[vbox-dev] How malicious or corrupted snapshots are recovered.

Branko Majic branko at majic.rs
Tue Oct 16 07:30:40 GMT 2012


On Tue, 16 Oct 2012 11:13:34 +0530
prabhjeet kaur <prabhjeetkour at gmail.com> wrote:

> Dear members,
> thanks for the reply
> 
> 
> My actual question is:
> 1. Suppose the disk image whose snapshot is taken is affected by some
> malicious content. So, the snapshot we took is also corrupted.
> Now if this snapshot is used to recover any disk image in future or
> can be used as a virtual appliance then it can be dangerous as it
> affects other images.
> 
> How can this problem be overcome? How can we find that the snapshot we
> took 1-2 months before is not malicious?
> This problem can be solved by patching the snapshot, or we can try some
> other thing to overcome this problem.
> 
> Regards,
> Prabhjeet Kaur

From what I know, here's how snapshotting works. Let's assume the
virtual machine name is vm, and that its disk image is vm.vdi.

Once the snapshot is taken, the vm.vdi file does not receive any
changes. Instead, changes go to dedicated file in ~/VirtualBox
VMs/vm/Snapshots/{88df79d4-6960-497a-9391-7eb59a348612}.vdi 

Now, let's say you take another snapshot. Now neither the vm.vdi
nor {88df79d4-6960-497a-9391-7eb59a348612}.vdi files are changed, and
the new changes go into file ~/VirtualBox
VMs/vm/Snapshots/{e8e4d524-4497-4665-953b-89d36b717e86}.vdi.

The snapshot file names are just examples, of course.

So, what you could do once you make a snapshot is take the checksums
and sign them (PGP/X.509 or anything else you wish to do) of the
vm.vdi, and all of the other preceding snapshot files. Now, of course,
if the currently running VM gets corrupted with malware (i.e. that last
vdi file), it's as good as dead, but at least you're supposed to have
a safe snapshot back in time to which you can restore.

And of course, you should probably back-up your vdi and snapshots when
you take them.

I don't think you can easily patch the snapshot, though, since it's
basically a disk image. I.e. there's no real logic in it (same
limitation as for physical drives).

Best regards

P.S.
If I'm talking rubbish here, please correct me :)

-- 
Branko Majic
Jabber: branko at majic.rs
Please use only Free formats when sending attachments to me.

Бранко Мајић
Џабер: branko at majic.rs
Молим вас да додатке шаљете искључиво у слободним форматима.
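The checksum-and-sign idea from the reply above, as an added example that is not from the thread or from VirtualBox itself: a manifest over the whole chain (the base vm.vdi plus each snapshot diff, oldest first) is hashed and authenticated when a snapshot is taken, and later verification checks the manifest's authenticator first, then reports the first chain member whose contents changed. It assumes an HMAC key as a stand-in for the PGP/X.509 signing key the post mentions, and builds tiny constructed stand-in image files in a temporary directory.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Hypothetical key standing in for the PGP/X.509 private key; a real setup
# would use a detached signature from a key kept off the VM host.
MANIFEST_KEY = b"constructed-demo-key"


def sha256_file(path, chunk=1 << 20):
    """Stream a (possibly multi-GB) image file through SHA-256."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(chain, key=MANIFEST_KEY):
    """Hash each file of the snapshot chain (base vdi first, newest diff
    last) and attach a keyed MAC over the canonical manifest body."""
    body = {"chain": [{"path": p, "sha256": sha256_file(p)} for p in chain]}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify_chain(manifest, key=MANIFEST_KEY):
    """Return (ok, first_bad_path). The MAC is checked first so that a
    re-hashed manifest cannot vouch for a modified image file."""
    payload = json.dumps(manifest["body"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return False, "<manifest>"
    for entry in manifest["body"]["chain"]:
        if sha256_file(entry["path"]) != entry["sha256"]:
            return False, entry["path"]
    return True, None


def demo():
    """Constructed chain: base image plus two diffs; then corrupt the older
    diff, then re-hash the manifest without the key (forgery attempt)."""
    d = tempfile.mkdtemp()
    chain = [os.path.join(d, n) for n in ("vm.vdi", "snap1.vdi", "snap2.vdi")]
    for i, p in enumerate(chain):
        with open(p, "wb") as f:
            f.write(b"constructed image data %d\n" % i)
    manifest = build_manifest(chain)
    clean = verify_chain(manifest)
    with open(chain[1], "r+b") as f:  # simulate corruption of snap1.vdi
        f.write(b"X")
    tampered = verify_chain(manifest)
    manifest["body"]["chain"][1]["sha256"] = sha256_file(chain[1])
    forged = verify_chain(manifest)  # body fixed up, MAC no longer matches
    return clean, tampered, forged
```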