Thomas Dangl,Stewart Sentanoe,Hans P. Reiser

DOI: https://doi.org/10.1016/j.sysarc.2024.103101

IF: 5.836

2024-03-03

Journal of Systems Architecture

Abstract:Active and passive virtual machine introspection mechanisms are pivotal for monitoring virtual machines on top of a hypervisor. They enable external tools to monitor and inspect the state from the outside. Active virtual machine introspection mechanisms intercept the execution at predetermined locations of interest synchronous to the execution of the system. Such mechanisms, in particular, require support from the processor vendor by facilitating interpositioning. This support is missing on AMD x86 processors, leading to inferior introspection solutions. We outline implicit assumptions about active introspection mechanisms in previous work, offer constructions for solution strategies on AMD systems, and discuss stealthiness and correctness. We show empirically that such retrofitted software solutions exhibit performance metrics in the same order of magnitude as native hardware solutions. Moreover, we highlight that the open problems for virtual machine introspection on ARM systems and those encountered on AMD x86 are related. Hence, we present an introspection architecture based on KVMi that addresses these open problems. Finally, we demonstrate comparable and, in many cases, superior performance to state-of-the-art solutions on Intel x86 .

computer science, software engineering, hardware & architecture

Chonghua Wang,Xiao-chun Yun,Zhiyu Hao,Lei Cui,Yandong Han,Qingxin Zou

DOI: https://doi.org/10.1007/978-3-319-27137-8_32

2015-01-01

Abstract:Upon practical implementation of virtual machine introspection (VMI), administrators may be overwhelmed by dozens of research works. Specifically, the adopted introspection mechanism perform differently with regard to various performance and security requirements. Besides, most of previous works do not clarify the boundary between Trusted Computing Base (TCB) and attacks towards introspection. This paper aims to help administrators to determine the appropriate introspection approach. Firstly, we summarize current VMI technologies, and present a classification method mainly depending on whether hardware assistance is required, how it solves the semantic gap problem and how introspection is triggered. Secondly, we discuss how to achieve a good trade-off between the two metrics of performance and security. Thirdly, we propose a TCB threat model to employ VMI along with other enhancing mechanism to tackle attacks in different levels of TCB. Finally, we discuss some future trends related to VMI for further improving security.

Huaizhe Zhou,Haihe Ba,Yongjun Wang,Tie Hong

DOI: https://doi.org/10.1587/transinf.2019EDL8148

2020-01-01

IEICE Transactions on Information and Systems

Abstract:The arms race between offense and defense in the cloud impels the innovation of techniques for monitoring attacks and unauthorized activities. The promising technique of virtual machine introspection (VMI) becomes prevalent for its tamper-resistant capability. However, some elaborate exploitations are capable of invalidating VMI-based tools by breaking the assumption of a trusted guest kernel. To achieve a more reliable and robust introspection, we introduce a practical approach to monitor and detect attacks that attempt to subvert VMI in this paper. Our approach combines supervised machine learning and hardware architectural events to identify those malicious behaviors which are targeted at VMI techniques. To demonstrate the feasibility, we implement a prototype named HyperMon on the Xen hypervisor. The results of our evaluation show the effectiveness of HyperMon in detecting malicious behaviors with an average accuracy of 90.51% (AUC).

Martin Radev,Mathias Morbitzer

DOI: https://doi.org/10.48550/arXiv.2010.07094

2020-10-14

Abstract:Cloud computing is a convenient model for processing data remotely. However, users must trust their cloud provider with the confidentiality and integrity of the stored and processed data. To increase the protection of virtual machines, AMD introduced SEV, a hardware feature which aims to protect code and data in a virtual machine. This allows to store and process sensitive data in cloud environments without the need to trust the cloud provider or the underlying software. However, the virtual machine still depends on the hypervisor for performing certain activities, such as the emulation of special CPU instructions, or the emulation of devices. Yet, most code that runs in virtual machines was not written with an attacker model which considers the hypervisor as malicious. In this work, we introduce a new class of attacks in which a malicious hypervisor manipulates external interfaces of an SEV or SEV-ES virtual machine to make it act against its own interests. We start by showing how we can make use of virtual devices to extract encryption keys and secret data of a virtual machine. We then show how we can reduce the entropy of probabilistic kernel defenses in the virtual machine by carefully manipulating the results of the CPUID and RDTSC instructions. We continue by showing an approach for secret data exfiltration and code injection based on the forgery of MMIO regions over the VM's address space. Finally, we show another attack which forces decryption of the VM's stack and uses Return Oriented Programming to execute arbitrary code inside the VM. While our approach is also applicable to traditional virtualization environments, its severity significantly increases with the attacker model of SEV-ES, which aims to protect a virtual machine from a benign but vulnerable hypervisor.

