First, the out-of-host property is covered by deploying our system as a thin
client and not inside the VMs under protection. Second, all the remote access
protocols used in thin client environments provide a medium both for injection
and verification. Figure 1 depicts what we previously described: in the lower
right corner is the central server, on the left side the thin clients, and in the
top right corner our system. As our system only needs to communicate with
the central server, we can safely adjust its proximity to it, reducing the network
overhead imposed on intermediate links.
In our prototype implementation, we assumed that there is a Linux version of
the client part of the remote access protocol. For instance, in our evaluation
(Section 4.1) we used VNC [11], which is a standard remote access protocol.
Although this is not a requirement, it greatly improves scalability, because it
allows us to easily initiate many remote access sessions concurrently. Overall,
the implementation was similar to our original system, with the primary
exception being that we leveraged out-of-the-box tools, as opposed to
customizing. The main motivation behind that was to make our system as generic
as possible and thus easily portable to other remote access protocols. More
precisely, we used a vanilla version of GNU Xnee 2 for the injection of the
previously recorded believable user actions, both mouse and keyboard. These
actions were injected into a full screen view of the client side remote access
software, Xvnc here. For the verification, we used the ImageMagick software
suite 3. More specifically, we made use of the import utility in order to grab
arbitrary portions of the screen and the compare utility to count the absolute
number of different pixels. Finally, in order to enable the capability of
concurrently injecting into multiple virtual machines, and thus the scalability
of the system, we leveraged the Virtual Frame Buffer (part of the X server). By
doing this, we could simultaneously execute many full screen remote access
sessions, each in a distinct X server (using the xvfb-run utility).
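The round just described (replay with Xnee, grab with import, count differing pixels with compare, one X server per VM via xvfb-run), written out as an added POSIX shell example; this is not the paper's code. It assumes an Xnee recording session.xnr, an expected screenshot expected.png of the grabbed region, TigerVNC's -FullScreen flag, and the REGION and THRESHOLD values shown, which are assumed.

```shell
#!/bin/sh
# Added example (not the paper's code): one injection/verification round per
# VM with the tools the section names. Assumed inputs: session.xnr (an Xnee
# recording of believable user actions), expected.png (the screen region the
# actions should produce) and a VNC address per VM on the command line.
set -eu

REGION=200x100+0+0   # assumed screen portion to grab, WxH+X+Y
THRESHOLD=50         # assumed tolerance in differing pixels

# Count pixels that differ between two images. ImageMagick's compare prints
# the AE (absolute error) count on stderr and exits 1 when the images differ,
# so stderr is captured and the exit status ignored.
pixel_diff() {
  compare -metric AE "$1" "$2" null: 2>&1 >/dev/null | awk '{ print int($1) }'
}

# Verification decision: true when the count is within tolerance, i.e. the
# injected actions produced the expected screen.
verify() {
  [ "$1" -le "$2" ]
}

# One VM: full screen VNC viewer in its own X server (xvfb-run picks a free
# display), replay the recording with cnee, grab the region with import, then
# compare it with the expected image. -FullScreen is TigerVNC's flag (assumed).
one_round() {
  vm=$1
  out="grabbed-$(echo "$vm" | tr ':/' '__').png"
  xvfb-run -a -s "-screen 0 1024x768x24" sh -c "
    vncviewer -FullScreen '$vm' & sleep 5
    cnee --replay -f session.xnr
    import -window root -crop '$REGION' '$out'
  "
  diff=$(pixel_diff expected.png "$out")
  if verify "$diff" "$THRESHOLD"; then
    echo "$vm: verified ($diff px differ)"
  else
    echo "$vm: NOT verified ($diff px differ)"  # state drifted or replay failed
  fi
}

# Scalability: each VM gets its own X server, so rounds run concurrently.
if [ "$#" -gt 0 ]; then
  for t in xvfb-run vncviewer cnee import compare; do
    command -v "$t" >/dev/null || { echo "missing tool: $t" >&2; exit 2; }
  done
  for vm in "$@"; do one_round "$vm" & done
  wait
fi
```

Invoke it as `sh inject.sh vm1:1 vm2:1` (hypothetical VNC addresses); with no arguments it only defines the functions.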
4 Evaluation
Our evaluation is divided into three parts. Subsection 4.1 examines the
performance and scalability factors of our technique when applied to a thin
client environment. Next, we present the results of an exfiltration study we did
using a relatively large number of malware samples. Finally, we discuss some real
“hits” we had during the evaluation of our system.
4.1 Performance
In order to evaluate the performance and scalability of our system in a thin
client setup, we set up such an environment in our lab. Using that as a testbed,
we measured both the overhead and the limits of our system.
More precisely, we used three Dell PowerEdge R410 servers, each having 8
CPU cores, 24 GB of memory and 1 TB of storage. For the virtualization layer,
2 Website: http://www.gnu.org/software/xnee/
3 Website: http://www.imagemagick.org/