Requirements for Injectable Virtual Machines
Wes Brown | March 14th, 2008 | Filed Under: Development
Much of the last two or three years of my research time has been devoted to the concept of injectable virtual machines and using them in a penetration testing context. I’ve found that once created, they tend to be handy tools that solve other problems too outside of the original intended design goals, such as secure code deployment using lightweight portable virtual machines.
Requirements design can be an iterative process, and after working on several implementations of the injectable virtual machine, the following requirements were codified:
Compact. This is the biggest requirement: that the implementation be compact. How compact you need it to be depends entirely on what you want to do with it. But in general, the smaller the footprint, the more you can do with it. In the past, I’ve targeted 64K-128K of payload size, and considered that pretty good. But the smaller the implementor makes it, the more likely it is to be useful in more contexts such as first stage injection. This also extends to the libraries and bytecode that is generated for the virtual machine, as the virtual machine by itself is useless without logic to drive it. This is why I’m targeting a much smaller payload size in my next implementation, of a few kilobytes. Portability. This is another huge design goal that I think many people who operate in this space miss out on. The implementation of the virtual machine should be portable between platforms. Behaviors should be as similar as possible and abstracted out so as not to distract the programmer-user from the task at hand. A task such as opening a socket on a Windows machine should work on a Unix machine as well. When we have multiple implementations of a virtual machine, we run into the risk of different behaviors, defeating the entire purpose of a portable bytecode virtual machine. Dynamic. The virtual machine should be dynamic. We should be able to modify the behavior of the program and language while executing. By being self-modifying, the language and core functionality can start out very small, but be extended upon. Features that are not needed early in the process such as garbage collection can be added. Squeeze a payload in, and watch it expand, much like a ship in the bottle. Secure. Using the virtual machine for injection purposes should never introduce a state of insecurity to the target machine or network! While it is all but impossible to make a virtual machine immune to examination by a local user who controls the machine, the virtual machine should not be easily attackable from the outside or use a cleartext control channel. Elegance. This cannot be understated. While it is easy to write a functional and spartan language for the purpose, it is not going to be pleasant for the programmer. Programmers are happiest when they have a language that does not get in their way. If the language and virtual machine environment does not have this characteristic, then people are not going to use this tool. Elegant design also lends itself well to other desired traits such as dynamism and compactness.I will be taking a critical eye at the implementations that I have worked on in the past and contrasting it with these requirements, where they succeeded and where they failed. If you, my dear reader, feel that additional requirements should be applied, let me know!
Tags: Development, Requirements, Research
Nate
March 14th, 2008 6:19 pmContext, please. Perhaps an intro and links to your three years of research papers would help.
wbrown
March 14th, 2008 6:48 pmHere’s some context.
I first spoke at Defcon 13 about a Lua-based approach to this problem. This implementation was 120K, and was available under the BSD license. I will need to dig some to put up the source code for this up.
http://www.defcon.org/html/defcon-13/dc13-speakers.html
I then spoke at Defcon 14 and HitB 2006 about a Lisp-based approach to this.
http://www.defcon.org/html/defcon-14/dc-14-speakers.html#BrownW
Slides are available here:
http://conference.hitb.org/hitbsecconf2006kl/materials/DAY%202%20-%20Wes%20Brown%20-%20MOSREF.pdf
Video of the presentation is available here:
http://video.google.com/videoplay?docid=-468113072359282746&q=hitb+wes+brown&total=1&start=0&num=10&so=0&type=search&plindex=0
Source code is available here:
http://sourceforge.net/project/showfiles.php?group_id=141869
Scott Dunlop has since taken the virtual machine and taken it in another direction, WaspVM, which is more general purpose.
I am currently working on the next implementation, which will fulfill the requirements above better than the previous ones, and will write about it.
eris hacker
March 14th, 2008 7:48 pmThat’s nothing. I heard about this guy, Wes Brown, who came up with a kickass injection engine. It would probably own yourz.
Good luck, pal.
Ryan Russell
March 14th, 2008 8:00 pmAh, an agent.
John Waters
March 16th, 2008 3:13 amGood morning WB (It’s morning in Riyadh, anyway)!
Have you played around or considered Inferno as a foundation for an enjection engine? I think that some of the more novel characteristics of the “new new jersy” style of distributed computing (private name spaces, everything as a file, styx, etc.) might be advantageous, or at least interesting.
Johnny of Arabia
Ben S. Knowles
March 24th, 2008 8:22 amInferno, eh? Interesting…
Well it’s already been made into an IE plugin, is that vectorized enough to count? It may be a little big, but it’s quite featureful.
Ref: http://www.vitanuova.com/inferno/plugin/index.html
The Mozilla plugin has long been under development, including some GSoC work: http://code.google.com/p/inferno-plugin/
It’s morning here in Atlanta, which means I get to go home soon. Have a good week all !
Leave a reply