Análise de botnet utilizando plataforma de simulação com máquinas virtuais visando detecção e contenção. / Analysis of botnet using simulation platform with virtual machines for detection and containment.

Muzzi, Fernando Augusto Garcia

09 December 2010

As redes de computadores e a internet são ambientes cada vez mais complexos e surgem a cada dia novos serviços, usuários e infraestruturas. A segurança e a privacidade da Informação tornam-se fundamentais para a evolução desses ambientes. O anonimato, a fragilidade da segurança e outros fatores muitas vezes estimulam indivíduos mal-intencionados a criarem ferramentas e técnicas de ataque a sistemas computacionais, resultando em prejuízos de diversas naturezas. A internet cresceu muito nos últimos anos e junto com esse crescimento surgiram novas ameaças, por exemplo, as botnets. Botnet é uma rede formada por bots (robôs), que tornam o computador da vítima infectado e monitorado por agente externo. O grande problema das botnets é que podem ser usadas por grupos mal-intencionados para promover ataques, com efeito prejudicial às pessoas, entidades, organizações e nações. Todavia, apesar de uma grande quantidade de estudos realizados pela comunidade de segurança nos últimos anos, há necessidade de mais estudos sobre o comportamento, propagação e contenção, até pelo fato de haver uma grande variação de métodos de infecção e propagação nesse tipo de ataque. Nesse contexto, esta tese analisa o comportamento da botnet Rxbot e implementa serviços de segurança, como IDS, regras de filtro de pacotes, para analisar e conter a propagação das botnets. É utilizada para análise uma plataforma de simulação, utilizando máquinas virtuais que provêem um ambiente com sistema operacional Windows. As principais contribuições são a detecção e contenção da propagação da botnet utilizando diversos serviços de segurança e análise da propagação dos pacotes do tipo SMTP, por meio da utilização da plataforma de simulação. / Computer networks and the Internet are increasingly complex and new services, users and infrastructure appear every day. The security and privacy of information become critical for the evolution of these infrastructures and services. The anonymity, the fragility of security, and other factors often encourage the malintentioned persons to create tools and techniques to attack computer systems, resulting in losses of various kinds. The Internet has grown in recent years and along with this growth come new threats, such as botnets. Botnet is a network of bots (robots) that make the victim\'s computer become infected and monitored or controled by an external agent. The big problem of botnets is that they can be used by groups to promote malicious attacks, with detrimental effect to people, groups, organizations and nations. However, despite a large amount of studies conducted by the security community in recent years, there is need for further studies on the behavior, spread and containment, due to variation of methods of infection and spread in such attacks. In this context, this thesis analyzes the behavior of botnet Rxbot and implements security services such as IDS, packet filter rules, to analyze and contain the spread of botnets. A simulation platform with virtual machine, providing Windows operating system environment is used. The main contributions are the detection and containment of the spread of botnet using various security services and propagation analysis packages like SMTP by using the simulation platform.

Botnet

Botnet

Máquina virtual

Simulação

Simulation

Virtual machine

Análise de botnet utilizando plataforma de simulação com máquinas virtuais visando detecção e contenção. / Analysis of botnet using simulation platform with virtual machines for detection and containment.

