Abstract
A basic requirement of a secure computer system is that it be up to date with respect to software security patches. Unfortunately, Infrastructure as a Service (IaaS) clouds make this difficult. They rely on virtualization, and features such as checkpointing, resuming and migrating virtual machines defeat the assumptions on which traditional patch update and audit systems depend. In addition, the diversity of guest operating systems and the distributed nature of administration in the cloud compound the problem of identifying unpatched machines.
In this work, we propose P2, a hypervisor-based patch audit solution. P2 audits VMs and detects the execution of unpatched binary and non-binary files in an accurate, continuous and OS-agnostic manner. Two key innovations make P2 possible. First, P2 uses efficient information flow tracking to identify the use of unpatched non-binary files in a vulnerable way. We performed a patch survey and found that 64% of files modified by security updates do not contain binary code, making the audit of non-binary files crucial. Second, P2 implements a novel algorithm that identifies binaries in mid-execution, which allows it to handle VMs resumed from a checkpoint or migrated into the cloud. We have implemented a prototype of P2, and our experiments show that it accurately reports the execution of unpatched code while imposing a performance overhead of 4%.
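The abstract notes that a hypervisor-side auditor must recognise a binary that is already running, for example after a checkpointed VM is resumed without ever faulting in its header page again. The following added example (not P2's code, and not a description of P2's actual algorithm) illustrates the shape of that problem: the "hypervisor" sees only hashes of guest code pages that execute, and matches them against a catalogue of pages from known package builds. The package names, versions and page contents are constructed for the example; the point it shows is that pages shared by a patched and an unpatched build prove nothing on their own, and only a page unique to the unpatched build justifies a report.

```python
"""Page-hash identification of a binary that is already in execution.

Added illustration (not P2's implementation): a hypervisor that watches which
guest code pages run can identify the file they came from by matching page
hashes against a catalogue, without reading the executable's header and
without help from the guest OS.
"""
import hashlib

PAGE_SIZE = 4096


def split_pages(data: bytes):
    """Split an image into fixed-size pages, zero-padding the tail as a loader would."""
    return [data[off:off + PAGE_SIZE].ljust(PAGE_SIZE, b"\x00")
            for off in range(0, len(data), PAGE_SIZE)]


def page_hash(page: bytes) -> str:
    return hashlib.sha256(page).hexdigest()


def build_catalogue(images):
    """Map page hash -> set of (name, version, patched) builds containing that page.

    A page shared by the patched and unpatched build maps to both entries, so
    a single shared page cannot decide which build is running.
    """
    index = {}
    for build, data in images.items():
        for page in split_pages(data):
            index.setdefault(page_hash(page), set()).add(build)
    return index


def audit_executing_pages(observed_pages, index):
    """Match executing pages against the catalogue.

    Returns (candidates, unpatched_hits, unknown):
      candidates     - builds consistent with every recognised page
      unpatched_hits - hashes of pages that exist only in unpatched builds
      unknown        - pages not in the catalogue (e.g. JIT code, unpackaged files)
    """
    candidates = None
    unpatched_hits = []
    unknown = 0
    for page in observed_pages:
        h = page_hash(page)
        owners = index.get(h)
        if owners is None:
            unknown += 1
            continue
        candidates = set(owners) if candidates is None else candidates & owners
        # Report only when no patched build could have produced this page.
        if all(not patched for (_, _, patched) in owners):
            unpatched_hits.append(h)
    return (candidates or set()), unpatched_hits, unknown


# Constructed sample builds (hypothetical package "libexample"): two pages of
# shared code plus one page that the security update rewrites.
SHARED_BODY = bytes(range(256)) * 32                       # exactly 2 pages
VULN_PAGE = b"strcpy(buf, input)".ljust(PAGE_SIZE, b"\x90")
FIXED_PAGE = b"strlcpy(buf, input, sizeof buf)".ljust(PAGE_SIZE, b"\x90")

IMAGES = {
    ("libexample", "1.0-1", False): SHARED_BODY + VULN_PAGE,   # unpatched
    ("libexample", "1.0-2", True):  SHARED_BODY + FIXED_PAGE,  # patched
}


def demo():
    """Resumed VM: only pages 1 and 2 of the unpatched build are seen executing."""
    index = build_catalogue(IMAGES)
    running = split_pages(IMAGES[("libexample", "1.0-1", False)])[1:]
    return audit_executing_pages(running, index)


if __name__ == "__main__":
    candidates, hits, unknown = demo()
    print("candidate builds:", candidates)
    print("unpatched pages executed:", len(hits), "unknown pages:", unknown)
```

Observing only the shared page leaves both builds as candidates and raises nothing; observing the rewritten page narrows the candidates to the unpatched build and produces a report. A real auditor would also have to cope with relocations and in-place code patching, which this hash-only illustration ignores.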
Patch auditing in infrastructure as a service clouds
VEE '11: Proceedings of the 7th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments