This essay has been submitted by a student.
Virtualization is quickly becoming a standard technology for business. It lets one computer or server run multiple operating systems, or multiple sessions of an operating system, at the same time, so users can run many applications and functions on a single computer or server instead of on separate machines as in the older approach.
The big challenge organizations now face is how to secure virtualized systems, which are vulnerable to the same types of threats as physical systems. Virtualized systems cannot always be secured with the same techniques as physical systems, because each virtualized system on the same machine may face different threats and need a different security level, and additional techniques are needed to secure the channels between the virtualized systems on the same machine.
In [Steven J. Vaughan-Nichols 2008], the author studies several virtual system security problems. He traces the history of virtual systems from a security point of view and finds that virtualization creates new security challenges for organizations: the administrator must ensure that every single virtualized system follows the organization's rules and policies, such as limiting access to certain data and applications. An important example of a new problem created by virtualization is that network-based security systems do not usually see the communication between two virtual machines installed on the same server. The author also presents the importance of security zones for raising the security level of virtual systems. With security zones, the host server divides the virtualized systems into zones, and each zone has its own security level depending on the requirements of the virtualized systems in it.
VME Detection and Mitigation Techniques
In [Matthew Carpenter, Tom Liston, and Ed Skoudis 2007], the authors focus on detection and mitigation techniques for the most popular VME product today, VMware. They present two methods used by malware to detect VMware. The first method relates to the VMware communication channel. Communication between the host and guest operating systems occurs via a custom communications channel hard-coded into all VMware products. The guest and host operating systems cooperate over this channel for a range of functions, including enhanced GUI performance, support for moving data into and out of the host clipboard, and dragging and dropping files from guest to host and vice versa. The authors found a sample program containing a small piece of code that checked for the presence of this type of communications channel. The second method of detecting VMware is the Red Pill technique. The guest operating system, which is virtualized by software running under the host operating system, shares physical memory with the host, so a VME usually introduces some differences in where global memory structures are mapped, such as the locations of the Interrupt Descriptor Table (IDT) and the Local Descriptor Table (LDT) used by the host and guest operating systems. Malware can detect VMware by checking for these unusual memory locations. Red Pill was the first released tool that used this technique.
There are many methods to prevent malware from detecting a VME. The authors discuss two particularly useful methods for stopping the most popular VME detection techniques used by attackers, and so mitigating the malware's effect. The first method is undocumented VMware options. VMware VMX configuration files contain many parameters that the VMware administrator can change to set up the guest machine. Some of these configuration parameters are well known and documented. After many experiments, a lot of undocumented configuration parameters were found. The remarkable result was that changing some of these undocumented parameters can prevent or control the behaviours that let malware detect VMware. For example, we can prevent Jerry.c from detecting VMware by setting the VMX file parameters as in the following snippet:
[ation.disable = "TRUE"]
[ation.disable = "TRUE"]
[n.disable = "TRUE"]
[n.disable = "TRUE" ]
The changes in VMX configuration files can prevent many current detection techniques, but the functionality and ease of use of the guest machine will be affected, for example copy-paste via the clipboard and drag-and-drop. Because of this undesirable effect, we look for alternative techniques to prevent VMware detection. The alternative technique is called altering the magic value. In this method we patch the VMware binary executable to disable or change the VMX magic value related to the communication channel. The authors [Matthew Carpenter, Tom Liston, and Ed Skoudis] developed the VMmutate tool, which alters this value in the VMware binary.
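As an added example (not code from the essay or from the cited paper), a small Python audit that reads a .vmx file and reports which of the anti-detection options are set, weak or missing, so an analyst can check a lab VM before accepting the usability cost described above. The option names are the ones Carpenter, Liston and Skoudis published and are assumed to still apply to the VMware release in use; the sample .vmx text is constructed.

```python
import re

# Added audit helper (not from the essay or the cited paper). Option names are
# those Carpenter, Liston and Skoudis published; assumption: they still apply
# to your VMware release. Each must read "TRUE"; the isolation.tools.* group
# also costs clipboard, drag-and-drop and pointer integration, as the text notes.
HARDENING_OPTIONS = (
    "isolation.tools.getPtrLocation.disable",
    "isolation.tools.setPtrLocation.disable",
    "isolation.tools.setVersion.disable",
    "isolation.tools.getVersion.disable",
    "monitor_control.disable_directexec",
    "monitor_control.disable_chksimd",
    "monitor_control.disable_ntreloc",
    "monitor_control.disable_selfmod",
    "monitor_control.disable_reloc",
    "monitor_control.disable_btinout",
    "monitor_control.disable_btmemspace",
    "monitor_control.disable_btpriv",
    "monitor_control.disable_btseg",
)

# One VMX setting per line, key = "value"; comments and blank lines never match.
_LINE = re.compile(r'^\s*([\w.:\-]+)\s*=\s*"?([^"]*)"?\s*$')

def parse_vmx(text):
    """Return {key: value}; keys are lower-cased so lookups are case-insensitive."""
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings

def audit_vmx(text):
    """Sort each hardening option into set / weak (present, not TRUE) / missing."""
    settings = parse_vmx(text)
    report = {"set": [], "weak": [], "missing": []}
    for opt in HARDENING_OPTIONS:
        value = settings.get(opt.lower())
        if value is None:
            report["missing"].append(opt)
        elif value.upper() == "TRUE":
            report["set"].append(opt)
        else:
            report["weak"].append(opt)
    return report

# Constructed sample .vmx: two options hardened, one left enabled, rest absent.
SAMPLE_VMX = '''displayName = "malware-lab"
isolation.tools.getVersion.disable = "TRUE"
isolation.tools.setVersion.disable = "true"
monitor_control.disable_directexec = "FALSE"
'''
```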
Virtualization and Sandboxing for Combating Malware
In [Chris Greamo and Anup Ghosh], the authors present the important role of sandboxing, partial virtualization, and full virtualization in combating malware. In April 2010 a study by Cyveillance showed that current antivirus programs are not effective at discovering threats. The Cyveillance study, which examined 13 of the most well-known antivirus products, found that the average proportion of malware detected one day after the malware became known was only 19%, and that the average detection rate across all 13 products reached only 61.7% after 30 days. Antivirus programs are still an essential part of computer security, but it is very clear that they are not capable enough against a threat that continuously produces thousands of new malware samples day after day.
To deal with the big gap left by antivirus programs, a new class of computer security products uses application sandboxing and virtualization to deal with malware threats by containing their malicious behaviour. In sandboxing we try to contain code, or isolate faults. High-profile applications that currently use sandboxing include the Google Chrome browser, Adobe Reader X, and Internet Explorer in Protected Mode. Separating untested code from the system using some type of sandbox can considerably mitigate malware by preventing malicious behaviour from affecting other programs on the computer.
Full virtualization gives a high degree of control over the vulnerable application without requiring changes to the application. If any part of the application is compromised by malware, the attacker can only gain access to the guest environment's data, programs, resources, and OS, not the original host's. Simple hardware virtualization does not by itself give a secure solution; a secure confinement solution must satisfy some further points, such as network and host isolation, real-time detection that catches unseen attacks, and fast, complete recovery to a clean state when malware is detected. Figure 1 shows how sandboxing and virtualization address malware and compares them in terms of protection level and ease of deployment.
Figure 1. Comparison between sandboxing and virtualization security in terms of protection level and ease of deployment
In [Hsien-De Huang, Chang-Shing Lee, Hung-Yu Kao, Yi-Lang Tsai, and Jee-Gong Chang 2011], the authors design an experimental model to analyse malware behaviour in a real environment, because, as the authors see it, there are many differences between real and virtual environments. There are many anti-VM applications that prevent the analysis and discovery of malware in a VM environment. This experimental model is the implementation of the Taiwan Malware Analysis Net (TWMAN), which represents a real operating environment for analysing and reporting malware behaviour. Figure 2 shows the flowchart of the TWMAN model.
Figure 2. Flowchart of the TWMAN model
TWMAN is a client-server model configured to run the analysis automatically. A Linux operating system is installed on the server, while Microsoft Windows is installed on the client. The client downloads malware from the repository on the Linux server, collects information about registry changes and file changes, such as a memory dump image, and then has to restart and save the infected Windows image as an image file on the Linux server. This procedure was repeated 4840 times, and the results were then analysed and reported. The result of this experiment was very interesting: TWMAN can detect a lot of malware behaviour that cannot be detected in VM environments and sandbox environments.