Florian Pester

Securing the Past: How Virtual Machine Introspection Protects Legacy IT Systems

Struggling with outdated IT systems and cybersecurity concerns? Discover how Cyberus is pioneering the use of Virtual Machine Introspection to secure legacy infrastructure.


When we think of modern IT infrastructure, IT security is one of the main (and first) considerations. The current threat landscape, constant threats from ransomware attacks and Advanced Persistent Threats (APTs), as well as regulatory environments — with upcoming regulations such as NIS-2 and the Cyber Resilience Act (CRA) — force operators to apply reasonable risk management and cyber security mechanisms.

This poses a problem for legacy infrastructure that was designed just 10 years ago. While it is often possible to obtain long-term support for operating systems, it is much more difficult to run security software on these systems. As infrastructure ages, this problem only gets worse.

Obtaining malware signatures that are compatible with Windows 7 or Windows Server 2012 is close to impossible. However, these systems are often in use controlling real-world machinery, such as rail infrastructure and even medical devices, and their lifetime is often planned for another couple of decades.

A research question we at Cyberus focus on is therefore: How can we use virtualization technology — specifically Virtual Machine Introspection — to ensure security for legacy systems?

What is Virtual Machine Introspection?

When we run a legacy system in a virtual machine, we typically want to isolate it from the host system. However, the host still manages all resources for the virtual machine, such as hardware access, memory and CPU state. Therefore the host has access to all of the virtual machine’s resources and can inspect them. It is a bit like looking into the Matrix. This process is called Virtual Machine Introspection, or VMI. However, there is a challenge with VMI.

The host has access to the virtual machine’s resources, but that access is at the lowest level: raw 1s and 0s. Because the host lacks semantic information about what those bytes mean, this is often called the “Semantic Gap”. In order to make sense of that information — to bridge this semantic gap — we need context about the system running in the virtual machine: What operating system is running, and how does this system lay out its control and data structures?

The good news is that for legacy systems this information is often known, and since those systems no longer change, applying it is a one-time effort. In past projects we have used VMI to inspect, control or lock down Windows 7 and Windows 10 installations, but in principle it can be used on any Windows or Linux system.

Integrating Legacy Systems and IT Infrastructure

Once we have semantic information in the host, we can check that the virtual machine’s state matches what we expect. Good sources for such checks are the list of running processes in the VM, or system events such as those from Windows’ internal event tracing framework, also called ETW.

This information can be forwarded from the modern and secure host to a central Information Security Management System (ISMS), enabling asset management and risk assessment for legacy systems.

We can also implement control steps that take immediate action if something goes wrong, e.g. if the system detects running malware or even an unknown process. This behaviour can be managed by the ISMS or by the host on its own, depending on the usage scenario.

A simple action would be to reset the virtual machine to a known good state. We can also make sure that only known good processes are allowed to run in the VM, or guard against unsafe hardware access.
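The semantic-gap bridging described under "What is Virtual Machine Introspection?" and the process allowlisting and reset action described just above, as an added example that is not Cyberus’ code nor that of any real VMI tool: a Python walker over a constructed guest memory image. The guest is assumed to keep its processes in a circular doubly linked list of fixed-layout structs (modelled loosely on how Windows links process objects); the offsets in PROFILE, the helper names and the sample image are all constructed for this example. A real deployment obtains the layout from OS symbol information and reads guest memory through a hypervisor interface (for instance LibVMI) instead of a byte string.

```python
"""Toy VMI process walker over a constructed guest memory image (example only)."""
import struct
from dataclasses import dataclass

# Constructed "profile" of the guest's process structure. Real VMI tooling derives
# these offsets from the OS's debug symbols; these values are assumptions.
PROFILE = {
    "flink_offset": 0x00,   # forward link to the next process struct
    "blink_offset": 0x08,   # backward link to the previous process struct
    "pid_offset": 0x10,
    "name_offset": 0x18,
    "name_len": 16,
    "struct_size": 0x28,
}


@dataclass(frozen=True)
class Process:
    addr: int
    pid: int
    name: str


def _read_u64(image: bytes, addr: int) -> int:
    """Read a little-endian 64-bit value; refuse pointers outside guest memory."""
    if addr < 0 or addr + 8 > len(image):
        raise ValueError(f"read outside guest memory: {addr:#x}")
    return struct.unpack_from("<Q", image, addr)[0]


def build_guest_image(procs, head_addr=0x1000, size=0x4000, profile=PROFILE):
    """Construct a fake guest image whose list head at head_addr links the given
    (pid, name) processes in a ring. Returns (image_bytes, head_addr)."""
    image = bytearray(size)
    ss = profile["struct_size"]
    addrs = [head_addr + ss * (i + 1) for i in range(len(procs))]
    ring = [head_addr] + addrs
    for i, addr in enumerate(ring):
        struct.pack_into("<Q", image, addr + profile["flink_offset"], ring[(i + 1) % len(ring)])
        struct.pack_into("<Q", image, addr + profile["blink_offset"], ring[(i - 1) % len(ring)])
    for addr, (pid, name) in zip(addrs, procs):
        struct.pack_into("<Q", image, addr + profile["pid_offset"], pid)
        raw = name.encode("ascii")[: profile["name_len"]].ljust(profile["name_len"], b"\0")
        off = addr + profile["name_offset"]
        image[off: off + profile["name_len"]] = raw
    return bytes(image), head_addr


def walk_process_list(image, head_addr, profile=PROFILE, max_entries=4096):
    """Bridge the semantic gap: turn raw bytes into Process records by following
    the guest's own list pointers. Bounded, and checks that each node's successor
    links back to it, so a damaged list raises instead of looping forever."""
    procs, seen = [], {head_addr}
    cur = _read_u64(image, head_addr + profile["flink_offset"])
    while cur != head_addr:
        if cur in seen or len(procs) >= max_entries:
            raise ValueError(f"process list cycle or overflow at {cur:#x}")
        seen.add(cur)
        nxt = _read_u64(image, cur + profile["flink_offset"])
        if _read_u64(image, nxt + profile["blink_offset"]) != cur:
            raise ValueError(f"process list corruption at {cur:#x}")
        pid = _read_u64(image, cur + profile["pid_offset"])
        off = cur + profile["name_offset"]
        raw = image[off: off + profile["name_len"]].split(b"\0", 1)[0]
        procs.append(Process(cur, pid, raw.decode("ascii", "replace")))
        cur = nxt
    return procs


def find_unexpected(procs, allowlist):
    """Processes whose name is not on the known-good list."""
    return [p for p in procs if p.name not in allowlist]


def decide_action(image, head_addr, allowlist, profile=PROFILE):
    """Host-side policy: 'ok', 'reset' (unknown process seen) or
    'reset-corrupt' (the guest's process list could not be read sanely)."""
    try:
        procs = walk_process_list(image, head_addr, profile)
    except ValueError:
        return "reset-corrupt"
    return "reset" if find_unexpected(procs, allowlist) else "ok"


if __name__ == "__main__":
    allow = {"System", "svchost.exe", "hmi.exe"}
    image, head = build_guest_image([(4, "System"), (312, "svchost.exe"), (900, "unknown.exe")])
    for p in walk_process_list(image, head):
        print(f"{p.addr:#x} pid={p.pid} {p.name}")
    print("action:", decide_action(image, head, allow))
```

The walk refuses pointers outside the image and verifies the back-link of every successor, which is the kind of consistency check a host should apply before trusting structures that live inside the guest it is monitoring; a guest whose process list no longer walks cleanly is treated the same way as one running an unknown process, by reverting it to the known-good snapshot.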

What’s next?

We are currently engaged in a research project, developing a demonstrator for this technology. As a follow-up we plan to integrate this technology into KronoCore. We are currently looking for partners to help shape the focus and answer questions such as:

  • Which operating systems to target?
  • What other infrastructure to integrate with?
  • How useful is a stand-alone version?

Are you operating legacy software systems and are concerned about cybersecurity? Get in touch today to help shape a secure future for legacy systems!
