Virtualization for Security - Including Sandboxing, Disaster Recovery, High Availability, Forensic Analysis, and Honeypotting
John Hoopes
Publisher: Elsevier Reference Monographs, 2009
ISBN 9780080879352, 384 pages
Format: PDF, ePUB, OL
Copy protection: DRM
Front Cover ... 1
Virtualization for Security ... 4
Copyright ... 5
Technical Editor ... 6
Contributing Authors ... 7
Contents ... 12
Chapter 1: An Introduction to Virtualization ... 22
  Introduction ... 23
  What Is Virtualization? ... 23
  The History of Virtualization ... 24
  The Atlas Computer ... 24
  The M44/44X Project ... 25
  CP/CMS ... 25
  Other Time-Sharing Projects ... 26
  Virtualization Explosion of the 1990s and Early 2000s ... 27
  The Answer: Virtualization Is… ... 29
  Why Virtualize? ... 30
  Decentralization versus Centralization ... 30
  True Tangible Benefits ... 34
  Consolidation ... 36
  Reliability ... 38
  Security ... 39
  How Does Virtualization Work? ... 40
  OS Relationships with the CPU Architecture ... 41
  The Virtual Machine Monitor and Ring-0 Presentation ... 43
  The VMM Role Explored ... 44
  The Popek and Goldberg Requirements ... 45
  The Challenge: VMMs for the x86 Architecture ... 46
  Types of Virtualization ... 47
  Server Virtualization ... 47
  Storage Virtualization ... 50
  Network Virtualization ... 51
  Application Virtualization ... 52
  Common Use Cases for Virtualization ... 53
  Technology Refresh ... 53
  Business Continuity and Disaster Recovery ... 55
  Proof of Concept Deployments ... 56
  Virtual Desktops ... 56
  Rapid Development, Test Lab, and Software Configuration Management ... 57
  Summary ... 59
  Solutions Fast Track ... 59
    What Is Virtualization? ... 59
    Why Virtualize? ... 60
    How Does Virtualization Work? ... 60
    Types of Virtualization ... 61
    Common Use Cases for Virtualization ... 61
  Frequently Asked Questions ... 63
Chapter 2: Choosing the Right Solution for the Task ... 65
  Introduction ... 66
  Issues and Considerations That Affect Virtualization Implementations ... 66
  Performance ... 67
  Redundancy ... 67
  Operations ... 68
  Backups ... 68
  Security ... 68
  Evolution ... 69
  Discovery ... 69
  Testing ... 69
  Production ... 69
  Mobility ... 70
  Grid ... 70
  Distinguishing One Type of Virtualization from Another ... 71
  Library Emulation ... 71
  Wine ... 72
  Cygwin ... 73
  Processor Emulation ... 73
  Operating System Virtualization ... 74
  Application Virtualization ... 74
  Presentation Virtualization ... 75
  Server Virtualization ... 75
  Dedicated Hardware ... 75
  Hardware Compatibility ... 76
  Paravirtualization ... 77
  I/O Virtualization ... 78
  Hardware Virtualization ... 78
  Summary ... 80
  Solutions Fast Track ... 81
    Issues and Considerations That Affect Virtualization Implementations ... 81
    Distinguishing One Type of Virtualization from Another ... 81
  Frequently Asked Questions ... 82
Chapter 3: Building a Sandbox ... 83
  Introduction ... 84
  Sandbox Background ... 83
  The Visible Sandbox ... 85
  cwsandbox.exe ... 88
  cwmonitor.dll ... 89
  Existing Sandbox Implementations ... 92
  Describing CWSandbox ... 94
  Creating a Live DVD with VMware and CWSandbox ... 83
  Setting Up Linux ... 98
  Setting Up VMware Server v1.05 ... 100
  Setting Up a Virtual Machine in VMware Server ... 100
  Setting Up Windows XP Professional in the Virtual Machine ... 101
  Setting Up CWSandbox v2.x in Windows XP Professional ... 102
  Configuring Linux and VMware Server for Live DVD Creation ... 103
  Updating Your Live DVD ... 105
  Summary ... 106
  Solutions Fast Track ... 83
    Sandbox Background ... 106
    Existing Sandbox Implementations ... 107
    Describing CWSandbox ... 107
    Creating a Live DVD with VMware and CWSandbox ... 108
  Frequently Asked Questions ... 109
