Patch auditing in infrastructure as a service clouds

Published: 09 March 2011

Abstract

A basic requirement of a secure computer system is that it be up to date with regard to software security patches. Unfortunately, Infrastructure as a Service (IaaS) clouds make this difficult. They rely on virtualization, whose features (VMs that can be checkpointed, resumed and migrated) cause traditional security patch update systems to fail. In addition, the diversity of operating systems and the distributed nature of administration in the cloud compound the problem of identifying unpatched machines.

In this work, we propose P2, a hypervisor-based patch audit solution. P2 audits VMs and detects the execution of unpatched binary and non-binary files in an accurate, continuous and OS-agnostic manner. Two key innovations make P2 possible. First, P2 uses efficient information flow tracking to identify the use of unpatched non-binary files in a vulnerable way. We performed a patch survey and discovered that 64% of files modified by security updates do not contain binary code, making the audit of non-binary files crucial. Second, P2 implements a novel algorithm that identifies binaries in mid-execution, which allows it to handle VMs resumed from a checkpoint or migrated into the cloud. We have implemented a prototype of P2, and our experiments show that it accurately reports the execution of unpatched code while imposing a performance overhead of 4%.
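The binary-identification side of the audit, as an added illustration that is not code from the P2 paper or its prototype: when a VM is resumed from a checkpoint or migrated in, the hypervisor never sees the binary being loaded from the start, so it can only hash the code pages it actually observes executing and narrow down, by elimination, which known version (patched or unpatched) those pages belong to. Pages shared by both versions leave the verdict ambiguous; the first page that exists only in the unpatched build settles it. The hash database, the two versions of a fictional `httpd` image, the 4 KiB page size and the simplification that the patch changes only the contents of one page (real patches shift code layout and need relocation-aware hashing) are all constructed for this example, and the information flow tracking for non-binary files is not modelled.

```python
"""Toy out-of-VM patch audit by page hashing (constructed example).

Identifies which known version of a binary is executing from the code
pages observed so far, even when observation starts mid-execution.
"""
import hashlib
from typing import Dict, List, Set

PAGE = 4096  # assumed page size of the audited guest


def page_hashes(image: bytes) -> List[str]:
    """Split an executable image into page-sized chunks and hash each chunk."""
    chunks = [image[i:i + PAGE] for i in range(0, len(image), PAGE)]
    return [hashlib.sha256(c).hexdigest() for c in chunks]


def build_database(versions: Dict[str, bytes]) -> Dict[str, Set[str]]:
    """Map each version label to the set of its page hashes.

    Stands in for a database built from the distribution's packages
    (assumption: every version the guest may run is in the database).
    """
    return {name: set(page_hashes(img)) for name, img in versions.items()}


class Auditor:
    """Narrows the set of versions consistent with the pages seen executing."""

    def __init__(self, db: Dict[str, Set[str]], unpatched: Set[str]) -> None:
        self.db = db
        self.unpatched = set(unpatched)
        self.candidates = set(db)      # versions not yet ruled out
        self.unknown: List[str] = []   # hashes of pages matching no version

    def observe(self, page: bytes) -> str:
        """Feed one executing code page; return the current verdict."""
        h = hashlib.sha256(page).hexdigest()
        consistent = {v for v in self.candidates if h in self.db[v]}
        if not consistent:
            # Code that belongs to no known version: report it rather than
            # silently discarding the candidate set.
            self.unknown.append(h)
            return "unknown"
        self.candidates = consistent
        return self.status()

    def status(self) -> str:
        if self.candidates <= self.unpatched:
            return "unpatched"          # every remaining candidate is vulnerable
        if self.candidates.isdisjoint(self.unpatched):
            return "patched"            # every remaining candidate is fixed
        return "ambiguous"              # only shared pages seen so far


def make_image(pages: List[bytes]) -> bytes:
    """Build a fake executable image from page contents, zero-padded."""
    return b"".join(p.ljust(PAGE, b"\x00") for p in pages)


def page(image: bytes, index: int) -> bytes:
    """Extract page `index` of an image, as the hypervisor would see it."""
    return image[index * PAGE:(index + 1) * PAGE]


# Constructed images: the security patch changes only page 2.
COMMON_0 = b"entry: call parse_request"
COMMON_1 = b"helper: log_message"
VULN_2 = b"parse_request: strcpy(buf, input)"                 # pre-patch code
FIXED_2 = b"parse_request: strlcpy(buf, input, sizeof buf)"   # patched code
COMMON_3 = b"cleanup: free(buf)"

VERSIONS = {
    "httpd-1.0": make_image([COMMON_0, COMMON_1, VULN_2, COMMON_3]),
    "httpd-1.1": make_image([COMMON_0, COMMON_1, FIXED_2, COMMON_3]),
}
UNPATCHED = {"httpd-1.0"}   # versions the security advisory marks vulnerable
DB = build_database(VERSIONS)


def audit_trace(observed: List[bytes]) -> List[str]:
    """Run a fresh audit over a sequence of observed pages; return verdicts."""
    auditor = Auditor(DB, UNPATCHED)
    return [auditor.observe(p) for p in observed]


if __name__ == "__main__":
    # A VM resumed mid-execution: the first pages seen are shared ones,
    # so the verdict stays ambiguous until the patched function runs.
    v1 = VERSIONS["httpd-1.0"]
    for verdict in audit_trace([page(v1, 3), page(v1, 1), page(v1, 2)]):
        print(verdict)
```

The point the trace makes is that an audit of a resumed or migrated VM cannot assume it will see the executable's header or entry point; a verdict of "ambiguous" is the honest state until a page touched by the patch executes, and "unknown" pages (code matching no version in the database) deserve their own report rather than being dropped.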
