configuration

Creating an Interface

Bridged

Host-Only

Natted

Multiple Interfaces

Physical Hardware Access

Physical Disks

USB Devices

Interfacing with the Host

Cut and Paste

How to Install the VMware Tools in a Virtual Machine

How to Install the Virtual Machine Additions in Virtual PC

Summary

Solutions Fast Track

Hard Drive and Network Configurations

Physical Hardware Access

Interfacing with the Host

Frequently Asked Questions

Chapter 5: Honeypotting

Introduction

Herding of Sheep

Honeynets

Gen I

Gen II

Gen III

Where to Put It

Local Network

Distributed Network

Layer 2 Bridges

Honeymole

Multiple Remote Networks

Detecting the Attack

Intrusion Detection

Network Traffic Capture

Monitoring on the Box

How to Set Up a Realistic Environment

Nepenthes

Setting Up the Network

Keeping the Bad Stuff in

Summary

Solutions Fast Track

Herding of Sheep

Detecting the Attack

How to Set Up a Realistic Environment

Frequently Asked Questions

Note

Chapter 6: Malware Analysis

Introduction

Setting the Stage

How Should Network Access Be Limited?

Don’t Propagate It Yourself

The Researcher May Get Discovered

Create a “Victim” That Is as Close to Real as Possible

You Should Have a Variety of Content to Offer

Give It That Lived-in Look

Making the Local Network More Real

Testing on VMware Workstation

Microsoft Virtual PC

Looking for Effects of Malware

What Is the Malware’s Purpose?

How Does It Propagate?

Does the Malware Phone Home for Updates?

Does the Malware Participate in a Bot-Net?

Does the Malware Send the Spoils Anywhere?

Does the Malware Behave Differently Depending on the Domain?

How Does the Malware Hide and How Can It Be Detected?

How Do You Recover from It?

Examining a Sample Analysis Report

The Section

Analysis of 82f78a89bde09a71ef99b3cedb991bcc.exe

Analysis of arman.exe

Interpreting an Analysis Report

How Does the Bot Install?

Finding Out How New Hosts Are Infected

How Does the Bot Protect the Local Host and Itself?

Determing How/Which C&C Servers Are Contacted

How Does the Bot Get Binary Updates?

What Malicious Operations Are Performed?

Bot-Related Findings of Our Live Sandbox

Antivirtualization Techniques

Detecting You Are in a Virtual Environment

Virtualization Utilities

VMware I/O Port

Emulated Hardware Detection

Hardware Identifiers

MAC Addresses

Hard Drives

PCI Identifiers

Detecting You Are in a Hypervisor Environment

Summary

Solutions Fast Track

How Should Network Access Be Limited?

Looking for Effects of Malware

Antivirtualization Techniques

Frequently Asked Questions

Chapter 7: Application Testing

Introduction

Getting Up to Speed Quickly

Default Platform

Copying a Machine in VMware Server

Registering a Machine in Microsoft Virtual Server

Known Good Starting Point

Downloading Preconfigured Appliances

VMware’s Appliance Program

Microsoft’s Test Drive Program

Debugging

Kernel Level Debugging

The Advantage of Open Source Virtualization

Summary

Solutions Fast Track

Getting Up to Speed Quickly

Debugging

Frequently Asked Questions

Chapter 8: Fuzzing

Introduction

What Is Fuzzing?

Virtualization and Fuzzing

Choosing an Effective Starting Point

Using a Clean Slate

Reducing Startup Time

Setting Up the Debugging Tools

Preparing to Take Input

Preparing for External Interaction

Taking the Snapshot

Executing the Test

Scripting Snapshot Startup

Interacting with the Application

Selecting Test Data

Checking for Exceptions

Saving the Results

Running Concurrent Tests

Summary

Solutions Fast Track

What Is Fuzzing?

Virtualization and Fuzzing

Choosing an Effective Starting Point

Preparing for External Interaction

Executing the Test

Frequently Asked Questions

Chapter 9: Forensic Analysis

Introduction

Preparing Your Forensic Environment

Capturing the Machine

Preparing the Captured Machine to Boot on New Hardware

What Can Be Gained by Booting the Captured Machine?

