Qingkai Zeng

2013-01-01

Abstract:In order to improve the security of operate systems and applications,the system virtualization technology is studied;the typical security applications and research are discussed.According to the software level of existing researches,the current research progress and future trends from three aspects: security improvement of applications,operating system and virtual machine monitor are analyzed and summarized.An analysis and debug method for malware based on system virtualization be designed,the feasibility and effectiveness of the method are verified by implementing prototype system on the Intel-VT platform.

Xiaoguang Wang,Yong Qi,Zhi Wang,Yue Chen,Yajin Zhou

DOI: https://doi.org/10.1109/tdsc.2017.2675991

2019-01-01

Abstract:The OS kernel is critical to the security of a computer system. Many systems have been proposed to improve its security. A fundamental weakness of those systems is that page tables, the data structures that control the memory protection, are not isolated from the vulnerable kernel, and thus subject to tampering. To address that, researchers have relied on virtualization for reliable kernel memory protection. Unfortunately, such memory protection requires to monitor every update to the guest's page tables. This fundamentally conflicts with the recent advances in the hardware virtualization support. In this paper, we propose SecPod, an extensible framework for virtualization-based security systems that can provide both strong isolation and the compatibility with modern hardware. SecPod has two key techniques: paging delegation delegates and audits the kernel's paging operations to a secure space; execution trapping intercepts the (compromised) kernel's attempts to subvert SecPod by misusing privileged instructions. We have implemented a prototype of SecPod based on KVM. Our experiments show that SecPod is both effective and efficient.

Chen Wen-Zhi,Zhu Hong-Wei,Huang Wei

DOI: https://doi.org/10.1109/CW.2008.110

2008-01-01

Abstract:The security problem became more severe since the security requirement of different applications may conflict with the others in distributed application or grid computing. Virtualization technology can improvethe system's security, but did not satisfy the requirement of virtual resource sharing and inner-domain communication in distributed services and grid computing. By dividing the virtual resources into sharing virtual resources and normal ones, SeVMM provided secure mechanism for inter-domain communication control, which formed the base of multi-level security control model for virtual machine monitors, operating systems and applications. Case study and application showed that SeVMM improved the system's security without causing significant performance penalty.

XIANG Guo-Fu,JIN Hai,ZOU De-Qing,CHEN Xue-Guang

DOI: https://doi.org/10.3724/sp.j.1001.2012.04219

2012-01-01

Journal of Software

Abstract:In recent years, virtualization technology is the novel trendy of computer architecture, and it provides a solution for security monitoring.Due to the highest privilege and the smaller trusted computing base of virtual machine monitor, security tools, deployed in an isolated virtual machine, can inspect the target virtual machine with the help of virtual machine monitor.This approach can enhance the effectiveness and anti-attack ability of security tools.From the aspect of the implementation technologies, existing research works can be classified into internal monitoring and external monitoring.According to the different targets, the related works about virtualization-based monitoring are introduced in this paper in detail, such as intrusion detection, honeypot, file integrity monitoring, malware detection and analysis, security monitoring architecture and the generality of monitoring.Finally, this paper summarizes the shortcomings of existing works, and presents the future research directions.It is significant for virtualization research and security monitoring research.

Ji-Ming Chen,Shi Chen,Xiang Wang,Lin,Li Wang

DOI: https://doi.org/10.1155/2021/2729949

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:With the rapid development of Internet of Things technology, a large amount of user information needs to be uploaded to the cloud server for computing and storage. Side-channel attacks steal the private information of other virtual machines by coresident virtual machines to bring huge security threats to edge computing. Virtual machine migration technology is currently the main way to defend against side-channel attacks. VM migration can effectively prevent attackers from realizing coresident virtual machines, thereby ensuring data security and privacy protection of edge computing based on the Internet of Things. This paper considers the relevance between application services and proposes a VM migration strategy based on service correlation. This strategy defines service relevance factors to quantify the degree of service relevance, build VM migration groups through service relevance factors, and effectively reduce communication overhead between servers during migration, design and implement the VM memory migration based on the post-copy method, effectively reduce the occurrence of page fault interruption, and improve the efficiency of VM migration.

