Lei ZHANG,Xing-shu CHEN,Yi REN,Hui LI

DOI: https://doi.org/10.3969/j.issn.1671-1122.2015.04.010

2015-01-01

Abstract:Kernel-level Rootkits of virtual machine in cloud can destroy the integrity of virtual machine of tenant. This paper presents a kind of kernel-level Rootkit detection technology based on Virtual Machine Monitor (VMM). This technology establishes True Module List (TML) by critical path breakpoint and obtains the virtual machine''s kernel module view, the user mode view was established by bottom-up calls from VMM, and the reconstructed kernel mode view of virtual machine was get in the VMM layer, then by cross-referencing these three views to detect Rootkit hidden in a virtual machine. Finally, a prototype system was realized based on the Kernel-based Virtual Machine (KVM), experimental results showed that Rootkits in Virtual Machine could be quickly and ac-curately detected in the prototype system, details of Rootkit could be reported according to TML, the overall per-formance loss of the prototype system was in acceptable range.

li ruan,yikai sun,limin xiao,mingfa zhu

DOI: https://doi.org/10.1007/978-3-642-41591-3_13

2013-01-01

Abstract:Recently, virtualization technology has revived and become the key support of the clouds. KVM (Kernel virtual machine) based on Linux kernel-level achieves its popularity however with security risks. Therefore, the virtual environment and vulnerability detecting of KVM is of theoretical significance and great application value. However, there are few reports on virtual environment and vulnerability detection for KVM. This paper introduces a virtual environment and vulnerability method which includes the CPU cycle based detection algorithms, the internet time detection algorithms and multithread counter detection algorithms, etc.. In the vulnerability detection of KVM, denial of service attack is simulated and its detection method is proposed. Function and performance tests are also introduced.

LI Xun,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.12.015

2011-01-01

Computer Science

Abstract:Kernel-level attacks compromise operating system security by tampering with critical data and control flow in the kernel.Current approaches defend against these attacks by applying code integrity or control flow integrity control methods.However,they focus on only a certain aspect and cannot give a complete integrity monitoring solution.This paper analyzed the kernel integrity principle and got practical requirements to ensure kernel integrity.Critical data objects effect operating system function directly.Only certain code is able to modify critical data objects at certain conditions to ensure data integrity.All factors about code execution sequence are protected and monitored to ensure control flow integrity.Implementation in Xen VMM(Virtual Machine Monitor) using hardware virtualization,or referred to as HVM(Hardware Virtual Machine) is introduced to protect and monitor Linux kernel.Experiments show that the solution can detect and prevent attacks and bugs compromising the kernel.

Xiaoguang Wang,Yong Qi,Zhi Wang,Yue Chen,Yajin Zhou

DOI: https://doi.org/10.1109/tdsc.2017.2675991

2019-01-01

Abstract:The OS kernel is critical to the security of a computer system. Many systems have been proposed to improve its security. A fundamental weakness of those systems is that page tables, the data structures that control the memory protection, are not isolated from the vulnerable kernel, and thus subject to tampering. To address that, researchers have relied on virtualization for reliable kernel memory protection. Unfortunately, such memory protection requires to monitor every update to the guest's page tables. This fundamentally conflicts with the recent advances in the hardware virtualization support. In this paper, we propose SecPod, an extensible framework for virtualization-based security systems that can provide both strong isolation and the compatibility with modern hardware. SecPod has two key techniques: paging delegation delegates and audits the kernel's paging operations to a secure space; execution trapping intercepts the (compromised) kernel's attempts to subvert SecPod by misusing privileged instructions. We have implemented a prototype of SecPod based on KVM. Our experiments show that SecPod is both effective and efficient.

Hui LI,Xing-shu CHEN,Lei ZHANG,Wen-xian WANG

DOI: https://doi.org/10.3969/j.issn.1671-1122.2014.12.009

2014-01-01

Abstract:Cloud computing is developing fast and widely used, as an important support for cloud computing, virtualization has improved the efifciency of resource utilization and management capability for a platform. As an open source software for virtualization, the unique design and excellent performance make Xen adopted by many could service providers, which are also troubled by the security problems of Xen hypervisor. The privilege interfaces provided by Xen can be utilized by malicious code of virtual machine, which can be used by intruders to attack Xen or virtual machines running above. To solve the problem of hypercalls of Xen to be abused by malicious code inside guest kernel, a method to analyze the execution path of guest kernel is provided, which is used to trace the execution path of guest kernel that has launched this hypercall, compared with the training set constructed at the beginning, preventing hypercalls being misused by malicious code of guest kernel becomes possible. By tracking stack information of guest kernel, the execution path of virtual machine is reconstructed and built up with the help of instruction analysis and symbol table of guest kernel, unexpected execution paths of hypervalls are avoided with this method. We experimented our idea on Xen platform, a new virtual machine was created to get its training set during its running time. Then when this heprcall happens, the corresponding execution path is constructed dynamically, compared with the training set, unforeseen invoking to hypervalls is avoided.

