1 November 19, 2008, CSC 682
   Use of Virtualization to Thwart Malware
   Written by: Ryan Lehan
   Presented by: Ryan Lehan
   Directed by: Ryan Lehan
   Produced by: Ryan Lehan
   Starring: Ryan Lehan

2 Introduction
   - Malware
   - McAfee Avert Labs
     - Prediction of nearly 800,00 security threats for the year 2008
     - 300% growth rate over 2007
     - 99% fall in 3 categories
       - Identity Theft
       - Data Theft
       - System Compromise

3 Attack Technique
   - Attack the OS directly
     - Direct access to the OS via the OS Application Programming Interface (API)
   - Attack other applications
     - Exploiting vulnerability points
       - Directly via the application's API
       - Indirectly via specially crafted files
   - MS 2008 Security Intelligence Report
     - 3rd party applications are killing their security
     - Due to the openness of the OS

4 Modern Operating System

5 Problems Thwarting Malware
   - Expensive
     - Time
     - Money
     - Resources
   - Thousands of applications, each with the possibility of tens or even hundreds of vulnerability points
   - Not a single defense
     - Anti-Virus, Spyware, Adware, Firewall
   - Good tactics require above average computer skills
     - Non-Intuitive

6 Current Malware Defensive Techniques
   - Signature Based
     - Malicious code recognition by patterns in code (signatures)
     - Signatures created by the security vendor and then downloaded to the computer user
   - Problem area
     - Obfuscation: cryptographic technique used to disguise code so that its signature looks random
     - Zero Day Attack: window of time from when a vulnerability exists to the time when the security vendors release a patch

7 Current Malware Defensive Techniques (cont.)
   - Behavior Blocking
     - Malicious code recognition based upon user-configurable policies
     - Monitors the code as it runs in real time
     - If the code attempts a function that violates a predefined policy, then action is taken
     - Can thwart zero day attacks
   - Problem area
     - Policies too tight can cause high false positives
     - Policies too loose can allow malicious code to run

8 Current Malware Defensive Techniques (cont.)
   - Virtual Machines
     - Isolate guest operating systems from the host operating system
     - Allow the user to run within a clean environment
     - Contain malicious code to the guest environment only
   - Problem area
     - Requires above average computer skills
     - Does not recognize malicious code
     - Malicious code can still run within the guest environment

9 Virtualization
   - Definition: technique of isolating systems, applications, or end users from the physical characteristics of computer resources
   - Isolation
     - Fundamental concept
     - Process Isolation
     - Data Isolation
     - A virtualized environment should guarantee that any action performed inside the virtual environment cannot interfere outside that environment
     - Break-In: situation when an external process enters into the same environment as another process
     - Break-Out: situation when an internal process escapes from its confined environment

10 Virtualization (cont.)
   - Shared Resources
     - Just like operating systems
     - Each isolated environment views the shared resource as an object for its sole use
   - Data storage example
     - A single physical resource appears as multiple logical resources
     - Multiple physical resources appear as a single logical resource

11 Current Virtualization Techniques
   - Virtual Machines and Emulators
     - Software that emulates a physical computer
       - CPU, Hard Disk, Video, Network card, Memory
     - Run modified and unmodified guest operating systems
     - Guest OS does not know that it is running within a host OS
     - Good for isolating the host OS
     - Requires above average computer skills

12 Virtual Machine and Emulator

13 Current Virtualization Techniques
   - Language Dependent Virtual Environments
     - Some computer languages are designed to run only within a virtual environment (sandbox)
       - Java
     - Does not emulate hardware, but creates a set of APIs through which the application interfaces
     - Security advantages over complete virtual machines, but only for that specific computer language
       - If a vulnerability exists, patch the environment, not the applications
       - One area, not thousands
     - Only works with specific computer languages

14 Current Virtualization Techniques
   - Application Packaging
     - Builds upon the use of Virtual Machines
     - Applications are pre-built into a ready-made virtual environment
     - If a package becomes infected, just re-download it
     - Does not prevent the user from installing other software

15 Current Virtualization Techniques
   - Virtual Memory
     - Used by modern operating systems
     - Gives an application the impression that it has contiguous working memory all to itself
     - Not designed to thwart malicious code

16 What We Need
   - Strength and security of isolation
   - Seamless operation for all levels of computer skills
     - Intuitive
     - Anti-Virus vs Spyware vs Adware
   - Single area for defense
     - Computer user
     - Vendor maintenance

17 Virtualization Technique to Thwart Malware
   - Light-weight Virtual Environment
     - Process and Data isolation happens at the application level
     - No guest OS is needed
     - Malicious code runs isolated from other applications and the OS
     - Seamless operation for the user
   - Pure isolation can be counterproductive
     - Provides an API or a secure communication channel to the OS or other applications

18 Light-weight Virtual Environment

19 Virtualization Technique to Thwart Malware (cont.)
   - Layered Security
     - Policy based, similar to Behavior Blocking
     - Allows for vendor and user configurations
   - Layered
     - To combat the attack, not just recognize it
     - To reduce code complexity
     - Separation of duty
   - 3 Layers
     - Process Level Security Policies
       - Dictate the level of isolation, including Trusted and Stateless
     - Inter Process Communication Security Policies
       - Dictate if and how applications communicate with each other
       - Auto Configurable
     - OS API Security Policies
       - Dictate if and how applications communicate with the OS
       - Auto Configurable

20 Layered Security

21 Working in Tandem
   - Identity Theft
     - To thwart phishing attacks, many techniques rely on a trusted 3rd party
     - 3rd party applications will be isolated and can be marked as Trusted
     - Ensures the safety of the trusted application as well as enhancing the security of applications that use it

22 Working in Tandem
   - Data Theft
     - Data is isolated
     - Malicious code will not have access to other applications' data
     - Access to other data areas will need to pass through the security policies

23 Working in Tandem
   - System Compromise
     - Process is isolated
     - Malicious code will have a difficult time infecting other applications
     - Removal of direct communication between processes and the OS
     - If an application is exploited, that application itself is contained within an isolated environment
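The three policy layers of slide 19 and the isolation outcomes of slides 21 to 23, modelled as an added example that is not the author's code or any real product: a toy Environment mediates every request that crosses a sandbox boundary, denies anything not listed in a policy, and logs each decision so that blocked attempts are visible to a defender. The names Sandbox, Environment, the API labels such as net.connect and fs.write, and the three applications are assumptions constructed for illustration; the Trusted flag from slide 19 is not modelled.

```python
# Toy model of the slides' layered policy design. Added example, not the
# author's code: three policy layers guard a light-weight per-application
# sandbox. Every name below is an assumption made for illustration.
from dataclasses import dataclass, field

@dataclass
class Sandbox:  # one light-weight virtual environment per application, no guest OS
    name: str
    stateless: bool = False                          # process policy: Stateless
    ipc_allow: set = field(default_factory=set)      # IPC policy: peers accepted
    os_api_allow: set = field(default_factory=set)   # OS API policy: calls allowed
    data: dict = field(default_factory=dict)         # isolated data area

class Environment:  # mediates every cross-boundary request; unlisted means denied
    def __init__(self, *sandboxes):
        self.apps = {s.name: s for s in sandboxes}
        self.audit = []  # (layer, decision, detail): a feed for detection and review

    def _decide(self, layer, allowed, detail):
        self.audit.append((layer, "allow" if allowed else "deny", detail))
        return allowed

    def os_call(self, app, api):  # layer 3: OS API policy, no direct OS access
        return self._decide("os_api", api in self.apps[app].os_api_allow, f"{app}->{api}")

    def send(self, src, dst):  # layer 2: IPC policy, the receiver chooses its peers
        return self._decide("ipc", src in self.apps[dst].ipc_allow, f"{src}->{dst}")

    def read_data(self, requester, owner, key):  # data isolation, routed via the IPC policy
        if requester != owner and not self.send(requester, owner):
            return None
        return self.apps[owner].data.get(key)

    def restart(self, app):  # layer 1: a Stateless process drops all state on restart
        if self.apps[app].stateless:
            self.apps[app].data.clear()
        return dict(self.apps[app].data)

def demo():  # constructed scenario: malware inside the browser sandbox
    env = Environment(
        Sandbox("antiphish", ipc_allow={"browser"}, os_api_allow={"net.resolve"}),
        Sandbox("browser", stateless=True, os_api_allow={"net.connect"}, data={"cookie": "s=1"}),
        Sandbox("mailer", data={"contacts": ["alice", "bob"]}))
    return {
        "helper_lookup": env.send("browser", "antiphish"),               # True: IPC policy allows
        "mailer_theft": env.read_data("browser", "mailer", "contacts"),  # None: denied
        "raw_disk_write": env.os_call("browser", "fs.write"),            # False: denied
        "after_restart": env.restart("browser"),                         # {}: stateless wipe
        "denials": sum(1 for _, d, _ in env.audit if d == "deny"),       # 2
    }
```

The audit list is the piece a detection team would ship to a log pipeline: two denials from the same sandbox in one session is the kind of signal behavior blocking (slide 7) keys on, without needing a signature for the malware.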

24 Dealing with Vulnerabilities
   - Fix the environment
     - No need to fix thousands of applications, just the environment (sandbox)
     - Language Dependent Virtual Environment (Java)
   - Focused Attention
     - Only 4 areas that need to be looked at
       - Security policies
         - Configurable
       - Virtualization Layer
       - OS API
       - OS itself

25 Conclusion
   - Currently there are many tools and techniques for combating malware, but they are lacking in one form or another
   - Virtualization is a proven method for strong process and data isolation
   - Combined with layered security, it can defeat many forms of malware
   - Many benefits for both users and vendors alike