Fernando Augusto Garcia Muzzi

09 December 2010

As redes de computadores e a internet são ambientes cada vez mais complexos e surgem a cada dia novos serviços, usuários e infraestruturas. A segurança e a privacidade da Informação tornam-se fundamentais para a evolução desses ambientes. O anonimato, a fragilidade da segurança e outros fatores muitas vezes estimulam indivíduos mal-intencionados a criarem ferramentas e técnicas de ataque a sistemas computacionais, resultando em prejuízos de diversas naturezas. A internet cresceu muito nos últimos anos e junto com esse crescimento surgiram novas ameaças, por exemplo, as botnets. Botnet é uma rede formada por bots (robôs), que tornam o computador da vítima infectado e monitorado por agente externo. O grande problema das botnets é que podem ser usadas por grupos mal-intencionados para promover ataques, com efeito prejudicial às pessoas, entidades, organizações e nações. Todavia, apesar de uma grande quantidade de estudos realizados pela comunidade de segurança nos últimos anos, há necessidade de mais estudos sobre o comportamento, propagação e contenção, até pelo fato de haver uma grande variação de métodos de infecção e propagação nesse tipo de ataque. Nesse contexto, esta tese analisa o comportamento da botnet Rxbot e implementa serviços de segurança, como IDS, regras de filtro de pacotes, para analisar e conter a propagação das botnets. É utilizada para análise uma plataforma de simulação, utilizando máquinas virtuais que provêem um ambiente com sistema operacional Windows. As principais contribuições são a detecção e contenção da propagação da botnet utilizando diversos serviços de segurança e análise da propagação dos pacotes do tipo SMTP, por meio da utilização da plataforma de simulação. / Computer networks and the Internet are increasingly complex and new services, users and infrastructure appear every day. The security and privacy of information become critical for the evolution of these infrastructures and services. The anonymity, the fragility of security, and other factors often encourage the malintentioned persons to create tools and techniques to attack computer systems, resulting in losses of various kinds. The Internet has grown in recent years and along with this growth come new threats, such as botnets. Botnet is a network of bots (robots) that make the victim\'s computer become infected and monitored or controled by an external agent. The big problem of botnets is that they can be used by groups to promote malicious attacks, with detrimental effect to people, groups, organizations and nations. However, despite a large amount of studies conducted by the security community in recent years, there is need for further studies on the behavior, spread and containment, due to variation of methods of infection and spread in such attacks. In this context, this thesis analyzes the behavior of botnet Rxbot and implements security services such as IDS, packet filter rules, to analyze and contain the spread of botnets. A simulation platform with virtual machine, providing Windows operating system environment is used. The main contributions are the detection and containment of the spread of botnet using various security services and propagation analysis packages like SMTP by using the simulation platform.

Botnet

Máquina virtual

Simulação

Botnet

Simulation

Virtual machine

BUILDING A SECURE NETWORK TEST ENVIRONMENT USING VIRTUAL MACHINES

Lee, Byungjin

01 June 2019

The objective of this project is to provide an overview of how to create a secure network test environment using virtual machines with Red Hat CentOS 7. Using virtual machines to create a secure network test environment simplify the workflow of testing several servers including network segmentation, network path redundancy, and traffic control using a firewall. This study suggests a set of guidelines for building a secure network test environment that includes a Domain Name Server (DNS), Web Server, File Transfer Protocol (FTP) Server, and a firewall. The documentation provided in this project is primarily useful for IT students looking to recreate a similar environment of their own and to practice special skills needed within their field of study.

secure network test environment

virtual machine

Computer Engineering

A Virtual Machine for a Type-omega Denotational Proof Language

III, Teodoro Arvizo

01 June 2002

In this thesis, I designed and implemented a virtual machine (VM) for a monomorphic variant of Athena, a type-omega denotational proof language (DPL). This machine attempts to maintain the minimum state required to evaluate Athena phrases. This thesis also includes the design and implementation of a compiler for monomorphic Athena that compiles to the VM. Finally, it includes details on my implementation of a read-eval-print loop that glues together the VM core and the compiler to provide a full, user-accessible interface to monomorphic Athena. The Athena VM provides the same basis for DPLs that the SECD machine does for pure, functional programming and the Warren Abstract Machine does for Prolog.

AI

virtual machine

SECD

SECD machine

denotational proof language

Athena

Système dynamique d'inclusion partielle des méthodes dans l'interpréteur de la machine virtuelle Java Sablevm

Vézina, Sébastien

January 2008

La compilation de codee source vers du code octet combiné avec l'utilisation d'une machine virtuelle ou d'un interpréteur pour l'exécuter est devenue une pratique courante qui permet de conserver une indépendance face à la plateforme matérielle. Les interpréteurs sont portables et offrent une simplicité de développement qui en font un choix intéressant pour la conception de prototypes de nouveaux langages de programmation. L'optimisation des techniques d'interprétation existantes est un sujet de recherche qui nous intéresse particulièrement. Nous avons voulu, par l'entremise de notre projet de recherche, étudier jusqu'où il est possible de pousser l'optimisation dans un interpréteur. Après avoir étudié les types d'interpréteurs existants, nous avons constaté que les interpréteurs les plus performants se basent tous sur le même principe: La réduction du coût associé aux répartitions entre les instructions interprétées. Ce coût est causé par les instructions de répartitions elles-mêmes, mais surtout par l'augmentation du taux d'erreur qu'elles procurent dans les prédicteurs de branchement qui se trouvent au sein des processeurs modernes. Des mauvaises prédictions de branchements occasionnent des coûts importants sur une architecture pipelinée. L'interpréteur linéaire inclusif est un des plus performants qui existe. En nous basant sur cet interpréteur, nous avons fait la conception et l'implémentation d'un mécanisme qui lui permet d'augmenter la longueur des ses super-instructions et par le fait même de diminuer le nombre de répartitions pendant l'exécution. Nous avons mis au point un mécanisme dynamique d'inclusion partielle des méthodes dans cet interpréteur. Nous avons aussi conçu un système de profilage qui nous permet de détecter les sites d'invocations chauds et d'y effectuer l'inclusion du chemin le plus fréquenté de la méthode appelée. En brisant ainsi la frontière entre le corps des méthodes, nous parvenons à augmenter la longueur moyenne des super-instructions. Nous avons surmonté et résolu toutes les difficultés inhérentes à l'implémentation d'un tel système dans une véritable machine virtuelle Java (synchronisation, exceptions, présence d'un nettoyeur de mémoire, présence de sous routines dans le code octet Java). Nous fournissons une étude empirique de l'impact de notre système sur un interpréteur linéaire inclusif en exécutant des applications Java d'envergure. Dans tous les cas étudiés, on arrive à augmenter la longueur moyenne des super-instructions invoquées et à diminuer le nombre de répartitions pendant l'exécution. ______________________________________________________________________________ MOTS-CLÉS DE L’AUTEUR : Interpréteur, Inclusion, Inclusion partielle, Profilage, Machine virtuelle, Java, JVM, SableVM.