ZHANG Lei,CHEN Xing-shu,LIU Liang,LI Hui

DOI: https://doi.org/10.3969/j.issn.1001-0548.2015.01.020

2015-01-01

Abstract:For the kernel integrity threats of virtual machine in cloud computing environment, an integrity protecting technology of virtual machine kernel, cloud trusted virtual machine(CTVM ), is proposed. In the CTVM, the virtual trusted execution environment in kernel-based virtual machine(KVM) is created, the multiple virtual machines are endowed with a trusted computing function at the same time, and the guest virtual machines are provided with integrity measurement ability. By utilizing hardware virtualization technology, the untrusted kernel modules are isolated from operating system kernel through constructing isolated address space in guest virtual machines, so as to protect the booting integrity and runtime integrity of guest virtual machines. Finally, with a domestic server as the experimental platform, CTVM prototype system is presented. System test and analysis show that the system performance loss is within the acceptable range.

Donghai Tian,Deguang Kong,Changzhen Hu,Peng Liu

DOI: https://doi.org/10.1109/securware.2010.9

2010-01-01

Abstract:Operating system security (OS) is the basis for trust computing. As the kernel rootkits become popular and lots of kernel vulnerabilities are exposed, the OS kernel suffers a large number of attacks. It is difficult to protect the kernel by its own module because the kernel rootkits has the same ability to cripple the security module within the same kernel space. Recently, with the virtualization renaissance, virtualization technology provides many new ways to improve the system security. Utilizing this new technology, we present a kernel protection system called VMhuko. By monitoring the kernel data access actively, VMhuko can defend the kennel data attacks on the fly. The intensive experiment shows that VMhuko can protect the kernel with moderate performance.

Chuliang Weng,Qian Liu,Kenli Li,Deqing Zou

DOI: https://doi.org/10.1109/tc.2016.2560809

2016-01-01

Abstract:In the cloud platform, the startup security of guest virtual machines (VMs) can be guaranteed by existing techniques such as TBoot, however, how to monitor and guarantee their runtime security seems to be a non-trivial challenge, when they are exposed to the Internet. For a practical cloud system, security and performance are two important issues. In this paper, we propose a dynamic framework called CloudMon to detect kernel rootkits and guarantee the runtime security of guest VMs. CloudMon is transparent to a guest VM, neither requires its specific system information, nor has to one-on-one run with it. Meanwhile, CloudMon detects kernel rootkits through self-adjusting monitoring on memory with an acceptable overhead. A working prototype of CloudMon is implemented based on Xen. The case studies on security show that CloudMon is effective to detect kernel rootkits in guest VMs, while the performance experiments demonstrate that it brings a low performance overhead.

Ping LI,Chao-Yuan CUI,Yong-Gang LI

DOI: https://doi.org/10.3969/j.issn.1003-3254.2015.07.035

2015-01-01

Abstract:The virtualization technology is one of the key technologies of the cloud computing. Meanwhile, monitoring virtual machine is an important function on the virtualization platform. In order to obtain the internal information of the virtual machine better, a lightweight virtual machine kernel module detection method (KMDM) is designed and implemented on the virtualization environment of Xen. The KMDM resides in the host machine and uses the virtual machine introspection mechanism to obtain the kernel module information of the virtual machine. The experimental results show that the KMDM can detect the kernel module information of the guest virtual machine, and the detection results are accurate and reliable.

Xingjun Zhang,Endong Wang,Long Xin,Zhongyuan Wu,Weiqing Dong,Xiaoshe Dong

DOI: https://doi.org/10.1109/INCoS.2011.111

2011-01-01

Abstract:The kernel-level Root kit brings operating system mortal security risk. The existing detection methods, which are based on host environment, have limitations such as high Root kit privileges, weak isolation capacity. If the detected system, which may includes Root kit, and the detection system are resided on guest and host environment respectively, those limitations can be resolved. The paper proposed a method of Root kit detection based on KVM (Kernel-based Virtual Machine) by using virtualization technology. This method adopts guest memory protection mechanism, which is based on protection of host page tables and trusted code segments, for static kernel code and data. As for dynamically allocated code and data in heap space, this method introduces integrity checking mechanism, which is based on threshold triggering of calling sequences of monitored functions. The experimental results showed that this method can prevent static code or data from Root kit attacking effectively, and also detect attacks to dynamically allocated code or data quickly.

