JailVM and Malware Scanning API in AWS

Jakub Jóźwicki
2 min read · Feb 14, 2022


A mature organization uses an internal, reusable Malware Scanning API. Besides clamav and the standard command-line anti-virus engines, the Cyber Defence Center can also expose a malware detonation sandbox as an API. Malware should not be run in a standard container because it can escape and infect the host. It should be run in Firecracker or Kata Containers, both of which provide strong isolation through virtualization (KVM). Kata Containers require i3.metal. What if we don’t want to use metal?

Container with qemu

We can use a container with QEMU inside and a dedicated rootfs. In this approach we get both the basic container isolation and the isolation provided by virtualization. Try to escape from this jail :)

OK, so we can run Linux malware. What about Windows? I would run it in Wine: WINEDEBUG=+relay,-debug wine winword.exe (see: https://wiki.winehq.org/Wine_Developer%27s_Guide/Debugging_Wine).

Dockerfile:

## buildah bud -t digitalforensic/jailvm-demo .
FROM ubuntu:22.04
# qemu-system pulls in qemu-system-x86_64; -qq implies -y, so the install needs no prompt
RUN export DEBIAN_FRONTEND=noninteractive; apt-get update && echo "Executing quiet apt-get install" && apt-get -qq install qemu-system
# guest disk image plus the kernel and initrd copied out by mkrootfs
COPY ./rootfs.img /rootfs.img
COPY ./vmlinuz /boot/vmlinuz
COPY ./initrd.img /boot/initrd.img
# boot the guest straight into bash on the serial console; /etc/bash.bashrc inside the image then runs /cmd.sh
# (pass /dev/kvm into the container at run time, otherwise QEMU falls back to slow TCG software emulation)
ENTRYPOINT /usr/bin/qemu-system-x86_64 -kernel /boot/vmlinuz -initrd /boot/initrd.img -append "root=/dev/sda console=ttyS0 init=/bin/bash quiet" -m 2G -drive file=/rootfs.img,format=raw -nographic -serial mon:stdio

and mkrootfs:

#!/bin/bash
## wget https://bouncer.gentoo.org/fetch/root/all/releases/amd64/autobuilds/20220213T170535Z/stage3-amd64-openrc-20220213T170535Z.tar.xz
set -e
# 400 MB raw ext4 image; QEMU will boot it as /dev/sda
dd if=/dev/zero bs=1M count=400 of=./rootfs.img && mkfs.ext4 ./rootfs.img && mkdir -p /mnt/rootfs
mount ./rootfs.img /mnt/rootfs
# populate the image with the unpacked filesystem of an ubuntu container
id=$(podman create ubuntu); podman export "$id" -o ./image.tar; tar -xf ./image.tar -C /mnt/rootfs; rm -f ./image.tar; podman rm "$id"
mkdir -p /mnt/rootfs/boot; cp /boot/vmlinuz /boot/initrd.img /mnt/rootfs/boot
# /cmd.sh: print the guest bash PID, wait, then power the VM off via sysrq; bash.bashrc runs it on boot
echo "echo \"VM active, current PID=\$BASHPID\"" >> /mnt/rootfs/cmd.sh; echo "sleep 10" >> /mnt/rootfs/cmd.sh; echo "echo o > /proc/sysrq-trigger" >> /mnt/rootfs/cmd.sh
chmod +x /mnt/rootfs/cmd.sh; echo "/cmd.sh" >> /mnt/rootfs/etc/bash.bashrc
umount /mnt/rootfs
# kernel and initrd for the Dockerfile's COPY lines
cp /boot/vmlinuz /boot/initrd.img .

As you can see, we can have a Malware Scanning API on AWS that autoscales and has proper isolation, without the fear of a container escape. Of course, it will also be cheap.
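The following is an added example of the wrapper such an API would call for each sample; it is not code from the article. It builds a hardened podman command line for the digitalforensic/jailvm-demo image, runs it with a hard time limit, and returns a record keyed by the sample's SHA-256 together with the guest's serial console output. Two things are assumptions: the localhost/ prefix on the image tag, and that the sample is bind-mounted read-only at /sample and attached to the guest by an entrypoint extended beyond the article's Dockerfile (which does not yet plumb a sample into the VM). The run_fn parameter and the two fake runners exist so the control flow can be exercised without podman or KVM present.

```python
import hashlib
import os
import subprocess
import tempfile
from dataclasses import dataclass

# Tag from the buildah line in the article; the localhost/ prefix is what a
# locally built image gets (assumption for this example).
IMAGE = "localhost/digitalforensic/jailvm-demo"


def jail_command(sample_path: str, timeout: int = 120, memory: str = "3g", use_kvm: bool = True) -> list:
    """podman argv for one detonation.

    The outer container is the second fence around QEMU: no network, no
    capabilities, no privilege escalation, a memory cap, a PID cap and a
    run-time limit enforced by podman itself. A guest-to-QEMU escape then
    lands somewhere that cannot reach anything. The writable layer that
    absorbs QEMU's writes to /rootfs.img is discarded by --rm, so every
    run boots a pristine guest."""
    cmd = [
        "podman", "run", "--rm",
        "--network", "none",
        "--cap-drop", "ALL",
        "--security-opt", "no-new-privileges",
        "--memory", memory,
        "--pids-limit", "256",
        "--timeout", str(timeout),
        # Hypothetical: /sample is bind-mounted read-only and a modified
        # entrypoint attaches it to the guest as a second read-only drive.
        "-v", f"{os.path.abspath(sample_path)}:/sample:ro",
    ]
    if use_kvm:
        # Without /dev/kvm QEMU silently falls back to TCG software emulation.
        cmd += ["--device", "/dev/kvm"]
    cmd.append(IMAGE)
    return cmd


@dataclass
class DetonationResult:
    sha256: str
    status: str        # "completed" | "timeout" | "error"
    exit_code: int
    console: str       # guest serial console, as QEMU printed it to stdout
    guest_booted: bool # True if the /cmd.sh marker from mkrootfs appeared


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def detonate(sample_path: str, timeout: int = 120, run_fn=subprocess.run) -> DetonationResult:
    """Run one sample in the jail. podman's own --timeout stops the container;
    the subprocess timeout (with a grace margin) is the backstop if podman hangs."""
    digest = sha256_of(sample_path)
    cmd = jail_command(sample_path, timeout=timeout)
    try:
        proc = run_fn(cmd, capture_output=True, text=True, timeout=timeout + 30)
    except subprocess.TimeoutExpired as exc:
        out = exc.stdout or b""
        console = out.decode(errors="replace") if isinstance(out, bytes) else out
        return DetonationResult(digest, "timeout", -1, console, "VM active" in console)
    status = "completed" if proc.returncode == 0 else "error"
    return DetonationResult(digest, status, proc.returncode, proc.stdout, "VM active" in proc.stdout)


def constructed_sample() -> str:
    """Write a harmless constructed stand-in file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(b"constructed stand-in, not a real sample\n")
    return path


def fake_run_completed(cmd, **kw):
    """Stand-in for subprocess.run: the guest booted, ran /cmd.sh and powered off."""
    return subprocess.CompletedProcess(cmd, 0, stdout="VM active, current PID=1\n", stderr="")


def fake_run_hung(cmd, **kw):
    """Stand-in for subprocess.run: the sample kept the guest alive past the limit."""
    raise subprocess.TimeoutExpired(cmd, kw.get("timeout", 0), output=b"")


if __name__ == "__main__":
    # Real use: detonate("/path/to/sample") on a host with podman and /dev/kvm.
    print(detonate(constructed_sample(), run_fn=fake_run_completed))
```

The API layer itself (upload, queue, autoscaled workers) sits on top of detonate(); the point here is that the per-sample run never inherits network, capabilities or an unbounded runtime from the worker, and that a hung guest is reported as "timeout" rather than left running.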