Java virtual machine (Logiciel)

Interpréteur (Logiciel)

Compilation (Informatique)

Code-octet

Interface de débogage de la machine virtuelle Java

Ahmouda, Nizar

January 2006

Le débogage tient une place grandissante dans le cycle de développement d'un logiciel. Les recherches dans ce domaine tentent de créer des outils permettant un accès plus rapide aux fautes, quel que soit le langage de programmation utilisé. Étant donné l'indépendance du code Java vis-à-vis de la plateforme sur laquelle il est exécuté, la machine virtuelle Java doit fournir un ensemble de mécanismes permettant aux outils de débogage d'accéder aux informations relatives à l'exécution de l'application déboguée. Bien que la grande majorité des machines virtuelles commerciales soient dotées de mécanismes de support au débogage, aucune libre, en revanche, n'offrait une telle fonctionnalité à l'achèvement de nos travaux. La principale motivation derrière ce mémoire a été la mise en lumière des différentes étapes jalonnant la mise en place d'une architecture de débogage Java totalement libre. Nous décrivons ici le choix de l'architecture et les critères nous ayant conduits à ce choix. Nous détaillons également les entités intervenant dans cette architecture, leur nature et leur rôle. Nous proposons enfin une critique constructive des normes régissant ce domaine, suggérant quelques améliorations possibles. Dans le cadre de nos travaux, nous avons réalisé l'implantation de l'interface de débogage Java (Java Virtual Machine Debug Interface, JVMDI) au sein de SableVM, machine virtuelle Java libre et conforme aux normes. D'autre part, nous avons développé un module indépendant permettant d'établir la connexion entre machine virtuelle Java et débogueur. Ce module gère également les objets manipulés durant une session de débogage, ainsi que les événements générés par la machine virtuelle. Finalement, nous avons connecté les éléments conçus ou modifiés dans le cadre de notre étude à d'autres éléments existants au préalable (Eclipse, un débogueur Java disponible librement). Les résultats obtenus lors des tests nous ont conforté dans les différents choix effectués lors du développement. L'utilisation de débogueurs totalement indépendants de la machine virtuelle utilisée, tel Eclipse, et la bonne tenue des sessions de débogage effectuées ont permis la validation de la conformité de nos travaux aux normes en vigueur. ______________________________________________________________________________ MOTS-CLÉS DE L’AUTEUR : Machine virtuelle, Java, SableVM, Débogage, Interface de débogage, Architecture de débogage, JDWP, JVMDI, JPDA, JVMTI, JRE.

Java virtual machine (Logiciel)

Mise au point (Informatique)

Interface (Informatique)

Preuve de validité du vérificateur de code octet Java

Lazaar, Jamal

January 2008

L'utilisation du langage Java dans plusieurs environnements (web, systèmes embarqués, systèmes mobiles, etc.) a élevé considérablement le niveau d'exigence envers ce langage, ce qui a amené les chercheurs et les développeurs à s'intéresser au système de sécurité de la Machine Virtuelle Java (MVJ) qui repose principalement sur le vérificateur du code octet. Dans ce mémoire, nous expliquons le fonctionnement du vérificateur Java, son rôle, les différentes techniques proposées pour son implémentation et un algorithme que nous proposons comme alternative sérieuse aux autres vérificateurs qui existent déjà. Nous nous intéresserons plus particulièrement à l'effet des sous-routines sur le bon typage des instructions. Nous présentons aussi une nouvelle approche de vérification de la synchronisation en nous basant sur l'analyse de flot de données et en identifiant les références qui pointent vers le même objet. ______________________________________________________________________________ MOTS-CLÉS DE L’AUTEUR : Machine Virtuelle Java, Code octet, Vérificateur, Synchronisation, Java, ClassLoader, Instructions, Treillis, Analyse de flot de données, Fonctions de transfert, Point fixe.