JIN Wei,LI Ming-lu,WENG Chu-liang

DOI: https://doi.org/10.3969/j.issn.1000-3428.2011.15.036

2011-01-01

Abstract:This paper aims to explore the security of the Virtual Machine Monitor(VMM),combined with open source virtualization software Xen to analyze the potential threats and vulnerabilities,such as tampering with hypercalls,malicious direct memory access.It designs and implements a way to undermine the stability of virtual machine by modifying VCPU state and meanwhile give countermeasures,such as verifying critical data structures to discover whether it is invaded,or forbidding the loading of module to eliminate all possible security risks posed by the module.

Francesco Gadaleta,Raoul Strackx,Nick Nikiforakis,Frank Piessens,Wouter Joosen

DOI: https://doi.org/10.48550/arXiv.1405.6058

2014-05-22

Abstract:Protecting commodity operating systems and applications against malware and targeted attacks has proven to be difficult. In recent years, virtualization has received attention from security researchers who utilize it to harden existing systems and provide strong security guarantees. This has lead to interesting use cases such as cloud computing where possibly sensitive data is processed on remote, third party systems. The migration and processing of data in remote servers, poses new technical and legal questions, such as which security measures should be taken to protect this data or how can it be proven that execution of code wasn't tampered with. In this paper we focus on technological aspects. We discuss the various possibilities of security within the virtualization layer and we use as a case study \HelloRootkitty{}, a lightweight invariance-enforcing framework which allows an operating system to recover from kernel-level attacks. In addition to \HelloRootkitty{}, we also explore the use of special hardware chips as a way of further protecting and guaranteeing the integrity of a virtualized system.

Cryptography and Security

Amjad Rehman,Sultan Alqahtani,Ayman Altameem,Tanzila Saba

DOI: https://doi.org/10.1007/s13042-013-0166-4

2013-04-09

International Journal of Machine Learning and Cybernetics

Abstract:Currently Virtual Machines (VMs) have many applications and their use is growing constantly as the hardware gets more powerful and usage more regulated allowing for scaling, monitoring, portability, security applications and many other uses. There are many types of virtualization techniques that can be employed on many levels from simple sandbox to full fledged streamlined managed access. While scaling, software lifecycles and diversity are just some of security challenges faced by VM developers the failure to properly implement those mechanisms may lead to VM escape, host access, denial of service and more. There are many exploits found in the last couple of years which were fixed on latest versions but some systems are still running them and vulnerable as presented, mostly to host based attacks and some have dramatic consequences.

LIU Qian,LUO Yuan,WENG Chu-liang,LI Ming-lu

DOI: https://doi.org/10.3969/j.issn.1674-9456.2010.06.012

2010-01-01

Abstract:Access control is the widely used way to guarantee the security of communication between virtual machines(VMs).But it is limited in flexibility and scalability.To overcome this limitation,this paper proposes a suite of security protocols for virtual machine systems.These security protocols establish a trusted path from bottom hardware to applications in VMs,by utilizing trusted platform module(TPM) as the trusted root.As a result,security functions,including granting key and certificate,identity authentication,secure communication between VMs,key and certificate update,are fulfilled successfully.Besides,these security protocols are implemented in Xen.

Ding Shun,Li Minglu,Weng Chuliang,Liu Qian

DOI: https://doi.org/10.3969/j.issn.1000-386X.2012.06.015

2012-01-01

Abstract:As virtualization is widely applied to various fields such as cloud computing,it gradually becomes a target that various malicious attacks aim at.The runtime security of virtual machines is of the most importance.Aiming at this problem,a monitoring scheme suitable for virtualized environments is proposed.Moreover a security monitoring prototype system of a virtual machine is implemented in Xen.With this scheme,a privileged virtual machine can execute dynamic and customized monitoring upon the massive client virtual machines hosted in a same physical machine.Particularly,this system is very effective at detecting rootkits inside OS kernels.The security monitoring scheme can effectively increase the security not only of client virtual machines but also of the whole VM system.

