Safe Vulnerability Assessment

Faculty

Tzi-cker Chiueh

Group Members

Fanglu Guo, Yang Yu 

Project Description

As the number of system vulnerabilities has multiplied in recent years, vulnerability assessment has emerged as a powerful system security administration tool that can identify vulnerabilities in existing systems before they are exploited. Although there are many commercial vulnerability assessment tools on the market, none of them can formally guarantee that the assessment process never compromises the computer systems being tested.


In one study, all of the scanners studied caused adverse effects on the network servers being tested, and some scanners crashed at least five servers during a single assessment run. According to a Nessus document, every existing network-based vulnerability scanner comes with the risk of crashing the systems or services being tested, or, even worse, leaving permanent damaging side effects. There are several reasons why this accidental damage can happen in practice. First, some protocol implementations do not handle errors well, so any unexpected input may crash them. Second, if a vulnerability is related to memory errors, e.g., a buffer overflow vulnerability, a scanner would send enough data to overflow the buffer, and the overflow could result in unpredictable program execution, including a program crash or undesirable modifications to the system state.


This project develops a vulnerability assessment support engine, Vase, that ensures the safety of the vulnerability testing process. Vase allows a vulnerability assessment tool to test an exact replica of a production-mode network service, including both hardware and system software components, while guaranteeing that the production-mode network service is fully isolated from the testing process.


Vase has two components: the Feather-weight Virtual Machine (FVM) and the network application duplicator. FVM is a virtual machine technology that creates virtual machines at the operating system layer. An FVM virtual machine is an execution environment on the Microsoft Windows platform in which applications have the illusion of accessing the operating system exclusively. Thus, to applications, each FVM virtual machine looks as real as the native host machine. The network application duplicator is a tool that prepares an FVM virtual machine and duplicates all network applications from the host machine into that FVM virtual machine.


Although existing virtual machine technologies such as VMware do provide full isolation, they are not appropriate for vulnerability testing because it takes too long to clone a virtual machine from a physical machine, especially for systems with hundreds of gigabytes of active disk space. Moreover, any patching or reconfiguration of the physical machine requires a full copy to re-synchronize the physical and virtual machines. Instead, Vase uses FVM to clone a physical machine into a virtual machine quickly, which makes it possible to conduct vulnerability assessment in an automatic and safe way.
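The cloning and isolation properties described above can be modelled compactly. The following Python is an added example written for this page, not FVM code or anything from the project: it models a file namespace and a registry namespace as copy-on-write overlays over shared host state, which is a common way to realize OS-level isolation and is this example's own assumption about the mechanism, not a description of FVM's internals taken from the page. All paths, contents, and the "KB-placeholder" value are constructed.

```python
"""Copy-on-write namespace model of OS-level isolation (constructed example).

A host namespace (files and registry keys, each modelled as a dict) is shared
read-only with a cloned virtual machine. Every write or delete the clone
performs lands in a private overlay, so the host's state never changes, the
clone is created in O(1) time without copying data, and changes made on the
host after cloning are visible to the clone on the next read.
"""

_DELETED = object()  # whiteout sentinel: path removed in the overlay


class HostNamespace:
    """Production-machine state: path -> content for files and registry."""

    def __init__(self):
        self.files: dict = {}
        self.registry: dict = {}


class CowView:
    """One clone's view of a single namespace: reads fall through to the host
    unless the overlay shadows the path; writes and deletes touch only the
    overlay."""

    def __init__(self, base: dict):
        self._base = base  # shared by reference, never mutated here
        self._overlay: dict = {}

    def read(self, path):
        if path in self._overlay:
            value = self._overlay[path]
            if value is _DELETED:
                raise FileNotFoundError(path)
            return value
        if path in self._base:
            return self._base[path]
        raise FileNotFoundError(path)

    def write(self, path, value):
        self._overlay[path] = value

    def delete(self, path):
        if path not in self._overlay and path not in self._base:
            raise FileNotFoundError(path)
        self._overlay[path] = _DELETED

    def listing(self):
        """Paths the clone can see: host plus overlay, minus whiteouts."""
        names = set(self._base) | set(self._overlay)
        return sorted(n for n in names if self._overlay.get(n) is not _DELETED)

    def modified_paths(self):
        """Everything the clone touched; discarding the overlay undoes it all."""
        return sorted(self._overlay)


class Clone:
    """An OS-level clone: one copy-on-write view per host namespace."""

    def __init__(self, host: HostNamespace):
        self.files = CowView(host.files)
        self.registry = CowView(host.registry)


def run_scenario():
    """Clone a host, let a simulated scan mutate the clone, report what changed."""
    index = "C:\\inetpub\\wwwroot\\index.html"
    hosts = "C:\\Windows\\System32\\drivers\\etc\\hosts"
    version = "HKLM\\SOFTWARE\\ProdApp\\Version"
    patched = "HKLM\\SOFTWARE\\ProdApp\\Patched"

    host = HostNamespace()  # constructed sample state
    host.files[index] = b"<html>prod</html>"
    host.files[hosts] = b"127.0.0.1 localhost"
    host.registry[version] = "1.0"
    files_before = dict(host.files)

    clone = Clone(host)  # no data is copied

    # Side effects a scan run might leave behind, applied to the clone only
    clone.files.write(index, b"<html>modified by test</html>")
    clone.files.write("C:\\Temp\\scanner_drop.tmp", b"junk")
    clone.files.delete(hosts)
    clone.registry.write(version, "0.0-broken")

    # A patch applied on the host after cloning ("KB-placeholder" is made up)
    host.registry[patched] = "KB-placeholder"

    try:
        clone.files.read(hosts)
        clone_hosts_gone = False
    except FileNotFoundError:
        clone_hosts_gone = True

    return {
        "host_files_unchanged": host.files == files_before,
        "host_version_intact": host.registry[version] == "1.0",
        "clone_sees_own_writes": clone.files.read(index) == b"<html>modified by test</html>",
        "clone_hosts_gone": clone_hosts_gone,
        "host_hosts_present": hosts in host.files,
        "clone_sees_host_patch": clone.registry.read(patched) == "KB-placeholder",
        "clone_listing": clone.files.listing(),
        "clone_modified": clone.files.modified_paths(),
        "fresh_clone_is_clean": Clone(host).files.read(index) == b"<html>prod</html>",
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the module prints the scenario results: the host's files and registry values are unchanged after the clone has overwritten, created, and deleted entries, the clone sees its own changes (the deleted hosts file is hidden by a whiteout), a patch made on the host after cloning is visible through the clone's view without any re-copy, and a fresh clone starts from clean host state. The same model explains why a full-copy approach is costly: every host change would have to be replicated into the copy rather than falling through the overlay.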


The challenges of this project are as follows:

- Design and implementation of the virtualization and isolation logic of FVM on Microsoft Windows.
- Automatic and fast creation of duplicate network applications on the same physical machine for vulnerability assessment.


The key contribution of this project is that it automates the entire process of vulnerability testing and thus, for the first time, makes it feasible to run vulnerability testing as frequently and safely as traditional virus scanning.


Experiments on a Windows-based prototype show that Nessus assessment results against an FVM virtual machine are identical to those against a real machine. Furthermore, modifications to the file system and registry state made by vulnerability assessment runs are completely isolated from the host machine. Finally, the performance impact of vulnerability assessment runs on production network services is as low as 3%.

Publications

- Fanglu Guo, Yang Yu, and Tzi-cker Chiueh, "Automated and Safe Vulnerability Assessment," in Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC 2005), December 2005 (Best Paper Award)
- Yang Yu, Fanglu Guo, Lap-chung Lam, Susanta Nanda, and Tzi-cker Chiueh, "Feather-weight Virtual Machine and Its Applications," under submission

Related Work

- Hardware-level VM
  - VMware
  - Microsoft Virtual PC
  - Xen: Barham, P., Dragovic, B., Fraser, K., Hand, S., Harris, T., Ho, A., Neugebauer, R., Pratt, I., and Warfield, A. 2003. Xen and the art of virtualization. In Proceedings of the Nineteenth ACM Symposium on Operating Systems Principles (Bolton Landing, NY, USA, October 19-22, 2003). SOSP '03. ACM Press, New York, NY, 164-177. DOI: http://doi.acm.org/10.1145/945445.945462
- OS-level VM
  - FVM, http://www.ecsl.cs.sunysb.edu/fvm/
  - GreenBorder, http://www.greenborder.com/
  - Jails: Confining the omnipotent root
  - Linux VServer
  - Sphera, Shared Hosting
  - SWsoft, Virtual Private Server
  - Zhenkai Liang, V. N. Venkatakrishnan, and R. Sekar. "Isolated Program Execution: An Application Transparent Approach for Executing Untrusted Programs," in Proceedings of the 19th Annual Computer Security Applications Conference (ACSAC '03), p. 182, 2003. DOI: http://doi.ieeecomputersociety.org/10.1109/CSAC.2003.1254323
- Vulnerability assessment
  - An article that surveys dozens of vulnerability assessment tools
  - http://www.tenablesecurity.com/images/pdfs/blended_security_checks.pdf