Java virtual machine (Logiciel)

Code-octet

Vérification formelle

Structuring extensions in system infrastructure software using aspects

Baldwin, Jennifer Ellen

28 September 2006

Many significant system extensions are hard to modularize. Consequently, their addition to a software system can jeopardize fundamental software engineering principles such as maintainability, understandability and evolvability. For example, the distributed Java Virtual Machine (dJVM) is a cluster aware implementation of a JVM in which distribution was retroactively added as an extension to an existing system. The prototype implementation of the dJVM relies on a patch file applied to IBM’s Jikes Research Virtual Machine (RVM), introducing distribution code into roughly 55% of the original 1166 Java files. In order to better determine the efficacy of modern modularization techniques such as aspect-oriented programming (AOP) in the context of system extensions, we offer up a case study based on distribution. The thesis of this work is that aspects can enhance extensibility of low-level system infrastructure software and be effectively integrated with existing software practices for introducing widespread change.

Distribution

Aspect-Oriented Programming

Patch

Java Virtual Machine

Computer Science

Performance Optimization of Linux Networking for Latency-Sensitive Virtual Systems

January 2015

abstract: Virtual machines and containers have steadily improved their performance over time as a result of innovations in their architecture and software ecosystems. Network functions and workloads are increasingly migrating to virtual environments, supported by developments in software defined networking (SDN) and network function virtualization (NFV). Previous performance analyses of virtual systems in this context often ignore significant performance gains that can be acheived with practical modifications to hypervisor and host systems. In this thesis, the network performance of containers and virtual machines are measured with standard network performance tools. The performance of these systems utilizing a standard 3.18.20 Linux kernel is compared to that of a realtime-tuned variant of the same kernel. This thesis motivates improving determinism in virtual systems with modifications to host and guest kernels and thoughtful process isolation. With the system modifications described, the median TCP bandwidth of KVM virtual machines over bridged network interfaces, is increased by 10.8% with a corresponding reduction in standard deviation of 87.6%. Docker containers see a 8.8% improvement in median bandwidth and 4.4% reduction in standard deviation of TCP measurements using similar bridged networking. System tuning also reduces the standard deviation of TCP request/response latency (TCP RR) over bridged interfaces by 86.8% for virtual machines and 97.9% for containers. Hardware devices assigned to virtual systems also see reductions in variance, although not as noteworthy. / Dissertation/Thesis / Masters Thesis Computer Science 2015

Computer science

container

determinism

latency

network

performance

virtual machine

Optimization of CPU Scheduling in Virtual Machine Environments

Venkatesh, Venkataramanan

January 2015

Data centres and other infrastructures in the field of information technology suffer from the major issue of ‘server sprawl’, a term used to depict the situation wherein a number of servers consume resources inefficiently, when compared to the business value of outcome obtained from them. Consolidation of servers, rather than dedicating whole servers to individual applications, optimizes the usage of hardware resources, and virtualization achieves this by allowing multiple servers to share a single hardware platform. Server virtualization is facilitated by the usage of hypervisors, among which Xen is widely preferred because of its dual virtualization modes, virtual machine migration support and scalability. This research work involves an analysis of the CPU scheduling algorithms incorporated into Xen, on the basis of the algorithm’s performance in different workload scenarios. In addition to performance evaluation, the results obtained lay emphasis on the importance of compute intensive or I/O intensive domain handling capacity of a hypervisor’s CPU scheduling algorithm in virtualized server environments. Based on this knowledge, the selection of CPU scheduler in a hypervisor can be aligned with the requirements of the hosted applications. A new credit-based VCPU scheduling scheme is proposed, in which the credits remaining for each VCPU after every accounting period plays a significant role in the scheduling decision. The proposed scheduling strategy allows those VCPUs of I/O intensive domains to supersede others, in order to favour the reduction of I/O bound domain response times and the subsequent bottleneck in the CPU run queue. Though a small percentage of context switch overhead is introduced, the results indicate substantial improvement of I/O handling and fairness in re-source allocation between the host and guest domains.

Virtualization

Cloud Computing

Hypervisor

Virtual machine monitors

Server consolidation

Scheduling