Cryptography and Security

CHEN Zhu-Hong,CUI Chao-Yuan,WANG Ru-Jing,ZHOU Ji-Dong

DOI: https://doi.org/10.3969/j.issn.1003-3254.2013.07.015

2013-01-01

Abstract:As the foundation of cloud computing,virtualization technology’s security problems are gained more and more attention of the specialists with the development of cloud computing.This paper presents a virtual machine system kernel intrusion detection system,which use the introspection technology provided by Xen hypervisor to get internal states of kernel of the virtual machine.To achieve the goal of monitoring the kernel and preventing it from being compromised.This system can effectively defend the case of attack that dynamically modifies the kernel code and kernel unchanged data structure.

Chaoyuan Cui,Yun Wu,Yonggang Li,Bingyu Sun

DOI: https://doi.org/10.3837/tiis.2017.03.026

2017-01-01

KSII Transactions on Internet and Information Systems

Abstract:Intrusion detection techniques based on virtual machine introspection (VMI) provide high temper-resistance in comparison with traditional in-host anti-virus tools. However, the presence of semantic gap also leads to the performance and compatibility problems. In order to map raw bits of hardware to meaningful information of virtual machine, detailed knowledge of different guest OS is required. In this work, we present VDSM, a lightweight and general approach based on driver separation mechanism: divide semantic view reconstruction into online driver of view generation and offline driver of semantics extraction. We have developed a prototype of VDSM and used it to do intrusion detection on 13 operation systems. The evaluation results show VDSM is effective and practical with a small performance overhead.

Zhi-Xian Chen,Jun Cui,Wei Liu,Hao Huang

2010-01-01

Abstract:Kernel-level attacks or rootkits typically leverage security exploits to gain initial unauthorized privileged access to an operating system. Current approaches defend against these attacks by enforcing data-flow integrity and control-flow integrity. However, only taking a certain aspect into account cannot provide a complete integrity monitoring solution. In this paper, we present a lightweight in-kernel hypervisor (IKH) utilizing Intel VT hardware virtualization, for insuring the kernel integrity, which can bridge the semantic gap between hypervisor and monitored OS, meanwhile offer small code size for formal verification. We have developed a primitive prototype on Linux as a kernel module, which can avoid being tampered by malicious code and detect kernel-level rootkits or attacks by four protection mechanisms based on the hardware-assisted virtualization. Experiment results show the effectiveness and feasibility of IKH and tolerable overhead imposed.

Nanzi Yang,Wenbo Shen,Jinku Li,Yutian Yang,Kangjie Lu,Jietao Xiao,Tianyu Zhou,Chenggang Qin,Wang Yu,Jianfeng Ma,Kui Ren

DOI: https://doi.org/10.1145/3460120.3484744

2021-01-01

Abstract:Due to its faster start-up speed and better resource utilization efficiency, OS-level virtualization has been widely adopted and has become a fundamental technology in cloud computing. Compared to hardware virtualization, OS-level virtualization leverages the shared-kernel design to achieve high efficiency and runs multiple user-space instances (a.k.a., containers) on the shared kernel. However, in this paper, we reveal a new attack surface that is intrinsic to OS-level virtualization, affecting Linux, FreeBSD, and Fuchsia. The root cause is that the shared-kernel design in OS-level virtualization results containers in sharing thousands of kernel variables and data structures directly and indirectly. Without exploiting any kernel vulnerabilities, a non-privileged container can easily exhaust the shared kernel variables and data structure instances to cause DoS attacks against other containers. Compared with the physical resources, these kernel variables or data structure instances (termed abstract resources) are more prevalent but under-protected. To show the importance of confining abstract resources, we conduct abstract resource attacks that target different aspects of the OS kernel. The results show that attacking abstract resources is highly practical and critical. We further conduct a systematic analysis to identify vulnerable abstract resources in the Linux kernel, which successfully detects 1,010 abstract resources and 501 of them can be repeatedly consumed dynamically. We also conduct the attacking experiments in the self-deployed shared-kernel container environments on the top 4 cloud vendors. The results show that all environments are vulnerable to abstract resource attacks. We conclude that containing abstract resources is hard and give out multiple strategies for mitigating the risks.