Huaizhe Zhou,Haihe Ba,Yongjun Wang,Tie Hong

DOI: https://doi.org/10.1587/transinf.2019EDL8148

2020-01-01

IEICE Transactions on Information and Systems

Abstract:The arms race between offense and defense in the cloud impels the innovation of techniques for monitoring attacks and unauthorized activities. The promising technique of virtual machine introspection (VMI) becomes prevalent for its tamper-resistant capability. However, some elaborate exploitations are capable of invalidating VMI-based tools by breaking the assumption of a trusted guest kernel. To achieve a more reliable and robust introspection, we introduce a practical approach to monitor and detect attacks that attempt to subvert VMI in this paper. Our approach combines supervised machine learning and hardware architectural events to identify those malicious behaviors which are targeted at VMI techniques. To demonstrate the feasibility, we implement a prototype named HyperMon on the Xen hypervisor. The results of our evaluation show the effectiveness of HyperMon in detecting malicious behaviors with an average accuracy of 90.51% (AUC).

Donghai Tian,Rui Ma,Xiaoqi Jia,Changzhen Hu

DOI: https://doi.org/10.1109/access.2019.2928060

IF: 3.9

2019-01-01

IEEE Access

Abstract:OS kernel is the core part of the operating system, and it plays an important role for OS resource management. A popular way to compromise OS kernel is through a kernel rootkit (i.e., malicious kernel module). Once a rootkit is loaded into the kernel space, it can carry out arbitrary malicious operations with high privilege. To defeat kernel rootkits, many approaches have been proposed in the past few years. However, existing methods suffer from some limitations: 1) most methods focus on user-mode rootkit detection; 2) some methods are limited to detect obfuscated kernel modules; and 3) some methods introduce significant performance overhead. To address these problems, we propose VKRD, a kernel rootkit detection system based on the hardware assisted virtualization technology. Compared with previous methods, VKRD can provide a transparent and an efficient execution environment for the target kernel module to reveal its run-time behavior. To select the important run-time features for training our detection models, we utilize the TF-IDF method. By combining the hardware assisted virtualization and machine learning techniques, our kernel rootkit detection solution could be potentially applied in the cloud environment. The experiments show that our system can detect windows kernel rootkits with high accuracy and moderate performance cost.

Dan-dan ZHAO,Xing-shu CHEN,Xin JIN

DOI: https://doi.org/10.6040/j.issn.1671-9352.1.2016.083

2017-01-01

Abstract:To enhance the security capabilities of kernel-based virtual machine(KVM) Hypervisor, a multi-level security capabilities enhancement technology was proposed based on multi vulnerabilities, including Hypervisor type trick, VMX instructions monitoring, the ioctl system call interface protection, dynamical KVM code measurement and antiunloading technology, to enhance the security capabilities of the KVM Hypervisor and detect some unknown attacks base interfaces of KVM in time. Eventually a prototype system on the full-virtualization platform of KVM was implemented which was called (Security-KVM, Sec-KVM). The experimental result shows that the Sec-KVM is able to hide the virtualization type of the Hypervisor which enhanced the ability of anti-attack of Hypervisor, dynamically measure the integrity of the KVM and the ioctl system call interface which prevented spread of the attacks, and detect some unknown attacks based KVM service interfaces.

Wang Huaixi,Chen Jianxiong,Wang Chen,Liu Kesheng

2012-01-01

Abstract:Focusing on the security of virtualization,the principle and classification of virtualization were described,and the potential vulnerabilities and attack vectors were pointed out at first.Then many kinds of virtualization detection methods based on different store descriptor tables and three typical attack cases based on hardware virtualization were investigated.As a concrete case,the attacking experiments on VMware vSphere were implemented and evaluated.The results show that the DoS attacks can make big influence on the stability of vSphere system and even result in the system halting.

