CSC 574 – Computer and Network Security Contest Stage 1 - ReportSecuring VM Images in Mirage Image FormatArun [email protected] report aims at solving the problem of signing Virtual Machine (VM) images that are stored in Mirage Image Format (MIF)[1]. Mirage aims at reducing VM image sprawl. It treats VM images as structured data, stored in a centrally managed repository. While storing VM images, MIF decouples the mapping of a file name and file content to a manifest that maps the file names to content descriptors and a store that holds contents. Because of this, the physical byte content of the checked in VM image and that of the same image checked out are not the same, even though they are essentially same images. So, signing a VM image during check in and verifying the signature during checkout does not help us in the aspects of security.A virtual machine image manifest or a image manifest is created for every image added to the Mirage. This image manifest holds the encoding formats, partition type and size, reference to file manifest and its checksum, reference to content manifest and its checksum. The file manifest internally contains the file checksum, which is used as the unique identifier in the shard store. Every image added to the Mirage is identified by its image id and the image manifest. The indexer library creates the manifest and returns a image id to every image published in to the Mirage. Method 1 : An Enhancement in the MIFThe solution proposed is to sign the image manifest, instead of signing the checked in VM image. This implies signing the entire file structure of the image, since the image manifest contains the conclusive checksum of all the files and its content, present in the image. This can be integrated in to the indexer. This process does not demand significant extra computation because the checksum of all the files are already computed. The indexer after generating the signature can store it along with the image ID in the image directory or return it to the publisher. To verify the signature, once the image is retrieved, it can be passed through the indexer to generate its image manifest and this can be hashed and verified against the original signature.Method 2 : Signing outside the MIF In this solution, the image file should be opened and the implicit mapping between each and every file and its content should be read. • The root file-system in the VM image should be mounted on a temporary directory and if needed further other file systems in the image should be mounted on the respective directory depending on the mount configuration of the image OS, like the 'fstab' file in Linux.• A content list should be generated, having the absolute path of the files/directories sorted on a specific order which is apt for the implementation. On a Ext3 based Linux system this can be done using the 'find' command run from the root directory. • After creating the list, the status of every entry in the list needs to be collected, like the owner, ACL permissions, type, size etc. This can be done using the 'stat' command, using the proper parameters.• Now a hash can be created for each file, file_hash=HASH(name||stat||content)name → fully qualified namestat → status entries for the filecontent → file content• Next step is to take the snap shot of the systems partition table and create a hash of that. This can be done using the 'fdisk' command after mounting or using “vmware-mount” script.• The next step is to read the MBR of the VM image. One easy way to do this is to peel off of the first 512 bytes of the boot partition of the VM image after mounting using the 'dd' command. The boot partition's information can be extracted from the configuration files in the root file system.• Now the systems BIOS setup needs to be read for computing the hash. This information can be retrieved from the “nvram” files, if VMware images are used.• One final step is to extract the hardware configuration of the Virtual Machine, this might be a optional step depending on the type of VM OS you are dealing with, you may want to look into the configuration files to confirm this. If you are dealing with VMware images this information can be got retrieved the “vmx” file.Now a complete hash can be created on the content, in the content list orderHash = HASH ( MBR data || file-system_geometry || BIOS || hardware_config || file_hash_1 || file_hash_2 || file_hash_3 ||...... )The order is implementation dependent. This above hash can now be be signed.During verification, after checkout the similar hash is computed again on the image file and the signature can be verified. This process is needs extensive computation than the first solution because the image file should be processed completely and the hashes should be computed on every file separately. In the first method the checksum computation is a integral process of the image manifest creation. This solution might also not work for all kind of file systems. It should work for the file systems supported by the MIF (Ext2 & Ext3).References : [1] Darrell Reimer, Arun Thomas, Glenn Ammons, Todd Mummert, Bowen Alpern, and Vasanth Bala. Opening Black Boxes: Using Semantic Information to Combat Virtual Machine Image Sprawl. in Proceedings of the 2008 ACM International Conference on Virtual Execution Environments (VEE