Jiangyong Shi,Yuexiang Yang,Chuan Tang

DOI: https://doi.org/10.1186/s40064-016-2257-7

2016-05-17

SpringerPlus

Abstract:In this paper, we introduce hypervisor introspection, an out-of-box way to monitor the execution of hypervisors. Similar to virtual machine introspection which has been proposed to protect virtual machines in an out-of-box way over the past decade, hypervisor introspection can be used to protect hypervisors which are the basis of cloud security. Virtual machine introspection tools are usually deployed either in hypervisor or in privileged virtual machines, which might also be compromised. By utilizing hardware support including nested virtualization, EPT protection and #BP, we are able to monitor all hypercalls belongs to the virtual machines of one hypervisor, include that of privileged virtual machine and even when the hypervisor is compromised. What's more, hypercall injection method is used to simulate hypercall-based attacks and evaluate the performance of our method. Experiment results show that our method can effectively detect hypercall-based attacks with some performance cost. Lastly, we discuss our furture approaches of reducing the performance cost and preventing the compromised hypervisor from detecting the existence of our introspector, in addition with some new scenarios to apply our hypervisor introspection system.

Yutao Liu,Yubin Xia,HaiBing Guan,Binyu Zang

DOI: https://doi.org/10.1109/HPCA.2014.6835951

2014-01-01

Abstract:Virtual machine introspection, which provides tamperresistant, high-fidelity “out of the box” monitoring of virtual machines, has many prominent security applications including VM-based intrusion detection, malware analysis and memory forensic analysis. However, prior approaches are either intrusive in stopping the world to avoid race conditions between introspection tools and the guest VM, or providing no guarantee of getting a consistent state of the guest VM. Further, there is currently no effective means for timely examining the VM states in question. In this paper, we propose a novel approach, called TxIntro, which retrofits hardware transactional memory (HTM) for concurrent, timely and consistent introspection of guest VMs. Specifically, TxIntro leverages the strong atomicity of HTM to actively monitor updates to critical kernel data structures. Then TxIntro can mount introspection to timely detect malicious tampering. To avoid fetching inconsistent kernel states for introspection, TxIntro uses HTM to add related synchronization states into the read set of the monitoring core and thus can easily detect potential inflight concurrent kernel updates. We have implemented and evaluated TxIntro based on Xen VMM on a commodity Intel Haswell machine that provides restricted transactional memory (RTM) support. To demonstrate the effectiveness of TxIntro, we implemented a set of kernel rootkit detectors using TxIntro. Evaluation results show that TxIntro is effective in detecting these rootkits, and is efficient in adding negligible performance overhead.

guofeng wang,chuanyi liu,jie lin

DOI: https://doi.org/10.1007/978-3-662-43908-1_4

2014-01-01

Abstract:Modern malware attacks are designed intricately, transport data encrypted, so monitoring network traffic can't solve such attacks completely. Therefore, network monitoring and analysis need to be combined with system behavior monitoring and memory analysis, and the latter is more important. In this article we propose a hardware-based virtualization prototype system, combined with memory analysis tools to monitor and counterwork malicious attacks actively. The system is based on Xen virtualization platform, which monitoring virtual machine behavior by capturing specific events. The events are triggered by some specific behaviors associated with malicious software monitoring, such as executing privileged instruction, system calls, memory writing, etc. When necessary, we can dump the memory of the virtual machine, use memory analysis tools for detailed analysis, so as to achieve the purpose of monitoring and counterworking.

Rui Wu,Ping Chen,Peng Liu,Bing Mao

DOI: https://doi.org/10.1109/DSN.2014.59

2014-01-01

Abstract:Existing VMI techniques have high overhead, and require customized introspection programs/tools for different guest OS versions - lack of generality. In this paper, we present Shadow Context, a system for close-to-real time manual-effort-free VMI. Shadow Context can meet several important real-world VMI needs which existing VMI techniques cannot. Compared to other automatic introspection tool generation techniques, Shadow Contexthas two merits: (1) Its overhead is significantly less. It achieves close-to-real time VMI. (2) It significantly improves the practical usefulness of introspection tools by allowing one introspection program to inspect a variety of guest OS versions. These merits are achieved via a new concept called \"Shadow Context\" which allows the guest OSessystem call code to be reused inside a \"shadowed\" portion of the context of the out-of-guest inspection program. Besides, Shadow Context is secure enough to defend against a variety of real world attacks. Shadow Context is designed, implemented and systematically evaluated. Experimental results show that the performance overhead is about 75%with a median initialization time of 0.117 milliseconds.

