[qubes-users] Re: Deep VM Threat Detection?

2017-09-30 Thread 389170470147014241748914780
Hello,

Is there some chance to monitor a malicious VM without risking the dom0 
integrity?

How can I use one VM to monitor another VM?

Kind Regards

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/32a909b3-a2d2-483e-8368-d297ab52cbf8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: Deep VM Threat Detection?

2017-08-31 Thread pixel fairy
On Thursday, August 31, 2017 at 1:03:31 PM UTC-7, pixel fairy wrote:

> Should also stress that the code you pass through would go through dom0, so 
> be very careful with it!

I meant memory, not code.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2c8945b7-a2f5-4b64-bb09-dca08231b9df%40googlegroups.com.


[qubes-users] Re: Deep VM Threat Detection?

2017-08-31 Thread pixel fairy
On Thursday, August 31, 2017 at 1:00:27 PM UTC-7, pixel fairy wrote:
> You can do it now if you'd like: 
> https://wiki.xenproject.org/wiki/Virtual_Machine_Introspection
> 
> Here's an example for Windows guests: https://drakvuf.com/
> 
> It was discussed on the developers list, but this is high-risk code that the 
> developers would need to audit. 
> 
> If you do this, I would recommend passing memory to an analysis VM which only 
> has permission to alert you to a problem. This would result in a delay and a 
> performance hit, so not the same effect, but safer against any attack crafted 
> against this mechanism taking over your machine. I also hope you're very 
> good at writing fast, tight parsers. Go is supposed to be fast and type-safe; 
> maybe it would be a good choice here.
> 
> On a lighter scale, you can also use Firejail within the VM, blacklist some 
> stuff, and set a watch on its logfile to alert you. Red Hat-based AppVMs can 
> also do this with SELinux. Won't catch anything sophisticated enough to 
> privilege-escalate and stop the alert from happening, but also no danger to 
> dom0. 
> 
> I'm glad VMware did this; for a long time, they only had a tool to dump memory 
> snapshots (at least for Fusion). Not a real-time running filter like this, 
> but still fun.

Should also stress that the code you pass through would go through dom0, so be 
very careful with it!

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d92ac122-4179-4847-a938-b805b62fa1a7%40googlegroups.com.


[qubes-users] Re: Deep VM Threat Detection?

2017-08-31 Thread pixel fairy
You can do it now if you'd like: 
https://wiki.xenproject.org/wiki/Virtual_Machine_Introspection

Here's an example for Windows guests: https://drakvuf.com/

It was discussed on the developers list, but this is high-risk code that the 
developers would need to audit. 

If you do this, I would recommend passing memory to an analysis VM which only 
has permission to alert you to a problem. This would result in a delay and a 
performance hit, so not the same effect, but safer against any attack crafted 
against this mechanism taking over your machine. I also hope you're very 
good at writing fast, tight parsers. Go is supposed to be fast and type-safe; 
maybe it would be a good choice here.

On a lighter scale, you can also use Firejail within the VM, blacklist some 
stuff, and set a watch on its logfile to alert you. Red Hat-based AppVMs can 
also do this with SELinux. Won't catch anything sophisticated enough to 
privilege-escalate and stop the alert from happening, but also no danger to 
dom0. 

I'm glad VMware did this; for a long time, they only had a tool to dump memory 
snapshots (at least for Fusion). Not a real-time running filter like this, but 
still fun. 

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/25a5d88b-acbc-4733-b864-9f1f0645b6c3%40googlegroups.com.
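An added example of the "lighter scale" approach from the post above (watch Firejail's log inside the AppVM and alert on blacklist violations); it is not code from the thread or from the Firejail or Qubes projects. It assumes Firejail was started with `--tracelog`, which sends blacklist violations to syslog, and that the violation lines look like the constructed samples below; check the real wording in your AppVM's journal before relying on the regex. Everything in `SAMPLE_LOG` is made up for the example.

```python
"""Watch a Firejail tracelog for blacklist violations and turn them into alerts.

Added example for the qubes-users thread, not project code. Assumes Firejail was
run with --tracelog and that violations are logged in the form shown in
SAMPLE_LOG (an assumption; confirm against /var/log/syslog or journalctl).
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Constructed sample syslog lines, not captured from a real system.
SAMPLE_LOG = """\
Aug 31 13:00:01 appvm firejail[4312]: Parent pid 4311, child pid 4312
Aug 31 13:00:05 appvm firejail[4312]: blacklist violation - sandbox 4312, exe curl, syscall open, path /etc/shadow
Aug 31 13:00:06 appvm kernel: [ 1234.5678] audit: type=1400 apparmor="DENIED"
Aug 31 13:00:07 appvm firejail[4312]: blacklist violation - sandbox 4312, exe curl, syscall open, path /etc/shadow
Aug 31 13:00:09 appvm firejail[4312]: blacklist violation - sandbox 4312, exe bash, syscall execve, path /usr/bin/sudo
Aug 31 13:00:11 appvm firejail[4400]: Parent pid 4399, child pid 4400
"""

# Assumed line format for a --tracelog violation (verify on your own system).
VIOLATION_RE = re.compile(
    r"firejail\[\d+\]: blacklist violation - sandbox (?P<sandbox>\d+), "
    r"exe (?P<exe>[^,]+), syscall (?P<syscall>\w+), path (?P<path>\S+)"
)


@dataclass(frozen=True)
class Violation:
    sandbox: int
    exe: str
    syscall: str
    path: str


def parse_violation(line: str) -> Optional[Violation]:
    """Return a Violation for a Firejail blacklist-violation line, else None."""
    m = VIOLATION_RE.search(line)
    if m is None:
        return None
    return Violation(int(m["sandbox"]), m["exe"], m["syscall"], m["path"])


def scan_lines(lines: Iterable[str]) -> List[Violation]:
    """Extract every blacklist violation from an iterable of log lines,
    ignoring unrelated syslog noise (kernel, audit, Firejail startup lines)."""
    found = []
    for line in lines:
        v = parse_violation(line)
        if v is not None:
            found.append(v)
    return found


def alerts_for(lines: Iterable[str], seen: Optional[Set[Tuple[int, str]]] = None) -> List[str]:
    """Turn violations into alert strings, one per (sandbox, path) pair so a
    loop hammering one blacklisted file does not flood the alert channel.
    `seen` carries the de-duplication state across repeated calls."""
    if seen is None:
        seen = set()
    alerts = []
    for v in scan_lines(lines):
        key = (v.sandbox, v.path)
        if key in seen:
            continue
        seen.add(key)
        alerts.append(f"sandbox {v.sandbox}: {v.exe} tried {v.syscall} on blacklisted {v.path}")
    return alerts


def follow(path: str, offset: int = 0) -> Tuple[List[str], int]:
    """Read the lines appended to `path` since byte `offset`.
    Returns (new_lines, new_offset); call it from a sleep loop for tail -f
    behaviour, feeding new_lines to alerts_for() with a shared `seen` set."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        fh.seek(offset)
        data = fh.read()
        new_offset = fh.tell()
    return data.splitlines(), new_offset


if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_LOG.splitlines()):
        print("ALERT", alert)
```

The watcher lives inside the sandboxed AppVM, so, as the post says, anything that escalates to root there can stop the log or the watcher before the alert fires; the point is only that a compromise of this VM does not expose dom0. The alert itself would be carried out of the VM by whatever channel you already trust (for example a qrexec call to a notification VM), which this example leaves to you.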