Microsoft Research has developed a system called Project Freta to scan thousands of virtual cloud machines for malware. It has launched the project as a prototype for public use.
Virtual machines (VMs) are software versions of computers that run in a cloud environment. They replicate an entire PC running an operating system like Linux or Windows, and many of them can run on a single piece of hardware at the same time. This has led to cloud environments with thousands of VMs running concurrently. That creates a challenge for systems administrators who want to ensure that none of the VMs are running malware.
Cloud management tools have tackled this by scanning the virtual machines for malware, but this involves running supporting software on each VM. That is time-consuming, and it can also alert malware running on the system that something is looking for it. In some cases, it could cause the malware to realize that it is running in a VM and terminate itself, escaping detection.
Microsoft Research developed Project Freta to completely separate what it calls the security plane from the computing plane, scanning large numbers of VMs while remaining invisible to malware. To do that, it needed a scanning mechanism that left the VM’s memory completely untouched.
Project Freta scans the VM’s memory without running anything in it. It then works out what system objects the VM holds based on a live in-memory snapshot of the Linux system, looking for processes, in-memory files, kernel modules and networks, among other things.
The system can detect rootkits and other advanced malware, the company said in a blog post announcing the project.
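As an added illustration (not Project Freta's code), the following Python walks a constructed toy memory snapshot the way an out-of-guest scanner would: nothing runs inside the "VM", the image is just bytes. It enumerates the process list from a known head address and cross-checks it against a second kernel view (a PID table) to flag a process a rootkit has unlinked. The record layout, addresses and sample processes are assumptions built for this example, not the real Linux kernel's.

```python
import struct

# Constructed toy record layout (an assumption, not the real task_struct):
# u32 next_addr | u32 pid | 16-byte NUL-padded command name  (24 bytes)
REC_FMT = "<II16s"
REC_SIZE = struct.calcsize(REC_FMT)

def build_image():
    """Build a constructed 'memory snapshot': three tasks linked in a circular
    list, plus a fourth that a DKOM-style rootkit unlinked from the list but
    which still appears in the kernel's PID table."""
    tasks = [(0, b"swapper"), (1, b"systemd"), (742, b"sshd"), (9001, b"evil")]
    base, pid_table = 0x100, 0x300          # constructed addresses
    image = bytearray(0x400)
    addrs = [base + i * REC_SIZE for i in range(len(tasks))]
    visible = [0, 1, 2]                     # index 3 ("evil") is hidden
    for i, (pid, comm) in enumerate(tasks):
        if i in visible:
            nxt = addrs[visible[(visible.index(i) + 1) % len(visible)]]
        else:
            nxt = addrs[i]                  # unlinked: points at itself
        struct.pack_into(REC_FMT, image, addrs[i], nxt, pid, comm)
    for j, (pid, _) in enumerate(tasks):    # second view: pid -> task address
        struct.pack_into("<II", image, pid_table + j * 8, pid, addrs[j])
    return bytes(image), base, pid_table, len(tasks)

def walk_task_list(image, head, limit=1024):
    """Follow next pointers from the list head; stop on a cycle or a bound so
    a corrupted or malicious list cannot loop the scanner forever."""
    seen, out, addr = set(), [], head
    while addr not in seen and len(out) < limit:
        seen.add(addr)
        nxt, pid, comm = struct.unpack_from(REC_FMT, image, addr)
        out.append((pid, comm.rstrip(b"\0").decode()))
        addr = nxt
    return out

def read_pid_table(image, table, count):
    """Parse the constructed (pid, address) table as an independent view."""
    return {pid: addr for pid, addr in
            struct.iter_unpack("<II", image[table:table + count * 8])}

def find_hidden_processes(image, head, table, count):
    """Cross-view check: PIDs present in the table but absent from the list."""
    listed = {pid for pid, _ in walk_task_list(image, head)}
    return sorted(p for p in read_pid_table(image, table, count) if p not in listed)

if __name__ == "__main__":
    img, head, table, n = build_image()
    print(walk_task_list(img, head))            # the view a rootkit wants seen
    print(find_hidden_processes(img, head, table, n))   # [9001]
```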
The research team developed the software in Rust, which is a programming language with memory safety properties built in.
The system processes large numbers of VMs in short order, and is equipped to fingerprint operating systems from the memory image. It started by scanning for Linux, because there are so many different kernels available for that operating system. “With Linux behind us, Windows support is on our roadmap,” the company said.
Admins can already test it out by linking their Azure accounts to the project’s portal, although Microsoft is holding back extra functionality that enables it to copy memory from live VMs to an offline analysis environment. This should enable it to scale to more than 10,000 VMs at a time, it said.