  Notes ... 110
  Bibliography ... 110
Chapter 4: Configuring the Virtual Machine ... 111
  Introduction ... 112
  Resource Management ... 112
  Hard Drive and Network Configurations ... 112
  Hard Drive Configuration ... 113
  Growing Disk Sizes ... 113
  Virtual Disk Types ... 113
  Using Snapshots ... 114
  Network Configuration ... 114
  Creating an Interface ... 114
  Bridged ... 115
  Host-Only ... 116
  Natted ... 117
  Multiple Interfaces ... 118
  Physical Hardware Access ... 119
  Physical Disks ... 119
  USB Devices ... 123
  Interfacing with the Host ... 124
  Cut and Paste ... 124
  How to Install the VMware Tools in a Virtual Machine ... 125
  How to Install the Virtual Machine Additions in Virtual PC ... 132
  Summary ... 133
  Solutions Fast Track ... 133
    Hard Drive and Network Configurations ... 133
    Physical Hardware Access ... 134
    Interfacing with the Host ... 134
  Frequently Asked Questions ... 135
Chapter 5: Honeypotting ... 137
  Introduction ... 138
  Herding of Sheep ... 138
  Honeynets ... 140
  Gen I ... 140
  Gen II ... 141
  Gen III ... 141
  Where to Put It ... 141
  Local Network ... 142
  Distributed Network ... 142
  Layer 2 Bridges ... 143
  Honeymole ... 145
  Multiple Remote Networks ... 146
  Detecting the Attack ... 150
  Intrusion Detection ... 150
  Network Traffic Capture ... 151
  Monitoring on the Box ... 152
  How to Set Up a Realistic Environment ... 153
  Nepenthes ... 154
  Setting Up the Network ... 154
  Keeping the Bad Stuff In ... 160
  Summary ... 161
  Solutions Fast Track ... 161
    Herding of Sheep ... 161
    Detecting the Attack ... 161
    How to Set Up a Realistic Environment ... 162
  Frequently Asked Questions ... 163
  Note ... 163
Chapter 6: Malware Analysis ... 165
  Introduction ... 166
  Setting the Stage ... 166
  How Should Network Access Be Limited? ... 167
  Don’t Propagate It Yourself ... 167
  The Researcher May Get Discovered ... 168
  Create a “Victim” That Is as Close to Real as Possible ... 168
  You Should Have a Variety of Content to Offer ... 168
  Give It That Lived-in Look ... 169
  Making the Local Network More Real ... 169
  Testing on VMware Workstation ... 171
  Microsoft Virtual PC ... 173
  Looking for Effects of Malware ... 174
  What Is the Malware’s Purpose? ... 174
  How Does It Propagate? ... 175
  Does the Malware Phone Home for Updates? ... 175
  Does the Malware Participate in a Bot-Net? ... 176
  Does the Malware Send the Spoils Anywhere? ... 176
  Does the Malware Behave Differently Depending on the Domain? ... 177
  How Does the Malware Hide and How Can It Be Detected? ... 177
  How Do You Recover from It? ... 178
  Examining a Sample Analysis Report ... 179
  The Section ... 179
  Analysis of 82f78a89bde09a71ef99b3cedb991bcc.exe ... 180
  Analysis of arman.exe ... 182
  Interpreting an Analysis Report ... 187
  How Does the Bot Install? ... 188
  Finding Out How New Hosts Are Infected ... 189
  How Does the Bot Protect the Local Host and Itself? ... 191
  Determining How/Which C&C Servers Are Contacted ... 194
  How Does the Bot Get Binary Updates? ... 195
  What Malicious Operations Are Performed? ... 196
  Bot-Related Findings of Our Live Sandbox ... 201
  Antivirtualization Techniques ... 203
  Detecting You Are in a Virtual Environment ... 204
  Virtualization Utilities ... 204
  VMware I/O Port ... 204
  Emulated Hardware Detection ... 205
  Hardware Identifiers ... 205
  MAC Addresses ... 205
  Hard Drives ... 206
  PCI Identifiers ... 206
  Detecting You Are in a Hypervisor Environment ... 207
  Summary ... 208
  Solutions Fast Track ... 208
    How Should Network Access Be Limited? ... 208
    Looking for Effects of Malware ... 208
    Antivirtualization Techniques ... 208
  Frequently Asked Questions ... 209
Chapter 7: Application Testing ... 211
