[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-discuss] Rapid VM deployment with fork(2)

From: Felix von Leitner
Subject: [Qemu-discuss] Rapid VM deployment with fork(2)
Date: Sat, 19 Sep 2015 13:37:54 +0200
User-agent: Mutt/1.5.21 (2010-09-15)

Hi qemu devs,

I was playing with the thought of using qemu for automated malware
testing of email attachments. Basically, and email with a Word
attachment comes in, you open it in a qemu VM and see if it does
anything evil.

If we had to boot or resume a VM for each attachment, I wager that would
be prohibitively expensive.

So my thinking is: start a qemu with a Windows with Office, Java and
Flash, then have it sit there. When an attachment comes in, use a web
service or something to get qemu for fork a copy of the VM off, and then
we would need to upload the file into it and shellexecute it. Or maybe
don't upload the file but use a network share, whatever.

The central performance requirement would be that you can quickly fork
off a pre-booted VM, and that it does not actually write anything to
disk, ever. The latter could be achieved with copy-on-write, I assume.
One would have to make sure that after the fork the forked copy writes
somewhere else. I expect this to be a minor problem.

The next question would be how you'd do the introspection into the VM to
get the most diagnostics you possibly can on what the malware tried to
do to the system.

Thoughts? Maybe I'm missing something and qemu already supports all



PS: I'm not on the list, please Cc me. I'll check the archives in the
next days, too.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]