Virtualization May Permit You to Observe Behavior That Is Only Visible While Live

Using the System to Demonstrate the Meaning of the Evidence

The System May Have Proprietary/ Old Files That Require Special Software

Analyzing Time Bombs and Booby Traps

Easier to Get in the Mind-Set of the Suspect

Collecting Intelligence about Botnets or Virus-Infected Systems

Collecting Intelligence about a Case

Capturing Processes and Data in Memory

Performing Forensics of a Virtual Machine

Caution: VM-Aware Malware Ahead

Summary

Solutions Fast Track

Preparing Your Forensic Environment

Capturing the Machine

Preparing the Captured Machine to Boot on New Hardware

What Can Be Gained by Booting the Captured Machine?

Frequently Asked Questions

Chapter 10: Disaster Recovery

Introduction

Disaster Recovery in a Virtual Environment

Simplifying Backup and Recovery

File Level Backup and Restore

System-Level Backup and Restore

Shared Storage Backup and Restore

Allowing Greater Variation in Hardware Restoration

Different Number of Servers

Using Virtualization for Recovery of Physical Systems

Using Virtualization for Recovery of Virtual Systems

Recovering from Hardware Failures

Redistributing the Data Center

Summary

Solutions Fast Track

Disaster Recovery in a Virtual Environment

Simplifying Backup and Recovery

Allowing Greater Variation in Hardware restoration

Recovering from Hardware Failures

Redistributing the Data Center

Frequently Asked Questions

Chapter 11: High Availability: Reset to Good

Introduction

Understanding High Availability

Providing High Availability for Planned Downtime

Providing High Availability for Unplanned Downtime

Reset to Good

Utilizing Vendor Tools to Reset to Good

Utilizing Scripting or Other Mechanisms to Reset to Good

Degrading over Time

Configuring High Availability

Configuring Shared Storage

Configuring the Network

Setting Up a Pool or Cluster of Servers

Maintaining High Availability

Monitoring for Overcommitment of Resources

Security Implications

Performing Maintenance on a High Availability System

Summary

Solutions Fast Track

Understanding High Availability

Reset to Good

Configuring High Availability

Maintaining High Availability

Frequently Asked Questions

Chapter 12: Best of Both Worlds: Dual Booting

Introduction

How to Set Up Linux to Run Both Natively and Virtually

Creating a Partition for Linux on an Existing Drive

Setting Up Dual Hardware Profiles

Issues with Running Windows Both Natively and Virtualized

Precautions When Running an Operating System on Both Physical and Virtualized Platforms

Booting a Suspended Partition

Deleting the Suspended State

Changing Hardware Configurations Can Affect Your Software

Summary

Solutions Fast Track

How to Set Up Linux to Run Both Natively and Virtually

Issues with Running Windows Both Natively and Virtualized

Frequently Asked Questions

Chapter 13: Protection in Untrusted Environments

Introduction

Meaningful Uses of Virtualization in Untrusted Environments

Levels of Malware Analysis Paranoia

Using Virtual Machines to Segregate Data

Using Virtual Machines to Run Software You Don’t Trust

Using Virtual Machines for Users You Don’t Trust

Setting up the Client Machine

Installing Only What You Need

Restricting Hardware Access

Restricting Software Access

Scripting the Restore

Summary

Solutions Fast Track

Using Virtual Machines to Segregate Data

Using Virtual Machines to Run Software You Don’t Trust

Using Virtual Machines for Users You Don’t Trust

Frequently Asked Questions

Notes

Chapter 14: Training

Introduction

Setting Up Scanning Servers

Advantages of Using a Virtual Machine instead of a Live-CD Distribution

Persistence

Customization

Disadvantages of Using a Virtual Machine instead of a Live-CD

Default Platforms As Well to Use a Variety of Tools

Scanning Servers in a Virtual Environment

Setting Up Target Servers

Very “Open” Boxes for Demonstrating during Class

Suggested Vulnerabilities for Windows

Suggested Vulnerabilities for Linux

Suggested Vulnerabilities for Application Vulnerability Testing

Creating the Capture-the-Flag Scenario

Harder Targets

Snapshots Saved Us

Require Research to Accomplish the Task

Introduce Firewalls

Multiple Servers Requiring Chained Attacks

Adding Some Realism

Loose Points for Damaging the Environment

Demonstrate What the Attack Looks Like on IDS

Out Brief

Cleaning up Afterward

Saving Your Back

Summary

Solutions Fast Track

Setting Up Scanning Servers

Setting Up Target Servers

Creating the Capture-the-Flag Scenario

Out Brief

Cleaning Up Afterward

Saving Your Back

Frequently Asked Questions

Index