  Introduction ... 212
  Getting Up to Speed Quickly ... 212
  Default Platform ... 213
  Copying a Machine in VMware Server ... 213
  Registering a Machine in Microsoft Virtual Server ... 215
  Known Good Starting Point ... 216
  Downloading Preconfigured Appliances ... 217
  VMware’s Appliance Program ... 217
  Microsoft’s Test Drive Program ... 218
  Debugging ... 219
  Kernel Level Debugging ... 219
  The Advantage of Open Source Virtualization ... 227
  Summary ... 228
  Solutions Fast Track ... 228
    Getting Up to Speed Quickly ... 228
    Debugging ... 228
  Frequently Asked Questions ... 229
Chapter 8: Fuzzing ... 231
  Introduction ... 232
  What Is Fuzzing? ... 232
  Virtualization and Fuzzing ... 234
  Choosing an Effective Starting Point ... 234
  Using a Clean Slate ... 234
  Reducing Startup Time ... 235
  Setting Up the Debugging Tools ... 235
  Preparing to Take Input ... 237
  Preparing for External Interaction ... 238
  Taking the Snapshot ... 238
  Executing the Test ... 239
  Scripting Snapshot Startup ... 239
  Interacting with the Application ... 240
  Selecting Test Data ... 241
  Checking for Exceptions ... 242
  Saving the Results ... 243
  Running Concurrent Tests ... 243
  Summary ... 245
  Solutions Fast Track ... 245
    What Is Fuzzing? ... 245
    Virtualization and Fuzzing ... 245
    Choosing an Effective Starting Point ... 245
    Preparing for External Interaction ... 246
    Executing the Test ... 246
  Frequently Asked Questions ... 247
Chapter 9: Forensic Analysis ... 249
  Introduction ... 250
  Preparing Your Forensic Environment ... 251
  Capturing the Machine ... 252
  Preparing the Captured Machine to Boot on New Hardware ... 258
  What Can Be Gained by Booting the Captured Machine? ... 259
  Virtualization May Permit You to Observe Behavior That Is Only Visible While Live ... 262
  Using the System to Demonstrate the Meaning of the Evidence ... 262
  The System May Have Proprietary/Old Files That Require Special Software ... 262
  Analyzing Time Bombs and Booby Traps ... 263
  Easier to Get in the Mind-Set of the Suspect ... 263
  Collecting Intelligence about Botnets or Virus-Infected Systems ... 264
  Collecting Intelligence about a Case ... 264
  Capturing Processes and Data in Memory ... 265
  Performing Forensics of a Virtual Machine ... 265
  Caution: VM-Aware Malware Ahead ... 267
  Summary ... 269
  Solutions Fast Track ... 269
    Preparing Your Forensic Environment ... 269
    Capturing the Machine ... 270
    Preparing the Captured Machine to Boot on New Hardware ... 270
    What Can Be Gained by Booting the Captured Machine? ... 271
  Frequently Asked Questions ... 273
Chapter 10: Disaster Recovery ... 275
  Introduction ... 276
  Disaster Recovery in a Virtual Environment ... 276
  Simplifying Backup and Recovery ... 277
  File Level Backup and Restore ... 277
  System-Level Backup and Restore ... 278
  Shared Storage Backup and Restore ... 279
  Allowing Greater Variation in Hardware Restoration ... 281
  Different Number of Servers ... 282
  Using Virtualization for Recovery of Physical Systems ... 282
  Using Virtualization for Recovery of Virtual Systems ... 283
  Recovering from Hardware Failures ... 285
  Redistributing the Data Center ... 285
  Summary ... 287
  Solutions Fast Track ... 288
    Disaster Recovery in a Virtual Environment ... 288
    Simplifying Backup and Recovery ... 288
    Allowing Greater Variation in Hardware Restoration ... 288
    Recovering from Hardware Failures ... 289
    Redistributing the Data Center ... 289
  Frequently Asked Questions ... 290
Chapter 11: High Availability: Reset to Good ... 291
  Introduction ... 292
  Understanding High Availability ... 292
  Providing High Availability for Planned Downtime ... 293
  Providing High Availability for Unplanned Downtime ... 294