Zhi-Xian Chen,Jun Cui,Wei Liu,Hao Huang

2010-01-01

Abstract:Kernel-level attacks or rootkits typically leverage security exploits to gain initial unauthorized privileged access to an operating system. Current approaches defend against these attacks by enforcing data-flow integrity and control-flow integrity. However, only taking a certain aspect into account cannot provide a complete integrity monitoring solution. In this paper, we present a lightweight in-kernel hypervisor (IKH) utilizing Intel VT hardware virtualization, for insuring the kernel integrity, which can bridge the semantic gap between hypervisor and monitored OS, meanwhile offer small code size for formal verification. We have developed a primitive prototype on Linux as a kernel module, which can avoid being tampered by malicious code and detect kernel-level rootkits or attacks by four protection mechanisms based on the hardware-assisted virtualization. Experiment results show the effectiveness and feasibility of IKH and tolerable overhead imposed.

Ding Shun,Li Minglu,Weng Chuliang,Liu Qian

DOI: https://doi.org/10.3969/j.issn.1000-386X.2012.06.015

2012-01-01

Abstract:As virtualization is widely applied to various fields such as cloud computing,it gradually becomes a target that various malicious attacks aim at.The runtime security of virtual machines is of the most importance.Aiming at this problem,a monitoring scheme suitable for virtualized environments is proposed.Moreover a security monitoring prototype system of a virtual machine is implemented in Xen.With this scheme,a privileged virtual machine can execute dynamic and customized monitoring upon the massive client virtual machines hosted in a same physical machine.Particularly,this system is very effective at detecting rootkits inside OS kernels.The security monitoring scheme can effectively increase the security not only of client virtual machines but also of the whole VM system.

Sina Bahram,Xuxian Jiang,Zhi Wang,Mike Grace,Jinku Li,Deepa Srinivasan,Junghwan Rhee,Dongyan Xu

DOI: https://doi.org/10.1109/srds.2010.39

2010-01-01

Abstract:Virtual machine (VM) introspection is a powerful technique for determining the specific aspects of guest VM execution from outside the VM. Unfortunately, existing introspection solutions share a common questionable assumption. This assumption is embodied in the expectation that original kernel data structures are respected by the untrusted guest and thus can be directly used to bridge the well-known semantic gap. In this paper, we assume the perspective of the attacker, and exploit this questionable assumption to subvert VM introspection. In particular, we present an attack called DKSM (Direct Kernel Structure Manipulation), and show that it can effectively foil existing VM introspection solutions into providing false information. By assuming this perspective, we hope to better understand the challenges and opportunities for the development of future reliable VM introspection solutions that are not vulnerable to the proposed attack.

Alex K. Ohoussou,Hai Jin,Deqing Zou,Feng Zhao,Guofu Xiang,Ge Cheng

DOI: https://doi.org/10.1109/wcins.2010.5541866

2010-01-01

Abstract:One of the motivations for virtualization technology is the desire to develop new services to enhance system security without trusting both the applications and the operating systems. An intrusion detection system is an example of such service that can help to isolate users from malicious attacks. In this paper, we propose hybrid-based intrusion detection architecture in virtual computing environment to detect and isolate harmful behaviors by real-time monitoring and alarming. In contrast to monolithic intrusion detection system, we introduce autonomous agents, acting independently of each other, to monitor the system. The agents are deployed in virtual machines to analyze actions occurring on the network and inside the hosts to determine whether they are potential security violations or not. Our architecture is implemented based on Xen, and the detection management center is deployed in a secure virtual machine.

Jianhua Sun,Hao Chen,Cheng Chang,Xingbang Li

2013-01-01

Computing and Informatics

Abstract:Kernel rootkits pose significant challenges on defensive techniques as they run at the highest privilege level along with the protection systems. Modern architectural approaches such as the NX protection have been used in mitigating attacks, however determined attackers can still bypass these defenses with specifically crafted payloads. In this paper, we propose a virtualized Harvard memory architecture to address the kernel code integrity problem, which virtually separates the code fetch and data access on the kernel code to prevent kernel from code modifications. We have implemented the proposed mechanism in commodity operating system, and the experimental results show that our approach is effective and incurs very low overhead.

KANG Chen,ZHU Zhixiang

DOI: https://doi.org/10.3969/j.issn.1007-3264.2013.03.022

2013-01-01

Abstract:Due to the high cost to build a computer network attack and defense experimental platform and the greater impact on the actual network environment and other issues,a network attack and defense experimental platform based on cloud computing is designed by using KVM virtual machines and the openstack virtualization management technology.The experimental results show that the platform can achieve virtual network environment,reduce experimental costs,and achieve a variety of network attack and defense experimental test.