XIANG Guo-Fu,JIN Hai,ZOU De-Qing,CHEN Xue-Guang

DOI: https://doi.org/10.3724/sp.j.1001.2012.04219

2012-01-01

Journal of Software

Abstract:In recent years, virtualization technology is the novel trendy of computer architecture, and it provides a solution for security monitoring.Due to the highest privilege and the smaller trusted computing base of virtual machine monitor, security tools, deployed in an isolated virtual machine, can inspect the target virtual machine with the help of virtual machine monitor.This approach can enhance the effectiveness and anti-attack ability of security tools.From the aspect of the implementation technologies, existing research works can be classified into internal monitoring and external monitoring.According to the different targets, the related works about virtualization-based monitoring are introduced in this paper in detail, such as intrusion detection, honeypot, file integrity monitoring, malware detection and analysis, security monitoring architecture and the generality of monitoring.Finally, this paper summarizes the shortcomings of existing works, and presents the future research directions.It is significant for virtualization research and security monitoring research.

JIN Wei,LI Ming-lu,WENG Chu-liang

DOI: https://doi.org/10.3969/j.issn.1000-3428.2011.15.036

2011-01-01

Abstract:This paper aims to explore the security of the Virtual Machine Monitor(VMM),combined with open source virtualization software Xen to analyze the potential threats and vulnerabilities,such as tampering with hypercalls,malicious direct memory access.It designs and implements a way to undermine the stability of virtual machine by modifying VCPU state and meanwhile give countermeasures,such as verifying critical data structures to discover whether it is invaded,or forbidding the loading of module to eliminate all possible security risks posed by the module.

Xianxian Li,Changhui Jiang,Jianxin Li,Bo Li

DOI: https://doi.org/10.1109/NCIS.2011.21

2011-01-01

Abstract:Malicious software is one of the primary threats to information system on Internet, while the traditional host-based and network-based monitoring systems are vulnerable to prevent the malicious behavior of software because most current malicious software is capable of resisting security monitoring. Virtualization technology gives an impactful approach to monitoring the behavior of malicious software since it can provide an abstraction layer between the operating system and the hardware. In this paper, we propose a hardware-virtualization-based security monitor system named VMInsight, which can provide load-time and run-time monitoring for processes. VMInsight intercepts system calls and process behaviors by monitoring changes in the virtual machine CPU register, and it is implemented in the hyper visor, thus is completely transparent to the software and operating system running in the virtual machine. The experimental results show that the performance overhead of VMInsight is less than 10%, and it can be easily applied to the third-party security monitoring system.

Chuliang Weng,Qian Liu,Kenli Li,Deqing Zou

DOI: https://doi.org/10.1109/tc.2016.2560809

2016-01-01

Abstract:In the cloud platform, the startup security of guest virtual machines (VMs) can be guaranteed by existing techniques such as TBoot, however, how to monitor and guarantee their runtime security seems to be a non-trivial challenge, when they are exposed to the Internet. For a practical cloud system, security and performance are two important issues. In this paper, we propose a dynamic framework called CloudMon to detect kernel rootkits and guarantee the runtime security of guest VMs. CloudMon is transparent to a guest VM, neither requires its specific system information, nor has to one-on-one run with it. Meanwhile, CloudMon detects kernel rootkits through self-adjusting monitoring on memory with an acceptable overhead. A working prototype of CloudMon is implemented based on Xen. The case studies on security show that CloudMon is effective to detect kernel rootkits in guest VMs, while the performance experiments demonstrate that it brings a low performance overhead.

Xiaoguang Wang,Yong Qi,Zhi Wang,Yue Chen,Yajin Zhou

DOI: https://doi.org/10.1109/tdsc.2017.2675991

2019-01-01

Abstract:The OS kernel is critical to the security of a computer system. Many systems have been proposed to improve its security. A fundamental weakness of those systems is that page tables, the data structures that control the memory protection, are not isolated from the vulnerable kernel, and thus subject to tampering. To address that, researchers have relied on virtualization for reliable kernel memory protection. Unfortunately, such memory protection requires to monitor every update to the guest's page tables. This fundamentally conflicts with the recent advances in the hardware virtualization support. In this paper, we propose SecPod, an extensible framework for virtualization-based security systems that can provide both strong isolation and the compatibility with modern hardware. SecPod has two key techniques: paging delegation delegates and audits the kernel's paging operations to a secure space; execution trapping intercepts the (compromised) kernel's attempts to subvert SecPod by misusing privileged instructions. We have implemented a prototype of SecPod based on KVM. Our experiments show that SecPod is both effective and efficient.

