Recommended Hardening for Malware Analysis

Good morning,

I have an IncusOS cluster with OVN set up to provide “isolated” networking for each of my Incus Projects.

Because IncusOS is relatively new, I am just double-checking that I haven’t missed anything or that there aren’t any known VM-escape vulnerabilities.

Since OVN networks are “isolated” from each other (as much as virtual networks can be) and Incus Projects give another layer of isolation, are the risks of VM-escape higher than other virtualization options?

My current plan:

  • Create a new project solely for analysis
  • Use a USB-to-Ethernet NIC, directly attached to the analysis box (This specific project wouldn’t be OVN)
  • Assign that NIC its own subnet, isolated from the rest of the network, only able to talk to the internet
  • I should still have access to the VM through the default management interface (Incus CLI / WebGUI), but the VM shouldn’t know it exists
  • Set the Project to isolate images, profiles, networks, network zones, storage buckets, and storage volumes
  • Set the Project to limit all resources to the minimum necessary for the analysis setup
  • Set the VM resource limits to the minimum to run the OS

Other than that, everything else would be default settings.

The one thing that I think could be an issue is /dev/incus, since that’s the connection to the management interface. If I wanted to disallow that, I would have to set up FTP, SSH, or some other form of control for the analysis machine.

My questions are:

  1. Is there any hardening that is IncusOS-specific that I might have missed?
  2. What kind of access does a VM have to /dev/incus?
  3. Are there any known VM-escape issues? Since IncusOS is immutable, there isn’t any ‘persistence’ malware could gain, so I can reboot the physical machine after an analysis out of caution.

Just as a little aside: I’m a cybersecurity analyst but my specialty is digital forensics and incident response (DFIR). My work’s malware analyst has CAPE set up, but I want to build a malware analysis sandbox for personal research and to get better at investigating real malware in different environments and operating systems. I have a background in cybersecurity, but not specifically malware analysis.
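The plan from the post, written out as Incus CLI calls. This is an added example, not part of the original post and not code from the Incus project. The project name, instance name, image alias, storage pool and the host-side name of the USB NIC are placeholders (assumptions) set through environment variables. The script prints the commands by default (`DRY_RUN=1`) so they can be reviewed first, and executes them only when run with `DRY_RUN=0` on a host with the `incus` client. The one setting it adds beyond the list in the post is `security.guestapi=false`, the Incus instance option that removes `/dev/incus` from the guest; management then happens only from the host side (`incus exec` / `incus console`), which the guest cannot see.

```shell
#!/bin/sh
# Added example (not from the original post or the Incus project): apply the
# hardening plan for a malware-analysis VM with the Incus CLI.
# All names below are assumptions/placeholders; override them via environment.
set -eu

PROJECT="${PROJECT:-malware-analysis}"       # assumed project name
VM="${VM:-sample-01}"                        # assumed instance name
IMAGE="${IMAGE:-images:debian/12}"           # assumed image alias
POOL="${POOL:-default}"                      # assumed storage pool name
HOST_IFACE="${HOST_IFACE:-enxPLACEHOLDER}"   # placeholder: host name of the USB NIC
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print commands, 0 = execute

# run: print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: a project with its own images, profiles, networks, network zones,
# storage buckets and storage volumes, so nothing is shared with other projects.
create_project() {
    run incus project create "$PROJECT" \
        -c features.images=true \
        -c features.profiles=true \
        -c features.networks=true \
        -c features.networks.zones=true \
        -c features.storage.buckets=true \
        -c features.storage.volumes=true

    # Step 2: cap the project at a single VM with a small CPU/memory budget.
    # Project-level limits.cpu/limits.memory require every instance in the
    # project to carry its own limits, which create_vm sets below.
    run incus project set "$PROJECT" \
        limits.instances=1 \
        limits.virtual-machines=1 \
        limits.containers=0 \
        limits.cpu=2 \
        limits.memory=4GiB

    # With features.profiles=true the project's default profile starts empty,
    # so give it a root disk on the chosen pool before creating the VM.
    run incus profile device add default root disk \
        path=/ pool="$POOL" --project "$PROJECT"
}

# Step 3: the VM itself, limited to the minimum to run the guest OS, with the
# guest API (/dev/incus) disabled and a NIC on the dedicated USB adapter only.
create_vm() {
    run incus init "$IMAGE" "$VM" --vm --project "$PROJECT" \
        -c limits.cpu=2 \
        -c limits.memory=4GiB \
        -c security.guestapi=false

    # macvlan on the USB NIC: the guest sits on that adapter's segment and
    # cannot reach the host's own addresses over this link.
    run incus config device add "$VM" eth0 nic \
        nictype=macvlan parent="$HOST_IFACE" --project "$PROJECT"
}

main() {
    create_project
    create_vm
}

main "$@"
```

The macvlan NIC is what keeps the analysis VM off the OVN networks: it is attached straight to the USB adapter's parent interface, and the subnet on that adapter is still routed and firewalled outside Incus, exactly as the post describes. Run with `DRY_RUN=1` first and diff the printed commands against the intended plan; the dry run also makes the script safe to execute on a machine without `incus`.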