  Reset to Good ... 295
  Utilizing Vendor Tools to Reset to Good ... 295
  Utilizing Scripting or Other Mechanisms to Reset to Good ... 297
  Degrading over Time ... 297
  Configuring High Availability ... 298
  Configuring Shared Storage ... 298
  Configuring the Network ... 298
  Setting Up a Pool or Cluster of Servers ... 299
  Maintaining High Availability ... 300
  Monitoring for Overcommitment of Resources ... 300
  Security Implications ... 301
  Performing Maintenance on a High Availability System ... 302
  Summary ... 304
  Solutions Fast Track ... 305
    Understanding High Availability ... 305
    Reset to Good ... 305
    Configuring High Availability ... 305
    Maintaining High Availability ... 305
  Frequently Asked Questions ... 307
Chapter 12: Best of Both Worlds: Dual Booting ... 309
  Introduction ... 310
  How to Set Up Linux to Run Both Natively and Virtually ... 310
  Creating a Partition for Linux on an Existing Drive ... 311
  Setting Up Dual Hardware Profiles ... 315
  Issues with Running Windows Both Natively and Virtualized ... 316
  Precautions When Running an Operating System on Both Physical and Virtualized Platforms ... 316
  Booting a Suspended Partition ... 316
  Deleting the Suspended State ... 317
  Changing Hardware Configurations Can Affect Your Software ... 317
  Summary ... 319
  Solutions Fast Track ... 319
    How to Set Up Linux to Run Both Natively and Virtually ... 319
    Issues with Running Windows Both Natively and Virtualized ... 319
  Frequently Asked Questions ... 320
Chapter 13: Protection in Untrusted Environments ... 321
  Introduction ... 322
  Meaningful Uses of Virtualization in Untrusted Environments ... 322
  Levels of Malware Analysis Paranoia ... 328
  Using Virtual Machines to Segregate Data ... 336
  Using Virtual Machines to Run Software You Don’t Trust ... 338
  Using Virtual Machines for Users You Don’t Trust ... 341
  Setting Up the Client Machine ... 342
  Installing Only What You Need ... 342
  Restricting Hardware Access ... 342
  Restricting Software Access ... 342
  Scripting the Restore ... 343
  Summary ... 345
  Solutions Fast Track ... 345
    Using Virtual Machines to Segregate Data ... 345
    Using Virtual Machines to Run Software You Don’t Trust ... 345
    Using Virtual Machines for Users You Don’t Trust ... 346
  Frequently Asked Questions ... 347
  Notes ... 348
Chapter 14: Training ... 349
  Introduction ... 350
  Setting Up Scanning Servers ... 350
  Advantages of Using a Virtual Machine instead of a Live-CD Distribution ... 351
  Persistence ... 351
  Customization ... 351
  Disadvantages of Using a Virtual Machine instead of a Live-CD ... 352
  Default Platforms As Well to Use a Variety of Tools ... 352
  Scanning Servers in a Virtual Environment ... 353
  Setting Up Target Servers ... 354
  Very “Open” Boxes for Demonstrating during Class ... 355
  Suggested Vulnerabilities for Windows ... 355
  Suggested Vulnerabilities for Linux ... 356
  Suggested Vulnerabilities for Application Vulnerability Testing ... 356
  Creating the Capture-the-Flag Scenario ... 359
  Harder Targets ... 359
  Snapshots Saved Us ... 360
  Require Research to Accomplish the Task ... 361
  Introduce Firewalls ... 361
  Multiple Servers Requiring Chained Attacks ... 361
  Adding Some Realism ... 362
  Lose Points for Damaging the Environment ... 362
  Demonstrate What the Attack Looks Like on IDS ... 363
  Out Brief ... 363
  Cleaning Up Afterward ... 363
  Saving Your Back ... 364
  Summary ... 365
  Solutions Fast Track ... 365
    Setting Up Scanning Servers ... 365
    Setting Up Target Servers ... 365
    Creating the Capture-the-Flag Scenario ... 365
    Out Brief ... 366
    Cleaning Up Afterward ... 366
    Saving Your Back ... 366
  Frequently Asked Questions ... 367
Index ... 369