Tian Donghai,Jia Xiaoqi,Chen Junhua,Hu Changzhen

DOI: https://doi.org/10.1109/cc.2016.7405709

2016-01-01

Abstract:Recently, virtualization technologies have been widely used in industry. In order to monitor the security of target systems in virtualization environments, conventional methods usually put the security monitoring mechanism into the normal functionality of the target systems. However, these methods are either prone to be tempered by attackers or introduce considerable performance overhead for target systems. To address these problems, in this paper, we present a concurrent security monitoring method which decouples traditional serial mechanisms, including security event collector and analyzer, into two concurrent components. On one hand, we utilize the SIM framework to deploy the event collector into the target virtual machine. On the other hand, we combine the virtualization technology and multi-core technology to put the event analyzer into a trusted execution environment. To address the synchronization problem between these two concurrent components, we make use of Lamport's ring buffer algorithm. Based on the Xen hypervisor, we have implemented a prototype system named COMO. The experimental results show that COMO can monitor the security of the target virtual machine concurrently within a little performance overhead.

Hai Jin,Guofu Xiang,Deqing Zou,Feng Zhao,Min Li,Chen Yu

DOI: https://doi.org/10.1016/j.camwa.2010.01.007

IF: 3.218

2010-01-01

Computers & Mathematics with Applications

Abstract:The file system becomes the usual target of malicious attacks because it contains lots of sensitive data, such as executable programs, configuration and authorization information. File integrity monitoring is an effective approach to discover aggressive behavior by detecting modification actions on these sensitive files. Traditional real-time integrity monitoring tools, which insert hooks into the OS kernel, are easily controlled and disabled by malicious software. Such existing methods, which insert kernel module into OS, are hard to be compatible because of the diversity of OS. In this paper, we present a non-intrusive real-time file integrity monitoring method in virtual machine-based computing environment, which is transparent to the monitored system. The monitor is isolated from the monitored system, since it observes the state of the monitored system from the outside. This method brings two benefits: detecting file operations in real time and being invisible to malicious attackers in the monitored system. Furthermore, a kind of file classification algorithm based on file security level is proposed to improve efficiency in this paper. The proposed file integrity monitoring method is implemented in the full-virtualization mode supported by the Xen platform. The experimental results show that the method is effective with acceptable overhead.

Guofu Xiang,Hai Jin,Deqing Zou

DOI: https://doi.org/10.1109/icoin.2012.6164438

2012-01-01

Abstract:Virtualization can divide or aggregate the underlying resource flexibly, and it attracts attention from both academic and industry in recent years. Guest operating systems in virtual machines can be various, and the states of virtual machines changes all the time. Due to the complexity of virtual computing environment, it brings tremendous challenges for security monitoring. Existing monitoring mechanism can not adapt to the dynamic and diversity of virtual machines. Therefore, a comprehensive monitoring framework, named ComMon, is proposed in this paper, which implements comprehensive monitoring from three aspects: network, process, and file. It has the characteristics of real-time, transparency and generality.

Siqin Zhao,Kang Chen,Weimin Zheng

DOI: https://doi.org/10.1109/ChinaGrid.2009.45

2009-01-01

Abstract:It is very important to protect critical resources such as private data and code in computer systems. It is promising to protect private data and to improve the system security by leveraging the isolation attribute of virtual machine(VM). The isolation attribute of VM is provided by Virtual Machine Monitor (VMM) that runs in higher priority than guest OSes. If the critical components are isolated in VMs,access control can be enforced or attestation can be made when the subject is accessing via VMs. In this way, VMs can improve the security level of critical components such as OS, kernel, data, and applications. For computer system security, VMs can be used to detect malware intrusions and to protect critical components, which can be implemented by integrating detection or protection mechanism in either VMM or VMs. Authentication is required to create trustful VMs. This paper surveys technologies related of using virtual machines to enhance system security.

