
RUHR-UNIVERSITY BOCHUM
Chair for System Security
Exercises Operating System Security, WS2009/10

Exercise 1: with VirtualBox
Duration: 45 min, Maximum Points: 10

Introduction

Virtualization is mainly used for two reasons: to enable (hardware) resource sharing and to isolate various computing environments (isolation). While the first increases efficiency, the latter can strengthen security by enforcing process and resource separation. The Virtual Machine Monitor (VMM) is a software component located between the hardware and the Virtual Machine (VM), or between the Host Operating System (Host OS) and the VM, depending on the type of virtualization. Goldberg [1] defined two types of VMMs: Type I VMMs run on the bare machine hardware; Type II VMMs run on a Host OS. VirtualBox is a virtualization software of Type II. It can run 32-bit as well as 64-bit operating systems in a VM on top of a Host OS, and it can either use the virtualization features of modern Intel and AMD processors or virtualize the VM entirely in software.

As the practical exercises of this course will make use of VirtualBox, it is essential that you are familiar with it. You will find an exhaustive introduction to virtualization in general at http://www.kernelthread.com/publications/virtualization/. The VirtualBox User Manual [2] is also a good guide for the practical exercises. Don't hesitate to use it!

1 Homework (3 Points)

1. In which scenarios is virtualization useful? Give a short explanation why.

2. What is a snapshot and what does the virtualization software do when you take a snapshot? How does it handle the virtual disk?

3. Think of the following two scenarios and explain what kind of virtualization software (…, hardware-assisted virtualization or para-virtualization) you would choose! Justify your decision!

   a) You have an old, closed-source OS for which vendor support has expired. Your supervisor asks you to run two instances of it (one as a mail server and one as a database server) on an older, unused server.

   b) The IT Department wants to use this brand new open-source OS. They need to run several instances of this OS. Unfortunately, they spend most of their money on lightsabers, USB coffee-cup heaters and so forth. Your job is to buy hardware and make the VMs as fast as possible for the least amount of money.


2 Practical Exercises

2.1 Creating a Virtual Machine and Installing an Operating System (2 Points)

• Start VirtualBox.

• Create a virtual machine with the following configuration:
  Name: DSL
  OS Type: Linux 2.4
  Base Memory Size: 256
  Virtual Hard Disk: dynamically expanding, Image file name: dsl, Image size: 1 GB

• Mount the ISO file dsl-4.4.6.iso to the virtual CD-ROM.

• Now, start the VM and boot from CD-ROM.

• You will see the DSL boot prompt. Type install and hit Enter.

• Before you can install the OS, you need to prepare the hard drive. Create a partition table with the following partitions. (Attention: the keyboard layout of the started system is en-US! So the letter y is on the German key z.)

                 part. type:   FS type:                size:      flag:
  1. partition   primary       linux swap (type 82)    256MB
  2. partition   primary       linux (type 83)         the rest   Bootable

• Go back to the DSL install options screen. Choose: install to hard drive

• When you are asked for a bootloader, choose GRUB.

• During the reboot process the system wants you to eject the CD. Unmount the CD and press enter.

• During the first boot, DSL will ask you for some passwords. Just leave them blank and cancel the DSL X Setup dialog.

• If you like, you can now change the keyboard layout to DE in the control panel. Congratulations! You have just installed a DamnSmallLinux into your VM.

2.2 Getting Familiar with Snapshots (1 Point)

• Create a snapshot of your running VM.

• In the following we simulate an attack or a system failure. To do so, open a terminal and type: sudo rm /boot/linux24


• Reboot.

• You will notice that the system is not able to boot.

• Revert to the previously taken snapshot and start the VM again.

• Your system should run again now.
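The following toy model is an added illustration of what happens on the disk in exercise 2.2; it is not VirtualBox code and the block layout (one tiny block per file, the kernel in block 7) is constructed. A snapshot freezes the current disk image as a read-only base and starts an empty differencing (copy-on-write) image on top of it; reads walk the chain downwards, writes land in the topmost image, and a revert throws the differencing image away. That is why the removed kernel is back after reverting.

```python
"""Toy model of snapshot-backed virtual disks (added illustration, not VirtualBox code)."""
from __future__ import annotations

BLOCK_SIZE = 4  # bytes per block in this toy model (real images use 512 B or larger)


class DiskImage:
    """One image in a snapshot chain: a sparse map of block number -> data."""

    def __init__(self, parent: DiskImage | None = None) -> None:
        self.parent = parent
        self.blocks: dict[int, bytes] = {}

    def read_block(self, n: int) -> bytes:
        """Return block n from the newest image in the chain that holds it."""
        img: DiskImage | None = self
        while img is not None:
            if n in img.blocks:
                return img.blocks[n]
            img = img.parent
        return b"\x00" * BLOCK_SIZE  # never written anywhere: reads as zeros

    def write_block(self, n: int, data: bytes) -> None:
        if len(data) != BLOCK_SIZE:
            raise ValueError("data must be exactly one block")
        self.blocks[n] = data


class VirtualMachine:
    """Active disk image plus the stack of frozen snapshot bases."""

    def __init__(self) -> None:
        self.disk = DiskImage()
        self.snapshots: list[DiskImage] = []

    def take_snapshot(self) -> None:
        # The active image becomes a frozen base; all new writes go to a fresh child.
        self.snapshots.append(self.disk)
        self.disk = DiskImage(parent=self.disk)

    def revert_to_snapshot(self) -> None:
        # Discard every write made since the snapshot; the base image itself is kept.
        self.disk = DiskImage(parent=self.snapshots[-1])

    # Helpers that treat one block as one small file.
    def write_file(self, block: int, content: bytes) -> None:
        self.disk.write_block(block, content.ljust(BLOCK_SIZE, b"\x00"))

    def delete_file(self, block: int) -> None:
        self.disk.write_block(block, b"\x00" * BLOCK_SIZE)

    def file_exists(self, block: int) -> bool:
        return any(self.disk.read_block(block))


def simulate_exercise() -> dict[str, object]:
    """Replay exercise 2.2: snapshot, delete the kernel, revert."""
    kernel_block = 7  # constructed: pretend /boot/linux24 occupies block 7
    vm = VirtualMachine()
    vm.write_file(kernel_block, b"krnl")
    vm.take_snapshot()
    vm.delete_file(kernel_block)  # the simulated "sudo rm /boot/linux24"
    result: dict[str, object] = {
        "kernel_after_delete": vm.file_exists(kernel_block),
        "writes_in_child_image": len(vm.disk.blocks),  # the deletion lives only here
    }
    vm.revert_to_snapshot()
    result["kernel_after_revert"] = vm.file_exists(kernel_block)
    result["base_image_untouched"] = vm.snapshots[-1].blocks[kernel_block] == b"krnl"
    return result


if __name__ == "__main__":
    for key, value in simulate_exercise().items():
        print(f"{key}: {value}")
```

Note that the base image is never written after the snapshot was taken; everything the guest changes, including the deletion, is confined to the child image, which is the only thing the revert discards.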

2.3 Networking (4 Points)

Prepare the following steps:

• Assign a network interface in Network Address Translation (NAT) mode to one VM (choose one of the available VMs from your VirtualBox installation).

• Assign a network interface in Host Interface Networking (HIF) mode to another VM.

Start the VMs and copy a file directly from one VM to the other VM using a direct network connection. For example, use protocols like the File Transfer Protocol (FTP) or the Secure Copy Protocol (SCP).

1. Which direction did you choose: NAT → HIF or HIF → NAT?

2. Is the other way round also possible? If it is possible, what would you have to do to make it work?

3. Sniff the network interface of the host. Which traffic can you see?

4. Set up a network between the two VMs so the host cannot see the traffic of this network by sniffing its network interface.

(Be aware that this is not a secure way to share data. If someone has control over the host, he can control every piece of software running on this host and can therefore change the virtualization software to reveal this data. Also, the information has to be stored somewhere in the hardware (e.g., RAM), and others can simply access this hardware to read the data.)
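To reason about the two adapter modes used above, here is an added toy model of VirtualBox's NAT engine next to a VM with its own LAN address; it is not VirtualBox code, and every address and port number in it is constructed (10.0.2.15 is only the default a NAT-mode guest receives). Outgoing packets of the NAT guest are rewritten to carry the host's address and a fresh source port, the mapping is kept in a connection table, and incoming packets are only translated back if they match that table or a static port-forwarding rule.

```python
"""Toy model of NAT-mode and HIF-mode adapters (added illustration, not VirtualBox code)."""
from __future__ import annotations

from dataclasses import dataclass

NAT_GUEST = "10.0.2.15"     # default address VirtualBox hands to a NAT-mode guest
HOST_LAN = "192.168.1.10"   # host's LAN address (constructed)
HIF_GUEST = "192.168.1.20"  # HIF-mode guest with its own address on the LAN (constructed)
SSH_PORT = 22               # SCP runs over SSH


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatEngine:
    """Minimal address-and-port translator with a connection table."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map: dict[tuple[str, int], int] = {}   # (guest ip, guest port) -> public port
        self.in_map: dict[int, tuple[str, int]] = {}    # public port -> (guest ip, guest port)
        self.forwards: dict[int, tuple[str, int]] = {}  # static rules: host port -> guest

    def add_port_forward(self, host_port: int, guest_ip: str, guest_port: int) -> None:
        self.forwards[host_port] = (guest_ip, guest_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Guest -> LAN: the source is rewritten to the host address and remembered."""
        key = (pkt.src, pkt.sport)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.out_map[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Packet | None:
        """LAN -> guest: only replies to known connections or forwarded ports get in."""
        target = self.in_map.get(pkt.dport) or self.forwards.get(pkt.dport)
        if target is None:
            return None  # unsolicited packet: nothing behind the NAT is reachable for it
        guest_ip, guest_port = target
        return Packet(pkt.src, pkt.sport, guest_ip, guest_port)


def scp_from_nat_to_hif() -> dict[str, object]:
    """NAT guest connects to the HIF guest's SSH daemon; the reply finds its way back."""
    nat = NatEngine(HOST_LAN)
    on_wire = nat.outbound(Packet(NAT_GUEST, 51000, HIF_GUEST, SSH_PORT))
    reply = Packet(HIF_GUEST, SSH_PORT, on_wire.src, on_wire.sport)
    delivered = nat.inbound(reply)
    return {
        "address_seen_by_hif_vm": on_wire.src,  # the host's address, not 10.0.2.15
        "reply_reaches_nat_guest": delivered is not None and delivered.dst == NAT_GUEST,
    }


def scp_from_hif_to_nat(with_port_forward: bool) -> bool:
    """HIF guest tries to open SSH towards the NAT guest via the host's address."""
    nat = NatEngine(HOST_LAN)
    host_port = SSH_PORT
    if with_port_forward:
        host_port = 2222  # constructed: host port 2222 forwarded to the guest's SSH port
        nat.add_port_forward(host_port, NAT_GUEST, SSH_PORT)
    delivered = nat.inbound(Packet(HIF_GUEST, 51001, HOST_LAN, host_port))
    return delivered is not None and delivered.dst == NAT_GUEST and delivered.dport == SSH_PORT


if __name__ == "__main__":
    print(scp_from_nat_to_hif())
    print("HIF -> NAT without forwarding:", scp_from_hif_to_nat(False))
    print("HIF -> NAT with forwarding:", scp_from_hif_to_nat(True))
```

The model also explains what a sniffer on the host interface sees in question 3: the NAT guest's traffic appears with the host's own address and a translated port, whereas the HIF guest's traffic carries the guest's own address.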

3 Bonus Exercises (+3 Points)

An interesting area using VM technology is the application of so-called honeypot environments ("honeypots"). A honeypot is only apparently an exact copy of a productive computing environment. It is used to attract the adversaries' interest in attacking computer systems in order to collect data about their techniques and behaviour. However, adversaries may be able to detect that the target system is running in a VM and thus may let their malware behave differently to counter analysis. But not only adversaries are interested in VM detection. Think of malware that uses virtualization technology: it may be hard to detect by conventional malware scanners. You can use http://bluepillproject.org as a starting point for your research. Keep in mind that Rutkowska has a hacker-centric point of view which is not always scientific. List all the references you refer to.

1. Name the four different categories of methods for detecting that you are running inside a VM and give a short explanation of each of them.

2. At the BlackHat 2006 conference, Rutkowska introduced a VM technology called "BluePill". BluePill claims to prevent VM detection. Discuss each of the four different VM detection approaches in the context of their effect on BluePill.

3. Think of the following scenario: You assume that you have a VMM running directly on the platform's hardware (no Host OS). Inside this VMM runs an operating system. An adversary has managed to install a bluepilled VMM between the hardware and the VMM. Can you detect the bluepilled VMM from inside the Guest OS? Explain!

4. Where else can you place the bluepilled VMM detection software? Will this approach be more promising, and is there a drawback to this approach?

References

[1] R. P. Goldberg. Architecture of virtual machines. In Proceedings of the ACM Workshop on Virtual Computer Systems, Cambridge, Massachusetts, United States, 1973, pages 74–112.

[2] Sun Microsystems, Inc. VirtualBox User Manual, Version 3.0.8. Available online at http://download.virtualbox.org/virtualbox/3.0.8/UserManual.pdf.
