
Using OS Design Patterns to Provide Reliability and Security as-a-Service for VM-based Clouds

Published: 08 April 2017

Abstract

This paper extends the concepts behind cloud services to offer hypervisor-based reliability and security monitors for cloud virtual machines. Cloud VMs can be heterogeneous and as such guest OS parameters needed for monitoring can vary across different VMs and must be obtained in some way. Past work involves running code inside the VM, which is unacceptable for a cloud environment. We solve this problem by recognizing that there are common OS design patterns that can be used to infer monitoring parameters from the guest OS. We extract information about the cloud user's guest OS with the user's existing VM image and knowledge of OS design patterns as the only inputs to analysis. To demonstrate the range of monitoring functionality possible with this technique, we implemented four sample monitors: a guest OS process tracer, an OS hang detector, a return-to-user attack detector, and a process-based keylogger detector.



Published in

ACM SIGPLAN Notices, Volume 52, Issue 7
VEE '17
July 2017
256 pages
ISSN: 0362-1340
EISSN: 1558-1160
DOI: 10.1145/3140607

VEE '17: Proceedings of the 13th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments
April 2017
261 pages
ISBN: 9781450349482
DOI: 10.1145/3050748

Copyright © 2017 ACM

Publisher: Association for Computing Machinery, New York, NY, United States

Qualifiers

  • tutorial
  • Research
  • Refereed limited