Reaching into virtual machines for forensic data
- By Susan Miller
- Aug 11, 2020
While the security of data and applications in the cloud are generally the responsibility of the tenant, it’s difficult for cybersecurity analysts to investigate data breaches in infrastructure-as-a-service platforms where cloud service providers own the hardware, and processing, storage and resources are distributed.
Researchers at Sandia National Laboratories realized cybersecurity analysts working with on-premises or off-premises IaaS clouds were unable to gather enough data or artifacts from active virtual machines (VMs) in cloud systems to conduct digital forensic investigations and incident response in real time without disturbing the user environment or alerting intruders.
To address this gap, they developed the Cloud Hypervisor-forensics and Incident Response Platform. CHIRP gives analysts a way to extract data from cloud infrastructure at the hypervisor level.
Hypervisors traditionally provide a limited set of application programming interfaces to help software or security analysts access forensic information from the VMs. “We thought those APIs were not enough,” Sandia cybersecurity researcher Caleb Loverro said in a video. “That's why we created CHIRP -- to essentially be able to provide our own APIs. Being given full access to the hardware, we would actually have the same permissions as the hypervisor itself.”
The technology uses what the researchers call “virtual machine introspection” that reaches into the VM to collect data on processor registers, memory, disks, networking and any other hardware-level events critical for reconstructing events, files and operations, the researchers wrote in a 2016 paper. The VMI allows them to “to take advantage of the hypervisor as an instrumentation platform and to integrate that data with more traditional collection mechanisms,” they wrote.
CHIRP’s in-depth, scalable VMI allows fast handling of events, as well as direct access to VM in a safe, stable fashion, Sandia officials said in their description of the technology. Analysts can spot suspicious activities, track and record attacker actions for forensic analysis and retrieve materials transparently from the targeted machines automatically or on-demand.
The goal of the program was to create a common information platform that collected data from all operating systems, all hypervisors, memory, disks and networks and normalize the information so security analysts could have real-time situational awareness, CHIRP Principal Investigator Vincent Urias said.
Those capabilities do not exist in the commercial space, fellow cybersecurity researcher William Stout said. “What makes this technology super novel and super exciting for us as defenders -- and for us as researchers who provide tools for defenders -- is [attackers] can no longer hide. We can see everything that they're doing, and we can pull out that information feed it to people to take action now,” he said.
“I think the ultimate goal for a lot of this -- regardless of where you sit in government industry or academia – is to empower the analyst today,” Urias said. “They’re hamstringed, and we need to give them the power to take back the ability for them to do forensics and incident response when moving to the cloud.”
Susan Miller is executive editor at GCN.
Over a career spent in tech media, Miller has worked in editorial, print production and online, starting on the copy desk at IDG’s ComputerWorld, moving to print production for Federal Computer Week and later helping launch websites and email newsletter delivery for FCW. After a turn at Virginia’s Center for Innovative Technology, where she worked to promote technology-based economic development, she rejoined what was to become 1105 Media in 2004, eventually managing content and production for all the company's government-focused websites. Miller shifted back to editorial in 2012, when she began working with GCN.
Miller has a BA and MA from West Chester University and did Ph.D. work in English at the University of Delaware.
Connect with Susan at [email protected] or @sjaymiller.