11. Análise de botnet utilizando plataforma de simulação com máquinas virtuais visando detecção e contenção / Analysis of botnet using simulation platform with virtual machines for detection and containment. Muzzi, Fernando Augusto Garcia. 09 December 2010.

Computer networks and the Internet are increasingly complex environments, and new services, users and infrastructures appear every day. The security and privacy of information become fundamental to the evolution of these environments. Anonymity, weak security and other factors often encourage malicious individuals to create tools and techniques for attacking computer systems, resulting in losses of various kinds. The Internet has grown considerably in recent years, and along with this growth new threats have emerged, such as botnets. A botnet is a network of bots (robots) that leave the victim's computer infected and monitored or controlled by an external agent. The great problem with botnets is that they can be used by malicious groups to launch attacks with harmful effects on people, entities, organizations and nations. However, despite the large number of studies carried out by the security community in recent years, further study of behavior, propagation and containment is needed, not least because of the wide variation in infection and propagation methods in this kind of attack. In this context, this thesis analyzes the behavior of the Rxbot botnet and implements security services, such as an IDS and packet filter rules, to analyze and contain the propagation of botnets. The analysis uses a simulation platform built from virtual machines that provide a Windows operating system environment. The main contributions are the detection and containment of botnet propagation using various security services, and the analysis of the propagation of SMTP packets, by means of the simulation platform.

13. Building a Secure Network Test Environment Using Virtual Machines. Lee, Byungjin. 01 June 2019.

The objective of this project is to provide an overview of how to create a secure network test environment using virtual machines with Red Hat CentOS 7. Using virtual machines to create a secure network test environment simplifies the workflow of testing several servers, including network segmentation, network path redundancy, and traffic control using a firewall. This study suggests a set of guidelines for building a secure network test environment that includes a Domain Name Server (DNS), Web Server, File Transfer Protocol (FTP) Server, and a firewall. The documentation provided in this project is primarily useful for IT students looking to recreate a similar environment of their own and to practice special skills needed within their field of study.

14. A Virtual Machine for a Type-omega Denotational Proof Language. Arvizo, Teodoro, III. 01 June 2002.

In this thesis, I designed and implemented a virtual machine (VM) for a monomorphic variant of Athena, a type-omega denotational proof language (DPL). This machine attempts to maintain the minimum state required to evaluate Athena phrases. This thesis also includes the design and implementation of a compiler for monomorphic Athena that compiles to the VM. Finally, it includes details on my implementation of a read-eval-print loop that glues together the VM core and the compiler to provide a full, user-accessible interface to monomorphic Athena. The Athena VM provides the same basis for DPLs that the SECD machine does for pure, functional programming and the Warren Abstract Machine does for Prolog.

15. Système dynamique d'inclusion partielle des méthodes dans l'interpréteur de la machine virtuelle Java SableVM / A dynamic system for partial inlining of methods in the interpreter of the SableVM Java virtual machine. Vézina, Sébastien. January 2008.

Compiling source code to bytecode, combined with the use of a virtual machine or an interpreter to execute it, has become a common practice that preserves independence from the hardware platform. Interpreters are portable and offer a simplicity of development that makes them an attractive choice for prototyping new programming languages. Optimizing existing interpretation techniques is a research topic of particular interest to us. Through our research project, we wanted to study how far optimization can be pushed in an interpreter. After studying the existing kinds of interpreters, we found that the best-performing interpreters are all based on the same principle: reducing the cost of dispatches between interpreted instructions. This cost is caused by the dispatch instructions themselves, but above all by the higher misprediction rate they cause in the branch predictors found in modern processors. Branch mispredictions are expensive on a pipelined architecture. The inline-threaded interpreter is one of the best-performing in existence. Building on this interpreter, we designed and implemented a mechanism that lets it increase the length of its super-instructions and thereby reduce the number of dispatches during execution. We developed a dynamic mechanism for partial inlining of methods in this interpreter. We also designed a profiling system that lets us detect hot invocation sites and inline there the most frequently executed path of the called method. By thus breaking the boundary between method bodies, we manage to increase the average length of super-instructions. We overcame and resolved all the difficulties inherent in implementing such a system in a real Java virtual machine (synchronization, exceptions, the presence of a garbage collector, the presence of subroutines in Java bytecode). We provide an empirical study of the impact of our system on an inline-threaded interpreter by running large Java applications. In every case studied, we increase the average length of the super-instructions invoked and reduce the number of dispatches during execution.

Author keywords: Interpreter, Inlining, Partial inlining, Profiling, Virtual machine, Java, JVM, SableVM.

16. Interface de débogage de la machine virtuelle Java / A debugging interface for the Java virtual machine. Ahmouda, Nizar. January 2006.

Debugging occupies a growing place in the software development cycle. Research in this area seeks to create tools that give faster access to faults, whatever programming language is used. Given the independence of Java code from the platform on which it runs, the Java virtual machine must provide a set of mechanisms that let debugging tools access information about the execution of the application being debugged. Although the great majority of commercial virtual machines have debugging support mechanisms, no free virtual machine offered such functionality when our work was completed.

The main motivation behind this thesis was to shed light on the different steps involved in setting up an entirely free Java debugging architecture. We describe the choice of architecture and the criteria that led us to that choice. We also detail the entities involved in this architecture, their nature and their role. Finally, we offer a constructive critique of the standards governing this area, suggesting some possible improvements. As part of our work, we implemented the Java debugging interface (Java Virtual Machine Debug Interface, JVMDI) in SableVM, a free, standards-compliant Java virtual machine. We also developed an independent module that establishes the connection between the Java virtual machine and the debugger. This module also manages the objects handled during a debugging session, as well as the events generated by the virtual machine. Finally, we connected the elements designed or modified in the course of our study to other pre-existing elements (Eclipse, a freely available Java debugger). The results obtained during testing confirmed the various choices made during development. The use of debuggers entirely independent of the virtual machine in use, such as Eclipse, and the good behaviour of the debugging sessions carried out validated the conformance of our work to the standards in force.

Author keywords: Virtual machine, Java, SableVM, Debugging, Debugging interface, Debugging architecture, JDWP, JVMDI, JPDA, JVMTI, JRE.

17. Preuve de validité du vérificateur de code octet Java / Proof of validity of the Java bytecode verifier. Lazaar, Jamal. January 2008.

The use of the Java language in many environments (web, embedded systems, mobile systems, etc.) has considerably raised the level of demands placed on this language, which has led researchers and developers to take an interest in the security system of the Java Virtual Machine (JVM), which rests mainly on the bytecode verifier. In this thesis we explain how the Java verifier works, its role, the various techniques proposed for its implementation, and an algorithm that we propose as a serious alternative to the other existing verifiers. We are particularly interested in the effect of subroutines on the correct typing of instructions. We also present a new approach to verifying synchronization, based on data-flow analysis and on identifying references that point to the same object.

Author keywords: Java Virtual Machine, Bytecode, Verifier, Synchronization, Java, ClassLoader, Instructions, Lattices, Data-flow analysis, Transfer functions, Fixed point.

18. Towards Self-Healing Systems: Re-establishing Trust in Compromised Systems. Grizzard, Julian B. 10 April 2006.

Computer systems are subject to a range of attacks that can compromise their intended operations. Conventional wisdom states that once a system has been compromised, the only way to recover is to format and reinstall. In this work, we present methods to automatically recover or self-heal from a compromise. We term the system an intrusion recovery system. The design consists of a layered architecture in which the production system and intrusion recovery system run in separate isolated virtual machines. The intrusion recovery system monitors the integrity of the production system and repairs state if a compromise is detected. A method is introduced to track the dynamic control flow graph of the production system guest kernel. A prototype of the system was built and tested against a suite of rootkit attacks. The system was able to recover from all attacks at a cost of about a 30% performance penalty.

19. Concise Analysis of Malware Behavior. Tsai, Hung-Shiuan. 10 January 2012.

In recent years, with the popularity of the Internet, the network not only provides information for general users to browse the contents of websites, but also carries network services such as e-mail, e-commerce and social networks. Although these online services are convenient for general users, they also give potential hackers the possibility of abusing them to spread malware across the Internet.

As the number of malware samples is increasing very fast, in order to better understand malware behavior, in this research we create a malware analysis environment that records the behavior of malware samples after they are executed and aggregates the original records into a summary analysis of that behavior for users. The summary lists the important, malware-related behavior; if users need more detailed content, they can click through to view it.

The research uses existing analysis tools and memory forensics technology for the analysis. Memory forensics can identify some malware that attempts to hide its behavior in order to avoid detection. In addition to recording the behavior of malware, the research integrates and simplifies the original, complex log file. The final step of the analysis generates a summary report that lists the malware's main behavior, so that users can grasp the extent and scope of the malware's impact and, if necessary, see a more complete record. We look forward to controlling the behavior of malware more easily and efficiently.

20. Structuring extensions in system infrastructure software using aspects. Baldwin, Jennifer Ellen. 28 September 2006.

Many significant system extensions are hard to modularize. Consequently, their addition to a software system can jeopardize fundamental software engineering principles such as maintainability, understandability and evolvability. For example, the distributed Java Virtual Machine (dJVM) is a cluster-aware implementation of a JVM in which distribution was retroactively added as an extension to an existing system. The prototype implementation of the dJVM relies on a patch file applied to IBM's Jikes Research Virtual Machine (RVM), introducing distribution code into roughly 55% of the original 1166 Java files.

In order to better determine the efficacy of modern modularization techniques such as aspect-oriented programming (AOP) in the context of system extensions, we offer a case study based on distribution. The thesis of this work is that aspects can enhance the extensibility of low-level system infrastructure software and be effectively integrated with existing software practices for introducing widespread change.
