Security through Isolation in Xen
Hi all,

Together with some other coworkers we have been working on a reference implementation of the security through isolation concept using virtualization. This project is using Xen to provide a contained virtualized environment where malware can run without affecting the whole system.
The goal for this project is to foster the usage of virtualization technology in client platforms (desktops and notebooks) using security as a usage driver. This reference implementation provides certain capabilities which serve as a starting point for the long term goal; some of them are:
- To manage paused Sandbox Virtual Machines, ready to be awakened instantaneously to execute suspicious applications
- To destroy and re-open the Sandbox Virtual Machines once the contained suspicious application has been closed

In particular, we think that the module which manages the ready-to-be-executed Sandbox VMs (VM-Pool at Domain 0) may be suitable for other purposes such as high availability of virtual appliances, short-delay responses for highly loaded services, among others; so we'd like to hear any suggestions on how to adapt it to meet new needs.
We invite you to try the current version of the project, Isolated Execution. You can find the code and the documentation about how to compile and install it at SourceForge: http://isolated-exec.sourceforge.net/. Also, at http://isolated-exec.sourceforge.net/?q=node/6, you can find a Flash description of what the "early product" does.

We'd appreciate receiving feedback from the community about the overall concept, and whether you'd like to go deeper into any aspect of it. Given that this is a reference implementation and is not complete, we think that the Xen Research Community is the right group to enrich the design and evolve the model. We invite you to post comments/suggestions at http://isolated-exec.sourceforge.net/?q=node/4.

Thanks and see you there!
Guillermo
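The announcement above describes the VM-Pool at Domain 0 (pre-created paused sandboxes, woken on demand, destroyed after use) and the later reply in this thread mentions that the suspicious file is sent into the sandbox over SSH. The following is an added illustration of that lifecycle, not code from the Isolated Execution project: a pool manager that keeps N paused domains, hands one out per request, copies the file in, refills the pool, and destroys the used domain instead of reusing it. The `xm create -p` / `xm unpause` / `xm destroy` invocations are the assumed Xen 3.x toolstack commands; the config path, domain naming and the scp destination are placeholders. By default it records the commands instead of running them, so it can be exercised offline.

```python
"""Toy model of a Domain-0 pool of pre-created, paused sandbox VMs (added example)."""
import subprocess
from collections import deque

# Placeholder domain config; the project's real file layout is not shown in the thread.
SANDBOX_CFG = "/etc/xen/sandbox.cfg"


def dry_run(argv, log):
    """Command runner that records the command instead of executing it."""
    log.append(" ".join(argv))
    return 0


def real_run(argv, log):
    """Command runner that actually invokes the toolstack (for a Dom0 with xm)."""
    log.append(" ".join(argv))
    return subprocess.call(argv)


class SandboxPool:
    """Keeps `size` paused sandboxes ready so a request never waits for domain creation."""

    def __init__(self, size, runner=dry_run):
        self.size = size
        self.runner = runner
        self.log = []            # every toolstack command issued, in order
        self.ready = deque()     # names of paused, never-used domains
        self.in_use = {}         # domain name -> file it is running
        self._next_id = 0
        for _ in range(size):
            self._spawn()

    def _spawn(self):
        """Create one domain and leave it paused (`xm create -p`)."""
        name = "sandbox-%d" % self._next_id
        self._next_id += 1
        rc = self.runner(["xm", "create", "-p", SANDBOX_CFG, "name=%s" % name], self.log)
        if rc != 0:
            raise RuntimeError("failed to create %s" % name)
        self.ready.append(name)
        return name

    def run_suspicious(self, path):
        """Wake one paused sandbox, copy the suspicious file in, and refill the pool."""
        if not self.ready:
            self._spawn()        # pool drained: fall back to a slow, synchronous create
        name = self.ready.popleft()
        self.runner(["xm", "unpause", name], self.log)
        # Transfer over SSH as the thread describes; host alias and target dir are assumed.
        self.runner(["scp", path, "sandbox@%s:C:/sandbox/" % name], self.log)
        self.in_use[name] = path
        self._spawn()            # keep `size` paused domains ready for the next request
        return name

    def release(self, name):
        """Destroy the sandbox once the application closes; a used domain is never reused."""
        self.in_use.pop(name)
        self.runner(["xm", "destroy", name], self.log)


if __name__ == "__main__":
    pool = SandboxPool(2)
    dom = pool.run_suspicious("/tmp/suspicious.exe")
    pool.release(dom)
    print("\n".join(pool.log))
```

The design point the pool makes is that the expensive step (domain creation) happens before any request arrives and is repeated right after each dispatch, while the cheap step (unpause) is on the request path; destroying rather than re-pausing a used domain is what keeps one sample's side effects from leaking into the next run.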
RE: Security through Isolation in Xen
Hi Mickaël,
Thanks for your interest in the project. Here are my answers...

>I'm interested in your project, and especially in how it is working now.
>Is it frozen? Are you still working on it? I hope so.

The project is in a pre-alpha stage. We are maintaining it and we are hoping
that people who are interested in the concept can continue our work.

>do you use XenStore to transfer the binary?

No, we are not using XenStore to send the file. Currently the file is being
sent through the network using SSH. This was our first approach; however, I
think there are many other mechanisms that will have better performance than
this one. For example, you can use shared memory between VMs; of course this
will impose a security risk that needs to be considered.

>And for the test guest, are you root too? If so, a malware could change
>the display result or something else to cheat on the result. If not, it could
>change some other stuff to bypass a simple "display result".

The guest that will run the suspicious file is a Windows machine. The
malware can do whatever it wants in that machine and it won't affect the
user VM. Right now, if you look at the screenshots, you will see that there
are two Windows machines. The final idea is that the user machine uses the
full screen and when it opens an application in the sandbox machine, the
application window is displayed on the user machine desktop, even when it
is actually running in the other VM. We were thinking about different
mechanisms to do this; one could be that Dom0 overlays the sandbox machine
display over the user VM, or maybe we can use the Windows XP window manager
or GDI+ to send the windows to the other machine (I don't know if this
is possible...)

>So, I think the only way to analyse a malware execution is to have an
>external point of view. Do you have a good (simple) solution to debug an
>application from a virtual host through the virtualizer?

No, we don't have a mechanism to do that yet. That should be one of the
features that Isolated Execution should provide to antivirus software to
allow it to detect malware or a virus in the sandbox, maybe based on
behavior.

>Have you got feedback for a security use?

We were always looking at the market needs for a solution like this. The
concept of security through isolation has been around for some time;
however, I think there are many problems with usability and deployment that
have not been solved yet. One example is what Symantec is doing
(http://news.cnet.com/8301-1009_3-10142893-83.html). The use case that they
are proposing is a user surfing the web and downloading a suspicious file;
then that file is run in a sandbox machine. This is very similar to what
Isolated Execution is proposing.

Well, as you can see, the project is in an early stage and there are many
things to do (another thing, for example, is how to copy the changes that were
made to the sandbox machine to the user machine if the file is not a virus).
So, you are welcome to participate.

Best regards,
Pablo

>-----Original Message-----
>From: Giusti, Gisela
>Sent: Tuesday, January 20, 2009 5:59 PM
>To: Passera, Pablo R
>Subject: FW: [Xen-research] Security through Isolation in Xen
>
> FYI
>
>-----Original Message-----
>From: Mickaël Salaün [mailto:mickael.salaun@digikod.net]
>Sent: Tuesday, January 20, 2009 5:57 PM
>To: Colsani, Guillermo E
>Cc: Protti, Duilio J; Giusti, Gisela
>Subject: Re: [Xen-research] Security through Isolation in Xen
>
>Hi all,
>
>I'm interested in your project, and especially in how it is working now.
>Is it frozen? Are you still working on it? I hope so.
>
>I have some questions about its design: do you use XenStore to
>transfer the binary? And if that is the correct way, you must have admin
>rights on the main host to send the file, isn't it? And for the test
>guest, are you root too? If so, a malware could change the display
>result or something else to cheat on the result. If not, it could
>change some other stuff to bypass a simple "display result".
>
>So, I think the only way to analyse a malware execution is to have an
>external point of view. Do you have a good (simple) solution to debug an
>application from a virtual host through the virtualizer?
>
>Have you got feedback for a security use?
>
>Best regards,
>Mickaël Salaün