Nanzi Yang,Wenbo Shen,Jinku Li,Yutian Yang,Kangjie Lu,Jietao Xiao,Tianyu Zhou,Chenggang Qin,Wang Yu,Jianfeng Ma,Kui Ren

DOI: https://doi.org/10.1145/3460120.3484744

2021-01-01

Abstract:Due to its faster start-up speed and better resource utilization efficiency, OS-level virtualization has been widely adopted and has become a fundamental technology in cloud computing. Compared to hardware virtualization, OS-level virtualization leverages the shared-kernel design to achieve high efficiency and runs multiple user-space instances (a.k.a., containers) on the shared kernel. However, in this paper, we reveal a new attack surface that is intrinsic to OS-level virtualization, affecting Linux, FreeBSD, and Fuchsia. The root cause is that the shared-kernel design in OS-level virtualization results containers in sharing thousands of kernel variables and data structures directly and indirectly. Without exploiting any kernel vulnerabilities, a non-privileged container can easily exhaust the shared kernel variables and data structure instances to cause DoS attacks against other containers. Compared with the physical resources, these kernel variables or data structure instances (termed abstract resources) are more prevalent but underprotected. To show the importance of confining abstract resources, we conduct abstract resource attacks that target different aspects of the OS kernel. The results show that attacking abstract resources is highly practical and critical. We further conduct a systematic analysis to identify vulnerable abstract resources in the Linux kernel, which successfully detects 1,010 abstract resources and 501 of them can be repeatedly consumed dynamically. We also conduct the attacking experiments in the self-deployed shared-kernel container environments on the top 4 cloud vendors. The results show that all environments are vulnerable to abstract resource attacks. We conclude that containing abstract resources is hard and give out multiple strategies for mitigating the risks.

Chao Su,Xuhua Ding,Qingkai Zeng

DOI: https://doi.org/10.1109/dsn48987.2021.00045

2021-01-01

Abstract:Out-of-VM introspection is an imperative part of security analysis. The legacy methods either modify the system, introducing enormous overhead, or rely heavily on hardware features, which are neither available nor practical in most cloud environments. In this paper, we propose a novel analysis method, named as Catcher, that utilizes CPU cache to perform out-of-VM introspection. Catcher does not make any modifications to the target program and its running environment, nor demands special hardware support. Implemented upon Linux KVM, it natively introspects the target's virtual memory. More importantly, it uses the cache-based side channel to infer the target control flow. To deal with the inherent limitations of the side channel, we propose several heuristics to improve the accuracy and stability of Catcher. Our experiments against various malware armored with packing techniques show that Catcher can recover the control flow in real time with around 67% to 97% accuracy scores. Catcher incurs a negligible overhead to the system and can be launched at anytime to monitor an ongoing attack inside a virtual machine.

CUI Chao-yuan,WU Yun,LI Ping,ZHANG Xiao-ming

DOI: https://doi.org/10.11959/j.issn.1000-436x.2015103

2015-01-01

Abstract:Virtual machine introspection(VMI)has been widely used in areas such as intrusion detection and malware analysis.However,due to the existence of semantic gap,the generality and the efficiency of VMI were partly influenced while getting internal information of a virtual machine.By analyzing the deficiencies of existing technology of semantic gap restoration,a method called ModSG was proposed to bridge the semantic gap.ModSG was a modularity system,it divided semantic restoration into two parts.One was online phase that interact directly with user to construct semantic views,the other was offline phase that only interact with operating system to parse high-level semantic knowledge.Both were implemented via independent module,and the latter provided the former with necessary kernel information during semantic view construction.Experiments on different virtual machine states and different kernel versions show that the ModSG is accurate and efficient in narrowing semantic gap.The modular design and deployment also make ModSG easily to be extended to other operating systems and virtualization platforms.