CHEN Zhu-Hong,CUI Chao-Yuan,WANG Ru-Jing,ZHOU Ji-Dong

DOI: https://doi.org/10.3969/j.issn.1003-3254.2013.07.015

2013-01-01

Abstract:As the foundation of cloud computing,virtualization technology’s security problems are gained more and more attention of the specialists with the development of cloud computing.This paper presents a virtual machine system kernel intrusion detection system,which use the introspection technology provided by Xen hypervisor to get internal states of kernel of the virtual machine.To achieve the goal of monitoring the kernel and preventing it from being compromised.This system can effectively defend the case of attack that dynamically modifies the kernel code and kernel unchanged data structure.

Chen Wen-Zhi,Zhu Hong-Wei,Huang Wei

DOI: https://doi.org/10.1109/CW.2008.110

2008-01-01

Abstract:The security problem became more severe since the security requirement of different applications may conflict with the others in distributed application or grid computing. Virtualization technology can improvethe system's security, but did not satisfy the requirement of virtual resource sharing and inner-domain communication in distributed services and grid computing. By dividing the virtual resources into sharing virtual resources and normal ones, SeVMM provided secure mechanism for inter-domain communication control, which formed the base of multi-level security control model for virtual machine monitors, operating systems and applications. Case study and application showed that SeVMM improved the system's security without causing significant performance penalty.

Xueyuan Yin,Xingshu? Chen,Shusong Tao,Lin Chen

DOI: https://doi.org/10.13232/j.cnki.jnju.2019.02.007

2019-01-01

Abstract:To solve the problem of user virtual machine monitoring in cloud environment,a virtual machine security monitoring method based on real time online analysis of virtual machine memory was proposed.With high privilege of the virtualization layer,virtual machine memory could be obtained outside of virtual machines online transparently. By using the memory analysis mechanism derived from the field of internal forensics,the semantic knowledge of virtual machine memory can be revealed by analyzing some important kernel structures of the virtual machine memory online in the virtualization layer,which effectively solves the semantic gap between the virtual machine and the virtualization layer and leads to achieving fine granularity of information monitoring of virtual machines.Because the monitoring code is under the virtualization layer,outside of the monitored virtual machine and isolated from virtual machine internal codes by the virtualization mechanism,there is no need to deploy monitoring agents in the users’virtual machine.Therefore,any malicious code inside the virtual machine can not bypass and destroy the security monitoring code under the virtualization layer and the transparency and security of the method is improved. The experimental results show that the method can provide a cloud security monitoring service for virtual machines at lower performance cost with agentless.

Qian Liu,Chuliang Weng,Minglu Li,Yuan Luo

DOI: https://doi.org/10.1109/MSP.2010.143

IF: 3.105

2010-01-01

IEEE Security & Privacy

Abstract:Cloud computing relies heavily on virtualization. Virtualization technology has developed rapidly because of the rapid decrease in hardware cost and concurrent increase in hardware computing power. A virtual machine monitor (VMM, also called a hγpervisor) between the hardware and the OS enables multiple virtual machines (VMs) to run on top of a single physical machine. The VMM manages scheduling and dispatching the physical resources to the individual VMs as needed, and the VMs appear to users as separate computers. Widely used virtualization technologies include VMWare, Xen, Denali, and the Kernel-Based Virtual Machine (KVM). In this framework, a module measures executables running in virtual machines (VMs) and transfers the values to a trusted VM. Comparing those values to a reference table containing the trusted measurement values of running executables verifies the executable/s status.

Liu Mingcan,Jiang Nan,Du Chenglie

DOI: https://doi.org/10.3969/j.issn.1671-4598.2013.02.044

2013-01-01

Abstract:System supporting environment oriented to complex virtual test application provides a good synchronization and interoperability support for all types of test applications.In order to guarantee the correctness and stability of the whole system and applications under supporting environment,it needs a monitoring tool.After analyzing the VTSE prototype architecture,this paper researches the interactive relationship between monitoring module and other modules,and then designs monitoring module division and monitoring program.This paper also determines the monitoring content and accessing method,and the monitoring information storage and viewing method.Finally,the VTSESPY tool is realized.Through several tests verify the information monitoring and exception catching functionalities of VTSESPY,and obtain good result.

Qingkai Zeng

2013-01-01

Abstract:In order to improve the security of operate systems and applications,the system virtualization technology is studied;the typical security applications and research are discussed.According to the software level of existing researches,the current research progress and future trends from three aspects: security improvement of applications,operating system and virtual machine monitor are analyzed and summarized.An analysis and debug method for malware based on system virtualization be designed,the feasibility and effectiveness of the method are verified by implementing prototype system on the Intel-VT platform.