Jinan Shen,Deqing Zou,Hai Jin,Kai Yang,Bin Yuan,Weiming Li

DOI: https://doi.org/10.1109/cc.2016.7781724

2016-01-01

China Communications

Abstract:In traditional framework, mandatory access control (MAC) system and malicious software are run in kernel mode. Malicious software can stop MAC systems to be started and make it do invalid. This problem cannot be solved under the traditional framework if the operating system (OS) is comprised since malwares are running in ring0 level. In this paper, we propose a novel way to use hypervisors to protect kernel integrity and the access control system in commodity operating systems. We separate the access control system into three parts: policy management (PM), security server (SS) and policy enforcement (PE). Policy management and the security server reside in the security domain to protect them against malware and the isolation feather of the hypervisor can protect them from attacks. We add an access vector cache (AVC) between SS and PE in the guest OS, in order to speed up communication between the guest OS and the security domain. The policy enforcement module is retained in the guest OS for performance. The security of AVC and PE can be ensured by using a memory protection mechanism. The goal of protecting the OS kernel is to ensure the security of the execution path. We implement the system by a modified Xen hypervisor. The result shows that we can secure the security of the access control system in the guest OS with no overhead compared with modules in the latter. Our system offers a centralized security policy for virtual domains in virtual machine environments.

LIU Yu-tao,CHEN Hai-bo

DOI: https://doi.org/10.11959/j.issn.2096-109x.2016.00091

2016-01-01

Abstract:The virtualization security has increasingly drawn widespread attention with the spread of cloud computing in recent years.Thanks to another level of indirection,virtualization can provide stronger isolation mechanisms,as well as bottom-up security services for upper-level software.On the other side,the extra indirection brings complexity and overhead as well,which poses huge challenges.A series of recent representative work done by the institute of parallel and distributed system shanghai jiaotong university,including providing security services of trusted execution environment,virtual machine monitoring,intra-domain isolation,as well as optimizing trusted computing base and cross-world calls in the virtualization environment.Finally the problems and directions in the space of virtualization security were summarized.

Xianxian Li,Changhui Jiang,Jianxin Li,Bo Li

DOI: https://doi.org/10.1109/NCIS.2011.21

2011-01-01

Abstract:Malicious software is one of the primary threats to information system on Internet, while the traditional host-based and network-based monitoring systems are vulnerable to prevent the malicious behavior of software because most current malicious software is capable of resisting security monitoring. Virtualization technology gives an impactful approach to monitoring the behavior of malicious software since it can provide an abstraction layer between the operating system and the hardware. In this paper, we propose a hardware-virtualization-based security monitor system named VMInsight, which can provide load-time and run-time monitoring for processes. VMInsight intercepts system calls and process behaviors by monitoring changes in the virtual machine CPU register, and it is implemented in the hyper visor, thus is completely transparent to the software and operating system running in the virtual machine. The experimental results show that the performance overhead of VMInsight is less than 10%, and it can be easily applied to the third-party security monitoring system.

De-qing ZOU,Kai YANG,Xiao-xu ZHANG,Bo-yang YUAN,Ming-lu FENG

DOI: https://doi.org/10.6040/j.issn.1671-9352.2.2014.438

2014-01-01

Abstract:In order to improve the safety level of the system effectively,a kind of mechanism scheme of access control system in virtual domain that uses hypervisors to protect kernel integrity and access control system in commodity operat-ing systems was put forward.Access control system was separated into three parts:Policy Management (PM),Securi-ty Server (SS)and Policy Enforcement (PE).Prototype system SEVD (security-enhanced virtual domain)was imple-mented and evaluated by modified Xen hypervisor.Test results show that SEVD can secure the security of access con-trol system in Guest OS and avoid popular rootkits attacks while it have no overhead comparing with SELinux.Our sys-tem also can centralized security policy for virtual domains in virtual machine environment.

YANG Feng,JIANG Hui,ZHUGE Jian-wei,DUAN Hai-xin

DOI: https://doi.org/10.3969/j.issn.1000-1220.2012.08.040

2012-01-01

Abstract:Due to the advantages of resources utilization,management and isolation,Virtualization Technology has been widely used in the areas of virtual server,malware analysis and cloud computing platform.The malicious code writers and security researchers start a new game in Virtualization Technology,and how to detect the presence of virtual environments becomes a hot research topic.This paper,introduces the significance of Virtual Machine Environment(VME) Detection Methods,uses examples to describe the principles and methods of local and remote VME detection,makes a summary of VME Detection Methods,indicates the direction of Virtualization transparency,analyses and discusses the future trend.