Benedict Schlüter,Supraja Sridhara,Mark Kuhne,Andrin Bertschi,Shweta Shinde

2024-04-04

Abstract:Hardware-based Trusted execution environments (TEEs) offer an isolation granularity of virtual machine abstraction. They provide confidential VMs (CVMs) that host security-sensitive code and data. AMD SEV-SNP and Intel TDX enable CVMs and are now available on popular cloud platforms. The untrusted hypervisor in these settings is in control of several resource management and configuration tasks, including interrupts. We present Heckler, a new attack wherein the hypervisor injects malicious non-timer interrupts to break the confidentiality and integrity of CVMs. Our insight is to use the interrupt handlers that have global effects, such that we can manipulate a CVM's register states to change the data and control flow. With AMD SEV-SNP and Intel TDX, we demonstrate Heckler on OpenSSH and sudo to bypass authentication. On AMD SEV-SNP we break execution integrity of C, Java, and Julia applications that perform statistical and text analysis. We explain the gaps in current defenses and outline guidelines for future defenses.

Cryptography and Security

LI Xun,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.12.015

2011-01-01

Computer Science

Abstract:Kernel-level attacks compromise operating system security by tampering with critical data and control flow in the kernel.Current approaches defend against these attacks by applying code integrity or control flow integrity control methods.However,they focus on only a certain aspect and cannot give a complete integrity monitoring solution.This paper analyzed the kernel integrity principle and got practical requirements to ensure kernel integrity.Critical data objects effect operating system function directly.Only certain code is able to modify critical data objects at certain conditions to ensure data integrity.All factors about code execution sequence are protected and monitored to ensure control flow integrity.Implementation in Xen VMM(Virtual Machine Monitor) using hardware virtualization,or referred to as HVM(Hardware Virtual Machine) is introduced to protect and monitor Linux kernel.Experiments show that the solution can detect and prevent attacks and bugs compromising the kernel.

Siqi Zhao,Xuhua Ding,Wen Xu,Dawu Gu

2017-01-01

Abstract:Software-based MMU emulation lies at the heart of out-of-VM live memory introspection, an important technique in the cloud setting that applications such as live forensics and intrusion detection depend on. Due to the emulation, the software-based approach is much slower compared to native memory access by the guest VM. The slowness not only results in undetected transient malicious behavior, but also inconsistent memory view with the guest; both undermine the effectiveness of introspection. We propose the immersive execution environment (ImEE) with which the guest memory is accessed at native speed without any emulation. Meanwhile, the address mappings used within the ImEE are ensured to be consistent with the guest throughout the introspection session. We have implemented a prototype of the ImEE on Linux KVM. The experiment results show that ImEE-based introspection enjoys a remarkable speed up, performing several hundred times faster than the legacy method. Hence, this design is especially useful for realtime monitoring, incident response and high-intensity introspection.

Jietao Xiao,Nanzi Yang,Wenbo Shen,Jinku Li,Xin Guo,Zhiqiang Dong,Fei Xie,Jianfeng Ma

2023-01-01

Abstract:People proposed to use virtualization techniques to reinforce the isolation between containers. In the design, each container runs inside a lightweight virtual machine (called microVM). MicroVM-based containers benefit from both the security of microVM and the high efficiency of the container, and thus are widely used on the public cloud. However, in this paper, we demonstrate a new attack surface that can be exploited to break the isolation of the microVM-based container, called operation forwarding attacks. Our key observation is that certain operations of the microVM-based container are forwarded to host system calls and host kernel functions. The attacker can leverage the operation forwarding to exploit the host kernel's vulnerabilities and exhaust host resources. To fully understand the security risk of operation forwarding attacks, we divide the components of the microVM-based container into three layers according to their functionalities and present corresponding attacking strategies to exploit the operation forwarding of each layer. Moreover, we design eight attacks against Kata Containers and Firecracker-based containers and conduct experiments on the local environment, AWS, and Alibaba Cloud. Our results show that the attacker can trigger potential privilege escalation, downgrade 93.4% IO performance and 75.0% CPU performance of the victim container, and even crash the host. We further give security suggestions for mitigating these attacks.

Jianhua Sun,Hao Chen,Cheng Chang,Xingbang Li

2013-01-01

Computing and Informatics

Abstract:Kernel rootkits pose significant challenges on defensive techniques as they run at the highest privilege level along with the protection systems. Modern architectural approaches such as the NX protection have been used in mitigating attacks, however determined attackers can still bypass these defenses with specifically crafted payloads. In this paper, we propose a virtualized Harvard memory architecture to address the kernel code integrity problem, which virtually separates the code fetch and data access on the kernel code to prevent kernel from code modifications. We have implemented the proposed mechanism in commodity operating system, and the experimental results show that our approach is effective and incurs very low overhead.