JIANG Nan,WU Jun-Min,ZHU Xiao-Dong,LI Li-Feng,ZHANG Peng-Fei,HUANG Jing

DOI: https://doi.org/10.3969/j.issn.1003-3254.2012.09.003

2012-01-01

Abstract:With the era of multi-core processors,virtualization technology is widely used,and multi-core virtual machine is one of them.The current multi-core virtual machine monitors are generally used hardware virtualization technology through simulating a number of virtual serial ports to monitor for the purpose.This inventive,given based on shared memory multi-core system-level monitoring system virtualization solution,and gives a complete design and implementation.

Alex K. Ohoussou,Hai Jin,Deqing Zou,Feng Zhao,Guofu Xiang,Ge Cheng

DOI: https://doi.org/10.1109/wcins.2010.5541866

2010-01-01

Abstract:One of the motivations for virtualization technology is the desire to develop new services to enhance system security without trusting both the applications and the operating systems. An intrusion detection system is an example of such service that can help to isolate users from malicious attacks. In this paper, we propose hybrid-based intrusion detection architecture in virtual computing environment to detect and isolate harmful behaviors by real-time monitoring and alarming. In contrast to monolithic intrusion detection system, we introduce autonomous agents, acting independently of each other, to monitor the system. The agents are deployed in virtual machines to analyze actions occurring on the network and inside the hosts to determine whether they are potential security violations or not. Our architecture is implemented based on Xen, and the detection management center is deployed in a secure virtual machine.

JIANG Xueyuan,LI Minglu,WENG Chuliang

DOI: https://doi.org/10.3778/j.issn.1673-9418.2011.05.007

2011-01-01

Abstract:During the development of network computing and cloud computing,virtualization grows up quickly as the base technology.Virtualization live migration is an important feature for applications based on virtualization.Basic live migration protocol is too simple,and security hazard exists.Based on Xen virtualization platform,the performance of existed security solutions and the influence to live migration of these solutions are tested.The weakness of existed solutions is shown by attack based on sniffer and address resolution protocol(ARP) spoofing.The idea of solving the new problem is given.

LI Xun,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.12.015

2011-01-01

Computer Science

Abstract:Kernel-level attacks compromise operating system security by tampering with critical data and control flow in the kernel.Current approaches defend against these attacks by applying code integrity or control flow integrity control methods.However,they focus on only a certain aspect and cannot give a complete integrity monitoring solution.This paper analyzed the kernel integrity principle and got practical requirements to ensure kernel integrity.Critical data objects effect operating system function directly.Only certain code is able to modify critical data objects at certain conditions to ensure data integrity.All factors about code execution sequence are protected and monitored to ensure control flow integrity.Implementation in Xen VMM(Virtual Machine Monitor) using hardware virtualization,or referred to as HVM(Hardware Virtual Machine) is introduced to protect and monitor Linux kernel.Experiments show that the solution can detect and prevent attacks and bugs compromising the kernel.

Dongyang Zhan,Lin Ye,Binxing Fang,Xiaojiang Du,Zhikai Xu

DOI: https://doi.org/10.1587/transinf.2016inp0009

2017-01-01

IEICE Transactions on Information and Systems

Abstract:Protecting critical files in operating system is very important to system security. With the increasing adoption of Virtual Machine Introspection (VMI), designing VMI-based monitoring tools become a preferential choice with promising features, such as isolation, stealthiness and quick recovery from crash. However, these tools inevitably introduce high overhead due to their operation-based characteristic. Specifically, they need to intercept some file operations to monitor critical files once the operations are executed, regardless of whether the files are critical or not. It is known that file operation is high-frequency, so operation-based methods often result in performance degradation seriously. Thus, in this paper we present CFWatcher, a target-based real-time monitoring solution to protect critical files by leveraging VMI techniques. As a target-based scheme, CFWatcher constraints the monitoring into the operations that are accessing target files defined by users. Consequently, the overhead depends on the frequency of target files being accessed instead of the whole filesystem, which dramatically reduces the overhead. To validate our solution, a prototype system is built on Xen with full virtualization, which not only is able to monitor both Linux and Windows virtual machines, but also can take actions to prevent unauthorized access according to predefined policies. Through extensive evaluations, the experimental results demonstrate that the overhead introduced by CFWatcher is acceptable. Especially, the overhead is very low in the case of a few target files.