Donghai Tian,Deguang Kong,Changzhen Hu,Peng Liu

DOI: https://doi.org/10.1109/securware.2010.9

2010-01-01

Abstract:Operating system security (OS) is the basis for trust computing. As the kernel rootkits become popular and lots of kernel vulnerabilities are exposed, the OS kernel suffers a large number of attacks. It is difficult to protect the kernel by its own module because the kernel rootkits has the same ability to cripple the security module within the same kernel space. Recently, with the virtualization renaissance, virtualization technology provides many new ways to improve the system security. Utilizing this new technology, we present a kernel protection system called VMhuko. By monitoring the kernel data access actively, VMhuko can defend the kennel data attacks on the fly. The intensive experiment shows that VMhuko can protect the kernel with moderate performance.

Dan-dan ZHAO,Xing-shu CHEN,Xin JIN

DOI: https://doi.org/10.6040/j.issn.1671-9352.1.2016.083

2017-01-01

Abstract:To enhance the security capabilities of kernel-based virtual machine(KVM) Hypervisor, a multi-level security capabilities enhancement technology was proposed based on multi vulnerabilities, including Hypervisor type trick, VMX instructions monitoring, the ioctl system call interface protection, dynamical KVM code measurement and antiunloading technology, to enhance the security capabilities of the KVM Hypervisor and detect some unknown attacks base interfaces of KVM in time. Eventually a prototype system on the full-virtualization platform of KVM was implemented which was called (Security-KVM, Sec-KVM). The experimental result shows that the Sec-KVM is able to hide the virtualization type of the Hypervisor which enhanced the ability of anti-attack of Hypervisor, dynamically measure the integrity of the KVM and the ioctl system call interface which prevented spread of the attacks, and detect some unknown attacks based KVM service interfaces.

Siqin Zhao,Kang Chen,Weimin Zheng

DOI: https://doi.org/10.1109/gcc.2009.14

2009-01-01

Abstract:When a denial-of-service happens, the malicious programs often occupies too much computing resources. A defending schema proposed in this paper can use virtual machine monitor to detect such attack by adapting threshold of available resources. If the defending system assures existence of attack, it will live duplicates the operating system together with the tagged applications to reserved isolated environment. The isolated environment is another virtual machine that is similar to the original one. At the meantime, execution of the operating system and tagged application keeps continuously both in new environment and original one. Through this way, the defending system can protect the running of the operating system and tagged applications from denial-of-service attack.

Hai Jin,Guofu Xiang,Deqing Zou,Feng Zhao,Min Li,Chen Yu

DOI: https://doi.org/10.1016/j.camwa.2010.01.007

IF: 3.218

2010-01-01

Computers & Mathematics with Applications

Abstract:The file system becomes the usual target of malicious attacks because it contains lots of sensitive data, such as executable programs, configuration and authorization information. File integrity monitoring is an effective approach to discover aggressive behavior by detecting modification actions on these sensitive files. Traditional real-time integrity monitoring tools, which insert hooks into the OS kernel, are easily controlled and disabled by malicious software. Such existing methods, which insert kernel module into OS, are hard to be compatible because of the diversity of OS. In this paper, we present a non-intrusive real-time file integrity monitoring method in virtual machine-based computing environment, which is transparent to the monitored system. The monitor is isolated from the monitored system, since it observes the state of the monitored system from the outside. This method brings two benefits: detecting file operations in real time and being invisible to malicious attackers in the monitored system. Furthermore, a kind of file classification algorithm based on file security level is proposed to improve efficiency in this paper. The proposed file integrity monitoring method is implemented in the full-virtualization mode supported by the Xen platform. The experimental results show that the method is effective with acceptable overhead.

Donghai Tian,Jingfeng Xue,Changzhen Hu,Xuanya Li

DOI: https://doi.org/10.1587/transinf.e97.d.1648

2014-01-01

IEICE Transactions on Information and Systems

Abstract:A whitelisting approach is a promising solution to prevent unwanted processes (e.g., malware) getting executed. However, previous solutions suffer from limitations in that: 1) Most methods place the whitelist information in the kernel space, which could be tempered by attackers; 2) Most methods cannot prevent the execution of kernel processes. In this paper, we present VAW, a novel application whitelisting system by using the virtualization technology. Our system is able to block the execution of unauthorized user and kernel processes. Compared with the previous solutions, our approach can achieve stronger security guarantees. The experiments show that VAW can deny the execution of unwanted processes effectively with a little performance overhead.