Abstract
This paper extends the concepts behind cloud services to offer hypervisor-based reliability and security monitors for cloud virtual machines. Cloud VMs can be heterogeneous, so the guest OS parameters needed for monitoring vary across VMs and must be obtained in some way. Past work involves running code inside the VM, which is unacceptable for a cloud environment. We solve this problem by recognizing that there are common OS design patterns that can be used to infer monitoring parameters from the guest OS. We extract information about the cloud user's guest OS with the user's existing VM image and knowledge of OS design patterns as the only inputs to analysis. To demonstrate the range of monitoring functionality possible with this technique, we implemented four sample monitors: a guest OS process tracer, an OS hang detector, a return-to-user attack detector, and a process-based keylogger detector.
Using OS Design Patterns to Provide Reliability and Security as-a-Service for VM-based Clouds
VEE '17: Proceedings of the 13th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments