Microsoft Research’s Freta Project aims to find invisible malware running in the cloud.
Human beings are lazy and frugal. As soon as we can stop using a person to do something simple, we do it. People are in a much better position to do expensive and complex things. And so, more than 200 years after the start of the industrial revolution, we continue to automate the workplace.
The latest incarnation is the public cloud, which operates on a massive scale, far beyond that of our own data centers. This very scale is both a benefit and a risk: it gives access to vast amounts of computation and memory – but where there are resources, there are criminals who want to get something for nothing, hijacking your cloud infrastructure for their own purposes and leaving you with the invoice at the end of the month.
It’s a big deal, and it’s going to get bigger as our virtual infrastructures grow and scale automatically. We’ve gone from a world where servers were much-loved pets, carefully groomed and given individual names, to a world where we treat them like sheds full of chickens, where all that matters to us is what is delivered. This hands-off approach is appealing to attackers, who can drop rootkits into images and steal resources by running cryptocurrency miners, or sniff data for valuable snippets. With thousands of servers, who is going to look for the signs of a malware attack on one or two, or a dozen, or a hundred?
Attackers have invested in smarter malware that can bypass traditional security tools, hide beneath the operating system in memory, conceal telltale signatures, and even delete itself as soon as it detects security systems in action. There is a lot of value in the massive scale of the hyperscale cloud, and it is this value that attackers want to steal.
Scanning everything in the cloud
A Microsoft Research project, Project Freta, aims to change that by providing tools to identify malware running on virtual machines in the cloud. It takes an economic view of malware, which only pays off for bad actors as long as it goes undetected: once identified on one system, malicious code is no longer reusable, because its signature can be added to active scanning tools. But to succeed, we need to be able to scan thousands of machines at the push of a button.
The very industrial scale of the cloud means that traditional scanning techniques are too slow when searching for one or two compromised images in a growing fleet. It’s a reminder of that old Cold War adage: your attackers only need to be lucky once; you need to be lucky every time.
Security specialists at Microsoft Research have reflected on this issue, and Project Freta sums up much of that thinking in a cloud-centric proof of concept. Designed to scan memory for malware, it provides a portal where you can analyze memory snapshots from Linux and Windows virtual machines. Initially focused on virtual machine instances, it is intended to demonstrate techniques and tools that can be used to scan for malware on a large scale.
Under the hood of the Freta project
A key element of Project Freta’s thinking revolves around the concept of “survivorship bias”. We are used to assuming that devices showing no signs of malware are clean, rather than considering that they might be hosting undetected malware. Attackers want to exploit that perception, because we drop our guard once we are convinced that our tools are doing the necessary work for us. But there is a fundamental problem with the way we search for malware: much of what we use was designed for a pre-virtualization world, and recent research has shown that malware can detect when it is being monitored by hypervisor-based security tools running outside the virtual machine.
This led the Project Freta team to rethink security from the ground up, treating it as a green field. The team proposed four principles for developing detection tools that target modern malware. First: malware cannot detect a sensor before it is installed. Second: no malware can hide out of reach of the sensors. Third: no malware can modify itself before it is sampled. Fourth: no malware can modify a sensor to avoid detection and acquisition. The goal is a resilient security environment capable of quickly testing thousands of physical and virtual machines, making it impossible for stealthy malware to function.
Capture memory snapshots
Project Freta builds on these principles while accepting that the perfect is the enemy of the good and that compromises are necessary to achieve these goals. The first was the realization that the only way to meet the project’s goals was to capture the whole of memory in use, without executing any code in the captured memory space. The capture is then analyzed offline, using cloud resources for speed and for the ability to examine many captures in parallel, with the entire system built using memory-safe programming languages and techniques.
The cloud is needed here because it eliminates the need to wait hours or days for a scan to complete, reducing the overall risk to your systems. There is another reason why using the cloud is essential: modern memory protection techniques randomize memory layout, and copying memory in order to decode it quickly could alert malware that it is under attack. The analysis therefore requires significant computational resources to decipher and decode the memory using brute-force techniques. Microsoft has had some success here, initially working with Linux and quickly providing support for over 4,000 different kernel versions.
Using the experimental portal
Microsoft has now delivered a prototype portal that works with hypervisor memory snapshots, running on Azure. It has been tested with Hyper-V, but also works with VMware and with AVML and LiME memory snapshots. However, only Hyper-V is reliable at this point, as it can, as the Project Freta team put it, “provide a reasonable approximation of the element of surprise” that is needed.
Once a snapshot is uploaded to the portal, its contents are analyzed, letting you simply review what was happening in a virtual machine at that moment. You can see which processes are in memory, as well as current system calls, open sockets and Unix files. It’s an interesting tool that gives an idea of the kind of data Project Freta can extract from an image, flagging possible hidden malware for further analysis. Don’t expect it to be particularly user-friendly, as it’s the first public pass at this type of security tool, and the team has a lot more work to do.
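To make the offline-analysis idea concrete (the LiME snapshots the portal accepts, and the kernel-version identification that decoding a Linux snapshot depends on), here is an added example that is not Project Freta’s code: it walks the segments of a LiME-format dump and locates the kernel’s version banner. The header layout follows the public LiME format as assumed here, and the dump it parses is constructed inline, not a real capture.

```python
import re
import struct

# LiME header (public LiME format, as assumed here; this is not Project Freta code):
# u32 magic 0x4C694D45, u32 version (1), u64 inclusive start and end physical
# addresses, 8 reserved bytes; 32 bytes in total, followed by the segment's bytes.
LIME_MAGIC = 0x4C694D45
LIME_HEADER = struct.Struct("<IIQQ8s")

def parse_lime(dump: bytes):
    """Split a LiME dump into (start_addr, end_addr, payload) segments.
    Bad magic, unknown version or a truncated segment raise ValueError instead of
    being skipped, so a cut-short or tampered capture is not quietly half-read."""
    segments, offset = [], 0
    while offset + LIME_HEADER.size <= len(dump):
        magic, version, start, end, _ = LIME_HEADER.unpack_from(dump, offset)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad LiME magic at offset {offset:#x}")
        if version != 1:
            raise ValueError(f"unsupported LiME version {version}")
        size = end - start + 1  # end address is inclusive
        offset += LIME_HEADER.size
        payload = dump[offset:offset + size]
        if len(payload) != size:
            raise ValueError(f"segment at {start:#x} is truncated")
        segments.append((start, end, payload))
        offset += size
    return segments

# The kernel's version banner is one of the cheapest fingerprints for deciding
# which of the thousands of Linux kernel layouts a snapshot should be decoded with.
BANNER = re.compile(rb"Linux version (\d+\.\d+\.\d+[^\s\x00]*)")

def find_kernel_versions(segments):
    """Map every kernel version string found to the physical address of its banner."""
    found = {}
    for start, _end, payload in segments:
        for match in BANNER.finditer(payload):
            found.setdefault(match.group(1).decode(), start + match.start())
    return found

def build_sample_dump() -> bytes:
    """Constructed two-segment dump for the demonstration; not a real capture."""
    banner = b"Linux version 5.4.0-42-generic (buildd@lcy01) #46-Ubuntu\x00"
    parts = [(0x1000, b"\x00" * 64), (0x100000, b"\x00" * 16 + banner + b"\x00" * 16)]
    out = b""
    for start, data in parts:
        out += LIME_HEADER.pack(LIME_MAGIC, 1, start, start + len(data) - 1, b"\x00" * 8)
        out += data
    return out
```

A real AVML or LiME capture from a fleet of VMs would be fed to the same parser; the banner address then tells the analyst which kernel profile to apply before walking process and socket structures.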
It’s easy to imagine a future, more user-focused version of Project Freta that continuously samples all virtual machines running in Azure, giving you insight into compromised images while giving Microsoft the information it needs to harden its base images. At that scale, Microsoft will need to use AI techniques to analyze and fingerprint malware across thousands, if not millions, of images. It’s an intriguing vision of a future where the economics of cloud security have changed, making virtual machines cheap to harden and expensive to attack.