The new Microsoft Research project hopes to automate virtual-machine forensics in the cloud.
Microsoft has unveiled Project Freta, a potential future virtual-machine (VM) forensics service that will allow anyone to automatically ferret out malicious software hiding in memory on cloud infrastructure.
But unlike Microsoft’s commercial security services and innovations for Microsoft Defender Advanced Threat Protection (ATP), Project Freta comes from Microsoft Research and for now is classified as a ‘technology demonstration’.
“Project Freta intends to automate and democratize VM forensics to a point where every user and every enterprise can sweep volatile memory for unknown malware with the push of a button – no setup required,” says Mike Walker, a senior director at Microsoft Research’s New, or NExT, Security Ventures team.
Freta for now is a free, cloud-based service that provides “automated full-system volatile memory inspection of Linux systems” by way of VM snapshots. It involves capturing a memory snapshot of the Hyper-V Linux guest OS. However, the Freta portal can also ingest VMware snapshots too.
Users would log into the Project Freta portal and then submit images of the Linux OSs being used in a specific Azure region. The idea is that users can get a memory dump from a VM where the host stealthily takes a memory dump from a guest without modifying its RAM or file contents.
Project Freta’s goals seem lofty but perhaps not out of reach. Could Microsoft really guarantee that Azure will catch all malware, such as rootkits hiding in volatile memory on hardware in Azure? Walker hopes so and believes achieving this would make it too expensive for malware makers to produce rootkits and other in-memory malware for the cloud.
He notes that in the cloud, the hypervisor is the key barrier an attacker must break through to know whether they’ve been caught by a security sensor. Should the attacker pierce that barrier, as forensic researchers demonstrated was possible in 2018, the attacker could, for example, self-destruct to evade discovery.
The project appears to be consistent with the goals of recent innovations in Microsoft Defender ATP targeting kernel rootkits and fileless malware on Windows 10 PCs and servers, but with a focus on forensics in the cloud.
As Walker notes, Project Freta aims to offer what no public cloud currently provides. “While snapshot-based memory forensics is a field now in its second decade, no commercial cloud has yet provided customers the ability to perform full memory audits of thousands of virtual machines (VMs) without intrusive capture mechanisms and a priori forensic readiness.”
The project’s analysis portal can currently automatically fingerprint and audit a memory snapshot of “most cloud-based VMs”, with over 4,000 kernel versions supported. If all goes well during the prototype, Project Freta could spell trouble for forensic consulting shops whose tasks would be automated.
Project Freta produces a report via the portal as well as its REST and Python application programming interfaces.
Project Freta currently consists of an analysis engine that consumes “snapshots of whole-system Linux volatile memory and extracts an enumeration of system objects”, and a sensor built for Azure that lets users move a live VM’s virtual memory to an offline environment for analysis without disrupting execution.
“Completed in the winter of 2019, this sensor capability is currently only available to Microsoft researchers and is not fielded to any of our commercial clouds – executive briefings and demos are available,” explains Walker.
“This sensor, coupled with the Freta analysis environment, demonstrates a path to cheap, automated memory forensic audits of large enterprises (10,000+ VMs).”