Sandbox & Virtualization HIPS

Discussion in 'sandboxing & virtualization' started by CogitoErgoSum, Jul 20, 2006.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    RollbackRx itself has proved to be one of the most buggy applications for me. However, I can try BZ with RollbackRx for u, on my system, if u give me a download link.
     
  2. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Thank you ;). You can try any of the freeware versions; they are similar to the home version, except for a few details which shouldn't interfere here (BZ's firewall, for example).

    If you ever get the same problem as me, that's not a big problem with Rollback; all you have to do is reload another snapshot with the sub-system console in Rollback. At least that worked for me :).

    nicM
     
  3. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    Virtualization and sandboxing software has many advantages: it is easy to manage (limited user interaction) and to configure, and most of all, it makes incident recovery simpler and more reliable.

    With HIPS-based sandboxing and virtualization, security is not only intended for an elite of knowledgeable and skilled users (the case for most HIPS), but for the majority of them: teens, seniors, beginners, knowledgeable or not...
    From a consumer point of view, it's much more equal.

    VMWare is safe and sure, and I just mean that security provided by software is never absolute, with or without virtualization technologies.
    Infinity, it's important for an attacker to know if the target host is a native system or under VMWare: this information will determine the kind of attack. Under VMWare, it's not interesting to install any malware, but to make an "on the fly" attack as long as the workstation is running (example: data exfiltration via a tunneling backdoor).
    If exploits have already affected VMWare, they're not always necessary
    ( http://secunia.com/search/?search=vmware ).
    If the information gathering phase has shown that a VNC server is running, then a brute force attack will certainly be enough to launch a remote command in order to know if it is a native system or not.

    Currently, some research about "virtual rootkits" (SubVirt/BluePill) shows (but does not demonstrate, since the PoCs are not public) that virtualization subversions are possible.
    Loïc Duflot has also done some research about attacks via hardware (the processor, for instance) which can make some privilege escalations easier (the end of part 2 is related to virtualization): http://www.securityfocus.com/columnists/402

    But Infinity can keep his excellent beer in the fridge: a script kiddie will not wake up one morning and say: I have a dream... today I will break a VMWare workstation.
    There is a big difference between what is technically possible (exploits, remote access) and what statistically happens...

    Rasheed, there are no fingerprinting malwares, only fingerprinting tools managed by the hand and brain of an attacker or pen-tester!

    The next PDF paper is a summary of pen-testing methods (non-technical, and easy to understand):
    w.cert-in.org.in/training/23dec05/PT%20Methodologies.pdf

    SocketShield can't be considered an IDS: IDS products rely mostly on network attack misuse/signature detection and need packet libraries.
    Excellent AVs like KAV, BitDefender or NOD32 also have exploit detection and are not considered IDS.
    A similar and well known example of this kind of product is Blink:
    http://www.eeye.com/html/products/blink/index.html

    But I'm sure that DefenseWall is a HIPS and that DefenseWall or any other HIPS (PG/OA/SSM/Viguard/SnS etc.) is much more needed than SocketShield, which is just a "plus" in a line of defense.

    For information, virtualization or similar techniques are also used for network attack prevention:

    A summary about virtualization and security:
    http://www.virtualization.info/2006/07/security-by-virtualization.html

    Virtualization and honeypot: http://www.honeynet.org/papers/virtual/

    Intrusion prevention of network/zero day attacks:

    http://www.reflexsecurity.com/

    http://www.bufferxone.com/

    Hope this helps,

    regards
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    About malware breaking out of virtual machines, are hackers already able to do this? I mean there are currently not any known serious holes in VMware, if I'm correct? o_O
     
  5. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Known holes?

    Superhackers will use unknown (to you anyway) holes.

    Seriously, a more realistic consideration is malware that detects it is running in VMware (there are many trivial ways to do it), and doesn't do anything evil...

    When you think it is safe and try it on your production machine....

    I 'heard' attackers try to 'fingerprint' your operating system to learn more about the system, the software it runs, etc., so they can break it by looking for vulnerabilities.
     
  6. herbalist

    herbalist Guest

    Given enough time and access, a really talented hacker can crack into most anything. That said, most of the time a user isn't defending against a hacker. The user normally has to deal with trojans, viruses, and other "packaged malware" with a limited range of function. While a good hacker could defeat a virtual setup, malicious code as we know it now probably cannot, at least not yet.
    This is often true. All software has some vulnerability. There is no uncrackable software. By identifying what software you use, a good hacker will then try to exploit the known weaknesses in those apps. For example, some firewalls can be remotely disabled or killed outright if not properly configured. If a hacker can gain an entry point, either from a weakness in the firewall itself or, more likely, poorly written firewall rules, he may try to shut it down and make his task easier. Some firewalls ask you for the administrative password when you try to shut them down. If the user didn't set a password or used a weak one, this could be exploited relatively easily. Besides using a good password, another thing the user can do is use layered security. Layered security is more than a collection of security apps trying to cover "all the bases". They also have to protect each other. In this instance, a HIPS like SSM can be used to protect the firewall in several ways. First, it will prevent much of the malicious code from running in the first place. Beyond that, SSM has an option to "keep a process in memory". This restarts the process if something manages to terminate it. That option is ideal for supporting the firewall and AV.
    Right now, virtualization is enjoying an advantage over malware, but the more it's used, the more it will be targeted and eventually defeated. HIPS applications will be attacked as well. Each is just another step in an unending battle.
    Has anyone tried running virtualization software on a HIPS protected PC? Using a combination of both methods might be the way to go. Even if something can break out of the sandbox, it would still have to deal with a protected system, which would likely be beyond the ability of packaged malicious code for some time, requiring a talented "human touch" to successfully attack it.
    Rick
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Perhaps VMWare can be improved to make this stuff harder? Also, hopefully the hardware CPU support (Vanderpool, Pacifica) will make it almost impossible to break out of the VM. ;)
     
  8. stewieg

    stewieg Registered Member

    Joined:
    May 24, 2006
    Posts:
    3
    Here is a thread for VS.

    https://www.wilderssecurity.com/showthread.php?p=756621

    I haven't used BZ, but VS has worked pretty well for me for a few months now. They just put up a free version of version 1 on download.com now, so that's what I've been using.
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    What is the difference between free and paid version?
    Any slow downs or conflicts?
     
  10. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    :D
    Hi Kareldjag, I sincerely wanted to thank you for all the info you bring. As I am always willing to learn, your posts are truly amazing!

    Thanx!
     
  11. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    I cannot find any free versions of BZ at download.com, just a 60-day trial, but the BZ homepage does have their BZ - Single Application Edition for free.
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    He was talking of VS.
     
  13. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    My bad. I need to slow down when reading. I did find this though:

     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks.
     